Can this be explained? (Help)

Mitchell Tuckness — Tue, 12 Mar 2019 04:42:51 GMT

Sep 05 2014

21:28:46

192.168.1.2

37071

199.195.xxx.xxx

37071

Teardown dynamic TCP translation from any:192.168.1.2/37071 to Outside:199.195.xxx.xxx/37071 duration 0:00:31

Hi,

I am hoping I can get this explained to me in simple terms so I understand what is happening. I thought that I had statements in my config that allowed all the traffic from my internal networks to external networks, but my active log is filled with packets getting blocked and blocked. I am just curious what is occurring here. It is with UDP and TCP.

Thanks!

I have tons of them:

Sep 05 2014

21:36:59

192.168.1.2

62608

199.195.xxx.xxx

62608

Built dynamic UDP translation from any:192.168.1.2/62608 to Outside:199.195.xxx.xxx/62608

Sep 05 2014

21:36:59

199.195.xxx.x

192.168.1.2

62608

Teardown UDP connection 6952281 for Outside:199.195.xxx.x/53 to Inside:192.168.1.2/62608 duration 0:00:00 bytes 152

Sep 05 2014

21:36:58

10.10.1.2

63481

199.195.xxx.xxx

63481

Teardown dynamic UDP translation from any:10.10.1.2/63481 to Outside:199.195.xxx.xxx/63481 duration 0:00:31

ASA Config:

ASA5510# sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password liqhNWIOSfzvir2g encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIchangedvir2g encrypted
names
dns-guard
!
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.xxx.x 255.255.255.240
!
interface Ethernet0/2
description DMZ
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
!
interface Ethernet0/3
description VOIP
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.xxx.x
name-server 205.171.2.65
name-server 205.171.3.65
domain-name maladomini.int
same-security-traffic permit inter-interface
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.xxx.xxx
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.xx object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xx object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.xx interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.xx object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.xx object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
!
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
!
router rip
network 10.0.0.0
version 2
no auto-summary
!
route Outside 0.0.0.0 0.0.0.0 199.195.xxx.xxx 1
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.xxx 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.xxx 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source Outside prefer
username redacted encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:6f99e1277a392a926d04735c7f6a8c50
: end

you provided are NAT and

Marvin Rhoads — Sat, 06 Sep 2014 04:22:39 GMT

The log messages you provided are NAT and connections' dis-establishment messages, not blocks.

They are normal part of the firewall cleaning up the xlate table and connections once they've timed out.

OK, thanks. I wasn't sure and

Mitchell Tuckness — Sat, 06 Sep 2014 04:22:40 GMT

OK, thanks. I wasn't sure and just wanted to confirm it wasn't something I missed.

topic Can this be explained? (Help) in Network Security

Can this be explained? (Help)

you provided are NAT and

OK, thanks. I wasn't sure and