Large number of session from inside to outside ( how to stop)

Muhammad Azhar — Mon, 11 Mar 2019 23:21:01 GMT

Hi every body,

Today i want to disuccs one issue i am facing on my network ( might be it common ).

My network Topology is simple, there is one Inside network , one Outside and one DMZ.

on My inside LAN, one host is continously making session with outside live host on port 53. We are using NAT for all traffic that go for internet.

This one host is making more then 1000 session when i give the command " show conn " . I try to block outside and inside host by using ACL , but it not working as i want ( this acl do not block what i want)

like this " access-list acl-inisde deny ip host x.x.x.y host 192.168.2.2 ( where x.x.x.y is live IP on internet).

access-group acl-inside out interface inside.

But again when i look in to show conn table i found more then 1000 enteries with in few seconds. Port use for host is UDP 53.

The follwoing is output

ASA# sh conn | in 192.168.2.2

UDP outside 192.228.79.201:53 inside 192.168.2.2:49262, idle 0:00:02, bytes 51, flags -

UDP outside 199.7.83.42:53 inside 192.168.2.2:50342, idle 0:00:00, bytes 44, flags -

UDP outside 192.112.36.4:53 inside 192.168.2.2:49943, idle 0:00:00, bytes 40, flags -

UDP outside 202.12.27.33:53 inside 192.168.2.2:50999, idle 0:00:00, bytes 43, flags -

UDP outside 199.7.83.42:53 inside 192.168.2.2:49991, idle 0:00:00, bytes 39, flags -

UDP outside 199.7.83.42:53 inside 192.168.2.2:49490, idle 0:00:00, bytes 44, flags -

UDP outside 202.12.27.33:53 inside 192.168.2.2:65299, idle 0:00:00, bytes 44, flags -

UDP outside 192.228.79.201:53 inside 192.168.2.2:50548, idle 0:00:00, bytes 43, flags -

UDP outside 198.41.0.4:53 inside 192.168.2.2:50548, idle 0:00:00, bytes 43, flags -

UDP outside 192.228.79.201:53 inside 192.168.2.2:49534, idle 0:00:00, bytes 36, flags -

UDP outside 202.12.27.33:53 inside 192.168.2.2:65378, idle 0:00:01, bytes 44, flags -

UDP outside 199.7.83.42:53 inside 192.168.2.2:49439, idle 0:00:01, bytes 35, flags -

UDP outside 199.7.83.42:53 inside 192.168.2.2:50293, idle 0:00:01, bytes 36, flags -

UDP outside 199.7.83.42:53 inside 192.168.2.2:65502, idle 0:00:01, bytes 50, flags -

UDP outside 202.12.27.33:53 inside 192.168.2.2:49842, idle 0:00:01, bytes 45, flags -

UDP outside 192.228.79.201:53 inside 192.168.2.2:49556, idle 0:00:01, bytes 35, flags -

when i clear the conn table for this IP , following is the outpout on ASA

ASA# clear conn address 192.168.2.2

1111 connection(s) deleted.

ASA# clear conn address 192.168.2.2

642 connection(s) deleted.

ASA# clear conn address 192.168.2.2

30 connection(s) deleted.

and after some time again more then 1000 session buit withine one minute.

HOw i can stop such things, your help will be appericiated.

A file is attached for reference.

Large number of session from inside to outside ( how to stop)

Jennifer Halim — Tue, 19 Jun 2012 12:17:51 GMT

What is that inside host? It is trying to perform DNS resolution, as UDP/53 is DNS request.

To prevent that inside host for doing DNS resolution, you can configure the following:

access-list acl-inside deny udp host 192.168.2.2 any eq 53

access-list acl-inside permit ip any any

access-group acl-inside in interface inside

topic Large number of session from inside to outside ( how to stop) in Network Security

Large number of session from inside to outside ( how to stop)

Large number of session from inside to outside ( how to stop)