https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419470#M857131 <HTML><HEAD></HEAD><BODY><P>hi karuppu,</P><P></P><P>&nbsp; thanks for your reply. my worries is that 192.168.1.x is not being used in my network thats why i'm thinking if this is safe. 192.168.1.x is coming from outside internet.</P><P></P><P>thanks,</P></BODY></HTML> Thu, 04 Mar 2010 12:33:43 GMT Mon Baul 2010-03-04T12:33:43Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419468#M857097 <P>Hi,</P><P></P><P>&nbsp; Can anyone tell me if this is ok? i see this two ports that are connecting to my exchange and AD.</P><P></P><P> UDP outside1 192.168.1.106:6004 inside EXCH01:31970, idle 0:00:42, bytes 8, flags -<BR />UDP outside1 192.168.1.106:6004 inside EXCH01:31959, idle 0:00:42, bytes 8, flags -<BR />UDP outside1 192.168.1.106:6004 inside EXCH01:31859, idle 0:01:43, bytes 8, flags -<BR />UDP outside1 192.168.1.106:6004 inside EXCH01:31847, idle 0:01:43, bytes 8, flags -<BR />UDP outside1 192.168.134.1:123 inside ADDC01:123, idle 0:00:23, bytes 68, flags -<BR />UDP outside1 192.168.195.1:123 inside ADDC01:123, idle 0:00:23, bytes 68, flags -<BR />UDP outside1 192.168.0.1:137 inside ADDC01:137, idle 0:00:40, bytes 903, flags -<BR />UDP outside1 192.168.218.1:137 inside ADDC01:137, idle 0:00:47, bytes 1806, flags -<BR />UDP outside1 192.168.136.1:137 inside ADDC01:137, idle 0:01:02, bytes 903, flags -<BR />UDP outside1 192.168.32.1:137 inside ADDC01:137, idle 0:01:03, bytes 903, flags -</P><P></P><P>Thanks,</P><P>Reymon</P> Mon, 11 Mar 2019 17:17:23 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419468#M857097 Mon Baul 2019-03-11T17:17:23Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419469#M857130 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As per you logs, there is communication is happening between your clients to your AD server &amp; exchange server.</P><P></P><P>Because nowadays&nbsp; exchange server is using random ports to connect thier email clients.even i have seen lots of logs like this in my ASA.</P><P></P><P>port number 137 is used by Name Resolution Service to resolve the name.</P><P></P><P>so, no worries...</P><P>regards</P><P>karuppu</P></BODY></HTML> Thu, 04 Mar 2010 06:53:54 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419469#M857130 KARUPPUCHAMY MALAIYANDI 2010-03-04T06:53:54Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419470#M857131 <HTML><HEAD></HEAD><BODY><P>hi karuppu,</P><P></P><P>&nbsp; thanks for your reply. my worries is that 192.168.1.x is not being used in my network thats why i'm thinking if this is safe. 192.168.1.x is coming from outside internet.</P><P></P><P>thanks,</P></BODY></HTML> Thu, 04 Mar 2010 12:33:43 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419470#M857131 Mon Baul 2010-03-04T12:33:43Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419471#M857132 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>Do you have any VPN connectivity in the same firewall.</P><P></P><P>If not, then somebody is trying to spoof your network.</P><P></P><P>You should protect your network by configuring <STRONG>ip spoofing</STRONG> in your firewall.</P><P></P><P>The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.</P><P></P><P>If for example our inside interface connects to internal network 192.168.1.0/24, this means that packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24 otherwise they will be dropped (if IP Spoofing is configured).</P><P></P><P>To enable IP Spoofing protection, enter the following command:</P><P></P><P><STRONG>CiscoASA5500(config)# ip verify reverse-path interface "interface_name"</STRONG><BR />For example, to enable IP spoofing on the inside interface, use the following command:</P><P></P><P>Regards</P><P>Karuppu</P></BODY></HTML> Thu, 04 Mar 2010 13:54:29 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419471#M857132 KARUPPUCHAMY MALAIYANDI 2010-03-04T13:54:29Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419472#M857133 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>&nbsp; As of now, i don't have any VPN connection. I already configured&nbsp; <STRONG>CiscoASA5500(config)# ip verify reverse-path interface&nbsp; "interface_name"</STRONG></P><P>but still i can see those private ip's connecting to the server.</P><P></P><P>thanks,</P></BODY></HTML> Fri, 19 Mar 2010 11:46:34 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419472#M857133 Mon Baul 2010-03-19T11:46:34Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419473#M857134 <HTML><HEAD></HEAD><BODY><P>You can also configure deny statement on the outside interface denying RFC 1918 towards your Exchange server if you think they are not legitimate ip addresses.</P></BODY></HTML> Fri, 19 Mar 2010 11:54:09 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419473#M857134 Jennifer Halim 2010-03-19T11:54:09Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419474#M857135 <HTML><HEAD></HEAD><BODY><P>I tried this configuration but it doesn't work. What i did is block the traffic coming from my inside interface going to RFC1918 and I see a lots of drops packets for this one.</P></BODY></HTML> Sat, 20 Mar 2010 13:01:26 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419474#M857135 Mon Baul 2010-03-20T13:01:26Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419475#M857136 <HTML><HEAD></HEAD><BODY><P>UDP/6004 seems to be Microsoft Exchange server port as per the following doc:</P><P><A class="jive-link-external-small" href="http://www.pc-library.com/ports/tcp-udp-port/6004/">http://www.pc-library.com/ports/tcp-udp-port/6004/</A></P></BODY></HTML> Sat, 20 Mar 2010 13:04:53 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419475#M857136 Jennifer Halim 2010-03-20T13:04:53Z https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419476#M857137 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I would suggest you to configure a span session on the switch behind your firewall and then try to filter output based on exact IP address being seen using Wireshark.</P><P></P><P>This way you can track down the host behind your network who may be trying to spoof <EM>IP addresses with the help of mac address-table and arp table.</EM></P><P></P><P>HTH</P><P></P><P>Vijaya</P></BODY></HTML> Sun, 21 Mar 2010 18:32:32 GMT https://community.cisco.com/t5/network-security/udp-port-6004-and-137/m-p/1419476#M857137 vilaxmi 2010-03-21T18:32:32Z