stop conn

gpan667788 — Mon, 11 Mar 2019 13:41:32 GMT

Hello,

I have PIX-515E with version 6.3(4). I saw an IP address is hacking my web server in DMZ on port 80. I deny the ip address on my outside access-list. But when I do "sh conn | i x.x.x.x", I am still seeing that ip address. Could anyone tell me how to stop that.

thanks,

Gene

Re: stop conn

suschoud — Tue, 09 Sep 2008 16:00:42 GMT

cl local-host

cl xlate global

Regards,

Sushil

Re: stop conn

gpan667788 — Tue, 09 Sep 2008 16:10:32 GMT

Thanks Sushil! Could you tell me why ACL deny statement on the outside interface did not take care of the problem right the way?

Gene

Re: stop conn

suschoud — Tue, 09 Sep 2008 16:59:07 GMT

The way ASA processes traffic,it first looks at any existing connection.If there is one,traffic is directly sent without the acl check.So,if acl is added afterwards and a connection entry is already in place,you would need to get rid of the existing connection.Afterwards,acl check would be taken into the consideration again.

For your reference,here is what asa checks and in what order:

Legends:

1. Recieve Packet.

2. Existing Connection?

3. Permit by Inbound ACL on interface?

4. Match translation rule (nat, static).

5. NAT embedded IP and perform security checks / randomize sequence number.

6. NAT IP header.

7. Pass packet to outgoing interface.

8. Layer 3 route lookup?

9. Layer 2 next hop?

10. Transmit packet.

NAT ORDER OF OPERATIONS

The rules are tried in order.

1) nat 0 access-list (nat-exempt)

2) match against existing xlates

3) static

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

4) nat

a) nat access-list (first match)

Note: nat 0 access-list is not part of this command.

b) nat

(best match)

Note: When choosing a global address from multiple pools with

the same nat id, the following order is tried

i) if the id is 0, create an identity xlate.

ii) use the global pool for dynamic NAT

iii) use the global pool for dynamic PAT

5) Error

nat (inside) 0

Nat 0 has two affects

1. nat (inside) 0 access-list 101 This works exaclty the same way as static, except bypasses NAT. It does not require the connection to be initiated from the Higher Security Inteface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface

2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.

Regards,

Sushil

Re: stop conn

gpan667788 — Tue, 09 Sep 2008 17:42:59 GMT

Thank you so much Sushil!

regards,

Gene

Re: stop conn

Ivast — Thu, 11 Sep 2008 07:48:22 GMT

Right way is use "shun" command, not the access-list.

topic Re: stop conn in Network Security

stop conn

Re: stop conn

Re: stop conn

Re: stop conn

Re: stop conn

Re: stop conn