ASA Allowing Un-Allowed Traffic Through ACL

rfranzke
Level 1

Have a strange issue here (or what I feel is strange). I have an ASA 5515X series box set up using two interfaces, inside and outside. Using NAT to translate between interfaces. Fairly simple setup. I have a handful of services I allow through the device from outside: some WWW/TLS traffic, email traffic, etc. by way of an outside ACL configured on the outside interface.
Recently I discovered one of the translated devices had a rogue RDP connection terminated on it from the Internet. The ACL configuration for this device only allowed Email and web traffic to it. Yet there was the RDP connection. I tried connecting to the RDP server off net and sure enough the connection was allowed in. I looked through the ACL to try and figure out how this connection was getting through. I could not find any rule allowing RDP access to this machine in the ACL. I ran packet-tracer to test the connection on the device:

packet-tracer input outside tcp 76.70.85.101 3753 <public NAT IP> 3389

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So testing in packet tracer shows that the traffic should be dropped by the ACL protecting the outside interface.

Yet when I try connecting RDP offnet the traffic bypasses the ACL somehow and gets to the machine:

CAB01-ASA5515X-A# sh conn | i 10.20.50.116
UDP outside 24.27.101.164:56835 inside 10.20.50.116:3389, idle 0:00:18, bytes 147162, flags -

Here is the relevant configuration:

object network mailtest-int
host 10.20.50.116
description Internal VDI Workstation Test Mail Server
object network mailtest-ext
host <public IP>
description External VDI Workstation Test Mail Server

object network mailtest-int
nat (inside,outside) static mailtest-ext

object-group service mail tcp
description Mail Server Ports
port-object eq 366
port-object eq 465
port-object eq 587
port-object eq 993
port-object eq 995
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq 1000
port-object eq 3000
port-object eq 3101
port-object eq 4069
port-object eq https
port-object eq www

access-list outside-in remark Any to Email Test Server for Email Services
access-list outside-in extended permit tcp any object mailtest-int object-group mail

access-group outside-in in interface outside

So why would the device show the traffic as being dropped in packet tracer but then turn around and allow the traffic through, especially when there is not an ACL entry that allows the traffic? I cannot find a single rule in this ACL that would allow it. Is it possible some kind of connection outbound from the PC is getting reused and allowing RDP inbound, bypassing the ACL? If I put a deny rule specifically for blocking RDP traffic in the ACL like so:

access-list outside-in remark Deny RDP access to Email Test Machine
access-list outside-in extended deny tcp any object mailtest-int eq 3389

the traffic gets blocked. If I put an explicit catch-all deny any any at the end of the ACL, the traffic still gets allowed. I don't normally have that rule as the flow of traffic would be from lower security level to higher security level. Firewall is running Cisco Adaptive Security Appliance Software Version 9.9(1). This host and configurations were recently moved from one site to another. The same basic FW configuration for this host was on the original ASA at the original site and this same issue came up there. Same problem. No RDP access allowed but yet it works. Normally I am trying to get traffic through this thing, not the other way around. Not sure what's going on here. Any help is appreciated. Thanks in advance.

2 Replies

rfranzke
Level 1

OK I figured this out. Sorry for the time waste here netpros. Despite me saying there was not an ACL entry in there that allowed it, there was. The reason the packet tracer worked is because I was not specific enough with the source ports when running it. Only the destination ports. The ACL was to allow VoIP to work with our voice provider and is pretty loose as the provider never could tell me what ports they use. Just wanted a huge range opened. Anyway this is solved and again sorry for the stupidity.
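The mismatch described in this thread (packet-tracer says "drop", the real flow is permitted) comes down to first-match ACL evaluation: a test that uses a different protocol or source port than the live connection can miss the very ACE that lets the flow in. The following is an added example, not Cisco's code and not the poster's configuration: a toy first-match evaluator for the subset of ASA extended-ACE syntax shown in the thread. The "mail" ACE and the host object are taken from the page; the UDP source-port-range ACE is a hypothetical stand-in for the loose VoIP rule the poster mentions, since the real ACE and its port range never appear in the thread. It also includes a small audit that flags permit ACEs with no destination-port qualifier, which is the class of rule that exposes every service on a host.

```python
"""
Added example (not Cisco's code, not the original poster's): a toy first-match
evaluator for the subset of ASA extended-ACE syntax used in this thread. It
shows why a packet-tracer run can report "drop" while a real flow is permitted
when the test's protocol and source port do not match the live connection's.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]
ANY_PORTS: List[PortRange] = [(0, 65535)]
NAMED_PORTS = {"smtp": 25, "www": 80, "pop3": 110, "imap4": 143, "https": 443}

# Mirrors the page's objects: the internal host and the "mail" service group.
OBJECTS: Dict[str, str] = {"mailtest-int": "10.20.50.116"}
PORT_GROUPS: Dict[str, List[PortRange]] = {
    "mail": [(p, p) for p in (366, 465, 587, 993, 995, 143, 110, 25,
                              1000, 3000, 3101, 4069, 443, 80)],
}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: str                    # "any" or an IPv4 address
    src_ports: List[PortRange]
    dst: str
    dst_ports: List[PortRange]
    text: str                   # original line, kept for reporting


def port_num(tok: str) -> int:
    return NAMED_PORTS.get(tok) or int(tok)


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME extended ACTION PROTO SRC [ports] DST [ports]."""
    toks = line.split()
    if len(toks) < 7 or toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto, pos = toks[3], toks[4], 5

    def take_addr() -> str:
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "any"
        if toks[pos] == "object":       # only 'any' and 'object' occur in this thread
            pos += 2
            return OBJECTS[toks[pos - 1]]
        raise ValueError(f"unsupported address token: {toks[pos]}")

    def take_ports() -> List[PortRange]:
        nonlocal pos
        tok = toks[pos] if pos < len(toks) else ""
        if tok == "eq":
            p, pos = port_num(toks[pos + 1]), pos + 2
            return [(p, p)]
        if tok == "range":
            lo, hi, pos = port_num(toks[pos + 1]), port_num(toks[pos + 2]), pos + 3
            return [(lo, hi)]
        if tok == "object-group":
            grp, pos = PORT_GROUPS[toks[pos + 1]], pos + 2
            return grp
        return ANY_PORTS                # no qualifier means any port

    src, sp = take_addr(), take_ports()
    dst, dp = take_addr(), take_ports()
    return Ace(action, proto, src, sp, dst, dp, line)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.split()[2:3] != ["remark"]]


def in_ranges(port: int, ranges: List[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def evaluate(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching ACE wins; no match falls through to the implicit deny.
    dst_ip is the real (post-NAT) address, as on ASA 8.3+ interface ACLs."""
    for a in acl:
        if (a.proto in ("ip", proto) and a.src in ("any", src_ip)
                and a.dst in ("any", dst_ip)
                and in_ranges(src_port, a.src_ports)
                and in_ranges(dst_port, a.dst_ports)):
            return a.action, a.text
    return "deny", "implicit deny"


def unconstrained_dst_aces(acl) -> List[str]:
    """Audit: permit ACEs with no destination-port qualifier expose every
    service on the destination host to any source port they accept."""
    return [a.text for a in acl if a.action == "permit" and a.dst_ports == ANY_PORTS]


ACL = parse_acl([
    "access-list outside-in remark Any to Email Test Server for Email Services",
    "access-list outside-in extended permit tcp any object mailtest-int object-group mail",
    # HYPOTHETICAL stand-in for the loose VoIP rule the poster describes;
    # the thread never shows the real ACE or its port range.
    "access-list outside-in extended permit udp any range 16384 65535 object mailtest-int",
])
HOST = OBJECTS["mailtest-int"]


def trace_as_in_post():
    """The packet-tracer input from the post: TCP, source port 3753."""
    return evaluate(ACL, "tcp", "76.70.85.101", 3753, HOST, 3389)


def trace_with_flow_tuple():
    """Same test with protocol and source port copied from 'show conn'."""
    return evaluate(ACL, "udp", "24.27.101.164", 56835, HOST, 3389)
```

`trace_as_in_post()` falls through to the implicit deny, exactly as the poster's packet-tracer run did, while `trace_with_flow_tuple()` is permitted by the source-port-range ACE. The practical lesson for a defender is to feed packet-tracer the protocol and source port taken from `show conn` rather than an arbitrary tuple, and to periodically run something like `unconstrained_dst_aces()` over the outside ACL so that rules which open all destination ports to a host are reviewed deliberately.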

I noticed your NAT was using UDP on 3389, so you must have a whole bunch of high ports open for VoIP.

Be careful with that. You might want to look into SIP inspection, so the FW can open media ports for RTP dynamically, based on SIP signalling. If you run Firepower, then you can do deeper inspection and allow only if it is indeed RTP traffic and drop it when it's not.
