04-24-2018 08:31 AM - edited 02-21-2020 07:40 AM
We're in the process of restricting the lines in one of our access lists, and I've run across some interesting hits that seem strange. The UDP timeout is set for 2 minutes, but we have some traffic I wasn't expecting - it seems to me as if the UDP timer times out, because what's being matched on appears to me to be return traffic. We have more entries similar to the following with the destination port gt 50000, and I also have a "permit udp any any" after these entries. If I take out these entries with the source ports lt 1024 and the destination ports gt 50000, the "permit udp any any" will start incrementing again.
access-list MYACL line 13 extended permit udp 172.20.0.0 255.255.248.0 eq domain 172.16.16.0 255.255.248.0 gt 50000 (hitcnt=109) 0x934d4385
access-list MYACL line 19 extended permit udp 172.20.0.0 255.255.248.0 eq snmp 172.16.16.0 255.255.248.0 gt 50000 (hitcnt=409) 0x5e40e624
I remember crafting packets in the 80's with source port of 53 to get around the stateless ACLs on routers for UDP traffic, so I'm a little paranoid about permitting traffic that could potentially be a problem. I'd appreciate any thoughts here.
04-25-2018 01:15 AM
They look to me like DNS and SNMP server responses.
I believe you would need those rules if you do not have the inspection for dns and snmp enabled.
You could also do a capture of the packets to get more details.
HTH
Bogdan
04-26-2018 07:51 AM
I agree that these are responses for dns and snmp, and inspection is enabled for both of these. That was my concern - during the inspection process, ASA properly detects most responses but not all. I'm concerned that something may be going on that I need to investigate further, but I'm not able to find anything strange going on between or within the systems.
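As an added illustration of the mechanism discussed in this thread (a toy model written for this page, not ASA code or Cisco's implementation), the script below keeps a UDP connection table with the 2-minute idle timeout and only evaluates the interface ACL for packets that have no fresh state entry. It assumes MYACL is applied on the interface facing the 172.20.0.0/21 servers, that the client-side query is permitted by some other policy that is not modelled, and that the trailing "permit udp any any" sits at line 99 (a placeholder, since the thread does not give its line number). The constructed packet sequence shows the three ways a response packet can reach the ACL: a late response after the state entry expired, a response with no prior request at all, and unrelated UDP that falls through to any/any. A small review helper lists hits on the narrow source-port ACEs that had no prior request, which is the case the original poster is worried about.

```python
"""Toy model of stateful UDP handling in front of an interface ACL.

Constructed example for this thread; not ASA code. Assumptions: UDP idle
timeout of 2 minutes, a state table keyed on the 5-tuple in either direction,
MYACL applied only to packets arriving from the server side, and line 99 as a
placeholder for the trailing "permit udp any any".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UDP_IDLE_TIMEOUT = 120  # seconds, the 2-minute UDP timeout from the thread


@dataclass(frozen=True)
class Packet:
    t: int          # arrival time in seconds
    ingress: str    # "servers" (MYACL interface) or "inside"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    line: int
    src_net: str
    sport: Tuple[str, int]   # ("eq", 53), ("gt", 50000), ("any", 0)
    dst_net: str
    dport: Tuple[str, int]


def _port_match(spec: Tuple[str, int], port: int) -> bool:
    op, value = spec
    return {"any": True, "eq": port == value,
            "gt": port > value, "lt": port < value}[op]


def ace_matches(ace: Ace, p: Packet) -> bool:
    return (ipaddress.ip_address(p.src) in ipaddress.ip_network(ace.src_net)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(ace.dst_net)
            and _port_match(ace.sport, p.sport)
            and _port_match(ace.dport, p.dport))


# MYACL as described in the thread (line 99 is a placeholder line number)
MYACL: List[Ace] = [
    Ace(13, "172.20.0.0/21", ("eq", 53),  "172.16.16.0/21", ("gt", 50000)),
    Ace(19, "172.20.0.0/21", ("eq", 161), "172.16.16.0/21", ("gt", 50000)),
    Ace(99, "0.0.0.0/0",     ("any", 0),  "0.0.0.0/0",      ("any", 0)),
]


def first_match(acl: List[Ace], p: Packet) -> Optional[int]:
    """Return the line of the first matching ACE, or None for the implicit deny."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.line
    return None


def run(packets: List[Packet], acl: List[Ace] = MYACL,
        timeout: int = UDP_IDLE_TIMEOUT):
    """Replay packets; return (hit counts per ACE line, per-packet outcomes)."""
    conns: Dict[tuple, int] = {}          # direction-agnostic 5-tuple -> last seen
    hits = {ace.line: 0 for ace in acl}
    outcomes: List[Tuple[int, str]] = []
    for p in packets:
        key = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        last = conns.get(key)
        if last is not None and p.t - last <= timeout:
            conns[key] = p.t               # fresh state: refresh, never touches the ACL
            outcomes.append((p.t, "conn"))
            continue
        if p.ingress != "servers":
            conns[key] = p.t               # admitted by the (unmodelled) inside policy
            outcomes.append((p.t, "other-interface"))
            continue
        line = first_match(acl, p)
        if line is None:
            outcomes.append((p.t, "deny"))
            continue
        hits[line] += 1                    # this is the hitcnt the thread is looking at
        conns[key] = p.t
        reason = "expired-conn" if last is not None else "no-prior-conn"
        outcomes.append((p.t, f"ace{line}:{reason}"))
    return hits, outcomes


def review_unsolicited(outcomes: List[Tuple[int, str]],
                       lines=(13, 19)) -> List[Tuple[int, str]]:
    """Hits on the narrow source-port ACEs that had no request before them."""
    return [o for o in outcomes
            if o[1].endswith("no-prior-conn")
            and any(o[1].startswith(f"ace{n}:") for n in lines)]


# Constructed packet sequence (not captured traffic)
SAMPLE = [
    Packet(0,   "inside",  "172.16.16.10", 51000, "172.20.0.5",    53),     # DNS query
    Packet(1,   "servers", "172.20.0.5",      53, "172.16.16.10", 51000),  # reply, in state
    Packet(200, "servers", "172.20.0.5",      53, "172.16.16.10", 51000),  # late reply, state gone
    Packet(201, "servers", "172.20.0.5",     161, "172.16.16.20", 52000),  # SNMP "reply" w/o request
    Packet(202, "servers", "172.20.0.5",    5000, "172.16.16.20", 40000),  # unrelated UDP
    Packet(203, "servers", "172.20.0.5",    5000, "172.16.16.20", 40000),  # now in state
]

if __name__ == "__main__":
    h, o = run(SAMPLE)
    print(h)                       # {13: 1, 19: 1, 99: 1}
    for row in o:
        print(row)
    print("review:", review_unsolicited(o))
```

In the replay, only the packet at t=200 reaches line 13 because its state entry was last refreshed at t=1 and the idle timeout is 120 seconds, which is the "return traffic after the UDP timer expires" pattern described above; the t=201 packet matches line 19 with no preceding request and is the kind of hit worth checking against a capture, as suggested earlier in the thread.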