show conn entries starting with ESP

Hello,

I have noticed that some entries in show conn command starting with ESP like following

    ESP outside 207.241.148.226 dmz internal-server, idle 0:00:00, bytes 0
    ESP outside 61.17.217.48 dmz internal-server, idle 0:00:01, bytes 0
    ESP outside 64.18.2.161 dmz internal-server, idle 0:00:01, bytes 0
    ESP outside 77.203.92.39 dmz internal-server, idle 0:00:04, bytes 0
    ESP outside 209.85.210.178 dmz internal-server, idle 0:00:04, bytes 0

What is the meaning of this output?

Dileep

2 Replies

Jon Marshall
Hall of Fame

Dileep

ESP = Encapsulating Security Payload, which is used by IPsec for a VPN tunnel. Do you have VPN tunnels coming through your firewall?

Jon

Hi Jon,

I have made some mistake in the query, actually this output was from show local-host command.

Yes, I do have VPN tunnels terminated on the outside interface of the ASA.

This is the output of show local-host internal-server:

    UDP outside 202.54.12.164:53 dmz internal-server:43944, idle 0:00:05, bytes 33, flags -
    UDP outside 202.54.12.164:53 dmz internal-server:54644, idle 0:00:14, bytes 33, flags -
    ESP outside 190.234.24.138 dmz internal-server, idle 0:00:45, bytes 0
    ESP outside 182.48.196.18 dmz internal-server, idle 0:00:55, bytes 0
    UDP outside 172.16.105.10:53 dmz internal-server:2038, idle 0:00:49, bytes 90, flags -
    UDP outside 172.20.105.10:53 dmz internal-server:21528, idle 0:01:01, bytes 79, flags -
    ESP outside 67.195.168.31 dmz internal-server, idle 0:01:10, bytes 0
    TCP outside 67.195.168.31:25 dmz internal-server:34865, idle 0:00:00, bytes 3415944, flags UIO
    ESP outside 65.182.191.221 dmz internal-server, idle 0:01:11, bytes 0
    ESP outside 117.97.23.226 dmz internal-server, idle 0:01:18, bytes 0
    ESP outside 69.63.178.191 dmz internal-server, idle 0:05:47, bytes 0
    ESP outside 203.99.41.130 dmz internal-server, idle 0:06:33, bytes 0
    ESP outside 188.168.78.190 dmz internal-server, idle 0:07:44, bytes 0
    ESP outside 117.97.108.106 dmz internal-server, idle 3:54:06, bytes 0
    TCP outside 190.234.24.138:28781 dmz internal-server:25, idle 0:00:42, bytes 330, flags UIOB
    TCP outside 182.48.196.18:1210 dmz internal-server:25, idle 0:00:35, bytes 335, flags UIOB
    TCP outside 117.97.23.226:57264 dmz internal-server:143, idle 0:00:49, bytes 29466, flags UIOB

The output shows the connection entries made to a DMZ mail server; you can see that some entries start with ESP and then connect to the actual TCP port.

Thanks

Dileep
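As an added example (not code from the thread), a small Python check that parses conn-table lines in the format shown above and lists the outside hosts that have ESP entries but are not on a known VPN-peer list, together with the other flows seen from the same host. The sample lines are copied from the show local-host output above; the peer list is an assumption.

```python
import re
from collections import defaultdict
# One ASA "show conn" / "show local-host" entry (ESP entries carry no ports or flags), e.g.
#   TCP outside 67.195.168.31:25 dmz internal-server:34865, idle 0:00:00, bytes 3415944, flags UIO
CONN_RE = re.compile(
    r"^\s*(?P<proto>\w+) (?P<oif>\S+) (?P<oaddr>\S+) (?P<iif>\S+) (?P<iaddr>\S+),"
    r" idle (?P<idle>\d+:\d\d:\d\d), bytes (?P<bytes>\d+)(?:, flags (?P<flags>\S+))?\s*$"
)

def split_endpoint(ep):
    """'1.2.3.4:25' -> ('1.2.3.4', 25); a port-less ESP endpoint -> ('1.2.3.4', None)."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)

def parse_conn(line):
    """Parse one conn-table line into a dict; return None for lines that are not entries."""
    m = CONN_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ohost"], e["oport"] = split_endpoint(e["oaddr"])
    e["ihost"], e["iport"] = split_endpoint(e["iaddr"])
    e["bytes"] = int(e["bytes"])
    return e

def audit_esp(lines, vpn_peers):
    """Outside hosts with ESP (IP protocol 50) entries that are not known VPN peers,
    each with its ESP byte total and the other (proto, outside port, dmz port) flows seen."""
    by_host = defaultdict(list)
    for e in filter(None, map(parse_conn, lines)):
        by_host[e["ohost"]].append(e)
    findings = {}
    for host, entries in by_host.items():
        esp = [e for e in entries if e["proto"] == "ESP"]
        if esp and host not in vpn_peers:
            other = sorted((e["proto"], e["oport"], e["iport"]) for e in entries if e["proto"] != "ESP")
            findings[host] = {"esp_bytes": sum(e["bytes"] for e in esp), "other": other}
    return findings

# Sample input: lines copied from the show local-host output above; the peer list is assumed.
SAMPLE = """\
    ESP outside 190.234.24.138 dmz internal-server, idle 0:00:45, bytes 0
    ESP outside 67.195.168.31 dmz internal-server, idle 0:01:10, bytes 0
    TCP outside 67.195.168.31:25 dmz internal-server:34865, idle 0:00:00, bytes 3415944, flags UIO
    ESP outside 203.99.41.130 dmz internal-server, idle 0:06:33, bytes 0
    TCP outside 190.234.24.138:28781 dmz internal-server:25, idle 0:00:42, bytes 330, flags UIOB
""".splitlines()
KNOWN_VPN_PEERS = {"203.99.41.130"}  # assumption: the one configured IPsec peer
print(audit_esp(SAMPLE, KNOWN_VPN_PEERS))  # run stand-alone to see the findings
```

Any host reported here is sending ESP to the mail server without being a configured peer, which is worth checking against the VPN peer configuration before assuming the entries are real tunnels.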
