272 Views, 0 Helpful, 1 Replies

Source and Destination - reversed

Isprofessional
Level 1
I have a really basic question I'm hoping someone will answer...
I'm reviewing permitted traffic for a single ACL in the ASA Real-time Log Viewer.
 
The vast majority of these follow the format I expect.
 
For example an incoming request to a web server:
[...] Source IP Source Port Destination IP Destination Port Description
###.###.###.### 54789 ###.###.###.### 443 access-list outside_access_in permitted TCP [...] hit-cnt 1 first hit
Makes perfect sense. Outside interface is permitting traffic from a dynamic source port on an external host to the HTTPS listener on port 443 on an inside host. Log shows the 1st hit - start of the conversation.
 
What I'm confused by is entries like the following:
[...] Source IP Source Port Destination IP Destination Port Description
###.###.###.### 25 ###.###.###.### 54877 access-list outside_access_in permitted TCP [...] hit-cnt 1 first hit
In this case it appears to be showing a static/well-known source port on an external host connecting to a dynamic port on the internal host. If it weren't for the indication that this is a 1st hit, I'd guess this was a response to an established connection, but that doesn't appear to be the case.
 
So the question is simply "What does it mean when the initial connection on an external host uses a well-known port to attempt to connect to a dynamic port on an internal host?"
 
Thanks
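Not part of the original post: an added Python example that parses the columnar lines quoted above (constructed samples using documentation addresses, assuming the Real-time Log Viewer layout shown) and flags the permitted first-hit entries that show the reversed port pattern the question describes, so they can be pulled out of a large export for review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Columnar layout as it appears in the post:
# <src ip> <src port> <dst ip> <dst port> access-list <name> permitted <proto> [...] hit-cnt <n> first hit
LINE_RE = re.compile(
    r"^(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst_port>\d+)\s+"
    r"access-list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<proto>\S+)"
    r".*?hit-cnt\s+(?P<hits>\d+)(?P<first>\s+first hit)?"
)

@dataclass
class AclHit:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    acl: str
    action: str
    proto: str
    hit_cnt: int
    first_hit: bool

def parse_line(line: str) -> Optional[AclHit]:
    """Parse one viewer line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AclHit(m["src_ip"], int(m["src_port"]), m["dst_ip"], int(m["dst_port"]),
                  m["acl"], m["action"], m["proto"].lower(), int(m["hits"]), bool(m["first"]))

WELL_KNOWN_MAX = 1023  # IANA system port range is 0-1023

def is_reversed_port_pattern(hit: AclHit) -> bool:
    """Permitted first hit whose source port is well-known and whose destination port is ephemeral."""
    return (hit.first_hit and hit.action == "permitted"
            and hit.src_port <= WELL_KNOWN_MAX and hit.dst_port > WELL_KNOWN_MAX)

def find_reversed_hits(log_text: str) -> List[AclHit]:
    """Return only the entries worth a second look, in log order."""
    return [h for h in map(parse_line, log_text.splitlines()) if h and is_reversed_port_pattern(h)]

# Constructed sample lines mirroring the two entries in the post, plus one later hit (not a first hit).
SAMPLE_LOG = """\
203.0.113.10 54789 192.0.2.20 443 access-list outside_access_in permitted TCP [...] hit-cnt 1 first hit
203.0.113.11 25 192.0.2.21 54877 access-list outside_access_in permitted TCP [...] hit-cnt 1 first hit
203.0.113.12 53 192.0.2.22 40001 access-list outside_access_in permitted UDP [...] hit-cnt 17
"""
```

Running find_reversed_hits(SAMPLE_LOG) returns only the source-port-25 entry; the UDP line is skipped because it is not a first hit.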
1 Reply

Charlie Moreton
Cisco Employee

Moving to the right forum