5505 firewall, block everything except a few ports

haakonrovik
Level 1

Hi folks

We have a client that is running a PC on an internet connection over satellite.

To avoid any unnecessary traffic over the satellite link (data traffic is quite expensive), we've suggested using a 5505, as we had one handy already.

So basically what we wanted was to block everything outgoing and everything incoming, except for example port 22 (ssh).

But I'm struggling a bit, since this is my first Cisco router to be configured.

My interfaces are as follows.

Outside - DHCP

Inside (port 1) - 192.168.1.1

I'm only running ipv4.

In ASDM I made a static NAT rule for port 22, being forwarded to 192.168.1.5 (the computer).

In Access Rules I made

under outside (incoming rules)

source=any  destination=outside service=ssh action=permit

So far so good.

But when I try to add further rules to block everything else, it takes the SSH on port 22 with it.

How should I do this the easiest way?

The hardware setup is pretty straightforward.

sat-terminal(with IP 192.168.0.1 running DHCP)   ->  5505 (outside IP=DHCP - inside IP=192.168.1.1)   ->    computer (IP=192.168.1.5)

24 Replies

Hi again

That worked very well for my test with port 22 and ssh, thanks.

I moved the setup over to the sat-terminal.

Added the extra ports.

The only program that is allowed to get access is a mail program, but I still get problems resolving DNS, though.

Unable to resolve the IP to DNS.

This mail program talks to a server that has a specific domain name; I think I might have to gain access to this server specifically as well.

-Håkon

Hi,

Was there still something on the ASA that needs a look? If you are testing some connections through the ASA I would suggest looking at the ASDM logs while you test the connections and see if any connections are blocked by the ACL.

Please remember to rate answers and/or mark the question as answered (if it is).

- Jouni

Hi Jouni

There's still something that needs to be done.

Inbound DNS is still being blocked, it seems, according to the logs.

I guess in addition to below rules

access-list INSIDE-IN permit tcp any any eq 54

access-group INSIDE-IN in interface inside

I will need something like:

access-list OUTSIDE-OUT permit tcp any any eq 54

access-group OUTSIDE-OUT in interface OUTSIDE

?

Also, trying to figure out how to gain access to specific IP addresses, IP ranges and host names from the outside to the inside.

I will need to have access to the sat-terminal's web-page on 192.168.0.1

-Håkon

Hi

I managed to fix my problems.

There were more ports I had to open from the inside; the manufacturer did not specify all the ports that I had to open.

I did not need to open any ports on the outside interface, all was done on the inside interface.

I also managed to let the computer gain access to the network between the sat-terminal and the firewall (192.168.0.0/24)

This was to gain access to a configuration web page that was running on the sat-terminal; ports 80 and 8080 were also opened for this.

I did however do this in the web configurator of the 5505, so I don't know the command; if you could enlighten me on that for next time, that'd be appreciated.

I think the rule was in the order of "INSIDE-IN permit tcp any any 192.168.0.0./24 interface inside" ??

Anyway, thanks for the help.

-Håkon

Hi,

If you want, you can always share the configuration here (CLI format) and I can go through the configurations and explain what the different configuration parameters/commands do.

I personally don't use the ASDM graphical user interface that much for actual configurations. I mostly use it in case of troubleshooting, especially monitoring logs in real time. If you happen to have doubts that some connections still aren't going through, I would suggest using the ASDM Monitoring/Logging section to see if anything gets blocked by the firewall. There you can easily determine if something is getting blocked while you test connections.

Good thing that there was no need to open ports from the "outside". It would have made the situation much harder to accomplish.

- Jouni

That'd be very nice if you could do that.

We're testing live here now with the sat-terminal, and we still see some traffic when the connected PC is idling.

We want as little traffic as possible to go through.

The data transfer over satellite is quite expensive.

As it is right now, we get around 80kb of traffic that is not started by the user over around 30 minutes.

I suspect it is because maybe there is some DNS lookup from time to time, for windows updates and other stuff, but I can't say for sure. I'll enclose some logs, hope this won't break the forums..

When I look in the log, I see all sorts of ports being used. What does Teardown mean in this setting?

FYI we have two laptops on the system, 192.168.1.7 and 8, where 7 is a WinXP laptop where Windows Update/Java update etc. are shut off manually, and 8 is a Windows 7 laptop from our office environment that has Windows Update etc. running as normal. The mail program in question, which is the only program to gain access, runs normally now. Web browsing is being blocked, so far so good. But I'm quite unsure why there is additional traffic going.

------- config (not sure if there is another way to show config, or more details, do tell me if it is).------

ciscoasa(config)# show run access-list

access-list INSIDE-IN extended permit tcp any any eq ssh

access-list INSIDE-IN extended permit udp any any eq 22

access-list INSIDE-IN extended permit udp any any eq domain

access-list INSIDE-IN extended permit udp any any eq 4710

access-list INSIDE-IN extended permit tcp any any eq domain

access-list INSIDE-IN extended permit tcp any any eq 4708

access-list INSIDE-IN extended permit udp any any eq 4708

access-list INSIDE-IN extended permit tcp any any eq 4709

access-list INSIDE-IN extended permit udp any any eq 4709

access-list INSIDE-IN extended permit tcp any any eq 4710

access-list INSIDE-IN extended permit object-group TCPUDP any BDU 255.255.0.0 object-group DM_INLINE_TCPUDP_1

ciscoasa(config)# show run access-group

access-group INSIDE-IN in interface inside

---------------

------ rules displayed in ASDM (screenshot not included) ------

----------------- snipped from logs in ASDM, hope this won't break the forums too much ---------

4|Apr 22 2013|01:31:02|106023|192.168.1.7|1623|130.67.15.251|80|Deny tcp src inside:192.168.1.7/1623 dst outside:130.67.15.251/80 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:31:02|302014|192.168.0.1|80|192.168.1.7|1626|Teardown TCP connection 17043 for outside:192.168.0.1/80 to inside:192.168.1.7/1626 duration 0:00:00 bytes 671 TCP FINs

6|Apr 22 2013|01:31:02|302014|192.168.0.1|80|192.168.1.7|1625|Teardown TCP connection 17042 for outside:192.168.0.1/80 to inside:192.168.1.7/1625 duration 0:00:00 bytes 663 TCP FINs

6|Apr 22 2013|01:31:02|305012|192.168.1.7|1589|192.168.0.2|35052|Teardown dynamic TCP translation from inside:192.168.1.7/1589 to outside:192.168.0.2/35052 duration 0:00:30

6|Apr 22 2013|01:31:02|305012|192.168.1.7|1588|192.168.0.2|37551|Teardown dynamic TCP translation from inside:192.168.1.7/1588 to outside:192.168.0.2/37551 duration 0:00:30

6|Apr 22 2013|01:31:02|302014|192.168.0.1|80|192.168.1.7|1624|Teardown TCP connection 17041 for outside:192.168.0.1/80 to inside:192.168.1.7/1624 duration 0:00:00 bytes 658 TCP FINs

6|Apr 22 2013|01:31:02|305012|192.168.1.7|1587|192.168.0.2|53157|Teardown dynamic TCP translation from inside:192.168.1.7/1587 to outside:192.168.0.2/53157 duration 0:00:30

6|Apr 22 2013|01:31:02|305012|192.168.1.7|1586|192.168.0.2|61958|Teardown dynamic TCP translation from inside:192.168.1.7/1586 to outside:192.168.0.2/61958 duration 0:00:30

6|Apr 22 2013|01:31:02|305012|192.168.1.7|1585|192.168.0.2|6702|Teardown dynamic TCP translation from inside:192.168.1.7/1585 to outside:192.168.0.2/6702 duration 0:00:30

6|Apr 22 2013|01:31:01|302013|192.168.1.7|1628|192.168.0.1|80|Built outbound TCP connection 17045 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1628 (192.168.0.2/3109)

6|Apr 22 2013|01:31:01|305011|192.168.1.7|1628|192.168.0.2|3109|Built dynamic TCP translation from inside:192.168.1.7/1628 to outside:192.168.0.2/3109

6|Apr 22 2013|01:31:01|302013|192.168.1.7|1627|192.168.0.1|80|Built outbound TCP connection 17044 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1627 (192.168.0.2/62968)

6|Apr 22 2013|01:31:01|305011|192.168.1.7|1627|192.168.0.2|62968|Built dynamic TCP translation from inside:192.168.1.7/1627 to outside:192.168.0.2/62968

6|Apr 22 2013|01:31:01|302013|192.168.1.7|1626|192.168.0.1|80|Built outbound TCP connection 17043 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1626 (192.168.0.2/6363)

6|Apr 22 2013|01:31:01|305011|192.168.1.7|1626|192.168.0.2|6363|Built dynamic TCP translation from inside:192.168.1.7/1626 to outside:192.168.0.2/6363

6|Apr 22 2013|01:31:01|302013|192.168.1.7|1625|192.168.0.1|80|Built outbound TCP connection 17042 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1625 (192.168.0.2/30357)

6|Apr 22 2013|01:31:01|305011|192.168.1.7|1625|192.168.0.2|30357|Built dynamic TCP translation from inside:192.168.1.7/1625 to outside:192.168.0.2/30357

6|Apr 22 2013|01:31:01|302013|192.168.1.7|1624|192.168.0.1|80|Built outbound TCP connection 17041 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1624 (192.168.0.2/19681)

6|Apr 22 2013|01:31:01|305011|192.168.1.7|1624|192.168.0.2|19681|Built dynamic TCP translation from inside:192.168.1.7/1624 to outside:192.168.0.2/19681

4|Apr 22 2013|01:31:01|106023|192.168.1.7|1623|130.67.15.251|80|Deny tcp src inside:192.168.1.7/1623 dst outside:130.67.15.251/80 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:31:01|302014|192.168.0.3|80|192.168.1.7|1622|Teardown TCP connection 17040 for outside:192.168.0.3/80 to inside:192.168.1.7/1622 duration 0:00:00 bytes 2726 TCP FINs

6|Apr 22 2013|01:31:01|302013|192.168.1.7|1622|192.168.0.3|80|Built outbound TCP connection 17040 for outside:192.168.0.3/80 (192.168.0.3/80) to inside:192.168.1.7/1622 (192.168.0.2/24507)

6|Apr 22 2013|01:31:01|305011|192.168.1.7|1622|192.168.0.2|24507|Built dynamic TCP translation from inside:192.168.1.7/1622 to outside:192.168.0.2/24507

6|Apr 22 2013|01:31:01|305012|192.168.1.7|1584|192.168.0.2|25779|Teardown dynamic TCP translation from inside:192.168.1.7/1584 to outside:192.168.0.2/25779 duration 0:00:30

6|Apr 22 2013|01:31:01|302014|192.168.0.1|80|192.168.1.8|60761|Teardown TCP connection 17039 for outside:192.168.0.1/80 to inside:192.168.1.8/60761 duration 0:00:01 bytes 675 TCP FINs

6|Apr 22 2013|01:31:01|302014|192.168.0.1|80|192.168.1.8|60760|Teardown TCP connection 17038 for outside:192.168.0.1/80 to inside:192.168.1.8/60760 duration 0:00:00 bytes 667 TCP FINs

6|Apr 22 2013|01:31:01|302014|192.168.0.1|80|192.168.1.8|60759|Teardown TCP connection 17037 for outside:192.168.0.1/80 to inside:192.168.1.8/60759 duration 0:00:00 bytes 662 TCP FINs

6|Apr 22 2013|01:31:01|302014|192.168.0.1|80|192.168.1.7|1621|Teardown TCP connection 17036 for outside:192.168.0.1/80 to inside:192.168.1.7/1621 duration 0:00:04 bytes 0 TCP FINs

6|Apr 22 2013|01:31:00|305012|192.168.1.8|60737|192.168.0.2|34647|Teardown dynamic TCP translation from inside:192.168.1.8/60737 to outside:192.168.0.2/34647 duration 0:00:30

6|Apr 22 2013|01:31:00|305012|192.168.1.8|60736|192.168.0.2|32885|Teardown dynamic TCP translation from inside:192.168.1.8/60736 to outside:192.168.0.2/32885 duration 0:00:30

6|Apr 22 2013|01:31:00|305012|192.168.1.8|60735|192.168.0.2|29733|Teardown dynamic TCP translation from inside:192.168.1.8/60735 to outside:192.168.0.2/29733 duration 0:00:30

6|Apr 22 2013|01:31:00|302013|192.168.1.8|60761|192.168.0.1|80|Built outbound TCP connection 17039 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.8/60761 (192.168.0.2/57340)

6|Apr 22 2013|01:31:00|305011|192.168.1.8|60761|192.168.0.2|57340|Built dynamic TCP translation from inside:192.168.1.8/60761 to outside:192.168.0.2/57340

6|Apr 22 2013|01:31:00|302013|192.168.1.8|60760|192.168.0.1|80|Built outbound TCP connection 17038 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.8/60760 (192.168.0.2/3213)

6|Apr 22 2013|01:31:00|305011|192.168.1.8|60760|192.168.0.2|3213|Built dynamic TCP translation from inside:192.168.1.8/60760 to outside:192.168.0.2/3213

6|Apr 22 2013|01:31:00|302013|192.168.1.8|60759|192.168.0.1|80|Built outbound TCP connection 17037 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.8/60759 (192.168.0.2/17385)

6|Apr 22 2013|01:31:00|305011|192.168.1.8|60759|192.168.0.2|17385|Built dynamic TCP translation from inside:192.168.1.8/60759 to outside:192.168.0.2/17385

6|Apr 22 2013|01:30:59|302014|192.168.0.1|80|192.168.1.7|1620|Teardown TCP connection 17035 for outside:192.168.0.1/80 to inside:192.168.1.7/1620 duration 0:00:02 bytes 0 TCP FINs

6|Apr 22 2013|01:30:58|305012|192.168.1.7|1583|192.168.0.2|59765|Teardown dynamic TCP translation from inside:192.168.1.7/1583 to outside:192.168.0.2/59765 duration 0:00:30

4|Apr 22 2013|01:30:57|106023|192.168.1.8|60758|173.194.78.113|443|Deny tcp src inside:192.168.1.8/60758 dst outside:173.194.78.113/443 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:30:57|302014|192.168.0.1|80|192.168.1.7|1619|Teardown TCP connection 17034 for outside:192.168.0.1/80 to inside:192.168.1.7/1619 duration 0:00:00 bytes 671 TCP FINs

6|Apr 22 2013|01:30:57|302014|192.168.0.1|80|192.168.1.7|1618|Teardown TCP connection 17033 for outside:192.168.0.1/80 to inside:192.168.1.7/1618 duration 0:00:00 bytes 663 TCP FINs

6|Apr 22 2013|01:30:57|305012|192.168.1.7|1581|192.168.0.2|24633|Teardown dynamic TCP translation from inside:192.168.1.7/1581 to outside:192.168.0.2/24633 duration 0:00:30

6|Apr 22 2013|01:30:57|302014|192.168.0.1|80|192.168.1.7|1617|Teardown TCP connection 17032 for outside:192.168.0.1/80 to inside:192.168.1.7/1617 duration 0:00:00 bytes 658 TCP FINs

6|Apr 22 2013|01:30:57|305012|192.168.1.7|1580|192.168.0.2|11847|Teardown dynamic TCP translation from inside:192.168.1.7/1580 to outside:192.168.0.2/11847 duration 0:00:30

6|Apr 22 2013|01:30:57|305012|192.168.1.7|1579|192.168.0.2|17128|Teardown dynamic TCP translation from inside:192.168.1.7/1579 to outside:192.168.0.2/17128 duration 0:00:30

6|Apr 22 2013|01:30:57|305012|192.168.1.7|1578|192.168.0.2|18788|Teardown dynamic TCP translation from inside:192.168.1.7/1578 to outside:192.168.0.2/18788 duration 0:00:30

6|Apr 22 2013|01:30:57|305012|192.168.1.7|1577|192.168.0.2|15282|Teardown dynamic TCP translation from inside:192.168.1.7/1577 to outside:192.168.0.2/15282 duration 0:00:30

6|Apr 22 2013|01:30:56|302013|192.168.1.7|1621|192.168.0.1|80|Built outbound TCP connection 17036 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1621 (192.168.0.2/8445)

6|Apr 22 2013|01:30:56|305011|192.168.1.7|1621|192.168.0.2|8445|Built dynamic TCP translation from inside:192.168.1.7/1621 to outside:192.168.0.2/8445

6|Apr 22 2013|01:30:56|302013|192.168.1.7|1620|192.168.0.1|80|Built outbound TCP connection 17035 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1620 (192.168.0.2/37725)

6|Apr 22 2013|01:30:56|305011|192.168.1.7|1620|192.168.0.2|37725|Built dynamic TCP translation from inside:192.168.1.7/1620 to outside:192.168.0.2/37725

4|Apr 22 2013|01:30:56|106023|192.168.1.8|60758|173.194.78.113|443|Deny tcp src inside:192.168.1.8/60758 dst outside:173.194.78.113/443 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:30:56|302013|192.168.1.7|1619|192.168.0.1|80|Built outbound TCP connection 17034 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1619 (192.168.0.2/16647)

6|Apr 22 2013|01:30:56|305011|192.168.1.7|1619|192.168.0.2|16647|Built dynamic TCP translation from inside:192.168.1.7/1619 to outside:192.168.0.2/16647

6|Apr 22 2013|01:30:56|302013|192.168.1.7|1618|192.168.0.1|80|Built outbound TCP connection 17033 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1618 (192.168.0.2/59668)

6|Apr 22 2013|01:30:56|305011|192.168.1.7|1618|192.168.0.2|59668|Built dynamic TCP translation from inside:192.168.1.7/1618 to outside:192.168.0.2/59668

6|Apr 22 2013|01:30:56|302013|192.168.1.7|1617|192.168.0.1|80|Built outbound TCP connection 17032 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.7/1617 (192.168.0.2/3945)

6|Apr 22 2013|01:30:56|305011|192.168.1.7|1617|192.168.0.2|3945|Built dynamic TCP translation from inside:192.168.1.7/1617 to outside:192.168.0.2/3945

4|Apr 22 2013|01:30:56|106023|192.168.1.8|60758|173.194.78.113|443|Deny tcp src inside:192.168.1.8/60758 dst outside:173.194.78.113/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:56|106023|192.168.1.8|60757|173.194.78.101|443|Deny tcp src inside:192.168.1.8/60757 dst outside:173.194.78.101/443 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:30:56|302014|192.168.0.3|80|192.168.1.7|1616|Teardown TCP connection 17031 for outside:192.168.0.3/80 to inside:192.168.1.7/1616 duration 0:00:00 bytes 2726 TCP FINs

6|Apr 22 2013|01:30:56|302013|192.168.1.7|1616|192.168.0.3|80|Built outbound TCP connection 17031 for outside:192.168.0.3/80 (192.168.0.3/80) to inside:192.168.1.7/1616 (192.168.0.2/18290)

6|Apr 22 2013|01:30:56|305011|192.168.1.7|1616|192.168.0.2|18290|Built dynamic TCP translation from inside:192.168.1.7/1616 to outside:192.168.0.2/18290

6|Apr 22 2013|01:30:56|305012|192.168.1.7|1575|192.168.0.2|52936|Teardown dynamic TCP translation from inside:192.168.1.7/1575 to outside:192.168.0.2/52936 duration 0:00:30

4|Apr 22 2013|01:30:55|106023|192.168.1.8|60757|173.194.78.101|443|Deny tcp src inside:192.168.1.8/60757 dst outside:173.194.78.101/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:55|106023|192.168.1.8|60757|173.194.78.101|443|Deny tcp src inside:192.168.1.8/60757 dst outside:173.194.78.101/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:55|106023|192.168.1.8|60753|173.194.78.138|443|Deny tcp src inside:192.168.1.8/60753 dst outside:173.194.78.138/443 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:30:55|302014|192.168.0.1|80|192.168.1.8|60756|Teardown TCP connection 17030 for outside:192.168.0.1/80 to inside:192.168.1.8/60756 duration 0:00:00 bytes 675 TCP FINs

6|Apr 22 2013|01:30:55|302014|192.168.0.1|80|192.168.1.8|60755|Teardown TCP connection 17029 for outside:192.168.0.1/80 to inside:192.168.1.8/60755 duration 0:00:00 bytes 667 TCP FINs

6|Apr 22 2013|01:30:55|302014|192.168.0.1|80|192.168.1.8|60754|Teardown TCP connection 17028 for outside:192.168.0.1/80 to inside:192.168.1.8/60754 duration 0:00:00 bytes 662 TCP FINs

6|Apr 22 2013|01:30:55|305012|192.168.1.8|60731|192.168.0.2|60085|Teardown dynamic TCP translation from inside:192.168.1.8/60731 to outside:192.168.0.2/60085 duration 0:00:30

6|Apr 22 2013|01:30:55|305012|192.168.1.8|60730|192.168.0.2|32444|Teardown dynamic TCP translation from inside:192.168.1.8/60730 to outside:192.168.0.2/32444 duration 0:00:30

6|Apr 22 2013|01:30:55|305012|192.168.1.8|60729|192.168.0.2|62022|Teardown dynamic TCP translation from inside:192.168.1.8/60729 to outside:192.168.0.2/62022 duration 0:00:30

6|Apr 22 2013|01:30:55|302013|192.168.1.8|60756|192.168.0.1|80|Built outbound TCP connection 17030 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.8/60756 (192.168.0.2/45554)

6|Apr 22 2013|01:30:55|305011|192.168.1.8|60756|192.168.0.2|45554|Built dynamic TCP translation from inside:192.168.1.8/60756 to outside:192.168.0.2/45554

6|Apr 22 2013|01:30:55|302013|192.168.1.8|60755|192.168.0.1|80|Built outbound TCP connection 17029 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.8/60755 (192.168.0.2/26132)

6|Apr 22 2013|01:30:55|305011|192.168.1.8|60755|192.168.0.2|26132|Built dynamic TCP translation from inside:192.168.1.8/60755 to outside:192.168.0.2/26132

6|Apr 22 2013|01:30:55|302013|192.168.1.8|60754|192.168.0.1|80|Built outbound TCP connection 17028 for outside:192.168.0.1/80 (192.168.0.1/80) to inside:192.168.1.8/60754 (192.168.0.2/24862)

6|Apr 22 2013|01:30:55|305011|192.168.1.8|60754|192.168.0.2|24862|Built dynamic TCP translation from inside:192.168.1.8/60754 to outside:192.168.0.2/24862

4|Apr 22 2013|01:30:54|106023|192.168.1.8|60753|173.194.78.138|443|Deny tcp src inside:192.168.1.8/60753 dst outside:173.194.78.138/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:54|106023|192.168.1.8|60753|173.194.78.138|443|Deny tcp src inside:192.168.1.8/60753 dst outside:173.194.78.138/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:54|106023|192.168.1.8|60752|173.194.78.100|443|Deny tcp src inside:192.168.1.8/60752 dst outside:173.194.78.100/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:53|106023|192.168.1.8|60752|173.194.78.100|443|Deny tcp src inside:192.168.1.8/60752 dst outside:173.194.78.100/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:53|106023|192.168.1.8|60752|173.194.78.100|443|Deny tcp src inside:192.168.1.8/60752 dst outside:173.194.78.100/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:53|106023|192.168.1.8|60751|173.194.78.139|443|Deny tcp src inside:192.168.1.8/60751 dst outside:173.194.78.139/443 by access-group "INSIDE-IN" [0x0, 0x0]

2|Apr 22 2013|01:30:53|106007|192.168.0.1|53|DNS||Deny inbound UDP from 192.168.0.1/53 to 192.168.0.2/29904 due to DNS Response

4|Apr 22 2013|01:30:52|106023|192.168.1.8|60751|173.194.78.139|443|Deny tcp src inside:192.168.1.8/60751 dst outside:173.194.78.139/443 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:30:52|302016|192.168.0.1|53|192.168.1.8|51277|Teardown UDP connection 17023 for outside:192.168.0.1/53 to inside:192.168.1.8/51277 duration 0:00:02 bytes 311

4|Apr 22 2013|01:30:52|106023|192.168.1.8||192.168.0.1||Deny icmp src inside:192.168.1.8 dst outside:192.168.0.1 (type 3, code 3) by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:52|106023|192.168.1.8|60751|173.194.78.139|443|Deny tcp src inside:192.168.1.8/60751 dst outside:173.194.78.139/443 by access-group "INSIDE-IN" [0x0, 0x0]

4|Apr 22 2013|01:30:52|106023|192.168.1.8|60750|173.194.78.102|443|Deny tcp src inside:192.168.1.8/60750 dst outside:173.194.78.102/443 by access-group "INSIDE-IN" [0x0, 0x0]

6|Apr 22 2013|01:30:52|302014|192.168.0.1|80|192.168.1.7|1615|Teardown TCP connection 17027 for outside:192.168.0.1/80 to inside:192.168.1.7/1615 duration 0:00:00 bytes 671 TCP FINs

6|Apr 22 2013|01:30:52|302014|192.168.0.1|80|192.168.1.7|1614|Teardown TCP connection 17026 for outside:192.168.0.1/80 to inside:192.168.1.7/1614 duration 0:00:00 bytes 663 TCP FINs

6|Apr 22 2013|01:30:52|302014|192.168.0.1|80|192.168.1.7|1613|Teardown TCP connection 17025 for outside:192.168.0.1/80 to inside:192.168.1.7/1613 duration 0:00:00 bytes 658 TCP FINs

6|Apr 22 2013|01:30:52|305012|192.168.1.7|1573|192.168.0.2|41321|Teardown dynamic TCP translation from inside:192.168.1.7/1573 to outside:192.168.0.2/41321 duration 0:00:30

6|Apr 22 2013|01:30:52|305012|192.168.1.7|1572|192.168.0.2|50910|Teardown dynamic TCP translation from inside:192.168.1.7/1572 to outside:192.168.0.2/50910 duration 0:00:30

6|Apr 22 2013|01:30:52|305012|192.168.1.7|1571|192.168.0.2|64944|Teardown dynamic TCP translation from inside:192.168.1.7/1571 to outside:192.168.0.2/64944 duration 0:00:30

6|Apr 22 2013|01:30:52|305012|192.168.1.7|1570|192.168.0.2|34515|Teardown dynamic TCP translation from inside:192.168.1.7/1570 to outside:192.168.0.2/34515 duration 0:00:30

6|Apr 22 2013|01:30:52|305012|192.168.1.7|1569|192.168.0.2|31210|Teardown dynamic TCP translation from inside:192.168.1.7/1569 to outside:192.168.0.2/31210 duration 0:00:30

----------------------------------------------------

Hi,

"Teardown" messages are normal ASA Syslog messages. They usually tell that either a TCP/UDP connection is being removed from the firewall (since the hosts have closed the connection) or it might be about removing a NAT translation for a TCP/UDP connection.

In the case of TCP connections, the Teardown messages give the most information. They will tell us if a connection has been normally closed by the hosts (TCP FINs), or if a TCP connection attempt timed out (SYN Timeout, Conn timeout etc.), or it might tell that either of the 2 endpoints of the TCP connection reset the TCP connection (TCP Reset).

I looked through the logs you posted.

To me it seems most of the connections are connections from the client PCs behind the ASA to the sat-terminal device (192.168.0.1). There are also connections to 192.168.0.3. I don't know what that is.

I would check that you don't leave any HTTP management connection active on the hosts while you monitor how much traffic goes through the ASA while the PC hosts are idle. They might automatically refresh the page or something and cause the extra traffic. Though that still doesn't mean that the connections head out the sat-terminal, which is the only thing that matters.

If in doubt, I would suggest a traffic capture on the hosts directly or on the ASA, which will let you know exactly what traffic goes through the ASA and out the sat-terminal.

Also, naturally, the good practice is to disable all unnecessary services on the client PCs.

- Jouni
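As an added illustration (not code from the thread or from Cisco), a small Python script that parses the ASDM log-viewer format posted above and answers the question Jouni raises: how many of the Teardown bytes went to peers beyond the sat-terminal's LAN (192.168.0.0/24, which costs nothing over the link) versus out over the satellite, and what the INSIDE-IN access-group dropped. The sample lines are constructed in that format; 203.0.113.10 is a placeholder documentation address, and the script assumes the ASA names its interfaces "inside" and "outside" as in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the ASDM log-viewer export format used in the thread:
# severity|date|time|message-id|src|src-port|dst|dst-port|message text
# (203.0.113.10 is a documentation address standing in for an Internet host)
SAMPLE_LOG = """\
4|Apr 22 2013|01:31:02|106023|192.168.1.7|1623|130.67.15.251|80|Deny tcp src inside:192.168.1.7/1623 dst outside:130.67.15.251/80 by access-group "INSIDE-IN" [0x0, 0x0]
6|Apr 22 2013|01:31:02|302014|192.168.0.1|80|192.168.1.7|1626|Teardown TCP connection 17043 for outside:192.168.0.1/80 to inside:192.168.1.7/1626 duration 0:00:00 bytes 671 TCP FINs
6|Apr 22 2013|01:31:02|305012|192.168.1.7|1589|192.168.0.2|35052|Teardown dynamic TCP translation from inside:192.168.1.7/1589 to outside:192.168.0.2/35052 duration 0:00:30
6|Apr 22 2013|01:31:01|302014|192.168.0.3|80|192.168.1.7|1622|Teardown TCP connection 17040 for outside:192.168.0.3/80 to inside:192.168.1.7/1622 duration 0:00:00 bytes 2726 TCP FINs
2|Apr 22 2013|01:30:53|106007|192.168.0.1|53|DNS||Deny inbound UDP from 192.168.0.1/53 to 192.168.0.2/29904 due to DNS Response
6|Apr 22 2013|01:30:52|302016|192.168.0.1|53|192.168.1.8|51277|Teardown UDP connection 17023 for outside:192.168.0.1/53 to inside:192.168.1.8/51277 duration 0:00:02 bytes 311
6|Apr 22 2013|01:30:45|302014|203.0.113.10|443|192.168.1.8|60700|Teardown TCP connection 17010 for outside:203.0.113.10/443 to inside:192.168.1.8/60700 duration 0:00:03 bytes 1540 TCP FINs
6|Apr 22 2013|01:30:40|302014|203.0.113.10|443|192.168.1.8|60699|Teardown TCP connection 17009 for outside:203.0.113.10/443 to inside:192.168.1.8/60699 duration 0:00:30 bytes 0 SYN Timeout
"""

# The sat-terminal's own LAN: traffic to these addresses never crosses the satellite link
LOCAL_LINK = ipaddress.ip_network("192.168.0.0/24")

TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection \d+ for (?P<aif>\w+):(?P<aip>[\d.]+)/(?P<aport>\d+) "
    r"to (?P<bif>\w+):(?P<bip>[\d.]+)/(?P<bport>\d+) duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<host>[\d.]+)(?:/\d+)? dst \w+:(?P<peer>[\d.]+)(?:/(?P<pport>\d+))?"
)


def parse_line(line):
    """Split one ASDM log line into a record; returns None if it is not the 9-field format."""
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        return None
    sev, date, time_, msgid, _src, _sport, _dst, _dport, text = fields
    rec = {"severity": int(sev), "msgid": msgid, "time": f"{date} {time_}", "kind": "other"}
    if msgid in ("302014", "302016"):                  # TCP / UDP connection teardown
        m = TEARDOWN_RE.search(text)
        if m:
            a = (m["aif"], m["aip"], m["aport"])
            b = (m["bif"], m["bip"], m["bport"])
            peer, host = (a, b) if a[0] == "outside" else (b, a)   # assumes "outside" naming
            rec.update(kind="teardown", proto=m["proto"], peer=peer[1], peer_port=int(peer[2]),
                       host=host[1], bytes=int(m["bytes"]), reason=m["reason"] or "(none)")
    elif msgid == "106023":                             # dropped by an access-group ACL
        m = DENY_RE.search(text)
        if m:
            rec.update(kind="deny", proto=m["proto"], host=m["host"], peer=m["peer"],
                       peer_port=int(m["pport"]) if m["pport"] else None)
    elif msgid == "106007":                             # DNS reply with no matching query state
        rec["kind"] = "dns_response_denied"
    elif msgid in ("305011", "305012"):                 # NAT xlate built/torn down: no byte count
        rec["kind"] = "xlate"
    return rec


def summarize(log_text):
    """Tally bytes per peer (both directions, as the ASA counts them) and what the ACL dropped."""
    report = {"bytes_by_peer": Counter(), "satellite_bytes": 0, "local_bytes": 0,
              "teardown_reasons": Counter(), "denied": Counter(),
              "dns_response_denied": 0, "unparsed": 0}
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
        elif rec["kind"] == "teardown":
            report["bytes_by_peer"][rec["peer"]] += rec["bytes"]
            if ipaddress.ip_address(rec["peer"]) in LOCAL_LINK:
                report["local_bytes"] += rec["bytes"]
            else:
                report["satellite_bytes"] += rec["bytes"]      # this is what the link bills
            report["teardown_reasons"][rec["reason"]] += 1
        elif rec["kind"] == "deny":                             # never left the ASA: free
            report["denied"][(rec["peer"], rec["peer_port"])] += 1
        elif rec["kind"] == "dns_response_denied":
            report["dns_response_denied"] += 1
    return report


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"satellite bytes: {r['satellite_bytes']}, local (sat-terminal LAN) bytes: {r['local_bytes']}")
    for peer, n in r["bytes_by_peer"].most_common():
        print(f"  {peer:>15}  {n:>6} bytes")
    print("denied:", dict(r["denied"]), "teardown reasons:", dict(r["teardown_reasons"]))
```

Feed it the full ASDM export instead of SAMPLE_LOG to see which peers actually consumed link data; the 106023 denies show up separately because a blocked SYN never reaches the sat-terminal.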

Hi

Thanks for the info

It does indeed seem to be the client PCs that generate the traffic; when disconnecting the clients, no more traffic is being generated.

Do you know of any software to capture traffic data going in/out from a computer? Would be interesting to see.

Disabling all unneeded services on client PCs is indeed always a good practice, but clients out in the field always miss something, and this is why a firewall comes in handy.

-Håkon

Hi,

You can use for example Wireshark on the actual PC.

Or you can configure a traffic capture on the ASA.

Naturally, doing the capture on the PCs directly will give the most accurate information. And you won't run into the memory buffer limitations of the ASA.

You can find Wireshark here

http://www.wireshark.org/download.html

If you simply want to capture all traffic from the host, then you can just start the program after it's installed and go to the top bar menu:

Capture -> Interfaces -> Choose the interface -> Click Start

There might be a lot of information shown in the program window when you start. It depends on how many network-using applications you have running.

- Jouni

Hi again Jouni

Just an update.

I installed Wireshark, and got a lot of info through the logs generated.

It seems like most traffic is generated on port 53, DNS lookups.

This is everything from apps/plugins installed in the web browser (when visiting the sat-terminal's config page, which I have given access to) and installed programs that are requesting access. Wireshark seems to be very good at identifying what program is requesting access to the internet, so it's fairly easy to track.

And by the looks of it, it is a lot. In total I roughly saw that around 120-130kb per hour is going through on port 53.

Length per request is not much, but there's a lot of them.

I assume this is not easy to get rid of, since port 53 is a common port for a lot of services, including the mail program that we want to allow to run. I'd assume a rule has to be made that only the specific mail program will be allowed to do a DNS lookup somehow.

-Håkon
