cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3405
Views
0
Helpful
5
Replies
Highlighted
Beginner

ACL to deny LAN IP to Public (Internet) IP

Ok so I got a complaint from our public agency which acts as our "ISP" that their IDS system detected a host(s)(in our network) showing malicious activity, connecting outbound to an Internet IP of 94.100.25.138 over port 4723.  I did some research and it appears this is definetly a virus/trojan.  We are scanning our network to determine which host is infected, however, as a quick reactionary remediation, I figured I could just create an ACL on my ASA 5520 to deny all outbound LAN traffic to the internet host 94.100.25.138 with this rule while I track down the culprit:

access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723

or

access-list DENY-MALWARE extended deny tcp host 192.168.100.79 94.100.25.138 255.255.255.255 eq 4723

Aften enabling one of these (I tried both) I then intiated a telnet session from a LAN host:

telnet 94.100.25.138 4723

I was still able to make a connection to that IP and Port with either ACL in place.  I then verfied on the CLI of the ASA that the TCP connections were active by using the show conn details protocols tcp command.  MY ACL does not seem to be doing what I think it should do.  Is my logic off here?

Any help or suggestions would be greatly appreciated.

Dee

5 REPLIES 5
Highlighted
Hall of Fame Guru

Re: ACL to deny LAN IP to Public (Internet) IP

deezturner1 wrote:

Ok so I got a complaint from our public agency which acts as our "ISP" that their IDS system detected a host(s)(in our network) showing malicious activity, connecting outbound to an Internet IP of 94.100.25.138 over port 4723.  I did some research and it appears this is definetly a virus/trojan.  We are scanning our network to determine which host is infected, however, as a quick reactionary remediation, I figured I could just create an ACL on my ASA 5520 to deny all outbound LAN traffic to the internet host 94.100.25.138 with this rule while I track down the culprit:

access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723

or

access-list DENY-MALWARE extended deny tcp host 192.168.100.79 94.100.25.138 255.255.255.255 eq 4723

Aften enabling one of these (I tried both) I then intiated a telnet session from a LAN host:

telnet 94.100.25.138 4723

I was still able to make a connection to that IP and Port with either ACL in place.  I then verfied on the CLI of the ASA that the TCP connections were active by using the show conn details protocols tcp command.  MY ACL does not seem to be doing what I think it should do.  Is my logic off here?

Any help or suggestions would be greatly appreciated.

Dee

Dee

Are you applying this to the inside interface  ?

You first acl is wrong but the 2nd should work as long as -

1) it is TCP and not UDP

and

2) you tried to connect from the host 192.168.100.79

and

3) you applied the acl to the interface

use this -

access-list inside_out deny tcp any host 94.100.25.138 eq 4723

access-list inside_out permit ip any any

access-group inside_out i interface inside

Note - if you already have an acl on the inside interface then you need to add the first line from the acl above to it. You also need to make sure it is before any line that would permit the traffic.

Jon

Highlighted
Beginner

Re: ACL to deny LAN IP to Public (Internet) IP

Jon,

Thanks for your reply.  So I looked through the ACLs and I see:

access-list Inside_access_in extended permit ip any any

access-group Inside_access_in in interface Inside

This is the only ACL I see attached to the inside interface.  So could I add your suggested ACL and access group to the inside interface since the ACL in place seems to be a bit different than what I want to accomplish.

Dee

Highlighted
Hall of Fame Guru

Re: ACL to deny LAN IP to Public (Internet) IP

deezturner1 wrote:

Jon,

Thanks for your reply.  So I looked through the ACLs and I see:

access-list Inside_access_in extended permit ip any any

access-group Inside_access_in in interface Inside

This is the only ACL I see attached to the inside interface.  So could I add your suggested ACL and access group to the inside interface since the ACL in place seems to be a bit different than what I want to accomplish.

Dee

Dee

You need to add the deny line before the permit line. You can do this with ASA acls but it may be easier just to create a new temporary one eg. -

access-list inside_out deny tcp any host 94.100.25.138 eq 4723

access-list inside_out permit ip any any

and apply that one -

access-group inside_out in interface inside

Jon

Highlighted
Beginner

Re: ACL to deny LAN IP to Public (Internet) IP

Perfect. Added:

access-list inside_out deny tcp any host 94.100.25.138 eq 4723

access-list inside_out permit ip any any

access-group inside_out in interface inside

And I now cannot establish connection to that IP/Port from my LAN. I'm now

remediating the threat from within.

Thanks,

Dee

Highlighted
Hall of Fame Guru

Re: ACL to deny LAN IP to Public (Internet) IP

Dee

No problem, glad to help, hope you get the virus sorted.

Jon