ACL to deny LAN IP to Public (Internet) IP

deezturner1
Level 1

Ok so I got a complaint from our public agency which acts as our "ISP" that their IDS system detected a host(s) (in our network) showing malicious activity, connecting outbound to an Internet IP of 94.100.25.138 over port 4723.  I did some research and it appears this is definitely a virus/trojan.  We are scanning our network to determine which host is infected, however, as a quick reactionary remediation, I figured I could just create an ACL on my ASA 5520 to deny all outbound LAN traffic to the internet host 94.100.25.138 with this rule while I track down the culprit:

access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723

or

access-list DENY-MALWARE extended deny tcp host 192.168.100.79 94.100.25.138 255.255.255.255 eq 4723

After enabling one of these (I tried both) I then initiated a telnet session from a LAN host:

telnet 94.100.25.138 4723

I was still able to make a connection to that IP and port with either ACL in place.  I then verified on the CLI of the ASA that the TCP connections were active by using the show conn details protocols tcp command.  My ACL does not seem to be doing what I think it should do.  Is my logic off here?

Any help or suggestions would be greatly appreciated.

Dee

5 Replies

Jon Marshall
Hall of Fame

Dee

Are you applying this to the inside interface  ?

Your first acl is wrong but the 2nd should work as long as -

1) it is TCP and not UDP

and

2) you tried to connect from the host 192.168.100.79

and

3) you applied the acl to the interface

use this -

access-list inside_out deny tcp any host 94.100.25.138 eq 4723

access-list inside_out permit ip any any

access-group inside_out in interface inside

Note - if you already have an acl on the inside interface then you need to add the first line from the acl above to it. You also need to make sure it is before any line that would permit the traffic.

Jon

Jon,

Thanks for your reply.  So I looked through the ACLs and I see:

access-list Inside_access_in extended permit ip any any

access-group Inside_access_in in interface Inside

This is the only ACL I see attached to the inside interface.  So could I add your suggested ACL and access group to the inside interface, since the ACL in place seems to be a bit different than what I want to accomplish?

Dee

Dee

You need to add the deny line before the permit line. You can do this with ASA acls but it may be easier just to create a new temporary one eg. -

access-list inside_out deny tcp any host 94.100.25.138 eq 4723

access-list inside_out permit ip any any

and apply that one -

access-group inside_out in interface inside

Jon
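An added example, not from the thread or from Cisco, that models how the ASA walks these entries in first-match order, using the addresses and port from the thread and a constructed sample flow from 192.168.100.79. It shows why the original post's first entry never matches outbound traffic, why the deny has to sit above permit ip any any (Jon's two replies above), and that the entry only touches TCP to that one host and port; the parser and the sample flow are assumptions for illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse one ASA-style entry:
    access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'."""
    tok = [t for t in line.split() if t != "extended"]
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_addr(rest):
        if rest[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        if rest[0] == "host":
            return ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        # ASA ACLs take a normal netmask here, not an IOS wildcard mask
        return ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]

    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching entry wins; a flow matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in (proto, "ip"):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# The original post's first entry in front of the existing permit: its source
# is the Internet host, so an outbound LAN flow never matches it.
WRONG_DIRECTION = [parse_ace("access-list DENY-MALWARE extended deny tcp host 94.100.25.138 any eq 4723"),
                   parse_ace("access-list Inside_access_in extended permit ip any any")]
# Jon's temporary ACL: deny first, then the blanket permit.
INSIDE_OUT = [parse_ace("access-list inside_out deny tcp any host 94.100.25.138 eq 4723"),
              parse_ace("access-list inside_out permit ip any any")]
# The same two lines in the wrong order: the permit matches first.
WRONG_ORDER = list(reversed(INSIDE_OUT))

def check_outbound(acl, proto="tcp", src="192.168.100.79", dport=4723):
    """Constructed sample flow: the LAN host from the thread reaching 94.100.25.138."""
    return evaluate(acl, proto, src, "94.100.25.138", dport)
```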

Perfect. Added:

access-list inside_out deny tcp any host 94.100.25.138 eq 4723

access-list inside_out permit ip any any

access-group inside_out in interface inside

And I now cannot establish connection to that IP/Port from my LAN. I'm now remediating the threat from within.

Thanks,

Dee

Dee

No problem, glad to help, hope you get the virus sorted.

Jon
