
Unauthorized port scan

kingsleylawani
Level 1

Please can someone interpret these log messages below for me? The IP address 10.5.4.8 was performing an unauthorized port scan in my network from within.

Jun 18 2015 10:51:03 single_vf : %ASA-6-302013: Built outbound TCP connection 746450139 for outside:23.52.91.27/80 (23.52.91.27/80) to inside:10.5.4.8/17179 (139.55.126.155/17179)
Jun 18 2015 10:51:04 single_vf : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.5.4.8/16776 to outside:139.55.126.155/16776 duration 0:04:07
Jun 18 2015 10:51:04 single_vf : %ASA-6-302014: Teardown TCP connection 746442992 for outside:98.139.199.205/443 to inside:10.5.4.8/17019 duration 0:02:00 bytes 2067 TCP FINs
Jun 18 2015 10:51:05 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17182 to outside:139.55.126.155/17182
Jun 18 2015 10:51:05 single_vf : %ASA-6-302013: Built outbound TCP connection 746450241 for outside:98.139.199.204/443 (98.139.199.204/443) to inside:10.5.4.8/17182 (139.55.126.155/17182)
Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443065 for outside:98.139.199.205/443 to inside:10.5.4.8/17024 duration 0:01:59 bytes 9383 TCP FINs
Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443051 for outside:98.139.199.204/443 to inside:10.5.4.8/17022 duration 0:01:59 bytes 9431 TCP FINs
Jun 18 2015 10:51:05 single_vf : %ASA-6-302014: Teardown TCP connection 746443043 for outside:208.86.238.30/443 to inside:10.5.4.8/17021 duration 0:02:00 bytes 5922 TCP FINs
Jun 18 2015 10:51:05 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17021 to 208.86.238.30/443 flags RST  on interface inside

Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17219 to outside:139.55.126.155/17219
Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450594 for outside:23.52.91.27/80 (23.52.91.27/80) to inside:10.5.4.8/17219 (139.55.126.155/17219)
Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17221 to outside:139.55.126.155/17221
Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450623 for outside:72.167.239.239/80 (72.167.239.239/80) to inside:10.5.4.8/17221 (139.55.126.155/17221)
Jun 18 2015 10:51:12 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17222 to outside:139.55.126.155/17222
Jun 18 2015 10:51:12 single_vf : %ASA-6-302013: Built outbound TCP connection 746450624 for outside:72.167.239.239/80 (72.167.239.239/80) to inside:10.5.4.8/17222 (139.55.126.155/17222)
Jun 18 2015 10:51:12 single_vf : %ASA-6-302014: Teardown TCP connection 746450623 for outside:72.167.239.239/80 to inside:10.5.4.8/17221 duration 0:00:00 bytes 2402 TCP FINs
Jun 18 2015 10:51:12 single_vf : %ASA-6-302014: Teardown TCP connection 746450624 for outside:72.167.239.239/80 to inside:10.5.4.8/17222 duration 0:00:00 bytes 2402 TCP FINs
Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17226 to outside:139.55.126.155/17226
Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450778 for outside:23.21.243.54/443 (23.21.243.54/443) to inside:10.5.4.8/17226 (139.55.126.155/17226)
Jun 18 2015 10:51:16 single_vf : %ASA-6-302014: Teardown TCP connection 746450013 for outside:23.21.243.54/443 to inside:10.5.4.8/17163 duration 0:00:15 bytes 5729 TCP FINs
Jun 18 2015 10:51:16 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17163 to 23.21.243.54/443 flags RST  on interface inside
Jun 18 2015 10:51:16 single_vf : %ASA-6-302014: Teardown TCP connection 746450012 for outside:23.21.243.54/443 to inside:10.5.4.8/17164 duration 0:00:15 bytes 5729 TCP FINs
Jun 18 2015 10:51:16 single_vf : %ASA-6-106015: Deny TCP (no connection) from 10.5.4.8/17164 to 23.21.243.54/443 flags RST  on interface inside
Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17228 to outside:139.55.126.155/17228
Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450785 for outside:68.67.152.6/443 (68.67.152.6/443) to inside:10.5.4.8/17228 (139.55.126.155/17228)
Jun 18 2015 10:51:16 single_vf : %ASA-6-305011: Built dynamic TCP translation from inside:10.5.4.8/17227 to outside:139.55.126.155/17227
Jun 18 2015 10:51:16 single_vf : %ASA-6-302013: Built outbound TCP connection 746450786 for outside:68.67.152.6/443 (68.67.152.6/443) to inside:10.5.4.8/17227 (139.55.126.155/17227)

2 Replies

Vibhor Amrodia
Cisco Employee

Hi,

These are some common connection Built and Teardown messages.

What information would you like to collect from these syslogs?

I think you can find out the IP addresses and port numbers, and if you want to stop them, apply an ACL on the ASA device interface to block them.

Thanks and Regards,

Vibhor Amrodia

Thanks for the response.

Kingsley
