
ASA 5510 exposing VPN users to Internet




We are running ASA 5510 with 9.0.1 as VPN gateway and we recently found out that it is possible to query the public IP address, for example for nbtstat via UDP, for connected VPN clients; at least the ASA answers on the public IP on UDP 137 and allows access to a random VPN-connected client.

We see that this is probably coming from NAT on the public interface for VPN clients going to the Internet (we are using tunnel-all and allowing the users via dynamic PAT to go out the same public interface and IP for Internet); for that we allowed connections between hosts on the same interface.


So if the VPN user somehow opens a UDP session to the outside, a NAT entry is created, and when the public IP is queried we can see the info from the VPN client (domain membership, user logged in, etc.).


Till now I was thinking that only outgoing traffic was possible, but incoming is also, at least for UDP.


Can someone explain to me how this is possible, or better to say, how to avoid it?


Disabling the NAT works, but then the users are not able to reach Internet resources.


Thanks in advance,




2 Replies

Bogdan Nita
VIP Alumni

Hi Daniel,


This is really interesting. Could you share the sanitized NAT configuration and detail what you mean by "if the vpn user somehow open a udp session to outside"? What are the source and destination ports and IPs? Also, from where are you initiating the query for the ASA's public IP?


NAT for U-turn VPN is normally done something like this:

ciscoasa(config)# object network obj-AnyconnectPool
ciscoasa(config-network-object)# subnet
ciscoasa(config-network-object)# nat (outside,outside) dynamic interface

and should not allow connections initiated from outside.

Also, the ACL on the outside interface should block undesired traffic being initiated from outside.
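The outside-interface ACL mentioned above, written out as an added example that is not part of the thread. It reuses the interface name External and the network object AFW-NAT from Daniel's configuration; the ACL name OUTSIDE_IN is an assumption. The NAT stays in place, and the ACL instead denies new inbound connections from the Internet toward the VPN pool, which is what an unsolicited query that lands on an existing PAT entry becomes after untranslation.

```text
! Constructed example (not from the thread): inbound ACL on the External interface.
! ASA 8.3+ interface ACLs match real (untranslated) addresses, so the destination
! is the VPN pool object AFW-NAT from the original config, not the interface IP.
! ACL name OUTSIDE_IN is assumed; merge these lines into an existing inbound ACL
! if one is already applied to External, since access-group replaces it.
access-list OUTSIDE_IN extended deny udp any object AFW-NAT eq netbios-ns
access-list OUTSIDE_IN extended deny udp any object AFW-NAT eq netbios-dgm
access-list OUTSIDE_IN extended deny tcp any object AFW-NAT eq netbios-ssn
access-list OUTSIDE_IN extended deny tcp any object AFW-NAT eq 445
! Catch-all for anything else the Internet initiates toward the pool. Replies to
! sessions the VPN clients opened themselves still pass via the connection table.
access-list OUTSIDE_IN extended deny ip any object AFW-NAT log
! Existing permit lines for services published on External follow here.
access-group OUTSIDE_IN in interface External
```

Hit counts in `show access-list OUTSIDE_IN` confirm the denies are taking effect while `show xlate` still lists the outbound PAT entries for the clients.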






It is set up as you wrote, almost exactly:
object network AFW-NAT
subnet x.x.x.x.
nat (External,External) source dynamic AFW-NAT interface

We found it in a security audit, and it was confirmed by our server team.

When they run netstat from the Internet against the public IP of the ASA (used for VPN and also as PAT for outgoing traffic), they receive output of some VPN users:

[image: Inline image 1]

This shows in reports as open UDP port 137, with the PC changing over time; disabling the NAT closes it, but the Internet via VPN is not working anymore.
Thanks,

