ASA 5510 exposing VPN users to Internet

d.jursik
Level 1

Hello,

We are running an ASA 5510 with 9.0.1 as a VPN gateway, and we recently found out that it is possible to query the public IP address, for example for nbtstat via UDP, for connected VPN clients; at least the ASA answers on the public IP on UDP 137 and allows access to a random VPN-connected client.

We see that this is probably coming from the NAT on the public interface for VPN clients going to the Internet (we are using tunnel-all and allowing the users via dynamic PAT to go out the same public interface and IP for Internet access); for that we allowed connections between hosts on the same interface.

So if the VPN user somehow opens a UDP session to the outside, a NAT entry is created, and when the public IP is queried we can see the info from the VPN client (domain membership, user logged in, etc.).

Until now I was thinking that only outgoing traffic was possible, but incoming is also, at least for UDP.

Can someone explain to me how this is possible, or better said, how to avoid it?

Disabling the NAT works, but then the users are not able to reach Internet resources.

Thanks in advance,

daniel

 

2 Replies

Bogdan Nita
VIP Alumni

Hi Daniel,

This is really interesting. Could you share the sanitized NAT configuration and detail what you mean by "if the vpn user somehow open a udp session to outside"? What are the source and destination ports and IPs? Also, from where are you initiating the query for the ASA's public IP?

NAT for U-turn VPN is normally done something like this:

```
ciscoasa(config)# object network obj-AnyconnectPool
ciscoasa(config-network-object)# subnet 192.168.10.0 255.255.255.0
ciscoasa(config-network-object)# nat (outside,outside) dynamic interface
```

and should not allow connections initiated from outside.

Also, the ACL on the outside interface should block undesired traffic being initiated from outside.

HTH

Bogdan
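As an added illustration of the outside-interface ACL Bogdan refers to (example configuration, not from the thread or from Cisco documentation), the following assumes the interface name "External" from Daniel's post and uses a placeholder for the ASA's public address:

```text
! Added example, not part of the original thread. Assumes interface "External"
! and <ASA_PUBLIC_IP> as a placeholder for the ASA's public address.
!
! With a (External,External) dynamic PAT and intra-interface traffic permitted,
! an Internet host reaching the public IP on a PAT-mapped port can match an
! existing translation. An explicit inbound ACL on External makes the policy
! visible instead of relying on the same-security permission.
access-list EXTERNAL_IN extended deny udp any host <ASA_PUBLIC_IP> eq 137
access-list EXTERNAL_IN extended deny udp any host <ASA_PUBLIC_IP> eq 138
access-list EXTERNAL_IN extended deny tcp any host <ASA_PUBLIC_IP> eq 139
access-list EXTERNAL_IN extended deny tcp any host <ASA_PUBLIC_IP> eq 445
! ... add permit lines here only for inbound services that are intended ...
! Explicit final deny with logging so unexpected inbound attempts show up in syslog.
access-list EXTERNAL_IN extended deny ip any any log
access-group EXTERNAL_IN in interface External
!
! Return traffic for VPN users' outbound sessions is still allowed by the connection
! state, and the VPN itself terminates on the ASA, so it is not affected by this ACL.
! To verify, look for connections or translations on UDP 137 from Internet sources:
!   show conn protocol udp port 137
!   show xlate
```

The deny lines cover the NetBIOS/SMB ports named or implied in the thread; extend the list to whatever other services the audit reports as reachable on the public IP.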

Hello,

thanks.

It is set up as you wrote, almost exactly:

```
object network AFW-NAT
subnet x.x.x.x 255.255.255.192
nat (External,External) source dynamic AFW-NAT interface
```

We found it by security audit, and it was confirmed by our server team.

When they run netstat from the Internet to the public IP of the ASA (used for VPN and also as PAT for outgoing traffic), they receive output of some VPN users:

[image: Inline image 1]

This shows in reports as open UDP port 137, with the PC changing over time. Disabling the NAT closes it, but the Internet via VPN is not working anymore.

Thanks,

d.
