08-04-2020 09:29 AM
Hi,
We had an external pen test done and we were told that our firewall is leaking an internal IP address. (Waiting for the official report)
I started gathering some logs and did find nmap from an external to an internal host. (Source was a public IP and destination was our internal IP)
I am at a beginner level and I have checked the ASA and I do not find any holes.
Can someone please point me in the right direction?
We have one to one static NAT for our public facing services. ASA 5515
Attached is a screenshot from the PCAP file.
Thank you,
Brian
08-04-2020 10:04 AM
More than once I have seen external "pen tests" report false positives. If you can share more details we can have a look at it.
08-04-2020 11:04 AM
08-04-2020 11:27 AM
08-04-2020 12:06 PM
I ran one nmap from a system on the public internet targeting our web server's public IP, and I ran a second nmap from a system inside our network targeting our web server's internal IP.
Both results were the same.
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
08-04-2020 11:05 AM
08-04-2020 10:06 AM
08-04-2020 11:18 PM
I did the NMAP scan from the public internet to our public facing server's public IP and captured the logs from my ASA.
The logs on the ASA showed my laptop's public IP as the source but showed my public facing server's private IP as the destination.
That's probably because of NAT?
Is it normal for the ASA to show the private IP of my public server as the destination in the logs, rather than the public IP on which NMAP was run?
My SIEM gets logs from the ASA, and since the ASA has the destination IP as the private IP, my SIEM alerts me of an External to Internal one on one scan.
Brian.
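An added example, not part of the thread: the ASA connection message 302013 records each endpoint as real address followed by the mapped address in parentheses, so a SIEM rule can tell a connection to a NAT-published service apart from traffic that reached a private address without translation. It assumes the SIEM receives 302013 messages; the sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# ASA message 302013 logs each endpoint as interface:real-ip/port (mapped-ip/port).
BUILT_TCP = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection \d+ "
    r"for (?P<src_if>[\w-]+):(?P<src>[\d.]+)/\d+ \([\d.]+/\d+\) "
    r"to (?P<dst_if>[\w-]+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped>[\d.]+)/\d+\)"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify(line):
    """Return (verdict, src, dst_real, dst_mapped), or None if not a 302013 line."""
    m = BUILT_TCP.search(line)
    if not m:
        return None
    src, real, mapped = m["src"], m["dst_real"], m["dst_mapped"]
    if is_rfc1918(src) or not is_rfc1918(real):
        verdict = "not-external-to-internal"
    elif mapped != real and not is_rfc1918(mapped):
        # The client connected to the public (mapped) address; the ASA
        # logs the real address of the NATed server as the destination.
        verdict = "nat-published-service"
    else:
        # Private destination with no public mapped address: worth review.
        verdict = "untranslated-internal-destination"
    return verdict, src, real, mapped

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    "Aug 04 2020 12:06:01: %ASA-6-302013: Built inbound TCP connection 4711 for "
    "outside:203.0.113.50/51512 (203.0.113.50/51512) to inside:10.1.1.20/443 (198.51.100.20/443)",
    "Aug 04 2020 12:06:09: %ASA-6-302013: Built inbound TCP connection 4712 for "
    "outside:203.0.113.50/51513 (203.0.113.50/51513) to inside:10.1.1.30/3389 (10.1.1.30/3389)",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.50/51514 dst inside:10.1.1.20/22 '
    'by access-group "outside_in"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```
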