09-05-2020 10:48 PM
Hi All,
I have separate bidirectional rules in my firewall (ASA 5545-X) for different applications (including VoIP). What is puzzling here is that if I capture logs for the traffic coming from OUTSIDE (of the firewall) back into the segmented environment, I am seeing entries that should have been logged under the inside interfaces initiating those connections. The reason I am saying that: I am seeing a lower-end source port session logged under the OUTSIDE interface with a higher-end DP. Examples:
SA: 10.100.11.20, SP: TCP(88), DA: 10.47.10.42, DP: 50014 to 65408
SA: 10.100.11.20, SP: UDP(53), DA: 10.47.10.37, DP: 58146
Is the firewall closing the session so it gets logged as a new session under OUTSIDE? Is there a timer issue here I need to check, where it waits for a response and, if it doesn't see one within a specific amount of time, logs it against the OUTSIDE rather than associating it with a session built from Inside (10.47.x.x)?
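One way to check the suspicion above from the syslog itself is to correlate each connection logged inbound on the outside interface with any earlier outbound (inside-initiated) connection on the same 5-tuple: a "Built inbound" or "Deny TCP (no connection)" on the outside interface that exactly mirrors a previously built and torn-down outbound session is return traffic that arrived after the firewall had already removed the connection, not a new session from outside. The script below is an added example written for this page; it is not code from the poster, from Cisco, or from the ASA itself. The log lines are constructed for the example and only shaped like ASA 302013/302014/302015/302016/106015 messages, the interface name `outside`, the ephemeral-port floor of 49152 and the list of well-known service ports are assumptions to adjust for your own configuration, and the "reply-shaped" fallback is a heuristic, not an ASA rule.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

OUTSIDE_IF = "outside"       # assumption: nameif of the lower-security interface
EPHEMERAL_LOW = 49152        # assumption: default Windows/IANA ephemeral range start
# assumption: service ports you expect inside clients to reach on the far side
SERVICE_PORTS = {53, 88, 135, 139, 389, 445, 636, 3268, 3269}

Endpoint = Tuple[str, int]   # (ip, port)

# Constructed sample, shaped like ASA syslog; these are NOT the poster's logs.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:10.100.11.20/88 (10.100.11.20/88) to inside:10.47.10.42/50014 (10.47.10.42/50014)
%ASA-6-302014: Teardown TCP connection 1001 for outside:10.100.11.20/88 to inside:10.47.10.42/50014 duration 0:00:00 bytes 1824 TCP FINs
%ASA-6-106015: Deny TCP (no connection) from 10.100.11.20/88 to 10.47.10.42/50014 flags ACK on interface outside
%ASA-6-302015: Built outbound UDP connection 1003 for outside:10.100.11.20/53 (10.100.11.20/53) to inside:10.47.10.37/58146 (10.47.10.37/58146)
%ASA-6-302016: Teardown UDP connection 1003 for outside:10.100.11.20/53 to inside:10.47.10.37/58146 duration 0:00:00 bytes 112
%ASA-6-302015: Built inbound UDP connection 1004 for outside:10.100.11.20/53 (10.100.11.20/53) to inside:10.47.10.37/58146 (10.47.10.37/58146)
%ASA-6-106015: Deny TCP (no connection) from 10.100.11.20/445 to 10.47.10.50/51234 flags ACK on interface outside
%ASA-6-302013: Built inbound TCP connection 1005 for outside:10.100.11.99/51000 (10.100.11.99/51000) to inside:10.47.10.42/443 (10.47.10.42/443)
"""

BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (inbound|outbound) (TCP|UDP) connection \d+ "
    r"for (\w+):([\d.]+)/(\d+) \([\d.]+/\d+\) to (\w+):([\d.]+)/(\d+) \([\d.]+/\d+\)"
)
DENY_RE = re.compile(
    r"%ASA-\d-106015: Deny (TCP) \(no connection\) from ([\d.]+)/(\d+) "
    r"to ([\d.]+)/(\d+) flags \S+ on interface (\w+)"
)


@dataclass
class Finding:
    line_no: int
    proto: str
    outside_ep: Endpoint
    inside_ep: Endpoint
    reason: str


def flow_key(proto: str, a: Endpoint, b: Endpoint) -> FrozenSet:
    """Direction-independent identity of a flow: protocol plus both endpoints."""
    return frozenset({(proto, a[0], a[1]), (proto, b[0], b[1])})


def reply_shaped(outside_ep: Endpoint, inside_ep: Endpoint) -> bool:
    """Service port on the outside host and an ephemeral port on the inside host
    is what the return half of an inside-initiated session looks like (heuristic)."""
    srv_port = outside_ep[1]
    return (srv_port in SERVICE_PORTS or srv_port < 1024) and inside_ep[1] >= EPHEMERAL_LOW


def analyze(log_text: str) -> List[Finding]:
    """Flag inbound-on-outside events that are really late packets of an
    inside-initiated session (exact 5-tuple match) or merely look like replies."""
    seen_outbound: Set[FrozenSet] = set()
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = BUILT_RE.search(line)
        if m:
            direction, proto, if1, ip1, p1, if2, ip2, p2 = m.groups()
            ep1, ep2 = (ip1, int(p1)), (ip2, int(p2))
            key = flow_key(proto, ep1, ep2)
            if direction == "outbound":
                seen_outbound.add(key)      # remember inside-initiated sessions
                continue
            if if1 == OUTSIDE_IF:           # inbound: find the endpoint on outside
                outside_ep, inside_ep = ep1, ep2
            elif if2 == OUTSIDE_IF:
                outside_ep, inside_ep = ep2, ep1
            else:
                continue
        else:
            m = DENY_RE.search(line)
            if not m:
                continue                    # teardowns and other messages are ignored
            proto, sip, sp, dip, dp, ingress = m.groups()
            if ingress != OUTSIDE_IF:
                continue
            outside_ep, inside_ep = (sip, int(sp)), (dip, int(dp))
            key = flow_key(proto, outside_ep, inside_ep)
        if key in seen_outbound:
            reason = "same 5-tuple as an earlier inside-initiated session: late packet after teardown"
        elif reply_shaped(outside_ep, inside_ep):
            reason = "reply-shaped (service source port, ephemeral destination port) but no matching outbound session in this sample; widen the log window"
        else:
            continue                        # looks like a genuine inbound connection
        findings.append(Finding(line_no, proto, outside_ep, inside_ep, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.proto} {f.outside_ep[0]}/{f.outside_ep[1]} -> "
              f"{f.inside_ep[0]}/{f.inside_ep[1]}: {f.reason}")
```

Run it over a real export (`analyze(open("asa.log").read())`) with the log window starting before the outbound sessions, otherwise every late reply falls into the weaker "reply-shaped" bucket. Findings with an exact 5-tuple match are the ones to compare against the connection timeouts in `show run timeout` and the live table in `show conn`; a genuine inbound connection from outside, such as the last sample line where the outside host uses an ephemeral source port to reach a service on the inside, is deliberately not flagged.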
09-06-2020 12:15 AM
09-06-2020 01:52 AM
Thanks for the feedback. A quick question. Wouldn't the firewall be independent of the client-side closure? It is a transit device with its own timeouts. Also, I am seeing it on many different types of traffic: SMB, DNS, LDAP, etc. Every second or third flow is like this. This is happening so often that it looks like this is normal behaviour.
09-07-2020 11:25 PM
Any further comments on these from any experts out there?