ASA-Port Question

dcanady55
Level 3

Hello,

I've got internal devices connecting back to one particular server using a strange port. I rebooted the server and now they're all connecting to a different port, still using a strange protocol.

Is there a way to look on the firewall to see if the server is talking to an outside IP address using that same port? I apologize if I didn't frame the question very well.

 

Thanks

2 Accepted Solutions


johnlloyd_13
Level 9

Hi,

You can use 'show local-host <server-ip> detail' command.


nkarthikeyan
Level 7

Hi,

Sh conn | in <Server IP> to check if there are any current active connections running for that specific server. Also, this gives you the port information as well.

If you want to capture the traffic for certain timelines then you may use capture:

access-list capture extended permit ip host <server ip> any

FW# capture test access-list capture buffer 2048 interface <inside> trace detail

Leave it for a certain period, say 30 mins or something, then check:

FW# show capture test

Example output:

ASA1# show capture test

15 packets captured

   1: 09:59:45.405389 192.168.1.10 > 192.168.2.10: icmp: echo reply
   2: 09:59:45.529315 192.168.1.10 > 192.168.2.10: icmp: echo reply
   3: 09:59:45.564179 192.168.1.10 > 192.168.2.10: icmp: echo reply
   4: 09:59:45.585266 192.168.1.10 > 192.168.2.10: icmp: echo reply
   5: 09:59:45.628354 192.168.1.10 > 192.168.2.10: icmp: echo reply
   6: 09:59:45.654140 192.168.1.10 > 192.168.2.10: icmp: echo reply
   7: 09:59:45.712304 192.168.1.10 > 192.168.2.10: icmp: echo reply
   8: 09:59:45.756293 192.168.1.10 > 192.168.2.10: icmp: echo reply
   9: 09:59:45.852418 192.168.1.10 > 192.168.2.10: icmp: echo reply
  10: 09:59:46.297225 192.168.1.10 > 192.168.2.10: icmp: echo reply
  11: 09:59:46.335218 192.168.1.10 > 192.168.2.10: icmp: echo reply
  12: 09:59:46.357205 192.168.1.10 > 192.168.2.10: icmp: echo reply
  13: 09:59:46.385203 192.168.1.10 > 192.168.2.10: icmp: echo reply
  14: 09:59:46.419198 192.168.1.10 > 192.168.2.10: icmp: echo reply
  15: 09:59:46.455970 192.168.1.10 > 192.168.2.10: icmp: echo reply
15 packets shown
ASA1#

 

 

Regards

Karthik
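One way to triage saved Sh conn output offline, as an added example that is not part of the original posts: it lists, per server port, the peers that fall outside the internal address ranges. The line layout, the sample addresses, the internal ranges and the function name external_peers_by_port are assumptions; adjust the regex if your ASA version prints connections differently.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the assumed ASA 'show conn' layout
# (documentation/private addresses only, not taken from the thread).
SAMPLE = """\
TCP outside 203.0.113.45:51812 inside 10.1.1.20:4444, idle 0:00:03, bytes 90112, flags UIOB
TCP dmz 10.2.2.31:49822 inside 10.1.1.20:4444, idle 0:00:10, bytes 2048, flags UIOB
TCP outside 198.51.100.7:443 inside 10.1.1.20:50233, idle 0:00:01, bytes 5120, flags UIO
UDP outside 198.51.100.53:53 inside 10.1.1.20:61000, idle 0:00:20, bytes 120, flags -
TCP outside 203.0.113.9:80 inside 10.1.1.99:50001, idle 0:01:00, bytes 300, flags UIO
"""

# proto, interface, ip:port, interface, ip:port, ..., bytes N  (IPv4 only)
LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+([\d.]+):(\d+)\s+(\S+)\s+([\d.]+):(\d+),.*?bytes (\d+)"
)

# Assumption: "internal" means RFC 1918 space; replace with your own ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def external_peers_by_port(show_conn_text, server_ip):
    """Map (proto, server_port) -> sorted list of non-internal 'ip:port' peers."""
    result = defaultdict(set)
    for line in show_conn_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # summary counters, blank lines, unknown layouts
        proto, _, ip_a, port_a, _, ip_b, port_b, _ = m.groups()
        ends = [(ip_a, int(port_a)), (ip_b, int(port_b))]
        # The server may be printed on either side, so test both orientations.
        for (sip, sport), (pip, pport) in (ends, ends[::-1]):
            if sip == server_ip and not is_internal(pip):
                result[(proto, sport)].add(f"{pip}:{pport}")
    return {key: sorted(peers) for key, peers in result.items()}


if __name__ == "__main__":
    for (proto, port), peers in sorted(external_peers_by_port(SAMPLE, "10.1.1.20").items()):
        print(f"{proto}/{port}: {', '.join(peers)}")
```

A server port that shows both internal clients in the raw output and an entry in this result is the case the original question asks about.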


4 Replies

Marvin Rhoads
Hall of Fame

The server is inside the firewall?

If so, connections initiated from the outside should only be allowed according to the access-list you have on the outside interface.

You can always capture traffic on an ASA firewall to see exactly what's being transmitted and received. From ASDM, use "Wizards > Packet capture wizard" and follow the prompts.

dcanady55
Level 3

Thanks for the tips.

I've run this command and it's a big help.

 

Thanks,

Derek
