09-04-2014 05:58 AM - edited 03-11-2019 09:42 PM
After a recent firewall cleanup we now are failing a PCI Scan from Trustwave. I have created a rule to allow their IPs to come in on any port and I am still getting a "Network Service Stopped Responding" on their end while they are going to our Public IP address on port 443. Since I have allowed their IPs to come in on any port I'm not sure what the problem is.
Here are some logs from the firewall.
Early on in the scan I am seeing a bunch of these for different internal IPs but I can't ping any of them internally so I think they are trying to go to some devices that don't exist anymore.
6|Sep 03 2014|15:19:20|302014|64.37.231.144|40312|10.1.20.133|22361|Teardown TCP connection 185611354 for Outside:64.37.231.144/40312 to Inside:10.1.20.133/22361 duration 0:00:30 bytes 0 SYN Timeout
About the same time the test fails I see this in the logs. It's them coming to our public IP on port 443, but it keeps getting a TCP deny (No Connection).
6 | Sep 03 2014 | 16:03:15 | 302013 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Built inbound TCP connection 185701488 for Outside:64.37.231.144/52986 (64.37.231.144/52986) to identity:207.140.152.66/443 (207.140.152.66/443) |
6 | Sep 03 2014 | 16:03:15 | 725001 | 64.37.231.144 | 52986 | Starting SSL handshake with client Outside:64.37.231.144/52986 for TLSv1 session. |
6 | Sep 03 2014 | 16:03:16 | 725002 | 64.37.231.144 | 52986 | Device completed SSL handshake with client Outside:64.37.231.144/52986 |
6 | Sep 03 2014 | 16:03:16 | 725007 | 64.37.231.144 | 52986 | SSL session with client Outside:64.37.231.144/52986 terminated. |
6 | Sep 03 2014 | 16:03:16 | 302014 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Teardown TCP connection 185701488 for Outside:64.37.231.144/52986 to identity:207.140.152.66/443 duration 0:00:00 bytes 717 TCP Reset-O |
4 | Sep 03 2014 | 16:03:16 | 106015 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Deny TCP (no connection) from 64.37.231.144/52986 to 207.140.152.66/443 flags PSH ACK on interface Outside |
4 | Sep 03 2014 | 16:03:16 | 106015 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Deny TCP (no connection) from 64.37.231.144/52986 to 207.140.152.66/443 flags FIN ACK on interface Outside |
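The script below is an added example for reading log sequences like the one above; it is not code from this thread or from Cisco. It takes the post's own log lines (pasted in verbatim), correlates them by connection id and 4-tuple, and makes the sequence explicit: the flow to 207.140.152.66/443 is built towards the "identity" interface (the ASA's own address, so the firewall itself is the TLS server), is torn down with reason "TCP Reset-O", and the two 106015 "Deny TCP (no connection)" lines are for packets of that already-torn-down flow, which the stateful engine drops without consulting any ACL. The earlier 302014 with "SYN Timeout" and 0 bytes is a connection that was permitted and built but whose destination never replied. The teardown-reason descriptions paraphrase Cisco's syslog reference for message 302014; the field layout assumed is the "|"-separated ASDM log-viewer export shown in the post, and the function names (parse, analyze) are mine.

```python
import re

# Log lines copied from the post above (ASDM log-viewer export, "|"-separated fields).
SAMPLE_LOG = """\
6|Sep 03 2014|15:19:20|302014|64.37.231.144|40312|10.1.20.133|22361|Teardown TCP connection 185611354 for Outside:64.37.231.144/40312 to Inside:10.1.20.133/22361 duration 0:00:30 bytes 0 SYN Timeout
6 | Sep 03 2014 | 16:03:15 | 302013 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Built inbound TCP connection 185701488 for Outside:64.37.231.144/52986 (64.37.231.144/52986) to identity:207.140.152.66/443 (207.140.152.66/443) |
6 | Sep 03 2014 | 16:03:15 | 725001 | 64.37.231.144 | 52986 | Starting SSL handshake with client Outside:64.37.231.144/52986 for TLSv1 session. |
6 | Sep 03 2014 | 16:03:16 | 725002 | 64.37.231.144 | 52986 | Device completed SSL handshake with client Outside:64.37.231.144/52986 |
6 | Sep 03 2014 | 16:03:16 | 725007 | 64.37.231.144 | 52986 | SSL session with client Outside:64.37.231.144/52986 terminated. |
6 | Sep 03 2014 | 16:03:16 | 302014 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Teardown TCP connection 185701488 for Outside:64.37.231.144/52986 to identity:207.140.152.66/443 duration 0:00:00 bytes 717 TCP Reset-O |
4 | Sep 03 2014 | 16:03:16 | 106015 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Deny TCP (no connection) from 64.37.231.144/52986 to 207.140.152.66/443 flags PSH ACK on interface Outside |
4 | Sep 03 2014 | 16:03:16 | 106015 | 64.37.231.144 | 52986 | 207.140.152.66 | 443 | Deny TCP (no connection) from 64.37.231.144/52986 to 207.140.152.66/443 flags FIN ACK on interface Outside |
"""

# Teardown reasons for syslog 302014, paraphrased from Cisco's syslog message reference.
REASONS = {
    "SYN Timeout": "handshake never completed (no SYN/ACK within 30 s); the destination did not answer",
    "TCP Reset-O": "RST received from the outside side of the flow",
    "TCP Reset-I": "RST received from the inside side of the flow",
    "TCP FINs": "normal close, FIN seen from both sides",
    "FIN Timeout": "half-closed connection timed out waiting for the final ACK",
    "Conn-timeout": "idle longer than the configured connection timeout",
}

BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (\d+) for \w+:[\d.]+/\d+.*? to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for \w+:([\d.]+)/(\d+) to (\w+):([\d.]+)/(\d+)"
                      r" duration (\S+) bytes (\d+) (.+)$")
DENY = re.compile(r"Deny TCP \(no connection\) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) flags (.+?) on interface (\w+)")


def parse(log_text):
    """Split each exported line into (time, message id, message text); empty trailing fields are dropped."""
    records = []
    for raw in log_text.splitlines():
        fields = [f.strip() for f in raw.split("|") if f.strip()]
        if len(fields) >= 5:
            records.append((fields[2], fields[3], fields[-1]))
    return records


def analyze(log_text):
    """Walk the log in order and return one finding dict per build/teardown/deny event."""
    findings = []
    torn_down = {}  # (src, sport, dst, dport) -> (conn id, teardown reason), filled from 302014 messages
    for time, msgid, text in parse(log_text):
        if msgid == "302013" and (m := BUILT.search(text)):
            conn, dst_ifc, dst, dport = m.groups()
            if dst_ifc == "identity":  # destination is an ASA interface address: to-the-box traffic
                findings.append({"time": time, "kind": "to_the_box", "conn": conn,
                                 "detail": f"{dst}/{dport} is an ASA interface address; the firewall itself is the server"})
        elif msgid == "302014" and (m := TEARDOWN.search(text)):
            conn, src, sport, dst_ifc, dst, dport, duration, nbytes, reason = m.groups()
            torn_down[(src, sport, dst, dport)] = (conn, reason)
            findings.append({"time": time, "kind": "teardown", "conn": conn, "reason": reason,
                             "detail": f"{src}/{sport} -> {dst}/{dport} after {duration}, {nbytes} bytes: "
                                       + REASONS.get(reason, "see the 302014 reference for this reason")})
        elif msgid == "106015" and (m := DENY.search(text)):
            src, sport, dst, dport, flags, ifc = m.groups()
            prior = torn_down.get((src, sport, dst, dport))
            if prior:  # packet belongs to a flow the ASA has already closed: stateful drop, not an ACL deny
                findings.append({"time": time, "kind": "late_packet", "conn": prior[0], "flags": flags,
                                 "detail": f"{flags} on {ifc} for a flow already torn down ({prior[1]}); "
                                           "stateful drop, not an ACL deny"})
            else:
                findings.append({"time": time, "kind": "orphan_deny", "conn": None, "flags": flags,
                                 "detail": f"{flags} on {ifc} with no build/teardown for this 4-tuple in the window"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["kind"], f["conn"], f["detail"])
```

Run against the lines in the post, the output shows the SYN-timeout teardown first, then the to-the-box build, the Reset-O teardown and the two late PSH/ACK and FIN/ACK packets, which is why the 106015 warnings appear even though the connection was permitted and built.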
09-04-2014 01:06 PM
Looks like the ASA is not dropping the connection, maybe the server / ISP is cutting off the connection.
I would check that part first, before doing any changes on the ASA.
-Randy -
09-04-2014 11:07 AM
Hi Bryan,
Looks like the tcp connection is denied on the outside interface. Check your policy for the traffic coming from outside to inside.
Can you please share your configuration to check your policies; also you can try the command "sysopt connection timewait" on the ASA and check if the behavior changes.
Hope this helps.
-Randy -
09-04-2014 11:25 AM
Sorry, I don't know much about the ASA. I assume you want the access-list? The rule I made for them is in bold.
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list splittunnel; 1 elements; name hash: 0x907b5bd
access-list splittunnel line 1 standard permit 10.0.0.0 255.0.0.0 (hitcnt=0) 0x0336c9eb
access-list http-list2; 1 elements; name hash: 0xd06c9445
access-list http-list2 line 1 extended permit tcp any host 160.109.103.49 (hitcnt=4579) 0x34d298fd
access-list Web_filter; 4 elements; name hash: 0x607b0795
access-list Web_filter line 1 remark denys HTTP access to Intranet
access-list Web_filter line 2 extended deny ip host 10.1.21.10 any (hitcnt=0) 0xf6050e57
access-list Web_filter line 3 remark denys HTTP access to Esales
access-list Web_filter line 4 extended deny ip host 10.1.21.34 any (hitcnt=1173) 0xb6b80a52
access-list Web_filter line 5 remark denys Web access to Stanion.com
access-list Web_filter line 6 extended deny ip host 10.1.21.7 any (hitcnt=4745) 0xd13f029b
access-list Web_filter line 7 extended permit ip any any (hitcnt=1194557283) 0xe91822f1
access-list ironport_nat; 1 elements; name hash: 0xb93ecc1d
access-list ironport_nat line 1 extended permit ip object Ironport_Email any (hitcnt=0) 0xabf503fb
access-list ironport_nat line 1 extended permit ip host 10.1.21.8 any (hitcnt=0) 0xabf503fb
access-list nonat; 3 elements; name hash: 0x13e041bf
access-list nonat line 1 extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0x51aa1a9a
access-list nonat line 2 extended permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0 (hitcnt=0) 0x64e430e9
access-list nonat line 3 extended permit ip 10.0.0.0 255.0.0.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0x9aa0760e
access-list internet_ironport; 2 elements; name hash: 0xda435661
access-list internet_ironport line 1 extended permit ip host 10.1.21.9 any (hitcnt=0) 0xb6bf9d94
access-list internet_ironport line 2 extended permit ip 10.20.0.0 255.255.0.0 any (hitcnt=0) 0x36e2177a
access-list IN; 85 elements; name hash: 0x9f2434aa
access-list IN line 1 extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 any 0xbe6e62f4
access-list IN line 1 extended permit ip 204.13.201.0 255.255.255.0 any (hitcnt=0) 0x91d0f650
access-list IN line 1 extended permit ip 64.37.231.0 255.255.255.0 any (hitcnt=44587) 0x24912041
access-list IN line 2 extended permit tcp any any eq https (hitcnt=322454) 0x73ce9627
access-list IN line 3 extended permit gre object Public_Corp-Main_Router object Corp-Main_Router (hitcnt=0) 0xf4ff3cf8
access-list IN line 3 extended permit gre host 207.140.152.78 host 10.1.2.253 (hitcnt=0) 0xf4ff3cf8
access-list IN line 4 extended permit tcp any object SWECOFTP eq ftp (hitcnt=0) 0x50c59ab3
access-list IN line 4 extended permit tcp any host 10.1.21.62 eq ftp (hitcnt=94) 0x50c59ab3
access-list IN line 5 extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_6 0xe2a3d5b7
access-list IN line 5 extended permit tcp any host 10.1.20.2 eq smtp (hitcnt=0) 0x7bb9f254
access-list IN line 5 extended permit tcp any host 10.1.20.2 eq ssh (hitcnt=0) 0x0f6c8f93
access-list IN line 5 extended permit tcp any host 10.1.21.8 eq smtp (hitcnt=299568) 0x52abd338
access-list IN line 5 extended permit tcp any host 10.1.21.8 eq ssh (hitcnt=0) 0x3485919c
access-list IN line 6 extended permit tcp any object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_1 0x8b9eb238
access-list IN line 6 extended permit tcp any host 10.1.21.24 eq www (hitcnt=722) 0xb0e5957b
access-list IN line 6 extended permit tcp any host 10.1.21.24 eq https (hitcnt=0) 0xcc6cacc0
access-list IN line 6 extended permit tcp any host 10.1.21.34 eq www (hitcnt=10479) 0xd31dfe76
access-list IN line 6 extended permit tcp any host 10.1.21.34 eq https (hitcnt=0) 0x2939fa74
access-list IN line 6 extended permit tcp any host 10.1.21.64 eq www (hitcnt=21909) 0xd0da46a1
access-list IN line 6 extended permit tcp any host 10.1.21.64 eq https (hitcnt=3) 0xf9224ad7
access-list IN line 7 extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_5 0x64977d1a
access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.35 eq ssh (hitcnt=0) 0xdcf294e6
access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.35 eq telnet (hitcnt=0) 0x3bb1a012
access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.35 eq 3389 (hitcnt=0) 0x412f51e3
access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.57 eq ssh (hitcnt=0) 0x59328191
access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.57 eq telnet (hitcnt=0) 0x70c9e5e0
access-list IN line 7 extended permit tcp 206.114.9.0 255.255.255.0 host 10.1.21.57 eq 3389 (hitcnt=0) 0xb383b91d
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.35 eq ssh (hitcnt=0) 0xe621ebc3
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.35 eq telnet (hitcnt=0) 0x04cbc347
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.35 eq 3389 (hitcnt=0) 0x1b956387
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq ssh (hitcnt=0) 0x726ff458
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq telnet (hitcnt=0) 0x109c30be
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq 3389 (hitcnt=23) 0x0137d171
access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.35 eq ssh (hitcnt=0) 0xf4027db3
access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.35 eq telnet (hitcnt=0) 0x59df8576
access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.35 eq 3389 (hitcnt=0) 0x19a30c88
access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.57 eq ssh (hitcnt=0) 0x20ab6579
access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.57 eq telnet (hitcnt=0) 0x95cba548
access-list IN line 7 extended permit tcp host 173.178.135.243 host 10.1.21.57 eq 3389 (hitcnt=4) 0xafa35c82
access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.35 eq ssh (hitcnt=0) 0xfee128cb
access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.35 eq telnet (hitcnt=0) 0x2de86bf5
access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.35 eq 3389 (hitcnt=0) 0x7265e777
access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.57 eq ssh (hitcnt=0) 0xb7d86182
access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.57 eq telnet (hitcnt=0) 0xc95b6f56
access-list IN line 7 extended permit tcp host 173.178.146.44 host 10.1.21.57 eq 3389 (hitcnt=6) 0x0b13aeba
access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.35 eq ssh (hitcnt=0) 0x1983ab13
access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.35 eq telnet (hitcnt=0) 0xbba32c43
access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.35 eq 3389 (hitcnt=0) 0x3e0d9824
access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.57 eq ssh (hitcnt=0) 0x59537353
access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.57 eq telnet (hitcnt=0) 0x4e0c0cb3
access-list IN line 7 extended permit tcp host 173.178.148.247 host 10.1.21.57 eq 3389 (hitcnt=9) 0x77641b36
access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.35 eq ssh (hitcnt=0) 0xcb6b4ed8
access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.35 eq telnet (hitcnt=0) 0x539015d5
access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.35 eq 3389 (hitcnt=0) 0xd4aa4a32
access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.57 eq ssh (hitcnt=0) 0x2edb1e3c
access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.57 eq telnet (hitcnt=0) 0xb8d08c18
access-list IN line 7 extended permit tcp host 184.158.74.194 host 10.1.21.57 eq 3389 (hitcnt=0) 0x27b8dff3
access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.35 eq ssh (hitcnt=0) 0x7d90e69d
access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.35 eq telnet (hitcnt=0) 0x587f5840
access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.35 eq 3389 (hitcnt=0) 0x894d6af4
access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.57 eq ssh (hitcnt=0) 0x64427444
access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.57 eq telnet (hitcnt=0) 0x0428511a
access-list IN line 7 extended permit tcp 207.54.32.0 255.255.255.0 host 10.1.21.57 eq 3389 (hitcnt=0) 0x68c6adac
access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.35 eq ssh (hitcnt=0) 0x5b5eadce
access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.35 eq telnet (hitcnt=0) 0x9b1f6ec0
access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.35 eq 3389 (hitcnt=0) 0x77d58097
access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.57 eq ssh (hitcnt=0) 0x6001f207
access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.57 eq telnet (hitcnt=0) 0x79b2c587
access-list IN line 7 extended permit tcp 65.241.101.0 255.255.255.128 host 10.1.21.57 eq 3389 (hitcnt=0) 0x8e9d71b8
access-list IN line 8 extended permit tcp object-group DM_INLINE_NETWORK_9 object TSE1 eq 3389 0xedd3c6d8
access-list IN line 8 extended permit tcp host 116.75.164.101 host 10.1.21.42 eq 3389 (hitcnt=0) 0xda1d3af8
access-list IN line 8 extended permit tcp host 69.15.189.147 host 10.1.21.42 eq 3389 (hitcnt=0) 0x207ccbf8
access-list IN line 9 extended permit tcp any object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_10 0xf8839a3b
access-list IN line 9 extended permit tcp any host 10.1.21.100 eq www (hitcnt=73980) 0xd8756829
access-list IN line 9 extended permit tcp any host 10.1.21.100 eq https (hitcnt=43714) 0xe1ff17e3
access-list IN line 9 extended permit tcp any host 10.1.21.101 eq www (hitcnt=558) 0x8883195e
access-list IN line 9 extended permit tcp any host 10.1.21.101 eq https (hitcnt=40) 0x4665009f
access-list IN line 10 extended permit object-group DM_INLINE_SERVICE_1 host 24.159.99.28 object Infor (hitcnt=0) 0x21f8274b
access-list IN line 10 extended permit ip host 24.159.99.28 host 10.1.21.15 (hitcnt=0) 0x152a9951
access-list IN line 10 extended permit tcp host 24.159.99.28 host 10.1.21.15 eq 3389 (hitcnt=0) 0x241955b4
access-list IN line 11 extended permit ip any object-group DM_INLINE_NETWORK_2 0x26b701af
access-list IN line 11 extended permit ip any host 10.1.21.7 (hitcnt=231906) 0x703f53dc
access-list IN line 11 extended permit ip any host 10.1.21.6 (hitcnt=226353) 0x538e3514
access-list IN line 12 extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_7 0x2185238d
access-list IN line 12 extended permit tcp any host 10.6.20.2 eq www (hitcnt=302) 0x6b752058
access-list IN line 12 extended permit tcp any host 10.6.20.3 eq www (hitcnt=171) 0x5676723e
access-list IN line 12 extended permit tcp any host 10.18.20.2 eq www (hitcnt=332) 0x4e028ace
access-list IN line 12 extended permit tcp any host 10.3.20.2 eq www (hitcnt=643) 0x140eaec7
access-list IN line 12 extended permit udp any host 10.6.20.2 eq www (hitcnt=0) 0x5179f1de
access-list IN line 12 extended permit udp any host 10.6.20.3 eq www (hitcnt=0) 0x92eda56e
access-list IN line 12 extended permit udp any host 10.18.20.2 eq www (hitcnt=0) 0x4b9c6dfc
access-list IN line 12 extended permit udp any host 10.3.20.2 eq www (hitcnt=0) 0xe776756d
access-list IN line 13 extended permit tcp object WSUS any object-group DM_INLINE_TCP_4 (hitcnt=0) 0x407a23d4
access-list IN line 13 extended permit tcp host 10.1.21.65 any eq www (hitcnt=0) 0xb9c45cc1
access-list IN line 13 extended permit tcp host 10.1.21.65 any eq https (hitcnt=0) 0x5e88e4c5
access-list AnyConnect_Client_Local_Print; 8 elements; name hash: 0xe76ce9d1
access-list AnyConnect_Client_Local_Print line 1 extended deny ip any any (hitcnt=0) 0x08993d53
access-list AnyConnect_Client_Local_Print line 2 extended permit tcp any any eq lpd (hitcnt=0) 0xc2390719
access-list AnyConnect_Client_Local_Print line 3 remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print line 4 extended permit tcp any any eq 631 (hitcnt=0) 0x73a9536a
access-list AnyConnect_Client_Local_Print line 5 remark Windows' printing port
access-list AnyConnect_Client_Local_Print line 6 extended permit tcp any any eq 9100 (hitcnt=0) 0x57c0d3e3
access-list AnyConnect_Client_Local_Print line 7 remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print line 8 extended permit udp any host 224.0.0.251 eq 5353 (hitcnt=0) 0x97c694f8
access-list AnyConnect_Client_Local_Print line 9 remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print line 10 extended permit udp any host 224.0.0.252 eq 5355 (hitcnt=0) 0xa7d3d944
access-list AnyConnect_Client_Local_Print line 11 remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print line 12 extended permit tcp any any eq 137 (hitcnt=0) 0x5f84372c
access-list AnyConnect_Client_Local_Print line 13 extended permit udp any any eq netbios-ns (hitcnt=0) 0xb541e0fb
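As an added example (not code from this thread or from Cisco), here is a small first-match evaluator over the expanded entries of the "show access-list" output above, fed with a subset of the IN ACL copied from the post. It does what packet-tracer's ACCESS-LIST phase does for through-the-box traffic: walk the entries in order, skip the parent lines that still reference object-groups (their expanded children follow), and report the first entry whose protocol, addresses and ports match, or None for the implicit deny at the end of the ACL. It also lists entries with hitcnt=0, which is the question a cleanup like the one described at the top of the thread raises. One caveat from the packet-tracer output later in the thread: a flow to the ASA's own interface address on 443 is matched there by an "Implicit Rule", not by IN, so for to-the-box traffic this evaluator tells you which IN line would match, not what the ASA actually consulted. The names parse_acl, first_match and unused, and the 203.0.113.5 test address, are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the "show access-list IN" output from the post above (real lines, not constructed).
SAMPLE_ACL = """\
access-list IN line 1 extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 any 0xbe6e62f4
access-list IN line 1 extended permit ip 204.13.201.0 255.255.255.0 any (hitcnt=0) 0x91d0f650
access-list IN line 1 extended permit ip 64.37.231.0 255.255.255.0 any (hitcnt=44587) 0x24912041
access-list IN line 2 extended permit tcp any any eq https (hitcnt=322454) 0x73ce9627
access-list IN line 4 extended permit tcp any host 10.1.21.62 eq ftp (hitcnt=94) 0x50c59ab3
access-list IN line 5 extended permit tcp any host 10.1.21.8 eq smtp (hitcnt=299568) 0x52abd338
access-list IN line 7 extended permit tcp host 173.8.235.158 host 10.1.21.57 eq 3389 (hitcnt=23) 0x0137d171
access-list IN line 12 extended permit udp any host 10.6.20.2 eq www (hitcnt=0) 0x5179f1de
access-list IN line 13 extended permit tcp object WSUS any object-group DM_INLINE_TCP_4 (hitcnt=0) 0x407a23d4
access-list IN line 13 extended permit tcp host 10.1.21.65 any eq www (hitcnt=0) 0xb9c45cc1
"""

# Port keywords as the ASA prints them in this output; numeric ports are used as-is.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23,
              "smtp": 25, "lpd": 515, "netbios-ns": 137}

# Only fully expanded entries carry a hit counter; parents and remarks do not match this pattern.
ENTRY = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\) 0x[0-9a-f]+$")


@dataclass
class Entry:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    hits: int


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _take_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _take_port(tokens, i):
    """Consume an optional 'eq PORT' operator; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        acl, lineno, action, proto, rest, hits = m.groups()
        tokens = rest.split()
        if proto.startswith("object") or "object" in tokens or "object-group" in tokens:
            continue  # unexpanded parent entry; its expanded children carry the real addresses
        src, i = _take_addr(tokens, 0)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, i = _take_port(tokens, i)
        entries.append(Entry(acl, int(lineno), action, proto, src, sport, dst, dport, int(hits)))
    return entries


def first_match(entries, proto, src, sport, dst, dport):
    """Return the first entry matching the flow, or None when the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None


def unused(entries):
    """Entries that have never matched a packet since the counters were last cleared."""
    return [e for e in entries if e.hits == 0]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # The scanner flow from the SYN Timeout log line: permitted by line 1, so the ASA built it
    # and then waited in vain for a SYN/ACK from 10.1.20.133.
    print(first_match(acl, "tcp", "64.37.231.144", 40312, "10.1.20.133", 22361))
    print(first_match(acl, "tcp", "203.0.113.5", 1234, "10.1.21.62", 22))  # None: implicit deny
    print([e.line for e in unused(acl)])
```

The evaluator deliberately stops at the first match, as the ASA does, so reordering entries in the sample changes the answer; that is the property to keep in mind when a "cleanup" removes or moves lines.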
09-04-2014 12:43 PM
Hi Brian,
I mean the "show run" of the ASA; however, can you try this command on your ASA and post the result:
packet-tracer input Outside tcp 64.37.231.144 52986 207.140.152.66 443 detailed
-Randy-
09-04-2014 12:52 PM
Here is the output of "packet-tracer input outside tcp 64.37.231.144 52986 207.140.152.66 443 detailed", and below that is the show run.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad640000, priority=1, domain=permit, deny=false
hits=4552253758, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 207.140.152.66 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae13a448, priority=119, domain=permit, deny=false
hits=71322, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
input_ifc=Outside, output_ifc=identity
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad781d40, priority=8, domain=conn-set, deny=false
hits=71322, user_data=0xadff1d50, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=207.140.152.66, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=Outside, output_ifc=identity
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad644af0, priority=0, domain=inspect-ip-options, deny=true
hits=183370301, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae297338, priority=18, domain=flow-export, deny=false
hits=26629132, user_data=0xae39f468, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 7
Type: TCP-MODULE
Subtype: webvpn
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad697210, priority=13, domain=soft-np-tcp-module, deny=false
hits=71324, user_data=0xadfee528, cs_id=0x0, reverse, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=207.140.152.66, mask=255.255.255.255, port=443, dscp=0x0
input_ifc=Outside, output_ifc=identity
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae0cba70, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=19557028, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Outside, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 186590309, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_mod
snp_fp_adjacency
snp_fp_fragment
snp_fp_drop
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
Show run
ASA Version 8.4(2)
!
hostname CorpASA
domain-name stanion.com
enable password 33cPxp7pgqfEVuzl encrypted
passwd OWIlx1L56vEezdTg encrypted
no names
dns-guard
!
interface Ethernet0/0
description Connected to the Internet Router
nameif Outside
security-level 0
ip address 207.140.152.66 255.255.255.192
!
interface Ethernet0/1
description Connected to Internal LAN
nameif Inside
security-level 100
ip address 10.1.2.254 255.255.255.0
!
interface Ethernet0/2
description Connected to Internal DMZ network
nameif dmz
security-level 50
ip address 172.16.2.254 255.255.255.0
!
interface Ethernet0/3
nameif Oustside_Test
security-level 0
ip address 192.168.1.2 255.255.0.0
!
interface Management0/0
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 10.1.21.60
domain-name stanion.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-10.20.0.0
subnet 10.20.0.0 255.255.0.0
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.1.100.0
subnet 10.1.100.0 255.255.255.0
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
object network CAS1
host 10.1.21.100
object network obj-10.1.21.100-01
host 10.1.21.100
object network CAS2
host 10.1.21.101
object network obj-10.1.21.101-01
host 10.1.21.101
object network Esales
host 10.1.21.34
object network Tarantella1
host 10.1.21.24
object network NS2
host 10.1.21.6
object network Staging
host 10.1.21.57
object network TSE1
host 10.1.21.42
object network Web1
host 10.1.21.64
object network Unform
host 10.1.21.20
object network NS1
host 10.1.21.7
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.1.100.0_24
subnet 10.1.100.0 255.255.255.0
object network SWECOFTP
host 10.1.21.62
description FTP Server
object network Public_SWECOFTP
host 207.140.152.92
description Public IP for FTP Server
object network Manhattan_Cameras1
host 10.6.20.2
object network Public_Manhattan_Cameras
host 207.140.152.94
object network KC_Cameras
host 10.18.20.2
description Cameras for Kansas City
object network Public_KC_Cameras
host 207.140.152.96
description Public address Kansas City Cameras
object network WSUS
host 10.1.21.65
object network Infor
host 10.1.21.15
object network Public_Infor
host 207.140.152.76
object network 173.8.235.158
host 173.8.235.158
object network Manhattan_Cameras2
host 10.6.20.3
object network Public_Manhattan_Cameras2
host 207.140.152.97
object network Portal
host 10.1.21.24
description Help Desk
object network Public_Portal
host 207.140.152.85
description Public HelpDesk
object network test_Internet_gateway
host 172.16.8.2
object network Corp-Main_Router
host 10.1.2.253
object network Testsvr
host 207.140.152.79
object network GB_Cameras
host 10.3.20.2
object network public_GB_Cameras
host 207.140.152.98
object network NXT
host 10.1.21.35
object network Public_Esales
host 207.140.152.70
object network Public_NXT
host 207.140.152.68
object network Public_Tarantella
host 207.140.152.77
object network Public_Unform
host 207.140.152.83
object network Ironport_Email
host 10.1.21.8
object network Public_CAS1
host 207.140.152.69
object network Public_CAS2
host 207.140.152.95
object network Public_Corp-Main_Router
host 207.140.152.78
object network Public_NS1
host 207.140.152.71
object network Public_NS2
host 207.140.152.73
object network Public_Staging
host 207.140.152.86
object network Public_TSE1
host 207.140.152.87
object network Public_Web1
host 207.140.152.74
object network obj-10.1.21.8
host 10.1.21.8
object network obj-10.21.8-01
object network obj-10.1.21.8-01
host 10.1.21.8
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object udp destination eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host 10.1.20.2
network-object object Ironport_Email
object-group network DM_INLINE_NETWORK_12
network-object object CAS1
network-object object CAS2
object-group network DM_INLINE_NETWORK_2
network-object object NS1
network-object object NS2
object-group network DM_INLINE_NETWORK_3
network-object 204.13.201.0 255.255.255.0
network-object 64.37.231.0 255.255.255.0
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp destination eq 3389
object-group network Trustwave
network-object 204.13.201.0 255.255.255.0
network-object 64.37.231.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp destination eq ssh
object-group network DM_INLINE_NETWORK_5
network-object 206.114.9.0 255.255.255.0
network-object object 173.8.235.158
network-object host 173.178.135.243
network-object host 173.178.146.44
network-object host 173.178.148.247
network-object host 184.158.74.194
network-object 207.54.32.0 255.255.255.0
network-object 65.241.101.0 255.255.255.128
object-group service DM_INLINE_TCP_5 tcp
port-object eq ssh
port-object eq telnet
port-object eq 3389
object-group network DM_INLINE_NETWORK_6
network-object object NXT
network-object object Staging
object-group network DM_INLINE_NETWORK_7
network-object object Manhattan_Cameras1
network-object object Manhattan_Cameras2
network-object object KC_Cameras
network-object object GB_Cameras
object-group network DM_INLINE_NETWORK_8
network-object object Portal
network-object object Esales
network-object object Web1
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_9
network-object host 116.75.164.101
network-object host 69.15.189.147
object-group service DM_INLINE_TCP_6 tcp
port-object eq smtp
port-object eq ssh
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
access-list splittunnel standard permit 10.0.0.0 255.0.0.0
access-list http-list2 extended permit tcp any host 160.109.103.49
access-list Web_filter remark denys HTTP access to Intranet
access-list Web_filter extended deny ip host 10.1.21.10 any
access-list Web_filter remark denys HTTP access to Esales
access-list Web_filter extended deny ip host 10.1.21.34 any
access-list Web_filter remark denys Web access to Stanion.com
access-list Web_filter extended deny ip host 10.1.21.7 any
access-list Web_filter extended permit ip any any
access-list ironport_nat extended permit ip object Ironport_Email any
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.20.0.0 255.255.0.0
access-list internet_ironport extended permit ip host 10.1.21.9 any
access-list internet_ironport extended permit ip 10.20.0.0 255.255.0.0 any
access-list IN extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_3 any
access-list IN extended permit tcp any any eq https
access-list IN extended permit gre object Public_Corp-Main_Router object Corp-Main_Router
access-list IN extended permit tcp any object SWECOFTP eq ftp
access-list IN extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_6
access-list IN extended permit tcp any object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_1
access-list IN extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_5
access-list IN extended permit tcp object-group DM_INLINE_NETWORK_9 object TSE1 eq 3389
access-list IN extended permit tcp any object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_10
access-list IN extended permit object-group DM_INLINE_SERVICE_1 host 24.159.99.28 object Infor
access-list IN extended permit ip any object-group DM_INLINE_NETWORK_2
access-list IN extended permit object-group DM_INLINE_SERVICE_3 any object-group DM_INLINE_NETWORK_7
access-list IN extended permit tcp object WSUS any object-group DM_INLINE_TCP_4
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
!
tcp-map mss-map
!
pager lines 24
logging enable
logging buffer-size 10000
logging monitor informational
logging buffered notifications
logging trap informational
logging history errors
logging asdm informational
logging host Inside 10.1.21.62
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 305010
no logging message 338303
no logging message 304001
logging message 106015 level warnings
flow-export destination Inside 10.1.21.55 2055
flow-export destination Inside 10.1.21.30 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu Outside 1500
mtu Inside 1500
mtu dmz 1500
mtu Oustside_Test 1500
ip local pool vpn-pool 10.1.100.1-10.1.100.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
icmp permit any Inside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.20.0.0 obj-10.20.0.0 no-proxy-arp
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.1.100.0 obj-10.1.100.0 no-proxy-arp
nat (Inside,any) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.20.0.0 obj-10.20.0.0 no-proxy-arp
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.1.100.0_24 NETWORK_OBJ_10.1.100.0_24 no-proxy-arp route-lookup
nat (Inside,Outside) source static SWECOFTP Public_SWECOFTP description FTP1
nat (Inside,Outside) source static Manhattan_Cameras2 Public_Manhattan_Cameras2
nat (Inside,Outside) source static Portal Public_Portal
nat (Inside,Outside) source static Manhattan_Cameras1 Public_Manhattan_Cameras
nat (Inside,Outside) source static KC_Cameras Public_KC_Cameras
nat (Inside,Outside) source static Infor Public_Infor
!
object network obj-10.20.0.0
nat (Outside,Outside) dynamic interface
object network CAS1
nat (Inside,Outside) static 207.140.152.69 service tcp www www
object network obj-10.1.21.100-01
nat (Inside,Outside) static 207.140.152.69 service tcp https https
object network CAS2
nat (Inside,Outside) static 207.140.152.95 service tcp www www
object network obj-10.1.21.101-01
nat (Inside,Outside) static 207.140.152.95 service tcp https https
object network Esales
nat (Inside,Outside) static Public_Esales
object network Tarantella1
nat (Inside,Outside) static Public_Tarantella
object network NS2
nat (Inside,Outside) static Public_NS2
object network Staging
nat (Inside,Outside) static Public_Staging
object network TSE1
nat (Inside,Outside) static Public_TSE1
object network Web1
nat (Inside,Outside) static Public_Web1
object network Unform
nat (Inside,Outside) static Public_Unform
object network NS1
nat (Inside,Outside) static Public_NS1
object network obj_any
nat (Inside,Outside) dynamic interface
object network SWECOFTP
nat (Inside,Outside) static Public_SWECOFTP
object network Corp-Main_Router
nat (Inside,Outside) static Public_Corp-Main_Router
object network GB_Cameras
nat (Inside,Outside) static public_GB_Cameras
object network NXT
nat (Inside,Outside) static Public_NXT
object network obj-10.1.21.8
nat (Inside,Outside) static 207.140.152.69 service tcp smtp smtp
object network obj-10.1.21.8-01
nat (Inside,Outside) dynamic 207.140.152.69
access-group IN in interface Outside
route Outside 0.0.0.0 0.0.0.0 207.140.152.65 1
route Inside 10.0.0.0 255.0.0.0 10.1.2.253 1
route Inside 70.252.185.124 255.255.255.252 10.1.2.253 1
route Inside 70.252.185.128 255.255.255.252 10.1.2.253 1
route Inside 0.0.0.0 0.0.0.0 10.1.2.253 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record "Deny Access"
user-message "NO VPN Access"
action terminate
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol ldap
aaa-server AD (Inside) host 10.1.21.60
ldap-base-dn DC=sweco,DC=corp
ldap-group-base-dn DC=sweco,DC=corp
ldap-scope subtree
ldap-login-password *****
ldap-login-dn CN=ldapuser,CN=users,DC=sweco,DC=corp
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.20.0 255.255.255.0 Inside
http 10.1.21.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 10.20.0.0 255.255.0.0 Outside
snmp-server host Inside 10.1.21.30 community ***** version 2c udp-port 161
snmp-server host Inside 10.1.21.55 community ***** version 2c udp-port 161
snmp-server location Corp
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
sysopt connection timewait
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set mystanion esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map client-vpn 10 set ikev1 transform-set myset
crypto dynamic-map mymap 1 set ikev1 transform-set mystanion ESP-3DES-SHA
crypto dynamic-map mymap 1 set reverse-route
crypto map StanionVPN 10 ipsec-isakmp dynamic client-vpn
crypto map dyn-map 10 ipsec-isakmp dynamic mymap
crypto map dyn-map interface Outside
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.20.0.0 255.255.0.0 Outside
ssh 10.0.0.0 255.0.0.0 Inside
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp web-cache redirect-list Web_filter
wccp interface Inside web-cache redirect in
ntp server 10.1.254.1 source Inside prefer
webvpn
enable Outside
anyconnect-essentials
anyconnect image disk1:/anyconnect-dart-win-2.5.3055-k9.pkg 1
anyconnect image disk1:/anyconnect-win-3.1.03103-k9.pkg 2
anyconnect enable
tunnel-group-list enable
group-policy split-tunnel internal
group-policy split-tunnel attributes
vpn-idle-timeout 30
group-policy GroupPolicy_StanionAny internal
group-policy GroupPolicy_StanionAny attributes
wins-server value 10.1.21.60
dns-server value 10.1.21.60 10.1.21.25
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value stanion.com
group-policy clientvpn internal
group-policy clientvpn attributes
dns-server value 10.1.21.60 10.1.21.25
vpn-idle-timeout 20
vpn-tunnel-protocol ikev1 l2tp-ipsec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value Stanion.com
group-policy clientgroup internal
username StanionAny password y9al.Ax396eTnCwt encrypted
username stanion password jzeq0YLBbw50qQPY encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
tunnel-group clientvpn type remote-access
tunnel-group clientvpn general-attributes
address-pool vpn-pool
authorization-server-group LOCAL
default-group-policy clientvpn
tunnel-group clientvpn ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
tunnel-group split-tunnel type remote-access
tunnel-group split-tunnel general-attributes
default-group-policy split-tunnel
tunnel-group StanionAny type remote-access
tunnel-group StanionAny general-attributes
address-pool vpn-pool
authentication-server-group AD
default-group-policy GroupPolicy_StanionAny
tunnel-group StanionAny webvpn-attributes
group-alias StanionAny enable
!
class-map global-class
match any
class-map Outside-ips-class
match any
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list http-list2
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 ras
inspect netbios
inspect rtsp
inspect icmp error
inspect icmp
inspect ftp
inspect ip-options
class http-map1
set connection advanced-options mss-map
class global-class
flow-export event-type all destination 10.1.21.30 10.1.21.55
policy-map Outside-IPS-Policy
description Outside IPS Rule sends traffic to ips for inspection
class Outside-ips-class
ips inline fail-open
!
service-policy global_policy global
service-policy Outside-IPS-Policy interface Outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:22033f54e5f5d2eb77a8f018b1f5443c
: end
09-04-2014 01:06 PM
Looks like the ASA is not dropping the connection, maybe the server / ISP is cutting off the connection.
I would check that part first, before doing any changes on the ASA.
-Randy-
09-08-2014 08:12 AM
Is there a command to see what our PAT rule for our general public IP is translating to on the inside so I could find the devices that Trustwave is actually talking to?
09-09-2014 09:47 AM
Hi Brian.
"show xlate" is the command you're looking for.
Use show xlate | incl (server IP) to filter the results and see the public/private IP.
Hope this helps
-Randy-
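As an added example (not code from the thread or from Cisco), the following script does the lookup Randy describes in bulk: it parses `show xlate` output into a mapped-to-real table and cross-checks it against the ASA's 302013 "Built inbound ... connection" syslog lines, which already carry the real address after the interface name and the mapped one in parentheses. A destination interface of `identity` means the ASA's own interface answered the scanner rather than a translated inside host, which is worth spotting before chasing a server. The sample `show xlate` and syslog lines are constructed, use RFC 5737 documentation addresses, and assume the ASA 8.3+ line layout; adjust the regexes if your software prints the fields differently.

```python
"""Correlate ASA `show xlate` output with 302013 connection logs to find the
inside host a remote scanner is really reaching behind a public IP/port.
Added example; all sample data below is constructed, not from the thread."""
import re

# Constructed `show xlate` output, assumed ASA 8.3+ layout.
SAMPLE_XLATE = """\
TCP PAT from Inside:10.1.21.100/443 to Outside:203.0.113.69/443 flags sr idle 0:01:12 timeout 0:00:00
TCP PAT from Inside:10.1.21.8/25 to Outside:203.0.113.69/25 flags sr idle 0:00:05 timeout 0:00:00
NAT from Inside:10.1.21.50 to Outside:203.0.113.70 flags s idle 0:03:40 timeout 0:00:00
"""

# Constructed 302013 syslog lines, assumed layout: real address after the
# interface name, mapped address in parentheses. 198.51.100.10 plays the scanner.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for Outside:198.51.100.10/40001 (198.51.100.10/40001) to Inside:10.1.21.100/443 (203.0.113.69/443)
%ASA-6-302013: Built inbound TCP connection 1002 for Outside:198.51.100.10/40002 (198.51.100.10/40002) to identity:203.0.113.66/443 (203.0.113.66/443)
%ASA-6-302013: Built inbound TCP connection 1003 for Outside:198.51.100.10/40003 (198.51.100.10/40003) to Inside:10.1.21.50/22 (203.0.113.70/22)
%ASA-6-302013: Built outbound TCP connection 1004 for Outside:93.184.216.34/80 (93.184.216.34/80) to Inside:10.1.20.5/51000 (203.0.113.66/51000)
"""

# "TCP PAT from Inside:real/port to Outside:mapped/port ..." or "NAT from Inside:real to Outside:mapped ..."
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<rif>[\w-]+):(?P<rip>[\d.]+)(?:/(?P<rport>\d+))? to "
    r"(?P<mif>[\w-]+):(?P<mip>[\d.]+)(?:/(?P<mport>\d+))?"
)

# "Built inbound TCP connection N for Outside:src/port (src/port) to Inside:real/port (mapped/port)"
BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    r"(?P<sif>[\w-]+):(?P<sreal>[\d.]+)/(?P<sreal_port>\d+) \((?P<smap>[\d.]+)/(?P<smap_port>\d+)\) to "
    r"(?P<dif>[\w-]+):(?P<dreal>[\d.]+)/(?P<dreal_port>\d+) \((?P<dmap>[\d.]+)/(?P<dmap_port>\d+)\)"
)


def parse_xlate(text):
    """Return {(mapped_ip, mapped_port or None): (real_ip, real_port or None)}.
    Static PAT entries carry a port; 1:1 static NAT entries do not."""
    table = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        mport = int(m["mport"]) if m["mport"] else None
        rport = int(m["rport"]) if m["rport"] else None
        table[(m["mip"], mport)] = (m["rip"], rport)
    return table


def real_host(table, public_ip, port):
    """Resolve a public ip/port to (real_ip, real_port): exact PAT match first,
    then a port-less 1:1 NAT entry; None if nothing translates it (e.g. the ASA itself)."""
    if (public_ip, port) in table:
        return table[(public_ip, port)]
    if (public_ip, None) in table:
        return (table[(public_ip, None)][0], port)
    return None


def scanner_targets(syslog_text, scanner_ip):
    """(public_ip, port, dest_iface, real_ip) for each inbound connection from scanner_ip.
    dest_iface 'identity' means the firewall's own interface accepted the connection."""
    hits = []
    for line in syslog_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or m["dir"] != "inbound" or m["sreal"] != scanner_ip:
            continue
        hits.append((m["dmap"], int(m["dmap_port"]), m["dif"], m["dreal"]))
    return hits


def report(xlate_text, syslog_text, scanner_ip):
    """Join the two views so a disagreement (log says identity, xlate says nothing) stands out."""
    table = parse_xlate(xlate_text)
    rows = []
    for pub_ip, port, iface, real in scanner_targets(syslog_text, scanner_ip):
        via_xlate = real_host(table, pub_ip, port)
        rows.append({
            "public": f"{pub_ip}/{port}",
            "logged_real": f"{iface}:{real}",
            "xlate_real": f"{via_xlate[0]}/{via_xlate[1]}" if via_xlate else "(none: ASA itself or no xlate)",
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_XLATE, SAMPLE_SYSLOG, "198.51.100.10"):
        print(row)
```

Feed it the real `show xlate` output and a syslog export filtered to the scanner's source address; any row whose `logged_real` starts with `identity:` is the ASA answering on its own interface, and any row where the two columns disagree is a translation you did not expect.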
09-08-2014 10:08 AM
Never mind I found it. I discovered that DNS had a bad record that was pointing the scan to a device that didn't exist. Thanks for the help!