Disturbing Traffic from ASA

baskervi · ‎09-29-2014

We have an ASA that has a private IP on the outside interface (10.10.50.2), and it's NATed to a public IP at the Internet router. While troubleshooting a problem, we looked at the NAT translations at the Internet router and saw the following for the ASA:

tcp x.x.x.251:443 10.10.50.2:443 68.12.177.70:59888 68.12.177.70:59888
tcp x.x.x.251:443 10.10.50.2:443 68.97.191.176:58769 68.97.191.176:58769
tcp x.x.x.251:443 10.10.50.2:443 72.215.13.144:1660 72.215.13.144:1660
udp x.x.x.251:443 10.10.50.2:443 68.97.191.176:63761 68.97.191.176:63761
tcp x.x.x.251:25941 10.10.50.2:25941 64.111.111.113:80 64.111.111.113:80
tcp x.x.x.251:27288 10.10.50.2:27288 69.25.100.185:1973 69.25.100.185:1973
tcp x.x.x.251:39315 10.10.50.2:39315 69.25.100.186:1973 69.25.100.186:1973
tcp x.x.x.251:46456 10.10.50.2:46456 69.25.100.186:1973 69.25.100.186:1973
tcp x.x.x.251:57384 10.10.50.2:57384 64.111.111.113:80 64.111.111.113:80
tcp x.x.x.251:60003 10.10.50.2:60003 64.111.111.113:80 64.111.111.113:80
tcp x.x.x.251:60623 10.10.50.2:60623 69.25.100.185:1973 69.25.100.185:1973
tcp x.x.x.251:63408 10.10.50.2:63408 69.25.100.186:1973 69.25.100.186:1973

The ASA accepts SSL VPN connections, so traffic to 443 on the ASA is understandable. However, no outbound traffic is NATed to the outside Interface of the ASA, so I was surprised to see traffic from the ASA to a few different public IPs on ports 80 and 1973. Does anyone know what these might be for? Thanks

Vibhor Amrodia · ‎10-04-2014

Hi,

I would recommend checking the connection information from the ASA device simultaneously using this command:- show conn all and then finding the IP addresses which it seems to be creating the connections to.

Do you have any Botnet filter enabled ?

Thanks and Regards,

Vibhor Amrodia

baskervi · ‎10-06-2014

I'll have to check on this periodically. Right now, the only connections shown are my ssh and a handful of SSL VPN connections. Thanks for the assistance.