PBX behind asa got hacked

Bart Kersten
Level 1

Hi,

We have a customer who has an Asterisk PBX behind an ASA I configured; the PBX I did not configure. We have several customers with the same setup. Today we noticed that their PBX got hacked and was making calls to very expensive phone extensions. The guy who configured the PBX is saying that it's the ASA that got hacked. In my opinion it is not the ASA that got hacked, but I think there is something going on on the internal network.

The guy from the PBX side says that when he scans the IP of the customer who got hacked he sees port 5060 (SIP) open, but in the ASA there is no port forwarding on that port. How is this possible?

I also scanned it myself and it says port 5060 is open, which is weird because there is no port forwarding on port 5060.

Can anyone explain to me why this happens?

thanks in advance

11 Replies

Marcin Latosiewicz
Cisco Employee

Bart,

ASA should not open UDP/5060 or TCP/5060 because it's not running any service on its own (by default).

I just checked with ASA 9.0 fresh out of the box with webvpn configured:

./nmap -sU 10.48.66.96
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-11-14 13:38 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.48.66.96
Host is up (0.00041s latency).
All 1000 scanned ports on 10.48.66.96 are open|filtered
MAC Address: 50:3D:E5:9D:84:8A (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 21.19 seconds

Similarly for TCP:

./nmap -sS 10.48.66.96
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-11-14 13:42 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.48.66.96
Host is up (0.00040s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
8443/tcp open  https-alt
MAC Address: 50:3D:E5:9D:84:8A (Cisco Systems)
Nmap done: 1 IP address (1 host up) scanned in 4.84 seconds

How are they verifying that the port is open? It might seem this way in case NAT is configured.

Plus, even IF ASA got hacked (remote access obtained) it's not very likely it could be used as entry point for attack.

Open up a TAC case, allow us to verify what's going on on the ASA.

M.

Hi Marcin,

I did the same scans as you did; these are my results.

./nmap -sU x.x.x.210
Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-14 13:49 West-Europa (standaardtijd)
Nmap scan report for d57df1d2.static.xx.nl (x.x.x.210)
Host is up (0.020s latency).
All 1000 scanned ports on d57df1d2.static.xxxx.nl (x.x.x.210) are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 12.66 seconds

./nmap -sS x.x.x.210
Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-14 13:56 West-Europa (standaardtijd)
Nmap scan report for d57df1d2.static.xx.nl (x.x.x.210)
Host is up (0.014s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 21.97 seconds

From this output I think I am safe to say that it's not open, right?

If you need more information I can post a config so you can check it for any misconfigurations? Although I am now quite sure that it's not the ASA that is causing the problem.

Also he said he was scanning with some SIP scanner and got this output:

./svmap.py x.x.x.210
| SIP Device           | User Agent          | Fingerprint |
------------------------------------------------------------
| x.x.x.210:5060 | FPBX-2.8.1(1.8.7.0) | disabled    |

thanks in advance

Bart,

Please obfuscate that IP address (just in case).

What you've shown is no response on any of the ports scanned (however some services will not reply unless you get a properly crafted message). That being said, ASA (with SIP inspection enabled) WILL allocate ports dynamically and on demand, which could lead to the port being seen as open, although multiple dependencies exist.

Also on ASA you can do "show asp table socket" to list open/used sockets by the appliance itself (unlike passthrough traffic).

To me it looks like it's NOT related to ASA itself being "hacked" (you cannot install services on ASA).

You can try doing:

show xlate global IP_ADD_RE_SS

or show xlate | i IP_ADD_RE_SS

to verify if that IP/PORT has any xlates associated.

M.

Hi,

I captured the output when he did a port scan on port 5060, and I got this log message in the ASA:

show asp table socket
SSL       0003d6cf  10.192.7.1:443              0.0.0.0:*               LISTEN
TCP       00febd1f  10.192.7.1:23               0.0.0.0:*               LISTEN
TCP       02187728  10.192.7.1:23               10.192.7.10:25786       ESTAB
SSL       024567f8  10.192.7.1:443              10.192.7.10:25975       ESTAB
SSL       0248b568  10.192.7.1:443              10.192.7.10:25981       ESTAB

When I did the xlate command I didn't see any global xlates. I'm getting a feeling that it's a bug in the ASA. Also the guy who configured the PBX keeps telling me the port is open when it is obviously not.

This is getting a bit weird.

Thanks a lot for your help so far! Hope you can help me solve this problem.

Thanks

In the xlate table I did find this:

UDP PAT from inside:10.192.7.20/5060 to outside:x.x.x.210/5060 flags ri idle 0:00:35 timeout 1:00:00

Don't know if this is useful?

Bart,

This is a perfect example of a dynamic translation that host 10.192.7.20 allocated to itself.

From outside's perspective this will show as a port "open" on firewall while in essence it's on the inside.

M.
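A defender-side check, added here as an example and not part of the thread or of any Cisco tool: it parses "show xlate" output in the format quoted above and reports inside hosts whose dynamic PAT currently holds a SIP port on the outside address, which is exactly the situation that makes a scanner report 5060 as open with no port-forward configured. The flag meanings (i = dynamic, r = portmap, s = static) follow the ASA xlate legend; the sample output is constructed around the thread's own line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one "show xlate" entry on ASA 8.3+ in the shape quoted in the thread
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)?\s*(?:PAT|NAT)\s+from\s+"
    r"\S+?:(?P<in_ip>[\w.]+)(?:/(?P<in_port>\d+))?\s+to\s+"
    r"\S+?:(?P<out_ip>[\w.]+)(?:/(?P<out_port>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)"
)

@dataclass
class Xlate:
    proto: Optional[str]        # None for plain NAT entries without a protocol
    inside_ip: str
    inside_port: Optional[int]  # None for non-PAT entries
    outside_ip: str
    outside_port: Optional[int]
    flags: str                  # ASA legend: i = dynamic, r = portmap (PAT), s = static

def parse_xlate(output: str) -> List[Xlate]:
    """Parse 'show xlate' text; counter/legend lines that do not match are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            port = lambda key: int(m[key]) if m[key] else None
            entries.append(Xlate(m["proto"], m["in_ip"], port("in_port"),
                                 m["out_ip"], port("out_port"), m["flags"]))
    return entries

def exposed_sip_hosts(output: str, sip_ports=(5060, 5061)) -> List[str]:
    """Inside hosts whose *dynamic* PAT currently holds a SIP port on the outside
    address: while that xlate lives, the outside port answers from the inside host."""
    return [f"{x.inside_ip}/{x.inside_port} -> {x.outside_ip}/{x.outside_port} ({x.proto})"
            for x in parse_xlate(output)
            if "i" in x.flags and x.outside_port in sip_ports]

# Constructed sample output: the thread's own xlate line plus two unrelated entries
SAMPLE = """\
3 in use, 5 most used
UDP PAT from inside:10.192.7.20/5060 to outside:x.x.x.210/5060 flags ri idle 0:00:35 timeout 1:00:00
TCP PAT from inside:10.192.7.10/34567 to outside:x.x.x.210/34567 flags ri idle 0:00:02 timeout 0:00:30
NAT from inside:10.192.7.30 to dmz:192.0.2.30 flags s idle 0:00:00 timeout 0:00:00
"""
```

Running `exposed_sip_hosts` over a periodic capture of "show xlate" gives a simple signal of when the PBX has opened itself to the outside through the ASA's dynamic PAT.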

Hi,

He stopped the Asterisk server and then he didn't find an open port. As soon as he started it again, he did find port 5060. So the ASA is forwarding the traffic to the Asterisk server. I really don't get it, because there is no rule anywhere that says to forward port 5060 to the Asterisk server.

Do you have any more ideas?

You indicated yourself it's a dynamic rule.

I guess you have PAT for that host? Most likely PAT + SIP inspection are creating this when that host is initiating traffic to the outside - watch the syslogs on informational level.

But is it possible they could have hacked the SIP through the ASA? With this I mean: could they have scanned the IP and then hacked the session with the SIP server through the ASA?

Bart,

Without SIP inspection on, yes it's possible that this xlate could have been used to connect to server, if your security policy allows that.

If SIP inspection is on we do inspect the SIP payload, up to a certain point of course.

I find it unlikely, but technically possible.

M.

OK, SIP inspection is on so that can't be the problem. So I have 2 scenarios now of what the problem can be; what do you think is more likely?

1. What the Asterisk guy thinks: they have scanned the IP and found that SIP was open. They tried the phone extensions with passwords and found them. So they could register the phone to the Asterisk server and make the calls.

2. What I think: they downloaded some kind of trojan, and a hacker has access to their network and can also register phones and then make the calls.
