PIX525 Connection table

Edvin Lux
Level 1

I'm troubleshooting a PIX525. When I run the cisco command "show conn" I see lots of UDP connection requests hitting my firewall from several remote IP addresses trying to reach an inside server using port 0. When I run the cisco command "capture monitor interface outside" I never see the connection attempts in my capture, but they show up in the connection tables. Eventually the connection times out of the connection table and there is a sys log message written saying "Teardown UDP connection". I also did a port monitor on my outside interface of my PIX525 to monitor traffic on the outside interface and I still don't see the UDP connection attempts. Any ideas how this is possible?

This is the sys log message I'm seeing, but I cannot seem to capture the packets using "capture monitor interface outside". In my sys log messages I never see the connection creation either.

%PIX-6-302016: Teardown UDP connection 86151050 for outside:x.x.x.x/53605 to inside:x.x.x.x/0 duration 0:30:01 bytes 0

Accepted Solution


Vibhor Amrodia
Cisco Employee

Hi,

As per the basic functionality on the PIX and ASA devices, these connections are opened pinhole connections for the inspected protocols on the ASA device.

If it is UDP, my guess would be audio protocols like SIP or Skinny.

Thanks and Regards,

Vibhor Amrodia

2 Replies

Here is a snippet of my connections table on my PIX525. I see lots of these connections. The interesting part is the firewall connection table is showing the outside source address to be 10.0.1.2. After looking through my wireshark captures I found this IP address in the SIP VIA headers of several inbound sip messages. Is the PIX saying the source address is 10.0.1.2 for these UDP SIP messages because I have SIP FIXUP enabled (sip inspect)?

UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:00:19 flags ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:01:11 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:02:05 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:02:50 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:03:32 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:04:15 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:04:57 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:05:52 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:06:43 flags Ti
UDP out 10.0.1.2:57632 in X.X.X.X:0 idle 0:07:26 flags Ti
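As an added example (not from the thread and not Cisco code), here is a small Python triage script for the two artifacts quoted above. It parses "show conn" lines and %PIX-6-302016 teardown messages, decodes the conn flags using the ASA/PIX show conn legend (T = SIP, t = SIP transient, i = incomplete, I/O = inbound/outbound data, U = up, m = SIP media, k = Skinny media), and separates port-0 entries that carry a SIP/Skinny inspection flag, which are the pinholes the accepted answer describes, from port-0 entries that carry no inspection flag and from teardown records that expired with zero bytes. The sample lines are constructed, with RFC 5737 documentation addresses standing in for the X.X.X.X inside host; the category names (voip-pinhole, port0-uninspected, pinhole-expired-unused) are my own labels, not PIX output.

```python
import re
from collections import Counter

# Constructed sample "show conn" output, modelled on the lines posted in the
# thread; the inside address is replaced by an RFC 5737 documentation address.
SHOW_CONN_SAMPLE = """\
UDP out 10.0.1.2:57632 in 192.0.2.10:0 idle 0:00:19 flags Ti
UDP out 10.0.1.2:57632 in 192.0.2.10:0 idle 0:00:19 flags ti
UDP out 10.0.1.2:57632 in 192.0.2.10:0 idle 0:07:26 flags Ti
UDP out 198.51.100.7:53605 in 192.0.2.10:5060 idle 0:00:02 flags -
UDP out 198.51.100.7:53605 in 192.0.2.10:0 idle 0:00:40 flags -
TCP out 198.51.100.7:40000 in 192.0.2.20:443 idle 0:00:01 bytes 1200 flags UIO
"""

# Constructed syslog lines in the %PIX-6-302016 format quoted in the question.
SYSLOG_SAMPLE = """\
%PIX-6-302016: Teardown UDP connection 86151050 for outside:198.51.100.7/53605 to inside:192.0.2.10/0 duration 0:30:01 bytes 0
%PIX-6-302016: Teardown UDP connection 86151051 for outside:198.51.100.7/53605 to inside:192.0.2.10/5060 duration 0:00:31 bytes 944
"""

# Subset of the ASA/PIX "show conn" flag legend relevant to this thread.
FLAG_NAMES = {
    "T": "SIP", "t": "SIP transient", "m": "SIP media", "k": "Skinny media",
    "i": "incomplete", "I": "inbound data", "O": "outbound data", "U": "up",
}

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\d+:\d\d:\d\d)"
    r"(?: bytes (?P<bytes>\d+))? flags (?P<flags>\S+)$"
)

TEARDOWN_RE = re.compile(
    r"%PIX-6-302016: Teardown (?P<proto>\w+) connection (?P<conn_id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
)


def parse_conn(line):
    """Parse one 'show conn' line into a dict, or return None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["out_port"] = int(d["out_port"])
    d["in_port"] = int(d["in_port"])
    d["bytes"] = int(d["bytes"]) if d["bytes"] else None
    # "-" means no flags set; anything outside the legend subset is reported as unknown
    d["flag_names"] = [FLAG_NAMES.get(f, f"unknown({f})") for f in d["flags"] if f != "-"]
    return d


def classify_conn(conn):
    """Label a parsed entry: inspection pinhole, unexplained port-0 entry, or ordinary flow."""
    if conn["in_port"] == 0:
        if any(f in conn["flags"] for f in "Ttmk"):
            return "voip-pinhole"      # opened by SIP/Skinny inspection, as the accepted answer says
        return "port0-uninspected"     # port 0 with no inspection flag: worth a closer look
    return "normal"


def parse_teardown(line):
    """Parse one %PIX-6-302016 teardown syslog line into a dict, or None."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    d["bytes"] = int(d["bytes"])
    return d


def classify_teardown(td):
    """A port-0 entry torn down with 0 bytes is a pinhole that expired unused."""
    if td["dst_port"] == 0 and td["bytes"] == 0:
        return "pinhole-expired-unused"
    return "carried-data" if td["bytes"] > 0 else "no-data"


def summarize(conn_text, syslog_text):
    """Count entry categories across 'show conn' output and teardown syslog lines."""
    counts = Counter()
    for line in conn_text.splitlines():
        conn = parse_conn(line)
        if conn:
            counts["conn:" + classify_conn(conn)] += 1
    for line in syslog_text.splitlines():
        td = parse_teardown(line)
        if td:
            counts["syslog:" + classify_teardown(td)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SHOW_CONN_SAMPLE, SYSLOG_SAMPLE).items()):
        print(f"{key:32s} {n}")
```

Feed it the real "show conn" output and a syslog extract instead of the constructed samples; port-0 entries whose flags include T or t, and teardowns with bytes 0, are the inspection pinholes the accepted answer describes and never carried a packet, which is why they do not appear in the outside-interface capture. Port-0 entries with no inspection flag, or teardowns on port 0 with a non-zero byte count, are the ones to pull the matching capture for.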