What happens to TCP packet when it hits explicit deny in ACL

m.surtees
Level 1

Hi all,

Basic questions before the details: Does an explicit deny on an ASA 5510 7.2(2) send a RST packet back to a SYN scanner? Why does it not just drop the packet? Can I make it do so? Do I understand what I'm doing? :)

Details: Got a client running his own Qualys (sp?) scanner on his network. When he scans well known ports at remote offices which essentially hang off 5510 DMZs he receives an RST from port 25. As far as the Inside int ACL goes there is a specific deny of all smtp traffic not coming from his mail servers. Everything else from his scanner would at least be allowed past the ingress interface of the ASA.

But as mentioned he receives an RST from an smtp probe. Now I don't have access to his Qualys but I do have nmap and I ran the following on a random (might not even exist) host at a remote site:

nmap -sS 10.180.74.217

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:36 WST
Interesting ports on 10.180.74.217:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
25/tcp closed smtp

Nmap run completed -- 1 IP address (1 host up) scanned in 22.057 seconds

I then put an explicit permit in the ACL to allow my nmap host smtp access to that random host and here are the results:

nmap -sS 10.180.74.217

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:43 WST
All 1660 scanned ports on 10.180.74.217 are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 35.012 seconds

So my question again - is the explicit deny returning a RST to a SYN request when I'd hope it would just drop the packet? If so how do I force the drop?

All help much appreciated

Mike
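The two nmap runs in the post differ in exactly one detail: port 25 shows up as "closed" before the permit and vanishes into "filtered" after it. For a SYN scan those words map directly onto what came back on the wire (closed = a RST/ACK was received, filtered = nothing came back), which is the whole question here. The script below is an added example, not part of the thread; it parses nmap's classic text output (both the "Interesting ports" table and the "All N scanned ports ... are: filtered" summary form), tallies states per host, and diffs two scans of the same host so the state change stands out. The two sample outputs are constructed from the runs quoted above.

```python
"""Parse classic nmap -sS text output and compare two scans of one host.

Added example for this thread: the SYN_SCAN_EVIDENCE wording and the
two sample scan texts are constructed here, not taken from nmap itself.
"""
import re
from collections import Counter

# Constructed from the two scans quoted in the post (nmap 3.70 text format).
SCAN_BEFORE_PERMIT = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:36 WST
Interesting ports on 10.180.74.217:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
25/tcp closed smtp
Nmap run completed -- 1 IP address (1 host up) scanned in 22.057 seconds
"""

SCAN_AFTER_PERMIT = """\
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2009-05-14 22:43 WST
All 1660 scanned ports on 10.180.74.217 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 35.012 seconds
"""

# What each nmap state means on the wire for a SYN (-sS) probe.
SYN_SCAN_EVIDENCE = {
    "open": "SYN/ACK received: a listener answered",
    "closed": "RST received: something actively refused the SYN",
    "filtered": "no reply (or ICMP unreachable): the SYN was silently dropped",
}

HOST_RE = re.compile(r"^Interesting ports on (\S+):")
ALL_RE = re.compile(r"^All (\d+) scanned ports on (\S+) are: (\w+)")
HIDDEN_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_nmap(text):
    """Summarise one scan: host, per-state counts, explicitly listed ports,
    and the default state nmap applied to the ports it did not list."""
    summary = {"host": None, "states": Counter(), "ports": {}, "default_state": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            summary["host"] = m.group(1)
        elif m := ALL_RE.match(line):
            count, host, state = m.groups()
            summary["host"] = host
            summary["default_state"] = state
            summary["states"][state] += int(count)
        elif m := HIDDEN_RE.match(line):
            count, state = m.groups()
            summary["default_state"] = state
            summary["states"][state] += int(count)
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            summary["ports"][f"{port}/{proto}"] = (state, service)
            summary["states"][state] += 1
    return summary


def state_of(summary, port):
    """State of a port: listed explicitly, else the scan's default state."""
    return summary["ports"].get(port, (summary["default_state"], None))[0]


def compare_scans(before_text, after_text):
    """Ports whose state changed between two scans, as {port: (before, after)}."""
    before, after = parse_nmap(before_text), parse_nmap(after_text)
    changed = {}
    for port in set(before["ports"]) | set(after["ports"]):
        b, a = state_of(before, port), state_of(after, port)
        if b != a:
            changed[port] = (b, a)
    return changed


def explain(summary):
    """Human-readable report mapping each listed port's state to wire evidence."""
    counts = ", ".join(f"{n} {s}" for s, n in sorted(summary["states"].items()))
    lines = [f"{summary['host']}: {counts}"]
    for port, (state, service) in summary["ports"].items():
        lines.append(f"  {port} ({service}) {state}: {SYN_SCAN_EVIDENCE.get(state, 'unknown')}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(parse_nmap(SCAN_BEFORE_PERMIT)))
    print(explain(parse_nmap(SCAN_AFTER_PERMIT)))
    for port, (b, a) in compare_scans(SCAN_BEFORE_PERMIT, SCAN_AFTER_PERMIT).items():
        print(f"{port}: {b} -> {a}")
```

Run against the two quoted scans it reports 25/tcp going from closed to filtered, i.e. a RST was seen only while the deny rule matched. That is the observation to hand to whoever is looking at the ASA config: the device (or something between the scanner and the target) is answering the denied SYN rather than dropping it, and a packet capture on the inside interface during a probe to port 25 would confirm which hop sends the RST.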

4 Replies

handsy
Level 1

Hmmm, I wonder if the 'inspect esmtp' ASA default is sending your RST.

Try turning that off in config:

policy-map global_policy
 class inspection_default
  no inspect esmtp

....and run your nmap/qualys scans again.

Good luck!

Hi handsy,

Sorry I didn't mention it originally but I did check the esmtp inspect. Although I don't understand why, it has caused issues before (actually sending emails to @cisco.com ridiculously). As such it was/is turned off.

Thanks for your reply though,

Mike

ppoouellet
Level 1

You may also check if there is some 'service ...' command in the config (service resetoutside, service resetinbound).

hi ppoouellet,

Unfortunately that's not it either. No 'service ...' cmd in there.

Thanks for the reply,

Mike
