Re: ASA inside IP address

pugliededaniele88 · ‎10-18-2017

Dear all,

I have a problem with my asa. From domain controller server I see some access attempts. I don't know why I see the ip address of the inside interface of asa.

in attachment the log of the server.

192.168.0.252 is the ip of the inside interface of ASA.

Can this be a malicius tentative of access ?

What commands can i put on my asa to check furtherly ?

Thank you in advance for your help.

Flavio Miranda · ‎10-18-2017

Hello @pugliededaniele88

Do you have VPN users on this ASA ? Do they use Domain credentials to access the VPN?

This can be the ASA validating Clients agains Domain database.

-If I helped you somehow, please, rate it as useful.-

pugliededaniele88 · ‎10-18-2017

@Flavio Miranda Hi,

thank you for your reply. Unfortunatelly there are no vpn user configured on this ASA.

Flavio Miranda · ‎10-18-2017

Is there any other service that could be using Domain credentials ?

Could you share the show running-config ?

-If I helped you somehow, please, rate it as useful.-

pugliededaniele88 · ‎10-25-2017

Hi,

I am sorry but i can't share the running config. The ASA is proprietary and belong to our customer. Anyway I don't see any service configured. In add this log messagges are not more present but I need to provide a reply to our customer and explain why there is this log.

Marvin Rhoads · ‎10-25-2017

The ASA might be setup with AD Agent or the successor CDA (Context Directory Agent) whereby it is querying AD automatically to try to get username-IP address mapping. If the credential used in such a setup are expired or otherwise invalid that would cause such a symptom.

Given the frequency of messages it is almost certainly some process that is machine- or script-based.

pugliededaniele88 · ‎10-26-2017

what specific commands I can put in to understand if there is thi type of service ?

thanks

Daniele.

Marvin Rhoads · ‎10-26-2017

I'd look at the configuration for AAA server(s), i.e. "show run aaa-server". You could also search the ASA configuration for any instance of the server's IP address.

If none of that helps, you could capture traffic from the ASA destined for the address of the server that is getting the log messages. Open the packets and see what's going on there.

pugliededaniele88 · ‎10-26-2017

@Marvin Rhoads

With the command show run aaa-server I don't have any output.

I can attempt to do a packet capture from asa to the IP address to the server.

If I will do a capture as source host have I to set the ASA's inside interface ?

Example:

access-list 10 permit ip interface inside host 192.168.20.201 (server log)

capture TEST interface inside match access-lists 10

thank you

Marvin Rhoads · ‎10-26-2017

That capture command stanza should work.

pugliededaniele88 · ‎11-08-2017

Hi all,

i did a packet capture about the issue descripted in subject.

   5: 22:15:28.472006 a44c.11bb.4588 0023.335e.914b 0x8100 118: 802.1Q vlan#1 P0 192.168.0.252 > 192.168.20.201: icmp: echo request (ttl 255, id 23993)
0x0000   0001 0800 4500 0064 5db9 0000 ff01 c6c9        ....E..d].......
0x0010   c0a8 00fc c0a8 14c9 0800 4d8b 2077 6111        ..........M. wa.
0x0020   abcd abcd abcd abcd abcd abcd abcd abcd        ................
0x0030   abcd abcd abcd abcd abcd abcd abcd abcd        ................
0x0040   abcd abcd abcd abcd abcd abcd abcd abcd        ................
0x0050   abcd abcd abcd abcd abcd abcd abcd abcd        ................
0x0060   abcd abcd abcd abcd                            ........
   6: 00:56:28.512867 a44c.11bb.4588 0023.335e.914b 0x8100 69: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 23 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 0033 0000 4000 3411 afa4        ....E..3..@.4...
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 001f f73a        ........<..o...:
0x0020   0600 ff07 0000 0000 0000 0000 0009 2018        .............. .
0x0030   c881 f838 8e02 bf                              ...8...
   7: 00:56:29.068859 a44c.11bb.4588 0023.335e.914b 0x8100 94: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 48 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 004c 0000 4000 3411 af8b        ....E..L..@.4...
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0038 1cb3        ........<..o.8..
0x0020   0600 ff07 0610 0000 0000 0000 0000 2000        .............. .
0x0030   d002 0000 f368 18a1 0000 0008 0100 0000        .....h..........
0x0040   0100 0008 0100 0000 0200 0008 0100 0000        ................
   8: 00:56:29.594955 a44c.11bb.4588 0023.335e.914b 0x8100 96: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 50 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 004e 0000 4000 3411 af89        ....E..N..@.4...
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 003a 7e89        ........<..o.:~.
0x0020   0600 ff07 0612 0000 0000 0000 0000 2200        ..............".
0x0030   d100 0000 00fb 0003 7ff1 dbe7 f491 4b67        ..............Kg
0x0040   36b1 8c54 33c4 23bd 1200 0006 5553 4552        6..T3.#.....USER
0x0050   4944                                           ID
   9: 00:56:30.197346 a44c.11bb.4588 0023.335e.914b 0x8100 90: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 44 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 0048 0000 4000 3411 af8f        ....E..H..@.4...
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0034 6957        ........<..o.4iW
0x0020   0600 ff07 0614 0000 0000 0000 0000 1c00        ................
0x0030   d200 0000 00fb 0003 f62c 2fb0 dc3e d283        .........,/..>..
0x0040   d073 9f1c 27ad 79c9 e703 f9da                  .s..'.y.....
10: 00:56:30.794880 a44c.11bb.4588 0023.335e.914b 0x8100 110: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 64 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 005c 0000 4000 3411 af7b        ....E..\..@.4..{
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0048 d0e4        ........<..o.H..
0x0020   0600 ff07 06c0 00fb 0003 0100 0000 2000        .............. .
0x0030   6884 66a6 8126 fdb5 6ef4 8b1b b56f 3c9f        h.f..&..n....o<.
0x0040   e2f7 85ad f2d6 c916 122d 4ec2 ac88 dcb8        .........-N.....
0x0050   ffff 0207 dfc8 3f76 d428 c57a a273 84dd        ......?v.(.z.s..
11: 00:56:31.431297 a44c.11bb.4588 0023.335e.914b 0x8100 110: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 64 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 005c 0000 4000 3411 af7b        ....E..\..@.4..{
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0048 b7e4        ........<..o.H..
0x0020   0600 ff07 06c0 00fb 0003 0200 0000 2000        .............. .
0x0030   5f6d cbc8 bfac 300b 6d41 ad14 88c3 7eef        _m....0.mA....~.
0x0040   df8f 666f 3fb3 2e05 e5ba 6d48 26a2 c240        ..fo?.....mH&..@
0x0050   ffff 0207 87d1 fd2b 483a e66b abbe b526        .......+H:.k...&
12: 00:56:32.061718 a44c.11bb.4588 0023.335e.914b 0x8100 110: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 64 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 005c 0000 4000 3411 af7b        ....E..\..@.4..{
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0048 3b6b        ........<..o.H;k
0x0020   0600 ff07 06c0 00fb 0003 0300 0000 2000        .............. .
0x0030   c34c 59be b6ce d2ab c0e8 8ec8 6b18 c907        .LY.........k...
0x0040   0499 bb06 3bb7 636f 6949 b121 c5b5 5ba1        ....;.coiI.!..[.
0x0050   ffff 0207 13ce b40c d8b8 c25a 042b 909e        ...........Z.+..
13: 00:56:32.697504 a44c.11bb.4588 0023.335e.914b 0x8100 110: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 64 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 005c 0000 4000 3411 af7b        ....E..\..@.4..{
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0048 0779        ........<..o.H.y
0x0020   0600 ff07 06c0 00fb 0003 0400 0000 2000        .............. .
0x0030   24d4 1dce 9c2e 69a0 2e70 169f 2e72 7dc2        $.....i..p...r}.
0x0040   9ee1 d90a 4cd2 a622 d918 7279 14e4 1b27        ....L.."..ry...'
0x0050   ffff 0207 561a 1fb9 c8f2 423f 09fa 4456        ....V.....B?..DV
14: 00:56:33.362667 a44c.11bb.4588 0023.335e.914b 0x8100 110: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 64 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 005c 0000 4000 3411 af7b        ....E..\..@.4..{
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0048 83df        ........<..o.H..
0x0020   0600 ff07 06c0 00fb 0003 0500 0000 2000        .............. .
0x0030   2c54 88c6 7199 fdcb 86b2 72e7 2310 6802        ,T..q.....r.#.h.
0x0040   bc69 18a0 8653 4d41 3164 4140 a35c 2bc6        .i...SMA1dA@.\+.
0x0050   ffff 0207 1201 952b f451 2fdf d225 410d        .......+.Q/..%A.
15: 00:56:34.039731 a44c.11bb.4588 0023.335e.914b 0x8100 110: 802.1Q vlan#1 P0 192.168.0.252.15369 > 192.168.20.201.623: [udp sum ok] udp 64 (DF) (ttl 52, id 0)
0x0000   0001 0800 4500 005c 0000 4000 3411 af7b        ....E..\..@.4..{
0x0010   c0a8 00fc c0a8 14c9 3c09 026f 0048 d2bd        ........<..o.H..
0x0020   0600 ff07 06c0 00fb 0003 0600 0000 2000        .............. .
0x0030   b85f f6ae 550c 01cd 1c10 5a1d f5f5 a8aa        ._..U.....Z.....
0x0040   0a3d 6a69 c5fb 4ee4 ae3c d808 65a5 bc62        .=ji..N..<..e..b
0x0050   ffff 0207 8dbd a6ba 7d32 e47a b1f8 8d9c        ........}2.z....

Do you have any idea about the port udp 64 that compare in the output ?

Thank you,

Daniele.