06-15-2005 11:59 AM - edited 03-09-2019 11:35 AM
All of our PIXes are set up with a PAT address for outbound web surfing. By default, we allow destination ports TCP 80 and 443 outbound (DNS is handled by an internal server). There are no related ports allowed inbound, as the return traffic should be allowed through because the sessions are initiated from the inside.
I just did an analysis of our firewall 'denies' and found that nearly 50% of our denied traffic is coming from the internet to our PAT address on source port 80 or 443. I looked at some of the source addresses and they appear to be legitimate.
Is it necessary / risky to open source ports 80 and 443 from the internet to our inside network?
Example of a block to our PAT address (x.x.x.x):
%PIX-4-106023: Deny tcp src outside:208.185.174.65/443 dst inside:x.x.x.x/56699 by access-group "acl_mdc_outside_access_1"
06-15-2005 04:54 PM
No, it is not necessary, and it is not required to open up ports 80 and 443 from the internet to the inside.
The connections are initiated from inside, hence there must be a dynamic hole for the return traffic.
If there are too many denies and your service is interrupted, you should look above and beyond this error message. Maybe a translation was removed, or something else.
What is the PIX version?
thanks
Nadeem
06-16-2005 05:34 AM
Thanks for your thoughts, Nadeem.
These messages have not appeared to cause any issues, other than filling up my syslogs. But it is happening on all 25 PIXes that I manage. This is the first time I have been able to get a comprehensive report of all syslogs, and because it is happening on all of them I don't believe it is due to a recent change. They are all at 6.3(3).
In the samples I took, I had 96,000 total 'deny' syslog messages and 48,000 of them are inbound on source port 80 or 443. And I don't want to eliminate message 106023 from my syslogs.
Could it be an issue with all firewalls configured for about 100 users to share a single PAT address?
Thanks
Paul
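The analysis Paul describes (sorting 106023 denies by source port and checking how many are inbound to the PAT address from source port 80 or 443) can be scripted. The block below is an added example, not code from the thread or from Cisco: it parses the 106023 message format quoted above, flags denies that have the shape of return traffic for an outbound web session (TCP, source port 80/443, destination is the PAT address on a high port), and reports the share. The PAT address 192.0.2.10, the sample log lines, and the assumption that PAT uses ports 1024 and above are all constructed for the example.

```python
import re
from collections import Counter

# Regex for the %PIX-4-106023 deny message in the form quoted in the thread.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 1024  # assumption: the PAT address is only ever hit on high ports


def parse_deny(line):
    """Return a dict for a 106023 deny line, or None for any other syslog line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def looks_like_web_return(rec, pat_addr):
    """True when the deny has the shape of return traffic for an outbound
    web session: TCP, from port 80/443, to the PAT address on a high port."""
    return (rec["proto"] == "tcp"
            and rec["src_port"] in WEB_PORTS
            and rec["dst_ip"] == pat_addr
            and rec["dst_port"] >= EPHEMERAL_MIN)


def summarize(lines, pat_addr):
    """Count 106023 denies, how many match the web-return pattern, and the
    breakdown by source port so other noise (scans, DNS) stands out too."""
    total = 0
    web_return = 0
    by_src_port = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        total += 1
        by_src_port[rec["src_port"]] += 1
        if looks_like_web_return(rec, pat_addr):
            web_return += 1
    share = web_return / total if total else 0.0
    return {"total": total, "web_return": web_return, "share": share,
            "by_src_port": dict(by_src_port)}


# Constructed sample lines. The first mirrors the thread's example with a
# documentation address standing in for x.x.x.x; none of this is real log data.
PAT_ADDR = "192.0.2.10"
SAMPLE_LOGS = [
    '%PIX-4-106023: Deny tcp src outside:208.185.174.65/443 dst inside:192.0.2.10/56699 by access-group "acl_mdc_outside_access_1"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/80 dst inside:192.0.2.10/41022 by access-group "acl_mdc_outside_access_1"',
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/443 dst inside:192.0.2.10/41023 by access-group "acl_mdc_outside_access_1"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.9/3389 dst inside:192.0.2.10/3389 by access-group "acl_mdc_outside_access_1"',
    '%PIX-4-106023: Deny udp src outside:203.0.113.9/53 dst inside:192.0.2.10/33434 by access-group "acl_mdc_outside_access_1"',
    '%PIX-6-302014: Teardown TCP connection 1234 for outside:198.51.100.7/80 to inside:10.1.1.5/41022',
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOGS, PAT_ADDR)
    print(f"106023 denies: {result['total']}")
    print(f"web-return shaped: {result['web_return']} ({result['share']:.0%})")
    print("by source port:", result["by_src_port"])
```

Run it against an exported syslog file by replacing SAMPLE_LOGS with the file's lines. Denies that match the pattern but arrive well after the session ended are what Nadeem's "maybe a translation was removed" points at; anything on other source ports, or on low destination ports, is a different population and worth looking at separately.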