Recently I noticed in my extranet PIX 515E, from the output of the "show conn protocol udp" command, a number of unknown UDP connections that were initiated from the ISA Proxy Server (inside). All outbound traffic is routed through this server. The outside PIX interface is connected to the Internet-facing router's FastEthernet interface. There is an inbound access list attached to the Internet router's serial interface (the connection to the ISP) that permits only inbound SMTP and web traffic, as well as replies to connections initiated from inside, and discards all other traffic. There are also two ACEs that permit UDP packets with source port greater than 1024 and destination port greater than 1024, and discard UDP packets with source port less than 1024 and destination port greater than 1024.
As you can see in the attached .txt file, there are several UDP connections with flags dD. What kind of connections are these? And why do some of those UDP connections with source port less than 1024 exist and pass the router's access list?
Any reply will be appreciated!!!
Thanks in advance and kind regards!
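An added example, not part of the original post, that works through the ACL question above on constructed data. It parses lines in the PIX 6.x "show conn protocol udp" layout (the sample lines, addresses and flags below are made up, not the poster's attached file) and then applies the two UDP ACEs exactly as the post describes them to the reply packet of each connection. The point it makes: the port the PIX lists as the inside ("in") side of a conn is the destination port of the reply the router's inbound ACL sees, and the outside peer's port is that reply's source port, so the "gt 1024 / lt 1024" tests are matched against the peer's port, not the inside host's. Connections whose inside port is below 1024, or exactly 1024, match neither ACE and fall through to whatever else is in the ACL, which this example does not model (only the two ACEs from the post are encoded). The conn table itself is populated by the outbound packet, so an entry existing does not by itself prove the reply got through the router.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the PIX 6.x "show conn protocol udp" layout.
# These lines are made up for the example; they are not the poster's file.
SAMPLE_SHOW_CONN = """\
UDP out 203.0.113.10:53 in 192.168.1.5:1045 idle 0:00:02 flags dD
UDP out 203.0.113.10:53 in 192.168.1.5:53 idle 0:00:01 flags dD
UDP out 198.51.100.7:1900 in 192.168.1.5:1024 idle 0:00:10 flags d
UDP out 198.51.100.7:4000 in 192.168.1.5:2100 idle 0:00:10 flags d
UDP out 198.51.100.9:123 in 192.168.1.5:123 idle 0:00:05 flags -
"""

CONN_RE = re.compile(
    r"^UDP out (?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r" in (?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r" idle (?P<idle>\S+) flags (?P<flags>\S+)$"
)


@dataclass
class UdpConn:
    out_ip: str
    out_port: int   # outside peer's port: SOURCE port of the reply packet
    in_ip: str
    in_port: int    # inside host's port: DESTINATION port of the reply packet
    idle: str
    flags: str


def parse_show_conn(text):
    """Return one UdpConn per parseable 'UDP out ... in ...' line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(UdpConn(m["out_ip"], int(m["out_port"]),
                                 m["in_ip"], int(m["in_port"]),
                                 m["idle"], m["flags"]))
    return conns


def classify_reply(src_port, dst_port):
    """Apply the two UDP ACEs from the post to an inbound (outside -> inside)
    packet. IOS 'gt' and 'lt' are strict, so 1024 itself matches neither."""
    if src_port > 1024 and dst_port > 1024:
        return "permit"
    if src_port < 1024 and dst_port > 1024:
        return "deny"
    return "no match"   # falls through to the remaining ACL entries


def evaluate_reply_path(conn):
    """The reply to an inside-initiated conn has src = outside peer's port
    and dst = inside host's port, so that is the order the ACL tests."""
    return classify_reply(conn.out_port, conn.in_port)


def low_inside_port_conns(text):
    """Conns whose inside port is below 1024 (the ones the post asks about)."""
    return [c for c in parse_show_conn(text) if c.in_port < 1024]


def report(text):
    """(inside port, outside port, flags, ACE verdict for the reply) per conn."""
    return [(c.in_port, c.out_port, c.flags, evaluate_reply_path(c))
            for c in parse_show_conn(text)]


if __name__ == "__main__":
    for in_port, out_port, flags, verdict in report(SAMPLE_SHOW_CONN):
        print(f"reply src={out_port:<5} dst={in_port:<5} flags={flags:<3} -> {verdict}")
```

Running it on the sample shows that a reply from a peer's port 53 to an inside port above 1024 hits the deny ACE, while replies to inside ports 53, 123 and 1024 match neither ACE and are decided by the rest of the list; only the 4000 to 2100 pair is permitted by the first ACE. Feeding the real "show conn" text to `report()` gives the same breakdown for the poster's table.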