stop conn

Answered Question
Sep 9th, 2008
User Badges:

Hello,


I have PIX-515E with version 6.3(4). I saw an IP address is hacking my web server in DMZ on port 80. I deny the ip address on my outside access-list. But when I do "sh conn | i x.x.x.x", I am still seeing that ip address. Could anyone tell me how to stop that.


thanks,

Gene

Correct Answer by suschoud about 8 years 7 months ago

The way ASA processes traffic,it first looks at any existing connection.If there is one,traffic is directly sent without the acl check.So,if acl is added afterwards and a connection entry is already in place,you would need to get rid of the existing connection.Afterwards,acl check would be taken into the consideration again.



For your reference,here is what asa checks and in what order:



Legends:


1. Recieve Packet.

2. Existing Connection?

3. Permit by Inbound ACL on interface?

4. Match translation rule (nat, static).

5. NAT embedded IP and perform security checks / randomize sequence number.

6. NAT IP header.

7. Pass packet to outgoing interface.

8. Layer 3 route lookup?

9. Layer 2 next hop?

10. Transmit packet.





NAT ORDER OF OPERATIONS


The rules are tried in order.


1) nat 0 access-list (nat-exempt)

2) match against existing xlates

3) static

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

4) nat

a) nat access-list (first match)

Note: nat 0 access-list is not part of this command.

b) nat (best match)

Note: When choosing a global address from multiple pools with

the same nat id, the following order is tried

i) if the id is 0, create an identity xlate.

ii) use the global pool for dynamic NAT

iii) use the global pool for dynamic PAT

5) Error



nat (inside) 0

Nat 0 has two affects


1. nat (inside) 0 access-list 101 This works exaclty the same way as static, except bypasses NAT. It does not require the connection to be initiated from the Higher Security Inteface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface

2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.


Regards,

Sushil


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
suschoud Tue, 09/09/2008 - 09:00
User Badges:
  • Gold, 750 points or more

cl local-host

cl xlate global



Regards,

Sushil



gpan667788 Tue, 09/09/2008 - 09:10
User Badges:

Thanks Sushil! Could you tell me why ACL deny statement on the outside interface did not take care of the problem right the way?


Gene

Correct Answer
suschoud Tue, 09/09/2008 - 09:59
User Badges:
  • Gold, 750 points or more

The way ASA processes traffic,it first looks at any existing connection.If there is one,traffic is directly sent without the acl check.So,if acl is added afterwards and a connection entry is already in place,you would need to get rid of the existing connection.Afterwards,acl check would be taken into the consideration again.



For your reference,here is what asa checks and in what order:



Legends:


1. Recieve Packet.

2. Existing Connection?

3. Permit by Inbound ACL on interface?

4. Match translation rule (nat, static).

5. NAT embedded IP and perform security checks / randomize sequence number.

6. NAT IP header.

7. Pass packet to outgoing interface.

8. Layer 3 route lookup?

9. Layer 2 next hop?

10. Transmit packet.





NAT ORDER OF OPERATIONS


The rules are tried in order.


1) nat 0 access-list (nat-exempt)

2) match against existing xlates

3) static

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

4) nat

a) nat access-list (first match)

Note: nat 0 access-list is not part of this command.

b) nat (best match)

Note: When choosing a global address from multiple pools with

the same nat id, the following order is tried

i) if the id is 0, create an identity xlate.

ii) use the global pool for dynamic NAT

iii) use the global pool for dynamic PAT

5) Error



nat (inside) 0

Nat 0 has two affects


1. nat (inside) 0 access-list 101 This works exaclty the same way as static, except bypasses NAT. It does not require the connection to be initiated from the Higher Security Inteface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface

2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.


Regards,

Sushil


Ivast Thu, 09/11/2008 - 00:48
User Badges:

Right way is use "shun" command, not the access-list.

Actions

This Discussion