10-14-2009 12:14 PM - edited 03-11-2019 09:26 AM
Dear all,
I found that one of my servers on the inside network has built a lot of connections to unknown outside hosts.
From that server, I saw the server itself keeps setting up TCP connections to outside hosts, and the destination port is 445. I think the server got a virus, but I don't know how this server got infected.
I tried to limit the maximum TCP connections to 100 in the NAT statement, but it doesn't help.
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 100 100
How can I prevent this issue, and what should I do in this situation? Thanks a lot.
TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.167:445 inside 192.168.1.63:2125, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.166:445 inside 192.168.1.63:2124, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.165:445 inside 192.168.1.63:2123, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.164:445 inside 192.168.1.63:2122, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.163:445 inside 192.168.1.63:2121, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.162:445 inside 192.168.1.63:2120, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.161:445 inside 192.168.1.63:2119, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.160:445 inside 192.168.1.63:2118, idle 0:00:27, bytes 0, flags saA
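The "show conn" lines quoted above carry everything needed to spot this pattern without waiting for an antivirus verdict: one inside host, many distinct destinations on port 445, sequential addresses, zero bytes and a half-open state on every entry. The following script is an added example (not from the original post or Cisco) that parses such output and flags hosts sweeping port 445. The sample lines are constructed to mirror the quoted format, with one extra uninfected host added for contrast; the threshold and the reading of the "U" flag as "handshake completed" are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the ASA "show conn" output quoted above.
# The first six lines copy the poster's pattern; the last three are an added
# uninfected host so the detector has something to ignore.
SAMPLE_CONN_OUTPUT = """\
TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.167:445 inside 192.168.1.63:2125, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.166:445 inside 192.168.1.63:2124, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.165:445 inside 192.168.1.63:2123, idle 0:00:27, bytes 0, flags saA
TCP outside 203.0.113.10:443 inside 192.168.1.20:51002, idle 0:00:03, bytes 18342, flags UIO
TCP outside 198.51.100.7:445 inside 192.168.1.20:51010, idle 0:00:12, bytes 4120, flags UIO
UDP outside 203.0.113.53:53 inside 192.168.1.20:51011, idle 0:00:01, bytes 96, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+outside\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"inside\s+(?P<src>[\d.]+):(?P<sport>\d+),\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


def parse_conns(text):
    """Parse 'show conn' lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        c = m.groupdict()
        for key in ("dport", "sport", "bytes"):
            c[key] = int(c[key])
        conns.append(c)
    return conns


def is_embryonic(conn):
    # Assumption: the ASA 'U' flag marks a connection whose handshake completed.
    # A TCP entry without it and with zero bytes is a SYN that got no usable reply.
    return conn["proto"] == "TCP" and conn["bytes"] == 0 and "U" not in conn["flags"]


def looks_sequential(dests):
    """True when the destinations form one contiguous address run (a sweep)."""
    ints = sorted(int(ipaddress.ip_address(d)) for d in dests)
    return len(ints) > 1 and ints[-1] - ints[0] == len(ints) - 1


def find_smb_scanners(text, port=445, threshold=5):
    """Return {inside_host: stats} for hosts with >= threshold distinct
    destinations on `port`. threshold=5 is an assumed tuning value."""
    per_host = defaultdict(lambda: {"total": 0, "embryonic": 0, "dests": set()})
    for c in parse_conns(text):
        if c["proto"] != "TCP" or c["dport"] != port:
            continue
        s = per_host[c["src"]]
        s["total"] += 1
        s["dests"].add(c["dst"])
        if is_embryonic(c):
            s["embryonic"] += 1
    report = {}
    for host, s in per_host.items():
        if len(s["dests"]) >= threshold:
            report[host] = {
                "total": s["total"],
                "embryonic": s["embryonic"],
                "distinct_dests": len(s["dests"]),
                "sequential_sweep": looks_sequential(s["dests"]),
            }
    return report


if __name__ == "__main__":
    for host, stats in find_smb_scanners(SAMPLE_CONN_OUTPUT).items():
        print(host, stats)
```

Run against a real capture by piping "show conn" output into `find_smb_scanners`; a host that shows up with a high embryonic ratio and a sequential sweep is the one to pull off the network, independent of whatever the NAT connection limit is doing.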
10-14-2009 01:22 PM
Add a line to the beginning of the ACL applied to the inside interface.
access-list inside_out ext deny tcp host 192.168.1.63 172.5.48.0 255.255.255.0
This will block all TCP communications from your server to the outside host.
10-15-2009 05:46 AM
The issue is that the destination IPs are always changing.
How come the maximum TCP connection limit doesn't take effect?
Thank you.
10-19-2009 07:06 AM
How come the packets are still going through the ASA when I remove the NAT for every inside host?
After applying an ACL on port 445 on the inside interface, it stopped going out.
10-19-2009 07:09 AM
Post your NAT config please.
10-19-2009 07:26 AM
Hi Collin,
The NAT config is pretty normal, as follows:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 500 300
nat (inside) 1 192.168.1.63 255.255.255.255 tcp 100 100 udp 100
All the hosts on the inside network can access the Internet (outside).
I added the TCP connection limit, but it didn't help. When I remove all the NAT settings, the packets from the malware are still going out.
Thanks.
10-19-2009 07:31 AM
If the connection was already established when you removed the NAT statements, it would have to wait until the timeout. As for the limiting, were you hitting 100?
10-19-2009 08:19 AM
Yes, the connections from the infected server had reached more than 500 (roughly 30 packets per second).
I did a test to block destination port 445 on the outside interface. The packets were still hitting the outside interface and were blocked there.
I don't understand how it works.
10-19-2009 08:21 AM
Can you post your access-group (show run | i access-group) config? I think it might be applied either on the wrong interface or in the wrong direction.
10-19-2009 08:42 AM
The current ACL is as below and works fine.
access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445
access-list Inside-out extended permit ip any any
access-group Inside-out in interface inside
The ACL for the test is as follows:
access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445 (didn't get any hits)
access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445
access-list Inside-out extended permit ip any any
access-group Inside-out out interface outside
Thanks a lot.
10-19-2009 11:07 AM
I suspect the second one is not being blocked because of NAT.
10-19-2009 11:39 AM
Yes, you are right. The 2nd one got hits at
access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445
But this way didn't reduce the connection count on the firewall.
The ACL is OK now. I just don't understand why the packets are still going through even when I removed the NAT settings. I am sure I stopped it for more than 10 minutes and new connections were still being set up.
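The two ACL placements tried in this thread behave differently for one reason: an ACL applied "in" on the inside interface is checked against the host's real address, while an ACL applied "out" on the outside interface is checked after PAT has rewritten the source to the outside interface address. That is why the `host 192.168.5.63` entry on the outside interface never got a hit and the `host "Outside interface ip's"` entry did. The script below is an added example (not from the thread or Cisco) that models that ordering with the thread's own two ACLs and shows the side effect a practitioner should expect: because every inside host is PATed to the same address, the outside-interface deny blocks port 445 for all of them, not just the infected server. The outside interface IP, the uninfected host and the "PAT before egress ACL" ordering itself are assumptions, the last one chosen to match what the posters observed.

```python
from collections import Counter

ASA_OUTSIDE_IP = "203.0.113.1"   # assumption: stands in for "Outside interface ip's"
INFECTED_HOST = "192.168.5.63"   # the host named in the thread's ACL
CLEAN_HOST = "192.168.5.20"      # constructed: an uninfected inside host


def ace(action, src, dport=None):
    """One access-list entry: src is 'any' or 'host A.B.C.D'; dport None means any port."""
    return {"action": action, "src": src, "dport": dport}


# The working ACL from the thread, applied "in" on the inside interface.
INSIDE_IN = [
    ace("deny", f"host {INFECTED_HOST}", 445),
    ace("permit", "any"),
]

# The test ACL from the thread, applied "out" on the outside interface.
OUTSIDE_OUT = [
    ace("deny", f"host {INFECTED_HOST}", 445),
    ace("deny", f"host {ASA_OUTSIDE_IP}", 445),
    ace("permit", "any"),
]


def ace_matches(entry, src_ip, dport):
    src_ok = entry["src"] == "any" or entry["src"] == f"host {src_ip}"
    port_ok = entry["dport"] is None or entry["dport"] == dport
    return src_ok and port_ok


def evaluate(acl, src_ip, dport, hits):
    """First-match evaluation with an implicit deny; records the matching ACE index in hits."""
    for i, entry in enumerate(acl):
        if ace_matches(entry, src_ip, dport):
            hits[i] += 1
            return entry["action"]
    return "deny"


def pat(src_ip):
    """Model of 'global (outside) 1 interface': every inside host leaves as the outside IP."""
    return ASA_OUTSIDE_IP


def send(src_ip, dport, placement, hits):
    """Verdict for an inside-to-outside packet under one ACL placement.
    Assumption (matches the thread's observation): the inside-in ACL sees the
    untranslated source, the outside-out ACL sees the source after PAT."""
    if placement == "inside-in":
        return evaluate(INSIDE_IN, src_ip, dport, hits)
    if placement == "outside-out":
        return evaluate(OUTSIDE_OUT, pat(src_ip), dport, hits)
    raise ValueError(placement)


def compare():
    """Run the same three packets through both placements; return verdicts and ACE hit counts."""
    results = {}
    for placement in ("inside-in", "outside-out"):
        hits = Counter()
        verdicts = {
            "infected_445": send(INFECTED_HOST, 445, placement, hits),
            "clean_445": send(CLEAN_HOST, 445, placement, hits),
            "clean_443": send(CLEAN_HOST, 443, placement, hits),
        }
        results[placement] = {"verdicts": verdicts, "hits": dict(hits)}
    return results


if __name__ == "__main__":
    for placement, r in compare().items():
        print(placement, r)
```

In the model the first ACE of the outside-out ACL never accumulates a hit, exactly as reported for the test ACL, while the clean host also loses port 445 under that placement. The inside-in placement is the one that isolates the single infected host.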