10-14-2009 12:14 PM - edited 03-11-2019 09:26 AM
Dear all,
I found that one of my servers on the inside network has built a lot of connections to unknown outside hosts.
From that server, I saw the server itself keeps setting up TCP connections to outside hosts, and the destination port is 445. I think the server got a virus, but I don't know how this server got infected.
I tried to limit the maximum TCP connections to 100 in the NAT statement, but it doesn't help.
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 100 100
How can I prevent this issue, and what should I do in this situation? Thanks a lot.
TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.167:445 inside 192.168.1.63:2125, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.166:445 inside 192.168.1.63:2124, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.165:445 inside 192.168.1.63:2123, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.164:445 inside 192.168.1.63:2122, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.163:445 inside 192.168.1.63:2121, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.162:445 inside 192.168.1.63:2120, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.161:445 inside 192.168.1.63:2119, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.160:445 inside 192.168.1.63:2118, idle 0:00:27, bytes 0, flags saA
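The conn table above has the shape of an outbound sweep: every entry is from the same inside host, to port 445, with bytes 0 and flags saA (SYN sent, no reply yet), and the destination addresses step through 172.5.48.160 to .170 one at a time. The script below is an added example, not part of the thread, that parses `show conn` lines in exactly that format and flags inside hosts with many half-open, zero-byte connections to one port across consecutive destinations. The sample table is constructed: it reuses the eleven posted lines and adds two made-up legitimate entries (198.51.100.10 and 203.0.113.7 are documentation addresses) so the filter has something to ignore.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# One line of ASA 'show conn' output, in the format posted in the thread:
#   TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<o_if>\S+)\s+(?P<o_ip>[\d.]+):(?P<o_port>\d+)\s+"
    r"(?P<i_if>\S+)\s+(?P<i_ip>[\d.]+):(?P<i_port>\d+),?\s+idle\s+(?P<idle>[\d:]+),?\s+"
    r"bytes\s+(?P<bytes>\d+),?\s+flags\s+(?P<flags>\S*)$"
)


def parse_conn_line(line):
    """Return a dict for one conn-table line, or None if the line is not a conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    for k in ("o_port", "i_port", "bytes"):
        c[k] = int(c[k])
    return c


def is_embryonic(conn):
    # The ASA sets the 'U' flag once the TCP handshake has completed; a TCP conn
    # without it (e.g. flags 'saA') is still half-open: the SYN went out, nothing came back.
    return conn["proto"] == "TCP" and "U" not in conn["flags"]


def find_scanners(lines, port=445, min_conns=5):
    """Group half-open, zero-byte conns to `port` by inside host and flag hosts that
    look like they are sweeping: many such conns, spread over consecutive addresses."""
    per_host = defaultdict(list)
    for line in lines:
        c = parse_conn_line(line)
        if c and c["o_port"] == port and c["bytes"] == 0 and is_embryonic(c):
            per_host[c["i_ip"]].append(c)

    report = {}
    for host, conns in per_host.items():
        if len(conns) < min_conns:
            continue
        dsts = sorted({ip_address(c["o_ip"]) for c in conns})
        # count adjacent destination pairs that differ by exactly one address
        sequential = sum(1 for a, b in zip(dsts, dsts[1:]) if int(b) - int(a) == 1)
        report[host] = {
            "half_open": len(conns),
            "distinct_dsts": len(dsts),
            "sequential_pairs": sequential,
            # a sweep: most of the gaps between destinations are exactly one address
            "sweep": len(dsts) > 1 and sequential >= 0.8 * (len(dsts) - 1),
        }
    return report


# Constructed sample: the eleven lines posted in the thread, plus two legitimate
# connections (an established HTTPS session and a single SMB attempt) made up here
# with documentation addresses so the filter has something to ignore.
SAMPLE_CONN_TABLE = [
    "TCP outside 198.51.100.10:443 inside 192.168.1.20:3350, idle 0:00:02, bytes 18234, flags UIO",
    "TCP outside 203.0.113.7:445 inside 192.168.1.40:3401, idle 0:00:01, bytes 0, flags saA",
] + [
    f"TCP outside 172.5.48.{170 - n}:445 inside 192.168.1.63:{2128 - n}, idle 0:00:27, bytes 0, flags saA"
    for n in range(11)
]

if __name__ == "__main__":
    for host, info in find_scanners(SAMPLE_CONN_TABLE).items():
        print(host, info)
```

Run it against a saved `show conn` dump (one entry per line) instead of SAMPLE_CONN_TABLE; the `min_conns` threshold is the knob to tune for your environment, since a single half-open SMB attempt is normal and a dozen to consecutive addresses is not.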
10-14-2009 01:22 PM
Add a line to the beginning of the ACL applied to the inside interface.
access-list inside_out ext deny tcp host 192.168.1.63 172.5.48.0 255.255.255.0
This will block all TCP communications from your server to the outside host.
10-15-2009 05:46 AM
The issue is that the destination IPs are always changing.
How come the maximum TCP connection limit doesn't take effect?
Thank you.
10-19-2009 07:06 AM
How come the packets are still going through the ASA when I remove the NAT for every inside host?
After applying an ACL on port 445 on the inside interface, it stopped going out.
10-19-2009 07:09 AM
Post your NAT config please.
10-19-2009 07:26 AM
Hi Collin,
The NAT config is pretty normal, as follows:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 500 300
nat (inside) 1 192.168.1.63 255.255.255.255 tcp 100 100 udp 100
All the hosts on the inside network can access the Internet (outside).
I added the TCP connection limit, but it didn't help. When I remove all the NAT settings, the packets from the malware are still going out.
Thanks.
10-19-2009 07:31 AM
If the connection was already established when you removed the NAT statements, it would have to wait until the timeout. As far as the limiting, were you hitting 100?
10-19-2009 08:19 AM
Yes, the connections from the infected server had reached more than 500 (roughly 30 packets per second).
I did a test to block destination port 445 on the outside interface. The packets were still hitting the outside interface and were blocked there.
I don't understand how it works.
10-19-2009 08:21 AM
Can you post your access-group (show run | i access-group) config? I think it might be applied either on the wrong interface or in the wrong direction.
10-19-2009 08:42 AM
The current ACL is as below and works fine.
access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445
access-list Inside-out extended permit ip any any
access-group Inside-out in interface inside
The ACL for the test is as follows:
access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445 (didn't get any hits)
access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445
access-list Inside-out extended permit ip any any
access-group Inside-out out interface outside
Thanks a lot.
10-19-2009 11:07 AM
I suspect the second one is not being blocked because of NAT.
10-19-2009 11:39 AM
Yes, you are right. The 2nd one got the hit at
access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445
But this way didn't reduce the connection count on the firewall.
The ACL is OK now. I just don't understand why the packets are going through even though I removed the NAT setting. I am sure I stopped it for more than 10 minutes, and new connections were still being set up.
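The two ACL results above (no hits on the real address when the list is applied outbound on the outside interface, hits on the outside interface address) come down to the order in which the ASA applies policy. The following is an added model, written for this page and not Cisco code, of that order for an inside-to-outside packet on the 8.0/8.2-style configuration in the thread: the ACL applied `in` on the inside interface is matched on the packet's real source address, NAT is applied next, and an ACL applied `out` on the outside interface is matched on the translated address. The model also encodes `nat-control`, which is off by default on ASA code: with it off, a packet matching no `nat` statement is forwarded untranslated, so the per-host limits on a `nat` statement apply only to flows that match that statement. The outside interface address 203.0.113.1 is assumed (a documentation address; the thread never gives it), and the host address is the one from the posted conn table.

```python
from ipaddress import ip_address, ip_network

# Model (added here, not ASA code) of the order in which an ASA with the thread's
# 8.0/8.2-style config applies policy to an inside->outside packet:
#   1. ACL applied "in" on the inside interface, matched on the REAL source address
#   2. NAT (nat/global pair), if a nat statement matches the real source
#   3. ACL applied "out" on the outside interface, matched on the MAPPED source address
# An interface with no access-group permits the higher-to-lower security flow.

OUTSIDE_IF_IP = "203.0.113.1"  # assumed address behind 'global (outside) 1 interface' (constructed)
HOST = "192.168.1.63"          # the inside host from the posted conn table


def ace(action, proto, src, dst, dport=None):
    """One access-list entry; 'any' is 0.0.0.0/0, 'host X' is X/32."""
    return {"action": action, "proto": proto, "src": ip_network(src),
            "dst": ip_network(dst), "dport": dport}


def acl_lookup(acl, pkt):
    """First-match lookup. Returns (action, index); no match is the implicit deny."""
    if acl is None:  # no access-group on this interface/direction
        return "permit", None
    for i, e in enumerate(acl):
        if e["proto"] not in (pkt["proto"], "ip"):
            continue
        if ip_address(pkt["src"]) not in e["src"] or ip_address(pkt["dst"]) not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != pkt["dport"]:
            continue
        return e["action"], i
    return "deny", None


def translate(pkt, nat_rules, nat_control):
    """Apply the first nat statement whose real network contains the source.
    With nat-control off (the ASA default) an unmatched packet is still forwarded."""
    for rule in nat_rules:
        if ip_address(pkt["src"]) in rule["real"]:
            return dict(pkt, src=rule["mapped"])
    return None if nat_control else pkt


def forward(pkt, inside_in_acl, nat_rules, outside_out_acl, nat_control=False):
    """Return ('forwarded'|'dropped', trace) where trace records each decision point."""
    trace = []
    act, idx = acl_lookup(inside_in_acl, pkt)
    trace.append(("inside in", act, idx))
    if act == "deny":
        return "dropped", trace
    xlated = translate(pkt, nat_rules, nat_control)
    trace.append(("nat", xlated["src"] if xlated else "no xlate"))
    if xlated is None:
        return "dropped", trace
    act, idx = acl_lookup(outside_out_acl, xlated)
    trace.append(("outside out", act, idx))
    return ("forwarded" if act == "permit" else "dropped"), trace


# One of the worm's SYNs from the conn table in the thread
SMB_SYN = {"proto": "tcp", "src": HOST, "dst": "172.5.48.170", "dport": 445}

# nat (inside) 1 0.0.0.0 0.0.0.0 with global (outside) 1 interface, as posted
NAT = [{"real": ip_network("0.0.0.0/0"), "mapped": OUTSIDE_IF_IP}]

# The ACL that worked: applied 'in' on inside, so it sees the real address
WORKING_INSIDE_IN = [ace("deny", "tcp", HOST + "/32", "0.0.0.0/0", 445),
                     ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]

# The test ACL: applied 'out' on outside, evaluated after NAT
TEST_OUTSIDE_OUT = [ace("deny", "tcp", HOST + "/32", "0.0.0.0/0", 445),           # never hit
                    ace("deny", "tcp", OUTSIDE_IF_IP + "/32", "0.0.0.0/0", 445),  # hit
                    ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]

if __name__ == "__main__":
    print(forward(SMB_SYN, WORKING_INSIDE_IN, NAT, None))
    print(forward(SMB_SYN, None, NAT, TEST_OUTSIDE_OUT))
    print(forward(SMB_SYN, None, [], None))                    # nat removed, nat-control off
    print(forward(SMB_SYN, None, [], None, nat_control=True))  # nat removed, nat-control on
```

The last two calls are the case asked about in the thread: with the `nat` statements removed, the model forwards the SYN untranslated unless `nat-control` is enabled, which is why an inbound ACL on the inside interface (or a `nat` statement that the host actually matches) is the place to put the containment.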