show conn entries starting with ESP

Unanswered Question
Mar 14th, 2010

Hello,


I have noticed that some entries in the show conn command output start with ESP, like the following:


    ESP outside 207.241.148.226 dmz internal-server, idle 0:00:00, bytes 0
    ESP outside 61.17.217.48 dmz internal-server, idle 0:00:01, bytes 0
    ESP outside 64.18.2.161 dmz internal-server, idle 0:00:01, bytes 0
    ESP outside 77.203.92.39 dmz internal-server, idle 0:00:04, bytes 0
    ESP outside 209.85.210.178 dmz internal-server, idle 0:00:04, bytes 0


What is the meaning of this output?



Dileep

Jon Marshall Mon, 03/15/2010 - 09:57

dileepsp123 wrote:


Hello,


I have noticed that some entries in the show conn command output start with ESP, like the following:


    ESP outside 207.241.148.226 dmz internal-server, idle 0:00:00, bytes 0
    ESP outside 61.17.217.48 dmz internal-server, idle 0:00:01, bytes 0
    ESP outside 64.18.2.161 dmz internal-server, idle 0:00:01, bytes 0
    ESP outside 77.203.92.39 dmz internal-server, idle 0:00:04, bytes 0
    ESP outside 209.85.210.178 dmz internal-server, idle 0:00:04, bytes 0


What is the meaning of this output?



Dileep


Dileep


ESP = Encapsulating Security Payload, which is used by IPsec for a VPN tunnel. Do you have VPN tunnels coming through your firewall?


Jon

Dileep Sivadas ... Mon, 03/15/2010 - 11:21

Hi Jon,


I made a mistake in the query; actually, this output was from the show local-host command.


Yes, we do have VPN tunnels terminated on the outside interface of the ASA.


This is the output of show local-host internal-server


    UDP outside 202.54.12.164:53 dmz internal-server:43944, idle 0:00:05, bytes 33, flags -
    UDP outside 202.54.12.164:53 dmz internal-server:54644, idle 0:00:14, bytes 33, flags -
    ESP outside 190.234.24.138 dmz internal-server, idle 0:00:45, bytes 0
    ESP outside 182.48.196.18 dmz internal-server, idle 0:00:55, bytes 0
    UDP outside 172.16.105.10:53 dmz internal-server:2038, idle 0:00:49, bytes 90, flags -
    UDP outside 172.20.105.10:53 dmz internal-server:21528, idle 0:01:01, bytes 79, flags -
    ESP outside 67.195.168.31 dmz internal-server, idle 0:01:10, bytes 0
    TCP outside 67.195.168.31:25 dmz internal-server:34865, idle 0:00:00, bytes 3415944, flags UIO
    ESP outside 65.182.191.221 dmz internal-server, idle 0:01:11, bytes 0
    ESP outside 117.97.23.226 dmz internal-server, idle 0:01:18, bytes 0
    ESP outside 69.63.178.191 dmz internal-server, idle 0:05:47, bytes 0
    ESP outside 203.99.41.130 dmz internal-server, idle 0:06:33, bytes 0
    ESP outside 188.168.78.190 dmz internal-server, idle 0:07:44, bytes 0
    ESP outside 117.97.108.106 dmz internal-server, idle 3:54:06, bytes 0
    TCP outside 190.234.24.138:28781 dmz internal-server:25, idle 0:00:42, bytes 330, flags UIOB
    TCP outside 182.48.196.18:1210 dmz internal-server:25, idle 0:00:35, bytes 335, flags UIOB
    TCP outside 117.97.23.226:57264 dmz internal-server:143, idle 0:00:49, bytes 29466, flags UIOB


The output shows the connection entries made to a DMZ mail server; you can see that some entries start with ESP and then connect to the actual TCP port.



Thanks


Dileep
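As an added example (not part of the thread and not Cisco code), a small Python parser for the `show local-host` lines Dileep posted: it groups entries by remote host so that the zero-byte ESP entries can be read against the TCP connections from the same peer, and uses the ASA conn flag B (initial SYN from outside) to tell inbound from outbound TCP. The sample input is a subset of Dileep's pasted output.

```python
import re
from collections import defaultdict

# A subset of the `show local-host internal-server` lines pasted in the thread.
SAMPLE = """\
UDP outside 202.54.12.164:53 dmz internal-server:43944, idle 0:00:05, bytes 33, flags -
    ESP outside 190.234.24.138 dmz internal-server, idle 0:00:45, bytes 0
    ESP outside 182.48.196.18 dmz internal-server, idle 0:00:55, bytes 0
    ESP outside 67.195.168.31 dmz internal-server, idle 0:01:10, bytes 0
    TCP outside 67.195.168.31:25 dmz internal-server:34865, idle 0:00:00, bytes 3415944, flags UIO
    ESP outside 117.97.23.226 dmz internal-server, idle 0:01:18, bytes 0
    ESP outside 117.97.108.106 dmz internal-server, idle 3:54:06, bytes 0
    TCP outside 190.234.24.138:28781 dmz internal-server:25, idle 0:00:42, bytes 330, flags UIOB
    TCP outside 182.48.196.18:1210 dmz internal-server:25, idle 0:00:35, bytes 335, flags UIOB
    TCP outside 117.97.23.226:57264 dmz internal-server:143, idle 0:00:49, bytes 29466, flags UIOB
"""

# One connection line: PROTO if addr[:port] if addr[:port], idle H:MM:SS, bytes N[, flags F]
ENTRY_RE = re.compile(
    r"^\s*(?P<proto>\S+)\s+\S+\s+(?P<remote>[^:\s]+)(?::(?P<rport>\d+))?\s+\S+\s+"
    r"(?P<local>[^:\s]+)(?::(?P<lport>\d+))?,\s+idle\s+(?P<idle>\d+:\d{2}:\d{2}),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?\s*$"
)

def parse_local_host(text):
    """Return one dict per parseable connection line; headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["bytes"] = int(e["bytes"])
            e["idle_s"] = sum(int(x) * k for x, k in zip(e["idle"].split(":"), (3600, 60, 1)))
            entries.append(e)
    return entries

def correlate_esp(entries):
    """Per remote host that has an ESP entry: ESP count, bytes carried, and its other conns.
    ASA conn flag B = initial SYN from outside, so a TCP conn without B was opened locally."""
    peers = defaultdict(lambda: {"esp": 0, "esp_bytes": 0, "conns": []})
    for e in entries:
        p = peers[e["remote"]]
        if e["proto"] == "ESP":
            p["esp"] += 1
            p["esp_bytes"] += e["bytes"]
        else:
            tag = (" inbound" if "B" in (e["flags"] or "") else " outbound") if e["proto"] == "TCP" else ""
            p["conns"].append(f'{e["proto"]} {e["rport"]}->{e["lport"]}{tag}')
    return {ip: p for ip, p in peers.items() if p["esp"]}
```

Running `correlate_esp(parse_local_host(SAMPLE))` shows four peers pairing a zero-byte ESP entry with an SMTP or IMAP connection, and one (117.97.108.106) with an ESP entry idle for almost four hours and no other connection at all.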
