Cisco Support Community
New Member

Disturbing Traffic from ASA

We have an ASA that has a private IP on the outside interface (10.10.50.2), and it's NATed to a public IP at the Internet router. While troubleshooting a problem, we looked at the NAT translations at the Internet router and saw the following for the ASA:

tcp x.x.x.251:443    10.10.50.2:443        68.12.177.70:59888    68.12.177.70:59888
tcp x.x.x.251:443    10.10.50.2:443        68.97.191.176:58769   68.97.191.176:58769
tcp x.x.x.251:443    10.10.50.2:443        72.215.13.144:1660    72.215.13.144:1660
udp x.x.x.251:443    10.10.50.2:443        68.97.191.176:63761   68.97.191.176:63761
tcp x.x.x.251:25941  10.10.50.2:25941      64.111.111.113:80     64.111.111.113:80
tcp x.x.x.251:27288  10.10.50.2:27288      69.25.100.185:1973    69.25.100.185:1973
tcp x.x.x.251:39315  10.10.50.2:39315      69.25.100.186:1973    69.25.100.186:1973
tcp x.x.x.251:46456  10.10.50.2:46456      69.25.100.186:1973    69.25.100.186:1973
tcp x.x.x.251:57384  10.10.50.2:57384      64.111.111.113:80     64.111.111.113:80
tcp x.x.x.251:60003  10.10.50.2:60003      64.111.111.113:80     64.111.111.113:80
tcp x.x.x.251:60623  10.10.50.2:60623      69.25.100.185:1973    69.25.100.185:1973
tcp x.x.x.251:63408  10.10.50.2:63408      69.25.100.186:1973    69.25.100.186:1973

The ASA accepts SSL VPN connections, so traffic to 443 on the ASA is understandable. However, no outbound traffic is NATed to the outside interface of the ASA, so I was surprised to see traffic from the ASA to a few different public IPs on ports 80 and 1973. Does anyone know what these might be for? Thanks.

 

2 REPLIES
Cisco Employee

Hi,

I would recommend checking the connection information from the ASA device at the same time using this command: show conn all, and then finding the IP addresses to which it seems to be creating the connections.

Do you have any Botnet filter enabled?

Thanks and Regards,

Vibhor Amrodia

New Member

I'll have to check on this periodically. Right now, the only connections shown are my ssh and a handful of SSL VPN connections. Thanks for the assistance.
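
As an added example (not part of the original thread), the sorting the original poster did by eye can be scripted: this Python sketch parses NAT rows in the layout pasted in the question and separates sessions to the ASA's listening port from flows whose local port is not a known service. The names `classify` and `report`, and the assumption that 443 is the only listening port on the ASA, are illustrative.

```python
import re
from collections import Counter

# Subset of the NAT rows pasted in the question. Column order as shown there:
# proto, inside global, inside local, outside local, outside global.
SAMPLE = """\
tcp x.x.x.251:443    10.10.50.2:443        68.12.177.70:59888    68.12.177.70:59888
udp x.x.x.251:443    10.10.50.2:443        68.97.191.176:63761   68.97.191.176:63761
tcp x.x.x.251:25941  10.10.50.2:25941      64.111.111.113:80     64.111.111.113:80
tcp x.x.x.251:27288  10.10.50.2:27288      69.25.100.185:1973    69.25.100.185:1973
tcp x.x.x.251:39315  10.10.50.2:39315      69.25.100.186:1973    69.25.100.186:1973
tcp x.x.x.251:46456  10.10.50.2:46456      69.25.100.186:1973    69.25.100.186:1973
"""

ROW = re.compile(
    r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$"
)

def classify(text, device_ip="10.10.50.2", service_ports=frozenset({443})):
    """Split NAT entries for device_ip into sessions to its listening
    ports and flows the device itself appears to have opened."""
    inbound, outbound = Counter(), Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or a row that is not tcp/udp
        proto, _, _, local_ip, local_port, _, _, remote_ip, remote_port = m.groups()
        if local_ip != device_ip:
            continue
        if int(local_port) in service_ports:
            # Assumption: a local port in service_ports means a client connected in.
            inbound[(proto, int(local_port))] += 1
        else:
            # Ephemeral local port: the device most likely initiated this flow.
            outbound[(proto, remote_ip, int(remote_port))] += 1
    return inbound, outbound

def report(text, **kwargs):
    """Return printable summary lines, busiest outbound destination first."""
    inbound, outbound = classify(text, **kwargs)
    lines = [f"inbound  {p}/{port}: {n} session(s)"
             for (p, port), n in sorted(inbound.items())]
    lines += [f"outbound {p} -> {ip}:{port}: {n} flow(s)"
              for (p, ip, port), n in outbound.most_common()]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The outbound list is the set of destinations to compare against the output of show conn all on the ASA, as suggested in the reply.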

 
