Cisco Support Community

New Member

PIX/ASA - How to deal with "dynamic" HTTP or SMTP

Hi!

I've been noticing that some mail-servers (SMTP) and web-servers (HTTP/HTTPS) use dynamic connections when we connect to them.

Let's say we are on a PIX/ASA inside network and do a 'http://www.xpto.com' to access this web site. Basically we are accessing the Web-Server TCP port 80. Some of these servers respond using another new TCP session with origin on the TCP/80 but to a different TCP port on the original machine that did the HTTP request. The firewall obviously denies these connections. I've also seen some cases with SMTP servers.

Has anyone seen this problem I'm talking about? How do you solve this issue?

Best regards,

JP

6 REPLIES

Re: PIX/ASA - How to deal with "dynamic" HTTP or SMTP

We currently open the port, I hope there is a better way.

New Member

Re: PIX/ASA - How to deal with "dynamic" HTTP or SMTP

Hi!

Thanks for your answer.

That's a major security threat!!! Something like: 'access-list internet permit tcp any eq 80 host mail-server'

Best regards,

JP

Re: PIX/ASA - How to deal with "dynamic" HTTP or SMTP

It's not a major security threat, it's allowing access to a resource. Actually your ACL is less secure. It should be something like:

access-list internet permit tcp host(s) host eq port#

New Member

Re: PIX/ASA - How to deal with "dynamic" HTTP or SMTP

Hi!

You clearly didn't understand my question. That problem occurs when we connect to an outside HTTP or SMTP server and those servers reply using a different TCP session.

To make it work we have to use something like:

access-list acl-out permit tcp any eq 80 host xpto

We can't substitute the 'any' part because we don't know what HTTP or SMTP servers internal users will connect with.

Regards,

JP

New Member

Re: PIX/ASA - How to deal with "dynamic" HTTP or SMTP

Is this what you're saying happens?

client:portA-->server:portX

server:portX-->client:portB

New Member

Re: PIX/ASA - How to deal with "dynamic" HTTP or SMTP

Hi!

Exactly!

JP
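The disagreement in this thread is about what the two ACL styles actually match. The following is an added example, not Cisco code and not anything posted in the thread: a small evaluator for the subset of ASA extended ACE syntax the posts use (`permit tcp` with `any`/`host` endpoints and optional `eq` ports), run against constructed flows modelled on the `client:portA-->server:portX`, `server:portX-->client:portB` exchange above. All addresses and ports are made up (documentation ranges). It shows why the `any eq 80 host xpto` line permits far more than the callback it was written for, while the `host A host B eq port` form the other reply suggests only permits the one service; on a real ASA, the reply packets of the session the client opened pass through the connection table without any ACE at all, so only the separate server-initiated session needs a rule.

```python
# Added example (not Cisco's code): a minimal evaluator for ASA-style ACEs of the form
#   access-list NAME permit|deny tcp SRC [eq PORT] DST [eq PORT]
# where SRC/DST is 'any' or 'host ADDRESS'. Everything else (object groups, masks,
# other protocols) is out of scope. Addresses and ports below are constructed.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    src: Optional[str]       # None means 'any'
    src_port: Optional[int]  # None means any source port
    dst: Optional[str]
    dst_port: Optional[int]

@dataclass(frozen=True)
class Flow:
    """The first packet of a new TCP session, as the firewall sees it."""
    src: str
    src_port: int
    dst: str
    dst_port: int

_ENDPOINT = r"(any|host\s+\S+)(?:\s+eq\s+(\d+))?"
_ACE_RE = re.compile(
    rf"^access-list\s+(\S+)\s+(permit|deny)\s+tcp\s+{_ENDPOINT}\s+{_ENDPOINT}\s*$"
)

def parse_ace(line: str) -> Ace:
    m = _ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    name, action, src, sport, dst, dport = m.groups()
    host = lambda ep: None if ep == "any" else ep.split()[1]
    port = lambda p: None if p is None else int(p)
    return Ace(name, action, host(src), port(sport), host(dst), port(dport))

def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (
        (ace.src is None or ace.src == flow.src)
        and (ace.src_port is None or ace.src_port == flow.src_port)
        and (ace.dst is None or ace.dst == flow.dst)
        and (ace.dst_port is None or ace.dst_port == flow.dst_port)
    )

def evaluate(acl: list, flow: Flow) -> str:
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"

# 192.0.2.10 stands in for the internal host 'xpto'; 198.51.100.5 is the
# external server the user connected to. Both are constructed placeholders.
LOOSE = [parse_ace("access-list acl-out permit tcp any eq 80 host 192.0.2.10")]
TIGHT = [parse_ace("access-list acl-out permit tcp host 198.51.100.5 host 192.0.2.10 eq 25")]

def compare(flows):
    """Return {flow: (loose_decision, tight_decision)} for each constructed flow."""
    return {f: (evaluate(LOOSE, f), evaluate(TIGHT, f)) for f in flows}

if __name__ == "__main__":
    flows = [
        # server:portX --> client:portB, the callback described in the thread
        Flow("198.51.100.5", 80, "192.0.2.10", 4321),
        # an unrelated host that merely set its source port to 80
        Flow("203.0.113.7", 80, "192.0.2.10", 22),
        # ordinary inbound SMTP from the known peer
        Flow("198.51.100.5", 40000, "192.0.2.10", 25),
    ]
    for flow, (loose, tight) in compare(flows).items():
        print(f"{flow.src}:{flow.src_port} -> {flow.dst}:{flow.dst_port}"
              f"  loose={loose}  tight={tight}")
```

Running it shows the loose ACE permitting the second flow as readily as the first: the source port is chosen by the remote side, so keying a permit on it says nothing about who is connecting or which internal service they reach. The tight ACE admits only the named peer to the one published port, and denies the callback, which is the trade-off the thread is really arguing about.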
