11-27-2006 11:56 AM - edited 03-11-2019 02:00 AM
Hi!
I've been noticing that some mail-servers (SMTP) and web-servers (HTTP/HTTPS) use dynamic connections when we connect to them.
Let's say we are on a PIX/ASA inside network and do a 'http://www.xpto.com' to access this web site. Basically we are accessing the Web-Server TCP port 80. Some of these servers respond using another new TCP session with origin on the TCP/80 but to a different TCP port on the original machine that did the HTTP request. The firewall obviously denies these connections. I've also seen some cases with SMTP servers.
Has anyone seen this problem I'm talking about? How do you solve this issue?
Best regards,
JP
11-27-2006 01:08 PM
We currently open the port, I hope there is a better way.
11-27-2006 02:52 PM
Hi!
Thanks for your answer.
That's a major security threat!!! Something like: 'access-list internet permit tcp any eq 80 host mail-server'
Best regards,
JP
11-28-2006 05:13 AM
It's not a major security threat, it's allowing access to a resource. Actually your ACL is less secure. It should be something like:
access-list internet permit tcp host(s) host eq port#
12-04-2006 08:46 AM
Hi!
You clearly didn't understand my question. That problem occurs when we connect to an outside HTTP or SMTP server and those servers reply using a different TCP session.
To make it work we have to use something like:
access-list acl-out permit tcp any eq 80 host xpto
We can't substitute the 'any' part because we don't know what HTTP or SMTP servers internal users will connect with.
Regards,
JP
11-29-2006 06:25 AM
Is this what you're saying happens?
client:portA-->server:portX
server:portX-->client:portB
12-04-2006 09:26 AM
Hi!
Exactly!
JP
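As an added example (not from the thread or from Cisco), the following Python script scans constructed ASA-style deny log lines for exactly the pattern discussed here, a new TCP session from an outside server's port 80 or 25 to an ephemeral port on an inside host, and lists host-specific permit lines as review candidates to replace the 'any' in the ACL above. The log format, addresses and ACL name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in ASA syslog style (not taken from the thread);
# they model the pattern the thread describes: the outside server opens a
# new TCP session from its service port back to an ephemeral client port.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:10.1.1.20/49152 by access-group "acl-out"
%ASA-4-106023: Deny tcp src outside:203.0.113.10/80 dst inside:10.1.1.21/49301 by access-group "acl-out"
%ASA-4-106023: Deny tcp src outside:198.51.100.7/25 dst inside:10.1.1.5/33010 by access-group "acl-out"
%ASA-4-106023: Deny tcp src outside:192.0.2.44/4444 dst inside:10.1.1.20/49153 by access-group "acl-out"
%ASA-4-106023: Deny udp src outside:192.0.2.9/53 dst inside:10.1.1.20/50000 by access-group "acl-out"
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src \S+:(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+:(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
SERVICE_PORTS = {80, 25}   # the HTTP/SMTP source ports the thread mentions
EPHEMERAL_MIN = 1024       # the server's "reply" session lands on a client ephemeral port

def parse_denies(text):
    """Yield (proto, sip, sport, dip, dport) for every deny line the regex matches."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))

def reverse_sessions(text):
    """Group denied TCP connections sourced from 80/25 toward ephemeral inside ports,
    keyed by (server_ip, server_port) -> set of inside hosts that were contacted."""
    hits = defaultdict(set)
    for proto, sip, sport, dip, dport in parse_denies(text):
        if proto == "tcp" and sport in SERVICE_PORTS and dport >= EPHEMERAL_MIN:
            hits[(sip, sport)].add(dip)
    return hits

def suggest_acl(hits, acl_name="acl-out"):
    """Host-specific permit lines (one per server/inside-host pair) instead of 'any'."""
    # A source port is chosen by the remote side, so treat these as candidates to
    # verify against the servers users actually need, not as rules to apply blindly.
    return [f"access-list {acl_name} permit tcp host {sip} eq {sport} host {dip}"
            for (sip, sport), insides in sorted(hits.items()) for dip in sorted(insides)]

if __name__ == "__main__":
    for rule in suggest_acl(reverse_sessions(SAMPLE_LOG)):
        print(rule)
```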