PIX/ASA - How to deal with "dynamic" HTTP or SMTP

jean.l.pierre
Level 1

Hi!

I've been noticing that some mail servers (SMTP) and web servers (HTTP/HTTPS) use dynamic connections when we connect to them.

Let's say we are on a PIX/ASA inside network and do a 'http://www.xpto.com' to access this web site. Basically we are accessing the web server's TCP port 80. Some of these servers respond using another new TCP session with origin on TCP/80 but to a different TCP port on the original machine that did the HTTP request. The firewall obviously denies these connections. I've also seen some cases with SMTP servers.

Has anyone seen this problem I'm talking about? How do you solve this issue?

Best regards,

JP

6 Replies

Collin Clark
VIP Alumni

We currently open the port, I hope there is a better way.

Hi!

Thanks for your answer.

That's a major security threat!!! Something like: 'access-list internet permit tcp any eq 80 host mail-server'

Best regards,

JP

It's not a major security threat, it's allowing access to a resource. Actually your ACL is less secure. It should be something like:

access-list internet permit tcp host(s) host eq port#

Hi!

You clearly didn't understand my question. That problem occurs when we connect to an outside HTTP or SMTP server and those servers reply using a different TCP session.

To make it work we have to use something like:

access-list acl-out permit tcp any eq 80 host xpto

We can't substitute the 'any' part because we don't know which HTTP or SMTP servers internal users will connect to.

Regards,

JP

bhooker
Level 4

Is this what you're saying happens?

client:portA-->server:portX

server:portX-->client:portB

Hi!

Exactly!

JP
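As an added illustration (not from the thread and not Cisco's own code), here is a small Python simulator of first-match ACL evaluation applied to the two list shapes discussed above: the `permit tcp any eq 80 host xpto` entry JP uses, and the named-peer form Collin suggests. All addresses are constructed documentation-range values; the "strict" list is one reading of the `host(s) host` form with the destination port left unspecified, since the thread says that port is dynamic. The point it makes visible is that matching only on source port 80 admits any outside host to any port on the inside machine, as long as that host sends from port 80, whereas naming the peer limits the exposure to the servers the site actually talks to.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry, reduced to the TCP fields used in the thread."""
    action: str                 # "permit" or "deny"
    src: str                    # "any" or a host/network in CIDR form
    src_port: Optional[int]     # None means any source port
    dst: str                    # "any" or a host/network in CIDR form
    dst_port: Optional[int]     # None means any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (_addr_matches(ace.src, pkt.src_ip)
            and (ace.src_port is None or ace.src_port == pkt.src_port)
            and _addr_matches(ace.dst, pkt.dst_ip)
            and (ace.dst_port is None or ace.dst_port == pkt.dst_port))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match semantics with the implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed addresses (RFC 5737 documentation ranges, not real hosts):
XPTO = "192.0.2.10"        # the inside host 'xpto' from the thread
MAIL = "198.51.100.25"     # an outside server the site legitimately talks to
OTHER = "203.0.113.7"      # an unrelated outside host

# 'access-list acl-out permit tcp any eq 80 host xpto' as posted in the thread
ACL_PERMISSIVE: List[Ace] = [Ace("permit", "any", 80, XPTO + "/32", None)]

# The 'permit tcp host(s) host' form from the reply; destination port left open
# because the thread says the callback port is dynamic (assumption made here).
ACL_STRICT: List[Ace] = [Ace("permit", MAIL + "/32", None, XPTO + "/32", None)]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (result under the permissive list, result under the strict list)."""
    return evaluate(ACL_PERMISSIVE, pkt), evaluate(ACL_STRICT, pkt)


# Constructed sample flows in the client:port --> server:port notation bhooker used.
SAMPLE_FLOWS: Dict[str, Packet] = {
    "known server calls back from port 80 to a dynamic port": Packet(MAIL, 80, XPTO, 4000),
    "unrelated host sends from port 80 to port 22":           Packet(OTHER, 80, XPTO, 22),
    "unrelated host sends from an ephemeral port to port 22": Packet(OTHER, 12345, XPTO, 22),
    "known server connects from port 25 to port 25":          Packet(MAIL, 25, XPTO, 25),
}


def report() -> Dict[str, Tuple[str, str]]:
    return {label: compare(pkt) for label, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (permissive, strict) in report().items():
        print(f"{label:60s} permissive={permissive:6s} strict={strict}")
```

Running the block prints one line per sample flow. The second flow is the one to look at: the source-port-only entry permits it, even though the sender is not a server the inside host ever contacted, while the named-peer entry denies it. The fourth flow shows the other side of the trade-off, which is that naming the peer also admits legitimate traffic from that peer that the port-80 entry would have dropped.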
