09-09-2008 08:44 AM - edited 03-11-2019 06:41 AM
Hello,
I have a PIX-515E running version 6.3(4). I saw an IP address hacking my web server in the DMZ on port 80. I denied the IP address on my outside access-list, but when I do "sh conn | i x.x.x.x" I still see that IP address. Could anyone tell me how to stop that?
thanks,
Gene
09-09-2008 09:00 AM
cl local-host
cl xlate global
Regards,
Sushil
09-09-2008 09:10 AM
Thanks Sushil! Could you tell me why ACL deny statement on the outside interface did not take care of the problem right the way?
Gene
09-09-2008 09:59 AM
The way the ASA processes traffic, it first looks at any existing connection. If there is one, traffic is directly sent without the ACL check. So, if the ACL is added afterwards and a connection entry is already in place, you would need to get rid of the existing connection. Afterwards, the ACL check would be taken into consideration again.
For your reference, here is what the ASA checks and in what order:
Legends:
1. Receive Packet.
2. Existing Connection?
3. Permit by Inbound ACL on interface?
4. Match translation rule (nat, static).
5. NAT embedded IP and perform security checks / randomize sequence number.
6. NAT IP header.
7. Pass packet to outgoing interface.
8. Layer 3 route lookup?
9. Layer 2 next hop?
10. Transmit packet.
NAT ORDER OF OPERATIONS
The rules are tried in order.
1) nat 0 access-list (nat-exempt)
2) match against existing xlates
3) static
a) static nat with and without access-list (first match)
b) static pat with and without access-list (first match)
4) nat
a) nat
Note: nat 0 access-list is not part of this command.
b) nat
Note: When choosing a global address from multiple pools with
the same nat id, the following order is tried
i) if the id is 0, create an identity xlate.
ii) use the global pool for dynamic NAT
iii) use the global pool for dynamic PAT
5) Error
nat (inside) 0
Nat 0 has two effects:
1. nat (inside) 0 access-list 101 This works exactly the same way as static, except it bypasses NAT. It does not require the connection to be initiated from the Higher Security Interface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface.
2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.
Regards,
Sushil
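Added example, not from the thread or from Cisco: a small Python model of the decision order Sushil describes (step 2, existing connection, before step 3, inbound ACL). It replays Gene's situation with constructed addresses and shows why the new deny only takes effect once the stale connection is cleared.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the PIX/ASA inbound decision order quoted in the thread:
# an existing connection is forwarded before the inbound ACL is consulted.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass
class Firewall:
    acl: list = field(default_factory=list)   # (action, src_network), first match wins
    conns: set = field(default_factory=set)   # connection table, what "sh conn" lists

    def process(self, flow: Flow) -> str:
        # Step 2: an existing connection bypasses the ACL entirely.
        if flow in self.conns:
            return "forward (existing conn)"
        # Step 3: inbound ACL on the outside interface, evaluated top-down.
        for action, net in self.acl:
            if ip_address(flow.src) in ip_network(net):
                if action == "deny":
                    return "drop (acl)"
                break                           # explicit permit, go build the conn
        else:
            return "drop (implicit deny)"       # no match: PIX/ASA implicit deny
        self.conns.add(flow)
        return "forward (new conn)"

    def clear_local_host(self, host: str) -> int:
        # Equivalent of "clear local-host <ip>": tear down that host's connections.
        stale = {c for c in self.conns if host in (c.src, c.dst)}
        self.conns -= stale
        return len(stale)

def replay_thread_scenario():
    # Constructed addresses; the thread itself hides the attacker's IP as x.x.x.x.
    attacker, web = "198.51.100.7", "192.0.2.80"
    fw = Firewall(acl=[("permit", "0.0.0.0/0")])  # e.g. permit tcp any host web eq www
    flow = Flow(attacker, web, 80)
    before = fw.process(flow)                     # attacker's connection gets built
    fw.acl.insert(0, ("deny", attacker + "/32"))  # admin adds the deny at the top
    still_passing = fw.process(flow)              # conn entry matched first, ACL skipped
    fw.clear_local_host(attacker)                 # or clear xlate, as suggested
    after_clear = fw.process(flow)                # ACL is consulted again
    return before, still_passing, after_clear
```

Run `replay_thread_scenario()` to see the three verdicts in order: new connection forwarded, still forwarded after the deny, dropped by the ACL only after the clear.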
09-09-2008 10:42 AM
Thank you so much Sushil!
regards,
Gene
09-11-2008 12:48 AM
The right way is to use the "shun" command, not the access-list.