Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

stop conn

Hello,

I have PIX-515E with version 6.3(4). I saw an IP address is hacking my web server in DMZ on port 80. I deny the ip address on my outside access-list. But when I do "sh conn | i x.x.x.x", I am still seeing that ip address. Could anyone tell me how to stop that.

thanks,

Gene

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: stop conn

The way ASA processes traffic,it first looks at any existing connection.If there is one,traffic is directly sent without the acl check.So,if acl is added afterwards and a connection entry is already in place,you would need to get rid of the existing connection.Afterwards,acl check would be taken into the consideration again.

For your reference,here is what asa checks and in what order:

Legends:

1. Recieve Packet.

2. Existing Connection?

3. Permit by Inbound ACL on interface?

4. Match translation rule (nat, static).

5. NAT embedded IP and perform security checks / randomize sequence number.

6. NAT IP header.

7. Pass packet to outgoing interface.

8. Layer 3 route lookup?

9. Layer 2 next hop?

10. Transmit packet.

NAT ORDER OF OPERATIONS

The rules are tried in order.

1) nat 0 access-list (nat-exempt)

2) match against existing xlates

3) static

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

4) nat

a) nat access-list (first match)

Note: nat 0 access-list is not part of this command.

b) nat

(best match)

Note: When choosing a global address from multiple pools with

the same nat id, the following order is tried

i) if the id is 0, create an identity xlate.

ii) use the global pool for dynamic NAT

iii) use the global pool for dynamic PAT

5) Error

nat (inside) 0

Nat 0 has two affects

1. nat (inside) 0 access-list 101 This works exaclty the same way as static, except bypasses NAT. It does not require the connection to be initiated from the Higher Security Inteface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface

2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.

Regards,

Sushil

5 REPLIES
Silver

Re: stop conn

cl local-host

cl xlate global

Regards,

Sushil

New Member

Re: stop conn

Thanks Sushil! Could you tell me why ACL deny statement on the outside interface did not take care of the problem right the way?

Gene

Silver

Re: stop conn

The way ASA processes traffic,it first looks at any existing connection.If there is one,traffic is directly sent without the acl check.So,if acl is added afterwards and a connection entry is already in place,you would need to get rid of the existing connection.Afterwards,acl check would be taken into the consideration again.

For your reference,here is what asa checks and in what order:

Legends:

1. Recieve Packet.

2. Existing Connection?

3. Permit by Inbound ACL on interface?

4. Match translation rule (nat, static).

5. NAT embedded IP and perform security checks / randomize sequence number.

6. NAT IP header.

7. Pass packet to outgoing interface.

8. Layer 3 route lookup?

9. Layer 2 next hop?

10. Transmit packet.

NAT ORDER OF OPERATIONS

The rules are tried in order.

1) nat 0 access-list (nat-exempt)

2) match against existing xlates

3) static

a) static nat with and without access-list (first match)

b) static pat with and without access-list (first match)

4) nat

a) nat access-list (first match)

Note: nat 0 access-list is not part of this command.

b) nat

(best match)

Note: When choosing a global address from multiple pools with

the same nat id, the following order is tried

i) if the id is 0, create an identity xlate.

ii) use the global pool for dynamic NAT

iii) use the global pool for dynamic PAT

5) Error

nat (inside) 0

Nat 0 has two affects

1. nat (inside) 0 access-list 101 This works exaclty the same way as static, except bypasses NAT. It does not require the connection to be initiated from the Higher Security Inteface before the host on the Lower Security interface can create a connection to the host on the Higher Security level interface

2. nat (inside) 0 0.0.0.0 0.0.0.0 This bypasses NAT, but requires the host on the Higher Security interface to first initiate a connection to the host on the Lower Security interface before the host on the Lower Security interface can initiate a connection.

Regards,

Sushil

New Member

Re: stop conn

Thank you so much Sushil!

regards,

Gene

New Member

Re: stop conn

Right way is use "shun" command, not the access-list.

97
Views
0
Helpful
5
Replies