UDP port 6004 and 137

Mhon Baul
Level 1

Hi,

  Can anyone tell me if this is OK? I see these two ports connecting to my Exchange and AD.

UDP outside1 192.168.1.106:6004 inside EXCH01:31970, idle 0:00:42, bytes 8, flags -
UDP outside1 192.168.1.106:6004 inside EXCH01:31959, idle 0:00:42, bytes 8, flags -
UDP outside1 192.168.1.106:6004 inside EXCH01:31859, idle 0:01:43, bytes 8, flags -
UDP outside1 192.168.1.106:6004 inside EXCH01:31847, idle 0:01:43, bytes 8, flags -
UDP outside1 192.168.134.1:123 inside ADDC01:123, idle 0:00:23, bytes 68, flags -
UDP outside1 192.168.195.1:123 inside ADDC01:123, idle 0:00:23, bytes 68, flags -
UDP outside1 192.168.0.1:137 inside ADDC01:137, idle 0:00:40, bytes 903, flags -
UDP outside1 192.168.218.1:137 inside ADDC01:137, idle 0:00:47, bytes 1806, flags -
UDP outside1 192.168.136.1:137 inside ADDC01:137, idle 0:01:02, bytes 903, flags -
UDP outside1 192.168.32.1:137 inside ADDC01:137, idle 0:01:03, bytes 903, flags -

Thanks,

Reymon

8 Replies

Hi,

As per your logs, there is communication happening between your clients and your AD server & Exchange server.

Nowadays Exchange server uses random ports to connect to its email clients. Even I have seen lots of logs like this in my ASA.

Port number 137 is used by the Name Resolution Service to resolve names.

So, no worries...

regards

karuppu

hi karuppu,

  Thanks for your reply. My worry is that 192.168.1.x is not being used in my network; that's why I'm wondering if this is safe. 192.168.1.x is coming from the outside internet.

thanks,

HI,

Do you have any VPN connectivity on the same firewall?

If not, then somebody is trying to spoof your network.

You should protect your network by configuring IP spoofing protection in your firewall.

The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.

If, for example, our inside interface connects to the internal network 192.168.1.0/24, this means that packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24; otherwise they will be dropped (if IP Spoofing is configured).

To enable IP Spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface "interface_name"
For example, to enable IP spoofing on the inside interface, use the following command:

Regards

Karuppu

Hi,

  As of now, I don't have any VPN connection. I already configured CiscoASA5500(config)# ip verify reverse-path interface "interface_name"

but still I can see those private IPs connecting to the server.

thanks,

You can also configure a deny statement on the outside interface denying RFC 1918 towards your Exchange server if you think they are not legitimate IP addresses.

I tried this configuration but it doesn't work. What I did was block the traffic coming from my inside interface going to RFC 1918, and I see a lot of dropped packets for this one.
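To make the two checks discussed in this thread concrete (Karuppu's reverse-path rule, where the route back to the source must point out the interface the packet arrived on, and the later suggestion to deny RFC 1918 sources on the outside interface), here is an added Python example. It is not from the thread and not Cisco code: it parses conn-table lines in the format posted in the question and applies both checks against an assumed routing table (10.10.0.0/16 on inside, default route out outside1; the OP's real addressing is unknown). The first three sample lines are copied from the question, the last two are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Conn-table lines: the first three are as posted in the thread; the last two
# are constructed inside-originated flows to exercise the check in both directions.
SAMPLE_CONNS = [
    "UDP outside1 192.168.1.106:6004 inside EXCH01:31970, idle 0:00:42, bytes 8, flags -",
    "UDP outside1 192.168.134.1:123 inside ADDC01:123, idle 0:00:23, bytes 68, flags -",
    "UDP outside1 192.168.0.1:137 inside ADDC01:137, idle 0:00:40, bytes 903, flags -",
    "UDP inside 10.10.5.20:53012 outside1 203.0.113.10:53, idle 0:00:05, bytes 120, flags -",    # constructed, legitimate
    "UDP inside 192.168.1.50:40000 outside1 203.0.113.10:53, idle 0:00:05, bytes 120, flags -",  # constructed, forged source
]

# Assumed routing table (an assumption, not the OP's real config): inside hosts
# live in 10.10.0.0/16 and the default route points out outside1.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "inside"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside1"),
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "UDP <in_if> <src>:<sport> <out_if> <dst>:<dport>, idle ..., bytes ..., flags ..." layout.
CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<in_if>\S+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<out_if>\S+) (?P<dst>[^\s:]+):(?P<dport>\d+), idle (?P<idle>\S+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S*)$"
)


@dataclass
class Conn:
    proto: str
    in_if: str
    src: ipaddress.IPv4Address
    sport: int
    out_if: str
    dst: str
    dport: int
    nbytes: int


def parse_conn(line):
    """Parse one conn-table line; raise on anything that does not fit the layout."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised conn line: {line!r}")
    return Conn(m["proto"], m["in_if"], ipaddress.ip_address(m["src"]), int(m["sport"]),
                m["out_if"], m["dst"], int(m["dport"]), int(m["bytes"]))


def route_interface(addr):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def passes_urpf(conn):
    """Reverse-path check as described in the thread: the route back to the
    source must point out the interface the packet arrived on."""
    return route_interface(conn.src) == conn.in_if


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(line):
    """Return (conn, verdicts): 'urpf-drop', 'rfc1918-on-outside', or ['ok']."""
    c = parse_conn(line)
    verdicts = []
    if not passes_urpf(c):
        verdicts.append("urpf-drop")
    if c.in_if.startswith("outside") and is_rfc1918(c.src):
        verdicts.append("rfc1918-on-outside")
    return c, verdicts or ["ok"]


def audit(lines):
    """Summarise a batch of conn lines as (source, arriving interface, verdicts)."""
    return [(str(c.src), c.in_if, v) for c, v in map(classify, lines)]


if __name__ == "__main__":
    for src, iface, verdicts in audit(SAMPLE_CONNS):
        print(f"{src:16} via {iface:9} -> {', '.join(verdicts)}")
```

Run as written it prints one verdict per line. The first sample is the instructive one: with a default route out outside1, the reverse-path rule as stated is satisfied for a 192.168.1.x source arriving on outside1, so that check alone does not flag it; it is the explicit RFC 1918 deny, applied inbound on the outside interface (the direction the earlier reply suggests), that catches it. An ACL on the inside interface towards RFC 1918 filters a different flow, which is why its drop counters say nothing about these entries.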

UDP/6004 seems to be a Microsoft Exchange server port as per the following doc:

http://www.pc-library.com/ports/tcp-udp-port/6004/

vilaxmi
Cisco Employee

Hello,

I would suggest you configure a SPAN session on the switch behind your firewall and then filter the output on the exact IP address being seen, using Wireshark.

This way you can track down the host behind your network that may be trying to spoof IP addresses, with the help of the MAC address table and ARP table.

HTH

Vijaya
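The last step of the suggestion above, going from a source IP seen in the capture to a switch port via the ARP table and the MAC address table, is mechanical enough to script. The following is an added Python example, not from the thread or from Cisco: it parses constructed IOS-style `show arp` and `show mac address-table` output (the addresses, MACs and port names are sample data) and joins them, and produces the Wireshark display filter for the SPAN capture.

```python
import re

# Constructed IOS-style 'show arp' output (sample data, not from the thread).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.106          12   0011.2233.4455  ARPA   Vlan10
Internet  10.10.5.20              3   0011.2233.aabb  ARPA   Vlan10
Internet  10.10.5.99              5   0011.2233.eeff  ARPA   Vlan10
"""

# Constructed IOS-style 'show mac address-table' output (sample data).
SHOW_MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    0011.2233.aabb    DYNAMIC     Gi1/0/12
  20    0011.2233.ccdd    DYNAMIC     Gi1/0/24
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(?P<ip>[\d.]+)\s+\S+\s+(?P<mac>{MAC})\s+ARPA\s+(?P<iface>\S+)", re.I)
MAC_RE = re.compile(rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{MAC})\s+\S+\s+(?P<port>\S+)", re.I)


def parse_arp(text):
    """ip -> (mac, interface) from 'show arp'; header and non-ARPA lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["iface"])
    return table


def parse_mac_table(text):
    """mac -> (vlan, port) from 'show mac address-table'; banner and separator lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m["mac"].lower()] = (m["vlan"], m["port"])
    return table


def locate(ip, arp_text, mac_text):
    """Join the two tables for one IP. Returns None when the IP has no ARP entry;
    'port' is None when the MAC has aged out of (or never reached) the MAC table."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None
    mac, svi = arp[ip]
    vlan, port = parse_mac_table(mac_text).get(mac, (None, None))
    return {"ip": ip, "mac": mac, "arp_interface": svi, "vlan": vlan, "port": port}


def wireshark_filter(ip):
    """Display filter for the SPAN capture: frames whose IP source is the address in question."""
    return f"ip.src == {ip}"


if __name__ == "__main__":
    suspect = "192.168.1.106"   # the source seen on outside1 in the question
    print(wireshark_filter(suspect))
    print(locate(suspect, SHOW_ARP, SHOW_MAC))
```

Two caveats when reading the result: a host forging its IP source can also answer ARP for it, so the ARP entry identifies the sender only as far as the MAC is trusted, and a port that carries many MACs is usually an uplink to another switch, so the search has to be repeated on that switch.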
