Recently I noticed in my extranet PIX 515E, from the output of the "show conn protocol udp" command, a number of unknown UDP connections that have been initiated from the ISA Proxy Server (inside). All outbound traffic is routed through this server. The outside PIX interface is connected to the Internet-facing router's FastEthernet interface. There is an inbound access list attached to the Internet router's serial interface (the connection with the ISP) that permits only the inbound SMTP and web traffic, as well as the replies to connections that have been initiated from inside, and discards all other traffic. There are also two ACEs that permit UDP packets with source port greater than 1024 and destination port greater than 1024 and discard UDP packets with source port less than 1024 and destination port greater than 1024.
As you can see in the attached .txt file, there are several UDP connections with flags dD. What kind of connections are these? And why do some of those UDP connections with source port less than 1024 exist and pass the router's access list?
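Added example, not part of the post: a small Python model of the two inbound UDP ACEs described above, applied to constructed conn lines written in the style of `show conn protocol udp` (the field layout, addresses and ports are assumed, not taken from the attachment). For each conn it takes the reply packet's source and destination ports as the router's inbound ACL would see them and reports which of the two UDP ACEs matches; it also shows that a port of exactly 1024 matches neither ACE, since one tests "greater than" and the other "less than".

```python
import re
from collections import namedtuple

# Constructed sample in the style of PIX 6.x "show conn protocol udp" output
# (not the poster's attachment; the exact field layout is assumed).
SAMPLE_CONN = """\
UDP out 198.51.100.10:53 in 10.0.0.5:1031 idle 0:00:02 flags dD
UDP out 198.51.100.20:1812 in 10.0.0.5:1032 idle 0:00:10 flags dD
UDP out 198.51.100.30:123 in 10.0.0.5:123 idle 0:00:01 flags dD
UDP out 198.51.100.40:1024 in 10.0.0.5:2049 idle 0:00:05 flags dD
"""

Conn = namedtuple("Conn", "out_ip out_port in_ip in_port flags")
CONN_RE = re.compile(r"UDP out (\S+):(\d+) in (\S+):(\d+) idle \S+ flags (\w+)")


def parse_conn(text):
    """Parse conn lines; lines that do not fit the assumed layout are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(Conn(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return conns


def udp_aces(src_port, dst_port):
    """The two UDP ACEs from the post, applied to one inbound packet at the
    router's serial interface. The ACEs are mutually exclusive on the source
    port, so their relative order does not matter. Returns None when neither
    matches (e.g. a port of exactly 1024, or a destination port <= 1024)."""
    if src_port > 1024 and dst_port > 1024:
        return "permit udp gt 1024 -> gt 1024"
    if src_port < 1024 and dst_port > 1024:
        return "deny udp lt 1024 -> gt 1024"
    return None


def classify_replies(text):
    """For each PIX conn, the inbound reply packet carries the outside host's
    port as source and the inside host's port as destination. Report which
    UDP ACE that reply would hit; entries hitting none depend on the separate
    'replies to inside-initiated connections' entry or fall to the implicit deny."""
    return [(c.out_port, c.in_port, udp_aces(c.out_port, c.in_port))
            for c in parse_conn(text)]


if __name__ == "__main__":
    for sport, dport, ace in classify_replies(SAMPLE_CONN):
        print(f"reply {sport} -> {dport}: {ace or 'no UDP ACE match'}")
```

Note that the PIX creates a conn entry when it forwards the outbound packet, so an entry in the table does not by itself show that the router ever passed the corresponding reply inbound.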