Cisco Support Community

New Member

Virus infection in Inside network?

Dear all,

I found that one of my servers on the Inside network has built a lot of connections to unknown outside hosts.

From that server, I saw the server itself keeps setting up TCP connections to outside hosts, and the destination port is 445. I think the server got a virus, but I don't know how this server got infected.

I tried to limit the maximum TCP connections to 100 for the NAT, but it doesn't help.

nat (inside) 1 0.0.0.0 0.0.0.0 tcp 100 100

How can I prevent this issue, and what should I do in this situation? Thanks a lot.

TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.167:445 inside 192.168.1.63:2125, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.166:445 inside 192.168.1.63:2124, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.165:445 inside 192.168.1.63:2123, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.164:445 inside 192.168.1.63:2122, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.163:445 inside 192.168.1.63:2121, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.162:445 inside 192.168.1.63:2120, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.161:445 inside 192.168.1.63:2119, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.160:445 inside 192.168.1.63:2118, idle 0:00:27, bytes 0, flags saA
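The pattern in the connection table above (one inside host, many sequential outside addresses, all on tcp/445, all with zero bytes transferred) is exactly what a defender wants to catch automatically. The following is an added example, not code from the original post or from Cisco: it parses `show conn` style lines and flags any inside host that fans out to several distinct outside peers on one port without completing the handshake. The sample lines are constructed (the first three mirror the pattern reported above, the two HTTPS lines are an invented healthy client for contrast), and the threshold of three distinct peers is an assumption you would tune for your network.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the `show conn` lines quoted in the post.
# The three lines for 192.168.1.63 mirror the reported pattern; the two lines
# for 192.168.1.20 are an invented, healthy-looking HTTPS client for contrast.
SAMPLE_CONN = """\
TCP outside 172.5.48.170:445 inside 192.168.1.63:2128, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.169:445 inside 192.168.1.63:2127, idle 0:00:27, bytes 0, flags saA
TCP outside 172.5.48.168:445 inside 192.168.1.63:2126, idle 0:00:27, bytes 0, flags saA
TCP outside 203.0.113.10:443 inside 192.168.1.20:51000, idle 0:00:05, bytes 18234, flags UIO
TCP outside 203.0.113.11:443 inside 192.168.1.20:51001, idle 0:00:05, bytes 9120, flags UIO
"""

# One `show conn` line: proto, outside peer, inside host, idle timer, byte count, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+outside\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"inside\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+),\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


def parse_conn(text):
    """Parse `show conn` style lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("dst_port", "src_port", "bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def find_fan_out(rows, port=445, min_distinct_dst=3):
    """Return {inside_host: stats} for hosts talking to >= min_distinct_dst
    distinct outside peers on `port`.

    'half_open' counts connections that never reached the established state:
    the ASA marks an established conn with 'U' (up) in its flags, so a conn
    with no 'U' and zero bytes is a SYN that has not been answered usefully.
    """
    peers = defaultdict(set)
    half_open = defaultdict(int)
    for r in rows:
        if r["proto"] != "TCP" or r["dst_port"] != port:
            continue
        peers[r["src_ip"]].add(r["dst_ip"])
        if "U" not in r["flags"] and r["bytes"] == 0:
            half_open[r["src_ip"]] += 1
    return {
        host: {"distinct_dst": len(dsts), "half_open": half_open[host]}
        for host, dsts in peers.items()
        if len(dsts) >= min_distinct_dst
    }


if __name__ == "__main__":
    for host, stats in find_fan_out(parse_conn(SAMPLE_CONN)).items():
        print(f"{host}: {stats['distinct_dst']} distinct hosts on tcp/{445}, "
              f"{stats['half_open']} half-open")
```

Feeding the full output of `show conn` into `parse_conn` and running `find_fan_out` on a schedule gives you the alert the original poster found by eye; the half-open count separates a host that is probing addresses from one that legitimately talks SMB to a few file servers.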

11 REPLIES

Re: Virus infection in Inside network?

Add a line to the beginning of the ACL applied to the inside interface.

access-list inside_out ext deny tcp host 192.168.1.63 172.5.48.0 255.255.255.0

This will block all TCP communications from your server to the outside host.

New Member

Re: Virus infection in Inside network?

The issue is that the destination IPs are always changing.

How come the maximum TCP connection limit doesn't take effect?

Thank you.

New Member

Re: Virus infection in Inside network?

How come the packets are still going through the ASA when I remove the NAT for every inside host?

After applying an ACL on port 445 on the inside interface, it stopped going out.

Re: Virus infection in Inside network?

Post your NAT config please.

New Member

Re: Virus infection in Inside network?

Hi Collin,

NAT config is pretty normal, as follows:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 tcp 500 300
nat (inside) 1 192.168.1.63 255.255.255.255 tcp 100 100 udp 100

All the hosts on the Inside network can access the Internet (Outside).

I added the TCP connection limit, but it didn't help. When I remove all the NAT settings, the packets from the malware are still going out.

Thanks.

Re: Virus infection in Inside network?

If the connection was already established when you removed the NAT statements, it would have to wait until the timeout. As far as the limiting, were you hitting 100?

New Member

Re: Virus infection in Inside network?

Yes, the connections from the infected server had reached more than 500 (roughly 30 packets per second).

I did a test to block destination port 445 on the Outside interface. The packets were still hitting the Outside interface and were blocked there.

I don't understand how it works.

Re: Virus infection in Inside network?

Can you post your access-group (show run | i access-group) config? I think it might be applied either on the wrong interface or in the wrong direction.

New Member

Re: Virus infection in Inside network?

The current ACL is as below and works fine.

access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445
access-list Inside-out extended permit ip any any
access-group Inside-out in interface inside

The ACL for the test is as follows:

access-list Inside-out extended deny tcp host 192.168.5.63 any eq 445 (didn't get any hit)
access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445
access-list Inside-out extended permit ip any any
access-group Inside-out out interface outside

Thanks a lot.

Re: Virus infection in Inside network?

I suspect the second one is not being blocked because of NAT.

New Member

Re: Virus infection in Inside network?

Yes you are right. The 2nd one got the hit at

access-list Inside-out extended deny tcp host "Outside interface ip's" any eq 445

But this way didn't reduce the number of connections on the firewall.

The ACL is OK now. I just don't understand why the packets are still going through even though I removed the NAT setting. I am sure I stopped it for more than 10 minutes, and new connections were still being set up.
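The two ACL tests in the thread come down to order of operations: an inbound ACL on the inside interface is evaluated against the server's real address, while on this pre-8.3 `nat`/`global` configuration the outbound ACL on the outside interface sees the source already translated to the outside interface IP, which is why `deny tcp host 192.168.5.63` got no hits there and the entry matching the outside interface address did. The following is an added example, not code from the thread or from Cisco: a deliberately simplified model of that packet path with hit counters, so you can see which entry fires in each of the three placements discussed. The outside interface address `198.51.100.1` is a constructed placeholder, and the model covers only the inside-to-outside direction with dynamic PAT.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Ace:
    """One access-list entry, e.g. 'deny tcp host 192.168.5.63 any eq 445'."""
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'tcp', 'udp' or 'ip'
    src: str                    # CIDR network or 'any'
    dst: str                    # CIDR network or 'any'
    dport: Optional[int] = None # None means any destination port
    hits: int = 0


def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _matches(ace, pkt):
    return (
        ace.proto in ("ip", pkt.proto)
        and _in_net(pkt.src, ace.src)
        and _in_net(pkt.dst, ace.dst)
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def evaluate(acl, pkt):
    """First-match evaluation with per-entry hit counting; implicit deny at the end."""
    for ace in acl:
        if _matches(ace, pkt):
            ace.hits += 1
            return ace.action
    return "deny"


def outbound_flow(pkt, inside_acl, outside_acl, outside_if_ip):
    """Simplified model (an assumption, not ASA source) of an inside->outside packet:
    1. the inbound ACL on the inside interface sees the original source address;
    2. dynamic PAT ('global (outside) 1 interface') rewrites the source to the
       outside interface IP;
    3. the outbound ACL on the outside interface sees the translated source,
       which is consistent with the hit counts reported in the thread."""
    if evaluate(inside_acl, pkt) == "deny":
        return "dropped at inside interface"
    translated = Packet(outside_if_ip, pkt.dst, pkt.proto, pkt.dport)
    if evaluate(outside_acl, translated) == "deny":
        return "dropped at outside interface"
    return "forwarded"


def demo():
    outside_if_ip = "198.51.100.1"  # constructed placeholder for the ASA outside address
    pkt = Packet("192.168.5.63", "172.5.48.170", "tcp", 445)
    permit_all = lambda: [Ace("permit", "ip", "any", "any")]

    # Thread test 1: deny the server's real address, applied outbound on outside.
    outside_real = [Ace("deny", "tcp", "192.168.5.63/32", "any", 445), *permit_all()]
    r1 = outbound_flow(pkt, permit_all(), outside_real, outside_if_ip)

    # Thread test 2: deny the outside interface address, applied outbound on outside.
    outside_xlate = [Ace("deny", "tcp", f"{outside_if_ip}/32", "any", 445), *permit_all()]
    r2 = outbound_flow(pkt, permit_all(), outside_xlate, outside_if_ip)

    # The working config: deny the real address, applied inbound on inside.
    inside_acl = [Ace("deny", "tcp", "192.168.5.63/32", "any", 445), *permit_all()]
    r3 = outbound_flow(pkt, inside_acl, permit_all(), outside_if_ip)

    return {
        "outside_acl_real_ip": (r1, outside_real[0].hits),
        "outside_acl_xlate_ip": (r2, outside_xlate[0].hits),
        "inside_acl": (r3, inside_acl[0].hits),
    }


if __name__ == "__main__":
    for name, (verdict, hits) in demo().items():
        print(f"{name}: {verdict}, deny entry hits={hits}")
```

The practical lesson the model makes visible: filter a misbehaving inside host on the interface where its real address is still visible (inbound on inside), and remember that an outbound rule on the outside interface keyed to the translated address would block every host behind that PAT, not just the infected one.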
