I am suspecting that one of my users is allowing an Internet IP Addy into my network. I see many of the below lines (PIX log) where the UDP port 1204 on B.B.B.B remains constant and the ports associated on A.A.A.A increment. The port on C.C.C.C remains constant as well, which tells me the NAT remains active.
Built outbound UDP connection 100283196 for outside:A.A.A.A/2218 (A.A.A.A/2218) to inside:B.B.B.B/1204 (C.C.C.C/53935)
Where:
A.A.A.A is some Internet IP
B.B.B.B is one of my Inside IPs
C.C.C.C is my global interface
My first thought would have been bit-torrent or something but the graphs don't show anything suspicious. Anyone have an idea what this could be? Looks like I'll be setting up some RSPAN this weekend...
That message wording is always a bit confusing, so you have to look at the built *outbound* part of it and interpret the rest in that light. It's an -outgoing- packet, which originated at B.B.B.B/1204 and is heading for A.A.A.A/2218 .
If you have access to the user's machine, you can use netstat to find out which process is running and forming the connections.
You mention that the port on C.C.C.C remains constant while the ports on A.A.A.A increment and that that tells you "that NAT remains active". But unless you have a static mapping between C.C.C.C 53935 and B.B.B.B 1204, the port number should keep changing on C.C.C.C -- the PIX's PAT keeps incrementing the outside port, not reusing a port number until it has wrapped around.
Something -unsuccessfully- trying to get somewhere. If the ports on A.A.A.A keep incrementing, it could be a virus/worm at your end... or it could be a P2P program trying blindly to find a way around firewalls. [IMHO, a P2P program that does that should be classified in with viruses and worms...]
If you have PIX 6.3, then you can just use the 'capture' command on the PIX. Set up an ACL like so...
access-list bbbb1204 permit udp any host b.b.b.b eq 1204
access-list bbbb1204 permit udp host b.b.b.b eq 1204 any
then use that on a 'capture' against the inside interface.
This is the only place I know of on the PIX where you have to put both directions into the ACL: in all other contexts, the PIX knows to automatically read the ACL "backwards" for incoming packets.
Okay, so here's my situation. I know who is on the other side of A.A.A.A, I have provided specific DMZ access and they are not to be on my LAN. I've had issues with this IP in the past and need to keep the channels open but need to keep them in check at the same time. This connection does not happen to any other external address.
Below is an excerpt from an entire conversation between A.A.A.A and B.B.B.B. What seems disturbing is that the service is opened up from within the inside and remains open for 11 minutes (see the bottom line). This happens quite frequently and I'm fairly confident that it is not a virus but have yet to rule out some sort of directed P2P. VNC and the like also come to mind.
If my inside user were to access a service at the other end I would expect the ports to increment on the B.B.B.B side and remain constant on the A.A.A.A side, since they are reversed I am very suspicious.
Using 6.2 on this PIX so capture is out, probably wouldn't help much anyway since I have yet to catch them in the act.
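As an added example (not posted by anyone in this thread), here is a small Python script that reads PIX "Built outbound" messages the way the earlier reply explains them (the "to inside:" side is the originator, the parenthesised address after it is the PAT/global translation) and then looks for the pattern the original poster describes: one fixed inside port, one fixed global port, and a growing set of remote ports on a single outside peer. The addresses and log lines are constructed for the example; only the message layout is taken from the thread.

```python
import re
from collections import defaultdict

# Layout of the PIX 6.x "Built <dir> <proto> connection" message as quoted in
# the thread: for <if>:<real ip>/<port> (<mapped ip>/<port>) to <if>:... (...)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \((?P<mip1>[\d.]+)/(?P<mport1>\d+)\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \((?P<mip2>[\d.]+)/(?P<mport2>\d+)\)"
)

# Constructed sample log (RFC 5737 documentation addresses stand in for
# A.A.A.A = 198.51.100.10, B.B.B.B = 10.1.1.25, C.C.C.C = 203.0.113.5).
SAMPLE_LOG = [
    "Built outbound UDP connection 100283196 for outside:198.51.100.10/2218 (198.51.100.10/2218) to inside:10.1.1.25/1204 (203.0.113.5/53935)",
    "Built outbound UDP connection 100283201 for outside:198.51.100.10/2219 (198.51.100.10/2219) to inside:10.1.1.25/1204 (203.0.113.5/53935)",
    "Teardown UDP connection 100283196 for outside:198.51.100.10/2218 to inside:10.1.1.25/1204 duration 0:00:02 bytes 120",
    "Built outbound UDP connection 100283207 for outside:198.51.100.10/2220 (198.51.100.10/2220) to inside:10.1.1.25/1204 (203.0.113.5/53935)",
    "Built outbound UDP connection 100283213 for outside:198.51.100.10/2221 (198.51.100.10/2221) to inside:10.1.1.25/1204 (203.0.113.5/53935)",
    # Ordinary DNS lookup from another host: dynamic PAT hands out a fresh global port.
    "Built outbound UDP connection 100283220 for outside:198.51.100.77/53 (198.51.100.77/53) to inside:10.1.1.30/3456 (203.0.113.5/1025)",
]


def parse_built(line):
    """Return a dict describing a Built connection, or None for other messages."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    if d["dir"] == "outbound":
        # Outbound: the packet originated on the inside host named after "to".
        src = (d["ip2"], int(d["port2"]))
        dst = (d["ip1"], int(d["port1"]))
        xlate = (d["mip2"], int(d["mport2"]))  # global address/port used by PAT
    else:
        # Inbound: the outside host named after "for" originated the packet.
        src = (d["ip1"], int(d["port1"]))
        dst = (d["ip2"], int(d["port2"]))
        xlate = (d["mip1"], int(d["mport1"]))
    return {"id": int(d["id"]), "proto": d["proto"], "dir": d["dir"],
            "src": src, "dst": dst, "xlate": xlate}


def summarize(lines):
    """Group outbound Built messages by (proto, inside host, inside port)."""
    flows = defaultdict(lambda: {"conns": 0, "peers": set(),
                                 "remote_ports": set(), "global_ports": set()})
    for line in lines:
        c = parse_built(line)
        if c is None or c["dir"] != "outbound":
            continue
        f = flows[(c["proto"], c["src"][0], c["src"][1])]
        f["conns"] += 1
        f["peers"].add(c["dst"][0])
        f["remote_ports"].add(c["dst"][1])
        f["global_ports"].add(c["xlate"][1])
    return dict(flows)


def flag_fixed_source_sweeps(flows, min_remote_ports=3):
    """Flows where a fixed inside port reaches many remote ports through one global port.

    With dynamic PAT the global port should change per connection, so a single
    global port across many connections points at a static mapping or a
    single long-lived local socket, which is the situation worth looking at.
    """
    hits = []
    for key, f in flows.items():
        if len(f["remote_ports"]) >= min_remote_ports and len(f["global_ports"]) == 1:
            hits.append({"flow": key, "connections": f["conns"],
                         "peers": sorted(f["peers"]),
                         "remote_ports": sorted(f["remote_ports"]),
                         "global_port": next(iter(f["global_ports"]))})
    return hits


if __name__ == "__main__":
    for hit in flag_fixed_source_sweeps(summarize(SAMPLE_LOG)):
        print(hit)
```

Run it against a syslog export instead of SAMPLE_LOG by reading the file line by line; the threshold argument controls how many distinct remote ports must be seen before a flow is reported.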