External request to a port which is not NATed by the Cisco ASA 5510: how is this possible?

Hello everybody,

I need some advice from Cisco geeks :-)

I have a Linux server with vsftpd installed, behind a "Cisco ASA5510". This one provides static NAT for the server, like this:

-----
static (int1,ext) tcp XX.XX.XX.XX ssh red4 ssh netmask 255.255.255.255
static (int1,ext) tcp XX.XX.XX.XX www red4 www netmask 255.255.255.255
static (int1,ext) tcp XX.XX.XX.XX https red4 https netmask 255.255.255.255
-----

The server is named "red4" in the Cisco config:

-----
name 192.168.0.3 ...
name 192.168.0.4 red4 description "... server4"
name 192.168.0.5 ...
-----

So, only the ssh, http and https ports are routed. However, here is a sample of the vsftpd log:

-----
Sun Jun 1 17:14:32 2008 [pid 16364] CONNECT: Client "74.54.18.114"
Sun Jun 1 17:14:34 2008 [pid 16363] [Administrator] FAIL LOGIN: Client "74.54.XX.XXX"
Sun Jun 1 17:14:37 2008 [pid 16363] [Administrator] FAIL LOGIN: Client "74.54.XX.XXX"
Sun Jun 1 17:14:40 2008 [pid 16363] [Administrator] FAIL LOGIN: Client "74.54.XX.XXX"
-----

74.54.XX.XXX is an American external IP address that I don't know at all.

I have only two explanations for this:

First explanation: the Cisco let packets from this address in, or is not correctly configured. However, I have tried to connect by FTP from an external IP, and the connection is refused. Can you give me a procedure to check the configuration?

Second explanation: a server on the local network acts as a router from the external IP.

Any idea? Thanks.

Reply to
André Rodier

You have to create an ACL and bind it to the right interface:

access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 443

access-group 101 in interface ext

If you wish you can adjust the "any any" portion: the first any is the source and the second is the destination. Source meaning the public IP you are coming from to access the server, and destination meaning your public, globally routable IP used to get to the server, the xx.xx.xx.xx in your static PAT below. So long as the server's default route is the ASA, this will work. If your server is trapping logs from the internet and people are getting to it somehow, you must have some interface configured on the server for people to get in.


Reply to
jcle

What would be a good way to trace the connections being made to see if they are in fact going through the ASA? I'm new to Cisco gear myself and am used to using tcpdump on unix/windows machines to debug items like this.

If what I have read so far is correct, I would use one of two methods:

1) Set up more verbose logging to a syslog server and then look through them using grep.
2) Use the debug command on the Cisco itself.

Are these good methods? Any good docs out there, either from Cisco or a 3rd party, on how to perform traffic analysis that the group would recommend?

Thanks!

Charles

Reply to
Charles N Wyble

If the server is trapping these logs, that means the ASA is redirecting the traffic properly. Now for port redirection:

Access-list, e.g.:
access-list 101 permit tcp any host "public ip provided to server" eq telnet
access-list 101 permit tcp any host "public ip provided to server" eq ftp

NAT, e.g.:
static (inside,outside) tcp "public ip provided to server" telnet red4 telnet netmask 255.255.255.255 0 0

Reply to
CK

There are 2 wonderful options available on PIX/ASA for traffic analysis. First is (surprise! :-) tcpdump; see the "capture" command for more details. Second one is "packet-tracer" (available in 7.2 and later).

Regards, Andrey.

Reply to
Andrey Tarasov
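A server-side check for the original poster's second explanation, as an added example that is not from the thread: every packet that really came through the ASA arrives on red4 with the ASA's inside-interface MAC as its Ethernet source, so inbound SYNs to port 21 carrying any other source MAC were forwarded by some other host on the LAN. The script parses `tcpdump -e -n` output (sample lines below are constructed; the ASA MAC and the `eth0` interface name are placeholders).

```python
import re
from collections import defaultdict

ASA_INSIDE_MAC = "00:1b:2c:3d:4e:5f"  # placeholder: MAC of the ASA's "int1" interface
SERVER_IP = "192.168.0.4"             # red4, from the thread's "name" line

# One line of:  tcpdump -e -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# Only pure SYNs (Flags [S]) are matched; SYN/ACK replies from red4 are ignored.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)

# Constructed sample: one SSH SYN via the ASA, one FTP SYN from another LAN host's MAC.
SAMPLE = [
    "17:14:32.101234 00:1b:2c:3d:4e:5f > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), "
    "length 74: 203.0.113.7.40112 > 192.168.0.4.22: Flags [S], seq 1, win 65535, length 0",
    "17:14:32.301234 00:50:56:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), "
    "length 74: 74.54.18.114.51234 > 192.168.0.4.21: Flags [S], seq 2, win 65535, length 0",
    "17:14:32.301900 00:0c:29:aa:bb:cc > 00:50:56:11:22:33, ethertype IPv4 (0x0800), "
    "length 74: 192.168.0.4.21 > 74.54.18.114.51234: Flags [S.], seq 3, win 65535, length 0",
]


def classify_syns(lines, server_ip=SERVER_IP):
    """Group inbound SYNs to server_ip as {dport: {source_mac: [source_ip, ...]}}."""
    result = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dip"] != server_ip:
            continue
        result[int(m["dport"])][m["smac"].lower()].append(m["sip"])
    return {port: dict(by_mac) for port, by_mac in result.items()}


def unexpected_paths(lines, asa_mac=ASA_INSIDE_MAC, server_ip=SERVER_IP):
    """Return sorted (dport, source_mac, source_ip) for SYNs that did not come via the ASA."""
    found = set()
    for dport, by_mac in classify_syns(lines, server_ip).items():
        for smac, sips in by_mac.items():
            if smac != asa_mac.lower():
                found.update((dport, smac, sip) for sip in sips)
    return sorted(found)


if __name__ == "__main__":
    for dport, smac, sip in unexpected_paths(SAMPLE):
        print(f"port {dport}: SYN from {sip} delivered by {smac}, not the ASA")
```

Run it against a live capture with `sudo tcpdump -e -n -l -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | python3 thisfile.py` after replacing `SAMPLE` with `sys.stdin`; a hit names the LAN host whose MAC forwarded the packet.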

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.