Wil (Guest)
Posted: Fri Dec 09, 2005 5:20 pm
Post subject: Allowing incoming connections?
I am suspecting that one of my users is allowing an Internet IP Addy
into my network. I see many of the below lines (PIX log) where the UDP
port 1204 on B.B.B.B remains constant and the ports associated on
A.A.A.A increment. The port on C.C.C.C remains constant as well, which tells me
the NAT remains active.
Built outbound UDP connection 100283196 for outside:A.A.A.A/2218
(A.A.A.A/2218) to inside:B.B.B.B/1204 (C.C.C.C/53935)
Where:
A.A.A.A is some Internet IP
B.B.B.B is one of my Inside IPs
C.C.C.C is my global interface
My first thought would have been bit-torrent or something but the graphs
don't show anything suspicious. Anyone have an idea what this could be?
Looks like I'll be setting up some RSPAN this weekend...
--
Wil
my 3¢
Walter Roberson (Guest)
Posted: Fri Dec 09, 2005 5:20 pm
Post subject: Re: Allowing incoming connections?
In article <4399b7c2$0$38630$742ec2ed@news.sonic.net>,
Wil <wil@SPAM.THIS> wrote:
> I am suspecting that one of my users is allowing an Internet IP Addy
> into my network. I see many of the below lines (PIX log) where the UDP
> port 1204 on B.B.B.B remains constant and the ports associated on
> A.A.A.A increment. Port on C.C.C.C remains constant as well, tells me
> the NAT remains active.
> Built outbound UDP connection 100283196 for outside:A.A.A.A/2218
> (A.A.A.A/2218) to inside:B.B.B.B/1204 (C.C.C.C/53935)
That message wording is always a bit confusing, so you have to look
at the built *outbound* part of it and interpret the rest in that light.
It's an -outgoing- packet, which originated at B.B.B.B/1204 and
is heading for A.A.A.A/2218 .
If you have access to the user's machine, you can use netstat to find
out which process is running and forming the connections.
> Where:
> A.A.A.A is some Internet IP
> B.B.B.B is one of my Inside IPs
> C.C.C.C is my global interface
You mention that the port on C.C.C.C remains constant while the
ports on A.A.A.A increment and that that tells you "that NAT remains active".
But unless you have a static mapping between C.C.C.C 53935 and
B.B.B.B 1204, the port number should keep changing on C.C.C.C --
the PIX's PAT keeps incrementing the outside port, not reusing a port
number until it has wrapped around.
> My first thought would have been bit-torrent or something but the graphs
> don't show anything suspicious. Anyone have an idea what this could be?
Something -unsuccessfully- trying to get somewhere. If the ports on
A.A.A.A keep incrementing, it could be a virus/worm at your end... or
it could be a P2P program trying blindly to find a way around firewalls.
[IMHO, a P2P program that does that should be classified in with
viruses and worms...]
> Looks like I'll be setting up some RSPAN this weekend...
If you have PIX 6.3, then you can just use the 'capture' command
on the PIX. Set up an ACL like so...
access-list bbbb1204 permit udp any host b.b.b.b eq 1204
access-list bbbb1204 permit udp host b.b.b.b eq 1204 any
then use that on a 'capture' against the inside interface.
This is the only place I know of on the PIX where you have to put
both directions into the ACL: in all other contexts, the PIX knows
to automatically read the ACL "backwards" for incoming packets.
--
Programming is what happens while you're busy making other plans.
Wil (Guest)
Posted: Sat Dec 10, 2005 12:20 am
Post subject: Re: Allowing incoming connections?
Okay, so here's my situation. I know who is on the other side of
A.A.A.A, I have provided specific DMZ access and they are not to be on
my LAN. I've had issues with this IP in the past and need to keep the
channels open but need to keep them in check at the same time. This
connection does not happen to any other external address.
Below is an excerpt from an entire conversation between A.A.A.A and
B.B.B.B. What seems disturbing is that the service is opened up from
within the inside and remains open for 11 minutes (see the bottom line).
This happens quite frequently and I'm fairly confident that it is not a
virus but have yet to rule out some sort of directed P2P. VNC and the
like also come to mind.
If my inside user were to access a service at the other end I would
expect the ports to increment on the B.B.B.B side and remain constant on
the A.A.A.A side, since they are reversed I am very suspicious.
Using 6.2 on this PIX so capture is out, probably wouldn't help much
anyway since I have yet to catch them in the act.
########################################################
23:20:26 %PIX-3-106011: Deny inbound (No xlate) udp src
outside:A.A.A.A/1942 dst outside:C.C.C.C/1204
23:20:26 %PIX-3-106011: Deny inbound (No xlate) udp src
outside:A.A.A.A/1942 dst outside:C.C.C.C/1204
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552936 for
outside:A.A.A.A/58094 (A.A.A.A/58094) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552937 for
outside:A.A.A.A/1853 (A.A.A.A/1853) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552938 for
outside:A.A.A.A/1855 (A.A.A.A/1855) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552939 for
outside:A.A.A.A/1854 (A.A.A.A/1854) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552940 for
outside:A.A.A.A/1856 (A.A.A.A/1856) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552941 for
outside:A.A.A.A/1513 (A.A.A.A/1513) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-3-106011: Deny inbound (No xlate) udp src
outside:A.A.A.A/1942 dst outside:C.C.C.C/1204
23:20:27 %PIX-3-106011: Deny inbound (No xlate) udp src
outside:A.A.A.A/1942 dst outside:C.C.C.C/1204
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552946 for
outside:A.A.A.A/1944 (A.A.A.A/1944) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552947 for
outside:A.A.A.A/1945 (A.A.A.A/1945) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552948 for
outside:A.A.A.A/1946 (A.A.A.A/1946) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552949 for
outside:A.A.A.A/1947 (A.A.A.A/1947) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552950 for
outside:A.A.A.A/1948 (A.A.A.A/1948) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552951 for
outside:A.A.A.A/1949 (A.A.A.A/1949) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552952 for
outside:A.A.A.A/1935 (A.A.A.A/1935) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552953 for
outside:A.A.A.A/1936 (A.A.A.A/1936) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552954 for
outside:A.A.A.A/1937 (A.A.A.A/1937) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552955 for
outside:A.A.A.A/1938 (A.A.A.A/1938) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552956 for
outside:A.A.A.A/1939 (A.A.A.A/1939) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552957 for
outside:A.A.A.A/1940 (A.A.A.A/1940) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552958 for
outside:A.A.A.A/1941 (A.A.A.A/1941) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552959 for
outside:A.A.A.A/1942 (A.A.A.A/1942) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552960 for
outside:A.A.A.A/1943 (A.A.A.A/1943) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552961 for
outside:A.A.A.A/1934 (A.A.A.A/1934) to inside:B.B.B.B/1204 (C.C.C.C/3307)
23:22:27 %PIX-6-302016: Teardown UDP connection 100552936 for
outside:A.A.A.A/58094 to inside:B.B.B.B/1204 duration 0:02:01 bytes 144
23:22:27 %PIX-6-302016: Teardown UDP connection 100552937 for
outside:A.A.A.A/1853 to inside:B.B.B.B/1204 duration 0:02:01 bytes 144
23:22:27 %PIX-6-302016: Teardown UDP connection 100552938 for
outside:A.A.A.A/1855 to inside:B.B.B.B/1204 duration 0:02:01 bytes 144
23:22:27 %PIX-6-302016: Teardown UDP connection 100552939 for
outside:A.A.A.A/1854 to inside:B.B.B.B/1204 duration 0:02:01 bytes 144
23:22:27 %PIX-6-302016: Teardown UDP connection 100552940 for
outside:A.A.A.A/1856 to inside:B.B.B.B/1204 duration 0:02:01 bytes 144
23:22:27 %PIX-6-302016: Teardown UDP connection 100552941 for
outside:A.A.A.A/1513 to inside:B.B.B.B/1204 duration 0:02:01 bytes 144
23:22:28 %PIX-6-302016: Teardown UDP connection 100552946 for
outside:A.A.A.A/1944 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552947 for
outside:A.A.A.A/1945 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552948 for
outside:A.A.A.A/1946 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552949 for
outside:A.A.A.A/1947 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552950 for
outside:A.A.A.A/1948 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552951 for
outside:A.A.A.A/1949 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552952 for
outside:A.A.A.A/1935 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552953 for
outside:A.A.A.A/1936 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552954 for
outside:A.A.A.A/1937 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552955 for
outside:A.A.A.A/1938 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552956 for
outside:A.A.A.A/1939 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552957 for
outside:A.A.A.A/1940 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552958 for
outside:A.A.A.A/1941 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552959 for
outside:A.A.A.A/1942 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:22:28 %PIX-6-302016: Teardown UDP connection 100552961 for
outside:A.A.A.A/1934 to inside:B.B.B.B/1204 duration 0:02:01 bytes 36
23:32:10 %PIX-6-302016: Teardown UDP connection 100552960 for
outside:A.A.A.A/1943 to inside:B.B.B.B/1204 duration 0:11:42 bytes 1037
########################################################
Wil
my 3¢
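An added example, not code from anyone in the thread: it applies Walter's reading of the 302015 message (the inside host is the initiator of a "Built outbound" flow) and the checks Wil and Walter discuss (fixed inside port with varying remote ports, a PAT port that never changes, flows outliving the two-minute UDP teardown) to constructed log lines in the same format. The addresses are documentation-range stand-ins for A.A.A.A, B.B.B.B and C.C.C.C.

```python
import re

# Constructed sample in the PIX 302015/302016/106011 formats quoted in the thread.
# 198.51.100.7 stands in for A.A.A.A, 10.0.0.5 for B.B.B.B, 203.0.113.9 for C.C.C.C.
SAMPLE_LOG = """\
23:20:26 %PIX-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.7/1942 dst outside:203.0.113.9/1204
23:20:26 %PIX-6-302015: Built outbound UDP connection 100552936 for outside:198.51.100.7/58094 (198.51.100.7/58094) to inside:10.0.0.5/1204 (203.0.113.9/3307)
23:20:27 %PIX-6-302015: Built outbound UDP connection 100552960 for outside:198.51.100.7/1943 (198.51.100.7/1943) to inside:10.0.0.5/1204 (203.0.113.9/3307)
23:22:27 %PIX-6-302016: Teardown UDP connection 100552936 for outside:198.51.100.7/58094 to inside:10.0.0.5/1204 duration 0:02:01 bytes 144
23:32:10 %PIX-6-302016: Teardown UDP connection 100552960 for outside:198.51.100.7/1943 to inside:10.0.0.5/1204 duration 0:11:42 bytes 1037
"""

BUILT = re.compile(r"302015: Built outbound UDP connection (\d+) for outside:([\d.]+)/(\d+) "
                   r"\([\d.]+/\d+\) to inside:([\d.]+)/(\d+) \([\d.]+/(\d+)\)")
TEARDOWN = re.compile(r"302016: Teardown UDP connection (\d+) for .* duration (\d+):(\d+):(\d+) bytes (\d+)")
DENY = re.compile(r"106011: Deny inbound \(No xlate\) udp src outside:([\d.]+)/(\d+) dst outside:([\d.]+)/(\d+)")

def parse(log):
    """Pair 302015 Built with 302016 Teardown by connection id. 'Built outbound' means
    the first packet came from the inside host, so inside:ip/port is the initiator and
    outside:ip/port the responder, whatever order the message prints them in."""
    conns, denies = {}, []
    for line in log.splitlines():
        if m := BUILT.search(line):
            cid, o_ip, o_port, i_ip, i_port, pat_port = m.groups()
            conns[cid] = {"initiator": (i_ip, int(i_port)), "responder": (o_ip, int(o_port)),
                          "pat_port": int(pat_port), "duration_s": None, "bytes": None}
        elif (m := TEARDOWN.search(line)) and m.group(1) in conns:
            c = conns[m.group(1)]
            c["duration_s"] = int(m.group(2)) * 3600 + int(m.group(3)) * 60 + int(m.group(4))
            c["bytes"] = int(m.group(5))
        elif m := DENY.search(line):
            # Packet from outside with no matching xlate: dropped by the PIX (src ip, src port, dst port)
            denies.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return conns, denies

def summarize(conns, long_s=600):
    """Checks from the thread: a fixed inside port with varying remote ports (the
    'reversed' pattern Wil flagged), a PAT port that never changes (Walter expects it
    to change without a static xlate), and flows outliving the 0:02:01 UDP idle teardown."""
    initiator_ports = {c["initiator"][1] for c in conns.values()}
    responder_ports = {c["responder"][1] for c in conns.values()}
    pat_ports = {c["pat_port"] for c in conns.values()}
    long_lived = sorted(cid for cid, c in conns.items()
                        if c["duration_s"] is not None and c["duration_s"] >= long_s)
    return {"inside_port_fixed": len(initiator_ports) == 1,
            "remote_ports_vary": len(responder_ports) > 1,
            "pat_port_fixed": len(pat_ports) == 1, "long_lived": long_lived}
```

Run against a real syslog export, the 106011 denies alongside the 302015 builds show the remote side probing the global address directly while the inside host keeps opening flows to it.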
CiscoHeadsetAdapter.com (Guest)
Posted: Sat Dec 10, 2005 9:21 am
Post subject: Re: Allowing incoming connections?
Wil,
TCP and UDP ports 1204 are used for ssslog-mgr (Log Request Listener). Maybe
it's part of the application running on that PC?
Anyway, if you have access to that PC, it would be a good idea to run
"netstat -b" or "netstat -a -b" to see which application generates these
requests.
Good luck,
Mike
www.ciscoheadsetadapter.com
"Wil" <wil@SPAM.THIS> wrote in message
news:4399b7c2$0$38630$742ec2ed@news.sonic.net...
> I am suspecting that one of my users is allowing an Internet IP Addy into
> my network. I see many of the below lines (PIX log) where the UDP port 1204
> on B.B.B.B remains constant and the ports associated on A.A.A.A increment.
> Port on C.C.C.C remains constant as well, tells me the NAT remains active.
> Built outbound UDP connection 100283196 for outside:A.A.A.A/2218
> (A.A.A.A/2218) to inside:B.B.B.B/1204 (C.C.C.C/53935)
> Where:
> A.A.A.A is some Internet IP
> B.B.B.B is one of my Inside IPs
> C.C.C.C is my global interface
> My first thought would have been bit-torrent or something but the graphs
> don't show anything suspicious. Anyone have an idea what this could be?
> Looks like I'll be setting up some RSPAN this weekend...
> --
> Wil
> my 3¢