Trying to Identify Unknown Firewall Traffic

Posted on 2013-06-21
Last Modified: 2013-06-26
About once or twice a day I am seeing something like this in the any -> any rule from the inside interface:

6|Jun 21 2013|08:05:25  src 184.106.86.97:5223  dst 10.210.241.21:56987
  access-list inside_access_in permitted tcp inside/184.106.86.97(5223) -> WAN/10.210.241.21(56987) hit-cnt 1 first hit

6|Jun 21 2013|08:05:25  src 10.210.241.21:56987  dst 184.106.86.97:5223
  access-list inside_access_in permitted tcp inside/10.210.241.21(56987) -> WAN/184.106.86.97(5223) hit-cnt 1 first hit

None of our networks or VLANs use this inside IP range, so I'm not clear on how this can be routed in our network or sent out the firewall. I tried doing a search on 184.106.86.97 and it only comes back to a Rackspace address.

I also did some searching on port 5223 and it seems to be used by Apple/iPhone products.

Right now, our any -> any rule is set to allow on the inside interface because we are still testing restricting outbound access, but it will soon be set to deny. I'm just curious where this traffic is coming from and how it's getting out with this IP address.

Anyone familiar with this?
Question by:AllDaySentry
5 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39266530
Is it always to 184.106.86.97 and port 5223? What do you have for a firewall? Do you have a managed switch?

What I'm thinking is to have you perform a capture, either from the firewall (if it's capable), using an ACL to restrict what gets captured, or, if you have a managed switch, you can mirror the firewall traffic to a different switch port, plug a computer into it and sniff the traffic. After it happens again, look at the traffic at that time to see if you can spot the protocol being used.

Also, maybe via ARP table lookups you can find out the MAC of that client. See if it's an Apple device of some sort. Maybe find out if it's an iOS device because, like you saw, 5223 should be something related to Apple's push notifications.
 
LVL 7

Expert Comment

by:dec0mpile
ID: 39266569
I think you are on the right track here. Port 5223 is used by Apple primarily for iCloud, but also for MobileMe, APNs, FaceTime, etc. You most likely have users in your company that have their devices connected to your network. When you block the port they will experience connectivity issues (unless they disconnect from the network and use 3G/4G).

I can't explain the Rackspace IP; perhaps one of the users has a hosted email account or something similar with Rackspace on their phone or tablet.
 

Author Comment

by:AllDaySentry
ID: 39266573
Yes, the traffic is always to 184.106.86.97 on port 5223. The inside IP changes but it's always a 10 address: 10.148.236.144, 10.210.241.21, etc.

We are using an ASA 5510 firewall. We have a 3750 switch that does our internal L3 routing, using 172.16.0.0/24 subnets internally, and we have one 10.45.0.0/16 subnet.

It's only a couple of hits a day and we are going to be setting the any -> any to deny soon, but I'm confused how this even gets routed and where it's coming from.
 
LVL 25

Accepted Solution

by:Cyclops3590 (earned 1000 total points)
ID: 39266594
In that case, you can run a capture from the ASA then:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Do an ACL with two rules to match:
any > 184.106.86.97 eq 5223
184.106.86.97 eq 5223 > any

Sounds like you shouldn't have anything to worry about. The capture will be able to tell you for sure. My guess is it will just be dropped, though, when trying to leave the inside interface, as there is no route. It might also be hairpinning you're seeing, if you have same-security intra-interface turned on, as the default route on the ASA would probably force it back out the outside interface. Not really sure. If nothing else, after you get captures from the outside and inside interfaces (you should do two capture sessions), you might find out enough to run a packet-tracer to see exactly what rules are being hit and whether it somehow matches a routing rule you're not expecting it to match.
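The capture, hairpin check and packet-tracer run that the accepted solution describes, plus the ARP-table and switch-mirror ideas from the first comment, written out as an added example. This is not configuration from the thread or from the linked Cisco document. The interface names "inside" and "WAN" are taken from the posted log lines; the ACL and capture names, the TFTP host 10.45.0.50 and the 3750 port numbers are assumptions.

```cisco
! Added example, not from the thread. Assumed: nameifs "inside" and "WAN"
! (from the log lines); ACL/capture names, TFTP host 10.45.0.50 and the
! 3750 port numbers are hypothetical.

! --- ASA 5510: capture both directions of the flow, on each interface ---
! One ACL with two entries, one per direction (as the accepted solution says).
access-list CAP-5223 extended permit tcp any host 184.106.86.97 eq 5223
access-list CAP-5223 extended permit tcp host 184.106.86.97 eq 5223 any

! Two capture sessions, one per interface. A packet that is hairpinned
! (inside -> inside) appears only in CAP-IN; a packet that is routed out
! appears in CAP-IN and then in CAP-OUT. buffer is in bytes.
capture CAP-IN  interface inside access-list CAP-5223 buffer 2097152 packet-length 1522
capture CAP-OUT interface WAN    access-list CAP-5223 buffer 2097152 packet-length 1522

! Packets the ASA itself discards never reach an egress capture; this
! session records them together with the drop reason (e.g. acl-drop, no-route).
capture CAP-DROP type asp-drop all

! ... wait for the next hit (about once or twice a day per the question) ...

! Read the buffers on the box, or export them for Wireshark.
show capture CAP-IN
show capture CAP-OUT detail
show capture CAP-DROP | include 184.106.86.97
copy /pcap capture:CAP-IN tftp://10.45.0.50/cap-in.pcap
copy /pcap capture:CAP-OUT tftp://10.45.0.50/cap-out.pcap

! --- Hairpin check: is intra-interface traffic permitted, and where does
! the default route point? ---
show running-config same-security-traffic
show route

! --- packet-tracer for both directions that were logged on inside_access_in ---
! The output walks every phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, FLOW-CREATION)
! and names the egress interface the ASA picks for each destination.
packet-tracer input inside tcp 10.210.241.21 56987 184.106.86.97 5223 detailed
packet-tracer input inside tcp 184.106.86.97 5223 10.210.241.21 56987 detailed

! --- Who is 10.210.241.21? (the ARP-table idea from the first comment) ---
! The ASA only holds an ARP entry for hosts on a directly connected subnet;
! for anything behind the 3750 the MAC shown is the 3750's SVI, so the
! lookup then has to be repeated on the switch.
show arp | include 10.210.241.21
show conn address 184.106.86.97

! --- Clean up when done ---
no capture CAP-IN
no capture CAP-OUT
no capture CAP-DROP
clear configure access-list CAP-5223

! --- Alternative from the first comment: SPAN on the 3750 (IOS, not ASA) ---
! Mirror the port facing the ASA inside interface to a port with a sniffer.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
```

Run the two packet-tracer commands before the next hit as well: if the ASA reports a different egress interface for 184.106.86.97 than you expect, or an "intra-interface" phase, that alone confirms the hairpin theory without waiting for a capture.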
 

Author Closing Comment

by:AllDaySentry
ID: 39279026
I think you are right. It's most likely hairpinning. After reviewing the logs it does not look like any meaningful traffic.
