Hi, Blake, Thanks a lot for your comments! In-line.... On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote:
Current gen Cisco ASA firewalls have logic so that if the connection from a private host originated from a privileged source port, the NAT translation to public IP also uses an unprivileged source port (not necessarily the same source port though).
Did you actaully mean "...also uses a *privileged port*"?
I found out that this behavior can cause issues when you have devices on your network that implement older DNS libraries or configs using UDP 53 as a source and destination port for their DNS lookups. Occasionally the source port gets translated to one that ISC BIND servers have in a blocklist (chargen, echo, time, and a few others) and the query is ignored. As I recall, this behavior is hard coded so patching and recompiling BIND is required to work around it.
I forget what the older ASA behavior was. It may have been to leave the source port unchanged through the NAT process (I think this is what you mean by "not translated"). In that case the client doesn't implement source port randomization and the NAT doesn't "upgrade" the connection to a random source port so I don't really see it as an issue.
The issue would be that if the port is not translated, and multiple systems in the internal real of the NAT try to use the same privileged port (say, 123) simultaneously, things wouldn't work. Thanks, -- Fernando Gont Director of Information Security EdgeUno, Inc. PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531