IOS Firewall Inbound access issues

Unanswered Question
Mar 14th, 2007

My scenario is as such: Trusted <--> g0/0:IOS FIREWALL(HSRP&NAT):g0/1 <--> Extranet. I have inspect rules setup for the very basic inspection (udp/tcp). I have not changed any of the default settings for timeouts, etc. I have applied inbound acls to both interfaces. (See Extranet perimeter Configuration -- http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html)

When I apply an inbound inspection rule to the external interface, for some reason all traffic sourced from the extranet is not granted access to the trusted network, even though I have explicit permit statements in the ACLs allowing specific TCP port access to services hosted in the trusted net. When I remove the inbound inspection rule from the extranet interface and leave the ACL, the traffic is allowed in?

ebreniz Tue, 03/20/2007 - 07:08

Probably the ACL permits the traffic, whatever you intended to allow; it deviates from the rule programmed in the inspection rules.

plavine Tue, 03/20/2007 - 07:17

Please go into further detail. Are you stating that the rule as compiled in the IOS is conflicting with the ACL, or vice versa? How is that possible if the inspection rule is "inspecting" the same port range on the ACL?

plavine Wed, 03/21/2007 - 06:31

I attached the file:

Here is a log debug as well:

njdg01#sh log | include 2189
048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)
048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)
048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107
048954: Mar 20 13:02:17.108 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57170) -- responder (204.10.80.130:2189)
048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048985: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57170) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
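As an added example that is not part of the thread, the small Python script below correlates the %FW-6 audit-trail start/stop and drop messages shown above by session, so the Invalid Segment drop and the zero-byte sessions can be read together as one picture of what inspection did to each connection; the sample lines are copied from the post, and the session-key and flagging logic are the script's own assumptions.

```python
import re

# Sample input: lines copied from the "sh log | include 2189" output in this thread.
SAMPLE_LOG = """\
048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)
048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)
048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107
048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
"""

# One regex per CBAC message type seen in the thread; a session is keyed by (initiator, responder).
START_RE = re.compile(r"%FW-6-SESS_AUDIT_TRAIL_START: Start \S+ session: initiator \((\S+)\) -- responder \((\S+)\)")
STOP_RE = re.compile(r"%FW-6-SESS_AUDIT_TRAIL: Stop \S+ session: initiator \((\S+)\) sent (\d+) bytes -- responder \((\S+)\) sent (\d+) bytes")
DROP_RE = re.compile(r"%FW-6-DROP_TCP_PKT: Dropping \S+ pkt (\S+) => (\S+) due to (.+?) -- ")

_new = lambda: {"drops": [], "init_bytes": None, "resp_bytes": None}

def correlate(log_text):
    """Group start, drop and stop messages by session key (assumed: drop src => dst is initiator => responder)."""
    sessions = {}
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            sessions[(m.group(1), m.group(2))] = _new()
            continue
        m = DROP_RE.search(line)
        if m:
            sessions.setdefault((m.group(1), m.group(2)), _new())["drops"].append(m.group(3))
            continue
        m = STOP_RE.search(line)
        if m:
            s = sessions.setdefault((m.group(1), m.group(3)), _new())
            s["init_bytes"], s["resp_bytes"] = int(m.group(2)), int(m.group(4))
    return sessions

def flag_sessions(sessions):
    """Return {session: reasons} for sessions that inspection dropped packets from or that never carried data."""
    flagged = {}
    for key, s in sessions.items():
        reasons = []
        if s["drops"]:
            reasons.append("inspection dropped packet(s): " + ", ".join(s["drops"]))
        if s["init_bytes"] == 0 and s["resp_bytes"] == 0:
            reasons.append("closed with 0 bytes in both directions")
        if reasons:
            flagged[key] = reasons
    return flagged
```

Calling flag_sessions(correlate(SAMPLE_LOG)) flags both sessions: port 57169 for the Invalid Segment drop plus zero bytes, and port 57168 for zero bytes alone.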
