IP Inspect problem, dropping telnet and ftp sessions in VPN.

Unanswered Question

Hi,


We recently activated IP Inspect in every router who connect to the main office via VPN. And we're starting to have problem with IP Inspect blocking telnet, ftp and traffic who is not supposed to be block. When we desactivate IP Inspect everything is fine. Or another problem we have, the traffic ( telnet of ftp ) is working for a short time and after the telnet or ftp connection is droped by ip inspect.


Anyone have a solution to my problem. I want to keep every router ( who are directly connected to Internet but also connected to the main office via VPN ).

We use Cisco 871 router with IOS 12.4(4)T4.


If someone could help me with my problem I'll really appreciate


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.1 (11 ratings)
Loading.
oabduo983 Fri, 04/27/2007 - 03:18
User Badges:
  • Bronze, 100 points or more

If you have implemented CBAC, make sure you have explicit access-list allowing traffic to flow from outside to inside, this should include the traffic which will be initiating from outside to inside...


Have you played with the timout values?


if you have changed the idle timeout of a tcp session, you will have to bring it back to the default...


ip inspect tcp idel-time 3600


Could you please post your ip inspect (CBAC) configration... I will check the for you...

Hi, Thanks for your reply.


Yeah we set the "tcp idle-time" to 7200 it was 3600 before.


For the ip inspect we have in every vpn router here what we have:


General configuration:

ip inspect tcp idle-time 7200

ip inspect name xxFW http

ip inspect name xxFW https

ip inspect name xxFW tcp

ip inspect name xxFW udp


On the wan interface of the router:

ip inspect xxFW in

ip inspect xxFW out


Thanks!





oabduo983 Fri, 04/27/2007 - 08:03
User Badges:
  • Bronze, 100 points or more

Hi there...


I do not think you have to enable inspection on the inbound direction on the wan interface. i.e. remove the ip inspect xxFW in on the wan interface.


If you want normal inspection, then you only need to inpect tcp and udp, no need for http or https unless you want to inspect deep into there protocols, e.g. you want to filter JAVA (this is your case), or want to enable URL filtering...etc, so I think you can remove ip inspect name xxFW http and ip inspect name xxFW https. If you want to allow traffic to come from outside to inside, then you need to open explicit access-lists for them...


Let me know if you need further support...

Please rate this post if it was useful.


oabduo983 Fri, 04/27/2007 - 09:28
User Badges:
  • Bronze, 100 points or more

Hi,


yes, ip inspect xxFW in on the WAN interface means you are firewalling the outside world from your internal network and opening a return traffic for the traffic initiating from outside... you do not want to do this, right? BIG security hole!


Thanks,

oabduo983 Fri, 04/27/2007 - 09:37
User Badges:
  • Bronze, 100 points or more

In your case, everyting we talked about is fine... but need to allow esp, udp 500 and 4500 to reach the wan interface of each router... you do this by creating access-lists from each router to router wan interfaces... and for ease of management you can deal with subnets instead of single IP's... depends on how many routers do you have and whether or not you use full mesh topology (In which case I would advise to use DMVPN less prossing and memory utilization)...


Finally do not forget to apply the acl to the wan interface...


Regards,

Ok ok I see. We have like 450-500 VPN router in our network. We already have these basic access-list in every router:

access-list 1 permit 10.0.0.0 0.255.255.255

access-list 1 permit x.x.x.x x.x.x.255 = ( our public IP address )

access-list 1 deny any


You said in a previous reply to open all traffic from outside to inside, like this: access-list 1 permit 10.0.0.0 0.255.255.255 ?


I'm still kind of new with access-list and IP inspect.


Thanks for your help and time!

oabduo983 Fri, 04/27/2007 - 10:43
User Badges:
  • Bronze, 100 points or more

Hi Gloubier,


In the Cisco World, when we talk about Access-lists, they do not mean permit and block access... they mean control traffic to abide to a certain rule, this rule may be access, translation, VPN, QoS, route-map ...etc, therefore I'm not sure where are you applying the three access-lists above, because they are standard acls.


The second issue, I'm sorry if misworded it, but I mean you configure explicit access-list applied on the outside interface allowing relevant traffic (not all traffic, otherwise your CBAC config is meaningless). Relevant traffic typically include the VPN traffic, routing traffic if you are using Dynamic routing protocols like RIP or Eigrp...etc...


In your case if you want to establish ISec tunnels from all routers (500) to all routers, I would highly recommend you go with DMVPN solution, you will love it if you get it to work! It is probably a good idea to check with a network service provider in your region... Where are you staying BTW?


Thanks.



Hi,


Ok ok I understand!

The access-list I guess they are really general we don't have access-list applied yet. That's why I'm working on this.


Yeah we are using Eigrp, but every router are using dsl connection from supplier around the country ( Canada ).


And every routeur don't need connect to every router in the network. Each router connect to the main office ( to a concentrator vpn ). A few of them need to talk to other router.


And I'm from Canada, Quebec.


So if I'm understanding right, I need to add access-list rules, but general rules ( VPN traffic, routing traffic ), and let ip inspect do the last verification?


Thanks!

oabduo983 Fri, 04/27/2007 - 11:06
User Badges:
  • Bronze, 100 points or more

Ok lovely,


What I suggest in this case is one of two options (I'm assuming your DSL is using a static IP not a DHCP IP),


You can configure site to site VPN connection on each router terminating on main router.


But the better option is to configure the so called EZVPN on the HO router, which make it really easy to configure on the other 499 routers, less administration headache and less memory and CPU utilization on the routers...


everything else regarding CBAC and ACL's remains the same...


Thanks,

Hi,


For the DSL/pppoe we have static and dhcp IP.


We already use ezvpn to establish vpn connection to the main site. The VPN setup is working great, it's only the part of ACL + IP inspect / firewall that I'm working on and it's kind of new to me.


If you have other advise, feel free to post and I'll try to make a configuration for the acl + ip inspect part with the good advises you told me.


Thanks again!

oabduo983 Fri, 04/27/2007 - 18:27
User Badges:
  • Bronze, 100 points or more

Ok cool, In this case nothing other than what I said earlier... You will have the IP inspect rules as mentioned before and explicit ACL's as follows:


Access-list 101 permit esp host VPN_SERVER_IP host SELF_WAN_INTERFACE

Access-list 101 permit udp host VPN_SERVER_IP host SELF_WAN_INTERFACE eq 500

Access-list 101 permit udp host VPN_SERVER_IP host SELF_WAN_INTERFACE eq 4500


interface s0/0

ip access-group 101 in


you will have to do the same on the EZVPN server if you have the control on it and if you are implementing CBAC on it!


Best wishes

Hi,


I finally started to test my firewall setup in 3 production routers. Everything seems to be working fine on 2 PPPoE clients but with the DHCP client he couldn't do a renew of his IP address and when I remove "ip access-group 101 in" ( after a shut/no shut of the interface ) the renew was working.

Is there a access-list rules I need to accept dhcp request from their ISP?


Thanks!

oabduo983 Mon, 05/14/2007 - 07:16
User Badges:
  • Bronze, 100 points or more

Hi Guillaume


You are right, you use IP inspect for the normal traffic and you create the access-lists to exempt the IPSec traffic from being blocked...


Remember your IP inspect command is inspecting TCP and UDP (not esp which is meaningless and maybe even not there!)


Regards,

Hi,


Another question about a problem we have on a few router.


Sometimes the internet stop working for the computer who are connected in the router ( who is connected VPN to the main office ), it's like the router is refusing the connexion to internet.


Here the log we have when we do a debug ip ( on the private ip the computer his using ) :


EDT: IP: tableid=0, s=10.1.1.1 (Vlan1), d=PROXY (Dialer1), routed via FIB

EDT: IP: s=10.1.1.1 (Vlan1), d=PROXY (Dialer1), g=GATEWAYPUBLICIP, len 48, forward

TCP src=1121, dst=80, seq=2099553562, ack=0, win=65535 SYN

IP: tableid=0, s=10.1.1.1 (local), d=PROXY (Dialer1), routed via FIB

IP: s=10.1.1.1 (local), d=PRPXY (Dialer1), len 40, sending

TCP src=1121, dst=80, seq=2099553563, ack=0, win=0 RST


I don't understand why the router is doing a "RST" on the connexion. He's not suppose to block the connexion, anyone have an idea why we have that kind of problem on like 5% of our router.


Thanks!


oabduo983 Mon, 05/28/2007 - 10:09
User Badges:
  • Bronze, 100 points or more

Make sure you are enabling split tunneling using the route-map command and access-lists... if you post your full config of one of the routers which do not work I will try and help you!


Regards,

Actions

This Discussion