IOS Firewall and NAT Issue

chorl0232
Level 1

Hello,

I'm still working on a valid configuration for a 2811 with IOS Firewall with two WAN interfaces, one Ethernet and one DSL (with an HWIC-DSL port). I configured the two WAN ports with SDM, with the DSL port as failover to the Ethernet connection. DSL is working with IP Negotiated.

Current tests show the following issue when the Ethernet connection is down:

000057: *May 28 13:52:48.195 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15619 tcpflags 0x5010 seq.no 1024469584 ack 1157493661

000058: *May 28 13:53:20.187 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15956 tcpflags 0x5010 seq.no 1024469584 ack 1157493661

000059: *May 28 13:53:52.179 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 16186 tcpflags 0x5010 seq.no 1024469584 ack 1157493661

000060: *May 28 13:54:24.171 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 38064 tcpflags 0x5010 seq.no 1157479061 ack 1024469583

000061: *May 28 13:54:56.167 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 55729 tcpflags 0x5010 seq.no 1157479061 ack 1024469583

000062: *May 28 13:55:28.155 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 56754 tcpflags 0x5014 seq.no 1157493661 ack 1024469583

000063: *May 28 13:56:14.599 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1588 due to policy match failure -- ip ident 14772 tcpflags 0x5014 seq.no 1165193308 ack 1776675591

000064: *May 28 13:56:46.371 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 64702 tcpflags 0x5010 seq.no 1376485898 ack 2263723581

000065: *May 28 13:57:23.015 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3/2, changed state to up

000066: *May 28 13:57:50.375 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 35164 tcpflags 0x5010 seq.no 1376485898 ack 2263723581

000067: *May 28 13:58:54.379 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 12205 tcpflags 0x5010 seq.no 1376485898 ack 2263723581

000068: *May 28 13:59:58.383 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 50077 tcpflags 0x5010 seq.no 1376485898 ack 2263723581

000069: *May 28 14:01:02.387 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 19913 tcpflags 0x5010 seq.no 1376485898 ack 2263723581

000070: *May 28 14:02:06.383 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 64241 tcpflags 0x5014 seq.no 1376488818 ack 2263723581

000071: *May 28 14:02:41.147 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:43248 due to policy match failure -- ip ident 60688 tcpflags 0x5014 seq.no 1979999494 ack 671214943

As far as I can see, ACK packets from external web servers are dropped by the policy-map matching.

I think the problem is related to some NAT issue, but I'm not sure.

Any ideas?

Thanks in advance

Ignacio Siles.
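An added example, not part of the original post: a small Python triage script that parses the %FW-6-DROP_TCP_PKT lines above, decodes the tcpflags word, and groups the drops per flow by direction and drop reason. Grouping this way makes the pattern in the log visible at a glance: the outbound half of each flow is rejected as an invalid ACK, and the returning server-to-client ACK/RST packets are dropped for "policy match failure", which is what you would expect when the inspect policy has no matching session for the post-failover path. The message layout is inferred from the lines quoted in the question; the inside host address passed to summarize() is an assumption taken from the same lines.

```python
import re
from collections import Counter, defaultdict

# Message layout as it appears in the question's log excerpt (assumed stable).
DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) -- ip ident \d+ tcpflags (?P<flags>0x[0-9a-fA-F]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# Low byte of the logged tcpflags word holds the TCP flag bits; the high
# nibble (0x5...) is the data offset in 32-bit words.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def decode_flags(flags_hex):
    bits = int(flags_hex, 16) & 0xFF
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if bits & bit]


def parse_drop(line):
    """Return a dict for a drop message, or None for unrelated syslog lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "reason": d["reason"], "flags": decode_flags(d["flags"]),
        "seq": int(d["seq"]), "ack": int(d["ack"]),
    }


def summarize(lines, inside_host):
    """Group drops per flow (inside addr, inside port, outside addr, outside port),
    counting (direction, reason, flags) tuples relative to inside_host."""
    by_flow = defaultdict(Counter)
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        if rec["src"] == inside_host:
            direction = "outbound"
            flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        else:
            direction = "inbound"
            flow = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        by_flow[flow][(direction, rec["reason"], "+".join(rec["flags"]))] += 1
    return by_flow


def returning_drops(summary):
    """Flows whose inbound (server-to-client) packets were dropped by policy,
    i.e. replies the firewall had no inspected session for."""
    return sorted(
        flow for flow, counts in summary.items()
        if any(d == "inbound" and r == "policy match failure" for d, r, _ in counts)
    )


# Sample input: four lines copied from the question, plus one unrelated line.
SAMPLE_LINES = [
    "000057: *May 28 13:52:48.195 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 88.17.245.247:1584 => 213.4.130.210:80 due to Invalid Ack (or no Ack) -- ip ident 15619 tcpflags 0x5010 seq.no 1024469584 ack 1157493661",
    "000060: *May 28 13:54:24.171 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 38064 tcpflags 0x5010 seq.no 1157479061 ack 1024469583",
    "000062: *May 28 13:55:28.155 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 213.4.130.210:80 => 88.17.245.247:1584 due to policy match failure -- ip ident 56754 tcpflags 0x5014 seq.no 1157493661 ack 1024469583",
    "000064: *May 28 13:56:46.371 PCTime: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 62.189.244.236:80 => 88.17.245.247:5410 due to policy match failure -- ip ident 64702 tcpflags 0x5010 seq.no 1376485898 ack 2263723581",
    "000065: *May 28 13:57:23.015 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3/2, changed state to up",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES, "88.17.245.247")  # inside host: assumed from the log
    for flow, counts in sorted(summary.items()):
        print(flow)
        for (direction, reason, flags), n in sorted(counts.items()):
            print(f"  {n:3d} x {direction:8s} {flags:8s} {reason}")
    print("flows with replies dropped by policy:", returning_drops(summary))
```

Feed it the full log (one message per line) and a single inside address; a flow that shows both an outbound "Invalid Ack" drop and inbound "policy match failure" drops is one the firewall never tracked as a session, which is the place to compare the inspect class and the NAT rule for the DSL path.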

1 Reply

hadbou
Level 5

I think you need to add a class to explicitly allow TCP traffic from the trusted IP address and insert this class to be before the class that inspects TCP.
