Easy Question with ip inspect

scottyd
Level 1

I have an 837, very simple setup. It is working, but I want to know why it appears that some return traffic is being denied. As below, traffic with a source port of what I am using, i.e. www and pop3.

000150: .Jun 30 00:39:26.687 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 72.32.149.214(80) -> 124.197.44.54(49915), 1 packet

000151: .Jun 30 00:44:57.419 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.180.66.207(110) -> 124.197.44.54(9997), 4 packets

Below is the config. I think I have the firewall configured correctly, but I don't think it is normal to see these denies.

Thanks

Scotty

OUR_CISCO_ROUTER#sh run
Building configuration...

Current configuration : 4192 bytes
!
! Last configuration change at 00:26:58 NZST Sat Jun 30 2007
!
version 12.3
ip subnet-zero
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name scottys.place
no ip bootp server
ip inspect name firewall cuseeme
ip inspect name firewall http java-list 1
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip inspect name firewall h323
ip inspect name firewall realaudio
ip inspect name firewall sqlnet
ip inspect name firewall rtsp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall udp
ip inspect name firewall rcmd
ip inspect name firewall ftp
ip inspect name firewall tcp
ip inspect name firewall router
no ip ips deny-action ips-interface
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description LAN
 ip address 10.11.12.13 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 no ip mroute-cache
 atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 dsl power-cutback 1
 hold-queue 224 in
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting access-violations
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxz password 7 0xxxxx42
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
!
!
ip access-list extended outside_in
 remark Inbound traffic filter
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny icmp any any redirect
 deny ip host 0.0.0.0 any
 permit udp host 130.123.128.253 any eq ntp
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 deny ip any any log
access-list 100 permit ip any any
no cdp run
!
!
control-plane

4 Replies

JBDanford2002
Level 1

try this:

conf t
interface Ethernet0
 ! interface-level syntax is "ip inspect <name> in|out"; "ip inspect name ..." is the global command
 ip inspect firewall in
exit
wr mem

Hi, Thanks for that. I have done that but it is still logging denied packets as below.

I just wonder if there is something wrong with the interfaces. I have not come across one that has two Ethernet interfaces and also four FastEthernet interfaces. Of course it only has four physical ports.

Thanks

cp 202.180.66.208(110) -> 124.197.44.54(11283), 1 packet

000202: *Jun 30 07:29:57.190 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 210.3.20.151(80) -> 124.197.44.54(1685), 1 packet

000203: *Jun 30 07:30:35.010 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1699), 1 packet

000204: *Jun 30 07:30:36.242 NZST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.11.12.200)

000205: *Jun 30 07:30:42.406 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1709), 1 packet

000206: *Jun 30 07:30:53.010 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1712), 1 packet

000207: *Jun 30 07:31:22.610 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1697), 1 packet

Are those the only IPs that are being dropped? I missed your inspect on the outside interface earlier. Both of those IPs are from Hong Kong. I wouldn't be surprised if the traffic was just garbage. You can do a "sh ip inspect all" and view the sessions that are created. See if there are any valid session entries to the IPs that are being dropped.

Hi again,

Yes those are sites from HK, as we were accessing sites from HK at the time. But they are not the only ones that I am seeing. Also I can see my mail server and DNS server, on 110 and 53.

"sh ip inspect sessions" shows that the sessions are being created.

Should I have the inspect on both interfaces or just one? That is what I find confusing.

Thanks.
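The check suggested in the thread, "see if there are any valid session entries to the IPs that are being dropped", done mechanically: the script below is an added example, not code from the thread or from Cisco. It parses the %SEC-6-IPACCESSLOGP lines quoted above (plus one constructed line with a documentation address so that every class is exercised) and a constructed "show ip inspect sessions" listing, then sorts each deny into one of three bins: a deny whose reverse 5-tuple is still in the session table (the firewall is dropping traffic it should be passing; investigate), a deny from a server port to an ephemeral port with no session (a late ACK/FIN/RST or retransmission arriving after CBAC removed the dynamic entry, which then falls through to the static ACL and gets logged), and everything else (unsolicited, the ACL doing its job). The session IDs and states are made up, and the script assumes the session table shows the same addresses as the ACL log, i.e. the post-NAT outside address; if your table shows inside addresses, translate before comparing.

```python
"""Correlate IOS ACL deny logs with the CBAC (ip inspect) session table."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Deny lines quoted in the thread, plus one CONSTRUCTED line (000208, source
# 203.0.113.7 is an RFC 5737 documentation address) to exercise 'unsolicited'.
DENY_LOG = """\
000150: .Jun 30 00:39:26.687 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 72.32.149.214(80) -> 124.197.44.54(49915), 1 packet
000151: .Jun 30 00:44:57.419 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.180.66.207(110) -> 124.197.44.54(9997), 4 packets
000202: *Jun 30 07:29:57.190 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 210.3.20.151(80) -> 124.197.44.54(1685), 1 packet
000203: *Jun 30 07:30:35.010 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1699), 1 packet
000205: *Jun 30 07:30:42.406 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1709), 1 packet
000206: *Jun 30 07:30:53.010 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1712), 1 packet
000207: *Jun 30 07:31:22.610 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1697), 1 packet
000208: *Jun 30 07:31:40.000 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 203.0.113.7(4444) -> 124.197.44.54(135), 1 packet
"""

# CONSTRUCTED 'show ip inspect sessions' output: session IDs and states are
# illustrative; one entry still matches the 1697 deny above, none match the rest.
SESSION_TABLE = """\
Established Sessions
 Session 81A2B3C4 (124.197.44.54:1697)=>(202.71.200.104:80) http SIS_OPEN
 Session 81A2C5D6 (124.197.44.54:1720)=>(202.71.200.104:80) http SIS_OPEN
"""

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")

# Session <id> (initiator:port)=>(responder:port) <app-or-proto> <state>
SESSION_RE = re.compile(
    r"Session \w+ \((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) (?P<app>\S+) (?P<state>\S+)")

# Server-side source ports of the services the thread's clients were using.
SERVER_PORTS = {25, 53, 80, 110, 443}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Flow:
        """The outbound flow that an inbound packet would be the reply to."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def parse_denies(text: str) -> list[tuple[Flow, int]]:
    """(flow, packet count) for every ACL deny line in the syslog text."""
    return [(Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
             int(m["count"])) for m in DENY_RE.finditer(text)]


def parse_sessions(text: str) -> dict[Flow, str]:
    """Flow -> state for every session line; app names (http, pop3, ...) are TCP."""
    sessions: dict[Flow, str] = {}
    for m in SESSION_RE.finditer(text):
        proto = "udp" if m["app"] == "udp" else "tcp"
        sessions[Flow(proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))] = m["state"]
    return sessions


def classify(flow: Flow, sessions: dict[Flow, str]) -> str:
    """'open-session': denied although inspect still holds the session (investigate).
    'stale-return': server port -> ephemeral port, no session (late packet, expected).
    'unsolicited': nothing we asked for (the static ACL doing its job)."""
    if flow.reverse() in sessions:
        return "open-session"
    if flow.sport in SERVER_PORTS and flow.dport > 1023:
        return "stale-return"
    return "unsolicited"


def summarize(deny_text: str = DENY_LOG,
              session_text: str = SESSION_TABLE) -> dict[str, list[tuple[Flow, int]]]:
    """Bucket every deny line by classify(); returns category -> [(flow, packets)]."""
    sessions = parse_sessions(session_text)
    report: dict[str, list[tuple[Flow, int]]] = defaultdict(list)
    for flow, count in parse_denies(deny_text):
        report[classify(flow, sessions)].append((flow, count))
    return dict(report)


if __name__ == "__main__":
    for category, entries in sorted(summarize().items()):
        print(f"{category}: {sum(c for _, c in entries)} packets in {len(entries)} log lines")
        for flow, count in entries:
            print(f"  {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} ({count})")
```

Run against the thread's own lines, every deny but the constructed one lands in "stale-return": a web or POP3 server talking back to a high port that CBAC no longer holds a session for. That is the normal side effect of the design in the thread: the inspect engine only punches a hole in outside_in while it tracks the session, and once it sees the session close (or the idle timer expires) any straggler is handed to the static ACL and logged by "deny ip any any log". The "open-session" bucket is the one to chase. On the direction question: "ip inspect firewall out" on Dialer0 and "ip inspect firewall in" on Ethernet0 inspect the same outbound traffic twice; one of the two is sufficient, paired with the ACL inbound on the outside interface.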
