06-29-2007 04:54 AM - edited 03-11-2019 03:37 AM
I have an 837, very simple setup. It is working, but I want to know why it appears that some return traffic is being denied. As below, traffic with a source port of what I am using, i.e. www and pop3.
000150: .Jun 30 00:39:26.687 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 72.32.149.214(80) -> 124.197.44.54(49915), 1 packet
000151: .Jun 30 00:44:57.419 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.180.66.207(110) -> 124.197.44.54(9997), 4 packets
Below is the config. I think I have the firewall configured correctly, but I don't think it is normal to see these denies.
Thanks
Scotty
OUR_CISCO_ROUTER#sh run
Building configuration...
Current configuration : 4192 bytes
!
! Last configuration change at 00:26:58 NZST Sat Jun 30 2007
!
version 12.3
ip subnet-zero
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name scottys.place
no ip bootp server
ip inspect name firewall cuseeme
ip inspect name firewall http java-list 1
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip inspect name firewall h323
ip inspect name firewall realaudio
ip inspect name firewall sqlnet
ip inspect name firewall rtsp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall udp
ip inspect name firewall rcmd
ip inspect name firewall ftp
ip inspect name firewall tcp
ip inspect name firewall router
no ip ips deny-action ips-interface
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description LAN
ip address 10.11.12.13 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
no ip mroute-cache
atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
dsl power-cutback 1
hold-queue 224 in
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username xxxxxz password 7 0xxxxx42
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
!
!
ip access-list extended outside_in
remark Inbound traffic filter
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny icmp any any redirect
deny ip host 0.0.0.0 any
permit udp host 130.123.128.253 any eq ntp
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any administratively-prohibited
deny ip any any log
access-list 100 permit ip any any
no cdp run
!
!
control-plane
06-29-2007 08:02 PM
try this:
conf t
interface Ethernet0
ip inspect name firewall in
exit
wr mem
06-29-2007 09:02 PM
Hi, Thanks for that. I have done that but it is still logging denied packets as below.
I just wonder if there is something wrong with the interfaces. I have not come across one that has two Ethernet interfaces and also four FastEthernet interfaces. Of course it only has four physical ports.
Thanks
cp 202.180.66.208(110) -> 124.197.44.54(11283), 1 packet
000202: *Jun 30 07:29:57.190 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 210.3.20.151(80) -> 124.197.44.54(1685), 1 packet
000203: *Jun 30 07:30:35.010 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1699), 1 packet
000204: *Jun 30 07:30:36.242 NZST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.11.12.200)
000205: *Jun 30 07:30:42.406 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1709), 1 packet
000206: *Jun 30 07:30:53.010 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1712), 1 packet
000207: *Jun 30 07:31:22.610 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.71.200.104(80) -> 124.197.44.54(1697), 1 packet
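As an added example (not part of the thread), a small Python triage script that parses the %SEC-6-IPACCESSLOGP lines quoted above and separates denies that look like late return traffic of LAN-initiated sessions (service source port to ephemeral destination port, which the outbound CBAC inspection on Dialer0 permits only while its session entry exists) from unsolicited inbound hits. The 198.51.100.7 line in the sample is a constructed probe, not from the thread.

```python
import re
from collections import Counter
# Constructed sample: the deny lines quoted in this thread, a non-ACL syslog
# line that must be skipped, and one made-up inbound probe (198.51.100.7).
SAMPLE_LOG = """\
000150: .Jun 30 00:39:26.687 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 72.32.149.214(80) -> 124.197.44.54(49915), 1 packet
000151: .Jun 30 00:44:57.419 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 202.180.66.207(110) -> 124.197.44.54(9997), 4 packets
000202: *Jun 30 07:29:57.190 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 210.3.20.151(80) -> 124.197.44.54(1685), 1 packet
000204: *Jun 30 07:30:36.242 NZST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.11.12.200)
000999: *Jun 30 07:40:00.000 NZST: %SEC-6-IPACCESSLOGP: list outside_in denied tcp 198.51.100.7(4321) -> 124.197.44.54(22), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

# Services the LAN behind this router reaches as a client (thread: www, pop3, dns).
CLIENT_SERVICE_PORTS = {80, 110, 53, 443}

def parse_denies(text):
    """One dict per %SEC-6-IPACCESSLOGP line; other syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d.update((k, int(d[k])) for k in ("sport", "dport", "pkts"))
            yield d

def classify(entry):
    """Label a deny by what its port pair implies about direction.
    stale-return: service source port -> ephemeral destination port, the tail of
      a session the LAN opened; CBAC only lets return traffic in while its
      session entry exists, so late packets fall through to the static ACL.
    unsolicited: destination is a service/privileged port, an inbound knock."""
    if entry["sport"] in CLIENT_SERVICE_PORTS and entry["dport"] >= 1024:
        return "stale-return"
    if entry["dport"] < 1024 or entry["dport"] in CLIENT_SERVICE_PORTS:
        return "unsolicited"
    return "other"

def summarize(text):
    """Packets denied per class and per (class, peer IP), for quick triage."""
    by_class, by_peer = Counter(), Counter()
    for e in parse_denies(text):
        c = classify(e)
        by_class[c] += e["pkts"]
        by_peer[(c, e["src"])] += e["pkts"]
    return by_class, by_peer
```

Peers that show up only under "stale-return" and also appear in `sh ip inspect sessions` while browsing are the expected case; a peer under "unsolicited" is the one worth a closer look.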
06-30-2007 05:59 AM
Are those the only IPs that are being dropped? I missed your inspect on the outside interface earlier. Both of those IPs are from Hong Kong. I wouldn't be surprised if the traffic was just garbage. You can do a "sh ip inspect all" and view the sessions that are created. See if there are any valid session entries to the IPs that are being dropped.
06-30-2007 08:00 PM
Hi again,
Yes, those are sites from HK, as we were accessing sites from HK at the time. But they are not the only ones that I am seeing. I can also see my mail server and DNS server, on 110 and 53.
sh ip inspect sessions shows that the sessions are being created.
Should I have the inspect on both interfaces or just one? That is what I find confusing.
Thanks.