Unable to block UDP broadcasts on Cisco VPN 3000

Unanswered Question
Jan 23rd, 2009

Hi,


We are running Cisco VPN 3030 on version 4.7.2.J. For some reason we see a lot of UDP datagrams to the internal broadcast address on ports 137 and 138. This seems to be NetBIOS name and datagram service. We do not have any WINS servers and we want to block these broadcasts from flooding the local subnet (where no servers are available). We have defined a filter that drops all traffic to the internal broadcast address and applied it to the group where the users come in, but the packets are still passing into the internal network.


Does anyone have any clues as to how to solve this issue?


Best regards,


Harry

ggilbert Sat, 01/24/2009 - 07:13
Cisco Employee

Harry,


Can you please let me know what rule/rules you have created for this filter.


Also, is there something else on this filter that is already applied to the group?


If so, can you please make sure that the drop filter that you created is at the top of the list.


Thanks

Gilbert

net-harry Mon, 01/26/2009 - 00:48

Hi Gilbert,


Please find below the rule and the network list used:


--------------------------------------------------------------------------------

Rule Name: Block_Local_Traffic
Direction: Inbound
Action: Drop and Log

Protocol: Any
TCP Connection: Don't Care

Source Address
Network List: Use IP Address/Wildcard-mask below
IP Address: 0.0.0.0
Wildcard-mask: 255.255.255.255

Destination Address
Network List: Local_Block_List

TCP/UDP Source Port
Port: Range 0-65535

TCP/UDP Destination Port
Port: Range 0-65535

ICMP Packet Type: 0-255

--------------------------------------------------------------------------------


We have also duplicated this rule with another having direction Outbound and added that to the group filter, but that did not prevent the broadcasts from getting through either.



Network List: Local_Block_List

10.10.120.35/0.0.0.0
10.10.120.36/0.0.0.0
10.10.120.37/0.0.0.0
10.10.120.63/0.0.0.0


The local internal network is 10.10.120.32/27. The local broadcast address is thus 10.10.120.63. The three other IP addresses are for the next hop internal routers (including HSRP address).



The filter is at the top of the list.



Thanks for your help!


Best regards,


Harry
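
The following is an added example, not code from the thread or from Cisco: a small Python model of the Block_Local_Traffic rule as posted, evaluated against constructed sample datagrams. It assumes the concentrator applies Cisco-style wildcard (inverse) masks to the "IP Address / Wildcard-mask" entries (0 bits must match, 1 bits are don't-care), which is consistent with the 0.0.0.0/255.255.255.255 "any source" entry above. The packets, the `Packet` class and the helper names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Network list Local_Block_List exactly as posted (address/wildcard-mask pairs).
LOCAL_BLOCK_LIST = [
    ("10.10.120.35", "0.0.0.0"),
    ("10.10.120.36", "0.0.0.0"),
    ("10.10.120.37", "0.0.0.0"),
    ("10.10.120.63", "0.0.0.0"),
]

# Source side of the posted rule: 0.0.0.0 with wildcard 255.255.255.255 (any host).
RULE_SOURCE = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard (inverse) mask: a 0 bit in the mask must match the
    base address, a 1 bit is don't-care. Assumed to be the semantics the
    concentrator applies to 'IP Address / Wildcard-mask' entries."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def subnet_broadcast(cidr: str) -> str:
    """Directed broadcast address of a subnet, e.g. 10.10.120.32/27 -> 10.10.120.63."""
    return str(ipaddress.IPv4Network(cidr, strict=False).broadcast_address)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp", "tcp" or "icmp"
    sport: int
    dport: int


def rule_matches(pkt: Packet) -> bool:
    """Evaluate Block_Local_Traffic as posted: any protocol, any source,
    all ports, destination must be in Local_Block_List."""
    if not wildcard_match(pkt.src, *RULE_SOURCE):
        return False
    if not any(wildcard_match(pkt.dst, base, mask) for base, mask in LOCAL_BLOCK_LIST):
        return False
    # Port ranges 0-65535 and ICMP type 0-255 cover every value, so nothing narrows further.
    return 0 <= pkt.sport <= 65535 and 0 <= pkt.dport <= 65535


def evaluate(packets):
    """Return (destination, verdict) per packet; 'drop' where the rule matches."""
    return [(p.dst, "drop" if rule_matches(p) else "forward") for p in packets]


# Constructed sample datagrams (not captures from the thread): NetBIOS name
# service (137) and datagram service (138) to three different destinations.
SAMPLE_PACKETS = [
    Packet("10.10.120.40", "10.10.120.63", "udp", 137, 137),     # directed broadcast of the /27
    Packet("10.10.120.40", "255.255.255.255", "udp", 138, 138),  # limited broadcast
    Packet("10.10.120.40", "10.10.120.41", "udp", 137, 137),     # plain unicast
]

if __name__ == "__main__":
    print("10.10.120.32/27 broadcast:", subnet_broadcast("10.10.120.32/27"))
    for dst, verdict in evaluate(SAMPLE_PACKETS):
        print(f"{dst:>16} -> {verdict}")
```

Running it confirms that 10.10.120.63 is indeed the directed broadcast of 10.10.120.32/27 and that the posted list matches only its four exact addresses: a datagram addressed to the limited broadcast 255.255.255.255, or to any other destination, falls through the rule. A capture on the inside interface showing the actual destination address of the port 137/138 datagrams is therefore a useful first check before changing the filter.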

ggilbert Mon, 01/26/2009 - 05:07
Cisco Employee

Harry,


Let me test this scenario in the lab and get back to you.


Cheers,

Gilbert
