877w ZBFW issues

csc.nes-wa
Level 1

Hi,

I am having a few issues since changing from a cbac firewall to a zone based firewall running on a Cisco 877w IOS:

c870-advipservicesk9-mz.124-24.T6.bin

1. Enabling HTTP layer 7 inspection stops certain websites and downloads working. As a workaround I have just enabled layer 3/4 inspection.

In my config, if I enable the following then it breaks certain websites and downloads:

class-map type inspect match-all cm_http
 match protocol http
 match access-group name zInternal_Subnets

2. I am seeing strange traffic being dropped from port 0 to port 3? This happens quite frequently, and it generally coincides with opening fatrat which is a download manager and bit torrent client. The only info I can find on this port is:

Port(s)  Protocol  Service      Details                                                              Source
3        tcp,udp   compressnet  SynDrop trojan uses this port.                                       SG
                                Delta Force also uses port 3 (TCP).
                                IANA assigned for: Compression Process
                                Port also used by: Midnight Commander
3        tcp,udp                Compression Process (official)                                       Wikipedia
3        tcp,udp   compressnet  Compression Process                                                  IANA
3        tcp,udp   compressnet  Midnight Commander. Sometimes this program is assigned to this port.

Could it be a trojan, or related to the compression process? What I would like to know is whether or not I should be allowing this through the firewall, i.e. if it's used for compressing data between clients then that could be quite useful!?

e.g.:

4049: [syslog@9 s_sn="4049"]: 004043: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.6:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

4050: [syslog@9 s_sn="4050"]: 004044: %FW-6-LOG_SUMMARY: 1 packet were dropped from 118.4.250.164:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

4051: [syslog@9 s_sn="4051"]: 004045: %FW-6-LOG_SUMMARY: 1 packet were dropped from 190.229.222.76:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

4052: [syslog@9 s_sn="4052"]: 004046: %FW-6-LOG_SUMMARY: 1 packet were dropped from 180.180.81.94:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

4053: [syslog@9 s_sn="4053"]: 004047: %FW-6-LOG_SUMMARY: 1 packet were dropped from 122.125.91.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

4054: [syslog@9 s_sn="4054"]: 004048: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.35:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

4055: [syslog@9 s_sn="4055"]: 004049: %FW-6-LOG_SUMMARY: 1 packet were dropped from 91.205.69.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)


3. Lastly, I am also getting a lot of dropped packets:

%FW-6-DROP_PKT: Dropping tcp session 10.10.0.2:34445 216.137.55.60:443  due to  RST inside current window with ip ident 0

%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46151 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:60092 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

%FW-6-LOG_SUMMARY: 1 packet were dropped from 178.111.60.151:55755 => 10.10.0.10:40760 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46620 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

%FW-6-LOG_SUMMARY: 1 packet were dropped from 113.160.85.70:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)

%FW-6-DROP_PKT: Dropping tcp session 118.215.189.177:443 10.10.0.3:40047 on zone-pair ZP_out_nat class class-default due to  DROP action found in policy-map with ip ident 0

%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182  due to  Stray Segment with ip ident 0

%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:51745 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:33809 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:44424 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:37326 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:57595 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 1 packet were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)

%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:65477 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:45402 (target:class)-(ZP_out_nat:class-default)

%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:40047 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

I have also attached my config. If someone could help me out with any or all of the above, it would be much appreciated.

Regards,

Peter

3 Replies

mightymouse2045
Level 1

I have downgraded to c870-advipservicesk9-mz.124-20.T3.bin as per the suggestion from this thread, https://supportforums.cisco.com/thread/2089462, and this has resolved problem 1: with HTTP inspection enabled, all traffic is working as expected.

I will try upgrading one release at a time, see which IOS version starts causing this problem, and report back.

I still have problems with 2 & 3, however, so any answers/suggestions regarding those would be appreciated.

Hi

For problems 2 & 3: Are you having problems with some applications not working properly? Because from what I can see, 95% of the dropped packets are from outside to inside... which is good; the firewall is doing its work.

But take this one, for example:

"%FW-6-LOG_SUMMARY: 1 packet were dropped  from 10.5.0.3:32856 => 98.137.129.181:80  (target:class)-(ZP_OUTBOUND:cm_generic_traffic)"

The packet is being dropped from inside to outside by a policy-map that is inspecting... I don't have an answer for that.
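Henrik's observation (most of the drops are outside-to-inside, a few are inside-to-outside and worth a closer look) can be checked mechanically rather than by eye. The script below is an added example for this thread, not Cisco code and not anything posted by the participants. It parses the two message formats that appear above, %FW-6-LOG_SUMMARY and %FW-6-DROP_PKT, and tallies dropped packets by direction, by zone-pair/class, by stateful drop reason, and by the "source port 0 to destination port 3" pattern from problem 2. The sample lines are copied from the thread (the one %SYS line is constructed to show that unrelated messages are skipped); the assumption that 10.0.0.0/8 is the inside network is constructed from the 10.5.0.x and 10.10.0.x hosts in the logs and should be replaced with the real zInternal_Subnets prefixes.

```python
"""Triage Cisco IOS zone-based firewall (ZBFW) drop logs.

Added example for this thread, not Cisco code. Parses %FW-6-LOG_SUMMARY and
%FW-6-DROP_PKT messages and summarises where the drops come from, which
policy dropped them, and why.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the inside network is 10.0.0.0/8 (the thread shows 10.5.0.x and
# 10.10.0.x hosts). Replace with the prefixes in the zInternal_Subnets ACL.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# "%FW-6-LOG_SUMMARY: 3 packets were dropped from A:P => B:Q (target:class)-(ZP:CLASS)"
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY:\s+(?P<count>\d+)\s+packets?\s+were\s+dropped\s+from\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+=>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\(target:class\)-\((?P<zp>[^:)]+):(?P<cls>[^)]+)\)"
)
# "%FW-6-DROP_PKT: Dropping tcp session A:P B:Q [on zone-pair ZP class CLASS] due to REASON with ip ident N"
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT:\s+Dropping\s+(?P<proto>\w+)\s+session\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+on\s+zone-pair\s+(?P<zp>\S+)\s+class\s+(?P<cls>\S+))?"
    r"\s+due\s+to\s+(?P<reason>.+?)\s+with\s+ip\s+ident"
)

# Log lines copied from the thread, plus one constructed non-firewall line.
SAMPLE_LINES = [
    '4049: [syslog@9 s_sn="4049"]: 004043: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.6:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)',
    "%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)",
    "%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)",
    "%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)",
    "%FW-6-DROP_PKT: Dropping tcp session 10.10.0.2:34445 216.137.55.60:443  due to  RST inside current window with ip ident 0",
    "%FW-6-DROP_PKT: Dropping tcp session 118.215.189.177:443 10.10.0.3:40047 on zone-pair ZP_out_nat class class-default due to  DROP action found in policy-map with ip ident 0",
    "%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182  due to  Stray Segment with ip ident 0",
    "%FW-6-LOG_SUMMARY: 1 packet were dropped from 113.160.85.70:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)",
    "%SYS-5-CONFIG_I: Configured from console by console",  # constructed: must be ignored
]


def parse_line(line):
    """Return a record for a ZBFW drop message, or None for any other line.

    search() skips leading syslog prefixes such as '4049: [syslog@9 s_sn="4049"]: 004043:'.
    LOG_SUMMARY carries a packet count; DROP_PKT describes a single packet and a reason.
    """
    m = SUMMARY_RE.search(line)
    if m:
        return {"count": int(m["count"]), "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "policy": f"{m['zp']}:{m['cls']}", "reason": None}
    m = DROP_RE.search(line)
    if m:
        policy = f"{m['zp']}:{m['cls']}" if m["zp"] else None
        return {"count": 1, "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "policy": policy, "reason": m["reason"]}
    return None


def side(addr):
    """Classify an address as 'inside' (in INTERNAL_NETS) or 'outside'."""
    ip = ip_address(addr)
    return "inside" if any(ip in net for net in INTERNAL_NETS) else "outside"


def triage(lines):
    """Aggregate drop records. Inside->outside drops are the ones that break
    user applications; source-port-0 entries isolate the problem-2 pattern."""
    by_direction, by_policy, reasons, port_zero = Counter(), Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += rec["count"]
        by_direction[f"{side(rec['src'])}->{side(rec['dst'])}"] += rec["count"]
        if rec["policy"]:
            by_policy[rec["policy"]] += rec["count"]
        if rec["reason"]:
            reasons[rec["reason"]] += 1
        if rec["sport"] == 0:
            port_zero[(rec["src"], rec["dport"])] += rec["count"]
    return {"total_packets": total, "by_direction": by_direction,
            "by_policy": by_policy, "reasons": reasons, "port_zero": port_zero}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against a full `show logging` export instead of SAMPLE_LINES to reproduce Henrik's percentage; the inside->outside bucket and the reasons counter are the places to look for the upload problem, since the outside->inside drops are the firewall doing its job.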

Hey Henrik,

Yeah, I have a problem uploading from within the fatrat bit torrent client... I can download but can't upload.

As I said, the connections to port 3 are coinciding with opening fatrat.

As far as the configuration is concerned it looks fine to you?
