06-08-2012 01:03 AM - edited 03-11-2019 04:17 PM
Hi,
I am having a few issues since changing from a cbac firewall to a zone based firewall running on a Cisco 877w IOS:
c870-advipservicesk9-mz.124-24.T6.bin
1. Enabling HTTP layer 7 inspection stops certain websites and downloads from working. As a workaround I have just enabled layer 3/4 inspection.
In my config, if I enable the following then it breaks certain websites and downloads:
class-map type inspect match-all cm_http
match protocol http
match access-group name zInternal_Subnets
2. I am seeing strange traffic being dropped from port 0 to port 3. This happens quite frequently, and it generally coincides with opening FatRat, which is a download manager and BitTorrent client. The only info I can find on this port is:
Port(s) | Protocol | Service | Details | Source
---|---|---|---|---
3 | tcp,udp | compressnet | SynDrop trojan uses this port. Delta Force also uses port 3 (TCP). IANA assigned for: Compression Process Port; also used by: Midnight Commander | SG
3 | tcp,udp | | Compression Process (official) | Wikipedia
3 | tcp,udp | compressnet | Compression Process | IANA
3 | tcp,udp | compressnet | Midnight Commander. Sometimes this program is assigned to this port. | 
Could it be a trojan, or related to the compression process? What I would like to know is whether or not I should be allowing this through the firewall, i.e. if it's used for compressing data between clients then that could be quite useful!?
e.g.:
4049: [syslog@9 s_sn="4049"]: 004043: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.6:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4050: [syslog@9 s_sn="4050"]: 004044: %FW-6-LOG_SUMMARY: 1 packet were dropped from 118.4.250.164:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4051: [syslog@9 s_sn="4051"]: 004045: %FW-6-LOG_SUMMARY: 1 packet were dropped from 190.229.222.76:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4052: [syslog@9 s_sn="4052"]: 004046: %FW-6-LOG_SUMMARY: 1 packet were dropped from 180.180.81.94:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4053: [syslog@9 s_sn="4053"]: 004047: %FW-6-LOG_SUMMARY: 1 packet were dropped from 122.125.91.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4054: [syslog@9 s_sn="4054"]: 004048: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.35:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4055: [syslog@9 s_sn="4055"]: 004049: %FW-6-LOG_SUMMARY: 1 packet were dropped from 91.205.69.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
3. Lastly I am also getting a lot of dropped packets:
%FW-6-DROP_PKT: Dropping tcp session 10.10.0.2:34445 216.137.55.60:443 due to RST inside current window with ip ident 0
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46151 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:60092 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 178.111.60.151:55755 => 10.10.0.10:40760 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46620 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 113.160.85.70:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)
%FW-6-DROP_PKT: Dropping tcp session 118.215.189.177:443 10.10.0.3:40047 on zone-pair ZP_out_nat class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182 due to Stray Segment with ip ident 0
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:51745 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:33809 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:44424 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:37326 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:57595 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:65477 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:45402 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:40047 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
I have attached my config also - if someone could help me out with any or all of the above it would be much appreciated.
Regards,
Peter
06-08-2012 06:29 PM
I have downgraded to c870-advipservicesk9-mz.124-20.T3.bin as per the suggestion from this thread https://supportforums.cisco.com/thread/2089462 and this has resolved problem 1; with HTTP inspection enabled all traffic is working as expected.
I will try upgrading one release at a time, see which IOS version starts causing this problem, and report back.
I still have problems with 2 & 3 however, so any answers/suggestions regarding those would be appreciated.
06-09-2012 12:56 PM
Hi
For problems 2 & 3: Are you having problems with some applications not working properly? Because from what I can see, 95% of the dropped packets are from outside to the inside... which is good, the firewall is doing its work.
But for this for example:
"%FW-6-LOG_SUMMARY: 1 packet were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)"
The packet is being dropped from inside to outside by a policy-map that is inspecting... I don't have an answer for that.
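Henrik's reply is based on eyeballing the direction of each dropped flow. The following is an added example, not code from the thread or from Cisco: a small Python script that parses lines in the shape of the %FW-6-LOG_SUMMARY entries quoted above, classifies each drop as inbound (Internet to RFC 1918 host), outbound, or other (router self-zone traffic, where the source is the WAN address), and totals packets per zone-pair/class. The sample log is constructed from the entries in the original post. It also flags entries whose source "port" is 0: a LOG_SUMMARY line does not record the IP protocol, so the script cannot tell whether those are really TCP/UDP port 3 or something else, and treats them only as worth checking on the router rather than as port 3 traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the %FW-6-LOG_SUMMARY / %FW-6-DROP_PKT
# lines quoted in the post (values copied from the post, not real captures).
SAMPLE_LOG = """\
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 178.111.60.151:55755 => 10.10.0.10:40760 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 113.160.85.70:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182 due to Stray Segment with ip ident 0
"""

# Matches only the LOG_SUMMARY form; DROP_PKT lines have a different shape and are skipped.
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)


def classify_direction(src, dst):
    """inbound = public -> RFC 1918, outbound = RFC 1918 -> public, other = anything else
    (e.g. the router's own WAN address talking to the Internet, the self zone)."""
    src_private = ipaddress.ip_address(src).is_private
    dst_private = ipaddress.ip_address(dst).is_private
    if dst_private and not src_private:
        return "inbound"
    if src_private and not dst_private:
        return "outbound"
    return "other"


def parse_summary_lines(text):
    """Return one record per LOG_SUMMARY line found in the text."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.search(line)
        if not m:
            continue  # not a LOG_SUMMARY entry
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["direction"] = classify_direction(rec["src"], rec["dst"])
        records.append(rec)
    return records


def summarize(records):
    """Total dropped packets by direction and by zone-pair/class, and list
    sources that appear with a 0 source 'port' (protocol unknown from this line)."""
    by_direction = Counter()
    by_policy = Counter()
    port_zero_sources = []
    for r in records:
        by_direction[r["direction"]] += r["count"]
        by_policy[f"{r['zone_pair']}:{r['cls']}"] += r["count"]
        if r["sport"] == 0 and r["src"] not in port_zero_sources:
            port_zero_sources.append(r["src"])
    total = sum(by_direction.values())
    inbound_share = round(100.0 * by_direction["inbound"] / total, 1) if total else 0.0
    return {
        "total": total,
        "by_direction": dict(by_direction),
        "by_policy": dict(by_policy),
        "inbound_share": inbound_share,
        "port_zero_sources": port_zero_sources,
    }


if __name__ == "__main__":
    summary = summarize(parse_summary_lines(SAMPLE_LOG))
    print(f"{summary['total']} packets dropped, {summary['inbound_share']}% inbound")
    for key, n in sorted(summary["by_policy"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {key}")
    for src in summary["port_zero_sources"]:
        print(f"  source port 0 from {src}: protocol not recorded in LOG_SUMMARY, check on the router")
```

Run it against `show logging` output saved to a file instead of SAMPLE_LOG to get the same breakdown for a real day of logs; drops that land in an outbound zone-pair with an inspect class (like the ZP_OUTBOUND:cm_generic_traffic entry) are the ones worth investigating first, since those are flows the policy was meant to allow.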
06-10-2012 04:04 AM
Hey Henrik,
Yeah, I have a problem uploading from within the FatRat BitTorrent client... I can download but can't upload.
As I said, the connections to port 3 are coinciding with opening FatRat.
As far as the configuration is concerned it looks fine to you?