cisco IOS firewall blocks traffic

Dear All,

This minor problem has been bothering me for quite a while now; I couldn't find the answer anywhere.

I have a Cisco 857 with the default "Medium Firewall" configuration from Configuration Professional:

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 deny   ip 87.194.22.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit udp host 87.194.255.155 eq domain host <IP ADDRESS>
access-list 103 permit udp host 87.194.255.154 eq domain host <IP ADDRESS>
access-list 103 remark Auto generated by SDM for NTP (123) 132.163.4.103
access-list 103 permit udp host 132.163.4.103 eq ntp host <IP ADDRESS> eq ntp
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 permit icmp any host <IP ADDRESS> echo-reply
access-list 103 permit icmp any host <IP ADDRESS> time-exceeded
access-list 103 permit icmp any host <IP ADDRESS> unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log

ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM vdolive
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM tcp

Access list 103 is applied on the WAN interface; access list 100 is applied on the LAN interface.

Now, every time I try to use PINGTEST.NET, that's where I get into trouble.

I can browse to the website OK, but as soon as I run the test (which is performed on port 8080) it displays a message that the connection is blocked by a firewall, and the router displays the following:

009324: Oct 28 21:47:46.747 UTC: %FW-6-DROP_PKT: Dropping tcp session <IP ADDRESS>:19354 213.233.154.130:8080  due to  Stray Segment with ip ident 30906 tcpflags 0x5004 seq.no 3187416164 ack 3187416164

The only way I can get rid of this message is to issue

no ip inspect name CCP_MEDIUM tcp...

but then the connection starts to be blocked by access list 103,

i.e.

009335: Oct 28 21:50:01.069 UTC: %SEC-6-IPACCESSLOGP: list 103 denied tcp 74.209.160.10(80) -> <IP ADDRESS>(19358), 1 packet

So it looks to me that even though the traffic is initiated from inside the network, the router doesn't see it that way and blocks the traffic from the servers I'm trying to run the tests on.

I read on some forums that issuing the ip tcp adjust-mss command on the WAN interface can fix the Stray Packet problem, but it didn't work for me.

Then I tried to add an entry to access list 103:

#131 permit tcp any eq 8080 any

but this just blocks the whole browsing traffic...

I know it's not that big a deal, but I think it's something really simple I need to change in the config to fix it.

Any ideas?

Thank you for your advice in advance!
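The two router messages quoted above come from different places (the first from the inspect engine, the second from the ACL), and telling them apart is easier when the lines are parsed rather than read by eye. The following Python is an added example, not code from the post or from Cisco. It assumes the value IOS prints after tcpflags is the raw 16-bit TCP offset/flags word, and it works on constructed copies of the two logged lines in which the poster's public address has been replaced with the documentation placeholder 198.51.100.10.

```python
import ipaddress
import re

# Constructed sample lines modelled on the two router messages quoted in the post;
# the poster's public address is replaced with the documentation placeholder 198.51.100.10.
SAMPLE_LOG = """\
009324: Oct 28 21:47:46.747 UTC: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.10:19354 213.233.154.130:8080  due to  Stray Segment with ip ident 30906 tcpflags 0x5004 seq.no 3187416164 ack 3187416164
009335: Oct 28 21:50:01.069 UTC: %SEC-6-IPACCESSLOGP: list 103 denied tcp 74.209.160.10(80) -> 198.51.100.10(19358), 1 packet
"""

# TCP flag bits in the low byte of the offset/flags word (RFC 793 plus the ECN bits).
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]

FW_DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)\s+due to\s+"
    r"(?P<reason>.+?) with ip ident (?P<ident>\d+) tcpflags (?P<flags>0x[0-9a-fA-F]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)")

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")


def decode_tcpflags(word: int) -> dict:
    """Decode the value IOS prints after 'tcpflags'. Assumption: it is the raw
    16-bit TCP offset/flags word, so the top nibble is the data offset in 32-bit
    words and the low byte carries the flag bits."""
    return {"header_len": (word >> 12) * 4,
            "flags": [name for name, bit in TCP_FLAG_BITS if word & bit]}


def parse_line(line: str):
    """Return a dict for one inspect-drop or ACL-log message, or None for anything else."""
    m = FW_DROP_RE.search(line)
    if m:
        return {"kind": "inspect_drop", "proto": m["proto"], "reason": m["reason"].strip(),
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "tcp": decode_tcpflags(int(m["flags"], 16)),
                "seq_equals_ack": int(m["seq"]) == int(m["ack"])}
    m = ACL_LOG_RE.search(line)
    if m:
        return {"kind": "acl_" + m["action"], "acl": m["acl"], "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "count": int(m["count"])}
    return None


def parse_log(text: str) -> list:
    """Parse every recognised line of a syslog capture; other lines are skipped."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def reply_shaped(events: list, inside: str = "198.51.100.0/24") -> list:
    """Events whose packet runs from a well-known port outside to a high port on
    our side. That is the shape of return traffic for a session opened from
    inside, which stateful inspection should admit without any ACL entry, so
    such events point at inspection rather than the ACL as the thing to examine."""
    net = ipaddress.ip_network(inside)
    return [ev for ev in events
            if ipaddress.ip_address(ev["dst"]) in net and ev["sport"] < 1024 <= ev["dport"]]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print("reply-shaped denials:", len(reply_shaped(events)))
```

Run against the two sample lines, the inspect drop decodes to a 20-byte header with only RST set, and the ACL denial is flagged as reply-shaped (source port 80 to a high port on the inside address), which is the pattern to look for when a session opened from the LAN is being refused on the way back in.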

1 REPLY

cisco IOS firewall blocks traffic

I would recheck the order of the ACE that you added to ensure it doesn't reside at the end of the list (below your explicit denies, that is).
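To make the ordering point concrete, here is an added Python example (not code from either poster or from Cisco) that evaluates ACL 103 from the post with the same first-match rule IOS applies and reports entries that sit below a catch-all line. Its assumptions: the non-remark entries are numbered 10, 20, ... in the order shown (which sequence number the poster's entry 131 actually received on the router is not known from the thread), the public address is the documentation placeholder 198.51.100.10, and only the extended-ACL syntax that appears in this thread is parsed.

```python
import ipaddress
from collections import namedtuple

# Constructed copy of the post's ACL 103; public address replaced by the documentation placeholder 198.51.100.10.
ACL_103 = """\
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 permit udp host 87.194.255.155 eq domain host 198.51.100.10
access-list 103 permit udp host 87.194.255.154 eq domain host 198.51.100.10
access-list 103 permit udp host 132.163.4.103 eq ntp host 198.51.100.10 eq ntp
access-list 103 deny   ip 192.168.10.0 0.0.0.255 any
access-list 103 permit icmp any host 198.51.100.10 echo-reply
access-list 103 permit icmp any host 198.51.100.10 time-exceeded
access-list 103 permit icmp any host 198.51.100.10 unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
"""

PORT_NAMES = {"domain": 53, "ntp": 123, "www": 80}   # the port keywords this thread uses
ANY = (0, 0xFFFFFFFF)                                 # (address, wildcard) pair matching everything
Ace = namedtuple("Ace", "seq action proto src sport dst dport icmp_type text")


def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return ((addr, wild), next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _port(tok, i):
    """Parse an optional 'eq PORT' qualifier at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_ace(seq, body):
    """Parse the part of an extended ACE that follows 'access-list N'."""
    tok = body.split()
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    icmp_type = tok[i] if proto == "icmp" and i < len(tok) and tok[i] != "log" else None
    return Ace(seq, action, proto, src, sport, dst, dport, icmp_type, body)


def parse_acl(config, number):
    """Collect the non-remark entries of one numbered extended ACL, numbering them
    10, 20, ... in order of appearance (an assumption about how IOS numbered them)."""
    aces = []
    for line in config.splitlines():
        tok = line.split(None, 2)
        if len(tok) == 3 and tok[:2] == ["access-list", str(number)] and not tok[2].startswith("remark"):
            aces.append(parse_ace(10 * (len(aces) + 1), tok[2]))
    return aces


def insert_ace(aces, seq, body):
    """Return a new list with 'body' inserted at sequence 'seq'; seq=None appends
    after the last entry, which is where IOS puts an entry given without a number."""
    if seq is None:
        seq = aces[-1].seq + 10
    return sorted(aces + [parse_ace(seq, body)], key=lambda a: a.seq)


def _match(addr, rule):
    return ((addr ^ rule[0]) & ~rule[1] & 0xFFFFFFFF) == 0   # wildcard bits set = don't care


def evaluate(aces, proto, src, sport, dst, dport, icmp_type=None):
    """First-match evaluation, as IOS does it; None stands for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for a in aces:
        if a.proto not in ("ip", proto) or not (_match(s, a.src) and _match(d, a.dst)):
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        if a.icmp_type is not None and a.icmp_type != icmp_type:
            continue
        return a
    return None


def unreachable_entries(aces):
    """Entries below a catch-all 'ip any any' line; nothing ever reaches them."""
    for i, a in enumerate(aces):
        if a.proto == "ip" and a.src == ANY and a.dst == ANY and a.sport is None and a.dport is None:
            return aces[i + 1:]
    return []


if __name__ == "__main__":
    acl = parse_acl(ACL_103, 103)
    for seq in (None, 131):
        trial = insert_ace(acl, seq, "permit tcp any eq 8080 any")
        hit = evaluate(trial, "tcp", "213.233.154.130", 8080, "198.51.100.10", 19354)
        print(f"seq={seq}: {len(unreachable_entries(trial))} dead entries; reply on 8080 hits '{hit.text}'")
```

With the entry appended and no sequence number, it lands after `deny ip any any log` and is reported as dead: the port-8080 reply still hits the final deny. Inserted at 131 under the assumed numbering, it sits above that deny and the same packet is permitted, while the port-80 packet from the logged line still falls through to the deny, so the check is useful for confirming that a new permit is both reachable and no wider than intended.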
