Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Router Firewall Question

I have a 2801 connected to the Internet running the Firewall Feature Set. Version is 12.3(8r)T8. I keep getting log messages that the router has denied access from some random webservers from Port 80. We are running NAT Overload and when I show the NAT translations, that Port is not in the translate table for that traffic. In other words, it almost looks like the router is denying return web traffic, but that port is not seen by the router as "established" traffic. Anyone have any ideas? Thanks.

5 REPLIES
Community Member

Re: Router Firewall Question

Do you have this command on your outside interface:

ip inspect FW-INSPECT out

Community Member

Re: Router Firewall Question

Yes, there is an inspect for TCP, so it should allow returning web traffic. Also, access to outside web servers seems to work, although I am curious to find out if some web access is failing.

Bronze

Re: Router Firewall Question

Do you have any ip port-map commands? do you have any port redirection commnds? Can you post your configuration?

Community Member

Re: Router Firewall Question

There is lots of port redirection on this router, but not on the NAT Overload IP address. Unfortunately, I can't post the whole config as there are some serious security issues that need to be addressed. Let me know if there are some specific parts that would be helpful to share.

Community Member

Re: Router Firewall Question

Here is an example of the log messages we get 2 or 3 times a minute. The from address is a valid web site. I changed the NAT Overload address to protect the innocent:

995990: Apr 26 20:56:20.315: %SEC-6-IPACCESSLOGP: list 105 denied tcp 170.107.179.50(80) -> 192.168.1.136(1900), 1 packet

259
Views
0
Helpful
5
Replies
CreatePlease to create content