Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

stateful firewall problems (IOS)

What is the correct way to implement stateful firewall inspection using CBAC? I recently used the following configuration to permit outbound web and other traffic to work through my IOS firewall.

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

!

int fa0/1

description OUTSIDE

ip inspect SDM_LOW out

ip access-group 103 in

...

When I used this, browsing worked sometimes. For instance if I pulled up http://www.yahoo.com it would give me a page failure 3 times and then work. When I went to http://www.cdw.com I would get broken images but the page would load. When I would go to http://www.google.com everything would work fine.

To fix this, I added a permit established acl entry to acl 103 and removed the outbound inspection. If I only added the established acl, the problem persisted.

The inbound rules in acl 103 work fine.

Obviously I am missing something with the whole CBAC stateful inspection. Any ideas?

8 REPLIES

Re: stateful firewall problems (IOS)

Hi .. I suggest you to apply the inspection rule to the Interface which protects your internal devices.

i.e f0/0 Internal interface linked to your LAN

f0/1 external interface linked to your ISP

1.- configure access-list allowing also the required traffic that you want to inspect and apply it to the inside interface on the inbound direction.

Int fa0/0

description INSIDE

ip access-group 100 in

2.- configure access-list to deny any traffic that you don't want to be initiated from the Internet towards your internal network and apply it on the Inbound direction to the outside interface.

int fa0/1

description OUTSIDE

ip access-group 103 in

3.- create inspect rule and apply it to the INSIDE interface on the inbound direction.

ip inspect name SDM_LOW tcp timeout 3600

ip inspect name SDM_LOW udp timeout 15

Int fa0/0

ip inspect SDM_LOW in

NOTE; you need to make sure that your ACLs which apply to the traffic LEAVING your internal network are not blocking the traffic that is to be inspected ..otherwise CBAC inspection will not work as expected.

I hope it helps .. please rate it if it does !!!

New Member

Re: stateful firewall problems (IOS)

I tried that as well. Realize the only difference between suggestions and original config are the placement of the inspect statements. I'm pretty sure they are equivelant. Anyhow, no dice.

Here is exactly what I have.

ip inspect name SDM_LOW tcp timeout 3600

ip inspect name SDM_LOW udp timeout 300

!

int fa0/1

description OUTSIDE

ip access-group 103 in

!

int vlan 1

description INSIDE

ip access-group 100 in

ip inspect SDM_LOW in

!

ip access-list extended 103

10 deny SPOOFED STUFF

20 deny BAD PROTOCOLS

...(permit inbound services like http & ssh to specific hosts)

1200 deny ip any any log

!

ip access-list extended 100

10 deny SPOOFED STUFF

...(more spoofed stuff)

50 permit ip any any

Now if I remove the ip inspect statements and add "20 permit tcp any any established" to the ACL 103 outbound works fine.

Otherwise Internet browsing works sometimes. It almost seems like CBAC is doing some sort of content filtering but that doesn't make sense. For instance it pulls up http://www.cdw.com but many images are broken. Works fine with some pages and awfully with others.

New Member

Re: stateful firewall problems (IOS)

I have tried your solution and unfortunately I have not seen that it helps the situation any. I am personally leaning to a Cisco IOS issue. What are the commonalities between each of our issues? The following are my specs:

- Cisco 2821 Router

- c2800nm-advsecurityk9-mz.124-9.T1.bin

New Member

Re: stateful firewall problems (IOS)

I am having the EXACT same issue. I believe that it may be an IOS issue. I am running c2800nm-advsecurityk9-mz.124-9.T1.bin. It seems to be directly related to the Application Firewall. I would paste my config, but its nearly identical to your two. If anyone has any ideas on how to fix this permanatly without turning off the APPFW, I would greatly appreciate input.

New Member

Re: stateful firewall problems (IOS)

When I first began having this issue I was running c2800nm-adventerprisek9-mz.124-10. I have since then switched to c2800nm-advsecurityk9-mz.124-3g. Changing to the only GD code for 12.4 Security didn't help.

Bronze

Re: stateful firewall problems (IOS)

Hello,

What's the output of a show ip inspect all?

The only thing I can think of if it's 'intermittent' is that you are hitting some of the connection limitations (max incomplete or one minute high/low). this would explain why you would get part of the cdw page - but some images (which are coming from other sites) might be incomplete, as those would be new http connections to those sites.

--Jason

New Member

Re: stateful firewall problems (IOS)

Currently my show ip inspect all is as followed.

RTR1#show ip inspect all

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400:500] connections

max-incomplete sessions thresholds are [400:500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec

tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec

Inspection Rule Configuration

Inspection name SDM_LOW

http java-list 99 url-filter is on alert is on audit-trail is off timeout 36

00

(Output Omitted)

Interface Configuration

Interface MFR0.646

Inbound inspection rule is not set

Outgoing inspection rule is SDM_LOW

http java-list 99 url-filter is on alert is on audit-trail is off timeout 36

00

(Output Omitted)

Inbound access list is 103

Outgoing access list is not set

Established Sessions

(Output Omitted)

Bronze

Re: stateful firewall problems (IOS)

All right.

Well, I've had some problems in various locations with this, it *may* or may not be the same issue.

A couple of recommendations:

enable the audit trail so you can see what inspects 'issue' is.

ip inspect audit-trail

also, I would increase all the session thresholds (note - if you're worried about hosts doing DOS attacks, then play with these numbers):

ip inspect max-incomplete high 5000

ip inspect max-incomplete low 4800

ip inspect one-minute high 5000

ip inspect one-minute low 4800

ip inspect udp idle-time 60

ip inspect tcp idle-time 43200

ip inspect tcp synwait-time 60

ip inspect tcp max-incomplete host 200 block-time 0

I would then try the connections again and see how it goes - turn the log buffer up to debug and see what inspect is complaining about.

Hope this helps!

--Jason

Please rate this message if it solves some or all of your question/issue.

534
Views
2
Helpful
8
Replies
CreatePlease login to create content