2766 Views, 0 Helpful, 17 Replies

Firewall installed after Internet border Cisco with stateful firewall enabled is blocking some packets. Why?

Alen Danielyan
Level 1

Hi,

I have an old issue I cannot explain.

I have the following Internet connection topology:

LAN - core Cisco 1811 - Wingate Proxy/Firewall - Internet border Cisco 871 - ISP.

On the core Cisco 1811 I have the stateful firewall enabled and a filter blocking everything on its interface facing Wingate:

ip inspect name internet tcp
ip inspect name internet udp
ip inspect name internet icmp

+

interface Vlan8
 description To_Internet
 ip address 192.168.200.10 255.255.255.224
 ip access-group vlan8_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect internet out
 ip virtual-reassembly

+

ip access-list extended vlan8_in
 deny ip any any

On Wingate I have the HTTP proxy enabled plus the NAT service enabled (clients mainly use the proxy connection method; only 3-4 use NAT).

On the border Cisco 871 I have NAT, the stateful firewall enabled and a filter blocking everything on its interface facing the Internet (I attach the whole config just in case; it is not very large. Additional info: we use 2 ISPs, and switching is done by means of IP SLA pinging 2 Internet root DNS servers):

Now, with the initially set-up border router (after applying "no ip unreachables"), the Firewall section of Wingate, where blocked packets are shown, was totally clean!

After some changes, I noticed hundreds of packets being blocked by Wingate, and almost all are from well-known web server ports 80 and 443. Obviously, these packets are responses to our clients' requests that are for some reason blocked by Wingate (IMHO, Wingate just can't see that they are responses to the requests that were made).

Please help me to find out the reason. This is important, because we have to carry out some procedures every day to be sure security is OK, plus we get quite large log files from Wingate, etc.

After much thought, I can suppose the following reasons:

1. Double NAT (for some clients NAT is done on Wingate and then again on the border Cisco).

2. NAT timeouts on the border Cisco (I changed some settings):

ip nat translation timeout 14400
ip nat translation tcp-timeout 14400
ip nat translation icmp-timeout 1800

3. CEF enabled on the border Cisco (I read somewhere that some conflicts happen with the stateful firewall).

4. "no ip unreachables" together with an MTU issue.

5. Anything else.

All these possible reasons are just my guesses; I am not sure. And I don't want to blindly change everything.

Please help to find the reason.

Connection topology schema added.

17 Replies

duffman55 wrote:

You can't set it to "immediately", but you can set it to "0". It wants a value in seconds.

ip nat translation finrst-timeout 0

I would think that if the NAT translations get timed out, then the router will drop extraneous packets simply because it wouldn't know where the packets are supposed to go.

If that doesn't solve the problem, I'm out of ideas!

"ip nat translation finrst-timeout 0" effectively equals "never"!

Ah, darn. Yeah, I don't really know where to go from here, then - sorry!

Dear duffman55,

As we have determined that the problem is not in the Cisco router (which still does not mean it is impossible to solve the problem on the Cisco side), I mark your answer about the possible variants as correct.

Meanwhile, I got advice to increase the TCP timeout inside Wingate (there is such a setting in the advanced settings; I had never looked there). Increasing it to 10 minutes did not change anything. I'll keep trying and report if anything changes.

Thank you for your help.
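As an added illustration of duffman55's point about timed-out translations (a router that has forgotten the translation cannot know where a reply belongs) and of hypothesis 1 in the original post (NAT on Wingate and then again on the border router), here is a toy Python model of a dynamic NAT table with idle timeouts. It is not Cisco IOS or WinGate code; the addresses, ports and timeout values are constructed, and it models only translation expiry, not CBAC inspection, CEF or MTU effects.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()


class NatTable:
    """Toy dynamic PAT table with idle timeouts (a model for this discussion,
    not Cisco IOS or WinGate code). tcp_timeout plays the role of
    'ip nat translation tcp-timeout', finrst_timeout of 'finrst-timeout'."""

    def __init__(self, outside_ip, tcp_timeout=14400, finrst_timeout=60):
        self.outside_ip = outside_ip
        self.tcp_timeout = tcp_timeout
        self.finrst_timeout = finrst_timeout
        self.entries = {}   # global port -> {"flow": (in_ip, in_port, dst_ip, dst_port), "expires": t}
        self.by_flow = {}   # flow tuple -> global port
        self.next_port = 1024
        self.dropped = []   # (time, src_ip, src_port) of inbound packets with no translation

    def _purge(self, now):
        # Expired translations are forgotten: nothing remembers the inside host any more.
        for gport, entry in list(self.entries.items()):
            if entry["expires"] <= now:
                del self.entries[gport]
                del self.by_flow[entry["flow"]]

    def outbound(self, pkt, now):
        self._purge(now)
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gport = self.by_flow.get(flow)
        if gport is None:
            gport = self.next_port
            self.next_port += 1
            self.by_flow[flow] = gport
            self.entries[gport] = {"flow": flow, "expires": now}
        # A FIN or RST from the inside shortens the remaining lifetime of the entry.
        timeout = self.finrst_timeout if pkt.flags & {"FIN", "RST"} else self.tcp_timeout
        self.entries[gport]["expires"] = now + timeout
        return Packet(self.outside_ip, gport, pkt.dst_ip, pkt.dst_port, pkt.flags)

    def inbound(self, pkt, now):
        self._purge(now)
        entry = self.entries.get(pkt.dst_port)
        if entry is None or entry["flow"][2:] != (pkt.src_ip, pkt.src_port):
            # No live translation: the device cannot know the inside destination,
            # so the reply is dropped (this is what shows up as a blocked packet
            # from port 80/443 in a firewall log).
            self.dropped.append((now, pkt.src_ip, pkt.src_port))
            return None
        in_ip, in_port = entry["flow"][:2]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.flags)


def run_scenario(tcp_timeout, finrst_timeout, reply_delay, close_first=False):
    """Single NAT hop. Client 10.0.0.5 sends to 203.0.113.10:443 through a NAT
    at 198.51.100.1 (constructed addresses); the server's reply arrives
    reply_delay seconds later. Returns (verdict, drop log)."""
    nat = NatTable("198.51.100.1", tcp_timeout, finrst_timeout)
    req = Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}))
    out = nat.outbound(req, now=0)
    if close_first:   # inside host closes at t=1, so only finrst_timeout remains
        nat.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"FIN"})), now=1)
    reply = Packet("203.0.113.10", 443, out.src_ip, out.src_port, frozenset({"ACK"}))
    verdict = "delivered" if nat.inbound(reply, now=reply_delay) is not None else "dropped"
    return verdict, list(nat.dropped)


def run_double_nat(inner_timeout, outer_timeout, reply_delay):
    """Hypothesis 1: NAT on the proxy box, then NAT again on the border router.
    Returns which hop, if any, drops the server's reply."""
    inner = NatTable("192.168.200.20", inner_timeout, 60)   # proxy/firewall side (constructed)
    outer = NatTable("198.51.100.1", outer_timeout, 60)     # border router (constructed)
    req = Packet("10.0.0.5", 40000, "203.0.113.10", 443, frozenset({"SYN"}))
    p2 = outer.outbound(inner.outbound(req, 0), 0)
    reply = Packet("203.0.113.10", 443, p2.src_ip, p2.src_port, frozenset({"ACK"}))
    back = outer.inbound(reply, reply_delay)
    if back is None:
        return "dropped at border NAT"
    if inner.inbound(back, reply_delay) is None:
        return "dropped at inner NAT"
    return "delivered"


if __name__ == "__main__":
    print(run_scenario(14400, 60, 20000))            # reply after tcp-timeout: dropped
    print(run_scenario(14400, 60, 120, close_first=True))  # reply after finrst window: dropped
    print(run_double_nat(600, 14400, 900))           # inner box times out first: dropped at inner NAT
```

The double-NAT case is the one that matches the symptom in the thread: the border router still holds its translation and forwards the reply, but the inner hop has already expired its own entry, so that is where the packet from port 443 is dropped and logged. A useful check in a real deployment is to compare the idle timeouts configured on every NAT or stateful hop in the path and confirm that the inner hop's timeout is not shorter than the outer one's.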
