IP TCP INTERCEPT

kjanakiraman (Level 1)

I have a Cisco 3640 router running 12.x IOS. I wanted to make my router an application firewall to intercept all the connections for my web server, and I configured it like this:

ip tcp intercept list 103

access-list 103 permit tcp any host x.x.x.x1 (my web server IP address)

I did not configure any other intercept command and left everything to default.

Now when I try to browse the site x.x.x.x1 from outside, the page is not displayed. But in the show tcp intercept statistics I can see an established session from the outside IP address of the system from which I am trying to browse x.x.x.x1. Now when I set the TCP intercept mode to watch mode

ip tcp intercept mode watch

then my site is accessible from outside. I have a PIX firewall between my router and the web server.

Can someone advise me what mistake I am making and how to solve this problem?

Thanks in Advance

12 Replies

xge (Level 1)

Have you tried disabling CEF and fast switching on the router? The router has to process-switch the intercepted traffic.

Hi,

Thanks for your reply. I disabled CEF and tried, and enabled CEF and tried, and both times the web server is not accessible from outside. How can I disable fast switching on the router?

Thanks in Advance

Hi,

I gave no ip route-cache and no ip mroute-cache on all the interfaces, and in the global configuration I gave no ip cef, but I still could not browse my web site when I am in the interface mode. Is there anything I am missing?

Thanks in advance

Do you have ICMP allowed both ways? Are any of the sites using TCP options?

Thanks.

We have disabled ICMP on our Cisco PIX firewall from outside. What are TCP options?

Thanks in Advance

I would enable ICMP for a while and check if things start working. TCP options are options like MSS etc. that are negotiated at connection startup.

Thanks.

I tried enabling ICMP and checked with CEF both enabled and disabled, but got the same result. I could not connect to my web server. But when I type

sh tcp intercept statistics, I can see the result showing that the connection is established. When I type sh tcp intercept connections, I am able to see the connections in the established state with the source IP address from which I am trying to browse the web server. I have enabled ip verify reverse-path on the Cisco PIX for both inside and outside. Could that be causing any issues?

Thanks for your time.

I can only think of sniffing the packets and noticing where the link breaks. If you are seeing connections, it means the initial SYN and ACKs are OK. HTTP connections shouldn't be retained for a long time though. Once the page has been transferred, these connections should terminate.

Rais.

For testing purposes I kept the web server outside the firewall with a public address, but still got the same result. When I give ip tcp intercept mode watch/intercept I am getting the message

command accepted, interfaces with mls configured might cause inconsistent behavior

but there is no mls configured on any of the interfaces. Can you suggest a way to sniff the packets?

Thanks in Advance

So you are not getting anything in: show mls rp.

Can you anyway issue: no mls rp ip, in global configuration mode.

Thanks.

MLS is disabled; when I gave no mls rp ip I got the message that multilayer switching is already disabled. But when I type sh tcp intercept connections I still see some connections in the established state, even though they were tried 8 hours before and I have already reverted back to watch mode from intercept mode. The connections are not getting cleared automatically.

Thanks in Advance for your time.
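For reference, here is the full set of TCP intercept settings this thread touches, written out as an added configuration example (not the original poster's configuration). 192.0.2.10 is a documentation placeholder for the web server address; the values in square brackets are the IOS defaults that apply when, as in the thread, nothing beyond the list and the mode is configured.

```cisco
! Added example, not the original poster's running-config.
! 192.0.2.10 is a placeholder for the web server address.
!
! Only connections matching this ACL are handled by TCP intercept
! (the ACL selects by destination, i.e. the protected server).
access-list 103 permit tcp any host 192.0.2.10
ip tcp intercept list 103
!
! mode intercept: the router answers the client's SYN itself with a SYN-ACK,
!   waits for the client's ACK, and only then opens a second handshake to the
!   server and joins the two half-connections. The client-side handshake can
!   therefore complete even when the server-side one never does.
! mode watch: SYNs pass through untouched; the router only sends a RST for
!   half-open connections that have not completed within watch-timeout.
ip tcp intercept mode watch
!
! Timers, in seconds. A completed connection is kept in
! "show tcp intercept connections" until it has been idle for
! connection-timeout, which defaults to 24 hours; this is why entries from a
! test made hours earlier can still be listed as established.
! [30] seconds for a half-open connection to complete in watch mode
ip tcp intercept watch-timeout 30
! [5] seconds to keep state after a FIN/RST has been seen
ip tcp intercept finrst-timeout 5
! [86400] idle time before an established connection is dropped; lowered here
ip tcp intercept connection-timeout 3600
!
! Aggressive mode: above the high thresholds the router deletes the oldest
! (or a random) half-open connection for every new SYN, and stops doing so
! once the counts fall below the low thresholds.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
```

Because intercepted traffic is process-switched, changes made while a test is running only affect new connections; existing entries age out on the timers above or can be inspected with show tcp intercept connections.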