ingress-filter is applied inbound on my WAN interface (fa0/0). The machines in question vary, as do the ports involved (I have seen log entries for blocked WWW, SMTP, POP3, and DNS traffic).
The odd thing is that this only occurs occasionally, and even when it does, nobody complains to me that they're unable to reach websites, etc.
I can think of two reasons for this behaviour:
- CBAC is removing the temporary ACL entry for this session too early, thus blocking the remaining traffic. I've tried increasing the TCP idle time to counter for this, without effect.
- http://www.website.com:80 really is trying to initiate a new connection to my.host.machine:1234. As CBAC is configured to inspect outbound traffic only, there will be no dynamic ACL entry to permit this inbound traffic.
Maybe there are more reasons! I enclose my CBAC config below. Does anyone have any suggestions as to why this is happening?
ip inspect dns-timeout 30
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 20
ip inspect name firewall cuseeme alert on
ip inspect name firewall fragment maximum 256 timeout 1
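Added example, not part of the original post: a small Python correlator that separates the two hypotheses above by matching each inbound ACL deny against the CBAC session that should have covered it. It assumes `ip inspect audit-trail` is enabled so session stop records are logged, the two log formats approximate the IOS `%SEC-6-IPACCESSLOGP` and `%FW-6-SESS_AUDIT_TRAIL` messages, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Assumed formats, approximating IOS ACL deny and CBAC audit-trail messages.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
STOP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+): %FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: "
    r"initiator \((?P<ini>[\d.]+):(?P<iport>\d+)\).*responder \((?P<rsp>[\d.]+):(?P<rport>\d+)\)")

def _ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")  # IOS timestamps carry no year

def classify_denies(lines):
    """Return one verdict per inbound deny.

    A deny whose (inside host, port, remote host, port) tuple matches a session
    CBAC already closed is a straggler of that session (first hypothesis); a deny
    with no session at all is a fresh inbound connection attempt (second hypothesis).
    """
    stops, denies = {}, []
    for line in lines:
        m = STOP_RE.match(line)
        if m:
            stops[(m["ini"], m["iport"], m["rsp"], m["rport"])] = _ts(m["ts"])
            continue
        m = DENY_RE.match(line)
        if m:
            denies.append(m)
    results = []
    for m in denies:
        # Inbound deny: src is the remote responder, dst is the inside initiator.
        closed = stops.get((m["dst"], m["dport"], m["src"], m["sport"]))
        if closed is None:
            verdict = "no CBAC session: new inbound connection attempt"
        elif _ts(m["ts"]) >= closed:
            verdict = "straggler: arrived %ds after CBAC closed the session" % (_ts(m["ts"]) - closed).seconds
        else:
            verdict = "denied while CBAC session was still open"
        results.append({"src": f"{m['src']}:{m['sport']}", "dst": f"{m['dst']}:{m['dport']}", "verdict": verdict})
    return results

SAMPLE_LOG = [  # constructed sample lines
    "Mar  1 10:00:05: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.5:1234) sent 612 bytes -- responder (198.51.100.7:80) sent 4096 bytes",
    "Mar  1 10:00:07: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 198.51.100.7(80) -> 10.0.0.5(1234), 1 packet",
    "Mar  1 10:01:00: %SEC-6-IPACCESSLOGP: list ingress-filter denied tcp 203.0.113.9(25) -> 10.0.0.8(40000), 1 packet",
]

if __name__ == "__main__":
    for r in classify_denies(SAMPLE_LOG):
        print(r)
```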