CBAC Blocking Legitimate Traffic ??

alan.morris
Level 1

I have configured a 1600 equipped with IOS 11.2(18)P, and the firewall feature set using ConfigMaker. I used all its default settings for the traffic flows defined. I have added additional IOS commands (to the relevant access-list) to force logging to syslog on an NT system using Kiwi.

Everything mostly seems fine; from the outside only desired ports are visible, and from the inside users can use http, ftp, nntp just fine. However, I am getting packet filter errors being logged from what seems to be legitimate traffic. I have noticed that a similar problem has been posted on this subject without apparently being fully resolved (Gordon.Cooper, October 26th 2001).

Examples of entries in my log are:

SMTP:

Local7.Info 192.168.10.254 296: %SEC-6-IPACCESSLOGP: list 101 denied tcp "ispmailserver"(25) -> "my m/c"(5317)

HTTP:

Local7.Info 192.168.10.254 299: %SEC-6-IPACCESSLOGP: list 101 denied tcp "HP Web site"(80) -> "my m/c"(5270)

NNTP:

Local7.Info 192.168.10.254 373: %SEC-6-IPACCESSLOGP: list 101 denied tcp "UseNet server"(119) -> my m/c(5895)

Are these the result of the CBAC time windows? If so, should these be adjusted, and how?

Any others with similar experience?

Any help gratefully appreciated.

I am a bit of a Cisco newbie here.

1 Reply

bbaley
Level 3

I would worry about it only if you are getting user complaints. I suspect these are remnants of connections that were torn down, but if you carefully analyze the debugs you'd likely find that there were a few TCP SYN requests and one of the SYN ACKs built the stateful connection. In any case, it couldn't hurt to have Cisco's tech center run over your configuration to be sure.
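A small triage script, added here as an example and not part of either post, that does mechanically what the reply suggests doing by hand: it parses `%SEC-6-IPACCESSLOGP` lines of the shape quoted in the question and separates denies that look like the tail end of an outbound session (well-known service port on the outside host, ephemeral port on the inside host, exactly the SMTP/HTTP/NNTP pattern above) from denies that are genuine unsolicited inbound connection attempts. The sample log is constructed to mirror the three quoted entries, with the poster's redacted hostnames replaced by documentation addresses and one extra inbound-attempt line added for contrast; the verdict names and the service-port table are this example's own, not anything from IOS.

```python
import re
from collections import Counter

# Matches the IOS %SEC-6-IPACCESSLOGP message body seen in the thread:
#   list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>)
# Source/destination are matched loosely so that quoted placeholder names
# such as "ispmailserver" parse as well as dotted-quad addresses.
LOG_RE = re.compile(
    r'%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) '
    r'(?P<proto>tcp|udp) (?P<src>.+?)\((?P<sport>\d+)\) -> (?P<dst>.+?)\((?P<dport>\d+)\)'
)

# Well-known service ports a client on the inside would have connected to.
# Assumption of this example; extend to match the services your users reach.
SERVICE_PORTS = {21: "ftp", 25: "smtp", 80: "http", 119: "nntp", 443: "https"}

# Constructed sample log modelled on the thread's entries (hostnames replaced
# by RFC 5737 documentation addresses); the last line is a made-up inbound
# telnet attempt so both verdicts show up.
SAMPLE_LOG = """\
Local7.Info 192.168.10.254 296: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.25(25) -> 192.168.10.17(5317)
Local7.Info 192.168.10.254 299: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.80(80) -> 192.168.10.17(5270)
Local7.Info 192.168.10.254 373: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.119(119) -> 192.168.10.17(5895)
Local7.Info 192.168.10.254 401: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4444) -> 192.168.10.17(23)
"""


def parse_line(line):
    """Return a dict of the ACL log fields, or None if the line is not an IPACCESSLOGP entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """'likely-return-traffic' when the denied packet is service-port -> ephemeral-port,
    i.e. a late packet from a session the inside client opened; otherwise 'inbound-attempt'."""
    if entry["sport"] in SERVICE_PORTS and entry["dport"] > 1023:
        return "likely-return-traffic"
    return "inbound-attempt"


def triage(log_text):
    """Parse every IPACCESSLOGP line in log_text and attach a verdict to each."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # syslog noise, not an ACL log
        entry["verdict"] = classify(entry)
        results.append(entry)
    return results


def summarize(results):
    """Count (verdict, service-name-or-port) pairs so the return-traffic noise is easy to eyeball."""
    return Counter(
        (r["verdict"], SERVICE_PORTS.get(r["sport"], r["sport"])) for r in results
    )


if __name__ == "__main__":
    for verdict_and_service, count in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(f"{count:4d}  {verdict_and_service[0]:22s} {verdict_and_service[1]}")
```

Feed it a Kiwi export instead of `SAMPLE_LOG` and the summary shows at a glance how many denies fall into the "return traffic after the CBAC session was removed" bucket the reply describes versus how many are outside hosts initiating connections; only the second group deserves a closer look, and the first is what the reply says to ignore unless users complain.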
