Cisco Support Community

New Member

IOS Firewall Inbound access issues

My scenario is as such: Trusted <--> g0/0:IOS FIREWALL(HSRP&NAT):g0/1 <--> Extranet. I have inspect rules set up for the very basic inspection (udp/tcp). I have not changed any of the default settings for timeouts, etc. I have applied inbound ACLs to both interfaces. (See Extranet perimeter Configuration -- http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html)

When I apply an inbound inspection rule to the external interface, for some reason all traffic sourced from the extranet is not granted access to the trusted network, even though I have explicit permit statements in the ACLs allowing specific TCP port access to services hosted in the trusted net. When I remove the inbound inspection rule from the extranet interface and leave the ACL, the traffic is allowed in?

4 REPLIES
Silver

Re: IOS Firewall Inbound access issues

Probably the ACL permits whatever traffic you intended to allow, but it deviates from the rule programmed in the inspection rules.

New Member

Re: IOS Firewall Inbound access issues

Please go into further detail. Are you stating that the rule as compiled in the IOS is conflicting with the ACL, or vice versa? How is that possible if the inspection rule is "inspecting" the same port range as the ACL?

Hall of Fame Super Blue

Re: IOS Firewall Inbound access issues

Hi

Could you post a copy of the config you are using

Thanks

Jon

New Member

Re: IOS Firewall Inbound access issues

I attached the file:

Here is a log debug as well:

njdg01#sh log | include 2189
048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)
048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)
048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107
048954: Mar 20 13:02:17.108 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57170) -- responder (204.10.80.130:2189)
048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048985: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57170) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes

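As an added example (not code from the thread, nor from Cisco), the following Python correlates the %FW-6 audit-trail and drop messages of the kind posted above into per-session records keyed by the initiator/responder 4-tuple, so that sessions that were opened by the inspection engine but closed with no payload, and sessions that had a DROP_TCP_PKT against them, can be picked out of a larger log. The sample lines embedded in it are copied from the "sh log | include 2189" output in the post. The tcpflags decoding rests on one assumption, marked in the code and not stated anywhere on the page: that the logged value is the raw 16-bit data-offset/flags word of the TCP header.

```python
"""Correlate Cisco IOS Firewall (CBAC) %FW syslog lines into per-session records.

Added example, not code from the original thread or from Cisco. It pairs each
SESS_AUDIT_TRAIL_START with its SESS_AUDIT_TRAIL stop by 4-tuple and attaches
any DROP_TCP_PKT lines seen for the same 4-tuple, so a "0 bytes each way plus a
drop" pattern like the one in the post stands out from normal sessions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Log lines copied from the "sh log | include 2189" output posted in the thread.
SAMPLE_LOG = """\
048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)
048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)
048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107
048954: Mar 20 13:02:17.108 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57170) -- responder (204.10.80.130:2189)
048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048985: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57170) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
"""

START_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<name>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<name>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rbytes>\d+) bytes"
)
DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping (?P<kind>.+?) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) --(?:.*\btcpflags (?P<flags>0x[0-9a-fA-F]+))?"
)

Key = Tuple[str, int, str, int]  # (initiator ip, port, responder ip, port)


@dataclass
class Session:
    name: str = "?"          # inspection rule name as logged (user-FLEX above)
    started: bool = False
    stopped: bool = False
    initiator_bytes: int = 0
    responder_bytes: int = 0
    drops: List[Tuple[str, str]] = field(default_factory=list)  # (reason, tcpflags)


def _key(m: "re.Match[str]") -> Key:
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def parse_fw_log(text: str) -> Dict[Key, Session]:
    """Build one Session per initiator/responder 4-tuple from %FW-6 lines."""
    sessions: Dict[Key, Session] = {}
    for line in text.splitlines():
        if (m := START_RE.search(line)) is not None:
            s = sessions.setdefault(_key(m), Session())
            s.name, s.started = m["name"], True
        elif (m := STOP_RE.search(line)) is not None:
            s = sessions.setdefault(_key(m), Session())
            s.name, s.stopped = m["name"], True
            s.initiator_bytes = int(m["ibytes"])
            s.responder_bytes = int(m["rbytes"])
        elif (m := DROP_RE.search(line)) is not None:
            # A drop can refer to a 4-tuple CBAC never opened a session for, so
            # create the record on demand rather than discarding the event.
            s = sessions.setdefault(_key(m), Session())
            s.drops.append((m["reason"], m["flags"] or ""))
    return sessions


TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def decode_tcpflags(word: str) -> List[str]:
    """Names of the flag bits set in a logged 'tcpflags' value.

    Assumption (not stated on the page): the value is the raw 16-bit
    data-offset/flags word of the TCP header, so the flags live in its low
    byte and 0x5010 means a 20-byte header (offset 5) with only ACK set.
    """
    value = int(word, 16)
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def summarize(text: str) -> dict:
    """Session count plus the two anomaly lists an analyst would look at first."""
    sessions = parse_fw_log(text)
    zero_byte = sorted(k for k, s in sessions.items()
                       if s.stopped and s.initiator_bytes == 0 and s.responder_bytes == 0)
    dropped = {k: [(reason, decode_tcpflags(flags) if flags else [])
                   for reason, flags in s.drops]
               for k, s in sessions.items() if s.drops}
    return {"sessions": len(sessions), "zero_byte": zero_byte, "dropped": dropped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['sessions']} sessions, {len(report['zero_byte'])} closed with no payload")
    for key, events in report["dropped"].items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {events}")
```

Run against the posted lines it reports three sessions to 204.10.80.130:2189, all three closed with 0 bytes sent in either direction, and a single "Invalid Segment" drop on the 57169 session whose tcpflags value decodes to ACK alone; that is exactly what the raw log says, just grouped per session so the same check can be applied to a much longer "sh log" capture.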