03-14-2007 07:32 AM - edited 03-09-2019 05:36 PM
My scenario is as such: Trusted <--> g0/0:IOS FIREWALL(HSRP&NAT):g0/1 <--> Extranet. I have inspect rules setup for the very basic inspection (udp/tcp). I have not changed any of the default settings for timeouts, etc. I have applied inbound acls to both interfaces. (See Extranet perimeter Configuration -- http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html)
When I apply an inbound inspection rule to the external interface, for some reason all traffic sourced from the extranet is not granted access to the trusted network, even though I have explicit permit statements in the ACLs allowing specific TCP port access to services hosted in the trusted net. When I remove the inbound inspection rule from the extranet interface and leave the ACL, the traffic is allowed in?
03-20-2007 07:08 AM
Probably the ACL permits whatever traffic you intended to allow; it deviates from the rule programmed in the inspection rules.
03-20-2007 07:17 AM
Please go into further detail. Are you stating that the rule as compiled in the IOS is conflicting with the ACL, or vice versa? How is that possible if the inspection rule is "inspecting" the same port range as the ACL?
03-21-2007 02:30 AM
Hi
Could you post a copy of the config you are using?
Thanks
Jon
03-21-2007 06:31 AM
I attached the file:
Here is a log debug as well:
njdg01#sh log | include 2189
048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)
048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)
048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107
048954: Mar 20 13:02:17.108 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57170) -- responder (204.10.80.130:2189)
048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048985: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57170) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
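The debug output above is the most useful evidence in the thread: each session opens (SESS_AUDIT_TRAIL_START), carries 0 bytes in both directions, and one of them has a DROP_TCP_PKT with reason "Invalid Segment", which is the inspection engine discarding a packet rather than the ACL denying it. The script below is an added example, not something posted in the thread or shipped by Cisco; it parses these %FW-6 syslog lines (embedded verbatim so it runs offline) into per-session records and flags sessions that opened but never moved data and that had inspection drops. The decoding of the tcpflags word as the TCP data-offset/flags field (so 0x5010 means a 20-byte header with only ACK set) is an assumption of mine, not something the page states.

```python
import re
from collections import OrderedDict

# Syslog lines copied from the post above; embedded here so the script runs offline.
LOG_LINES = """\
048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)
048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)
048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107
048954: Mar 20 13:02:17.108 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57170) -- responder (204.10.80.130:2189)
048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
048985: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57170) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes
""".splitlines()

# Common prefix: sequence number, timestamp, timezone.
_PREFIX = r"^(?P<seq>\d+): (?P<ts>\w{3} +\d+ [\d:.]+) \w+: "

# Session start/stop audit-trail messages; byte counts appear only on Stop lines.
SESSION_RE = re.compile(
    _PREFIX + r"%FW-6-SESS_AUDIT_TRAIL(?P<start>_START)?: (?:Start|Stop) (?P<rule>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)(?: sent (?P<ibytes>\d+) bytes)? -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)(?: sent (?P<rbytes>\d+) bytes)?"
)

# Packet drops attributed to the inspection engine.
DROP_RE = re.compile(
    _PREFIX + r"%FW-6-DROP_TCP_PKT: Dropping (?P<kind>.+?) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) due to (?P<reason>.+?) -- "
    r"ip ident (?P<ident>\d+) tcpflags (?P<flags>0x[0-9A-Fa-f]+)"
)

# Low byte of the TCP flags field, in header bit order.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_tcp_flags(word):
    """Return the flag names set in an IOS 'tcpflags' value such as '0x5010'.

    Assumption (not stated on the page): the value is the 16-bit data-offset/flags
    word from the TCP header, so the high nibble is the header length and the low
    byte carries the control bits.
    """
    value = int(word, 16)
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def _new_session(rule=None):
    return {"rule": rule, "start": None, "stop": None,
            "initiator_bytes": None, "responder_bytes": None, "drops": []}


def parse_fw_log(lines):
    """Build an ordered map of (src, sport, dst, dport) -> session record."""
    sessions = OrderedDict()
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            s = sessions.setdefault(key, _new_session(m["rule"]))
            if m["start"]:
                s["start"] = m["ts"]
            else:
                s["stop"] = m["ts"]
                s["initiator_bytes"] = int(m["ibytes"]) if m["ibytes"] else None
                s["responder_bytes"] = int(m["rbytes"]) if m["rbytes"] else None
            continue
        m = DROP_RE.match(line)
        if m:
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            s = sessions.setdefault(key, _new_session())
            s["drops"].append({"ts": m["ts"], "reason": m["reason"],
                               "ident": int(m["ident"]), "flags": decode_tcp_flags(m["flags"])})
    return sessions


def find_silent_sessions(sessions):
    """Keys of sessions that opened and closed without moving a byte in either direction."""
    return [k for k, s in sessions.items()
            if s["start"] and s["stop"]
            and s["initiator_bytes"] == 0 and s["responder_bytes"] == 0]


def report(sessions):
    """One human-readable line per session, marking silent sessions and drops."""
    out = []
    silent = set(find_silent_sessions(sessions))
    for key, s in sessions.items():
        src, sport, dst, dport = key
        tag = "SILENT" if key in silent else "ok"
        drops = "; ".join(f"{d['reason']} ({'|'.join(d['flags'])})" for d in s["drops"]) or "none"
        out.append(f"{src}:{sport} -> {dst}:{dport} [{s['rule']}] {tag}, drops: {drops}")
    return out


if __name__ == "__main__":
    for line in report(parse_fw_log(LOG_LINES)):
        print(line)
```

Run against the posted lines, every one of the three sessions to 204.10.80.130:2189 comes out SILENT, and the 57169 session shows an "Invalid Segment" drop of an ACK-only segment; that combination tells you the packets are reaching the router and being discarded by inspection state tracking, which is where to focus rather than on the ACL entries.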