Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
516
Views
0
Helpful
4
Replies

IOS Firewall Inbound access issues

plavine
Level 1
Level 1

‎03-14-2007 07:32 AM - edited ‎03-09-2019 05:36 PM

My scenario is as such: Trusted <--> g0/0:IOS FIREWALL(HSRP&NAT):g0/1 <--> Extranet. I have inspect rules setup for the very basic inspection (udp/tcp). I have not changed any of the default settings for timeouts, etc. I have applied inbound acls to both interfaces. (See Extranet perimeter Configuration -- http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html)

When I apply an inbound inspection rule to the external interface for some reason all traffic sourced from the extranet is not granted access to the trusted network even though I have explicit permit statements in the ACLS allowing for specific tcp port access to services hosed in the trusted net. When I remove the inbound inspection rule from the extranet interface and leave the acl the traffic is allowed in?

Labels:
0 Helpful
4 Replies 4

ebreniz
Level 6
Level 6

‎03-20-2007 07:08 AM

Probably, the acl permits the traffic whatever you intended to allow, it deviates from the rule programmed in the inspection program rules.

0 Helpful

plavine
Level 1
Level 1
In response to ebreniz

‎03-20-2007 07:17 AM

Please go into futher detail. Are you stating that the rule as compiled in the IOS is conflicting with the ACL or visa versa. How is that possible if the inspection rule is "inspecting" the same port range on the ACL.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to plavine

‎03-21-2007 02:30 AM

Hi

Could you post a copy of the config you are using

Thanks

Jon

0 Helpful

plavine
Level 1
Level 1
In response to Jon Marshall

‎03-21-2007 06:31 AM

I attached the file:

Here is a log debug as well:

njdg01#sh log | include 2189

048883: Mar 20 13:01:51.040 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57168) -- responder (204.10.80.130:2189)

048939: Mar 20 13:02:12.036 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57169) -- responder (204.10.80.130:2189)

048940: Mar 20 13:02:12.108 EST: %FW-6-DROP_TCP_PKT: Dropping Other pkt 10.202.212.14:57169 => 204.10.80.130:2189 due to Invalid Segment -- ip ident 16595 tcpflags 0x5010 seq.no 1944175712 ack 504166107

048954: Mar 20 13:02:17.108 EST: %FW-6-SESS_AUDIT_TRAIL_START: Start user-FLEX session: initiator (10.202.212.14:57170) -- responder (204.10.80.130:2189)

048961: Mar 20 13:02:20.884 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57168) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes

048980: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57169) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes

048985: Mar 20 13:02:25.084 EST: %FW-6-SESS_AUDIT_TRAIL: Stop user-FLEX session: initiator (10.202.212.14:57170) sent 0 bytes -- responder (204.10.80.130:2189) sent 0 bytes

Preview file
8 KB
0 Helpful
Customers Also Viewed These Support Documents