04-23-2006 05:23 PM - edited 03-09-2019 02:41 PM
Hi all,
I'm testing IOS FW, so in a lab environment I connected 2 hosts through a router (IOS FW) in this way:
(internalhost)----------[e0/0](IOSfw)[s1/0]-----------(external host)
It seems that "ip inspect" has no effect and ACL 101 is still blocking traffic from the external zone.
Here are the ACL logs:
*Mar 1 01:16:38.730: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.1(23) (Serial0/0 ) -> 10.0.0.1(57410), 1 packet
*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets
*Mar 1 01:17:06.595: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.0.1(0) (Ethernet0/0 0007.ebff.35a0) -> 192.168.0.1(0), 4 packets
Pinging the external host is successful, as I'm allowing it through ACL 101.
Any idea? Thank you in advance.
=========================================
IOSFW config
========================
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOS-FW
!
boot-start-marker
boot-end-marker
!
logging monitor notifications
!
no aaa new-model
ip subnet-zero
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name http_out http alert on audit-trail on
ip inspect name http_out tcp alert on audit-trail on
ip inspect name http_out udp alert on audit-trail on
ip inspect name http_out icmp alert on audit-trail on
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 10.0.0.2 255.255.255.0
ip access-group 100 in
ip access-group 101 out
half-duplex
!
interface Serial0/0
ip address 192.168.0.2 255.255.255.0
ip access-group 102 out
!
ip classless
ip http server
no ip http secure-server
!
logging facility local4
logging source-interface Ethernet0/0
logging 10.0.0.3
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip any host 10.0.0.3
access-list 100 permit icmp host 10.0.0.1 host 192.168.0.1 log-input
access-list 100 permit tcp host 10.0.0.1 host 192.168.0.1 log-input
access-list 101 permit ip host 10.0.0.3 any log-input
access-list 101 permit ip any host 10.0.0.3 log-input
access-list 101 permit icmp any any echo-reply log-input
access-list 101 permit icmp any any time-exceeded log-input
access-list 101 permit icmp any any traceroute log-input
access-list 101 permit icmp any any unreachable log-input
access-list 101 permit icmp any any packet-too-big log-input
access-list 101 deny tcp any any log-input
access-list 101 deny udp any any log-input
access-list 101 deny ip any any log-input
access-list 102 permit ip host 10.0.0.3 any
access-list 102 permit ip any host 10.0.0.3
access-list 102 permit icmp host 10.0.0.1 host 192.168.0.1 log-input
access-list 102 permit tcp host 10.0.0.1 host 192.168.0.1 log-input
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
!
end
IOS-FW#
04-23-2006 07:48 PM
Hi,
In ACL 101, it seems that TCP, UDP & IP, e.g. telnet TCP 23 (based on your log), were blocked.
Maybe you need to test it again by only permitting TCP, and maintain the remaining deny statements (for UDP & IP). BTW, the statement 'deny IP' is probably not necessary, as you already specify TCP and UDP in the previous lines. IP covers both TCP and UDP.
Rgds,
AK
04-23-2006 08:23 PM
Hi,
Even though IP inspect is enabled, it will not work until you apply it to the interfaces: ip inspect <options> from interface mode. You can check this link for some info.
04-24-2006 03:04 AM
Sorry, I posted the configuration before enabling "ip inspect" on the external interface, and it still didn't work even with it.
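As an added example (not configuration from the thread or from Cisco), the interface stanzas below show where the inspect rule has to sit for the posted ACL layout. The assumption is the documented CBAC behaviour on IOS 12.3: an inspection rule applied to an interface in one direction creates temporary openings in the ACL applied to that same interface in the opposite direction. ACL 101 is outbound on Ethernet0/0, so the rule http_out (the thread's own rule name, which already includes generic tcp and so covers telnet) is applied inbound on Ethernet0/0. Applying it outbound on Serial0/0 only opens holes in an inbound ACL on Serial0/0, which this config does not have, so the SYN/ACK from 192.168.0.1(23) still hits the static deny in ACL 101.

```cisco
! Added example, not the thread's own config: CBAC on the internal interface,
! inbound, so return traffic is matched against the temporary entries CBAC
! adds to ACL 101 (the outbound ACL on the same interface).
interface Ethernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 ip inspect http_out in
 half-duplex
!
interface Serial0/0
 ip address 192.168.0.2 255.255.255.0
 ip access-group 102 out
 ! No inspect here. "ip inspect http_out out" on this interface would only
 ! open holes in an inbound ACL on Serial0/0, and there is none, so the
 ! return packet would still be dropped by ACL 101 on Ethernet0/0.
!
! Checks from enable mode after opening a telnet from 10.0.0.1 to 192.168.0.1
! (command names are real IOS commands; the output shape is described, not captured):
! show ip inspect interfaces   -> Ethernet0/0 listed with http_out inbound
! show ip inspect sessions     -> the 10.0.0.1 -> 192.168.0.1:23 session while it is open
! show ip access-lists 101     -> CBAC's temporary permit entry above the static lines
```

Once the session is inspected, the "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.1(23) ..." messages for that connection should stop, because the temporary entry is evaluated before the static deny lines; keeping the deny statements with log-input is still useful, since any return packet that does not belong to an inspected session continues to be logged to 10.0.0.3. The alternative layout, inspection outbound on Serial0/0 with the return-traffic deny ACL moved to Serial0/0 inbound, works for the same reason.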
04-24-2006 02:00 PM