Cisco Firewall :: 3745 / 1811 - Slow Web Connections With IP Inspect (CBAC) Turned On
Jul 7, 2009
I have seen this a couple of times on two different routers. One is a 3745 and another a 1811 running 12.4(15)T4 and 12.4(6)T11, respectively.
When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.
Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.
View 19 Replies
Oct 27, 2012
I am running CBAC on a 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? [code]
The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp" but that didn't work.
View 3 Replies
Apr 28, 2013
I'm in the process of configuring a Cisco 881 router for a branch office. Behind this router they have a PBX. Is it possible to inspect SIP packets using CBAC, and thereby open RTP pinholes? I only have 1 public IP address, and I'm not fond of configuring thousands of PAT entries to the PBX. I have successfully accomplished this with global inspection on ASA firewalls, but I don't know if this can be done with IOS as well.
View 5 Replies
Mar 2, 2012
I have a Cisco 3745 that is my internet router, and I have a domain that directs the web address to the WAN IP address. Can I set up my 3745 to forward incoming connections to my server?
View 3 Replies
Jun 20, 2011
I have a 857 doing NAT for the internal vlan1 interface (192.168.20.0/24) attached traffic:
ip nat inside source static tcp 192.168.20.5 3389 interface dialer0 3389
ip nat inside source list aclAllowNAT interface dialer0 overload
I would like to turn CBAC (packet inspection) off, but still maintain an ACL on the ingress to Dialer0 (traffic in from the Web) to protect access to some sensitive material (doctor's surgery) and only allow RDP from designated sites. I realise there are other ways to publish the access to the terminal servers but this way has advantages we need, and is in place.
ip access-list extended aclAllowNAT
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended aclIngressFromInternet
 permit tcp host xx.xx.xx.xx any eq 3389
 ...
But of course when I do this and apply the access list to dialer0 all NAT traffic stops, as it doesn't have CBAC there telling it to allow the inspected traffic.
What do I need to put in the aclIngressFromInternet ACL to allow the NAT traffic with CBAC off?
View 8 Replies
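One way to answer the question above, as an added example that is not part of the original post or of the poster's configuration. It assumes Dialer0 is the outside interface, that the designated RDP site is 203.0.113.10 (a documentation address), and that inside hosts send DNS queries to Internet resolvers; the ICMP lines are an addition a practitioner would normally want. The key caveat is in the comments: without CBAC the router keeps no session state, and the `established` keyword only tests TCP flags.

```cisco
! Added example (not the poster's config). Assumes Dialer0 = outside, admin site
! 203.0.113.10, and inside resolvers querying Internet DNS servers.
!
! With CBAC off nothing tracks sessions, so the inbound ACL on Dialer0 must let
! replies back in by itself. "established" matches any TCP segment with ACK or RST
! set; it is NOT a session table, so a crafted ACK passes the ACL. What still
! protects the LAN is the NAT table: an inbound packet with no translation entry
! is not forwarded to an inside host (it is treated as traffic for the router).
! The inbound ACL is evaluated before NAT, so "any" as destination covers the
! Dialer0 public address.
ip access-list extended aclIngressFromInternet
 remark RDP to the published terminal server, only from the designated site
 permit tcp host 203.0.113.10 any eq 3389
 remark Replies to outbound TCP sessions (stateless, see above)
 permit tcp any any established
 remark Replies to outbound DNS lookups; UDP has no flags, so this admits any
 remark UDP from source port 53 to a high port - keep it, or run a local resolver
 permit udp any eq 53 any gt 1023
 remark Echo replies and the ICMP errors needed for PMTUD and traceroute
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Dialer0
 ip access-group aclIngressFromInternet in
```

If the `deny ... log` line starts filling the log with dropped replies for some application, that application uses a protocol the stateless rules above cannot describe, which is exactly the gap CBAC was closing.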
Jul 1, 2011
I need to configure the access list on the outbound internet port to accept the following:
ip access list 10
access-list 10 permit PPTP vpn any xxx.xxx.xxx.xxx
access-list 10 permit RDP any xxx.xxx.xxx.xxx
access-list 10 permit FTP any xxx.xxx.xxx.xxx
access-list 10 permit Postgresql any xxx.xxx.xxx.xxx
access-list 10 permit MacARD any xxx.xxx.xxx.xxx
This method does not work on the Cisco 2921 router with FW
View 1 Replies
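The list above fails because ACL 10 is a standard ACL, which can only match source addresses, so there is no way to name a service in it. The following is an added example, not the poster's configuration, of how the same intent is written as a named extended ACL paired with CBAC. Assumed: the published server's public address is 203.0.113.20, the Internet interface is GigabitEthernet0/0 and the LAN is GigabitEthernet0/1, and these port mappings: PPTP = TCP/1723 plus GRE (IP protocol 47), RDP = TCP/3389, FTP = TCP/21, PostgreSQL = TCP/5432, Apple Remote Desktop = TCP and UDP/3283 plus VNC TCP/5900.

```cisco
! Added example (not the poster's config). Addresses, interface names and port
! assumptions are listed in the lead-in.
ip access-list extended OUTSIDE_IN
 remark PPTP needs the control channel AND GRE for the tunnel (the usual omission)
 permit tcp any host 203.0.113.20 eq 1723
 permit gre any host 203.0.113.20
 remark RDP, FTP control, PostgreSQL, Apple Remote Desktop
 remark Restrict "any" to known sources wherever possible; a database port open
 remark to the whole Internet is a finding in any assessment
 permit tcp any host 203.0.113.20 eq 3389
 permit tcp any host 203.0.113.20 eq 21
 permit tcp any host 203.0.113.20 eq 5432
 permit tcp any host 203.0.113.20 eq 3283
 permit udp any host 203.0.113.20 eq 3283
 permit tcp any host 203.0.113.20 eq 5900
 deny   ip any any log
!
! Return traffic for sessions started from the LAN comes from inspection, not from
! the ACL; the ftp entry opens the data channel dynamically.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
!
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE_IN in
!
interface GigabitEthernet0/1
 description LAN
 ip inspect FW in
```

Check hits with `show access-lists OUTSIDE_IN`; a PPTP client that connects and then stalls almost always means the `permit gre` line is missing or GRE is not being translated.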
Apr 16, 2012
ip inspect firewall should be performing no inspection on traffic traversing an IPSec VPN right?
View 2 Replies
Jan 13, 2012
Since upgrading some of the computers in my LAN to Windows 7 they all experience upload issues. I have narrowed it down to CBAC inspection on my Cisco 1711 router; I am running IOS 12.3. I have a simple CBAC inspection set for TCP/UDP only without any application-specific inspects. Download works fine, however upload does not seem to work at all unless I disable the ip inspection. It is all working fine for any Windows XP machines but not for Windows 7 machines. Is this a known issue? I am not sure how I can go about this. I don't want to build ACLs now for the outside interface and disable the stateful inspection mechanisms, because CBAC has been working fine for me until recently.
View 7 Replies
Aug 15, 2012
I have a Cisco ASA5520 box running with IOS version 8.2(5)13 where the default policy map is applied globally. But I have not seen any traffic being inspected through the included protocols defined under the policy map. All configuration seems to be ok for me.
service-policy global_policy global
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 0, drop 0, reset-drop 0
[code]....
View 1 Replies
Feb 15, 2012
how to enable inspect http on ASA 5510, so that URL information populate in the syslogs?
View 2 Replies
Dec 27, 2011
ASA5510, ASA 8.0(4), ASDM 6.1(5); this is a production ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz. The problem is with a new use. I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far. The ASA inside interface is the default gateway for the inside network. My test workstation can PING inside hosts, so the static route is OK.
ASA 10.1.1.2/16 DNS Server 10.1.5.1/16
| |
------------------------------------------------------------------
|
Switch 10.1.8.20/16
[code]....
But lookups fail. Wireshark says the test workstation sends, the dns server receives and responds, but the test workstation never receives. I used the Packet Tracer tool; it gets to the last step saying OK, then finally "inspect-dns-invalid-pak". I can't find any more there to tell just what is invalid about it. So I'm trying to figure out global inspection. Here's an extract from the config:
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
[code]....
View 26 Replies
Mar 23, 2011
I have two questions about ZBF on ASR1000 with Firewall and Flexible Packet Inspection license:
1 is IPv6 supported?
2 can I use a police action in an inspect rule? I want to limit some protocols to low bandwidth. There is no police command in the ZBF policy map.
View 7 Replies
Feb 23, 2011
I want to block some social networking sites using an ASA 5510-CSC-SSM. As I searched, I came to know that the ASA 5510 can't inspect and intercept https traffic because it is encrypted while traversing through the ASA. I want the ASA to do this for https too, not only http. Can I perform this task by updating any software on the existing device?
View 2 Replies
May 13, 2013
I have a strange problem in my ASA 5510 firewall. I turned on the HTTP inspect policy to block certain URLs, but that destroyed svn communication. Interestingly, if I use a simple web browser to access the svn server it works, but any svn-client requests fail with the error "Could not read status line: An existing connection was forcibly closed by the remote host". I did some packet sniffing, and discovered that with HTTP inspect off the WebDAV request is answered, but with HTTP inspect on it is rejected with an error unauthorized. Here are examples of successful and failed conversation packets:
Success:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=58882, PayloadLen=0, Seq=4139355337, Ack=3464798063, Win=258 (scale factor 0x8) = 66048 {TCP:2, IPv4:1}
4. <Server-IP> <Client-IP> WEBDAV WEBDAV:Response, HTTP/1.1, Status: UNHANDLED HTTP Status Code, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
Failure:
1. <Client-IP> <Server-IP> WEBDAV WEBDAV:Request, PROPFIND /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
2. <Client-IP> <Server-IP> WEBDAV WEBDAV:HTTP Payload, URL: /svn/repos/myrepo/trunk {HTTP:3, TCP:2, IPv4:1}
3. <Server-IP> <Client-IP> TCP TCP:Flags=...A.R.., SrcPort=HTTP(80), DstPort=1137, PayloadLen=0, Seq=1075661931, Ack=4049054406, Win=64240 (scale factor 0x0) = 64240 {TCP:2, IPv4:1}
4. <Client-IP> <Server-IP> TCP TCP:Flags=......S., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908784, Ack=0, Win=64240 ( ) = 64240 {TCP:4, IPv4:1}
5. <Server-IP> <Client-IP> TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=1138, PayloadLen=0, Seq=4184445498, Ack=1032908785, Win=8192 ( Scale factor not supported ) = 8192 {TCP:4, IPv4:1}
6. <Client-IP> <Server-IP> TCP TCP:Flags=...A...., SrcPort=1138, DstPort=HTTP(80), PayloadLen=0, Seq=1032908785, Ack=4184445499, Win=64240 (scale factor 0x0) = 64240 {TCP:4, IPv4:1}
Packet # 4 is the actual differentiator.
I found one mention of that error with this assessment: "Older firewall/proxies do not understand the WebDAV related HTTP requests for accessing Subversion using HTTP" [URL] in that post, but not any useful tips.
View 1 Replies
Aug 11, 2010
I am trying to configure my ASA 7.2(4) to inspect SCCP traffic from a CUCM v7. I have been advised that the ASA device needs to support the version of Skinny I am running. What version of Skinny does ASA 7.2(4) support? How can I find out what version my phones are using?
View 3 Replies
May 12, 2013
We are currently looking at design models for a Multi-Tenancy solution. The firewall layer will be 2 X ASA's running 9.X to take advantage of VPNs in multiple context mode and mixed L3 and L2 contexts.
We will be delivering services through multiple L3 contexts (between 2 and 5 L3 contexts for services) and 1 transparent context for customers' infrastructure, who will then have virtual firewalls for NATs and VPNs etc. within their own environment.
I am not very experienced with IPS, so my query is: if we were to get an IPS license for both ASA's, how would the IPS fit in? Can we use it to inspect traffic for all the L3 contexts and the transparent context?
View 4 Replies
Mar 17, 2011
I have 2 ASA 5510 firewalls at 2 different sites. Both running on version 8.0.4. Users are using an Instant Messaging type of application provided by a local telco here which is able to send and receive SMS using SIP (from the packet capture that I've done).
When users use the IM in site A, they are able to send and receive text messages via the IM from behind the firewall. However, when the users are in site B, users are able to send out text messages but not able to receive them.
I noticed that when I remove "inspect sip" from site-B's global policy map, users from site-B can successfully receive text messages. I have confirmed that it is the firewall that drops the packets as I have captured the inside and outside interfaces of site-B's ASA and I can see the incoming sip "request: MESSAGE" packet on the outside interface but I do not see the packet exiting the inside interface.
I have cross-checked both firewall configurations, and I do not see any suspicious commands relating to sip that might cause this issue. Is there any command to troubleshoot why the sip inspection is dropping the sip packets on site-B?
View 15 Replies
May 16, 2011
I have two 1811's connected in a lab using an ipsec vpn tunnel (using a switch to simulate an internet connection between them). I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side). I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's a quick drawing:
Here are the configurations:
Local router:
hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
[code]....
View 11 Replies
May 5, 2012
I just got my PIX515e configured and thought I had it working correctly, but on my 3745 router the line protocol is down. I've looked through the configs for both the PIX and the 3745 and can't seem to figure out why I don't have access.
Pix515E config:
pixfirewall# show run
: Saved
:
PIX Version 8.0(4)32
!
hostname pixfirewall
domain-name home.jkkcc.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
View 10 Replies
Sep 8, 2011
This is probably a stupid question, but how do I open a port on a cisco 1811? I have a cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external ip address and port 5950. People outside the network will be able to open vnc viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal ip address of 10.11.101.10. What commands do I use to do this?
View 23 Replies
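The static PAT that does what the post above asks for, as an added example that is not from the poster's router. It assumes the 1811's Internet-facing port is FastEthernet0, the LAN is Vlan1, and an inbound ACL named OUTSIDE_IN is already applied to FastEthernet0 (if CBAC is in use, that ACL exists; inspection only opens return traffic for sessions started inside, so an inbound connection still needs its own permit).

```cisco
! Added example (not the poster's config). Assumes FastEthernet0 = outside,
! Vlan1 = inside, inbound ACL OUTSIDE_IN on FastEthernet0.
interface FastEthernet0
 ip nat outside
 ip access-group OUTSIDE_IN in
!
interface Vlan1
 ip nat inside
!
! Static PAT: <FastEthernet0 address>:5950 -> 10.11.101.10:5950. Using the
! interface keyword keeps it working if the ISP changes the WAN address.
ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950
!
! The inbound ACL is evaluated before NAT on the outside interface, so it sees
! the public address; "any any" is used here because the destination is the
! interface address itself.
ip access-list extended OUTSIDE_IN
 remark VNC's own password authentication is weak; restrict the source to the
 remark addresses that need it (e.g. "permit tcp host 203.0.113.10 any eq 5950")
 remark or publish it through a VPN instead of directly
 permit tcp any any eq 5950
!
! Verify the translation and the ACL hit counter while connecting from outside:
!   show ip nat translations | include 5950
!   show access-lists OUTSIDE_IN
```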
Jan 9, 2012
I am connected to unencrypted wireless, firewall turned off. My dropbox will sync and if I open IE I can access www.microsoft.com [very slowly] but so far that is all. Chrome won't open anything - it just says proxy server problem. If I run diagnose from IE it says my connection is fine. I have AVG free software. I do get an error from totalnetguard when I boot up that says it can't log on. If I use my aircard directly in the computer's USB slot and connect that way everything works fine.
View 3 Replies
Feb 19, 2013
I need to NAT a port range spanning TCP and UDP 50,000 to 59,999 from inside global address 58.96.x.x on loopback2 to an inside local address of 192.168.5.5. Currently all the existing NAT translations are 1-to-1 that map inside global addresses on a wide span of Loopbacks and a Dialer Interface to inside local addresses on a few subnets, which are fine. I'm using an 1811 with an ADVIPSERVICESK9-M image, version 12.4(6)TS
View 1 Replies
Apr 6, 2012
I have about 30 remote EZVPN 1811 routers that never come up after a firewall reload for about an hour. I have watched the EZVPN remotes and they believe they still have an IPSEC SA and they never attempt to reconnect until their IKE SA times out. Is there any way I can change this behavior so that the remotes will more rapidly recognize that their SA is invalid and negotiate a new one?
View 2 Replies
Sep 25, 2012
Cannot connect to the Linksys Router 192.168.1.1 webpage. I can only connect if I turn off my F-Secure firewall.
View 1 Replies
Apr 4, 2011
We have been testing a Zone Based FW config for 1 month; everything runs smoothly but we're having a problem (very slow access) when a user tries to reach a website on a non-standard port (8080 in that case). All the traffic stays in our LAN, using an IPSEC/EZVPN connection between the 2 sites. As soon as I disabled the Zone Based FW, the speed was much better.
I'm sure I'm missing a parameter to fix that problem but I tried many different options and I didn't find anything yet. All the routers are Cisco 1811 running adv IP Services 15.1.2.T1 IOS. A port-map has been created to map the port 8080 to the HTTP protocol for the inspection. The PC will have an IP address in 10.2.2.x/24 and will access a server on 10.2.3.x/24; both devices are part of the zone private in each site/LAN. All the access between sites is managed by an ASA, the IPSEC/EZVPN peer. Little summary, it's going to be something like: SiteA with a PC on private zone, then on public zone for the EZVPN to SiteB on public zone, and then private zone to access the server in the LAN.
View 6 Replies
Jul 3, 2012
I'm playing around with CBAC, trying to get a feel for it so I can manage it on some of our routers. I think I have the basics down, but for some reason I'm still having these issues with a 2801 running the attached config:
- I had to add the "router-traffic" option to my ICMP inspect line to be able to ping anything at all on the 10.10.2.0 side from the router. We have a router doing firewall duty which is using CBAC but does not have the "router-traffic" option on its ICMP inspect line, but pings from it still work. What gives? I've read that by default (without the "router-traffic" option) traffic originating from within a router will not be inspected by CBAC, so it looks like my lab router is working as expected; I just can't figure out why pings work from the production firewall router.
- I cannot copy a config via TFTP to 10.10.2.97. Other network devices can access the TFTP server on .97, so it's my lab router that has the problem. I can ping .97, and it can ping this router (.5). It looks to me like I have TFTP allowed through this router, but it doesn't work. When I do a copy command, my TFTP server on .97 sees PUTs coming in, but then says it's not getting responses from the router, so it looks like traffic is only flowing out from the router but not back in. I thought the TFTP inspect would fix that. There doesn't seem to be a "router-traffic" option for the TFTP inspect. [CODE]
View 1 Replies
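The TFTP symptom in this post and in the Oct 27, 2012 post above ("why isn't CBAC catching the TFTP outbound?") have the same cause, and the fix is the same. This is an added example, not either poster's configuration; the server address 10.10.2.97, the router address 10.10.2.5 and the ACL and interface names are taken from or assumed for this post. The `router-traffic` keyword exists only for the generic tcp, udp and icmp (and h323) inspect entries, and generic udp inspection keys a session on both port numbers. A TFTP client sends its request from an ephemeral port to UDP/69, but the server replies from a freshly chosen ephemeral port (its transfer ID), so even an inspected router-originated TFTP request never matches the reply. The return path has to be permitted statically.

```cisco
! Added example (not from the posted configs). Assumes: TFTP server 10.10.2.97,
! this router's address on the server-facing interface 10.10.2.5, inbound ACL
! OUTSIDE_IN applied on that interface (name assumed), and FastEthernet0/0 as
! the interface whose address the router should source TFTP from (assumed).
!
! Router-originated TFTP: router:ephemeral -> 10.10.2.97:69, then the server
! answers 10.10.2.97:<new ephemeral> -> router:ephemeral. No CBAC session matches
! that second tuple, so the ACL must carry the permit itself.
ip access-list extended OUTSIDE_IN
 remark -- return traffic for router-initiated TFTP (copy tftp: / copy ... tftp:) --
 remark Keep it to the one server and remove it after the upgrade window
 permit udp host 10.10.2.97 gt 1023 host 10.10.2.5 gt 1023
!
! Fix the router's source address so the permit above can stay this narrow
ip tftp source-interface FastEthernet0/0
!
! While testing:
!   show ip inspect sessions        <- no session appears for the router's own TFTP
!   show access-lists OUTSIDE_IN    <- the permit's hit counter increments on replies
```

For the poster's first question (pings from the production router working without `router-traffic`), the same reasoning applies: look for a static `permit icmp ... echo-reply` in that router's inbound ACL rather than for an inspection session.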
Jun 19, 2011
XP slow boot for network connections. When I start the PC it goes normally and quickly until it comes to the network icons in the lower right window. It takes 5 minutes for the network icons to show up.
View 2 Replies
Jan 3, 2011
I have a 851 that I'm trying to apply CBAC on. However, it seems that new sessions are stuck in SIS_OPENING. I'm guessing maybe because packets are not returned, but I can't understand why - everything works just fine up until I add "ip inspect INBOUND out" on the WAN interface.
View 19 Replies
Dec 9, 2012
I have decent Bandwidth, high download speeds (25.67mbps) low ping(16ms) And okay upload speeds (4.47mbps). I usually browse Reddit and my father usually plays CoD. The problem is, whenever I try and download anything, his game slows down to where he gets kicked from the room.
View 3 Replies
May 6, 2013
A user from a home PC via AnyConnect is making an RDP session to a work PC; on this PC Microsoft policy allows disk mapping via RDP. Is it possible to inspect this traffic and deny this (disk mapping) action on an ASA5585-X with IPS?
View 1 Replies
Mar 23, 2013
I have a cisco 2811 router set up as a nat/firewall gateway for my network. I've configured it for CBAC using ip inspect and an access list. What I want is to use audit-trail to record network traffic (which means sending syslog messages to a server) concerning established sessions from my own network to locations in the outside. If I configure this using ip inspect audit-trail and no ip inspect alert-off, the configuration looks like this: [code] which works just fine, but there is the matter of icmp packets.
Since I use polling software that needs to check some machines in the outside part of the network, it is only natural that several icmp sessions are established through the Inspection Rule per minute. The problem is that since these sessions are recorded along with everything else, my syslogs are flooded with these (since I am using logging trap informational) to the point that more messages are generated about icmp than all other traffic combined, especially in non-working hours. What I am asking is a way for the audit-trail to be selectively disabled for icmp, so that the outgoing (echo) and incoming (echo reply) sessions can be established without generating syslog messages.
View 1 Replies
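Audit-trail (like alert) can be set per inspect entry, which is the knob the post above is looking for. The following is an added example, not the poster's configuration; the rule name FW, the poller address 192.0.2.10 and the ACL name are assumptions.

```cisco
! Added example (not the poster's config; names and addresses assumed).
! The global setting stays on, so TCP and UDP sessions keep producing
! %FW-6-SESS_AUDIT_TRAIL messages; only the ICMP entry is silenced.
ip inspect audit-trail
no ip inspect alert-off
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp audit-trail off
!
! Alternative when the pollers are a few known hosts: leave ICMP out of the
! inspection rule altogether and permit the replies statically, so they never
! enter the session table at all (the ACL sees the poller's pre-NAT global
! address on the outside interface).
!   ip inspect name FW tcp
!   ip inspect name FW udp
!   ip access-list extended OUTSIDE_IN
!    permit icmp any host 192.0.2.10 echo-reply
!    permit icmp any host 192.0.2.10 unreachable
!    permit icmp any host 192.0.2.10 time-exceeded
!
! Confirm the per-entry setting took effect and the log quieted down:
!   show ip inspect config | include icmp
!   show logging | include FW-6-SESS_AUDIT_TRAIL
```

Keeping the audit trail for TCP and UDP while dropping it for ICMP also has a detection benefit: the remaining messages are the ones an analyst would actually read, and a sudden rise in them is not masked by poller noise.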
Mar 4, 2012
I have a need to use a 3560 switch to terminate a provider's internet connection, but want to secure it so that it and the vlans connected to it are not wide open. At the same time, I'd like to use stateful packet inspection.
I have IOS 12.2(44)SE2, but IPBASE running on my 3560s. Is there an IOS (perhaps the ADVIPSERVICES of that version?) that allows a 3560 to use the 'ip inspect' command?
View 2 Replies
Mar 14, 2013
IOS Firewall (ZBF) Limit SMTP connections from same IP
we are running a Postfix MTA behind an IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attempts like
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
Can we inspect the smtp and limit connections in a time period from the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip".
View 8 Replies
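What ZBF does and does not offer for the question above, as an added example that is not the poster's configuration (zone, class and policy names, and the MTA address 192.168.1.25, are assumptions). ZBF has no "N connections per source per minute" setting. What a `parameter-map type inspect` attached to the inspect action does provide is a per-host half-open limit and a cap on concurrent sessions for the class. That blunts a SYN-flood style DoS, but a client that completes the handshake, sends AUTH and disconnects (what the quoted log lines show) is a complete session, so the per-source rate limit has to live in Postfix itself (`smtpd_client_connection_rate_limit`, measured over `anvil_rate_time_unit`). The firewall then provides the connection-level floor.

```cisco
! Added example (not the poster's config; names and the MTA address assumed).
parameter-map type inspect SMTP_LIMITS
 sessions maximum 200
 tcp max-incomplete host 10 block-time 1
 tcp synwait-time 10
 audit-trail on
!
ip access-list extended ACL_SMTP_TO_MTA
 permit tcp any host 192.168.1.25 eq 25
!
! Match at layer 4 on purpose: the legacy SMTP application inspection only admits
! the basic RFC 821 command set and gets in the way of ESMTP AUTH, which this MTA
! relies on.
class-map type inspect match-all CM_SMTP
 match access-group name ACL_SMTP_TO_MTA
 match protocol tcp
!
policy-map type inspect PM_OUT_IN
 class type inspect CM_SMTP
  inspect SMTP_LIMITS
 class class-default
  drop log
!
zone-pair security OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_IN
!
! Watch half-open and session counters during an attack:
!   show policy-map type inspect zone-pair OUT_IN
```

`sessions maximum` is a ceiling for the whole class, not per source, so set it above the MTA's normal concurrency; `block-time 1` (minutes) applies only to hosts exceeding the half-open threshold. The per-IP "10 in 60 seconds" rule itself belongs on the Postfix side.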