Cisco Firewall :: 871 / 2811 / 1841 - ZBFW Default Inspection Specification
May 6, 2011
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
View 4 Replies
ADVERTISEMENT
Jul 31, 2012
I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones, internet, local, and ssl-vpn.The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet , invalid flags with ip ident 0 which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (remove passwords and stuff) Last few log lines are at the bottom.
View 3 Replies
View Related
Sep 21, 2011
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is , is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer ?
View 3 Replies
View Related
May 9, 2012
I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code]......
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?
View 2 Replies
View Related
Jan 10, 2011
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:class-map inspection_default match default-inspection-traffic
What "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
View 9 Replies
View Related
May 25, 2011
I currently have the default inspection engine configured in my firewall to inspect http traffic. I noticed that the ASA will drop packets when visting legitimate websites. I've tried googling for a workaround but have been unsucsselful. How can I exclude some websites or IP's from being affected by the inspection engine?
View 1 Replies
View Related
May 10, 2012
i have removed the icmp inspection from my default policy-map in my ASA 5520,now i could not able to ping to 4.2.2.2 from my LAN even though i have configured an ICMP Access-list in my asa like ,but I can't ping 4.2.2.2 for testing the Internet connectivity,what shall i do to allow only my self as admin to ping outside?
-icmp permit host 192.168.60.60 echo
-icmp permit host 192.168.60.60 echo-reply
View 1 Replies
View Related
Feb 16, 2012
I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network.
My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. What is the new IOS versions support SCTP? Any options to pass this traffic through the firewall?
View 7 Replies
View Related
Apr 22, 2013
OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.
View 5 Replies
View Related
Dec 27, 2011
I need to update my Cisco 881W config to allow port forwarding FROM the Internet TO the following inside device as follows:
IP Address: 192.168.1.254
Protocol: TCP/UDP
Port: 5001
This device is a Slingbox Pro-HD and I want to be able to view it from the Internet.
Attached is a copy of my 881W config. I am horrible at properly configuring my zone based firewall (ZBFW) config
View 9 Replies
View Related
Nov 30, 2011
What the user specification with the asa5505 means.there is a 50 user and an unlimited license with the asa5505. with 50 user does this mean that only 50 user can work simultaneously over the asa, or what?
View 10 Replies
View Related
Aug 2, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.
View 2 Replies
View Related
Jun 21, 2011
We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.
View 1 Replies
View Related
May 4, 2011
I have a Cisco 2811 and a Cisco 1841 and I cannot get these cards to show up. My IOS for the 1841 is c1841-spservicesk9-mz.124-6.T7 and my IOS for the 2811 is c2800nm-spservicesk9-mz.124-17. When I do a "sh diag" the cards come up as: "unknown daughter card WIC module is not supported/disabled in this slot".
So I am guessing I need a different IOS.
View 1 Replies
View Related
Jun 9, 2012
I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
View 4 Replies
View Related
Feb 18, 2012
i have 2811 router can, i use the below image on it , i m thinking to run bgp with ISP to accept just default route.
View 1 Replies
View Related
Jun 9, 2012
I'm trying to get a 2811 router with a NM-AIR-WLC6 Wireless Controller Module to work with an c1200 series access point. The LWAP is connected to a 2690 switch which has a trunk connected to the router. My configuration looks very similar to example 2 on this page: [URL] . The LWAP does get an IP from the DHCP pool on the router. I can also connect to the GUI of the controller from a PC on VLAN 250 (which also is connected to the switch).
[URL]
The moment I join my Wireless network I get no IP and when I enter a valid static IP, I still can't ping the gateway. I also noticed that the controller could ping the gateway before I configured the interface. After configuring an interface with that gateway, the controller loses the ability to ping to it. I can't seem to figure out why. I've been working all week on getting this controller and LWAP to broadcast a fully working network.
View 3 Replies
View Related
May 8, 2011
My 2811 is connected with two ISP,s as below and have VPN with Central branch.I want to set DSL as primary and WiMax as secondary but problem is that routes learned via BGP get precedence over default route as they are specific one.I think i may need to put all static specific routes of central branch over DSL along defautl but I want any idea if my default route stay active and when it down then BGP neighborship can be establish (like ip sla tracking.)
View 3 Replies
View Related
May 25, 2011
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediatly had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accomodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporatic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp port-object eq ftp port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10(code)
View 3 Replies
View Related
May 21, 2013
Does ip default-gateway have any effect on a L3 device such as a 2811 router? I always thought that on a L3 device the default route would supersede any such command assuming it is accepted.
We have a client device that cannot be reached for managment directly and wanted to add that statment only if it might work.
View 1 Replies
View Related
Jan 29, 2013
ASA 5520 running 8.4.5:We had an issue with a remote SMTP connection getting screwed up as a result of ESMPT inspect.It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really through me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMPT inspect, packet too big). My quesiton to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
View 5 Replies
View Related
Jun 13, 2012
I am using the Cisco ASA5510 for my Telepresent infarstructure. I have a problem with Encrypted SIP calling for call in/out.
Is there is a way to disable the TLS inspection for Cisco ASA5510?
View 2 Replies
View Related
Aug 9, 2012
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976.I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand, 2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
View 2 Replies
View Related
May 3, 2011
let me know how to enable HTTP inspection in ASA 5505 through ASDM.
View 1 Replies
View Related
Jun 17, 2012
I would like to set up a POTS Dial connection between 2 Cisco routers, using the modem card WIC-1AM-V2. I'd like to use this as an out-of-band connection to a remote site, if the primary internet connection fails. So, this setup will only be used in one direction, 1 router placing calls, the other one receiving calls.Here's my config of the receiving router:
chat-script dial "" ATZ AT OK "ATX3D T" ATS0=8 TIMEOUT 120 CONNECT C
interface Async0/2/0 description out of band for network no ip address encapsulation slip async mode interactive
line 0/2/0 session-timeout 5 absolute-timeout 10 script connection dial login local modem InOut transport input all escape-character BREAK autoselect ppp stopbits 1 speed 115200 flowcontrol hardware
[code]....
This config is working fine, when dialing in via a Windows Hyperterminal Dial connection. After a while of dialing I get the login prompt of the router.Now I want to have a router placing calls instead of a Windows Server. I can't figure out how to tell a router to place calls to a POTS phone number.
Receiving router: 2811, WIC-1AM-V2, IOS c2800nm-ipbasek9-mz.124-25a
Calling router: 1841, WIC-1AM-V2, IOS c1841-advsecurityk9-mz.124-25a
View 5 Replies
View Related
Jul 22, 2009
I have a working BGP session established. With "debug ip bgp events" I see many (2/3 every second) messages like this:
*Jul 23 11:23:48.773: BGP: default originate timer at max delay of 64 sec
*Jul 23 11:23:48.997: BGP: default originate timer at max delay of 64 sec
I can find nothing about this message. IOS version is 12.4(24)T and platform is Cisco 2811
View 8 Replies
View Related
Jul 6, 2010
Cannot access console baud rate has been changed by customer and I have tried all the standard ones 1200,2400 ect, have tried the J7 baud jumper on the mother board....?
View 11 Replies
View Related
Jul 16, 2009
I have an issue with Cisco ASA 5520, The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this bcz of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stay: Call-ID: 2a54f680-
a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This suppose to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever, the CM receive the trying message with different Call-ID it considered as new session and it keep sending invitation messages for the SIP provider.NAT is enabled.
View 2 Replies
View Related
Jan 18, 2012
I am having issues with PXE boot images for PCs cannot be loaded from remotely.The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets.So I excluded these two inspections for the particular server behind the firewall. It seem to resolve the issue for instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
View 1 Replies
View Related
Dec 31, 2011
I have a branch office set up were all traffic goes back to the core, iincluding internet acces.
It has been working fine for a year, but recently I have started to see the firewalls Asa 5505 closing the connection and stopping the phone from answering the calls.
I have skinny inspection turned on all my branch offices, but had to turn it off at the one site to get one of my phones to registered.
I haven't made any changes to the network that would trigger this issue, such as upgrading phone firmware.
My firewall is configured for default deny, other than Skinny (tcp 2000), do I need Skinny inspection to be turned on?
It's turned on my 5 other branches.How can I debug why the skinny inspection is closing the connection?As a separate note this phone is part of a pool of phones that shares a common DN, would this be causing the issue?
View 1 Replies
View Related
Mar 8, 2011
I Have a 2821 Router with a IOS Version 12.4(13r)T. When i enabled the firewall, my download speed slows down to 10-20kbps (the normal is 5-6 Mbps).
View 11 Replies
View Related
Jun 5, 2012
I need to allow traffic between webserver in dmz and mssql (Microsoft SQL Server 2008).MSSQL use dynamic port (now it is 63796) and this cannot be changed.
Basically, I can allow such traffic using next configuration:access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 1433access-list dmz extended permit udp host 1.2.3.4 host 5.6.7.8 eq 1434 access-list dmz extended permit tcp host 1.2.3.4 host 5.6.7.8 eq 63796
But, I would like to add mssql inspection and I did the next:
class-map class_sqlnetmatch port tcp eq 1433policy-map global_policyclass inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect ip-options inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet service-policy global_policy global
[Code] ..........
View 1 Replies
View Related
Feb 12, 2012
I'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party. [code]
I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up..ip route 10.23.4.2 255. 255. 255. 255 FastEthernet0/0
and I can then ping the tunnel IP at the far end - 10.23.0.5.Why would that be? Is there a better way to do this without using a default route??
View 4 Replies
View Related
