Velocity Reviews - Computer Hardware Reviews

IOS firewall - how to create an opening?

 
 
X-Eliminator (Guest), 03-23-2008
I have a 1721 router with IOS firewall that is blocking traffic as
expected. The problem is that I want to create an opening so that the
firewall does not block a certain IP address or UDP protocol. I
already have ACL permit statements applied to the WAN & FastEthernet
ports to permit the desired UDP & IPs. I have looked at all the
options for the ip inspect command but don't see where I can create
this exception, and I have also removed all ip inspect statements
relating to UDP. Can anyone tell me how I can force the firewall to
permit the below traffic without disabling the FW completely?
It's the firewall that is giving me trouble, not the ACLs or my IPS.

Thanks in advance for any suggestions...

Here is the message in the log which shows that the FW is blocking my
traffic:

Mar 22 14:18:35 CDT: %FW-6-DROP_UDP_PKT: Dropping udp pkt
216.115.30.200:69 => 192.168.0.75:2060 with ip ident 16221 due to
Bidirectional traffic disabled

and here are the IP Inspect statements:

ip inspect log drop-pkt
ip inspect one-minute low 200
ip inspect one-minute high 300
ip inspect dns-timeout 4
ip inspect tcp idle-time 15
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 40 block-time 30
ip inspect name myfw cuseeme timeout 15
ip inspect name myfw realaudio timeout 30
ip inspect name myfw h323 timeout 3600
ip inspect name myfw icmp alert on timeout 15
ip inspect name myfw rpc program-number 100008 timeout 15
ip inspect name myfw vdolive timeout 15
ip inspect name myfw streamworks timeout 5
ip inspect name myfw sqlnet timeout 5
ip inspect name myfw skinny timeout 5
ip inspect name myfw rtsp timeout 5
ip inspect name myfw netshow timeout 30
ip inspect name myfw rcmd alert on timeout 15
ip inspect name myfw sip alert on timeout 30
ip inspect name myfw tftp timeout 5
ip inspect name myfw http timeout 30
ip inspect name myfw fragment maximum 400 timeout 30
ip inspect name myfw tcp alert on timeout 30
ip inspect name myfw telnet alert on audit-trail on
ip inspect name myfw ftp timeout 15
ip inspect name mwfw imap alert on
ip inspect name mwfw dns alert on
ip inspect name mwfw pop3 alert on


1721a#show ver
Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version
12.4(17a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 07-Nov-07 10:52 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
 
 
 
 
 
News Reader (Guest), 03-23-2008
Create an exception?

You want to inspect the UDP traffic on the ingress interface so that the
router will open dynamic temporary holes in the return path.

e.g.: An internal host using DNS would require an appropriate entry
(ACE) in the ACL applied to the internal interface to facilitate the
query to the ISP's DNS server. An entry on the WAN interface for the
return traffic (DNS response) is not required IF DNS/UDP inspection is
applied to the internal interface. The benefit of the inspection is that
the router will open dynamic temporary holes in the return path to
facilitate the return traffic from the DNS server. The inspection
timeouts relate to when those holes will be closed in the absence of
traffic to keep them open.

Remember that inspection must be applied to an interface. For sure, you
will want to apply inspection on the internal interface. If you have
traffic that is initiated from the Internet side, into your network, you
will want to apply inspection on that interface as well.

Your log makes reference to: 216.115.30.200:69 => 192.168.0.75:2060

Unless you are using some non-standard ports, I assume you are dealing
with TFTP (port 69).

It is important that you understand that although a command sent to a
TFTP server (e.g.: write request) will use port 69 (server side), the
majority of traffic (ACKs, data block transfer) resulting from TFTP
operations involves packets with "both" the source and destination ports
being >1023. This has ACL implications.

Also, your inspection list is huge. You don't need to inspect
applications you are not using.

I am not familiar with the specific reference "Bidirectional traffic
disabled" in the log.

Best regards,
News Reader


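The stateful behaviour News Reader describes above, as an added example that is not part of the original thread and not Cisco's implementation: a small Python model of CBAC-style UDP inspection. Packets leaving through the inside interface create session entries that a return packet must match in reverse; entries idle out after the configured timeout; and a TFTP-aware rule accepts the server's data blocks from a fresh high port, which is the ">1023 on both ends" complication raised above. The hosts, ports and timestamps are constructed, the class and function names are this example's own, and the specific drop reason IOS printed in the thread is not modelled.

```python
"""Toy model of CBAC-style stateful UDP inspection (added example, not from
the thread). Outbound packets seen on the inside interface open session
state; a packet arriving from the WAN side is permitted only if it matches
an unexpired entry. A TFTP-aware pinhole shows why protocol-specific
inspection exists: the server answers a request to UDP/69 from a new port."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # seconds; constructed timestamps, not wall-clock time


class UdpInspector:
    def __init__(self, udp_timeout=30.0, tftp_timeout=5.0, inspect_tftp=False):
        self.udp_timeout = udp_timeout
        self.tftp_timeout = tftp_timeout
        self.inspect_tftp = inspect_tftp
        # (inside_ip, inside_port, outside_ip, outside_port) -> expiry time
        self.sessions = {}
        # TFTP pinholes: (inside_ip, inside_port, server_ip) -> expiry.
        # Any server source port is accepted because TFTP data uses a new TID.
        self.tftp_holes = {}
        self.dropped = []

    def _expire(self, now):
        self.sessions = {k: v for k, v in self.sessions.items() if v > now}
        self.tftp_holes = {k: v for k, v in self.tftp_holes.items() if v > now}

    def outbound(self, pkt):
        """Packet entering the inside interface (LAN -> WAN): create state."""
        self._expire(pkt.ts)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.sessions[key] = pkt.ts + self.udp_timeout
        if self.inspect_tftp and pkt.dport == 69:
            hole = (pkt.src, pkt.sport, pkt.dst)
            self.tftp_holes[hole] = pkt.ts + self.tftp_timeout

    def inbound(self, pkt):
        """Packet arriving on the WAN interface: only matching return traffic."""
        self._expire(pkt.ts)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse of outbound key
        if key in self.sessions:
            self.sessions[key] = pkt.ts + self.udp_timeout  # traffic refreshes the hole
            return "permit"
        if (pkt.dst, pkt.dport, pkt.src) in self.tftp_holes:
            # Learn the server's data port so later blocks match the generic path.
            self.sessions[key] = pkt.ts + self.tftp_timeout
            return "permit"
        # Same shape as the %FW-6-DROP_UDP_PKT message in the thread, reason omitted.
        self.dropped.append(f"Dropping udp pkt {pkt.src}:{pkt.sport} => {pkt.dst}:{pkt.dport}")
        return "drop"


def scenario(inspect_tftp):
    """Constructed traffic: a DNS query and reply, a TFTP request answered from
    an ephemeral server port, an unsolicited probe, and a reply after idling."""
    fw = UdpInspector(udp_timeout=30, tftp_timeout=5, inspect_tftp=inspect_tftp)
    client, dns, tftp = "192.168.0.75", "198.51.100.53", "203.0.113.69"
    results = {}
    fw.outbound(Packet(client, 40000, dns, 53, ts=0.0))
    results["dns_reply"] = fw.inbound(Packet(dns, 53, client, 40000, ts=0.1))
    fw.outbound(Packet(client, 2060, tftp, 69, ts=1.0))
    results["tftp_data_from_high_port"] = fw.inbound(Packet(tftp, 50321, client, 2060, ts=1.2))
    results["unsolicited"] = fw.inbound(Packet("192.0.2.9", 1234, client, 2060, ts=1.3))
    results["dns_reply_after_idle"] = fw.inbound(Packet(dns, 53, client, 40000, ts=45.0))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"tftp inspection {'on' if mode else 'off'}: {scenario(mode)}")
```

With generic UDP inspection only, the TFTP data arriving from port 50321 is dropped because no outbound packet ever went to that port; enabling the TFTP rule permits it. In both modes the unsolicited probe and the reply that arrives after the idle timeout are dropped, which is the role the inspection timeouts play in the reply above.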
 
 
 
 
X-Eliminator (Guest), 03-23-2008
Thanks.... I will tweak my config and see if I can see a change in the
log.

 
X-Eliminator (Guest), 03-23-2008
I removed the command "ip inspect name myfw tftp timeout 5" and I'm no
longer seeing that Bidirectional message in the log output. I just
need to be able to validate the success by being able to see log
messages against my permit ACLs with the "log" keyword for tftp.
I also deleted all the firewall inspection rules for the stuff that I
don't really need to inspect.

Thanks for the tip !!

 
News Reader (Guest), 03-23-2008
Glad it worked out.

Syslog is very useful for diagnosing ACL issues. I frequently use "deny
ip any any log" as the last ACE in interface ACLs. I then use a syslog
server that is configured to filter messages with specific content
(e.g.: list <acl-name> denied) into separate files. The mere presence of
a file draws to my attention that traffic is being blocked on an
interface, and depending on the interface, that may indicate that a
configuration error exists.

e.g.: No traffic is allowed into our LAN interface unless the ACL
permits it. If I see a syslog file for that ACL, I know something is
trying to get through that violates our security policy. This is also
useful when you are trying to troubleshoot attempts to implement new
functionality.

The combination of syslog and a network sniffer really helps in
identifying configuration issues. Knowing what's happening on the wire
eliminates most of the guessing.

Best regards,
News Reader


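The syslog filtering described in the reply above, as an added example that is not part of the original post: a Python parser that sorts the ACL log messages produced by the "log" keyword on an ACE (the %SEC-6-IPACCESSLOGP lines for TCP and UDP) into per-ACL buckets, so that a non-empty bucket for the LAN-facing ACL can be flagged the way News Reader does with separate files. The ACL names OUTSIDE-IN and INSIDE-IN, the sample log lines and the function names are constructed for this example.

```python
"""Sort IOS ACL-deny syslog messages into per-ACL buckets (added example, not
from the thread). Mirrors the filter News Reader describes: every message
containing 'list <acl-name> denied' lands in a bucket named after the ACL,
and a non-empty bucket for the LAN-facing ACL is reported as a policy hit."""

import re
from collections import defaultdict

# Constructed sample lines in the shape of the messages the ACE 'log' keyword
# produces for TCP/UDP (%SEC-6-IPACCESSLOGP). ACL names are assumed; the
# addresses reuse the thread's example plus RFC 5737 documentation ranges.
SAMPLE_SYSLOG = """\
Mar 22 14:18:35 CDT: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied udp 216.115.30.200(69) -> 192.168.0.75(2060), 1 packet
Mar 22 14:18:36 CDT: %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 198.51.100.7(51234) -> 192.168.0.75(445), 3 packets
Mar 22 14:18:40 CDT: %SEC-6-IPACCESSLOGP: list INSIDE-IN denied udp 192.168.0.20(1025) -> 203.0.113.5(137), 1 packet
Mar 22 14:18:41 CDT: %SEC-6-IPACCESSLOGP: list INSIDE-IN permitted udp 192.168.0.75(2060) -> 216.115.30.200(69), 1 packet
Mar 22 14:18:42 CDT: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.10)
"""

# Only the port-carrying variant is parsed; ICMP and port-less protocols are
# logged with different message shapes (IPACCESSLOGDP / IPACCESSLOGNP) and skipped.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_acl_logs(text):
    """Return one dict per ACL log line; lines that are not ACL logs are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for field in ("sport", "dport", "count"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def bucket_denies(text):
    """Group denied records by ACL name, as a per-ACL syslog filter would."""
    buckets = defaultdict(list)
    for rec in parse_acl_logs(text):
        if rec["action"] == "denied":
            buckets[rec["acl"]].append(rec)
    return dict(buckets)


def policy_hits(text, lan_acl):
    """Denies on the LAN-side ACL: an inside host tried something the policy
    does not permit, or a new application was never added to the ACL."""
    return bucket_denies(text).get(lan_acl, [])


def tftp_denies(text):
    """Denied UDP records touching port 69, the traffic the thread is about."""
    return [rec for recs in bucket_denies(text).values() for rec in recs
            if rec["proto"] == "udp" and 69 in (rec["sport"], rec["dport"])]


if __name__ == "__main__":
    for acl, recs in sorted(bucket_denies(SAMPLE_SYSLOG).items()):
        total = sum(r["count"] for r in recs)
        print(f"{acl}: {total} denied packets in {len(recs)} messages")
    for rec in policy_hits(SAMPLE_SYSLOG, "INSIDE-IN"):
        print("LAN policy hit:", rec["src"], "->", rec["dst"], "port", rec["dport"])
```

The "permitted" line is parsed but kept out of the deny buckets, which is what the original poster needs for validating the tftp permit entries: a permit ACE with the "log" keyword shows up as a permitted record while the deny buckets stay empty for that flow.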
 
 
 