[c-nsp] CBAC - SIP & MSN Messenger

Paul Stewart pstewart at nexicomgroup.net
Wed Aug 17 13:35:24 EDT 2005


Hi there...

We're working on implementing CBAC on a 3640 with IOS FW loaded
replacing an existing PIX515.  Things are progressing along nicely right
now except for two items.

We are attempting to block MSN Messenger and cannot seem to stop it from
traversing the router.

ip port-map user-webmin port tcp 10000 description Webmin
ip port-map user-plesk port tcp 8443 description Plesk
ip inspect name fw appfw abuse-control
ip inspect name fw sip
ip inspect name fw pop3
ip inspect name fw imap3
ip inspect name fw imap
ip inspect name fw https
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw nntp
ip inspect name fw user-plesk
ip inspect name fw ssh
ip inspect name fw telnet
ip inspect name fw user-webmin
ip inspect name fw esmtp
ip inspect name fw dns

appfw policy-name abuse-control
  application http
    port-misuse default action reset alarm

access-list 110 permit ospf any any
access-list 110 permit icmp any any
access-list 110 deny   ip any any log


NAT is in place on this router....

Three interfaces... FE0/0 & 1/0 are outside interfaces running OSPF via
two diverse routes to a pair of distribution routers.  FE 3/0 is the
inside NAT interface.

Access list 110 is applied to FE0/0 and FE1/0.... Basically blocking
everything except what CBAC opens dynamically.  We can surf, do email
etc. no problem.

"ip inspect fw in" is applied on the FE3/0

This configuration is permitting MSN Messenger to function, but I'm
confused as to why.  Any of the ports that MSN would need to connect out
to should be blocked on the return.  I'm told MSN will drop to using
port 80, but this shouldn't work either, because I have the "ip inspect
name fw appfw abuse-control", which I thought should block this.  Any thoughts?

Also, we run a bunch of SIP phones internally that must communicate to a
softswitch outside on internal network.  When I bring up the access-list
and ip inspection they won't function properly.  Since I know just
enough to be dangerous when it comes to SIP, can anyone tell me what's
needed to make them function (and yes, they use UDP datastream)....  I
thought the "ip inspect name fw sip" would look after everything, but
obviously I'm wrong...

Thanks in advance,

Paul
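As an added illustration (not part of Paul's post, and not IOS code), the script below models the reasoning in the post: CBAC is expected to open a return path only for inside-to-outside flows whose destination port belongs to a protocol named in the "ip inspect name fw" list (including the user-defined port-maps), and everything else should hit access-list 110's final deny on the outside interfaces. It assumes standard IANA ports for the built-in inspection keywords and uses an excerpt of the posted configuration as constructed input.

```python
import re

# Excerpt of the configuration from the post (constructed test input).
CONFIG = """
ip port-map user-webmin port tcp 10000 description Webmin
ip port-map user-plesk port tcp 8443 description Plesk
ip inspect name fw sip
ip inspect name fw https
ip inspect name fw user-plesk
ip inspect name fw esmtp
ip inspect name fw dns
"""

# Assumption: standard IANA ports for the built-in inspection keywords.
BUILTIN_PORTS = {"sip": 5060, "pop3": 110, "imap3": 220, "imap": 143, "https": 443,
                 "ftp": 21, "nntp": 119, "ssh": 22, "telnet": 23, "esmtp": 25, "dns": 53}


def inspected_ports(config, rule="fw"):
    """Map destination port -> protocol for everything the inspection rule covers."""
    ports = dict(BUILTIN_PORTS)
    for name, port in re.findall(r"^ip port-map (\S+) port tcp (\d+)", config, re.M):
        ports[name] = int(port)  # user-defined port-maps become new keywords
    keywords = re.findall(rf"^ip inspect name {rule} (\S+)\s*$", config, re.M)
    return {ports[k]: k for k in keywords if k in ports}


class Cbac:
    """Tiny stateful-inspection model: an inspected inside->outside flow
    creates a session entry that lets the matching return traffic back in;
    anything else falls through to access-list 110's final deny."""

    def __init__(self, ports):
        self.ports = ports
        self.sessions = set()

    def outbound(self, src, sport, dst, dport):
        """Inside interface: returns True if a session entry was created."""
        inspected = dport in self.ports
        if inspected:
            self.sessions.add((dst, dport, src, sport))  # expected reply tuple
        return inspected

    def inbound(self, src, sport, dst, dport):
        """Outside interface: permitted only via a dynamic session entry."""
        return (src, sport, dst, dport) in self.sessions
```

Running the model with a flow to an uninspected port shows the reply being denied, which is the behaviour the post expects and is not seeing for MSN Messenger.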