[c-nsp] IOS FW oddness
Kevin Graham
kgraham at industrial-marshmallow.com
Wed Feb 27 13:36:03 EST 2008
> AaronComp#sh ip inspec sis det
> Established Sessions
> Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
> Created 00:58:42, Last heard 00:50:20
> Bytes sent (initiator:responder) [117:1741]
> Initiator->Responder Window size 65535 Scale factor 0
> Responder->Initiator Window size 5840 Scale factor 0
> In SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
This would certainly suggest that traffic is making it past CBAC properly (the session
has gone SIS_OPEN rather than being stuck in SIS_OPENING), and both the in and out
counters have been updated.
> But I never see those dynamic entries added to the ACL, and the return
> traffic gets dropped. I've done it before, worked as designed. Is
> there something I'm just not getting here?
Note that since 12.3T ("IOS Firewall ACL Bypass"), CBAC doesn't prepend to ACLs.
Prior to that, a 'sh ip access-li' would show all of the active sessions; now those
are only reflected in 'sh ip inspect sess'.
Since you have generic TCP inspection enabled, there's no value in using legacy CBAC
HTTP inspection -- try dropping 'ip inspect name To_WAN http' and see how it looks
(if you want to scrutinize HTTP, use appfw). Alternatively, try re-enabling 'ip
virtual-reassembly' on Fas0/0.100. Lastly, add 'ip inspect log drop-pkt' and see if
anything interesting is logged when the connections fail.
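As an added example (not from the original thread), here is a small Python parser for output in the layout quoted above that turns the SIS_OPEN / SIS_OPENING and in/out-counter check into a repeatable report: it flags sessions that are still SIS_OPENING, or SIS_OPEN with no responder bytes and no hits on the inbound SID. The sample output, session ids and addresses are constructed, and the parser assumes the line layout shown in the quoted 'sh ip inspect sessions detail' output.

```python
import re
from dataclasses import dataclass
# Constructed sample in the layout of 'show ip inspect sessions detail' (ids, addresses, counters made up)
SAMPLE = """\
Established Sessions
 Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
  Bytes sent (initiator:responder) [117:1741]
  In SID 24.158.63.45[80:80]=>192.0.2.10[1036:1036] on ACL From_WAN (7 matches)
 Session 8334C2A0 (192.168.10.58:1040)=>(198.51.100.7:443) tcp SIS_OPEN
  Bytes sent (initiator:responder) [512:0]
  In SID 198.51.100.7[443:443]=>192.0.2.10[1040:1040] on ACL From_WAN (0 matches)
Half-open Sessions
 Session 8334C3B0 (192.168.10.59:1044)=>(203.0.113.9:80) http SIS_OPENING
  Bytes sent (initiator:responder) [60:0]
"""
SESSION_RE = re.compile(r"Session (\w+) \(([^)]+)\)=>\(([^)]+)\) \S+ (SIS_\w+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
SID_RE = re.compile(r"In SID \S+=>\S+ on ACL (\S+) \((\d+) matches\)")

@dataclass
class Session:
    sid: str
    initiator: str
    responder: str
    state: str
    bytes_out: int = 0    # initiator -> responder
    bytes_in: int = 0     # responder -> initiator, i.e. the return path
    acl_matches: int = 0  # hits on the inbound SID against the WAN-facing ACL

def parse_sessions(text: str) -> list[Session]:
    """Each 'Session' line opens a block; the indented lines after it fill that block in."""
    sessions: list[Session] = []
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            sessions.append(Session(*m.groups()))
        elif sessions and (m := BYTES_RE.search(line)):
            sessions[-1].bytes_out, sessions[-1].bytes_in = int(m[1]), int(m[2])
        elif sessions and (m := SID_RE.search(line)):
            sessions[-1].acl_matches = int(m[2])
    return sessions

def suspect_sessions(sessions: list[Session]) -> list[str]:
    """Flag sessions stuck in SIS_OPENING, or SIS_OPEN with no responder bytes and no SID hits."""
    flagged = []
    for s in sessions:
        if s.state != "SIS_OPEN":
            flagged.append(f"{s.sid} {s.initiator}=>{s.responder} stuck in {s.state}")
        elif s.bytes_in == 0 and s.acl_matches == 0:
            flagged.append(f"{s.sid} {s.initiator}=>{s.responder} open but no return traffic")
    return flagged
```

Run it against a pasted 'sh ip inspect sessions detail' capture; a session that shows up in the second category is one where CBAC opened the pinhole but the return traffic never arrived at the ACL.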