[c-nsp] CBAC - SIP & MSN Messenger

Luan Nguyen luan.nguyen at mci.com
Wed Aug 17 17:17:42 EDT 2005


I would open a TAC case questioning that whitepaper
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_white_paper0900aecd802efa46.shtml
since MSN doesn't get blocked (I also checked this config):

uusiteLuan1841#show ip inspect sessions detail
Established Sessions
 Session 64DF8E1C (10.242.242.2:2338)=>(207.46.7.7:80) http SIS_OPEN
  Created 00:02:23, Last heard 00:00:15
  Bytes sent (initiator:responder) [5134:4450]
  In  SID 207.46.7.7[80:80]=>206.64.200.15[2338:2338] on ACL 110  (27 matches)
 Session 64DF701C (10.242.242.2:2341)=>(64.4.15.61:80) http SIS_OPEN
  Created 00:02:18, Last heard 00:01:04
  Bytes sent (initiator:responder) [261:764]
  In  SID 64.4.15.61[80:80]=>206.64.200.15[2341:2341] on ACL 110  (5 matches)
  
While you are at that, please try to ask for more functionality with the
show appfw command.  Currently,
uusiteLuan1841#show appfw ?
  configuration  Application Firewall Policy configuration
  name           Appfw name
...extremely lacking.


I would inspect more than sip since that obviously doesn't work.  You have
the log at the end of the deny on acl 110 there, you could look at the
blocking port numbers...etc and figure that out.  Should also clarify that
110 is inbound.

-luan
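Added example (editor's, not part of Luan's reply or Paul's original post): Luan's suggestion is to read the `log` output at the end of ACL 110 and work out which return flows are being dropped. The script below does that mechanically. It parses the `show ip inspect sessions detail` output in the format quoted above and standard IOS `%SEC-6-IPACCESSLOGP` deny lines, then reports denies on ACL 110 that no CBAC opening (the "In SID ... on ACL 110" lines) accounts for. Those are the return flows inspection never opened, which is where to look when an inspected protocol such as SIP still fails. The sessions are the two quoted in the thread; the syslog lines and the softswitch address 198.51.100.20 are constructed for the example.

```python
"""Correlate CBAC session state with ACL 110 deny logs (added example).

Input 1: `show ip inspect sessions detail` (format as quoted in the thread).
Input 2: syslog lines from `access-list 110 deny ip any any log`.
Output: denied (proto, dst port) pairs that no CBAC opening covers.
All sample data below is constructed, not captured from the poster's router.
"""
import re
from collections import Counter

# " Session 64DF8E1C (10.242.242.2:2338)=>(207.46.7.7:80) http SIS_OPEN"
SESSION_RE = re.compile(
    r"Session\s+[0-9A-Fa-f]+\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)=>"
    r"\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>\S+)\s+(?P<state>SIS_\S+)"
)
# "  In  SID 207.46.7.7[80:80]=>206.64.200.15[2338:2338] on ACL 110  (27 matches)"
SID_RE = re.compile(
    r"SID\s+(?P<from>[\d.]+)\[(?P<f_lo>\d+):(?P<f_hi>\d+)\]=>"
    r"(?P<to>[\d.]+)\[(?P<t_lo>\d+):(?P<t_hi>\d+)\]\s+on ACL\s+(?P<acl>\d+)"
)
# IOS ACL log line for TCP/UDP; the optional "(intf mac)" group covers the
# variant that also prints the ingress interface after the source.
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \([^)]*\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_inspect_sessions(text):
    """One dict per session, each carrying the ACL openings CBAC made for it."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
                   "dport": int(m["dport"]), "proto": m["proto"],
                   "state": m["state"], "openings": []}
            sessions.append(cur)
            continue
        m = SID_RE.search(line)
        if m and cur is not None:  # "In SID" line belongs to the current session
            cur["openings"].append({
                "acl": m["acl"], "from": m["from"], "to": m["to"],
                "from_ports": (int(m["f_lo"]), int(m["f_hi"])),
                "to_ports": (int(m["t_lo"]), int(m["t_hi"]))})
    return sessions


def parse_acl_denies(text):
    """One dict per %SEC-6-IPACCESSLOGP deny line; other syslog lines are skipped."""
    denies = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "count"):
                d[k] = int(d[k])
            denies.append(d)
    return denies


def covered_by_opening(deny, sessions):
    """True if a CBAC opening on the same ACL matches the denied flow."""
    for s in sessions:
        for o in s["openings"]:
            if (o["acl"] == deny["acl"] and o["from"] == deny["src"]
                    and o["to"] == deny["dst"]
                    and o["from_ports"][0] <= deny["sport"] <= o["from_ports"][1]
                    and o["to_ports"][0] <= deny["dport"] <= o["to_ports"][1]):
                return True
    return False


def unopened_return_traffic(sessions, denies):
    """Denied packets no opening accounts for, tallied by (proto, dst port)."""
    tally = Counter()
    for d in denies:
        if not covered_by_opening(d, sessions):
            tally[(d["proto"], d["dport"])] += d["count"]
    return tally


# The two sessions quoted in the thread, with the e-mail line wrap removed.
SAMPLE_SESSIONS = """\
Established Sessions
 Session 64DF8E1C (10.242.242.2:2338)=>(207.46.7.7:80) http SIS_OPEN
  Created 00:02:23, Last heard 00:00:15
  Bytes sent (initiator:responder) [5134:4450]
  In  SID 207.46.7.7[80:80]=>206.64.200.15[2338:2338] on ACL 110  (27 matches)
 Session 64DF701C (10.242.242.2:2341)=>(64.4.15.61:80) http SIS_OPEN
  In  SID 64.4.15.61[80:80]=>206.64.200.15[2341:2341] on ACL 110  (5 matches)
"""

# Constructed syslog lines; 198.51.100.20 stands in for an outside softswitch.
# The third line is a stray packet for a flow CBAC did open and is dropped as noise.
SAMPLE_DENIES = """\
Aug 17 13:20:01.001: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.20(5060) -> 206.64.200.15(5060), 12 packets
Aug 17 13:20:04.221: %SEC-6-IPACCESSLOGP: list 110 denied udp 198.51.100.20(16384) -> 206.64.200.15(16402), 240 packets
Aug 17 13:20:05.500: %SEC-6-IPACCESSLOGP: list 110 denied tcp 207.46.7.7(80) -> 206.64.200.15(2338), 1 packet
"""

if __name__ == "__main__":
    sess = parse_inspect_sessions(SAMPLE_SESSIONS)
    for (proto, port), n in unopened_return_traffic(sess, parse_acl_denies(SAMPLE_DENIES)).most_common():
        print(f"{proto}/{port}: {n} packets denied on the return path, no CBAC opening")
```

Feed it the real `show ip inspect sessions detail` output and a `show logging` capture taken while a phone tries to register; the ports that come out at the top are the ones the `sip` inspection is not opening for you.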

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Wednesday, August 17, 2005 1:35 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CBAC - SIP & MSN Messenger

Hi there...

We're working on implementing CBAC on a 3640 with IOS FW loaded replacing an
existing PIX515.  Things are progressing along nicely right now except for
two items.

We are attempting to block MSN Messenger and cannot seem to stop it from
traversing the router.

ip port-map user-webmin port tcp 10000 description Webmin
ip port-map user-plesk port tcp 8443 description Plesk
ip inspect name fw appfw abuse-control
ip inspect name fw sip
ip inspect name fw pop3
ip inspect name fw imap3
ip inspect name fw imap
ip inspect name fw https
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw nntp
ip inspect name fw user-plesk
ip inspect name fw ssh
ip inspect name fw telnet
ip inspect name fw user-webmin
ip inspect name fw esmtp
ip inspect name fw dns

appfw policy-name abuse-control
  application http
    port-misuse default action reset alarm

access-list 110 permit ospf any any
access-list 110 permit icmp any any
access-list 110 deny   ip any any log


NAT is in place on this router....

Three interfaces... FE0/0 & 1/0 are outside interfaces running OSPF via two
diverse routes to a pair of distribution routers.  FE 3/0 is the inside NAT
interface.

Access list 110 is applied to FE0/0 and FE1/0.... Basically blocking
everything except what CBAC opens dynamically.  We can surf, do email etc.
no problem.

"ip inspect fw in" is applied on the FE3/0

This configuration is permitting MSN Messenger to function but I'm confused
as to why.  Any of the ports that MSN would need to connect out to should be
blocked on the return.  I'm told MSN will drop to using port 80 but this
shouldn't work either because I have "ip inspect name fw appfw
abuse-control", which I thought should block this.  Any thoughts?

Also, we run a bunch of SIP phones internally that must communicate to a
softswitch outside on internal network.  When I bring up the access-list and
ip inspection they won't function properly.  Since I know just enough to be
dangerous when it comes to SIP, can anyone tell me what's needed to make
them function (and yes, they use UDP datastream).... I thought the "ip
inspect name fw sip" would look after everything but obviously I'm wrong...

Thanks in advance,

Paul



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/