[c-nsp] CBAC - SIP & MSN Messenger

Paul Stewart pstewart at nexicomgroup.net
Wed Aug 17 22:32:25 EDT 2005


Thanks for the input..

I actually have a TAC case open on this issue but am not getting very far.
They pointed me to that whitepaper, which I had already read, and I told the
guy at Cisco that it just simply doesn't work.... So why?  No answer
yet....

Thanks re: SIP...

Take care,

Paul
 

-----Original Message-----
From: Luan Nguyen [mailto:luan.nguyen at mci.com] 
Sent: Wednesday, August 17, 2005 5:18 PM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] CBAC - SIP & MSN Messenger

I would open a TAC case questioning that whitepaper
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_white_paper0900aecd802efa46.shtml
since MSN doesn't get blocked (I also checked this config):

uusiteLuan1841#show ip inspect sessions detail
Established Sessions
 Session 64DF8E1C (10.242.242.2:2338)=>(207.46.7.7:80) http SIS_OPEN
  Created 00:02:23, Last heard 00:00:15
  Bytes sent (initiator:responder) [5134:4450]
  In  SID 207.46.7.7[80:80]=>206.64.200.15[2338:2338] on ACL 110  (27 matches)
 Session 64DF701C (10.242.242.2:2341)=>(64.4.15.61:80) http SIS_OPEN
  Created 00:02:18, Last heard 00:01:04
  Bytes sent (initiator:responder) [261:764]
  In  SID 64.4.15.61[80:80]=>206.64.200.15[2341:2341] on ACL 110  (5 matches)
  
While you are at that, please try to ask for more functionality with the
show appfw command.  Currently:

uusiteLuan1841#show appfw ?
  configuration  Application Firewall Policy configuration
  name           Appfw name

...extremely lacking.


I would inspect more than sip since that obviously doesn't work.  You
have the log at the end of the deny on acl 110 there, you could look at
the blocking port numbers...etc and figure that out.  Should also
clarify that 110 is inbound.

-luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Wednesday, August 17, 2005 1:35 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CBAC - SIP & MSN Messenger

Hi there...

We're working on implementing CBAC on a 3640 with IOS FW loaded
replacing an existing PIX515.  Things are progressing along nicely right
now except for two items.

We are attempting to block MSN Messenger and cannot seem to stop it from
traversing the router.

ip port-map user-webmin port tcp 10000 description Webmin
ip port-map user-plesk port tcp 8443 description Plesk
ip inspect name fw appfw abuse-control
ip inspect name fw sip
ip inspect name fw pop3
ip inspect name fw imap3
ip inspect name fw imap
ip inspect name fw https
ip inspect name fw ftp
ip inspect name fw icmp
ip inspect name fw nntp
ip inspect name fw user-plesk
ip inspect name fw ssh
ip inspect name fw telnet
ip inspect name fw user-webmin
ip inspect name fw esmtp
ip inspect name fw dns

appfw policy-name abuse-control
  application http
    port-misuse default action reset alarm

access-list 110 permit ospf any any
access-list 110 permit icmp any any
access-list 110 deny   ip any any log


NAT is in place on this router....

Three interfaces... FE0/0 & 1/0 are outside interfaces running OSPF via
two diverse routes to a pair of distribution routers.  FE 3/0 is the
inside NAT interface.

Access list 110 is applied to FE0/0 and FE1/0.... Basically blocking
everything except what CBAC opens dynamically.  We can surf, do email
etc. no problem.

"Ip inspect fw in" is applied on the FE3/0

This configuration is permitting MSN Messenger to function but I'm
confused as to why.  Any of the ports that MSN would need to connect out
to should be blocked on the return.  I'm told MSN will drop to using
port 80 but this shouldn't work either because I have the "ip inspect
name fw appfw abuse-control", which I thought should block this.  Any thoughts?

Also, we run a bunch of SIP phones internally that must communicate to a
softswitch outside on internal network.  When I bring up the access-list
and ip inspection they won't function properly.  Since I know just
enough to be dangerous when it comes to SIP, can anyone tell me what's
needed to make them function (and yes, they use UDP datastream).... I
thought the "ip inspect name fw sip" would look after everything but
obviously I'm wrong...

Thanks in advance,

Paul



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
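Luan's two diagnostic suggestions in the thread (read "show ip inspect sessions detail" to see which inspect rule is actually opening the return path, and read the "log" hits on the deny at the end of ACL 110 to see which remote ports are being dropped) are easy to mechanise. The script below is an added example, not code from the list, from Cisco, or from either poster. It parses the session output exactly as quoted above and a few syslog lines that are constructed samples in the standard IOS %SEC-6-IPACCESSLOGP format; the addresses, port 1863 (the classic MSN Messenger notification port) and packet counts in those sample lines are illustrative only and are not from the thread.

```python
"""Summarise CBAC state from 'show ip inspect sessions detail' and ACL deny logs.

Added example (not from the cisco-nsp thread or from Cisco). INSPECT_OUTPUT is
copied from Luan's post; ACL_LOG_LINES are constructed samples in the IOS
%SEC-6-IPACCESSLOGP format with illustrative addresses and counts.
"""
import re
from collections import Counter

# Session header line, e.g.
#  Session 64DF8E1C (10.242.242.2:2338)=>(207.46.7.7:80) http SIS_OPEN
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>\S+)"
)
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")

# IOS ACL logging line, e.g.
# %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(1863) -> 206.64.200.15(2350), 1 packet
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet"
)

# Copied from the thread (Luan's router output).
INSPECT_OUTPUT = """\
Established Sessions
 Session 64DF8E1C (10.242.242.2:2338)=>(207.46.7.7:80) http SIS_OPEN
  Created 00:02:23, Last heard 00:00:15
  Bytes sent (initiator:responder) [5134:4450]
  In  SID 207.46.7.7[80:80]=>206.64.200.15[2338:2338] on ACL 110  (27 matches)
 Session 64DF701C (10.242.242.2:2341)=>(64.4.15.61:80) http SIS_OPEN
  Created 00:02:18, Last heard 00:01:04
  Bytes sent (initiator:responder) [261:764]
  In  SID 64.4.15.61[80:80]=>206.64.200.15[2341:2341] on ACL 110  (5 matches)
"""

# Constructed samples (not from the thread): SIP signalling and RTP return
# traffic that inspection failed to open, plus a direct MSN (tcp/1863) attempt.
ACL_LOG_LINES = [
    "%SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.10(5060) -> 206.64.200.15(5060), 3 packets",
    "%SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.10(16384) -> 206.64.200.15(16384), 120 packets",
    "%SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(1863) -> 206.64.200.15(2350), 1 packet",
]


def parse_inspect_sessions(text):
    """Return one dict per session found in 'show ip inspect sessions detail' output."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            s = m.groupdict()
            s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
            s["bytes_out"] = s["bytes_in"] = 0
            sessions.append(s)
            continue
        b = BYTES_RE.search(line)
        if b and sessions:  # byte counters belong to the most recent session header
            sessions[-1]["bytes_out"], sessions[-1]["bytes_in"] = int(b.group(1)), int(b.group(2))
    return sessions


def sessions_by_inspect_rule(sessions):
    """Count open sessions per (inspected protocol, remote port).

    This is the quickest way to see which 'ip inspect name' rule is punching
    the return hole: MSN falling back to port 80 shows up as plain 'http'.
    """
    return Counter((s["proto"], s["dport"]) for s in sessions)


def parse_acl_denies(lines):
    """Extract structured records from ACL deny syslog lines; ignore other lines."""
    denies = []
    for line in lines:
        m = ACL_LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "count"):
                d[key] = int(d[key])
            denies.append(d)
    return denies


def denied_by_remote_port(denies, acl="110"):
    """Total packets dropped per (proto, remote service port) for one inbound ACL.

    ACL 110 is applied inbound on the outside interfaces, so the remote
    service port is the *source* port of the denied packet.
    """
    totals = Counter()
    for d in denies:
        if d["acl"] == acl:
            totals[(d["proto"], d["sport"])] += d["count"]
    return totals


if __name__ == "__main__":
    for key, n in sessions_by_inspect_rule(parse_inspect_sessions(INSPECT_OUTPUT)).items():
        print(f"open sessions via {key[0]} to remote port {key[1]}: {n}")
    for key, n in denied_by_remote_port(parse_acl_denies(ACL_LOG_LINES)).items():
        print(f"ACL 110 dropped {n} {key[0]} packet(s) from remote port {key[1]}")
```

Run against real output, the first summary tells you whether the MSN sessions are being admitted by the "http" inspect entry (as both of Luan's sessions are), and the second lists the remote ports the inbound ACL is dropping, which for the SIP phones points straight at the signalling and media ports that inspection is not opening.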
