[c-nsp] IOS CBAC Experience

Ahmad Cheikh Moussa acm at netuse.de
Fri Jul 20 06:47:49 EDT 2007


Hi Kevin,


Kevin Graham wrote:

> You should probably reconsider using 'tcp' and 'udp' as inspect rules, as
> they'll be passing anything, but that's unrelated to your problem...

I only want stateful firewalling. The rest doesn't matter.

> Also go ahead and add a "ip inspect log drop-pkt" -- its output is
> frustratingly terse, but will help a little...
> 

I added this line. I made some tests and made several http connects.
Sometimes I got this error message:
*Nov 26 14:35:47.326: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 1.2.2.1:8080
=> 1.2.1.2:1053 due to  Stray Segment -- ip ident 22894 tcpflags 0x8018
seq.no 1703233031 ack 146867275

What does this mean?

The other thing is: I could browse the internet normally without any
problem. I don't know why, but it works now, with or without the command
"ip inspect log drop-pkt". Do I have to understand this??

Regards,
 Ahmad



-- 
Ahmad Cheikh-Moussa
ISP-Technik

NetUSE AG
Dr.-Hell-Straße, 24107 Kiel, Germany
Phone: +49 431 2390 400 --  Fax: +49 431 2390 499
Service: Service at NetUSE.DE --  http://NetUSE.DE/


Management board: Andreas Seeger (chairman), Dr. Roland Kaltefleiter, Dr. Joerg Posewang
Supervisory board: Detlev Huebner (chairman)
Registered office of the AG: Kiel, HRB 5358 VAT ID: DE156073942

The information contained in this message is confidential or protected by
law. Any unauthorised copying of this message or unauthorised distribution
of the information contained herein is prohibited.
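Added here as an example, not code from Ahmad's post or from Cisco: a small Python parser for %FW-6-DROP_TCP_PKT lines like the one quoted above, so that CBAC drops can be counted by reason and by peer instead of being read one at a time. It assumes the field layout seen in the quoted message also holds for other drop reasons, and that the tcpflags value is the TCP header's 16-bit data-offset/flags word (under that assumption 0x8018 is a 32-byte header with ACK and PSH set). The quoted message is re-joined onto one line as syslog emits it; the other sample lines are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log. The first line is the message quoted in the post
# (re-joined onto one line); the others are constructed variations, plus one
# unrelated message to show that non-drop lines are skipped.
SAMPLE_LOG = """\
*Nov 26 14:35:47.326: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 1.2.2.1:8080 => 1.2.1.2:1053 due to  Stray Segment -- ip ident 22894 tcpflags 0x8018 seq.no 1703233031 ack 146867275
*Nov 26 14:35:49.101: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 1.2.2.1:8080 => 1.2.1.2:1054 due to  Stray Segment -- ip ident 22901 tcpflags 0x8010 seq.no 1703233100 ack 146867300
*Nov 26 14:36:02.540: %FW-6-DROP_TCP_PKT: Dropping tcp pkt 198.51.100.7:443 => 1.2.1.2:1060 due to  Invalid Segment -- ip ident 4 tcpflags 0x5004 seq.no 1 ack 0
*Nov 26 14:36:03.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Field layout taken from the quoted message; assumption: same layout for
# every drop reason. \s+ absorbs the double space after "due to".
DROP_RE = re.compile(
    r"%FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) => "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) due to\s+"
    r"(?P<reason>.+?) -- ip ident (?P<ident>\d+) tcpflags (?P<tcpflags>0x[0-9a-fA-F]+) "
    r"seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

# TCP control bits in the low byte of the header word (RFC 793).
FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


@dataclass
class DropEvent:
    src: str
    sport: int
    dst: str
    dport: int
    reason: str
    ident: int
    tcpflags: int
    seq: int
    ack: int


def decode_tcpflags(word):
    """Split the logged tcpflags word into (header length in bytes, flag names).

    Assumption: the value is the 16-bit TCP word holding the 4-bit data
    offset (in 32-bit words) followed by reserved bits and the control bits.
    """
    header_len = (word >> 12) * 4
    flags = [name for bit, name in FLAG_BITS if word & bit]
    return header_len, flags


def parse_drop_line(line):
    """Return a DropEvent for a %FW-6-DROP_TCP_PKT line, or None for anything else."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return DropEvent(
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        reason=m["reason"].strip(), ident=int(m["ident"]),
        tcpflags=int(m["tcpflags"], 16),
        seq=int(m["seq"]), ack=int(m["ack"]),
    )


def summarize(log_text):
    """Count drops by reason and by remote endpoint across a block of log text."""
    by_reason = Counter()
    by_peer = Counter()
    total = 0
    for line in log_text.splitlines():
        ev = parse_drop_line(line)
        if ev is None:
            continue
        total += 1
        by_reason[ev.reason] += 1
        by_peer[f"{ev.src}:{ev.sport}"] += 1
    return {"total": total, "by_reason": by_reason, "by_peer": by_peer}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['total']} CBAC drops")
    for reason, n in summary["by_reason"].most_common():
        print(f"  {n:3d}  {reason}")
    for line in SAMPLE_LOG.splitlines():
        ev = parse_drop_line(line)
        if ev:
            hdr, flags = decode_tcpflags(ev.tcpflags)
            print(f"  {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}  "
                  f"hdr={hdr}B flags={'|'.join(flags)}  ({ev.reason})")
```

Run against the output of `ip inspect log drop-pkt` collected on a syslog host, the by_reason counter separates a handful of stray segments from late server responses (which is what the quoted line looks like: a PSH/ACK from the web server's port 8080) from a sustained stream of drops that would point at a real session-tracking problem.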