[c-nsp] IOS FW oddness
Church, Charles
cchurc05 at harris.com
Wed Feb 27 10:31:58 EST 2008
Anyone,
I've got an issue with a 2650 running 12.4(18) Adv Sec and using IOS
FW. It's doing NAT, and that portion works fine. The problem is the
CBAC isn't opening the holes in the inbound ACL on the exterior
interface like it's supposed to. IP Inspect is enabled on the outside
interface outbound, there is a restrictive ACL inbound on the outside
interface, and a permissive ACL outbound on the outside interface. 'sh
ip inspect sis det' shows the various sessions (http, sip, etc) and
references the ACLs involved:
AaronComp#sh ip inspec sis det
Established Sessions
Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
Created 00:58:42, Last heard 00:50:20
Bytes sent (initiator:responder) [117:1741]
Initiator->Responder Window size 65535 Scale factor 0
Responder->Initiator Window size 5840 Scale factor 0
In SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
Session 8334F614 (192.168.2.51:5060)=>(165.166.25.4:5060) sip SIS_OPEN
Created 00:09:01, Last heard 00:00:27
Bytes sent (initiator:responder) [31526:16875]
Initiator->Responder Window size 0 Scale factor 0
Responder->Initiator Window size 0 Scale factor 0
But I never see those dynamic entries added to the ACL, and the return
traffic gets dropped. I've done it before, and it worked as designed. Is
there something I'm just not getting here?
Thanks,
Chuck
Relevant config:
ip inspect name To_WAN tcp
ip inspect name To_WAN udp
ip inspect name To_WAN realaudio
ip inspect name To_WAN netshow
ip inspect name To_WAN tftp
ip inspect name To_WAN http
ip inspect name To_WAN sip timeout 3600
ip inspect name To_WAN esmtp
ip inspect name To_WAN icmp
ip inspect name To_WAN ftp
ip inspect name To_WAN dns
ip inspect name To_WAN pop3
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address x.y.132.210 255.255.255.248
 ip access-group From_WAN in
 ip access-group Block-outbound out
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect To_WAN out
 ip nat outside
 no ip virtual-reassembly
 service-policy output upload-all
ip access-list extended Block-outbound
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny tcp any any eq 139
 deny tcp any any eq 445
 permit ip any any
ip access-list extended From_WAN
 permit icmp any host x.y.132.210 administratively-prohibited
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any host x.y.132.210 echo-reply
 permit icmp any host x.y.132.210 packet-too-big
 permit icmp any host x.y.132.210 time-exceeded
 permit icmp any host x.y.132.210 traceroute
 permit icmp any host x.y.132.210 unreachable
 permit tcp any host x.y.132.210 eq 5800
 permit tcp any host x.y.132.210 eq 5503
 permit tcp any host x.y.132.210 eq www
 permit tcp any host x.y.132.210 eq 3389
 permit tcp any host x.y.132.210 eq 5500
 permit tcp any host x.y.132.210 eq 5700
 permit udp any host x.y.132.210 eq 5800
 permit udp any host x.y.132.210 eq 5503
 permit udp any host x.y.132.210 eq 80
 permit udp any host x.y.132.210 eq 3389
 permit udp any host x.y.132.210 eq 5500
 permit udp any host x.y.132.210 eq 5700
 permit tcp w.x.42.0 0.0.0.255 any eq 22
 permit tcp w.x.55.0 0.0.0.255 any eq 22
 permit tcp 71.15.89.0 0.0.0.255 any eq 22
 permit ip any any <---- Added as a stop-gap until I can resolve the issue.
 Without this, the issue still exists, and no return traffic is permitted!
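As an added diagnostic (this is not part of Chuck's post or of IOS), a small parser for the `show ip inspect sessions detail` output quoted above: it pairs each session with the dynamic ACL entries CBAC reports for it ("In SID ... on ACL ... (N matches)") and flags sessions that have no such entry at all, or an entry that has never matched. The input below is a constructed copy of the output from the post, with the wrapped "In SID" line joined.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two sessions quoted in the post.
SAMPLE = """Established Sessions
Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
Created 00:58:42, Last heard 00:50:20
Bytes sent (initiator:responder) [117:1741]
In SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
Session 8334F614 (192.168.2.51:5060)=>(165.166.25.4:5060) sip SIS_OPEN
Created 00:09:01, Last heard 00:00:27
Bytes sent (initiator:responder) [31526:16875]
"""

SESSION_RE = re.compile(r"^Session (\w+) \(([^)]+)\)=>\(([^)]+)\) (\S+) (\S+)$")
SID_RE = re.compile(r"^In SID (\S+)=>(\S+) on ACL (\S+) \((\d+) matches\)$")


@dataclass
class Session:
    session_id: str
    initiator: str
    responder: str
    protocol: str
    state: str
    # Each dynamic entry as (src, dst, acl_name, match_count).
    sids: list = field(default_factory=list)


def parse_sessions(text):
    """Return the sessions in the order the router printed them."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(*m.groups()))
            continue
        m = SID_RE.match(line)
        if m and sessions:  # an In SID line belongs to the preceding session
            src, dst, acl, matches = m.groups()
            sessions[-1].sids.append((src, dst, acl, int(matches)))
    return sessions


def audit(text):
    """Flag sessions with no dynamic ACL entry, and entries with zero matches."""
    sessions = parse_sessions(text)
    no_sid = [s.session_id for s in sessions if not s.sids]
    unused = [s.session_id for s in sessions if s.sids and all(m == 0 for *_, m in s.sids)]
    return {"no_sid": no_sid, "zero_matches": unused}
```

Run it over the real output from the router; a session listed under "no_sid" has return traffic depending entirely on the static ACL, which is exactly the condition the post describes.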