Firewall trouble

My answer here is the same as the one I gave in comp.security.firewalls . I know you must have read it, because it's the same message that suggested comp.dcom.sys.cisco to you.

To summarize: delete line 100 of your access list.

I did not look at your first post closely enough, Thank you for your response though, it gives me a much better understanding, I will try this fix as soon as I get to the office. Thanks again!

Walter Robers> >

Hmmm. Here are the inspect/ACL again

####### Begin quote When there is no access list applied to my outside WAN interface, I can

view web sites. When I apply this access-list I can not.

ip inspect name firewall tcp

ip inspect name firewall pop3 ####End quote

You haven't said whether this is applied inbound or outbound.

not going to give you much of a firewall.

For Inspect to protect you from external traffic heading inbound you need.

ip inspect name firewall udp ! added? ip inspect name firewall tcp

ip inspect name firewall pop3

int external ip access-group ACL.deny.all in ip inspect firewall out

ip access-list extended ACL.deny.all deny ip any any ! Yes that is OK deny any any is all I mean to put.

The above will not allow any traffic in EXCEPT responses to outbound traffic. This is what is usually wanted and is what the inspect does.

You then add the following to control outbound sessions.

int external ip access-group ACL.permit.outbound

ip access-list extended ACL.permit.outbound 10 permit tcp any host xxx.xxx.xxx.89 eq ftp

In fact I think that it is best to control the outbound traffic on the inside interface since it seems most sensible to block it as soon as possible and not wast system resources routing first and then blocking it.

You are still left with a few possible issues, for example the firewall cannot be managed from outside, the firewall cannot do its own dns to outside the firewall cannot do its own ntp, logging whatever to outside.

Good luck.

Yeah, I saw such problems with rising max-incomplete values from defaults to: one-minute (sampling period) thresholds are [10000:27000] connections max-incomplete sessions thresholds are [10000:27000]

But before this you should check how many active NAT translations you have while experiencing problems with web sites? I had a lot of active translations (about 3000), because I don't have pretty much outbound things (p2p, etc.) banned and maybe some worms are operating in the network and trying to access the Net which rises the number of active NAT translations.

Try the following config and let me know if it helps: ip inspect max-incomplete high 27000 ip inspect max-incomplete low 10000 ip inspect one-minute high 27000 ip inspect one-minute low 10000

B.R. Igor

Is xxx.xxx.xxx.89 a server that you wish to give external users access to?

If so, then I find that it is better to inspect the traffic as it enters the Interface. Remove any "ip inspect firewall out" commands from your interfaces and then change them to "ip inspect firewall in" commands e.g:-

interface fastethernet 0/0 ip inspect firewall in access-list internal in

interface serial 0/0 ip inspect firewall in access-list external in

Now the router will dynamically open ports in the access-list attached to the oposite interface.

You don't have to have an access-list on the Internal Interface and you can create seperate ip inspect lists for the two Interfaces if you wish.

It is perfectly ok to have the deny any any rule in the access-list, in fact I normally add this at the end and use the log keyword. However in your list the deny statement is before line 110 so you should make sure it is the last line in the access-list.

There is now the router-traffic keyword which enables the Inspection of traffic generated by or bound for the router itself:-

ip inspect name DEFAULT100 tcp ip inspect name DEFAULT100 udp ip inspect name Router tcp router-traffic ip inspect name Router icmp router-traffic

You can then bind both rules to your Outside Interface:-

ip inspect DEFAULT100 in ip inspect Router out

Hope this helps.

James

inspect router-traffic

Thanks for that - very handy. Must try to keep up!

Huh! Not on 837 yet. First thing I thought to play with.

Following acording to

Nor 0n 2800, 3800.

Is on 836, 831, 851, 857, 877

It is in 12.4(3f) for 7200 but not in 12.4(10) for 2800?

Is it me or are Cisco straying from the plot?

Of course maybe fn is just broken again?

Huh! Not on 837 yet. First thing I thought to play with.

Following acording to

Nor 0n 2800, 3800.

Is on 836, 831, 851, 857, 877

It is in 12.4(3f) for 7200 but not in 12.4(10) for 2800?

Is it me or are Cisco straying from the plot?

Of course maybe fn is just broken again?

I am using it on 1760's and 2621's. Strange that it's not on the other platforms?

James

snipped-for-privacy@hotmail.co.uk wrote: