IOS firewall - how to create an opening?

I have a 1721 router with IOS firewall that is blocking traffic as expected. The problem is that I want to create an opening so that the firewall does not block a certain IP address or UDP protocol. I already have ACL permit statements applied to the WAN & FastEthernet ports to permit the desired UDP & IPs. I have looked at all the options for the ip inspect command but don't see where I can create this exception, and I have also removed all ip inspect statements relating to UDP. Can anyone tell me how I can force the firewall to permit the below traffic without disabling the FW completely? It's the firewall that is giving me trouble, not the ACLs or my IPS.

Thanks in advance for any suggestions...

Here is the message in the log which shows that the FW is blocking my traffic:

Mar 22 14:18:35 CDT: %FW-6-DROP_UDP_PKT: Dropping udp pkt 216.115.30.200:69 => 192.168.0.75:2060 with ip ident 16221 due to Bidirectional traffic disabled

and here are the IP Inspect statements:

ip inspect log drop-pkt
ip inspect one-minute low 200
ip inspect one-minute high 300
ip inspect dns-timeout 4
ip inspect tcp idle-time 15
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 40 block-time 30
ip inspect name myfw cuseeme timeout 15
ip inspect name myfw realaudio timeout 30
ip inspect name myfw h323 timeout 3600
ip inspect name myfw icmp alert on timeout 15
ip inspect name myfw rpc program-number 100008 timeout 15
ip inspect name myfw vdolive timeout 15
ip inspect name myfw streamworks timeout 5
ip inspect name myfw sqlnet timeout 5
ip inspect name myfw skinny timeout 5
ip inspect name myfw rtsp timeout 5
ip inspect name myfw netshow timeout 30
ip inspect name myfw rcmd alert on timeout 15
ip inspect name myfw sip alert on timeout 30
ip inspect name myfw tftp timeout 5
ip inspect name myfw http timeout 30
ip inspect name myfw fragment maximum 400 timeout 30
ip inspect name myfw tcp alert on timeout 30
ip inspect name myfw telnet alert on audit-trail on
ip inspect name myfw ftp timeout 15
ip inspect name mwfw imap alert on
ip inspect name mwfw dns alert on
ip inspect name mwfw pop3 alert on

1721a#show ver
Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.4(17a), RELEASE SOFTWARE (fc2)
Technical Support:
(c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 07-Nov-07 10:52 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)


Create an exception?

You want to inspect the UDP traffic on the ingress interface so that the router will open dynamic temporary holes in the return path.

e.g.: An internal host using DNS would require an appropriate entry (ACE) in the ACL applied to the internal interface to facilitate the query to the ISP's DNS server. An entry on the WAN interface for the return traffic (DNS response) is not required IF DNS/UDP inspection is applied to the internal interface. The benefit of the inspection is that the router will open dynamic temporary holes in the return path to facilitate the return traffic from the DNS server. The inspection timeouts relate to when those holes will be closed in the absence of traffic to keep them open.

Remember that inspection must be applied to an interface. For sure, you will want to apply inspection on the internal interface. If you have traffic that is initiated from the Internet side, into your network, you will want to apply inspection on that interface as well.

Your log makes reference to: 216.115.30.200:69 => 192.168.0.75:2060

Unless you are using some non-standard ports, I assume you are dealing with TFTP (port 69).

It is important that you understand that although a command sent to a TFTP server (e.g.: write request) will use port 69 (server side), the majority of traffic (ACKs, data block transfer) resulting from TFTP operations involves packets with "both" the source and destination ports being >1023. This has ACL implications.

Also, your inspection list is huge. You don't need to inspect applications you are not using.

I am not familiar with the specific reference "Bidirectional traffic disabled" in the log.

Best regards, News Reader

X-Elim> I have a 1721 router with IOS firewall that is blocking traffic as
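The arrangement the reply describes, written out as a constructed IOS configuration (added here as an illustration; it is not the thread author's config, and the interface names FastEthernet0 for the LAN and Serial0 for the WAN, the 192.168.0.0/24 LAN from the log, and the ACL names LAN-IN and WAN-IN are assumptions). Inspection is applied inbound on the LAN interface, so the LAN ACL states what inside hosts may initiate, and the WAN ACL needs no static return entries; a `deny ip any any log` at the end of each list gives the syslog evidence the poster is after. The inspection list is trimmed to the protocols actually in use, as the reply recommends:

```cisco
! Constructed example, not the original poster's configuration.
! Assumed: FastEthernet0 = LAN (192.168.0.0/24), Serial0 = WAN.
!
! Inspect only what the LAN actually uses. Generic udp/tcp inspection opens
! the return hole for a reply that reverses the outbound 5-tuple; the tftp
! and dns entries add the application awareness those protocols need.
ip inspect log drop-pkt
ip inspect name myfw udp timeout 30
ip inspect name myfw tcp timeout 3600
ip inspect name myfw tftp timeout 5
ip inspect name myfw dns
!
! LAN-facing ACL: what inside hosts may initiate. The final deny logs every
! policy violation so it shows up in syslog.
ip access-list extended LAN-IN
 permit udp 192.168.0.0 0.0.0.255 any eq domain
 permit udp 192.168.0.0 0.0.0.255 any eq tftp
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
 deny   ip any any log
!
! WAN-facing ACL: no static openings for return traffic; inspection creates
! temporary ones. Anything unsolicited is denied and logged.
ip access-list extended WAN-IN
 deny   ip any any log
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group LAN-IN in
 ip inspect myfw in
!
interface Serial0
 ip access-group WAN-IN in
```

With this layout, a reply that the inspection engine did not expect (such as the drop in the poster's log) is recorded by `ip inspect log drop-pkt`, while a reply that arrives after the inspection hole has timed out hits WAN-IN and is logged by the ACL instead; the two message types tell you which component blocked the packet.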


I removed the command "ip inspect name myfw tftp timeout 5" and I'm no longer seeing that Bidirectional message in the log output. I just need to be able to validate the success by being able to see log messages against my permit ACLs with the "log" keyword for tftp. I also deleted all the firewall inspection rules for the stuff that I don't really need to inspect.

Thanks for the tip !!

> Create an exception?


Glad it worked out.

Syslog is very useful for diagnosing ACL issues. I frequently use "deny ip any any log" as the last ACE in interface ACLs. I then use a syslog server that is configured to filter messages with specific content (e.g.: list denied) into separate files. The mere presence of a file draws to my attention that traffic is being blocked on an interface, and depending on the interface, that may indicate that a configuration error exists.

e.g.: No traffic is allowed into our LAN interface unless the ACL permits it. If I see a syslog file for that ACL, I know something is trying to get through that violates our security policy. This is also useful when you are trying to troubleshoot attempts to implement new functionality.

The combination of syslog, and a network sniffer really helps in identifying configuration issues. Knowing what's happening on the wire eliminates most of the guessing.

Best regards, News Reader

X-Elim> I removed the command "ip inspect name myfw tftp timeout 5" and I'm no
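The per-file syslog filtering described above, as an added Python example that is not from the thread or from any syslog server product. It sorts IOS messages into one bucket per ACL that denied something plus one bucket for inspection-engine drops, and flags denies on the LAN-facing list as policy violations, which is the signal the post treats as an alarm. The sample input is constructed: the %FW line is the message quoted in the original post, the %SEC-6-IPACCESSLOGP lines are made up in the format IOS emits for ACEs carrying the `log` keyword, and the ACL names LAN-IN and WAN-IN are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input. The %FW line is the message quoted in the thread;
# the %SEC-6-IPACCESSLOGP lines are made up in the format IOS uses for ACEs
# carrying the "log" keyword; the %SYS line is noise the filter must skip.
SAMPLE_LOG = """\
Mar 22 14:18:35 CDT: %FW-6-DROP_UDP_PKT: Dropping udp pkt 216.115.30.200:69 => 192.168.0.75:2060 with ip ident 16221 due to Bidirectional traffic disabled
Mar 22 14:18:40 CDT: %SEC-6-IPACCESSLOGP: list WAN-IN denied udp 203.0.113.9(53) -> 192.168.0.75(2061), 1 packet
Mar 22 14:18:41 CDT: %SEC-6-IPACCESSLOGP: list LAN-IN denied tcp 192.168.0.23(49152) -> 198.51.100.7(445), 3 packets
Mar 22 14:18:42 CDT: %SEC-6-IPACCESSLOGP: list LAN-IN permitted udp 192.168.0.75(2060) -> 216.115.30.200(69), 1 packet
Mar 22 14:18:43 CDT: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# ACL hits produced by the "log" keyword on an ACE (TCP/UDP form).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)
# Packets dropped by the inspection engine itself ("ip inspect log drop-pkt").
FW_RE = re.compile(
    r"%FW-\d-DROP_(?P<proto>[A-Z]+)_PKT: Dropping \w+ pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*? due to (?P<reason>.+)$"
)


def parse_line(line):
    """Return a dict describing one ACL or inspection event, or None."""
    m = ACL_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "acl"
        ev["count"] = int(ev["count"])
        return ev
    m = FW_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "inspect-drop"
        ev["proto"] = ev["proto"].lower()
        ev["count"] = 1
        return ev
    return None


def route_events(text):
    """Bucket events the way the per-file syslog filter in the post does:
    one bucket per ACL that denied something ("list <name> denied") and one
    for inspection drops. Permitted hits and unrelated messages are skipped,
    so a bucket only exists when something was actually blocked."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or (ev["kind"] == "acl" and ev["action"] != "denied"):
            continue
        key = "list %s denied" % ev["acl"] if ev["kind"] == "acl" else "inspect-drop"
        buckets[key].append(ev)
    return dict(buckets)


def policy_violations(buckets, trusted_lists=("LAN-IN",)):
    """Denies on an internal-facing ACL mean an inside host tried something
    the policy does not allow. Returns (src, dst, dport, packets) tuples."""
    hits = []
    for name in trusted_lists:
        for ev in buckets.get("list %s denied" % name, []):
            hits.append((ev["src"], ev["dst"], ev["dport"], ev["count"]))
    return hits


if __name__ == "__main__":
    b = route_events(SAMPLE_LOG)
    for key, events in sorted(b.items()):
        print("%s: %d event(s)" % (key, len(events)))
    for src, dst, dport, n in policy_violations(b):
        print("internal policy violation: %s -> %s/%s (%d pkt)" % (src, dst, dport, n))
```

Keying the buckets on the ACL name and action mirrors the "filter messages with specific content into separate files" approach: the mere existence of a `list LAN-IN denied` bucket is the alert, and the `inspect-drop` bucket separates firewall-engine drops (like the poster's Bidirectional message) from plain ACL denies, so you can tell which of the two blocked a packet.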

