topic Re: Router Firewall Question in Network Security

Router Firewall Question

bbeal — Mon, 11 Mar 2019 10:05:02 GMT

I have a 2801 connected to the Internet running the Firewall Feature Set. Version is 12.3(8r)T8. I keep getting log messages that the router has denied access from some random webservers from Port 80. We are running NAT Overload and when I show the NAT translations, that Port is not in the translate table for that traffic. In other words, it almost looks like the router is denying return web traffic, but that port is not seen by the router as "established" traffic. Anyone have any ideas? Thanks.

Re: Router Firewall Question

Chandramohan Nagarajah — Thu, 26 Apr 2007 18:03:45 GMT

Do you have this command on your outside interface:

ip inspect FW-INSPECT out

Re: Router Firewall Question

bbeal — Thu, 26 Apr 2007 18:29:36 GMT

Yes, there is an inspect for TCP, so it should allow returning web traffic. Also, access to outside web servers seems to work, although I am curious to find out if some web access is failing.

Re: Router Firewall Question

oabduo983 — Thu, 26 Apr 2007 18:33:33 GMT

Do you have any ip port-map commands? do you have any port redirection commnds? Can you post your configuration?

Re: Router Firewall Question

bbeal — Thu, 26 Apr 2007 19:02:59 GMT

There is lots of port redirection on this router, but not on the NAT Overload IP address. Unfortunately, I can't post the whole config as there are some serious security issues that need to be addressed. Let me know if there are some specific parts that would be helpful to share.

Re: Router Firewall Question

bbeal — Thu, 26 Apr 2007 20:09:24 GMT

Here is an example of the log messages we get 2 or 3 times a minute. The from address is a valid web site. I changed the NAT Overload address to protect the innocent:

995990: Apr 26 20:56:20.315: %SEC-6-IPACCESSLOGP: list 105 denied tcp 170.107.179.50(80) -> 192.168.1.136(1900), 1 packet