877w ZBFW issues

csc.nes-wa — Mon, 11 Mar 2019 23:17:10 GMT

Hi,

I am having a few issues since changing from a cbac firewall to a zone based firewall running on a Cisco 877w IOS:

c870-advipservicesk9-mz.124-24.T6.bin

1. Enabling http layer 7 inspection stops certain websites and downloads working. As a work around I have just enabled layer 3/4 inspection

In my config if I enable the following then it breaks certain websites and downloads:

class-map type inspect match-all cm_http

match protocol http

match access-group name zInternal_Subnets

2. I am seeing strange traffic being dropped from port 0 to port 3? This happens quite frequently, and it generally coincides with opening fatrat which is a download manager and bit torrent client. The only info I can find on this port is:

Port(s)	Protocol	Service	Details	Source
3	tcp,udp	compressnet	SynDrop trojan uses this port. Delta Force also uses port 3 (TCP). IANA assigned for: Compression Process Port also used by: Midnight Commander	SG
3	tcp,udp		Compression Process (official)	Wikipedia
3	tcp,udp	compressnet	Compression Process	IANA
3	tcp,udp	compressnet	Midnight Commander Sometimes this program is assigned to this port

Could be a trojan or related to compression process? - what I would like to know is whether or not I should be allowing this through the firewall, ie if it's used in compressing data between clients then that could be quite usefull!?

eg:

4049: [syslog@9 s_sn="4049"]: 004043: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.6:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4050: [syslog@9 s_sn="4050"]: 004044: %FW-6-LOG_SUMMARY: 1 packet were dropped from 118.4.250.164:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4051: [syslog@9 s_sn="4051"]: 004045: %FW-6-LOG_SUMMARY: 1 packet were dropped from 190.229.222.76:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4052: [syslog@9 s_sn="4052"]: 004046: %FW-6-LOG_SUMMARY: 1 packet were dropped from 180.180.81.94:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4053: [syslog@9 s_sn="4053"]: 004047: %FW-6-LOG_SUMMARY: 1 packet were dropped from 122.125.91.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4054: [syslog@9 s_sn="4054"]: 004048: %FW-6-LOG_SUMMARY: 1 packet were dropped from 63.142.161.35:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
4055: [syslog@9 s_sn="4055"]: 004049: %FW-6-LOG_SUMMARY: 1 packet were dropped from 91.205.69.186:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)

3. Lastly I am also getting a lot of dropped packets:

%FW-6-DROP_PKT: Dropping tcp session 10.10.0.2:34445 216.137.55.60:443  due to  RST inside current window with ip ident 0 
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:64664 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46151 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:60092 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 178.111.60.151:55755 => 10.10.0.10:40760 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 112.208.244.186:445 => 112.208.32.251:46620 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 113.160.85.70:0 => 10.5.0.3:3 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)
%FW-6-DROP_PKT: Dropping tcp session 118.215.189.177:443 10.10.0.3:40047 on zone-pair ZP_out_nat class class-default due to  DROP action found in policy-map with ip ident 0 
%FW-6-DROP_PKT: Dropping tcp session 118.215.178.110:443 10.10.0.3:52182  due to  Stray Segment with ip ident 0 
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:40047 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 118.215.189.177:443 => 10.10.0.3:39282 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:51745 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:33809 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:44424 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:37326 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:57595 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)
%FW-6-LOG_SUMMARY: 3 packets were dropped from 112.208.244.186:58464 => 85.200.97.32:65477 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)
%FW-6-LOG_SUMMARY: 2 packets were dropped from 118.215.178.110:443 => 10.10.0.3:45402 (target:class)-(ZP_out_nat:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 112.208.244.186:40047 => 118.215.189.177:443 (target:class)-(ZP_self_out:inspect_self_OUTBOUND)

I have attached my config also - if someone could help me out with any or all of the above would be much appreciated.

Regards,

Peter

877w ZBFW issues

mightymouse2045 — Sat, 09 Jun 2012 01:29:09 GMT

I have downgraded to c870-advipservicesk9-mz.124-20.T3.bin as per the suggestion from this thread https://supportforums.cisco.com/thread/2089462 and this has resolved problem 1, with http inspection enabled all traffic is working as expected.

I will try upgrading one release at time and see what IOS version starts causing this problem and report back

I still have problems with 2 & 3 however. So any answers/suggestions regarding those would be appreciated

877w ZBFW issues

Henrik Grankvist — Sat, 09 Jun 2012 19:56:00 GMT

For problem 2&3: Are you having problems with some applications not working properly? Because for what I can see 95% of the dropped packets are from outside to the inside... which is good, the firewall is doing its work.

But for this for example:

"%FW-6-LOG_SUMMARY: 1 packet were dropped from 10.5.0.3:32856 => 98.137.129.181:80 (target:class)-(ZP_OUTBOUND:cm_generic_traffic)"

The packet is being dropped from inside to outside by a policy-map that is inspecting... I don't have an answer for that.

877w ZBFW issues

mightymouse2045 — Sun, 10 Jun 2012 11:04:39 GMT

Hey Henrik,

Yeah I have a problem uploading from within fatrat bit torrent client.... I can download but can't upload.

As I said the connections to port :3, are coinciding with opening fatrat.

As far as the configuration is concerned it looks fine to you?

topic 877w ZBFW issues in Network Security

877w ZBFW issues

877w ZBFW issues

877w ZBFW issues

877w ZBFW issues