topic Re: Possible IOS Firewall inspection problem in Network Security

Possible IOS Firewall inspection problem

Federico Coto Fajardo — Mon, 11 Mar 2019 16:56:55 GMT

Hi All,

I have two Routers running HSRP on the inside interfaces (LAN interfaces) tracking the outside interfaces (ISP interfaces). I have both routers handling both connections (two ISPs)

So, basically the configuration is as follows (for the primary router, the secondary router is the same):

######################################################################

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW http
ip inspect name FW https
ip inspect name FW dns
ip inspect name FW esmtp
ip inspect name FW pop3
ip inspect name FW imap
ip inspect name FW bootpc
ip inspect name FW bootps
ip inspect name FW ms-sql
ip inspect name FW ftp
ip inspect name FW ipsec-msft
ip inspect name FW isakmp

interface GigabitEthernet0/1

description PRIMARY_ISP

ip address 201.195.231.154 255.255.255.240

ip nat outside
ip inspect FW in

ip inspect FW out

ip access-group METRO_IN

interface GigabitEthernet0/0

description SECONDARY_ISP
ip address 201.195.91.54 255.255.255.240
ip nat outside
ip inspect FW in

ip inspect FW out

ip access-group ACL_GSHDSL_IN

interface FastEthernet0/0/0
ip address 192.168.100.6 255.255.255.0
ip nat inside

ip inspect FW in

ip inspect FW out
standby 1 ip 192.168.100.5
standby 1 priority 115
standby 1 preempt
standby 1 track GigabitEthernet0/1 5
standby 1 track GigabitEthernet0/0 5

ip nat inside source static 192.168.2.175 201.195.91.50
ip nat inside source static 192.168.2.177 201.195.91.51
ip nat inside source static 192.168.2.178 201.195.91.52
ip nat inside source static 192.168.2.179 201.195.91.53

ip nat inside source static 192.168.2.75 201.195.231.150
ip nat inside source static 192.168.2.77 201.195.231.151
ip nat inside source static 192.168.2.78 201.195.231.152
ip nat inside source static 192.168.2.79 201.195.231.153

ip nat inside source route-map METRO interface GigabitEthernet0/1 overload
ip nat inside source route-map SHDSL interface GigabitEthernet0/0 overload

route-map METRO permit 10
match ip address ACL_METRO
match interface GigabitEthernet0/1

route-map SHDSL permit 10
match ip address ACL_SHDSL
match interface GigabitEthernet0/0

ip access-list extended ACL_METRO
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

ip access-list extended ACL_SHDSL
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any

ip sla 1
icmp-echo 201.195.231.145
threshold 2000
frequency 5
ip sla schedule 1 life forever start-time now

ip sla 3
icmp-echo 201.195.91.49
threshold 2000
frequency 5
ip sla schedule 3 life forever start-time now

track 100 ip sla 1 reachability
track 300 ip sla 3 reachability

ip route 0.0.0.0 0.0.0.0 201.195.231.145 10 track 100
ip route 0.0.0.0 0.0.0.0 201.195.91.49 20 track 300

######################################################################

So, connection to the Internet is fine (no problems)....

Everybody, gets out to the Internet using the primary METRO ISP.

The problem is with clients from the Internet accesing our internal servers.

For example, clients try to reach the servers and they either get a very slow response or no response at all.

If I remove the access-list from the ISP interfaces, and the inspection rules, then everything works fine.

If I add again the access-list it works fine.

When I add the inspection rules, is when the problem starts.

My question is: Would it be possible that since the clients connect from the outside via either ISP, the inspection sessions on the router are causing these problems?

Any suggestions are appreciated!!!

Federico.

Re: Possible IOS Firewall inspection problem

Kureli Sankar — Wed, 13 Jan 2010 00:32:25 GMT

I am not sure why you would have inspection applied IN and OUT on all interfaces.

ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp

Usually it is either applied IN on the inside interface or OUT on the outside interface. Is there a way you can try to remove inspection on the inside interface F0/0/0 and see if that helps?

You can also reduce the inspections and leave it at the minimum above.

-KS

Re: Possible IOS Firewall inspection problem

Federico Coto Fajardo — Wed, 13 Jan 2010 04:50:45 GMT

I'm not sure why the inspection works only if I applied both inbound and outbound on the same interface.

Actually, I don't intend to inspect the incoming traffic from the Internet, only the outbound traffic.... but if I only apply the inspection in one direction, it won't work (not sure if it's a bug or something).......

That's a good point that I need to figure out.... besides that... do you think that having the inspection for the two ISP connections could be causing the problem for the incoming traffic?

Thank you.

Federico.

Re: Possible IOS Firewall inspection problem

Federico Coto Fajardo — Wed, 13 Jan 2010 19:20:39 GMT

Hey!

I think I've found the problem (not 100% sure yet)....

Traffic to the Internet is working fine throught the HSRP active router (either the primary or secondary).

But, incoming traffic from the Internet to the servers was the problem.

So, I started to see a lot of duplicate IP addresses messages on both routers (there are no duplicate addresses).....

What is happening is that, traffic coming from the Internet could enter either router to reach the servers.... For instance, I have the following static NAT on both routers:

Router(config)# ip nat inside source static 192.168.2.175 201.195.91.50

So, when clients from the Internet try to reach that server, they can reach it via both routers..... I'm not running BGP with my ISPs or controlling how the traffic enters the network (solely based on DNS). Since both routers have the same static NAT (even though one is the active HSRP one), traffic could enter via both routers.

And there's my problem. As soon as I removed the static NAT statements from the secondary router, everything works perfectly on the primary one.

My question then is..... how do I get to have two routers receiving two ISPs (having one as active HSRP) but controlling how the incoming traffic is handled? Or perhaps not controlling the incoming traffic? But how do I make this work?

Thank you!

Federico.

Re: Possible IOS Firewall inspection problem

Federico Coto Fajardo — Wed, 13 Jan 2010 20:24:43 GMT

Something called SNAT would work???

Stateful NAT???

Best Regards,

Federico.