IOS CBAC is dropping already permitted packets. is it possible to exclude /32 IP from CBAC inspection?

Hello.

My router x.x.x.x, utilizing CBAC, from time to time drops packets from y.y.y.y to x.x.x.x.
x.x.x.x writes the following in the log file:
+++++++++
Nov 7 01:01:47 gate.sta17.net 998275: Nov 7 01:01:46: %FW-6-DROP_PKT: Dropping tcp session x.x.x.x:55802 y.y.y.y:443 due to RST inside current window with ip ident 24576 tcpflags 0x5014 seq.no 2217371408 ack 3597684402
+++++++++

gate router config looks like:

+++++++++
gate(config)#do sh runn | s ip inspect
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect max-incomplete high 10000
ip inspect max-incomplete low 8900
ip inspect one-minute low 8900
ip inspect one-minute high 10000
ip inspect udp idle-time 360
ip inspect dns-timeout 20
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 32
ip inspect tcp max-incomplete host 800 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 120
ip inspect tcp reassembly memory limit 512000
ip inspect tcp reassembly alarm on
ip inspect name DIAL_OUT ftp alert on audit-trail off timeout 120
ip inspect name DIAL_OUT router alert on audit-trail off timeout 120
ip inspect name DIAL_OUT tcp alert on audit-trail off timeout 120
ip inspect name DIAL_OUT udp alert on audit-trail off timeout 120
ip inspect name DIAL_OUT rtsp alert on audit-trail off timeout 120
+++++++++

where interface gi8 is the outside one, connected to the ISP:

+++++++++
gate(config)#do sh ip inspec inter
Interface Configuration
Interface GigabitEthernet8
Inbound inspection rule is not set
Outgoing inspection rule is DIAL_OUT
ftp alert is on audit-trail is off timeout 120
router alert is on audit-trail is off timeout 120
tcp alert is on audit-trail is off timeout 120
udp alert is on audit-trail is off timeout 120
rtsp alert is on audit-trail is off timeout 120
Inbound access list is DI_IN
Outgoing access list is not set

gate(config)#
+++++++++

Could you suggest what is wrong with the config above? Also, please suggest how to exclude IP y.y.y.y from x.x.x.x's CBAC inspection?

Thank you.

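Added example (not part of the original post): a small Python parser for the %FW-6-DROP_PKT lines quoted above, which decodes the tcpflags word and counts drops per source, destination and reason, so a peer that keeps triggering "RST inside current window" drops stands out in the audit trail. It assumes the tcpflags value is the raw 16-bit TCP data-offset/flags word (so 0x5014 means a 20-byte header with RST+ACK set); the sample log lines, with RFC 5737 documentation addresses, are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the %FW-6-DROP_PKT format quoted in the post.
SAMPLE_LOG = """\
Nov 7 01:01:47 gate.sta17.net 998275: Nov 7 01:01:46: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:55802 198.51.100.7:443 due to RST inside current window with ip ident 24576 tcpflags 0x5014 seq.no 2217371408 ack 3597684402
Nov 7 01:02:03 gate.sta17.net 998276: Nov 7 01:02:02: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:55810 198.51.100.7:443 due to RST inside current window with ip ident 24577 tcpflags 0x5014 seq.no 2217371500 ack 3597684410
Nov 7 01:02:09 gate.sta17.net 998277: Nov 7 01:02:08: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:55820 203.0.113.9:443 due to RST inside current window with ip ident 24578 tcpflags 0x5004 seq.no 2217371600 ack 0
"""

# Field layout of the message as it appears in the post (tcp sessions only).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ident>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+) seq\.no (?P<seq>\d+) ack (?P<ack>\d+)"
)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_tcpflags(word):
    """Assumption: 'word' is the raw 16-bit TCP offset/flags field.
    High nibble = data offset in 32-bit words; low 6 bits = flags."""
    header_len = ((word >> 12) & 0xF) * 4
    names = [name for bit, name in TCP_FLAG_BITS if word & bit]
    return header_len, names


def parse_drop_line(line):
    """Return a dict of the drop's fields, or None if the line is not a DROP_PKT."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = int(rec["flags"], 16)
    rec["hdr_len"], rec["flag_names"] = decode_tcpflags(rec["flags"])
    return rec


def summarize(log_text):
    """Parse every drop line and count drops per (src, dst, reason)."""
    records = [r for r in map(parse_drop_line, log_text.splitlines()) if r]
    by_peer = Counter((r["src"], r["dst"], r["reason"]) for r in records)
    return records, by_peer


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)[1].most_common():
        print(n, key)
```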