07-18-2010 12:16 PM - edited 03-11-2019 11:12 AM
Hi,
I got a Cisco 877W set up and have problems with the firewall setup using Cisco Configuration Professional.
I am new to the security field, so I decided to use CCP to configure the firewall. I would like to block all traffic from the internet and allow all traffic originating inside the LAN; I do not care which traffic is originating, as I consider the LAN to be completely trusted.
After I configured the default template of Low Security my connection dropped dramatically: from a 10Mbps ADSL connection that I fully utilized, I started getting 150kbps just after I enabled the firewall.
I checked the router's CPU and it showed peaks of up to 87% (usually it was jumping around between 20% and 87%).
I turned the firewall off since I need to use my connection, but am I missing something? How come my $20 D-Link router blocks incoming traffic from the internet and performs well, while my pricey 877W can't run the firewall?
If I drop the zone-based firewall and go back to the classic one, will it be better?
Thanks a lot!
07-18-2010 09:41 PM
I think for your setup the classic firewall makes sense.
Since you need to block everything from the WAN and allow everything from the LAN, I think CBAC or the classic firewall should be enough to begin with.
07-19-2010 12:13 AM
Hey Jathaval,
I indeed used CBAC eventually and got it working, but got some weird results while trying to do so.
At first I set up these rules:
ip inspect name FIREWALL_RULES dns
ip inspect name FIREWALL_RULES ftp
ip inspect name FIREWALL_RULES http
ip inspect name FIREWALL_RULES https
ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES imap
ip inspect name FIREWALL_RULES smtp
ip inspect name FIREWALL_RULES pop3
ip inspect name FIREWALL_RULES tftp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp
But I got the same behavior as I did with the ZBF: my bandwidth usage dropped to 10%.
Eventually I left it with:
ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp
And then it started behaving normally.
But I don't get it. Let's say I wanted to do some VoIP classifications. According to the results above, if I started to match protocols and classify them, the traffic would drop dramatically and both the web traffic and the VoIP traffic would be useless (I didn't check the delays, but I bet they suffered too).
How come Cisco manufactures a SOHO product that can't handle more than 3 classifications? Luckily it does what I need it to.
Oren.
07-19-2010 12:16 AM
I think the issue is caused by inspecting http and https.
Can you disable them and verify the results again with the rest of the inspections?
07-19-2010 12:53 AM
Yep, you are dead on. And since I don't use HTTPS that often, it's probably the HTTP. Wow, that is very shameful, isn't it?
Luckily I don't do classification between HTTP and other traffic, or my connection would be very bad...
I got two questions though:
1. Do I need all the other inspection rules? Since most of them are TCP & UDP anyway, won't it be enough to inspect those?
2. Does the order of the inspections matter? Does it behave like an ACL, where once it identifies something as one of the inspections it stops inspecting?
Thanks!
07-19-2010 01:04 AM
Choosing inspection rules is your choice, depending on what you need.
For example, you might or might not need ftp, depending on whether it is active or passive.
But http is definitely not advisable, because it will lead to slowing of traffic, especially if your line has a lot of out-of-order packets.
As far as layer 7 inspections are concerned, you will need them only if the server/client on the outside needs to open any ports.
With CBAC your options are as such limited to basic inspection, so I think you can probably continue with just icmp, tcp and udp, and if there is a requirement you can use layer 7 inspection for ftp or voice or something like that.
Hope this answers your questions; if so, I request you to mark this as answered for the benefit of the other users.
07-19-2010 01:16 AM
Hey Jathaval,
Thank you very much for the help!
One last question I have regarding this issue: does the inspection list behave like an ACL, and does the order matter?
If one inspection rule is matched, does it continue inspecting or does it stop going through the inspection list?
Thanks again,
Oren.
07-19-2010 01:28 AM
I think such a situation will never arise, because if we are talking about layer 3-4 it will be tcp or udp,
and at layer 7 http, ftp, smtp etc.
So the question of order doesn't arise, as each rule is unique.
07-19-2010 01:33 AM
Fair enough.
Thank you very much for your kind help, I really appreciate it!
07-19-2010 01:37 AM
Hi Oren, I just confirmed with one of my colleagues and I
would like to correct myself:
the order does matter.
More specific ones first and then general ones,
so layer 7 first and then layer 4 like tcp/udp.
So it does go like an access-list: if it finds the match in the first rule, it will not look at the others.
inspect tcp
inspect http
inspect http has no effect
inspect http
inspect ftp
inspect tcp
Sorry for the confusion.
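As an added example that is not from anyone in this thread: the pieces around Oren's `ip inspect name FIREWALL_RULES` list that turn it into the setup he described (trust the LAN, drop everything unsolicited from the internet), with the layer 7 entry placed before the generic tcp/udp entries as advised above and http left out because of the CPU cost seen in the thread. The interface name `Dialer0` and the ACL number 101 are assumptions, not values from the thread; on an 877W the ADSL side is typically a Dialer interface, but check `show ip interface brief` on the actual box.

```cisco
! Added example, not from the thread. Interface name and ACL number
! are assumptions; adjust to the real configuration.
!
! Inspection list: layer 7 entry first, generic tcp/udp last
! (the ordering advice given in the thread). No http inspection,
! since that was the entry that pushed the 877W's CPU to 87%.
ip inspect name FIREWALL_RULES ftp
ip inspect name FIREWALL_RULES icmp
ip inspect name FIREWALL_RULES tcp
ip inspect name FIREWALL_RULES udp
!
! Inbound ACL on the WAN side. CBAC adds temporary permit entries
! for return traffic of sessions that started on the LAN; anything
! else is denied and logged, so the hit count on this line is the
! first place to look for unsolicited inbound connection attempts.
access-list 101 deny ip any any log
!
interface Dialer0
 description ADSL to ISP (assumed interface name)
 ip access-group 101 in
 ip inspect FIREWALL_RULES out
!
! Verification after enabling it:
!   show ip inspect sessions     - LAN-originated flows currently tracked
!   show ip inspect statistics   - per-protocol inspection counters
!   show access-lists 101        - hit count on the inbound deny
!   show processes cpu sorted    - confirm CPU stays sane under load
```

The inspection is applied outbound on the WAN interface and the deny-all ACL inbound on the same interface, which is the classic CBAC pairing; applying the inspection inbound on the LAN interface instead is equivalent. If CPU climbs again after a change, `show processes cpu sorted` will show whether the inspection process is the one consuming it, which is the same symptom Oren diagnosed by removing entries one at a time.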
07-19-2010 02:16 AM
That makes more sense.
Thank you, and thank your colleague too.
Oren.