Cisco IOS Zone Firewall Logging: Not logging everything as expected

teatrodelsogno
Level 1

Hi all,

I have one strange problem on my router 1801w with 12.4 Advanced IOS.

I've enabled the Zone security firewall and it's working very well for better control of the traffic in my network.

-----Problem1

BTW I noticed an unexpected behavior in my drop class-default log policy. What I mean:

---Taking one class map like this:

class-map type inspect match-any internet-VIP-class
 description ---Class-map for match most of protocol for internet destination for VIP users---
 match protocol ftp
 match protocol ftps
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol user-apple

---Associated with one policy-map:

policy-map type inspect TRUST-to-OUTSIDE-policy
 class type inspect internet-VIP-class
  inspect
 class class-default
  drop log

---Associated with interfaces and zone pairs:

zone-pair security TRUST-Internet-access source TRUST destination OUTSIDE
 service-policy type inspect TRUST-to-OUTSIDE-policy

interface Dialer
 ip nat outside
 zone-member security OUTSIDE

interface Vlan30
 description DATA
 ip address 10.30.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security TRUST

---Problem?

%FW-6-DROP_PKT: Dropping udp session publicipx.x.x.x:6881 87.9.135.56:28304 on zone-pair TRUST-Internet-access class class-default due to  policy match failure with ip ident 0

FW-6-DROP_PKT: Dropping udp session publicipx.x.x.x:37356 118.163.30.162:443 on zone-pair TRUST-Internet-access class class-default due to  policy match failure with ip ident 1

---Problem description:

I was expecting to find the internal TRUST IP address. Maybe the post-NAT address (ip nat outside) appears in the log.

Is there any way to switch the logging to show the internal IP address?

-----Problem2

Still considering the information above. I've created some other zones, for example:

policy-map type inspect OUTSIDE-to-SELF-policy
 class type inspect OUTSIDE-self
  inspect
 class class-default
  drop log

class-map type inspect match-any OUTSIDE-self
 match access-group name outside_access_in

Extended IP access list outside_access_in
    5 permit tcp x.x.x.x 0.0.0.255 any eq 22 (2 matches)
    20 permit udp x.x.x.x any eq non500-isakmp (7 matches)
    30 permit udp x.x.x.x. any eq isakmp (5 matches)

---Problem description:

BTW, in the logging there is NO entry if (for example) I try to perform some ssh, http or other traffic not included in the access-list linked to the class-map.

Why? Why am I able to see almost everything connected to the Problem 1 logs, and nothing from the other policy map with the same class drop log configured?

Some bug or limited resources on my 1801?

If you have any suggestion or other question, let me know.

Regards in advance

Matteo
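As an added example (not from the original post and not Cisco code), here is a small Python parser for the %FW-6-DROP_PKT lines quoted above. It pulls out the zone-pair, class and the 5-tuple, classifies whether the logged source address is private or public (the Problem 1 observation that the source shows as the post-NAT address), and counts drops per zone-pair so that a zone-pair whose class-default has `drop log` but never appears in syslog stands out (the Problem 2 symptom). The sample feed is constructed from the two lines in the post (source masked by the poster as `publicipx.x.x.x`) plus one made-up line with a private source; the zone-pair name `OUTSIDE-to-SELF-access` is an assumption, since the post only gives the policy-map name.

```python
import ipaddress
import re
from collections import Counter

# Message layout taken from the two %FW-6-DROP_PKT lines quoted in the post.
# One quoted line lacks the leading '%', so it is optional here.
DROP_RE = re.compile(
    r"%?FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

# Constructed sample feed: the two lines from the post plus one made-up line
# (10.30.30.25 is an invented host in the post's Vlan30 subnet).
SAMPLE_LOG = """\
%FW-6-DROP_PKT: Dropping udp session publicipx.x.x.x:6881 87.9.135.56:28304 on zone-pair TRUST-Internet-access class class-default due to  policy match failure with ip ident 0
FW-6-DROP_PKT: Dropping udp session publicipx.x.x.x:37356 118.163.30.162:443 on zone-pair TRUST-Internet-access class class-default due to  policy match failure with ip ident 1
%FW-6-DROP_PKT: Dropping tcp session 10.30.30.25:51022 203.0.113.9:8080 on zone-pair TRUST-Internet-access class class-default due to  policy match failure with ip ident 2
"""


def address_kind(addr):
    """Classify a logged address: 'private' (RFC 1918 and similar), 'public',
    or 'masked' for placeholders such as the poster's 'publicipx.x.x.x'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "masked"
    return "private" if ip.is_private else "public"


def parse_drop(line):
    """Return a dict of fields for one DROP_PKT line, or None if it is not one."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident"):
        rec[key] = int(rec[key])
    # A 'public' source on a TRUST->OUTSIDE zone-pair means the log shows the
    # post-NAT (PAT) address rather than the inside host.
    rec["src_kind"] = address_kind(rec["src"])
    return rec


def summarize(log_text, expected_zone_pairs):
    """Count drops per zone-pair and report expected pairs with no drops at all.

    expected_zone_pairs lists every zone-pair whose policy has 'drop log';
    any of them missing from the feed is worth investigating (Problem 2).
    """
    records = [r for r in (parse_drop(l) for l in log_text.splitlines()) if r]
    per_pair = Counter(r["zone_pair"] for r in records)
    silent = [zp for zp in expected_zone_pairs if per_pair[zp] == 0]
    return {
        "records": records,
        "per_zone_pair": dict(per_pair),
        "silent_zone_pairs": silent,
    }


if __name__ == "__main__":
    # 'OUTSIDE-to-SELF-access' is an assumed zone-pair name (not in the post).
    result = summarize(SAMPLE_LOG, ["TRUST-Internet-access", "OUTSIDE-to-SELF-access"])
    for r in result["records"]:
        print(f'{r["zone_pair"]:22} {r["proto"]} {r["src"]}:{r["sport"]} '
              f'-> {r["dst"]}:{r["dport"]}  src={r["src_kind"]}')
    print("drops per zone-pair:", result["per_zone_pair"])
    print("zone-pairs with 'drop log' but no drops seen:", result["silent_zone_pairs"])
```

Feeding real syslog output through `summarize` with the full list of zone-pairs that carry `drop log` gives a quick check of which policies are actually producing drop messages; a source classified as `public` on an inside-to-outside zone-pair confirms the post-NAT address is what is being logged.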


Andre Neethling
Level 4

Hi.

With Problem 1... do you have SSL VPN configured? Or are your users doing SSL VPN connections out?

With Problem 2... Is the IP addressing you specify in the ACL private addressing? Or is the connection you are expecting coming from a specific IP range on the OUTSIDE?

Hi,

1) I've configured VPN Client IPsec. The VPN Virtual-Template interfaces BTW belong to another zone (VPN).

2) NO, for sure from the outside the source configured is the "public one".

Many regards meanwhile.

Ok.

It could be that there is an SSL VPN connection from your network. To test, can you try matching DTLS in your VIP class map? If you don't find it in the protocol list, then try matching udp 443 in an ACL. See if the drop messages disappear.

Then on your outside-to-self policy... is your IPsec VPN working?

Hi,

Yes, VPN is working well (allowed isakmp and nat-t udp ports...).

If I try to connect from another public IP address, the connection is dropped but NO logs are forwarded to the syslog or to the console. That's strange... I'm starting to think it's some bug...
I also suspect full RAM, but I have some memory free all the same, and this doesn't always happen (new 256MB is coming BTW...).

And... the other issue is strange too (maybe we have a misunderstanding about the issues).

As you can see in the logs, I have [PUBLIC IP address:source port -> public destination...]

I was expecting [PRIVATE IP address:source port -> public destination]

What do you think about that too?

Many regards

In the log, is the one public IP your router IP? If so, then it is correct.

Yes! Correct.

Ok, maybe I didn't get how IOS properly works on it... But I was expecting that the "inside" IP address was reported (10.x.x.x in my case)... Otherwise it is more complicated to understand which inside IP address is generating that traffic if only the "PAT" address is shown.

Does that mean that the Zone firewall, in case overload NAT is configured, must show the post-NAT address?

Still some misunderstanding about Problem 2...

From outside to the router itself, any other connections are not logged on the system.

Regards
