cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1190
Views
0
Helpful
12
Replies

FWSM failed to NAT icmp echo reply

hbenaouich
Level 1
Level 1

Hi,

We noticed on the border router that the private Network behind FWSM is not Nated to an external IP address. So the traffic get dropped by bogon list Here is an example:

Doesn't anyone have an insight regarding this?

Oct 2 19:26:56.263 UTC: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.x.80.80 (GigabitEthernet0 0011.bcc4.xxxx) -> 207.245.224.30 (0/0), 1 packet

Oct 2 19:26:56.263 UTC: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.x.81.101 (GigabitEthernet0 0011.bcc4.xxxx) -> 207.245.224.30 (0/0), 8 packets

Oct 2 19:27:17.071 UTC: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.x.26.10 (GigabitEthernet0 0011.bcc4.xxxx) -> 4.2.2.2 (0/0), 1 packet

Oct 2 19:30:36.176 UTC: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.x.83.90 (GigabitEthernet0 0011.bcc4.xxxx) -> 207.245.224.30 (0/0), 1 packet

12 Replies 12

Jon Marshall
Hall of Fame
Hall of Fame

Hammani

Not sure how you expect a sensible answer with the details you have provided.

If the Natting should be taking place on the FWSM then the obvious thing would to do would be to post the config of the FWSM together with details of the layout ie. is it

internal -> FWSM -> gi0 Border router -> Internet

If the above layout is correct where should the traffic be Natted to an external IP address ?

Jon

The traffic should be nated by FWSM. All traffic is NATed just fine except for these icmp echo reply that leaking through the fwsm. Is this a known bug? I am also wondering if this some kind smurf attack?

Okay, that makes more sense.

If they are echo replies then as you say this doesn't seem normal traffic.

The echo reply could not be in response to a valid echo request because these internal clients are using private RFC1918 addressing which is not routable on the internet so no echo request could have been received from the Internet for these.

I'm assuming you are not allowing ICMP echo requests from the Internet through to your internal clients anyway ?

Jon

Actually we are allowing ICMP echo request through the border routers.

I guess my concern is why the fwsm is leaking these private IPs to outside?

"Actually we are allowing ICMP echo request through the border routers."

But even if you let these through you can't route to the internal addressing from the internet. So there are 2 issues -

1) why is the FWSM not translating the internal addresses

but more importantly

2) how can the internal hosts be responding to echo requests when the echo requests could not have been routed from the internet

Perhaps i'm not understanding your topology ?

Jon

I think you get it. Have you seen this issue before?

I've seen many random echo replies coming from multiple sources. Could be a smurf attack, could be a single host generating multiple ICMP echo replies with spoofed source IP addresses.

What is confusing me is that the traffic is getting through the FWSM and not being Natted,

Is there anything between the FWSM outside and the inside interface of the border router ? So do you have the FWSM outside interface connected to a vlan and the internal border router gi0 interface connected to the same vlan with no L3 SVI for that vlan on the MSFC ?

And is that the only path for traffic to get to the border router ie. does all traffic from these internal addresses in your post have to go through the FWSM to get to the border router.

Finally are you allowing any traffic through the FWSM from the internal hosts including echo replies ?

Jon

There is an internet core between fwsm and border router. This core have no access to the internal addresses.

Yep all internal addresses have to go through fwsm to reach the internet.

Answer is yes for last question.

Sorry for all the questions.

Do you have ICMP inspection turned on on the FWSM ?

If you don't perhaps turning it on would be a good way to filter these out at he FWSM rather than the border router.

Jon

No I don't. I will turn it on.

I still don't know why the fwsm is not natting the internal IPs? If you clarify this for me that will be great!!!

"I still don't know why the fwsm is not natting the internal IPs? If you clarify this for me that will be great!!!"

Yes it's not clear to me either at the moment. Is there any way a device could be generating this traffic that is not actually behind the FWSM ?

How often are you seeing these denies on the border router and do they come from the same set of source IPs. I ask because you could then apply a temporary entry to an acl on the inside interface of the FWSM to block it. If you still see the traffic hitting the border router then you know it is not from the real devices behind the FWSM.

Unfortunately i don't have access to an FWSM so i can't test anything. Is your NAT setup for the internal clients just for any traffic ie. whatever IP traffic is sent through the FWSM will it be natted ?

Jon

We just noticed this and not as often. Yes whatever traffic is hitting the firewall should be nated.

I found this link on net and similar to the issue that I have but no answer as well.

http://www.experts-exchange.com/Networking/Misc/Q_21678792.html

Also found this

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml

Review Cisco Networking for a $25 gift card