01-12-2011 08:34 AM - edited 03-10-2019 05:14 AM
I have a number of 891 routers deployed for VPN connectivity to a central site. The routers have an ACL as well as zone-based firewalling and IPS/IPS configured on their public interfaces. They are running IOS universal 15.1.1. They have been up for over six months.
Last week I started getting logs like this from the IPS instance:
Jan 12 09:51:21 ss260 378: Jan 12 15:51:20.551: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [Source-that I can't identify-IP:25 -> MY-ROUTER-IP:25] VRF:NONE RiskRating:100
I know that the interface ACL is processed before the ZBF. I've been assuming that IPS happens after the ACL as well, but this packet should never have gotten past my ACL. The ACL allows only ESP, IKE, SSH and pings, and then only if they come from about half a dozen source IPs. The source of the trigger packet is NOT among those allowed.
Because my ACL doesn't allow any un-encrypted traffic (other than some pings that I generate), I was not really expecting the IPS instance to see anything likely to trigger an alert, and up until last week, that was true.
So far all the logs are for the same SYN/FIN signature. Is this a special-case type of signature for some reason, or can I expect to see alerts every time a packet that the ACL is going to block anyway matches a signature?
01-14-2011 09:12 AM
Hi,
First off, I noticed that the packets dropped by IPS have both source and destination port of 25 - odd ;-)
If you're interested in the order of operations with the new CEF code, you can check "show cef interface INTERFACE_NAME IFC_NUMBER". This is reliable and in the order they are done, but maybe in more detail than you'd need ;-)
Router#sh cef interface fa0/0
FastEthernet0/0 is down (if_number 4)
Corresponding hwidb fast_if_number 4
Corresponding hwidb firstsw->if_number 4
Internet address is 10.1.1.1/24
ICMP redirects are always sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Input features: Access List
Output features: Firewall (NAT), Firewall (inspect)
Inbound access list is 101
Outbound access list is not set
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is FastEthernet0/0
Fast switching type 1, interface type 18
IP CEF switching enabled
IP CEF switching turbo vector
IP CEF turbo switching turbo vector
IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
Input fast flags 0x1, Output fast flags 0x0
ifindex 3(3)
Slot Slot unit 0 VC -1
Transmit limit accumulator 0x0 (0x0)
IP MTU 1500
HTH,
Marcin
01-14-2011 09:38 AM
Thanks Marcin!
I ran the command and it (unfortunately) shows that IPS is evaluated before the ACL:
GigabitEthernet0 is up (if_number 12)
Corresponding hwidb fast_if_number 12
Corresponding hwidb firstsw->if_number 12
Internet address is 173.84.169.126/30
ICMP redirects are never sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Input features: Stateless IN IPS (Atomic), Access List, IPSec input classification, Post Crypto IPS Atomic
Output features: IPSec output classification, CCE Post NAT Classification, Firewall (firewall component), IPSec: to crypto engine, Post-encryption output features
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is GigabitEthernet0
Fast switching type 1, interface type 27
IP CEF switching enabled
IP CEF switching turbo vector
IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
Input fast flags 0xA1, Output fast flags 0x400
ifindex 12(12)
Slot Slot unit 0 VC -1
IP MTU 1452
I really wish IPS happened AFTER the ACL because I get paged every time any router logs an IPS signature match.
Thanks ...jgm
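Added example, not posted by either participant: a small Python parser for the "Input features:" / "Output features:" lines of the "show cef interface" output discussed in Marcin's reply, which reports for each IPS pass on the input side whether it is evaluated before or after the interface ACL. The embedded sample is the GigabitEthernet0 output quoted in the reply above, re-typed and trimmed to the lines the parser reads.

```python
import re
from typing import Dict, List, Optional

# Sample input: the GigabitEthernet0 "show cef interface" lines from the thread,
# re-typed here so the parser runs offline.
SHOW_CEF_GI0 = """\
GigabitEthernet0 is up (if_number 12)
Input features: Stateless IN IPS (Atomic), Access List, IPSec input classification, Post Crypto IPS Atomic
Output features: IPSec output classification, CCE Post NAT Classification, Firewall (firewall component), IPSec: to crypto engine, Post-encryption output features
IP policy routing is disabled
"""

FEATURE_LINE = re.compile(r"^\s*(Input|Output) features:\s*(.*)$")
# \bIPS\b matches "Stateless IN IPS (Atomic)" but not "IPSec ..." features.
IPS_FEATURE = re.compile(r"\bIPS\b")


def parse_feature_order(output: str) -> Dict[str, List[str]]:
    """Return the input and output feature lists in the order IOS applies them."""
    order: Dict[str, List[str]] = {"Input": [], "Output": []}
    for line in output.splitlines():
        m = FEATURE_LINE.match(line)
        if m:
            direction, features = m.groups()
            order[direction] = [f.strip() for f in features.split(",") if f.strip()]
    return order


def runs_before(features: List[str], first: str, second: str) -> Optional[bool]:
    """True if the feature containing `first` precedes the one containing `second`;
    None if either name is absent from the list (case-insensitive substring match)."""
    def index_of(name: str) -> Optional[int]:
        for i, f in enumerate(features):
            if name.lower() in f.lower():
                return i
        return None
    a, b = index_of(first), index_of(second)
    if a is None or b is None:
        return None
    return a < b


def ips_passes_relative_to_acl(output: str) -> Dict[str, Optional[bool]]:
    """Map each IPS input feature to True (before ACL) / False (after ACL) / None (no ACL)."""
    inbound = parse_feature_order(output)["Input"]
    return {f: runs_before(inbound, f, "Access List")
            for f in inbound if IPS_FEATURE.search(f)}


if __name__ == "__main__":
    for feature, before in ips_passes_relative_to_acl(SHOW_CEF_GI0).items():
        print(f"{feature}: {'before' if before else 'after'} the inbound ACL")
```

Pasting any router's own "show cef interface" output into the parser gives the same per-pass answer, which is the check to run when deciding whether a pre-ACL signature alert should page anyone.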