IPS/ACL/ZBF precedence on IOS router

darthnul
Level 1

I have a number of 891 routers deployed for VPN connectivity to a central site. The routers have an ACL as well as zone-based firewalling and IPS/IPS configured on their public interfaces. They are running IOS universal 15.1.1. They have been up for over six months.

Last week I started getting logs like this from the IPS instance:

Jan 12 09:51:21 ss260 378: Jan 12 15:51:20.551: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [Source-that I can't identify-IP:25 -> MY-ROUTER-IP:25] VRF:NONE RiskRating:100

I know that the interface ACL is processed before the ZBF. I've been assuming that IPS happens after the ACL as well, but this packet should never have gotten past my ACL. The ACL allows only ESP, IKE, SSH and pings, and then only if they come from about half a dozen source IPs. The source of the trigger packet is NOT among those allowed.

Because my ACL doesn't allow any un-encrypted traffic (other than some pings that I generate), I was not really expecting the IPS instance to see anything likely to trigger an alert, and up until last week, that was true.

So far all the logs are for the same SYN/FIN signature. Is this a special case type signature for some reason or can I expect to see alerts every time a packet that the ACL is going to block anyway, matches a signature?

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Hi,

First off, I noticed that the packets dropped by IPS have both source and destination port of 25 - odd ;-)

If you're interested in the order of operation with the new CEF code, you can check "show cef interface INTERFACE_NAME IFC_NUMBER". This is reliable and lists the features in the order they are done, but maybe in more detail than you'd need ;-)

Router#sh cef interface fa0/0
FastEthernet0/0 is down (if_number 4)
  Corresponding hwidb fast_if_number 4
  Corresponding hwidb firstsw->if_number 4
  Internet address is 10.1.1.1/24
  ICMP redirects are always sent
  Per packet load-sharing is disabled
  IP unicast RPF check is disabled
  Input features: Access List
  Output features: Firewall (NAT), Firewall (inspect)
  Inbound access list is 101
  Outbound access list is not set
  IP policy routing is disabled
  BGP based policy accounting on input is disabled
  BGP based policy accounting on output is disabled
  Hardware idb is FastEthernet0/0
  Fast switching type 1, interface type 18
  IP CEF switching enabled
  IP CEF switching turbo vector
  IP CEF turbo switching turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0x1, Output fast flags 0x0
  ifindex 3(3)
  Slot  Slot unit 0 VC -1
  Transmit limit accumulator 0x0 (0x0)
  IP MTU 1500

HTH,

Marcin


2 Replies


Thanks Marcin!

I ran the command and it (unfortunately) shows that IPS is evaluated before the ACL:

GigabitEthernet0 is up (if_number 12)
  Corresponding hwidb fast_if_number 12
  Corresponding hwidb firstsw->if_number 12
  Internet address is 173.84.169.126/30
  ICMP redirects are never sent
  Per packet load-sharing is disabled
  IP unicast RPF check is disabled
  Input features: Stateless IN IPS (Atomic), Access List, IPSec input classification, Post Crypto IPS Atomic
  Output features: IPSec output classification, CCE Post NAT Classification, Firewall (firewall component), IPSec: to crypto engine, Post-encryption output features
  IP policy routing is disabled
  BGP based policy accounting on input is disabled
  BGP based policy accounting on output is disabled
  Hardware idb is GigabitEthernet0
  Fast switching type 1, interface type 27
  IP CEF switching enabled
  IP CEF switching turbo vector
  IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
  Input fast flags 0xA1, Output fast flags 0x400
  ifindex 12(12)
  Slot  Slot unit 0 VC -1
  IP MTU 1452

I really wish IPS happened AFTER the ACL because I get paged every time any router logs an IPS signature match.

Thanks ...jgm
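With a fleet of routers it is tedious to eyeball "show cef interface" on each one, so here is an added example (not code from the thread or from Cisco) that parses the "Input features:" / "Output features:" lines as IOS prints them and reports whether any IPS feature sits ahead of the interface ACL in the input path, which is exactly what the second output above shows. The two sample outputs are constructed from the outputs quoted in the thread, trimmed to the lines the parser needs; the feature-name matching (a whole-word "IPS", so that "IPSec input classification" is not counted) is an assumption about how IOS labels these features and should be checked against your own platform's output.

```python
"""Parse IOS 'show cef interface' output and check feature ordering.

Added example, not from the thread: given the text of 'show cef interface',
report the ordered input/output feature lists and flag interfaces where an
IPS feature runs before the inbound access list.
"""
import re
from typing import Dict, List

# Constructed samples, abridged from the two outputs quoted in the thread.
MARCIN_OUTPUT = """Router#sh cef interface fa0/0
FastEthernet0/0 is down (if_number 4)
  Internet address is 10.1.1.1/24
  Input features: Access List
  Output features: Firewall (NAT), Firewall (inspect)
  Inbound access list is 101
  Outbound access list is not set
"""

JGM_OUTPUT = """GigabitEthernet0 is up (if_number 12)
  Internet address is 173.84.169.126/30
  Input features: Stateless IN IPS (Atomic), Access List, IPSec input classification, Post Crypto IPS Atomic
  Output features: IPSec output classification, CCE Post NAT Classification, Firewall (firewall component), IPSec: to crypto engine, Post-encryption output features
"""

_IFACE_RE = re.compile(r"^(\S+) is (?:up|down)", re.MULTILINE)
_FEATURE_RE = re.compile(r"^\s*(Input|Output) features:\s*(.*?)\s*$", re.MULTILINE)
# Whole-word "IPS" only: "IPSec ..." entries are crypto classification, not IPS.
_IPS_RE = re.compile(r"\bIPS\b")


def parse_cef_interface(text: str) -> Dict[str, object]:
    """Return the interface name plus ordered input/output feature lists.

    IOS prints the features comma-separated, in the order they are applied,
    so list order is the processing order.
    """
    iface = _IFACE_RE.search(text)
    result: Dict[str, object] = {
        "interface": iface.group(1) if iface else None,
        "input": [],
        "output": [],
    }
    for direction, blob in _FEATURE_RE.findall(text):
        # Feature names never contain commas, but may contain ':' or '(...)',
        # so a plain split on ',' keeps each name intact.
        result[direction.lower()] = [f.strip() for f in blob.split(",") if f.strip()]
    return result


def pre_acl_ips_features(text: str) -> List[str]:
    """IPS input features that run before 'Access List' (empty if none or no ACL)."""
    features = parse_cef_interface(text)["input"]
    if "Access List" not in features:
        return []
    acl_index = features.index("Access List")
    return [f for f in features[:acl_index] if _IPS_RE.search(f)]


def ips_runs_before_acl(text: str) -> bool:
    """True when the input path inspects with IPS before the inbound ACL drops."""
    return bool(pre_acl_ips_features(text))


if __name__ == "__main__":
    for label, sample in (("marcin", MARCIN_OUTPUT), ("jgm", JGM_OUTPUT)):
        parsed = parse_cef_interface(sample)
        print(f"[{label}] {parsed['interface']}")
        print("  input :", " -> ".join(parsed["input"]))
        print("  output:", " -> ".join(parsed["output"]))
        print("  IPS before ACL:", ips_runs_before_acl(sample))
```

Feed it the saved output of "show cef interface <if>" from each router (for example collected over SSH) and alert only on interfaces where the check returns True; on the 891 in the thread that is the public interface, which explains why IPS sees and logs packets the ACL would have discarded.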
