04-22-2003 11:42 AM - edited 03-02-2019 06:48 AM
I have a Cisco 3640 router running IOS 12.x. I wanted to make my router act as an application firewall to intercept all the connections for my web server, and I configured it like this:
ip tcp intercept list 103
access-list 103 permit tcp any host x.x.x.x1 (my web server IP address)
I did not configure any other intercept commands and left everything at the defaults.
Now when I try to browse the site x.x.x.x1 from outside, the page is not displayed. But in show tcp intercept statistics I can see an established session from the outside IP address of the system from which I am trying to browse x.x.x.x1. When I change the TCP intercept mode to watch mode,
ip tcp intercept mode watch
my site is accessible from outside. I have a PIX firewall between my router and the web server.
Can someone advise me on what mistake I am making and how to solve this problem?
Thanks in advance.
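The following is an added example of a complete TCP intercept configuration for the scenario in the post above; it is not the original poster's configuration. The server address 192.0.2.10 and the decision to protect only HTTP are assumptions. It makes the defaults the poster left implicit visible, and narrows the access list to port 80: as written in the post, permit tcp any host x.x.x.x1 makes the router intercept every TCP port on that host, not only the web service.

```ios
! Added example, not the original poster's configuration.
! Assumptions: web server is 192.0.2.10 (RFC 5737 documentation range)
! and only HTTP (port 80) should be intercepted.
!
! Intercept only the service you mean to protect. The access list decides
! which inbound TCP connection attempts TCP intercept handles at all.
access-list 103 permit tcp any host 192.0.2.10 eq www
!
ip tcp intercept list 103
!
! intercept: the router answers the client's SYN itself, completes the
!            three-way handshake, then opens its own connection to the
!            server and splices the two together.
! watch:     the router only observes the handshake; if the server has not
!            completed it within watch-timeout, the router sends a RST to
!            the server. This is the mode in which the poster's site worked.
ip tcp intercept mode intercept
!
! Timers, shown at their default values so they appear in the configuration.
! watch-timeout: seconds to wait for the handshake to complete (watch mode).
ip tcp intercept watch-timeout 30
! connection-timeout: seconds an idle established entry is kept. The default
! is 86400 (24 hours), so entries in ESTAB can remain in
! "show tcp intercept connections" for a full day.
ip tcp intercept connection-timeout 86400
! finrst-timeout: seconds a connection is kept after a FIN or RST is seen.
ip tcp intercept finrst-timeout 5
!
! Aggressive-mode thresholds (defaults). When either high value is exceeded
! the router starts dropping half-open connections, oldest first.
ip tcp intercept max-incomplete low 900
ip tcp intercept max-incomplete high 1100
ip tcp intercept one-minute low 900
ip tcp intercept one-minute high 1100
ip tcp intercept drop-mode oldest
```

To check the result, use show tcp intercept statistics for counters and mode, and show tcp intercept connections for the per-connection table with its Incomplete and Established sections. Because connection-timeout defaults to 24 hours, established entries created while the router was in intercept mode are expected to stay in that table for hours after the mode is switched back to watch; lower connection-timeout if you want them to age out sooner.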
04-22-2003 11:33 PM
Have you tried disabling CEF and fast switching in the router? The router has to process-switch the intercepted traffic.
04-23-2003 05:45 AM
Hi,
Thanks for your reply. I tried with CEF disabled and with CEF enabled, and both times the web server was not accessible from outside. How can I disable fast switching in the router?
Thanks in advance.
04-23-2003 06:23 AM
You disable fast switching on each interface individually.
04-23-2003 08:48 AM
Hi,
I entered no ip route-cache and no ip mroute-cache on all the interfaces, and in global configuration I entered no ip cef, but I still could not browse my web site when I am in intercept mode. Is there anything I am missing?
Thanks in advance.
04-23-2003 10:23 AM
Do you have ICMP allowed both ways? Are any of the sites using TCP options?
Thanks.
04-23-2003 11:18 AM
We have disabled ICMP from outside on our Cisco PIX firewall. What are TCP options?
Thanks in advance.
04-23-2003 11:23 AM
I would enable ICMP for a while and check whether things start working. TCP options are options like MSS etc. that are negotiated at startup.
Thanks.
04-23-2003 11:56 AM
I tried enabling ICMP and checked with CEF both enabled and disabled, but got the same result. I could not connect to my web server. But when I type
sh tcp intercept statistics I can see the result showing that the connection is established. When I type in sh tcp intercept connections I am able to see the connections in the established state with the source IP address from which I am trying to browse the web server. I have enabled ip verify reverse-path for both inside and outside on the Cisco PIX. Could that be an issue?
Thanks for your time.
04-24-2003 05:38 AM
I can only think of sniffing the packets and noticing where the link breaks. If you are seeing connections, it means the initial SYN and ACKs are OK. HTTP connections shouldn't be retained for a long time, though. Once the page has been transferred, these connections should terminate.
Rais.
04-25-2003 01:08 AM
For testing purposes I placed the web server outside the firewall with a public address, but still got the same result. When I enter ip tcp intercept mode watch/intercept I get the message
command accepted, interfaces with mls configured might cause inconsistent behavior
but there is no MLS configured on any of the interfaces. Can you suggest a way to sniff the packets?
Thanks in advance.
04-25-2003 05:57 AM
So you are not getting anything from show mls rp?
Can you issue no mls rp ip in global configuration mode anyway?
Thanks.
04-25-2003 09:26 AM
MLS is disabled; when I entered no mls rp ip I got a message that multilayer switching is already disabled. But when I type in sh tcp intercept connections I am seeing some connections in the established state, though they were tried 8 hours before and I have already reverted back to watch mode from intercept mode. The connections are not getting cleared automatically.
Thanks in advance for your time.