04-27-2003 09:05 PM - edited 03-02-2019 06:57 AM
I have a Cisco 3640 router running IOS 12.x. I wanted to make my router act as an application firewall to intercept all the connections to my web server, and I configured it like this:
ip tcp intercept list 103
access-list 103 permit tcp any host x.x.x.x1 (my web server IP address)
I did not configure any other intercept command and left everything at its defaults.
Now when I try to browse the site x.x.x.x1 from outside, the page is not displayed. But in the 'show tcp intercept statistics' output I can see an established session from the outside IP address of the system from which I am trying to browse x.x.x.x1. When I change the TCP intercept mode to watch mode:
ip tcp intercept mode watch
then my site is accessible from outside. I have a PIX firewall between my router and the web server.
I tried disabling IP CEF and gave
no ip route-cache
no ip mroute-cache on all the interfaces
and also tried with two web servers, one inside and the other outside the firewall, and neither works.
When I type 'sh tcp intercept connections' I can see the connections in the established state, but the web server is not accessible from outside. Once I move it to watch mode my web servers work. MLS is disabled on the router.
One more thing: when I am in intercept mode I can see the established status, but the connection is not reset or refreshed even after 8 hours. It was still showing the connection as established although I had disconnected the session long before.
Can someone advise me what mistake I am making and how to solve this problem?
Thanks in advance
04-28-2003 03:32 AM
Hello,
Can you post the output you get from 'debug ip tcp intercept' while trying to access the web site?
04-28-2003 05:01 AM
Hi,
Thanks for your mail. Below is the debug output that I got:
icodenet#debug ip tcp intercept
TCP intercept debugging is on
icodenet#
1d11h: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 63.251.161.99 to 12.109.150.211
1d11h: %IDS-4-ICMP_UNREACH_SIG: 2001:ICMP Host Unreachable - from 12.125.6.185 to 65.199.28.4
1d11h: INTERCEPT: new connection (206.135.105.10:1445 SYN -> 12.109.150.150:80)
1d11h: INTERCEPT(*): (206.135.105.10:1445 <- ACK+SYN 12.109.150.150:80)
1d11h: INTERCEPT: 1st half of connection is established (206.135.105.10:1445 ACK -> 12.109.150.150:80)
1d11h: INTERCEPT(*): (206.135.105.10:1445 SYN -> 12.109.150.150:80)
1d11h: INTERCEPT: 2nd half of connection established (206.135.105.10:1445 <- ACK+SYN 12.109.150.150:80)
1d11h: INTERCEPT(*): (206.135.105.10:1445 ACK -> 12.109.150.150:80)
1d11h: INTERCEPT(*): (206.135.105.10:1445 <- WINDOW 12.109.150.150:80)
1d12h: %IDS-4-ICMP_UNREACH_SIG: 2001:ICMP Host Unreachable - from 12.125.6.185 to 65.199.28.4
1d12h: %IDS-4-ICMP_TIMXCEED_SIG: Sig:2005:ICMP Time Exceeded for a Datagram - from 144.232.19.70 to 65.199.28.2
1d12h: %IDS-4-ICMP_UNREACH_SIG: 2001:ICMP Host Unreachable - from 12.125.6.185 to 65.199.28.4
1d12h: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 208.184.39.130 to 12.109.150.2
1d12h: %IDS-4-ICMP_UNREACH_SIG: 2001:ICMP Host Unreachable - from 64.191.63.3 to 12.109.150.2
1d12h: %IDS-4-ICMP_TIMXCEED_SIG: Sig:2005:ICMP Time Exceeded for a Datagram - from 144.232.19.70 to 65.199.28.2
Thanks in Advance
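A small parser for 'debug ip tcp intercept' output like the above, to see how far each intercepted handshake got (whether the router only finished the client half, or the server half too). This is an added example, not code from the thread; the 198.51.100.7 flow in the sample is constructed to show a server half that never completes.

```python
import re
from collections import OrderedDict

# Flow tuple as printed by `debug ip tcp intercept`:
# "(client_ip:port <flags / direction> server_ip:port)"
FLOW_RE = re.compile(
    r"\((?P<cip>\d+\.\d+\.\d+\.\d+):(?P<cport>\d+)\s+.*?\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\)"
)

# Handshake milestones the debug reports, and the state each one implies.
EVENTS = (
    ("new connection", "SYN_RECEIVED"),                               # client SYN intercepted
    ("1st half of connection is established", "CLIENT_ESTABLISHED"),  # router <-> client done
    ("2nd half of connection established", "ESTABLISHED"),           # router <-> server done
)

def parse_intercept_debug(lines):
    """Return {(client, server): latest_state} built from INTERCEPT state lines."""
    flows = OrderedDict()
    for line in lines:
        if "INTERCEPT:" not in line:   # skip INTERCEPT(*) packet traces and %IDS noise
            continue
        m = FLOW_RE.search(line)
        if not m:
            continue
        key = (f"{m['cip']}:{m['cport']}", f"{m['sip']}:{m['sport']}")
        for phrase, state in EVENTS:
            if phrase in line:
                flows[key] = state
    return flows

def stuck_flows(lines):
    """Flows whose server-side half never completed (no '2nd half' line seen)."""
    return [k for k, s in parse_intercept_debug(lines).items() if s != "ESTABLISHED"]

# Constructed sample: the poster's flow from the thread, plus a made-up second
# client (198.51.100.7) whose server half never completes.
SAMPLE = [
    "1d11h: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 63.251.161.99 to 12.109.150.211",
    "1d11h: INTERCEPT: new connection (206.135.105.10:1445 SYN -> 12.109.150.150:80)",
    "1d11h: INTERCEPT(*): (206.135.105.10:1445 <- ACK+SYN 12.109.150.150:80)",
    "1d11h: INTERCEPT: 1st half of connection is established (206.135.105.10:1445 ACK -> 12.109.150.150:80)",
    "1d11h: INTERCEPT: 2nd half of connection established (206.135.105.10:1445 <- ACK+SYN 12.109.150.150:80)",
    "1d11h: INTERCEPT: new connection (198.51.100.7:3322 SYN -> 12.109.150.150:80)",
    "1d11h: INTERCEPT: 1st half of connection is established (198.51.100.7:3322 ACK -> 12.109.150.150:80)",
]
```

Feeding the real debug capture to parse_intercept_debug shows the poster's flow reaching ESTABLISHED on both halves, so the handshake itself completes; anything stuck at CLIENT_ESTABLISHED would point at the server side instead.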