cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1601
Views
0
Helpful
20
Replies

CBAC configured on 2800 router.

johnleeee
Level 1
Level 1

Hi all,

I need urgent help about CBAC configured

on our 2821 router.

We have configuration as obvious as it can be. One interface inside (ethernet)

and outside serial interface with CBAC applied OUT and inside ACL. For as it is crucial to connect our users to Internet. But with this feature Internet is so slow almost unuseable.

I discover with ethereal that my client ..obtain DNS IP address..but after it send SYN packet to connect ..it doesnt obtain SYN ACK packet..and try to send SYN packet again and so on.What I see is that my browsers window is white. When I do this process again (press refresh button)it sometimes proceed correctly.

BUT when we use reflexive ACLs instead of CBAC it function good. I think that sometimes Cisco advertise features which doesnt function.

We use ADV SEC IOS 12.3.14T.

For as it is crucial maintain CBAC.

Can someone help us.

Is over there some bug in this release?

BR

jl

20 Replies 20

Hi all,

Iv implemented SPI policy to our 2821.

What do you think about this output:

What does it mean?

Packet inspection statistics [process switch:fast switch]

tcp packets: [138434:3828330]

udp packets: [310169:1597235]

smtp packets: [0:122593]

http packets: [22:1297267]

ftp packets: [143:1221]

Interfaces configured for inspection 3

Session creations since subsystem startup or last reset 402500

Current session counts (estab/half-open/terminating) [226:6:39]

Maxever session counts (estab/half-open/terminating) [336:34:77]

Last session created 00:00:00

Last statistic reset never

Last session creation rate 456

Last half-open session total 6

Half-open session count or session creation rate exceeded

BR

jl

Hi,

It would be great if you can paste or attach your router configurations. however things seems ok since most of http/ftp/smtp packets are going through cef mode.I believe you must have got java-list in the firewall policy

ip inspect name test http java-list 20

access-list 20 permit ip any.

Just FYI you're seeing lots of generic tcp/udp going through process mode, the reason is the first packet of any multi-channel protocol goes through process mode so this is normal to have some process mode packets but not everything.

Are you still seeing performance degradation by turning on IOS Firewall ?

Thanks and Regards

Arshad

Hi Arshad,

thanks for your help. First I have to say

that last ACL you wrote is right because after

I did it as you mentioned it said me only standard

ACLs are allowed for java inspection. Second when

I configured ip inspect name .... http java-list...

with the same ACL as you wrote above ,communication

for http users slowed down immediately. I still

unfortunately observe problem in that, that Internet communication is sometimes slow and sometimes good.

Iv debug every possible debug related to SPI and I have outputs. Is overe there on Cisco help for this

debug ...object starting, object deleting ....and so on.?

Below is part of my config related to security:

ip cef

ip inspect name Sec_to_inet udp alert on audit-trail off

ip inspect name Sec_to_inet ftp alert on audit-trail off

ip inspect name Sec_to_inet tcp alert on audit-trail off

interface Serial0/3/0.1 point-to-point

bandwidth 2048

ip address .....

ip access-group ACLs_Inet in

no ip redirects

no ip unreachables

no ip proxy-arp

ip inspect Sec_to_inet out

no ip mroute-cache

traffic-shape group 101 512000 12800 12800 1000

no cdp enable

frame-relay interface-dlci 100 IETF

Any suggestions?

Every help is invited.

BR

jl

Hi all,

so I have new informations for you.

First as I wrote before configuring no Java

inspection doesnt help.

What on the other hand is helpful for me ..is to tune values of one-minute high and low. As I tuned

it in accordance design guide it seems to function

properly.

I have one question. Is it posible inspect http on

port 80 and other nondefault simultaneously.?

I know that over there is possibility change default

port than that which I can see in show ip port-map.

BR

jl

If you want traffic to be classified as http, you will need to use the "ip port-map" command to add additional ports for http. For instance, to add tcp 81 as your additional http port:

ip port-map http port tcp 81

Your results with java inspection are atypical. Can you please post the configuration you used to remove java inspection?

Did you have any comments about the DoS Inspection tuning procedure, or did it work well?

Hi,

first I have to say that my config was as it is

recomended in document.

ip inspect name Sec_to_inet http java-list 20 alert on audit-trail off

access-list 20 permit ip any

I dont understand your question. Pls. go to deeper

explanation.

BR

jl