Transparant firewall on 2600 series with 12.3

beheer.nedfox
Level 1

I have been looking for days already at why this config does not work. I don't even get any debug message out of it. The problem is that the router seems to pass all traffic, regardless of access-lists or whatever. It's just as if both Ethernet ports on the router are a hub or switch; the router engine is just being ignored.

Quite the same config runs fine on a 12.4 router, but I can't get it to work on 12.3. Is there something special I forgot?

Greets!

Mark.

4 Replies

Richard Burts
Hall of Fame

Mark

You are right that your access lists are being ignored. And the reason is that you have applied them to the physical interfaces (FastE0/0 and FastE0/1), but they have no IP address and therefore are not processing IP and cannot process the access list. You need to move the access lists to the BVI interface, which is where the IP processing for these interfaces takes place.

I will also note that it seems very strange to me to be using IRB and to bridge together the interfaces whose comments indicate that they are the DMZ and the Internet. Why are you bridging between the DMZ and the Internet?

HTH

Rick

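To make the two placements under discussion concrete, here is an added skeleton of an IRB transparent firewall configuration. It is not a config from this thread or from the Cisco document linked below; the interface names, bridge-group number 10, the ACL name, the inspect rule name and the 192.0.2.0/24 addresses are assumptions. Variant A is the placement used in the Cisco transparent firewall guide (ACL and inspection on the bridged physical interfaces, which carry no IP address); Variant B is the placement suggested above (ACL on the BVI). Which one actually filters bridged traffic is exactly what the thread is trying to establish, and the hit counters from show access-lists are the quickest way to see whether an ACL is being evaluated at all.

```ios
! Added example: IRB transparent firewall skeleton (assumed names and numbers)
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
!
! Assumed policy: from the Internet side, allow only HTTP/HTTPS to one DMZ host
ip access-list extended INET-TO-DMZ
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
ip inspect name FW tcp
ip inspect name FW udp
!
! Variant A (placement in the Cisco transparent firewall guide):
! ACL and inspection on the bridged physical interfaces, no IP address on them
interface FastEthernet0/0
 description Internet
 no ip address
 ip access-group INET-TO-DMZ in
 bridge-group 10
!
interface FastEthernet0/1
 description DMZ
 no ip address
 ip inspect FW in
 bridge-group 10
!
! The IP address lives on the BVI; Variant B applies the ACL here instead
interface BVI10
 ip address 192.0.2.1 255.255.255.0
 ! ip access-group INET-TO-DMZ in   (Variant B placement, one or the other)
!
! Verification from exec mode after sending test traffic through the bridge:
! show access-lists INET-TO-DMZ     - match counters stay at 0 if the ACL is never consulted
! show bridge 10                    - confirms both ports are forwarding in bridge group 10
! show ip inspect sessions          - confirms CBAC is actually tracking sessions
! show interfaces BVI10             - confirms the BVI is up and passing packets
```

Apply only one of the two ip access-group placements at a time; if you leave both, a zero counter on one of them tells you nothing. The deny entry carries the log keyword so that dropped packets show up in the logging buffer, which is a more direct signal than debug all when the question is "is my ACL being evaluated".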

Hi Rick,

Thanks for your reply. I would like to believe you, but the example is from the Cisco website at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_trans.html

Halfway through there is a complete script setup with an access-group on a physical Ethernet interface.

But I tried your suggestion, without result...

I have also issued a debug all for a short while, and this is what I see:

SNMP: HC Timer 82C3EC48 fired
*Mar 1 06:20:50.826: SNMP: HC Timer 82C3EC48 rearmed, delay = 20000
*Mar 1 06:20:51.138: SNMP: HC Timer 82C49DBC fired
*Mar 1 06:20:51.138: SNMP: HC Timer 82C49DBC rearmed, delay = 5000
*Mar 1 06:20:51.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:53.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:55.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:56.138: SNMP: HC Timer 82C49DBC fired
*Mar 1 06:20:56.138: SNMP: HC Timer 82C49DBC rearmed, delay = 5000
*Mar 1 06:20:57.286: STP: opt: Bridge group 10: get ports: no free chunk available
rokscom-brfw01#no
*Mar 1 06:20:58.378:
*Mar 1 06:20:58.378: Rudpv1 Sent: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 06:20:58.378: Rudpv1 Rcvd: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 06:20:58.378: Rudpv1 Discarded: 0, Retransmitted 0
*Mar 1 06:20:58.378:
*Mar 1 06:20:59.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:59.358: CBAC FUNC: inspect_timers
*Mar 1 06:20:59.358: CBAC FUNC: insp_sample_session_rate debug all
All possible debugging has been turned off
rokscom-brfw01#
*Mar 1 06:21:01.138: SNMP: HC Timer 82C49DBC fired
*Mar 1 06:21:01.138: SNMP: HC Timer 82C49DBC rearmed, delay = 5000
*Mar 1 06:21:01.286: STP: opt: Bridge group 10: get ports: no free chunk available
rokscom-brfw01#

It keeps saying no chunk available.

Can you tell me what you mean with "bridge irb"? It's also from the example, and I am bridging between Internet and DMZ with a number of access-lists... (at least I am trying :-)

Greets,

Mark.

Please also mind this debug:

rokscom-brfw01#debug all
This may severely impact network performance. Continue? (yes/[no]): yes
All possible debugging has been turned on
rokscom-brfw01#
*Mar 1 00:03:25.275: SNMP: HC Timer 82C2DD3C fired
*Mar 1 00:03:25.275: SNMP: HC Timer 82C2DD3C rearmed, delay = 5000
*Mar 1 00:03:26.275: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 00:03:26.435:
*Mar 1 00:03:26.435: Rudpv1 Sent: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 00:03:26.435: Rudpv1 Rcvd: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 00:03:26.439: Rudpv1 Discarded: 0, Retransmitted 0
*Mar 1 00:03:26.439:
*Mar 1 00:03:27.911: CDP-PA: Packet received from dmz2lan on interface FastEthernet0/1
*Mar 1 00:03:27.911: **Entry found in cache**
*Mar 1 00:03:27.931: CDP-IP: IP TLV length (5) invalid for default route.
Expecting default route from hub router
*Mar 1 00:03:28.119: CDP-IP: Writing prefix 217.166.55.96/27
*Mar 1 00:03:28.119: CDP-PA: version 2 packet sent out on FastEthernet0/0
*Mar 1 00:03:28.123: CDP-IP: Writing prefix 217.166.55.96/27
*Mar 1 00:03:28.123: CDP-PA: version 2 packet sent out on FastEthernet0/1
*Mar 1 00:03:28.275: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 00:03:28.823: IRB-CEF: LE vector failed on BVI10, enqueued to IP queue

>> Expecting default route from hub router....

Greets,

Mark.

Mark

The documentation in the link you posted does show the access list and ip inspect on the physical interfaces, which have no IP addresses. In my experience, if you attempt to do something like an IP access list on an interface that does not have an IP address, it does not work. There must be something special in the code for the transparent firewall (or perhaps it is associated with the bridge-group on the interface) that allows the access list to function.

I am not clear what the error messages indicate. "no free chunk" sounds to me like a problem with memory. Perhaps it is time to think about opening a case with Cisco TAC.

HTH

Rick
