ACE tcp & udp inspection

Hi,
I want to create a security model where one VLAN is more trusted than the other (like a PIX/ASA or a router with inspection enabled). However, when I want to create a TCP or UDP inspection I can only select between a limited number of protocols.
I've created 2 class maps:
class-map match-all TCP_INSPECT
2 match port tcp any
class-map match-all UDP_INSPECT
2 match port udp any
Then combined them into a policy-map:
policy-map multi-match INSPECTION
class TCP_INSPECT
class UDP_INSPECT
However, when I enter the policy-map / class TCP_INSPECT, I can only choose between:
dns   Configure dns inspection
ftp   Configure ftp inspection
http  Configure http inspection
icmp  Configure icmp inspection
rtsp  Configure rtsp inspection
However, I do have for example SMB traffic running from one VLAN to the other. How can I inspect that traffic so I don't have to enter an extra access-list entry?

The ACE module comes with a limited number of security features.
You will not have all the PIX or FWSM features on the ACE module.
This is mostly a load balancer with some security features.
Gilles.
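As an added illustration (not configuration from this thread, and not Cisco's documentation), here is how the trust boundary the poster describes is normally expressed on an ACE module once generic TCP/UDP inspection is ruled out: the per-VLAN access-list stays the enforcement point, so the SMB entry the poster hoped to avoid is written explicitly and everything else from the less trusted VLAN falls to the implicit deny. VLAN numbers, subnets, ACL names and the permitted services are assumptions for the example.

```text
! Hypothetical example, not from the thread. VLAN 10 = trusted, VLAN 20 = less trusted.
! Addresses, names and line numbers are invented.
access-list TRUSTED_IN line 10 extended permit ip 10.10.0.0 255.255.0.0 any
! Only name explicitly needed services from the less trusted side (SMB and DNS here).
access-list UNTRUSTED_IN line 10 extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 445
access-list UNTRUSTED_IN line 20 extended permit udp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 53
! Anything not permitted above is dropped on input to VLAN 20.
interface vlan 10
  ip address 10.10.0.1 255.255.0.0
  access-group input TRUSTED_IN
  no shutdown
interface vlan 20
  ip address 10.20.0.1 255.255.0.0
  access-group input UNTRUSTED_IN
  no shutdown
```

The ACE evaluates an input access-group on traffic entering that VLAN interface, so the asymmetry between the two VLANs comes entirely from the two ACLs; a class-map with `match port tcp any` only selects traffic for a policy and does not by itself restrict anything.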

Similar Messages

  • Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

    Hello all,
    I've been tasked to set up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is set up for IPsec and ECMP uses per-packet routing for non-TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per-packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
    Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
    Thanks in advance.
    (sorry for the dots in the drawing but the spaces kept getting deleted)
    .| Internet |
    ..........|
    .| CSS-outside |
    .............|
    ........|...............|
    .| FW1 |.....| FW2 |
    .......|................|
    ............|
    .| CSS-inside |
    ............|
    .| Intranet |

    For non-flowy traffic like IPsec, we use a hash algorithm to decide where to send the traffic.
    So, it's not per-packet load balancing.
    The same source/destination ip/port will always go to the same firewall.
    Gilles.

  • TCP/UDP Ports and site used by FEP to download updates - needed to allow on perimeter firewall

    Can someone point me to information on what TCP/UDP ports are utilized by FEP and what DNS / site name it uses to download FEP updates? This is needed to tighten perimeter firewall policies.
    Thank you

    It should be the same as the documentation for all Software Updates:
    https://technet.microsoft.com/en-us/library/bcf8ed65-3bea-4bec-8bc5-22d9e54f5a6d#BKMK_ConfigureFirewalls
    Make sure to expand the "restrict access to specific domains" section to see the update related URLs.

  • ACE TCP connection timeout

    Hello,
    our customer has a problem with correctly closing TCP connections on the ACE. The TCP session (HTTP protocol) is closed _correctly_ (we can see it in the sniffer output), but 'sh conn' on the ACE shows it as 'established' (session is already closed). TCP timeout is set to the default (60 min).
    Any new connection from the same src port (because of many connections to the service) is closed after the TCP session is established.
    When I try to generate 200 concurrent TCP sessions in my lab, these are closed correctly on the ACE. Customer's traffic is around 20-30.000 concurrent sessions, but I can't generate so much traffic.
    SW version on the ACE: 3.0(0)A1(3b)
    thx
    martin

    Thanks Gilles!
    The problem occurs only with traffic from WAP nodes (too many short HTTP requests).
    We'll try upgrading to A1(5b), but I'm not sure if this is our problem...
    Bug description:
    Symptom:
    With L7 LB configuration, Some times connections do not close.
    Conditions:
    SYN sent to Real server may result in ACK coming from server. ACE TCP module was not handling this ACK correctly.
    ...but our traffic is only L4 LB and we have a problem with connection state on the ACE from both sides (client and server). On the client and server side the connection is closed properly, but on the ACE module ('sh conn') we can see it in the 'established' state. It's closed after the TCP timeout and that is not correct.
    martin

  • Should I block TCP/UDP ports 135 to 139 on my router?

    For the sake of Internet and desktop security, should I block TCP/UDP ports 135 to 139 both ways at all times on my router? This seems to be recommended for Windows environments. Does Mavericks need these ports for its proper operation? When tested, ports 135, 137, 18 show as closed whereas all other ports are Stealth. Ideally, they should all be Stealth.

    Have a read here: http://securityspread.com/2013/07/26/firewall/
    Stealth is just as good as closed; some would argue that stealth is just as much of a giveaway of the port being present as it being closed.
    The specific ports you mention pose no risk to OS X as far as I am aware.

  • Maximum number of tcp/udp connections

    I've got a WRT54G and recently I contacted Linksys support due to some problems I was having with
    BitTorrent clients (very common issue it seems). I have a home LAN with 3 computers,
    and if 2 or more of them are on at the same time (even when only 1 is using BitTorrent), the connection keeps going
    down.
    Linksys support told me a lot of routers face this problem since BitTorrent works by opening lots of simultaneous
    TCP/UDP connections, and one thing I should do is try to limit these connections to a number the router can handle.
    Even though I might experience some poor speeds limiting connections, it seems it's all I have left. So, not a
    problem at all, except one question which brings us to the purpose of this message:
    Approximately HOW MANY TCP/UDP CONNECTIONS can WRT54g handle at the SAME TIME?
    Since I'm to share among 3 users, all of which are torrent freaks, I'm gonna have one heck of a hard time tryin' to
    guess the maximum number of connections each should have, especially when they're all on at the same time.
    Support said they don't have that information. So does anyone out there have a good guess?
    And also, does anyone know of any Linksys router (for home use) that is able to work with torrents without any
    problem at all?

    The WRT54G(S) up to v4 and the WRT54GL use a Linux 2.4.20 kernel.
    This Linux kernel sets a max of 1024 connections and a hashtable of max 128 buckets; the GS models with 32 MByte have 2048/256.
    I see three problems:
    1. The following patch is not applied to the kernel: Netfilter / connection tracking remote DoS, CVE: CAN-2003-0187
    2. The hashsize is wrongly set; the default kernel 2.4.20 values are wrong, and it may NOT be an even number (128), it should be a prime number.
    3. The ratio between hashsize and max amount of connections should be set to 1 and not 8, this to increase performance.
    Some improvement is made by Linksys in firmware versions 4.21.1 and 4.30.9 (they are nearly the same).
    I hope this information helps,
    greetings,
    jchuit
    http://tarifa.sourceforge.net/

  • QOS Network Planning - TCP/UDP Ports used in CWMS 2.5 MDC deployment

    Does anyone know if there is documentation that describes the WAN traffic in CWMS 2.5 MDC? I'm looking for the TCP/UDP ports that must be prioritized on the WAN to properly class our traffic between the two data centers. I can't find any such document.
    Thanks,
    Matt

    Hi Matt,
    All the network requirements are listed in the CWMS 2.5 Planning Guide in Networking Checklist: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_0100.html
    I hope this is what you are looking for.
    -Dejan

  • Iptables -p tcp/udp --dport no longer working

    I had a simple firewall setup on my Arch router box. I'm trying to block some additional ports, and it looks like maybe a recent update has borked the tcp/udp extension modules?
    Running anything with
    --dport
    or
    --destination-port
    (or the source port variants) returns "No chain/target/match by that name."
    What is the module for the tcp/udp extensions? Is it one of these?
    krovisser /etc/iptables :( # lsmod | grep ip
    tulip 51905 0
    ipt_MASQUERADE 2154 5
    iptable_nat 3358 1
    nf_nat_ipv4 3568 1 iptable_nat
    nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
    ipt_REJECT 2313 1
    nf_conntrack_ipv4 9166 4
    nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
    nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
    iptable_filter 1488 1
    iptable_mangle 1584 0
    ip_tables 17218 3 iptable_filter,iptable_mangle,iptable_nat
    x_tables 17351 6 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter,ipt_REJECT,iptable_mangle
    krovisser /etc/iptables # lsmod | grep nf
    nf_nat_ipv4 3568 1 iptable_nat
    nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
    nf_conntrack_ipv4 9166 4
    nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
    nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
    Not sure what's going on, because using a bare `-p tcp` will work. So it should load the extension at that point.
    Last edited by krovisser (2013-05-07 23:29:19)

    In addition to what fukawi2 said, if you are running systemd and you make a change to your iptables you can do:
    iptables-save > /etc/iptables/iptables.rules
    systemctl restart iptables
    The updates will then take place without having to restart the server.
    Hope this helps.
    R.
    edit: this also assumes that the modules you need are loaded.
    Last edited by ralvez (2013-05-08 02:12:26)

  • Imaq usb grab through tcp/udp

    Hello,
    Is there any way to send the image grabbed from IMAQ USB Grab through TCP/UDP? The block I have tried is as below. Any help is really appreciated, ty.
    Message Edited by cheras on 05-12-2010 11:13 AM

    Attachments:
    Send1.vi 66 KB
    Receiver1.vi 46 KB

  • TCP/UDP ports between Cisco PI 2.0 and WLC5508

    Hello,
    I will install Cisco PI 2.0 behind a firewall for security reasons. The WLC5508 is in front of the firewall. Can anybody let me know which TCP/UDP ports need to be open specifically between the Cisco PI and WLC? I don't see that in the link below.
    Cisco Prime Infrastructure 2.0 Quick Start Guide
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/quickstart/guide/cpi_qsg.html#wp46865
    Thanks,
    Robert

    Firewall Between the WCS and Controller or WCS and the WCS User Interface
    When a PI server and a PI user interface are on different sides of a firewall, they cannot communicate unless these ports on the firewall are open to two-way traffic:
    80 (for initial http)
    69 (tftp)
    162 (trap port)
    443 (https)
    Open these ports in order to configure your firewall to allow communications between a PI server and a PI user interface.
    Regards
    Don't forget to rate helpful posts

  • What TCP/UDP ports need to be open for VPN Client version 4.8?

    What TCP/UDP ports need to be open for Cisco VPN Client version 4.8 to work?
    Thanks,

    Normally, you need the following ports and protocol:
    UDP 500
    UDP 4500
    ESP
    In case you are using IPsec over TCP, you have to open TCP port 10000 or any other port you want to use for IPsec connections (it's configurable).
    -Kanishka

  • Which TCP/UDP ports need to be opened on a firewall for adobe reader and flashplayer?

    Which TCP/UDP ports need to be opened on a firewall for Adobe Reader and Flash Player to operate properly? This would include updating, linking, and any subset of features.

    The Acrobat Family uses TCP HTTP/HTTPS for all traffic. The following processes and ports may be active on a Windows client machine:
    AdobeARM.exe - automatic updates - port 443
    AcroRd32.exe - brand messages - port 443
    AcroRd32.exe - links in documents - anything specified in the URL
    Acrobat.exe - brand messages - port 443
    Acrobat.exe - links in documents - anything specified in the URL
    AdobeCollabSync.exe - Tracker review data - port 443
    The same ports are used by the program components on OS X.
    There are no inbound listening ports for any elements of the Acrobat Family. Automatic updates are not pushed and there are no server processes within the software.

  • TCP/UDP Port Utilization question for CCX 8.5

    Greetings,
    I have gone through the CCX 8.5 TCP/UDP port utilization guide.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_8_5/configuration/guide/uccx851pug.pdf
    I always do this as a matter of practice and I had a question concerning Java RMI ports. In the guide there is an ephemeral range TCP:32768-61000 that is used for Java RMI. Based on the context clues in the footnote, this is intra-cluster communication between processes running on CCX. This jibes with ACLs I have built for previous versions.
    The hang-up I have is that Table 1 (page 6) of the guide shows that one of the remote devices is "Editor". I take this to mean CRS Editor, which can run on a desktop in the environment. I want to keep the ACL as trim as possible, so I don't want to open up the TCP ephemeral range unnecessarily. So, I guess my question is:
    When that document refers to "Editor", do they mean that the CRS Editor is communicating using the referenced ports? Or is there a server-side process called Editor listening on those ports? The shift in how I apparently have to account for RMI is causing me to question.
    Thanks in advance,
    Bill

    I followed the port guide, but am still having issues connecting to the editor from my workstation with my access-list in place.
    When I remove the ACL the editor connects and I can do reactive debugging. The ACL breaks this.
    Followed this
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/crs/express_9_02/configuration/guide/UCCX_BK_P89325D5_00_port-utilization-guide-uccx-902.pdf
    Does anyone have a sample acl that works?

  • E4200 TCP UDP timeout configuration

    Is there any way to change the timeout on the TCP/UDP connections, so the router closes the connection automatically?
    Thanks

    I think it's not a feature of this SOHO router.

  • Connect a CMD600 charge amplifier in TCP/UDP with LV2009

    hi there,
    I'm trying to connect an HBM CMD600 charge amplifier using LAN with TCP/UDP.
    Should I use the standard Open/Read/Close TCP functions, or UDP, or something else?
    How can I know or set the IP or port to listen on?
    I've got 2 amplifiers to connect simultaneously; is it possible? With a switch, or with 2 wires from 2 LAN ports?
    And last one: what's the maximum frequency of acquisition?
    Sadly, I don't have access to the amplifier to test anything.
    Thanks a lot

    Hi David,
    I advise you to have a look at the following links; there are a lot of examples and tutorials on the ni.com website:
    TCP/UDP LabVIEW 2009 Help
    TCP/UDP examples on ni.com
    TCP/UDP Tutorials on ni.com
    Kind regards,
    Olivier L. | Certified LabVIEW Developer
