ACL filtering ICMP echo-reply behavior

Hello guys,
I needed some help here. I have attached the topology with this in case you don't get what I am trying to ask.
I have just two routers connected directly like this: R1 <------------> R2. The network between them is 10.1.12.0/24; R1 has an IP address of
10.1.12.1 and R2 has an IP address of 10.1.12.2. Well, so far so good.
Now, the question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's
interface in the INBOUND direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction?
The ACL is this one:
access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any
It works if I apply this in the inbound direction of R2, but why doesn't it work if I apply this in the OUTBOUND direction of R1?
Please do help me out. Thanks :)

Hi,
I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."
See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135
for details.
Best regards,
Milan

Similar Messages

  • Blocking unsolicited echo-reply from the outside of firewall

                       What is the easiest way to stop unsolicited ICMP echo-reply packets coming from the outside of a Cisco ASA 5500 firewall?

    Hi,
    The firewall should not allow any ICMP echo-replies through the firewall if it hasn't seen an echo for that same reply.
    Instead of allowing inbound ICMP from the WAN with an ACL, you should configure ICMP inspection.
    In a very default ASA configuration they would be added in the following way:
    policy-map global_policy
    class inspection_default
      inspect icmp
      inspect icmp error
    Hope this helps
    - Jouni

  • ICMP and the concept of its messages (echo-reply, time-exceeded, etc.)

    If we have these types of ACLs:
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any port-unreachable
    As we know, an echo-reply means that if I send an echo-request, I am going to expect to receive an echo-reply (i.e. an echo-reply is the response (result) to an echo-request; to my knowledge an echo-reply cannot be initiated unless there is an echo-request. Am I right?)
    1- Do all other types of ICMP messages rely on an echo-request as well (i.e. behave as an echo-reply), or are they independent?
    2- Does an ACL statement "deny icmp any any" deny all types of ICMP messages?

    Suppose I have R1 with this reflexive ACL:
    R1:
    ip access-list extended FILTER-IN
    permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS
    permit ip any any
    ip access-list extended FILTER-OUT
    deny udp any any eq snmp
    permit icmp any any time-exceeded
    permit icmp any any port-unreachable
    evaluate GOODGUYS
    deny icmp any any
    permit ip any any
    interface Ethernet0/1
    ip access-group FILTER-IN in
    ip access-group FILTER-OUT out
    The FILTER-IN list monitors packet data as it is sent into the E0/1 interface. The data is captured and put into a temporary list called GOODGUYS.
    The FILTER-OUT list looks at the data stored in GOODGUYS and monitors TCP/IP traffic being delivered out the E0/1 interface.
    Any TCP/IP traffic that originated from the 10.0.0.0 network is allowed to come back into the network.
    1- Will the traffic be filtered only on the basis of the ICMP protocol?
    2- How does the reflexive ACL check the origin of a packet? Does it compare the destination IP address of a returned packet with the source IP address of a dispatched packet?
    3- What will the case be if I replace "permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS" with "permit ip (instead of icmp) 10.0.0.0 0.0.0.255 any reflect GOODGUYS"? Am I going to include permission of an ICMP packet as well?
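The following is an added example, not code from any of the posts above, and not Cisco software: a small Python model of how IOS walks an interface ACL. It serves two threads on this page at once. For the opening question (ACL 100 on R1 versus R2), it applies the rule Milan quoted: a packet the router itself generates, such as its own echo-reply, is never run through the egress ACL, so the same ACL denies the reply only when it is inbound on R2. For the reflexive ACL question just above, it models `reflect` creating a temporary mirrored entry and `evaluate` consulting it, so an echo-reply toward the 10.0.0.0/24 LAN is dropped by `deny icmp any any` until an echo has left through FILTER-IN, while `time-exceeded` passes on its own unconditional line. The packet fields, the subset of ACE grammar parsed, the address-only mirroring of reflexive entries and the sample addresses are all simplifications and constructed values chosen for this example.

```python
"""Model of Cisco IOS extended and reflexive ACL evaluation (added example,
not code from the original posts). It encodes the rules the thread relies on:
entries are tried top-down with an implicit deny at the end; a packet the
router itself generated is never run through an egress ACL; a 'reflect' entry
creates a temporary mirrored entry that 'evaluate' consults later. The packet
model, the ACE grammar subset and the address-only mirroring are simplifications."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    icmp_type: str = ""               # "echo", "echo-reply", "time-exceeded", ...
    dport: int = 0
    locally_originated: bool = False  # built by this router, e.g. its own echo-reply

@dataclass(frozen=True)
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    qual: tuple = ()                  # ("echo-reply",) or ("eq", "snmp")
    reflect: str = ""                 # reflexive list this entry populates

def _addr(toks):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    wild = int(ipaddress.ip_address(toks.pop(0)))          # contiguous wildcards only
    return ipaddress.ip_network(f"{t}/{32 - wild.bit_length()}", strict=False)

def parse_ace(line):
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, dst = _addr(rest), _addr(rest)
    reflect = rest[rest.index("reflect") + 1] if "reflect" in rest else ""
    rest = rest[:rest.index("reflect")] if reflect else rest
    return Ace(action, proto, src, dst, tuple(rest), reflect)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if not ace.qual:
        return True
    if ace.proto == "icmp":                       # ICMP type keyword
        return pkt.icmp_type == ace.qual[0]
    if ace.qual[0] == "eq":                       # destination port keyword or number
        return pkt.dport == int({"snmp": 161, "www": 80}.get(ace.qual[1], ace.qual[1]))
    return True

class Acl:
    def __init__(self, lines, state):
        self.lines, self.state = lines, state     # state: router-wide reflexive lists

    def check(self, pkt):
        for line in self.lines:
            if line.startswith("evaluate "):      # splice in the temporary entries
                if any(ace_matches(t, pkt) for t in self.state.get(line.split()[1], [])):
                    return "permit"
                continue
            ace = parse_ace(line)
            if ace_matches(ace, pkt):
                if ace.action == "permit" and ace.reflect:   # mirror src/dst for the return path
                    mirror = Ace("permit", pkt.proto, ipaddress.ip_network(pkt.dst + "/32"),
                                 ipaddress.ip_network(pkt.src + "/32"))
                    self.state.setdefault(ace.reflect, []).append(mirror)
                return ace.action
        return "deny"                             # implicit deny at the end of every ACL

def egress(acl, pkt):
    """Outbound interface ACL: never consulted for the router's own packets."""
    return "permit" if pkt.locally_originated else acl.check(pkt)

def thread_scenario():
    """R1 answers R2's ping; ACL 100 applied out on R1 versus in on R2."""
    acl100 = Acl(["deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply", "permit ip any any"], {})
    reply = Packet("icmp", "10.1.12.1", "10.1.12.2", "echo-reply", locally_originated=True)
    return {"R1 out": egress(acl100, reply), "R2 in": acl100.check(reply)}

def reflexive_scenario():
    """FILTER-IN (in) and FILTER-OUT (out) on E0/1, as posted in the question."""
    state = {}
    filter_in = Acl(["permit icmp 10.0.0.0 0.0.0.255 any reflect GOODGUYS", "permit ip any any"], state)
    filter_out = Acl(["deny udp any any eq snmp", "permit icmp any any time-exceeded",
                      "permit icmp any any port-unreachable", "evaluate GOODGUYS",
                      "deny icmp any any", "permit ip any any"], state)
    reply = Packet("icmp", "198.51.100.9", "10.0.0.5", "echo-reply")       # constructed sample
    out = {"reply before any request": filter_out.check(reply)}
    filter_in.check(Packet("icmp", "10.0.0.5", "198.51.100.9", "echo"))   # creates a GOODGUYS entry
    out["reply after request"] = filter_out.check(reply)
    out["time-exceeded, no state"] = filter_out.check(Packet("icmp", "203.0.113.1", "10.0.0.5", "time-exceeded"))
    out["snmp toward LAN"] = filter_out.check(Packet("udp", "198.51.100.9", "10.0.0.5", dport=161))
    return out
```

`thread_scenario()` returns `permit` for "R1 out" and `deny` for "R2 in": the only thing that differs is whether the router built the packet itself. In `reflexive_scenario()` the unsolicited echo-reply is denied, the same reply is permitted once a matching echo has been seen on FILTER-IN, and `time-exceeded` is permitted regardless of state because its line sits above `evaluate` and does not depend on the reflexive list. Real IOS reflexive entries also carry ports and a timeout; those are left out here.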

  • How to make TCP have the "established" option's function, or be reflexive, in ASA, as ICMP has with echo-reply

    How do I make TCP have the "established" option's function, or be reflexive, in ASA, like ICMP has with echo-reply,
    rather than permitting TCP on both sides?

    An ASA firewall is stateful.
    The reflexive access for TCP connections (or UDP flows) is allowed by default as the firewall checks for established connections prior to applying an access-list on traffic that arrives at an interface.
    Excerpted from this document (emphasis mine):
    "Here are the individual steps in detail:
    The packet arrives at the ingress interface.
    Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
    Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.
    If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged."
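The following is an added example, not code from the posts above and not Cisco software: a Python model of the per-packet steps quoted in the answer just above (existing connection bypasses the ACL; a new TCP flow must start with a SYN before it reaches the ACL; anything else is dropped), combined with the ICMP inspection Jouni recommended earlier on this page instead of a blanket `permit icmp any any echo-reply`. The connection key, the echo-request key (addresses, identifier, sequence), the one-reply-per-request rule and all addresses are assumptions and constructed values chosen for this example.

```python
"""Model of the ASA per-packet steps quoted in the answer above, with the
ICMP inspection recommended in the earlier answer (added example, not Cisco
code). Assumptions chosen here: TCP connections are keyed by the 5-tuple,
echo state by (addresses, identifier, sequence) with one reply per request,
and the outside interface ACL is a plain callable returning permit/deny."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: str          # "echo" or "echo-reply"
    ident: int = 0
    seq: int = 0

def acl_echo_reply_only(p):
    """'access-list outside_in permit icmp any any echo-reply' on its own: stateless."""
    return "permit" if isinstance(p, Icmp) and p.type == "echo-reply" else "deny"

class Asa:
    def __init__(self, outside_acl, inspect_icmp=True):
        self.acl, self.inspect_icmp = outside_acl, inspect_icmp
        self.conns = set()      # TCP connection table, keyed as the opening packet was seen
        self.echo = set()       # outstanding echo requests, keyed as the reply will arrive

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def outbound(self, p):
        """Inside -> outside: higher to lower security, allowed by default; builds state."""
        if isinstance(p, Tcp):
            if p.syn:                                  # only a SYN opens a connection
                self.conns.add(self._key(p))
        elif p.type == "echo" and self.inspect_icmp:
            self.echo.add((p.dst, p.src, p.ident, p.seq))
        return "forward"

    def inbound(self, p):
        """Outside -> inside, in the order the quoted steps describe."""
        if isinstance(p, Tcp):
            if self._key(p) in self.conns or (p.dst, p.dport, p.src, p.sport) in self.conns:
                return "forward (existing conn, ACL bypassed)"
            if not p.syn:
                return "drop (no conn and not SYN)"
            if self.acl(p) == "permit":
                self.conns.add(self._key(p))
                return "forward (new conn, ACL permit)"
            return "drop (ACL deny)"
        if p.type == "echo-reply" and self.inspect_icmp:
            k = (p.src, p.dst, p.ident, p.seq)
            if k in self.echo:
                self.echo.discard(k)                   # one reply per request
                return "forward (matched echo request)"
            return "drop (unsolicited or duplicate echo-reply)"
        return "forward (ACL permit)" if self.acl(p) == "permit" else "drop (ACL deny)"

def demo(inspect_icmp=True):
    """Constructed traffic: one outbound HTTPS connection and one outbound ping."""
    asa = Asa(acl_echo_reply_only, inspect_icmp)
    out = {}
    asa.outbound(Tcp("10.1.1.5", 40000, "203.0.113.10", 443, syn=True))
    out["syn-ack for our conn"] = asa.inbound(Tcp("203.0.113.10", 443, "10.1.1.5", 40000))
    out["stray ack"] = asa.inbound(Tcp("203.0.113.10", 443, "10.1.1.5", 40001))
    out["unsolicited syn"] = asa.inbound(Tcp("203.0.113.10", 12345, "10.1.1.5", 22, syn=True))
    asa.outbound(Icmp("10.1.1.5", "203.0.113.10", "echo", ident=7, seq=1))
    out["matching reply"] = asa.inbound(Icmp("203.0.113.10", "10.1.1.5", "echo-reply", 7, 1))
    out["duplicate reply"] = asa.inbound(Icmp("203.0.113.10", "10.1.1.5", "echo-reply", 7, 1))
    out["unsolicited reply"] = asa.inbound(Icmp("198.51.100.7", "10.1.1.5", "echo-reply", 9, 9))
    return out
```

With `demo(True)` the return SYN-ACK is forwarded without consulting the ACL, a stray ACK with no connection is dropped, the matching echo-reply is forwarded once, and both the duplicate and the unsolicited reply are dropped. With `demo(False)`, the stateless ACL alone, every echo-reply from anywhere is forwarded, which is exactly the exposure the earlier answer warns about.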

  • ipfilter & ICMP echo fails

    On several Solaris 10 08/07 boxes the following ipfilter rules do not work:
    pass out all keep state
    pass in quick proto icmp all icmp-type echo
    pass in quick proto tcp from any to any port = ssh keep state
    block in log all
    ssh goes through, but there is no ping reply. I can't see anything in ipmon.log, so it seems the connection is not blocked.
    Any hints?

    I am trying to figure out how to block ICMP ping replies. I have a static IP that I have given to an Airport Extreme.
    Kind of shocked, as routers a third of the cost allow this.

  • IPM 4.2.0 and icmp-echo 0.0.0.0 problem

    Hi,
    I'm having a problem with IPM.
    We are running LMS 3.2 with IPM 4.2.0.
    I used IPM to configure a device to perform a ping to an ad-hoc target; the source router was configured as:
    ip sla 182611
    icmp-echo 0.0.0.0
    request-data-size 64
    owner ipm|<name>
    tag <tag>
    ip sla schedule 182611 life forever start-time now ageout 3600
    The target device is an ad-hoc target with an IP address, but the IP SLA job ends up as 0.0.0.0.
    When I run 'show ip sla statistics' it shows that the pings are timed out (as they are being sent to 0.0.0.0 instead of the real IP address).
    The source router is running:
    Cisco IOS Software, 3800  Software  (C3825-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE  SOFTWARE (fc1)
    Has anyone had similar problems?
    Thanks,
    Amit

    jclarke wrote:I haven't seen this before.  Can you redo the configuration, and collect a sniffer trace of SNMP traffic between the IPM server and the device?  This will help determine if the problem is with IPM or IOS.
    Hi,
    My IPM is running on Solaris 10.
    Can you advise what/how I can sniff the SNMP traffic between the server and the IOS device?
    Here is more information from the device:
    #show version
         Cisco IOS Software, C3550
    Software (C3550-IPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE
    (fc2)
    #show running-config | inc 154366
    ip sla 154366
    ip sla schedule 154366 life forever start-time now ageout 3600
    ip sla reaction-configuration 154366 react timeout threshold-type immediate action-type trapOnly
    ip sla reaction-configuration 154366 react rtt threshold-value 4000 3000 threshold-type consecutive 2 action-type trapOnly
    35PROB#show ip sla configuration 154366
    IP SLAs, Infrastructure Engine-II.
    Entry number: 154366
    Owner: ipm|unix107776a44
    Tag: 35PROB_AMIT
    Type of operation to perform: echo
    Target address: 0.0.0.0
    Source address: 0.0.0.0
    Request size (ARR data portion): 64
    Operation timeout (milliseconds): 5000
    Type Of Service parameters: 0x0
    Verify data: No
    Vrf Name:
    Schedule:
        Operation frequency (seconds): 60
        Next Scheduled Start Time: Start Time already passed
        Group Scheduled : FALSE
        Randomly Scheduled : FALSE
        Life (seconds): Forever
        Entry Ageout (seconds): 3600
        Recurring (Starting Everyday): FALSE
        Status of entry (SNMP RowStatus): Active
    Threshold (milliseconds): 4000
    Distribution Statistics:
        Number of statistic hours kept: 2
        Number of statistic distribution buckets kept: 1
        Statistic distribution interval (milliseconds): 20
    History Statistics:
        Number of history Lives kept: 0
        Number of history Buckets kept: 15
        History Filter Type: None
    Enhanced History:
    Thanks

  • ASA 8.4(2) doesn't respond to ICMP echo on ip address with port forwarding only

    Hello,
    In order to meet our requirements we had to configure PAT for TCP 80 on 2 external IP addresses to one internal IP in the DMZ. TCP port 80 is being translated for both external IP addresses and it works as expected. However, since we have migrated to the ASA, both external IP addresses don't respond to ICMP echo requests, generating the following error:
    %ASA-3-106014: Deny inbound icmp src outside:<Source IP> dst outside:<Destination IP> (type 8, code 0)
    Previously we had been using a Cisco router to achieve the same objective and it worked well.
    I have noticed that when I add "same-security-traffic permit intra-interface" to the configuration, the message mentioned above stops appearing in the logs.
    As far as I can tell the ASA sends the packet back through the outside interface, despite the fact that the appliance advertises its MAC address in response to an ARP request for the same external IP address.
    Is there any way to make the ASA realise that it should respond to ICMP echo requests on external IP addresses that have forwarding set up?
    I do realise that ICMP would work in 1-to-1 NAT scenario, but we can't apply 1-to-1 NAT for 2 external IP addresses to point to one internal IP address.
    Kind Regards,
    Paul Preston

    Hi Julio,
    Interesting. I have tried to map two external IP addresses to a single internal IP using 1-to-1 NAT, but when I tried to configure the second one I remember a message "mapping exists"...
    I think that it might be easier if I paste relevent config:
    access-list From_Internet extended permit icmp any any
    access-list From_Internet extended permit tcp any gt 1023 host 172.17.0.103 eq www
    access-list From_Internet extended deny ip any any log warnings
    object network www-91-17.103
    host 172.17.0.103
    object network www-92-17.103
    host 172.17.0.103
    icmp permit any outside
    object network www-91-17.103
    nat (DMZ,outside) static x.x.x.91 service tcp www www
    object network www-92-17.103
    nat (DMZ,outside) static x.x.x.92 service tcp www www
    With the config above NAT works for both IP addresses, but unfortunately neither IP address responds to ICMP echo requests.
    Kind Regards,
    Paul Preston

  • Event filter question Nachi Worm ICMP Echo Request (2156)

    The intent is to only see this alert when the source is my IP space. Is it possible to create 2 separate event filters for this sig? I'd like one to filter events when my IP space is the destination, and the other would allow alerts when my IP space is the source. Would they need to be in some order like access lists, i.e. allow specific ICMP then deny other ICMP?

    Yes, this is possible.
    In version 4.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination, and set Exception to True for that filter.
    Then create a second filter to match SIGID 2156, leave the address fields defaulted so that all addresses will be matched, and leave Exception as the default False.
    The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.
    The second will prevent signature 2156 from firing on any other address combinations, like:
    Source IN and Destination IN
    Source OUT and Destination IN
    Source OUT and Destination OUT
    (Note: You asked that no alarms be generated for Destination IN, but I also assume you don't want alarms for source OUT and destination OUT either.)
    NOTE: In version 4.x the order of the 2 filters is unimportant. The Exclusion TRUE filter will always override all Exclusion FALSE filters, so the Exclusion TRUE filter will always cause the signature to fire.
    In version 5.x the ordering of the filters is important.
    In version 5.x create a filter that matches SIGID 2156, and also matches $IN for the source and $OUT for the destination, leave the Actions to Subtract field blank (so no actions are removed) and set Stop On Match to True for that filter.
    Then create a second filter to match SIGID 2156, leave the address fields defaulted so that all addresses will be matched, and select ALL Actions in the Actions To Subtract field.
    The first filter line will allow the 2156 to fire when the source is IN your network and the destination is OUT of your network.
    This is because that first filter will be matched and no actions will be removed (like produceAlert). Stop On Match being True will prevent the checking of the next filter.
    The second will prevent signature 2156 from firing on any other address combinations, like:
    Source IN and Destination IN
    Source OUT and Destination IN
    Source OUT and Destination OUT
    (Note: You asked that no alarms be generated for Destination IN, but I also assume you don't want alarms for source OUT and destination OUT either.)
    NOTE: In version 5.x the order of the 2 filters is important. The sensor will start at the top of the filter list. If that filter matches, it will remove the actions in the Actions To Subtract field and then check the Stop On Match field.
    If Stop On Match is true then it stops processing the rest of the filter lines.
    But if Stop On Match is false then it will continue processing the rest of the filter lines.
    If the second filter had come first, then it would have been matched even on the Source IN Destination OUT alerts and would have removed all actions and prevented the sig from firing. So the ordering is important.
    Also be aware that if Stop On Match was accidentally set to false on the first filter, then the sensor would have continued and also matched the second filter and would have removed all actions because of the second filter.
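The following is an added example, not code from the answer above and not Cisco software: a Python model of the two filter-processing rules the answer describes, the 4.x "Exception overrides, order irrelevant" rule and the 5.x "walk in order, subtract actions, honour Stop On Match" rule, applied to the two filters for signature 2156. It shows the three outcomes the answer warns about: the recommended order fires only for source IN / destination OUT, the reversed order suppresses everything in 5.x, and a first filter with Stop On Match left false also suppresses everything. The action names, the stand-in for the $IN variable and the sample addresses are assumptions and constructed values chosen for this example.

```python
"""Model of Cisco IPS event-action filter processing for signature 2156
(added example, not Cisco code). The filter fields and the 4.x / 5.x rules
are taken from the answer above; the action names and the $IN prefix list
are assumptions."""
import ipaddress
from dataclasses import dataclass

IN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]        # stand-in for the $IN variable
ALL_ACTIONS = frozenset({"produceAlert", "logAttackerPackets", "denyPacketInline"})

@dataclass(frozen=True)
class Filter:
    sig_id: int
    src: str = "any"                   # "any", "IN" or "OUT"
    dst: str = "any"
    exception: bool = False            # 4.x: True means "let this combination fire"
    subtract: frozenset = frozenset()  # 5.x: actions removed when the filter matches
    stop_on_match: bool = False        # 5.x: stop walking the list after this filter

def side(ip):
    """Classify an address as IN (our space) or OUT relative to IN_PREFIXES."""
    a = ipaddress.ip_address(ip)
    return "IN" if any(a in n for n in IN_PREFIXES) else "OUT"

def matches(f, sig_id, src, dst):
    return (f.sig_id == sig_id
            and f.src in ("any", side(src))
            and f.dst in ("any", side(dst)))

def fires_4x(filters, sig_id, src, dst):
    """4.x: order is irrelevant; any matching Exception=True filter wins."""
    hits = [f for f in filters if matches(f, sig_id, src, dst)]
    if any(f.exception for f in hits):
        return True
    return not hits                    # a matching non-exception filter suppresses the event

def actions_5x(filters, sig_id, src, dst):
    """5.x: walk the list top-down, subtracting actions, honouring Stop On Match."""
    remaining = set(ALL_ACTIONS)
    for f in filters:
        if matches(f, sig_id, src, dst):
            remaining -= f.subtract
            if f.stop_on_match:
                break
    return remaining

# The two filters the answer describes, written once for both versions.
ALLOW_IN_TO_OUT = Filter(2156, "IN", "OUT", exception=True, stop_on_match=True)
SUPPRESS_REST = Filter(2156, subtract=ALL_ACTIONS)

def demo():
    """Constructed address pairs run through the good order, the reversed order,
    and a first filter whose Stop On Match was left false."""
    good = [ALLOW_IN_TO_OUT, SUPPRESS_REST]
    reversed_order = [SUPPRESS_REST, ALLOW_IN_TO_OUT]
    no_stop = [Filter(2156, "IN", "OUT", exception=True), SUPPRESS_REST]
    cases = {"in->out": ("10.1.2.3", "198.51.100.4"),
             "out->in": ("198.51.100.4", "10.1.2.3"),
             "in->in": ("10.1.2.3", "10.9.9.9")}
    return {name: {"4.x": fires_4x(good, 2156, s, d),
                   "4.x reversed": fires_4x(reversed_order, 2156, s, d),
                   "5.x good order": "produceAlert" in actions_5x(good, 2156, s, d),
                   "5.x reversed": "produceAlert" in actions_5x(reversed_order, 2156, s, d),
                   "5.x stop-on-match off": "produceAlert" in actions_5x(no_stop, 2156, s, d)}
            for name, (s, d) in cases.items()}
```

For the in->out pair, `demo()` reports the alert firing under 4.x in either order and under 5.x only in the recommended order; every other address pair is silent in all variants, and filters for other signature IDs are untouched because `matches()` keys on the signature first.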

  • DAP ACL filters - why only 'all allow' or 'all deny'

    Hi folks.
    I'm doing DAP (dynamic Access policies) on an ASA 8.0 for SSL VPN via the AnyConnect client.
    Could someone explain the requirement that ACLs used for Network or Web filters must consist of either all permit or all deny statements (i.e. no mixing permits/denies)?
    Also, I'm trying to wrap my head around Downloadable ACLs in general. Do people actually use these (either local to the ASA or downloaded from an ACS, for example)?

    Hi, Troubleshooting is like trying to find a needle in a haystack, right? LOL  I'm always amazed computers work at all:-)
    Hats off to the Microsofts, the Apples, the Adobes and all of the others that do all they do, so I don't mind a glitch here and there.
    You are probably correct about the allow/deny selection for Zone Alarm. I used it at one time and I had a hard time with it due to not understanding what an allow or deny would do:-) Glad you were able to see that.
    The FF vs 3.6.9 from what I have read was all about Security. I was over there late last night reading. Link here:
    http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.9
    Also, here is some additional info and it covers the DLL preloading attack that is going on:
    http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=227400031&cid=nl_IW_SMB_2010-09-09_h
    Microsoft came out on 8/23 on the latter link.
    Thanks for the appreciation:-)  There are many other volunteers on the other Adobe Forums as well and I'm sure they are all appreciated. Many have been on the other Forums for a very long time. I'm always amazed at the number of posts they have accumulated over the years! Very Hi-Tech people over there!
    Regards,
    eidnolb

  • Nexus 5500 duplicate ICMP echo-reply

    I am experiencing inconsistent echo-replies from devices connected via vPC to Nexus 5500s while pinging from the Nexus exec prompt.
    In some cases I receive a normal response when pinging from one Nexus, but no response when pinging from the other switch. In another instance I receive a normal response on one Nexus, and duplicate replies on the other. It looks like a vPC-related bug. NX-OS is 5.1.3.N2.1.
    5501# ping 10.12.12.232
    PING 10.12.12.232 (10.12.12.232): 56 data bytes
    64 bytes from 10.12.12.232: icmp_seq=0 ttl=253 time=8.585 ms
    64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=9.227 ms (DUP!)
    64 bytes from 10.12.12.232: icmp_seq=1 ttl=253 time=1.011 ms
    64 bytes from 10.12.12.232: icmp_seq=2 ttl=253 time=8.097 ms
    64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=9.429 ms (DUP!)
    64 bytes from 10.12.12.232: icmp_seq=3 ttl=253 time=18.195 ms
    64 bytes from 10.12.12.232: icmp_seq=4 ttl=253 time=8.807 ms
    5502# ping 10.12.12.232
    PING 10.12.12.232 (10.12.12.232): 56 data bytes
    64 bytes from 10.12.12.232: icmp_seq=0 ttl=254 time=0.985 ms
    64 bytes from 10.12.12.232: icmp_seq=1 ttl=254 time=0.884 ms
    64 bytes from 10.12.12.232: icmp_seq=2 ttl=254 time=0.875 ms
    64 bytes from 10.12.12.232: icmp_seq=3 ttl=254 time=3.105 ms
    64 bytes from 10.12.12.232: icmp_seq=4 ttl=254 time=8.378 ms
    Thanks
    Jarek

    Hi
    I found this in the configuration guide for the Nexus 7000 on configuring vPCs:
    "When you enable this feature (peer-gateway), Cisco NX-OS automatically disables IP redirects on all interface VLANs mapped over a vPC VLAN to avoid generation of IP redirect messages for packets switched through the peer gateway router."
    However, this is not happening automatically on the 5K, so you need to manually add "no ip redirects" on each vPC VLAN interface to prevent duplicate pings.

  • EA6300 ICMP request reply delay "request timed out"

    Hi all,
    I recently bought an EA6300 smart Wi-Fi router to provide support for intranet and Internet. The router is connected by Cat6 cable to a 24-port local LAN switch. I am getting the ICMP delay message "request timed out" frequently. Users can't work properly due to this interruption over the LAN. I can't understand why it is happening. Could any expert please help me with this issue?
    Rgds
    Zahir

    May I know where the computer is connected, Zahir? Is it behind the router or the switch? We have to look properly into what's causing this. What do you mean by a delay in ICMP: is it when you're pinging a website or the router's IP address? There are tons of reasons for delay, but with proper diagnostics I'm pretty sure you'll get to the bottom of this.
    By the way, what kind of switch are you referring to?
    You may check this for more info: SWITCH  

  • ASA5510 - 8.4(5) Filtering self generated flows

    Dear all,
    I am currently filtering inbound flows through the use of ACLs. However, I need to filter flows that originate from my ASA appliance as well.
    Example: I want the ASA to be able to ping DEVICE1 but not DEVICE2.
    I've investigated three ways to do that but without any successful results:
    - route-map (cannot be applied globally or locally on an interface like on a switch)
    - ACL out (but it blocks flows allowed in; e.g. ping works from the subnet connected to interface A to the subnet connected to interface B. If I apply an output ACL rule to interface B allowing the ASA to ping subnet B with a deny any at the end of the rule, it blocks flows from A to B unless I add all flows authorized in interface A's ACL to interface B's outbound ACL)
    - Global ACL: not a solution, as it is only applied in the inbound direction
    - service-policy: no action to deny
    Does anyone have a solution for this? Is there a function for that?
    Thanks for your help.
    Sofyan

    Hi,
    The interface ACLs on the ASA tend to only control traffic "through the box" rather than "to the box".
    There is an option to configure ACLs that are attached with the parameter "control-plane", but this only controls traffic "inbound" to the ASA itself and therefore does not limit connections from the ASA. I could, for example, deny all traffic inbound to the ASA but I could still ping the DNS server, either with ICMP or TCP ping, from the ASA.
    If your aim was only to limit ICMP-related traffic, then you have another option, though.
    You could use the "icmp" command. To my understanding this doesn't really give you the flexibility of ACL configuration, so you might have to redo the configuration completely every time you need to make a change (since you can't add new configurations in between existing ones).
    For example, I have gateway IP addresses 10.0.10.1 and 10.0.0.1 behind my ASA. If I want to allow ICMP from the ASA to 10.0.10.1 but not from 10.0.0.1, then I could configure this:
    icmp permit host 10.0.10.1 echo-reply LAN
    icmp deny any LAN
    In the above the LAN is my LAN interfaces "nameif" on the ASA
    ASA(config)# ping 10.0.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ASA(config)# ping 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    If I remove the configurations then they both reply
    ASA(config)# clear configure icmp
    ASA(config)# ping 10.0.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.10.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ASA(config)# ping 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    Though the thing that the ASA naturally does in the first example is that it just denies ICMP echo-reply messages from all but one source address. So you allow the ICMP echo-replies from where you want and block all the rest.
    Hope this helps
    - Jouni

  • ACL - configuration help

    Hello, I have a newly configured 5510 and would appreciate a look over the configuration, plus some questions I have. It's a long post and I appreciate anyone taking the time to read through it.
    My goals are the following:
         to allow the inside network 10.20.145.0 Internet access, as long as the connection starts inside
         to allow the neighbor network that comes in through the outside interface (origin 170.20.0.0/16) access to 10.20.145.0 (bidirectional)
         the tunnel from the neighbor LAN to the inside LAN happens through a VPN concentrator that has an external IP address, 77.76.19.35
         to allow certain devices on the DMZ to access the Internet, and to allow outside-to-inside connections on certain ports
    Many of the settings I have configured are coming from a Juniper that is currently online but needs to be replaced.
    The network is set up as below, for a chart of traffic:
    ISP ---- Internet router ---- switch (3 active connections): 1. firewall  2. internet router   3. vpn concentrator
    There is an internal 3750 that I have configured with IP 10.20.145.15, since it comes up often.
    I'm using public IPs on the machines on the DMZ, though I'm thinking of changing that to an internal VLAN and then NATing it out. Well, here's what I have so far:
    =================================================================================================
    ASA Version 8.3(2)
    hostname ASA
    domain-name a.domain.com
    enable password l4Tu/tqHeN0MdD7t encrypted
    passwd dL9fmCBkHiwx4Iib encrypted
    names
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    interface GigabitEthernet1/0
    description outside-interface-connected-to-internet-switch
    speed 1000
    duplex full
    shutdown
    nameif outside
    security-level 0
    ip address 76.77.19.34 255.255.255.240
    interface GigabitEthernet1/1
    description inside-int-10.20.145-network
    speed 1000
    duplex full
    shutdown
    nameif inside
    security-level 100
    ip address 10.20.145.3 255.255.255.192
    interface GigabitEthernet1/2
    shutdown
    nameif DMZ
    security-level 50
    ip address 76.77.19.49 255.255.255.240
    interface GigabitEthernet1/3
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 76.77.6.11
    name-server 66.72.76.84
    name-server 4.2.2.1
    name-server 8.8.8.8
    domain-name a.domain.com
    object network Inside_lan
    subnet 10.20.145.0 255.255.255.0
    object network NET-neighbor
    subnet 170.20.0.0 255.255.0.0
    description neighbor_LAN 
    object network 76.77.19.44_cake
    host 76.77.19.44
    description cake 
    object network 76.77.19.59
    host 76.77.19.59
    description streaming 
    object network 76.77.19.61
    host 76.77.19.61
    description streaming 
    object network cindy
    host 50.56.249.224
    description cindy 
    object-group network internal-LAN
    network-object object Inside_lan
    object-group service 3306 tcp
    description 3306
    port-object eq 3306
    object-group service 4567 tcp
    description 4567
    port-object eq 4567
    object-group icmp-type ICM
    description ICM_basic
    icmp-object echo
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object traceroute
    icmp-object unreachable
    object-group service Retriever_SVC tcp
    description Retriever
    port-object range 8000 8001
    object-group service Production tcp
    description PM
    port-object range www www
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service Streaming tcp
    description streaming server
    port-object eq 7009
    object-group service UDP123 udp
    description 123
    port-object eq ntp
    object-group service affordable tcp
    description affordable legacy
    port-object eq 85
    object-group service market tcp
    description ports for market  dmz
    port-object eq 2189
    port-object eq 2190
    port-object eq 2192
    port-object eq 2194
    object-group service messenger tcp
    description air messenger
    port-object eq 444
    object-group service traffic-701 tcp
    description 701
    port-object eq 701
    object-group service ntp1 udp
    description ntp-udp-1
    group-object UDP123
    object-group service payroll tcp
    description payroll port
    port-object eq 714
    object-group service snmp-udp udp
    description snmp udp 1
    port-object eq snmp
    object-group service vitrol tcp
    description vitrol custom
    port-object eq 5986
    object-group service webconferrence tcp
    description webconference legacy port
    port-object eq 1417
    port-object eq 407
    object-group service webmail tcp
    description webmail ports
    port-object eq 2095
    object-group service INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq ftp-data
    object-group service INLINE_SERVICE_1
    service-object tcp
    service-object icmp echo-reply
    service-object icmp traceroute
    service-object icmp unreachable
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object udp destination eq echo
    service-object udp destination eq ntp
    service-object udp destination eq radius
    service-object udp destination eq radius-acct
    service-object udp destination eq syslog
    object-group network INLINE_NETWORK_1
    network-object host 76.57.19.53
    network-object host 255.255.255.255
    object-group service INLINE_TCP_2 tcp
    group-object Streaming
    group-object vitrol
    object-group service INLINE_SERVICE_2
    service-object ip
    service-object tcp
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq ssh
    access-list internet extended permit ip object Inside_lan interface outside
    access-list internet extended permit object-group DM_INLINE_SERVICE_1 object Inside_lan any
    access-list syndicaster extended permit tcp object Cindy object Inside_lan object-group INLINE_TCP_1
    access-list streaming extended permit tcp interface DMZ any object-group Streaming
    access-list streaming59 extended permit tcp object 76.77.19.59 interface outside object-group Streaming
    access-list streaming_outside_in extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
    access-list neighbor extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    object network Inside_lan
    nat (any,outside) dynamic interface
    access-group neighbor in interface outside
    access-group neighbor out interface inside
    route outside 0.0.0.0 0.0.0.0 76.77.19.33 1
    route inside 10.0.0.0 255.255.255.0 10.20.145.4 1
    route inside 10.0.1.0 255.255.255.0 10.20.145.2 1
    route inside 10.20.145.0 255.255.255.0 10.20.145.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 10.20.145.39 255.255.255.255 inside
    telnet timeout 5
    ssh 10.20.145.39 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 76.77.6.11 64.22.16.84
    dhcpd domain a domain
    dhcpd option 6 ip 4.2.2.1
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username joe password m6OO.pH/13qc7ypS encrypted privilege 15
    username bob password N./x1Ut.gM.QGZLa encrypted privilege 15
    username bill password uZjIWeHtovCOweHJ encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:06eb82d8d8a3ae82352512cd707e7f4a
    ========================================================================================================================================================
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list internet; 14 elements; name hash: 0xb30cf7fe
    access-list internet line 1 extended permit ip object Inside_lan interface outside 0xe073f975
      access-list internet line 1 extended permit ip 10.20.145.0 255.255.255.0 interface outside (hitcnt=0) 0xe073f975
    access-list internet line 2 extended permit object-group INLINE_SERVICE_1 object Inside_lan any 0x2e33ca08
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any (hitcnt=0) 0xa576d14f
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any echo-reply (hitcnt=0) 0x15cccd5c
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any traceroute (hitcnt=0) 0x8aab2f53
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any unreachable (hitcnt=0) 0xe02606e1
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp (hitcnt=0) 0x6d0043b6
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp-data (hitcnt=0) 0xce904411
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq www (hitcnt=0) 0x1ddebc69
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq https (hitcnt=0) 0x1a3b15bc
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq echo (hitcnt=0) 0xadc66030
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq ntp (hitcnt=0) 0xa67a4406
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius (hitcnt=0) 0x230419e6
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius-acct (hitcnt=0) 0xa8ae0824
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq syslog (hitcnt=0) 0x051c7ef5
    access-list cindy; 2 elements; name hash: 0x807c55e5
    access-list cindy line 1 extended permit tcp object cindy object Inside_lan object-group DM_INLINE_TCP_1 0xe35e702c
      access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0x64b321cc
      access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x55109118
    access-list streaming; 1 elements; name hash: 0xfd34cf16
    access-list streaming line 1 extended permit tcp interface DMZ any object-group Streaming_custom 0x8b2e87d1
    access-list streaming line 1 extended permit tcp interface DMZ any eq 7009 (hitcnt=0) 0xb13a2776
    access-list streaming59; 1 elements; name hash: 0x959c1f3b
    access-list streaming59 line 1 extended permit tcp object 76.77.19.59 interface outside object-group Streaming_custom 0xc173840d
    access-list streaming59 line 1 extended permit tcp host 76.77.19.59 interface outside eq 7009 (hitcnt=0) 0x84cd9084
    access-list streaming_outside_in; 4 elements; name hash: 0x3f86c9d4
    access-list streaming_outside_in line 1 extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 7009 (hitcnt=0) 0x06c04720
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 5986 (hitcnt=0) 0x9ae9047e
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 7009 (hitcnt=0) 0x5e3553e8
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 5986 (hitcnt=0) 0x1f5d8fd9
    access-list neighbor; 7 elements; name hash: 0xc99eb2b4
    access-list neighbor line 1 extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan 0xc9688a21
      access-list neighbor line 1 extended permit ip 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0xe1e8b995
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0x462beedc
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0xf238c75e
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x266e675b
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq www (hitcnt=0) 0x8627ec0a
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq https (hitcnt=0) 0x3cae424a
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ssh (hitcnt=0) 0xcb6666b3

    Hi,
    For the default Dynamic PAT rule that you are asking about for the single "inside" network, I would suggest the following.
    First, remove the current NAT configurations:
    nat (inside,outside) source dynamic any interface
    object network Inside_lan
    nat (any,outside) dynamic interface
    Then reconfigure the NAT in the following way:
    object-group network DEFAULT-PAT-SOURCE
    network-object 10.20.145.0 255.255.255.0
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    This will create an "object-group" for the networks or hosts that should be PATed to the "outside" interface IP address when accessing the Internet. If you want more internal networks to get PATed the same way, you simply add the network under the "object-group" alongside the already existing "inside" network.
    The "after-auto" parameter also makes sure that this NAT rule doesn't override any other future rules. The parameter in question moves the NAT rule to the bottom of the NAT rules, so it is one of the last matched against when traffic arrives on the firewall from behind "inside".
    With regards to the neighbor network of 172.20.0.0/16, is this some network that is going to be behind a L2L VPN, or is it simply almost directly behind the "outside" interface?
    In general the NAT format for this kind of NAT is:
    object network NEIGHBOR
    subnet 172.20.0.0 255.255.0.0
    object-group network NEIGHBOR-SOURCE
    network-object 10.20.145.0 255.255.255.0
    nat (inside,outside) source static NEIGHBOR-SOURCE NEIGHBOR-SOURCE destination static NEIGHBOR NEIGHBOR
    I basically use an "object network" to define the remote network and an "object-group network" to define the source network for this NAT. I use an "object-group" for the source again because it leaves us room to add more networks under it if needed. Notice that an "object network" can only hold one subnet/range/host, while an "object-group network" can hold pretty much as many as you want.
    I think the ACL configurations will have to be looked through also.
    Notice that if you want to control traffic from behind "outside", for example, then you can only use one interface-bound ACL to control that traffic. So every rule from "outside" to "inside" or to "dmz" has to be in the same ACL. Also, this ACL would be attached to the "outside" interface in the "in" direction. For example "access-group OUTSIDE-IN in interface outside".
    If we are talking about VPN connections configured directly to the ASA, there are some other options compared to the above.
    But as I said, it's better that your needs regarding the ACL rules are gone through more in depth to really know how we should configure them, as I myself am not sure what all the above ACLs are supposed to do.
    One final question for you. You have this network directly on the "inside" interface: 10.20.145.3 255.255.255.192. But you also talk about it with mask /24. Is the ASA "inside" connected to some internal L3 device which hosts the rest of the segments of this whole /24 network, as currently the "inside" interface holds a /26?
    Are any users/networks behind the ASA "inside" interface using the ASA directly as their gateway? I noticed that your setup would seem to have (as I mentioned in another thread to you) several devices connected by the same LAN network (router, VPN, firewall). What I fear will happen is that IF any "inside" users use the ASA as their gateway and have to be routed back through the ASA "inside" interface to some other gateway, this will result in asymmetric routing, and the ASA doesn't really handle that kind of situation that well.
    - Jouni
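Jouni's point that the posted ACLs need a closer look can be made mechanical. The following Python is an added example (not from the thread, not Cisco tooling) that parses the "show access-list" output format shown above, keeps only the expanded entries that carry a hit count, and reports two things a reviewer wants: entries with zero hits, and entries that can never match because an earlier entry in the same ACL already permits all IP between the same source and destination. The second case is exactly what the posted "neighbor" ACL shows: its service object-group mixes "ip" with tcp entries, so every tcp line after the "ip" line is dead. The sample input is a constructed, trimmed copy of the posted output with one hit count changed to a non-zero value; the shadow check only compares identical source/destination pairs (it does not reason about "any" or overlapping subnets), which is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the "show access-list" output posted above,
# with the neighbor "ip" entry given hitcnt=12 so the aggregation has something to show.
SAMPLE = """\
access-list internet; 14 elements; name hash: 0xb30cf7fe
access-list internet line 1 extended permit ip object Inside_lan interface outside 0xe073f975
  access-list internet line 1 extended permit ip 10.20.145.0 255.255.255.0 interface outside (hitcnt=0) 0xe073f975
access-list internet line 2 extended permit object-group INLINE_SERVICE_1 object Inside_lan any 0x2e33ca08
  access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any (hitcnt=0) 0xa576d14f
  access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any echo-reply (hitcnt=0) 0x15cccd5c
access-list neighbor; 7 elements; name hash: 0xc99eb2b4
access-list neighbor line 1 extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan 0xc9688a21
  access-list neighbor line 1 extended permit ip 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=12) 0xe1e8b995
  access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0x462beedc
  access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ssh (hitcnt=0) 0xcb6666b3
"""

# Only the expanded ACEs carry "(hitcnt=N)"; the object/object-group parent lines do not and are skipped.
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<body>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)\s*$")

PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}   # operator plus its operand count

@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    service: str      # trailing qualifier such as "eq ssh" or "echo-reply"; "" means any
    hits: int

def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tok[i]: "any", "host A", "interface NAME" or "NET MASK"."""
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_show_access_list(text: str) -> Dict[str, List[Ace]]:
    """Expanded ACEs per ACL name, in the order the firewall evaluates them."""
    acls: Dict[str, List[Ace]] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        tok = m["body"].split()
        src, i = _take_addr(tok, 0)
        if i < len(tok) and tok[i] in PORT_OPS:           # optional source-port qualifier
            i += PORT_OPS[tok[i]]
        dst, i = _take_addr(tok, i)
        acls.setdefault(m["acl"], []).append(Ace(
            m["acl"], int(m["line"]), m["action"], m["proto"],
            src, dst, " ".join(tok[i:]), int(m["hits"])))
    return acls

def find_shadowed(aces: List[Ace]) -> List[Ace]:
    """ACEs that can never match: an earlier ACE with the same action already covers all IP
    between the identical source and destination (typical when a service object-group mixes
    'ip' with tcp/udp/icmp members)."""
    covered, shadowed = set(), []
    for ace in aces:
        key = (ace.action, ace.src, ace.dst)
        if ace.proto != "ip" and key in covered:
            shadowed.append(ace)
        elif ace.proto == "ip" and ace.service == "":
            covered.add(key)
    return shadowed

def zero_hit(aces: List[Ace]) -> List[Ace]:
    return [a for a in aces if a.hits == 0]

def audit(text: str) -> Dict[str, Dict[str, int]]:
    """Per-ACL summary: expanded entries, total hits, unused entries, shadowed entries."""
    return {name: {"entries": len(aces), "hits": sum(a.hits for a in aces),
                   "unused": len(zero_hit(aces)), "shadowed": len(find_shadowed(aces))}
            for name, aces in parse_show_access_list(text).items()}

if __name__ == "__main__":
    for name, row in audit(SAMPLE).items():
        print(name, row)
```

Run against a full "show access-list" capture, the "unused" column tells you which entries have never matched since the counters were cleared, and the "shadowed" column tells you which object-group members are dead weight; both are candidates for removal before the ACL is reworked.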

  • Sun Cluster 3.2/Solaris 10 Excessive ICMP traffic

    Hi all,
    I have inherited a 2-node cluster with a 3510 SAN which I have upgraded to Cluster 3.2/Solaris 10. Apparently this was happening on Cluster 3.0/Solaris 8 as well.
    The real interfaces on the two nodes seem to be sending excessive pings to the default gateway they are connected to. The configuration of the network adapters is the same: two NICs on each are grouped for multihoming and two NICs are configured as private for cluster heartbeats.
    The two NICs that are grouped together on each of the servers are the cards generating the traffic.
    23:27:52.402377 192.168.200.216 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:52.402392 192.168.200.1 > 192.168.200.216: icmp: echo reply
    23:27:52.588793 192.168.200.217 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:52.588806 192.168.200.1 > 192.168.200.217: icmp: echo reply
    23:27:52.818690 192.168.200.215 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:52.818714 192.168.200.1 > 192.168.200.215: icmp: echo reply
    23:27:53.072442 192.168.200.214 > 192.168.200.1: icmp: echo request [ttl 1]
    23:27:53.072479 192.168.200.1 > 192.168.200.214: icmp: echo reply
    Here is the setup to one of the servers:
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
    inet 192.168.200.214 netmask ffffff00 broadcast 192.168.200.255
    groupname prod
    ether 0:3:ba:43:f4:f4
    ce0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 192.168.200.212 netmask ffffff00 broadcast 192.168.200.255
    ce1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 5
    inet 172.16.0.129 netmask ffffff80 broadcast 172.16.0.255
    ether 0:3:ba:43:f4:f3
    qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
    inet 192.168.200.216 netmask ffffff00 broadcast 192.168.200.255
    groupname prod
    ether 0:3:ba:34:95:4
    qfe1: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 4
    inet 172.16.1.1 netmask ffffff80 broadcast 172.16.1.127
    ether 0:3:ba:34:95:5
    clprivnet0: flags=1009843<UP,BROADCAST,RUNNING,MULTICAST,MULTI_BCAST,PRIVATE,IPv4> mtu 1500 index 6
    inet 172.16.193.1 netmask ffffff00 broadcast 172.16.193.255
    ether 0:0:0:0:0:1
    Any suggestions on why the excessive traffic?

    I would guess these are the ipmp probes (man in.mpathd).
    You can start in.mpathd in debug mode to find out.
    HTH,
    jono
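To confirm jono's guess from the data already in the post rather than by restarting in.mpathd, the following Python is an added example (not from the thread, not part of Solaris or Sun Cluster). It pulls the IPMP test addresses out of the ifconfig output (on Solaris the test addresses are the ones on logical interfaces flagged NOFAILOVER), then classifies each echo request in the tcpdump output: a request to the gateway with ttl 1 from a known test address is a probe; the same pattern from an address not in this node's ifconfig (here the other node's test addresses, .215 and .217) is probe-like; anything else is reported separately, as are requests that never got a reply. The ifconfig and capture text below are constructed from the lines in the post, plus one extra request (192.168.200.50, ttl 64) added so the "other" bucket is exercised; the gateway address is passed in rather than inferred.

```python
import re
from collections import Counter
from typing import Dict, Set

# Constructed excerpt of the ifconfig output above (one node). The other node's test
# addresses are not known here, which is why the classifier has a "probe_like" bucket.
IFCONFIG = """\
ce0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
inet 192.168.200.214 netmask ffffff00 broadcast 192.168.200.255
groupname prod
ce0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.200.212 netmask ffffff00 broadcast 192.168.200.255
qfe0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 3
inet 192.168.200.216 netmask ffffff00 broadcast 192.168.200.255
groupname prod
"""

# Constructed capture: the four request/reply pairs from the post plus one extra request
# (192.168.200.50, ttl 64) that is not a probe and gets no reply.
CAPTURE = """\
23:27:52.402377 192.168.200.216 > 192.168.200.1: icmp: echo request [ttl 1]
23:27:52.402392 192.168.200.1 > 192.168.200.216: icmp: echo reply
23:27:52.588793 192.168.200.217 > 192.168.200.1: icmp: echo request [ttl 1]
23:27:52.588806 192.168.200.1 > 192.168.200.217: icmp: echo reply
23:27:52.818690 192.168.200.215 > 192.168.200.1: icmp: echo request [ttl 1]
23:27:52.818714 192.168.200.1 > 192.168.200.215: icmp: echo reply
23:27:53.072442 192.168.200.214 > 192.168.200.1: icmp: echo request [ttl 1]
23:27:53.072479 192.168.200.1 > 192.168.200.214: icmp: echo reply
23:27:54.000000 192.168.200.50 > 192.168.200.1: icmp: echo request [ttl 64]
"""

IF_RE = re.compile(r"^(\S+): flags=\w+<([^>]*)>")
INET_RE = re.compile(r"^inet (\S+) netmask")
PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: echo (?P<kind>request|reply)"
    r"(?: \[ttl (?P<ttl>\d+)\])?")

def ipmp_test_addresses(ifconfig: str) -> Set[str]:
    """Addresses configured on logical interfaces flagged NOFAILOVER, i.e. IPMP test addresses."""
    found: Set[str] = set()
    current_is_test = False
    for line in ifconfig.splitlines():
        m = IF_RE.match(line)
        if m:
            current_is_test = "NOFAILOVER" in m.group(2).split(",")
            continue
        m = INET_RE.match(line)
        if m and current_is_test:
            found.add(m.group(1))
    return found

def classify_echo_traffic(capture: str, test_addrs: Set[str], gateway: str) -> Dict[str, int]:
    """Bucket echo requests: probe (ttl 1, to gateway, from a known test address),
    probe_like (same signature, unknown source), other; plus requests left unanswered."""
    counts: Counter = Counter()
    pending: Counter = Counter()            # (requester, target) -> outstanding requests
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m["kind"] == "reply":
            key = (m["dst"], m["src"])      # reply goes target -> requester
            if pending[key] > 0:
                pending[key] -= 1
            continue
        pending[(m["src"], m["dst"])] += 1
        if m["dst"] == gateway and m["ttl"] == "1":
            counts["probe" if m["src"] in test_addrs else "probe_like"] += 1
        else:
            counts["other"] += 1
    counts["unanswered"] = sum(pending.values())
    return dict(counts)

if __name__ == "__main__":
    addrs = ipmp_test_addresses(IFCONFIG)
    print(sorted(addrs), classify_echo_traffic(CAPTURE, addrs, "192.168.200.1"))
```

If the probe and probe_like buckets account for all of the traffic and nothing is unanswered, the volume is the health checks of four test addresses, not a fault; feed the other node's ifconfig into ipmp_test_addresses as well and probe_like should drop to zero.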

  • Debug IP ICMP

    Hi,
    I found the result below when I enabled debug ip icmp while there was no traffic in or out; I enabled this during non-working hours.
    Is it a DoS attack or normal?
    *Nov  4 19:37:38.943: ICMP: echo reply sent, src 125.19.X.X, dst 203.178.148.19, topology BASE, dscp 0 topoid 0
    *Nov  4 19:41:09.483: ICMP: echo reply sent, src 125.19.X.X, dst 41.79.69.16, topology BASE, dscp 0 topoid 0
    *Nov  4 19:41:27.031: ICMP: echo reply sent, src 125.19.X.X, dst 192.33.90.66, topology BASE, dscp 0 topoid 0
    *Nov  4 19:41:28.079: ICMP: echo reply sent, src 125.19.X.X, dst 192.33.90.66, topology BASE, dscp 0 topoid 0
    *Nov  4 19:41:54.295: ICMP: echo reply sent, src 125.19.X.X, dst 137.165.1.114, topology BASE, dscp 0 topoid 0
    *Nov  4 19:41:55.235: ICMP: echo reply sent, src 125.19.X.X, dst 137.165.1.114, topology BASE, dscp 0 topoid 0
    *Nov  4 19:43:30.583: ICMP: echo reply sent, src 125.19.X.X, dst 203.62.195.170, topology BASE, dscp 0 topoid 0
    *Nov  4 19:43:51.147: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
    *Nov  4 19:43:51.303: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
    *Nov  4 19:43:51.451: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
    *Nov  4 19:43:51.603: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0

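Whether debug output like this is an attack or background noise is a question of rate and direction, and the debug lines carry enough to measure both. The following Python is an added example (not from the thread, not an IOS feature) that parses the "ICMP: echo reply sent/rcvd" line format shown above, groups events by the remote peer (the destination of a reply the router sent, the source of a reply it received), and computes the largest number of events from any one peer inside a sliding one-second window. The sample is a constructed copy of the posted lines with the redacted addresses left as posted; the 10-per-second ceiling is illustrative, and the IOS timestamp has no year, so a fixed one is assumed for the deltas. Note what the data itself shows: the "sent" lines are the router answering pings from scattered Internet hosts a few minutes apart, while 192.33.90.66 pinged the router twice and later sent it four replies within half a second; debug ip icmp does not log the router's own requests, so only a check of what the router actually pinged can say whether those replies were solicited.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed sample: the debug lines from the post, source addresses left redacted as posted.
DEBUG_LOG = """\
*Nov  4 19:37:38.943: ICMP: echo reply sent, src 125.19.X.X, dst 203.178.148.19, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:09.483: ICMP: echo reply sent, src 125.19.X.X, dst 41.79.69.16, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:27.031: ICMP: echo reply sent, src 125.19.X.X, dst 192.33.90.66, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:28.079: ICMP: echo reply sent, src 125.19.X.X, dst 192.33.90.66, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:54.295: ICMP: echo reply sent, src 125.19.X.X, dst 137.165.1.114, topology BASE, dscp 0 topoid 0
*Nov  4 19:41:55.235: ICMP: echo reply sent, src 125.19.X.X, dst 137.165.1.114, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:30.583: ICMP: echo reply sent, src 125.19.X.X, dst 203.62.195.170, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.147: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.303: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.451: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
*Nov  4 19:43:51.603: ICMP: echo reply rcvd, src 192.33.90.66, dst 59.145.X.X, topology BASE, dscp 0 topoid 0
"""

LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): ICMP: echo reply "
    r"(?P<dir>sent|rcvd), src (?P<src>\S+), dst (?P<dst>\S+),")

def _parse_ts(ts: str) -> datetime:
    # The IOS timestamp carries no year; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")

@dataclass
class PeerStats:
    sent: int = 0        # replies this router sent: the peer pinged us
    rcvd: int = 0        # replies received from the peer: we pinged it, or they are unsolicited
    times: List[datetime] = field(default_factory=list)

    def max_in_window(self, seconds: float = 1.0) -> int:
        """Largest number of events from this peer inside any sliding window of 'seconds'."""
        t = sorted(self.times)
        best = j = 0
        for i, start in enumerate(t):
            while j < len(t) and (t[j] - start).total_seconds() <= seconds:
                j += 1
            best = max(best, j - i)
        return best

def peer_stats(log: str) -> Dict[str, PeerStats]:
    """Group echo-reply events by remote peer: dst of a reply we sent, src of a reply we received."""
    stats: Dict[str, PeerStats] = defaultdict(PeerStats)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer = m["dst"] if m["dir"] == "sent" else m["src"]
        if m["dir"] == "sent":
            stats[peer].sent += 1
        else:
            stats[peer].rcvd += 1
        stats[peer].times.append(_parse_ts(m["ts"]))
    return dict(stats)

def bursty_peers(stats: Dict[str, PeerStats], max_per_second: int = 10) -> List[str]:
    """Peers exceeding the per-second ceiling. One reply every few minutes to many different
    hosts is Internet background scanning; hundreds per second from one peer is a flood.
    The ceiling is illustrative, not a Cisco default."""
    return sorted(p for p, s in stats.items() if s.max_in_window(1.0) > max_per_second)

def reply_sources(stats: Dict[str, PeerStats]) -> List[str]:
    """Peers this router received echo replies from; cross-check these against what the router
    itself pinged, since the debug does not show the requests."""
    return sorted(p for p, s in stats.items() if s.rcvd)

if __name__ == "__main__":
    s = peer_stats(DEBUG_LOG)
    for peer, ps in s.items():
        print(f"{peer:16} sent={ps.sent} rcvd={ps.rcvd} peak/s={ps.max_in_window()}")
    print("bursty:", bursty_peers(s), "reply sources:", reply_sources(s))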