ACLs on Dot11Radio interface blocks ALL traffic

Similar Messages

• Blocking all ipv6 traffic

  Good morning -  I have an issue that has happened twice - and I need some advice.  I have a 4506 running version 12.2(46)SG. We recently encountered an issue where I BELIEVE the issue to be IPV6 sending out a broadcast storm, and completely flooded the core switch  - bad enough that I couldn't even console into the device.  After removing all connections that were plugged in when the switch went down.  After everything was back up, we found that it was a laptop with ipv6 enabled - exactly the same scenario as last time.  What we found after the first incident was that a faulty NIC driver caused the ipv6 broadcast storm.
  At any rate, as we do not use IPv6 for anything at all, I want to block all IPv6 traffic.  I know there are different ways to do it, but I'm reaching out to see what ideas you may have also...
  Thx in advance for any input!

  Joel,
  If VACLs with IPv6 ACLs are supported on your platform then I would probably use VACLs, as they allow a filter to be applied flatly to the entire VLAN. Your other option would be to configure per-port ACLs which is cumbersome and bloats the configuration unnecessary.
  With IPv6 ACLs, be sure to block ICMPv6 explicitly. As far as I remember, some ICMPv6 messages are allowed even if they are not explicitly permitted in the ACL (usually the RD and ND messaging).
  If your platform allowed filtering all incoming packets by MAC ACLs, yet another way would be to use VACLs with MAC ACLs, blocking all traffic with the EtherType of 0x86DD. However, newer platforms apply MAC ACLs only to non-IP traffic so they would have no effect on frames carrying IPv6 packets. You need to consult the documentation to your device.
  In any way, VACLs would be my personal preferred choice at this point.
  Best regards,
  Peter

• SA520W Content Filtering blocks all URL

  My current config is using the SA520W with firwmware 2.1.18.
  I have enabled ProtecLink Web with the following settings.
  Global Settings>Approved Clients = Enable approved Clients: Checked
  Global Settings>Approved URLs = Enable Approved URLs List: Checked
  Web Protection>Overflow Control = Temporarily Block URL requests: Checked
  Web Protection>Web Threat Protection = Not Enabled
  Web Protection>URL Filtering = Enable URL Filtering: Checked
  Web Protection>URL Filtering = Enable Check Referer: Checked
  Web Protection>URL Filtering = HTTP Ports: 80
  Filtered Catagories
  Computers/Harmful = All are checked for Business and Leisure hours.
  The issue I am having is that this is blocking all traffic through the device, accept for traffic on port 443 HTTPS. I am able to load pages that are directed to HTTPS. Is there an issue with how I have this configuration setup, or is there an issue with the firmware?
  Thanks
  Robert

  Hi Robert,
  I am using the setup described in your email below but not able to reproduce the issue reported. I have tried some sites and able to browse successfully. Few are the examples:
  www.google.com, www.yahoo.com, www.apple.com, www.cnn.com, www.facebook.com, www.ebay.com, www.amazon.com
  I did see some advertisements frames got blocked in some websites as well as advertisement sites like www.craigslist.com been blocked due to 'Computers/Harmful' category selected for URL filtering.
  Can you let me know some sites that are blocked in your setup. Also which browser are you using for your http traffic.
  Thanks,
  Nitin.

• Blocking all IGMP traffic

  Hello,
  I?m hoping someone may have the answer to this. I am trying to block ALL types of IGMP traffic on a particular interface on at 3560-24-TS-S.
  We have a Summit 5i switch acting as a core switch for 400 users which all (VLAN 3) participate in a multicast group sourced from one of the servers on the same VLAN 3. All the equipment is managed via VLAN 3. From this Summit 5i core switch we have an untagged hand off to a Cisco 3560 - 24-TS-S which also has 400 DIFFERENT users participating in a multicast group sourced from a server physically connected to this Cisco switch but on VLAN 6. All equipment on this switch is also managed via VLAN 3. The problem I believe is that this handoff between the Summit 5i and the Cisco 3560 are having IGMP querying conflicts and it?s causing multicast troubles on both VLAN 3 and VLAN 6. I did setup the port as protected, blocked "unknown" unicast, multicast traffic and issued a no IP IGMP snooping vlan 3. But still having troubles.
  I am using IGMP v2 and source filtering is not available until v3 so I am not sure how to block ALL IGMP traffic to try and help isolate this as 2 separate networks but still being managed on the same.
  Any help is greatly appreciated...
  Regards,
  Robert

  You can try this and control the IGMP queries on a given interface.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swmcast.htm#wp1177268
  To disable groups on an interface, use the no ip igmp access-group interface configuration command.
  This example shows how to configure hosts attached to a port as able to join only group 255.2.2.2:
  Switch(config)# access-list 1 255.2.2.2 0.0.0.0
  Switch(config-if)# interface gigabitethernet0/1
  Switch(config-if)# ip igmp access-group 1
  HTH-Cheers,
  Swaroop

• ACL do you define all traffic?

  Is it best practice to create an ACL on each interface that specificies what traffic is allowed and everything is denied?
  I've got a couple of interface on my ASA that someone has put in a rule that says allow any to any. I would assume that would not be a good idea.

  Hi,
  I personally prefer to only allow traffic from the actual source network that are located behind the interface instead of specifying the source as "any" in the ACL statement.
  I also tend to add a "deny ip any any" statement at the end of the interface ACL (even though it already contains Implicit Deny). This is because this will let me actually see the hitcount of denied traffic on that interface while the Implicit Deny counter cannot be seen.
  Naturally if you have the "ip verify reverse-path " configured for your LAN/DMZ interface then that will already make sure that traffic is not allowed from source addresses/networks that according to ASA routing table are NOT located behind the source interface.
  - Jouni

• RV110W Blocks all inbound traffic

  I have a RV110W that's been in service since Dec 2012. All Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly. Anybody seen this before?

  Hi David,
  Please call the Small Business Support Center and speak with an engineer. The phone numbers for the support center is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
  Regards,
  Cindy Toy
  Cisco Small Business Community Manager
  for Cisco Small Business Products
  www.cisco.com/go/smallbizsupport
  twitter: CiscoSBsupport

• Block all incoming traffic and Active FTP

  Will setting the firewall to Block all incoming traffic break Active FTP Connections?
  The firewall will normally dynamically create exceptions for the Connection using the Application Layer Gateway, but will the profile override these?

  Hi TribleTrouble,
  Do you have any issue about FTP active mode?
  If the clients are part of your domain, push the FTP firewall rules via GPO to your clients allowing FTP inbound sockets
  netsh advfirewall firewall add rule name="File Transfer Program" protocol=TCP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
  netsh advfirewall firewall add rule name="File Transfer Program" protocol=UDP profile=domain Program=C:\Windows\System32\ftp.exe dir=in action=allow
  For Windows 7, the entire networking stack was rewritten and several security measures were taken to further secure Windows.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Firewall blocks Airplay (even under 'allow all traffic')

  Hi every body,
  I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my the server's firewall blocks
  a) all airplay traffic and
  b) 'reading Airport confirguration' requests
  even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
  Any help would really be appreciated.
  Thanks a lot.
  Nonresidentalien
  P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

  Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
  There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
  First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65000          0          0 deny ipv6 from any to any
  65535          6        306 allow ipv6 from any to any
  As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
  reptilehouse:~ sascha$ sudo ip6fw delete 65000
  To confirm, show the rule table again and you should see 65000 is gone:
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65535          6        306 allow ipv6 from any to any
  Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
  What I don't know if whether this is sticky, e.g. survives a reboot.

• Block P2P traffic

  Hello,
  I have tried the below configuration to block the P2P traffic.But still the users can download using utorrent client. How do I effectively block all the P2P traffic. Please help.
  Class Map
  class-map type inspect match-any ALL-P2P-PROTOCOLS
  match protocol edonkey signature
  match protocol gnutella signature
  match protocol kazaa2 signature
  match protocol fasttrack signature
  match protocol bittorrent signature
  class-map type inspect match-all P2P-PROTOCOL
  match class-map ALL-P2P-PROTOCOLS
  match access-group name INTERNET-ACL
  class-map type inspect http match-any HTTP-PORT-MISUSE
  match  request port-misuse im
  match  request port-misuse p2p
  match  request port-misuse tunneling
  Policy Map
  policy-map type inspect http HTTP-PORT-MISUSE-POLICY
  class type inspect http HTTP-PORT-MISUSE
    reset
    log
  policy-map type inspect IN-TO-OUT-POLICY
  class type inspect P2P-PROTOCOL
    drop log
  class class-default
    drop log
  class type inspect HTTP-ACCESS
    inspect
    service-policy http HTTP-PORT-MISUSE-POLICY
  Also I am attaching the logs and 'show policy-map type inspect zone-pair IN-TO-OUT' output.
  Please help me out.
  Regards,
  Tony

  Hello Tony,
  Okay. I have seen on the last couple of days that because of how this protocols are being tunneled or jumping from one port to another, etc. Its pretty difficult to blok it with ZBFW.
  So instead of doing that I would like to check if we can block it with NBAR, can we give it a try ??? If yes, here is how
  class-map match-any p2p
  match protocol edonkey
  match protocol fasttrack
  match protocol gnutella
  match protocol kazaa2
  match protocol winmx
  match protocol skype
  match protocol cuseeme
  match protocol novadigm
  match protocol ssh
  match protocol irc
  policy-map P2P-DROP
  class p2p
  drop
  Apply the policy to the user-facing (incoming) interface.
  int xxxxx
  You can verify the status by doing:
  sh policy-map int xxx
  sh ip nbar protocol-discovery
  Let me know the result,
  Remembe to rate all of the helpful posts
  service-policy input P2P-DROP

• Denying all traffic on the inside unless specified

  Hi Is there a way to configure my asa5505 to dent all traffic on the inside so i can specify what ip or host  can access specific protocol or ports via access list? im thinking mabe i ned to set the inside security level to 0 also and then specify any ideas.

  Hi,
  Well it is pretty simple,
  You will have to use ACL and simply only allow the traffic you need to allow. Since the ACL automatically denies any traffic that isnt specifically permitted you dont really need any deny statements even.
  You cant make specific rules with the "security-level" alone and using an interface ACL basically makes the "security-level" useless for the most part.
  As soon as you configure an ACL like this for example
  access-list INSIDE-IN permit tcp any host 1.1.1.1 eq 80
  access-group INSIDE-IN in interface inside
  It will mean that only traffic that is allowed is TCP/80 traffic to destination IP address 1.1.1.1. All other traffic will be blocked because of the Implicit Deny in every ACL. It wont show in the CLI configuration. Naturally if you want you can always add the deny rule to the ACL to see the hitcount of traffic that has not matched the previous rules
  access-list INSIDE-IN permit tcp any host 1.1.1.1 eq 80
  access-list INSIDE-IN deny ip any any
  access-group INSIDE-IN in interface inside
  You will have to make sure that you dont block any essential services your users might need like usually HTTP, HTTPS, DNS for example. It really depends on what you are trying to achieve.
  - Jouni

• Howto block p2p traffic of clients connected to the same ssid on different wlc

  Hi all,
  I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?
  Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):
  ===
  Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
  A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
  ===
  Does anybody know what's the best practise to prevent this inter wlc client traffic? I already read about using acls on the wlc dynamic interfaces, or private vlans on the l2 switch vlans where the dynamic interfaces are connected to. Is it allowed to completely isolate the wlc from each other on these dynamic interfaces with acls or private vlans or do the wlc need to see each other on this interfaces (e.g. heart beat)?
  Many thanks in advance,
  Thorsten

  Hi Sasha,Thorsten
  The bug is Junked and I believe which is what you are running into with your tests:
  CSCtr60787    WLC P2P Blocking Set to Forward-UpStream Doesn't Work.
  Bugtoolkit : http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
  To answer your original query :
  ACL is only solution to block client communication on same ssid between 2 wlcs. 5508 works better with ACLs then 44xx platform.
  ARP requests will be forwarded to upstream router just like any other traffic. WLC won't proxy arp for clients on same vlan.
  Gateway arp's I believe should be handled by WLC . ( Don't quote me on this but I am pretty sure it is ) ..If it was not, then how would client know about gw ?
  Multicast traffic is not applicable for p2p.
  Your ACL can be as simple as this for the scenario :
  WLC 1 - clientvlan = 10
  WLC 2 - clientvlan = 10
  and you want to restrict users from wlc1-wlc1, wlc1-wlc2, wlc2-wlc2 for same vlan10.
  Basically in that case the ACL should look like on both WLCs :
  1. Permit statement to talk to gateway.
  2. Deny to subnet.
  3. Permit all.
  4. If DHCP/DNS other services are on same subnet then you would need to add a permit
  statement before the deny.
  5. Attach the ACL to SSID or dymanic interface.
  Thanks..Salil
  CSCtr60787    WLC P2P Blocking Set to Forward-UpStream Doesn't Work.

• Cisco RV042 Firewall Blocking LAN Traffic

  Hello Everyone,
  I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple servers running ESXi.  Intervlan routing is working fine on the current setup; however, I only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpretting).
  Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.
  Priority
  Enable
  Action
  Service
  Source
  Interface
  Source
  Destination
  Time
  Day
  Delete
  123
  Allow
  All Traffic [1]
  LAN
  10.10.21.1 ~ 10.10.21.31
  10.10.10.10 ~ 10.10.10.10
  Always
  123
  Allow
  All Traffic [1]
  LAN
  10.10.10.10 ~ 10.10.10.10
  10.10.21.1 ~ 10.10.21.31
  Always
  123
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN1
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN2
  Any
  Any
  Always

  I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 
  Below is a scrubbed copy of my switch configuration. 
  config-file-header
  SWITCH01
  v1.3.5.58 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode router
  vlan database
  vlan 2
  exit
  no bonjour enable
  hostname SWITCH01
  no logging console
  ip ssh server
  ip ssh password-auth
  clock timezone CEST +1
  interface vlan 1
  ip address 10.10.10.2 255.255.255.0
  no ip address dhcp
  interface vlan 2
  name VIRTUAL-MANAGEMENT
  ip address 10.10.21.1 255.255.255.224
  interface gigabitethernet1
  description ESXI01:VMNIC0:MGMT
  switchport trunk allowed vlan add 2
  interface gigabitethernet20
  description UPLINK
  exit
  ip route 0.0.0.0 /0 10.10.10.1 metric 15
  The routes I have defined is:
  Destination IP
  Subnet Mask
  Default Gateway
  Hop Count
  Interface
  10.10.21.0
  255.255.255.224
  10.10.10.2
  1
  eth0
  10.10.10.0
  255.255.255.0
  0
  eth0
  255.255.252.0
  0
  eth1
  239.0.0.0
  255.0.0.0
  0
  eth0
  default
  0.0.0.0
  40
  eth1
  Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

• ASA5505 - Blocking internal traffic between 2 servers

  Hi guys/ladies
  I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
  10.50.15.4 > fileserver
  10.50.15.5 > domain controller (exchange)
  10.50.15.6 > terminal server
  10.50.15.7 > terminal server
  Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
  2
  Oct 27 2012
  14:51:05
  106007
  10.50.15.6
  55978
  DNS
  Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
  What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
  Any idea why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
  Any help you can give would be great as this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

  Result of the command: "show cap asp | include 10.50.15.6"
    15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163
    16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
    17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
    25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
    27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
    28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138:  udp 237
    29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138:  udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
    30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule

• WSA blocking HTTPS traffic -allowing HTTP

  We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers.  The local network design is as follows:
  WLC5508 (Foreign)     >>     WLC5508 (Anchor)     >>     ACE20 Context     >>     WSA 170     >>     FWSM     >>     Internet
  Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
  Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
  ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
  HTTP traffic works fine, HTTPS traffic fails.  The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiates to use TLSv1 then the error below is shown.
  Fails
  57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
  1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
  I have seen this error posted before but no resolution.  I'm sure this is a config problem, but cannot figure why or where!
  Any ideas, thoughts or help would be great...
  Cheers

  Hi axa,
  This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled which would be required since your not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator
  Message was edited by: Erik Kaiser

• WRT610N Configuration: blocking all UDP connections

   Hi all,
  I am the disapointed owner of the WRT610N. I previously had a buffalo N routeur in the UK, which had no firmware update in 9 months, and plenty of spelling mistakes and problems (router hanging, needed to reset). I managed to refund it and I paid nearly 200 pounds for that WRT610n.
  I can see the potential of such router, but with that price range and the many problems, it is a complete failure. I noticed many people complaining exactly the same way about that router, which is simply too expensive for the amount of problems it is encountering.
  This is not about blindly giving a critic about that router which certainly has some strenghts and potential, but it has been overpriced for the problems in progress. It looks like a "beta".
  The latest firmware (1.10?) released early 2009 has corrected a few problems (ftp and USB stick works better, the "wifi protected setup" does turn off properly in 2.4ghz mode, etc...) but still some remains such as that "wifi protected setup" from hell that keep asking me the code on the 5GHZ frequency when I use my intel 4965agn with it, even when I turned that feature off in the router config.
  Anyway my current "problem" is I want to block the flatmate from using all UDP connections, simply because she floods the network with that. 
  But it does not seems to works at all: I went to access restriction, created and enabled one entry with her IP.
  Then, I created an application name (blockUDP) and port 1 to 59 999, then I added it to the right side (Blocked List).
  It does not seems to work as when I run a "wireshark" I can still see packets coming in/out of that IP address.
  Ideally i would also like her to use only basic internet (port 80) because she keeps downloading/uploading with no limits, and telling her to stop does not make her change. She pretends being not guilty and show advance signs of retardness. For example, we all complained about downloading, and this person gave the wireless password to her friends leaving nearby... Of course they are now blocked, password changed and she will never have it but...
  I understood to block from all (TCP, UDP...) from "1 to 79" and from "81 to 59999": Again it does not seems to work as in wireshark I see traffic.
  She only have 1 "nic", the wired cable. No wireless.
  Thanks in advance!

  To accomplish what you need will take more than this router can offer. I would recommned you use the QOS feature and make her last place even to ping another note to keep in mind is you might want to set her up on a static ip.
  Under Access restrictions is where i would be lookin to accomplish what you need. Just a little advice if you want her to have just port 80 access and possibly 443 if she access her email online most are secured.
  Now make sure the policy is enabled and also make sure that the spi firewall is enabled under the security tab. Also she might be running P2P software since i am not aware of to many desktop apps that use UDP as a protocol
  Also almost forgot to mention is wireshark will see all traffic originating internally so if her computer is broadcasting wireswhark will see it, what you need to pay attention too is if the router is actually forwarding her traffic threw it's WAN interface.