2911 zbfw problem

maciejdeb
wannabe
Posts: 61
Joined: 15 Apr 2006, 20:07

#1 Post by maciejdeb »

I have a very basic zone-based firewall configuration, but something doesn't work when I try to connect from out to in. What could be wrong? I don't know about in to out because I'm doing this remotely, but it probably doesn't work either.

Code:

class-map type inspect match-any classmap2
 match access-group 101
class-map type inspect match-any classmap1
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect policymap1
 class type inspect classmap1
  inspect
 class class-default
  drop log
policy-map type inspect policymap2
 class type inspect classmap2
  inspect
 class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect policymap1
zone-pair security out-to-in source outside destination inside
 service-policy type inspect policymap2


access-list 101 permit tcp any host 10.28.3.2 eq smtp
access-list 101 permit tcp any host 10.28.3.2 eq www
access-list 101 permit tcp any host 10.28.3.2 eq 443
access-list 101 permit tcp any host 10.28.24.2 eq 443
access-list 101 permit tcp any host 10.28.24.2 eq www
access-list 101 permit tcp any host 10.28.24.2 eq smtp
access-list 101 permit tcp any host 10.28.24.2 eq 987
access-list 101 permit tcp any host 10.28.24.2 eq 1723

mx_krzak
CCIE
Posts: 798
Joined: 18 Nov 2005, 00:19
Location: Wrocław

#2 Post by mx_krzak »

Perhaps describe which IP addresses you're having problems with and how you're trying to connect. The configuration looks correct, apart from the fact that you haven't shown whether you assigned the zones to interfaces. Does sh log show any drops?
With every fall we gain more experience.......it is not the fall that makes us losers, but the lack of will to get up....

maciejdeb
wannabe
Posts: 61
Joined: 15 Apr 2006, 20:07

#3 Post by maciejdeb »

I'm testing the connection to Outlook Web Access - it works OK until I put ZBFW on.
The zones are assigned correctly.

sh log shows something like this:
Sep 28 13:33:34: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x25B9AB34z reading 0xC
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9AB34z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9AB38z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9AB4Cz 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9D2BCz 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9D428z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9D434z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9D4ACz 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9D93Cz 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9DA70z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x2324B2CCz 0x25B95B98z 0x25B9DBC0z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z
Sep 28 13:33:34: %ALIGN-3-TRACE: -Traceback= 0x25B9DCD4z 0x25BA9EE8z 0x25BAA9C8z 0x2285529Cz 0x2286BBECz 0x21188204z 0x21189E64z 0x2118AF8Cz

dorvin
CCIE
Posts: 1688
Joined: 21 Jan 2008, 13:21
Location: Wrocław

#4 Post by dorvin »

That's not nice of it. Do these tracebacks appear every time you apply ZBFW, or is it a one-off? Basically, if they show up more often, TAC will probably be needed. Or swapping the software for a different one.

maciejdeb
wannabe
Posts: 61
Joined: 15 Apr 2006, 20:07

#5 Post by maciejdeb »

Problem solved: instead of applying the zone to the subinterfaces (VLANs), I had applied it only to the main interface...

Thanks for the help
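The mistake resolved above (zone on the physical interface, nothing on the VLAN subinterfaces that actually route the traffic) is easy to catch with a lint pass over the running-config, since ZBFW drops traffic between a zone member and an interface in no zone, and a subinterface does not inherit its parent's zone. The following is an added example, not code from the thread: a small Python checker run over a constructed config modelled on post #1. The interface section, the interface names and the WAN address are assumptions (the original post never showed them); it also checks that every zone a zone-pair references is defined and has at least one member.

```python
import re

# Constructed sample running-config modelled on the thread's post #1. The interface
# section is an assumption (not shown in the original post): the 'inside' zone sits on
# the physical trunk only, while the VLAN subinterfaces carrying the 10.28.x.0 networks
# have no zone-member line, which is the situation post #5 describes.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect policymap1
zone-pair security out-to-in source outside destination inside
 service-policy type inspect policymap2
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 zone-member security outside
!
interface GigabitEthernet0/1
 zone-member security inside
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 10.28.3.1 255.255.255.0
!
interface GigabitEthernet0/1.24
 encapsulation dot1Q 24
 ip address 10.28.24.1 255.255.255.0
!
"""

# The same config with the zone moved onto the subinterfaces (the fix from post #5).
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("interface GigabitEthernet0/1\n zone-member security inside\n",
             "interface GigabitEthernet0/1\n")
    .replace(" encapsulation dot1Q 3\n",
             " encapsulation dot1Q 3\n zone-member security inside\n")
    .replace(" encapsulation dot1Q 24\n",
             " encapsulation dot1Q 24\n zone-member security inside\n")
)


def parse_zbfw(config):
    """Return (zones, zone_pairs, interfaces) from IOS-style config text.

    interfaces maps interface name -> {"zone": str or None, "has_ip": bool}.
    """
    zones, pairs, interfaces = set(), [], {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # a top-level command ends any interface block
            current = None
            m = re.match(r"zone security (\S+)$", line)
            if m:
                zones.add(m.group(1))
                continue
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line)
            if m:
                pairs.append(m.groups())
                continue
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = m.group(1)
                interfaces[current] = {"zone": None, "has_ip": False}
            continue
        if current is None:
            continue
        sub = line.strip()
        m = re.match(r"zone-member security (\S+)$", sub)
        if m:
            interfaces[current]["zone"] = m.group(1)
        elif re.match(r"ip address \d", sub):
            interfaces[current]["has_ip"] = True
    return zones, pairs, interfaces


def audit(config):
    """Findings as tuples; an empty list means every check passed."""
    zones, pairs, interfaces = parse_zbfw(config)
    members = {}
    for name, info in interfaces.items():
        if info["zone"]:
            members.setdefault(info["zone"], []).append(name)
    findings = []
    for _name, src, dst in pairs:
        for z in (src, dst):
            if z not in zones:
                f = ("undefined-zone", z)
            elif z not in members:
                f = ("zone-without-members", z)       # the zone-pair can never match
            else:
                continue
            if f not in findings:
                findings.append(f)
    for name, info in interfaces.items():
        # Every routed interface needs its own zone-member line: ZBFW drops traffic
        # between a zoned and an unzoned interface, and subinterfaces do not inherit.
        if info["has_ip"] and info["zone"] is None:
            parent = name.split(".")[0] if "." in name else None
            parent_zone = interfaces.get(parent, {}).get("zone") if parent else None
            findings.append(("routed-interface-without-zone", name, parent_zone))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

The third element of a `routed-interface-without-zone` finding is the parent's zone, so the report points straight at the zone that should have been applied to the subinterface.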

maciejdeb
wannabe
Posts: 61
Joined: 15 Apr 2006, 20:07

#6 Post by maciejdeb »

Oct 4 09:49:42: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:50:27: %FW-6-DROP_PKT: Dropping tcp session 69.63.189.70:80 10.28.3.111:51275 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:51:15: %FW-6-DROP_PKT: Dropping tcp session 66.220.158.75:443 10.28.56.13:53542 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:51:53: %FW-6-DROP_PKT: Dropping tcp session 66.220.158.75:443 10.28.56.13:39885 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
oecl#
Oct 4 09:52:25: %FW-6-DROP_PKT: Dropping icmp session 194.190.130.33:0 10.28.3.65:0 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:53:00: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:53:43: %FW-6-DROP_PKT: Dropping icmp session 81.148.239.30:0 10.28.58.3:0 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:54:40: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:55:29: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:56:10: %FW-6-DROP_PKT: Dropping icmp session 216.6.121.70:0 10.28.3.40:0 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:57:08: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:57:57: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:58:31: %FW-6-DROP_PKT: Dropping tcp session 199.30.80.32:80 10.28.3.59:49737 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:59:08: %FW-6-DROP_PKT: Dropping tcp session 199.30.80.32:80 10.28.3.59:49809 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:59:40: %FW-6-DROP_PKT: Dropping tcp session 199.30.80.32:80 10.28.3.59:49846 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
oecl#
Oct 4 10:00:26: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
oecl#
Oct 4 10:01:04: %FW-6-DROP_PKT: Dropping icmp session 90.194.245.167:0 10.28.3.40:0 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 10:01:34: %FW-6-DROP_PKT: Dropping tcp session 93.184.220.20:80 10.28.3.87:49919 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 10:02:05: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 10:02:47: %FW-6-DROP_PKT: Dropping tcp session 93.184.220.20:80 10.28.3.87:49919 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 10:03:33: %FW-6-DROP_PKT: Dropping tcp session 66.220.158.76:80 10.28.3.41:49846 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0

I applied the above firewall last night; this morning I'm getting the above entries regularly (every minute). Is this normal? So far I haven't noticed it blocking anything, and nobody has reported anything to me - or maybe it's just a matter of time.
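Whether the steady stream of %FW-6-DROP_PKT lines above is normal is easier to judge once the drops are grouped rather than read one by one: on the out-to-in zone-pair, packets from a server port to a high client port that land in class-default are typically tail-end traffic of a flow the router had already inspected outbound and has since aged out (late FIN/RST, retransmits, UDP keepalives after the idle timeout), inbound ICMP to internal hosts is simply not in ACL 101, and the only drops that deserve a second look are those towards a host and port ACL 101 deliberately publishes. The following is an added example, not code from the thread: a Python triage script over the drop lines copied from the post above (router prompt lines left out); the category names and the triage rules are this example's own.

```python
import re
from collections import Counter

# Drop-log lines copied from the post above (the "oecl#" prompt lines left out).
LOG = """\
Oct 4 09:49:42: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:50:27: %FW-6-DROP_PKT: Dropping tcp session 69.63.189.70:80 10.28.3.111:51275 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:51:15: %FW-6-DROP_PKT: Dropping tcp session 66.220.158.75:443 10.28.56.13:53542 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:52:25: %FW-6-DROP_PKT: Dropping icmp session 194.190.130.33:0 10.28.3.65:0 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:53:00: %FW-6-DROP_PKT: Dropping udp session 72.246.184.10:3478 10.28.20.2:65284 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
Oct 4 09:58:31: %FW-6-DROP_PKT: Dropping tcp session 199.30.80.32:80 10.28.3.59:49737 on zone-pair out-to-in class class-default due to DROP action found in policy-map with ip ident 0
"""

# Services that ACL 101 in post #1 deliberately exposes. A drop towards one of these
# is the kind that would mean a published service really is being blocked.
PUBLISHED = {
    ("10.28.3.2", 25), ("10.28.3.2", 80), ("10.28.3.2", 443),
    ("10.28.24.2", 25), ("10.28.24.2", 80), ("10.28.24.2", 443),
    ("10.28.24.2", 987), ("10.28.24.2", 1723),
}

DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<pair>\S+) class (?P<cls>\S+)"
)


def parse_drops(log):
    """Turn %FW-6-DROP_PKT lines into dicts; lines that don't match are skipped."""
    drops = []
    for line in log.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        drops.append(d)
    return drops


def classify(d):
    """Rough triage label for one drop (rules are this example's own)."""
    if (d["dst"], d["dport"]) in PUBLISHED:
        return "blocked-published-service"
    if d["proto"] == "icmp":
        return "inbound-icmp"
    if d["dport"] >= 1024:
        # Server -> client-ephemeral-port packets hitting class-default on out-to-in
        # usually belong to a flow the router already inspected outbound and has since
        # aged out (late FIN/RST, retransmits, UDP keepalives after the idle timeout).
        return "reply-to-ephemeral-port"
    return "unsolicited-inbound"


def summarize(log):
    """Counts per category, the drops worth checking, and flows that keep repeating."""
    drops = parse_drops(log)
    flows = Counter((d["proto"], d["src"], d["sport"], d["dst"], d["dport"]) for d in drops)
    return {
        "total": len(drops),
        "categories": Counter(classify(d) for d in drops),
        "blocked_published": [d for d in drops if classify(d) == "blocked-published-service"],
        "repeated": [(flow, n) for flow, n in flows.most_common() if n > 1],
    }


if __name__ == "__main__":
    s = summarize(LOG)
    print(f"{s['total']} drops: {dict(s['categories'])}")
    for flow, n in s["repeated"]:
        print(f"  repeated x{n}: {flow}")
    for d in s["blocked_published"]:
        print(f"  CHECK: {d['proto']} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']}")
```

Run against the lines from the post, the script reports no drops towards a published service and one flow that repeats (the UDP 3478 packets to 10.28.20.2:65284), which is what the "every minute" pattern in the question looks like when aggregated; a non-empty `blocked_published` list is the case that would justify revisiting ACL 101 or classmap2.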
