Problem firewall Cisco 836

  • Problem firewall Cisco 836

    Hello,

    I'm using a Cisco 836 modem to connect to the internet.
    Everything is working fine (internet, incoming mail, outgoing mail), except displaying IP cameras within software.

    When using the same software in another network, it's working.

    The cameras are IP cameras, which are located elsewhere and are directly connected to the internet through different ports (80, 81, 8081, 8082, etc.).

    When viewing the camera in Internet Explorer everything is working, only not in the software.

    I think the Cisco modem is blocking something, but I cannot find where.

    Can someone please help me?

    Best regards,
    Joost Lauwen

  • #2
    Re: Problem firewall Cisco 836

    Are you using CBAC or a zone-based firewall? Please post a sanitized config.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Problem firewall Cisco 836

      Code:
      Building configuration...
      Current configuration : 6211 bytes
      !
      version 12.3
      no service pad
      service tcp-keepalives-in
      service tcp-keepalives-out
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      service password-encryption
      service sequence-numbers
      !
      hostname Cisco-836
      !
      boot-start-marker
      boot-end-marker
      !
      security authentication failure rate 3 log
      security passwords min-length 6
      logging buffered 51200 debugging
      logging console critical
      enable secret 5 ***
      !
      clock timezone PCTime 1
      clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
      aaa new-model
      !
      !
      aaa authentication login default local
      aaa authentication login sdm_vpn_xauth_ml_1 local
      aaa authorization exec default local 
      aaa authorization network sdm_vpn_group_ml_1 local 
      aaa authorization network sdm_vpn_group_ml_2 local 
      aaa session-id common
      ip subnet-zero
      no ip source-route
      ip dhcp excluded-address 10.10.10.1 10.10.10.99
      ip dhcp excluded-address 10.10.10.200 10.10.10.254
      !
      ip dhcp pool sdm-pool1
         import all
         network 10.10.10.0 255.255.255.0
         dns-server 8.8.8.8 8.8.4.4 
         default-router 10.10.10.1 
      !
      !
      ip tcp synwait-time 10
      ip domain name yourdomain.com
      ip name-server 8.8.8.8
      ip name-server 8.8.4.4
      no ip bootp server
      ip cef
      ip inspect name SDM_LOW cuseeme
      ip inspect name SDM_LOW ftp
      ip inspect name SDM_LOW h323
      ip inspect name SDM_LOW icmp
      ip inspect name SDM_LOW netshow
      ip inspect name SDM_LOW rcmd
      ip inspect name SDM_LOW realaudio
      ip inspect name SDM_LOW rtsp
      ip inspect name SDM_LOW esmtp
      ip inspect name SDM_LOW sqlnet
      ip inspect name SDM_LOW streamworks
      ip inspect name SDM_LOW tftp
      ip inspect name SDM_LOW tcp
      ip inspect name SDM_LOW udp
      ip inspect name SDM_LOW vdolive
      ip ips po max-events 100
      ip ssh time-out 60
      ip ssh authentication-retries 2
      ip port-map pop3 port 110 list 2
      no ftp-server write-enable
      !
      !
      username Admin privilege 15 secret 5 ***
      !
      ! 
      crypto isakmp xauth timeout 15
      !
      !
      !
      interface Ethernet0
       description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
       ip address 10.10.10.1 255.255.255.0
       ip access-group 100 in
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip nat inside
       ip virtual-reassembly
       ip route-cache flow
       no cdp enable
      !
      interface BRI0
       no ip address
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip route-cache flow
       shutdown
       no cdp enable
      !
      interface ATM0
       no ip address
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip route-cache flow
       no atm ilmi-keepalive
       dsl operating-mode auto
      !
      interface ATM0.1 point-to-point
       description $ES_WAN$$FW_OUTSIDE$
       pvc 8/48 
        encapsulation aal5mux ppp dialer
        dialer pool-member 1
       !
      !
      interface FastEthernet1
       no ip address
       duplex auto
       speed auto
      !
      interface FastEthernet2
       no ip address
       duplex auto
       speed auto
      !
      interface FastEthernet3
       no ip address
       duplex auto
       speed auto
      !
      interface FastEthernet4
       no ip address
       duplex auto
       speed auto
      !
      interface Dialer0
       description $FW_OUTSIDE$
       ip address negotiated
       ip access-group 120 in
       no ip redirects
       no ip unreachables
       no ip proxy-arp
       ip nat outside
       ip inspect SDM_LOW out
       ip virtual-reassembly
       encapsulation ppp
       ip route-cache flow
       dialer pool 1
       dialer-group 1
       ppp authentication chap pap callin
       ppp chap hostname ***
       ppp chap password 7 002F2328
       ppp pap sent-username *** password 7 ***
      !
      ip local pool SDM_POOL_1 10.10.10.51 10.10.10.100
      ip classless
      ip route 0.0.0.0 0.0.0.0 Dialer0
      ip http server
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 5 life 86400 requests 10000
      ip nat inside source static tcp 10.10.10.10 3389 interface Dialer0 3389
      ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
      ip nat inside source static tcp 10.10.10.10 110 interface Dialer0 110
      !
      !
      logging trap debugging
      access-list 1 remark INSIDE_IF=Ethernet0
      access-list 1 remark SDM_ACL Category=2
      access-list 1 permit 10.10.10.0 0.0.0.255
      access-list 100 remark auto generated by SDM firewall configuration
      access-list 100 remark SDM_ACL Category=1
      access-list 100 deny   ip host 255.255.255.255 any
      access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
      access-list 100 permit ip any any
      access-list 102 remark CCP_ACL Category=2
      access-list 102 permit ip 10.10.10.0 0.0.0.255 any
      access-list 120 remark Inbound external interface 
      access-list 120 remark CCP_ACL Category=17
      access-list 120 permit udp host 8.8.4.4 eq domain any
      access-list 120 permit udp host 8.8.8.8 eq domain any
      access-list 120 remark The below set the rfc1918 private exclusions 
      access-list 120 deny   ip 192.168.0.0 0.0.255.255 any
      access-list 120 deny   ip 172.16.0.0 0.15.255.255 any
      access-list 120 deny   ip 10.0.0.0 0.255.255.255 any
      access-list 120 remark Allow established sessions back in 
      access-list 120 permit tcp any any established
      access-list 120 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
      access-list 120 permit tcp any any eq pop3
      access-list 120 permit tcp any any eq smtp
      access-list 120 permit tcp any any eq www
      access-list 120 permit tcp any any eq 3389
      access-list 120 permit tcp any any eq 22 log
      access-list 120 permit tcp any any eq ftp
      access-list 120 permit tcp any any eq ftp-data
      access-list 120 remark Passive FTP ports matching vsftpd config 
      access-list 120 permit tcp any any range 50000 50050
      access-list 120 permit gre any any
      access-list 120 permit udp any eq domain any
      access-list 120 remark Standard acceptable icmp rules 
      access-list 120 permit icmp any any echo
      access-list 120 permit icmp any any echo-reply
      access-list 120 permit icmp any any source-quench
      access-list 120 permit icmp any any packet-too-big
      access-list 120 permit icmp any any time-exceeded
      access-list 120 deny   ip any any
      dialer-list 1 protocol ip permit
      no cdp run
      route-map SDM_RMAP_2 permit 1
       match ip address 102
      !
      !
      control-plane
      !
      banner login ^CCAuthorized access only!
       Disconnect IMMEDIATELY if you are not an authorized user!^C
      !
      line con 0
       no modem enable
       transport output telnet
      line aux 0
       transport output telnet
      line vty 0 4
       transport input telnet ssh
      !
      scheduler max-task-time 5000
      scheduler interval 500
      !
      end



      • #4
        Re: Problem firewall Cisco 836

        From your config you are running CBAC. I assume when connecting to these cameras with the browser it is over port 80. From the inside network to the outside, this session is being inspected by CBAC and the return traffic is allowed back through based on a connection existing in the firewall state table.

        show ip inspect sessions


        Is the camera software itself using some different ports? If so, what ports is it using? You can add custom ports to CBAC and ZBPF using ip port-map commands. If the firewall is dropping the packets you can use the command:

        ip inspect log drop-pkt

        to see if CBAC is indeed dropping the traffic. I would log this to the buffer or to syslog, as if you log this to the console you may get locked out if there are a lot of drops.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Problem firewall Cisco 836

          I have 4 cameras. They are all using a different port: 80, 8080, 8081, 8082.

          The software is using the same address as we use in Internet Browser.
          For example: http://ipaddress:8080



          • #6
            Re: Problem firewall Cisco 836

            When you try to connect with the software do you see the connection in the state table?


            show ip inspect sessions


            Also, from looking at your dialer interface (the internet-facing interface) I don't see an ACL inbound from the outside. CBAC requires that ACL in order to do the inspection, even if it's a deny any.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Problem firewall Cisco 836

              When using the
              Code:
              show ip inspect session
              line, I see the connection to the 2 cameras defined in the table.

              Code:
              Session 81C0ACC0 <10.10.10.100:49380>=><31.161.117.*:8081> tcp SIS_OPEN
              and
              Code:
              Session 81C0FDC0 <10.10.10.100:49379>=><188.204.130.*:80> tcp SIS_OPEN
              I replaced the last digit of the address with * for security reasons.



              • #8
                Re: Problem firewall Cisco 836

                Well the tcp session is getting established. What do you see from the software client? Anything? Also did you log the drops? Did you add the ACL inbound to the outside interface?



                ip inspect log drp-pkt
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: Problem firewall Cisco 836

                  The software is not showing anything.

                  The log cannot be shown when using the command
                  Code:
                  ip inspect log drp-pkt

                  Can you tell me how I set up the inbound ACL?



                  • #10
                    Re: Problem firewall Cisco 836

                    Are you logging to the buffer?

                    logging buffered 5

                    show log

                    CBAC requires the ACL coming inbound on the outside interface.

                    Example:

                    ip access-list extended CBAC_OUTSIDE_IN
                     deny ip any any
                    !
                    interface Dialer0
                     ip access-group CBAC_OUTSIDE_IN in




                    This ACL will deny any traffic initiated from the outside to the inside. If a session already exists in the firewall's state table (initiated from inside to outside and inspected with CBAC), then the return traffic will be permitted through, as the return flow is part of an existing flow in the state table. IOS firewall (and the ASA) first checks the state table for a valid session, and if one exists then the traffic is permitted, effectively bypassing the ACL. If you are hosting servers internally you will need to add exceptions manually in this ACL.
                    Last edited by auglan; 4th July 2012, 13:06.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)
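As an added illustration of the state-table-first evaluation described in #4 and #10 (example code written for this page, not from the thread or from Cisco): a small Python model that parses output in the format of the `show ip inspect sessions` lines quoted in #7 and then evaluates inbound packets on Dialer0 against an abridged version of the posted access-list 120. The session addresses, the WAN address 198.51.100.2 and the outside hosts are constructed, and NAT translation is ignored, so packets are matched on the inside address exactly as the state table shows it.

```python
import ipaddress
import re

# Constructed sample in the format of the "show ip inspect sessions" output quoted in
# the thread (the masked last octets are replaced with constructed values).
SESSIONS_OUTPUT = """\
Session 81C0ACC0 <10.10.10.100:49380>=><31.161.117.5:8081> tcp SIS_OPEN
Session 81C0FDC0 <10.10.10.100:49379>=><188.204.130.9:80> tcp SIS_OPEN
"""
SESSION_RE = re.compile(r"<([\d.]+):(\d+)>=><([\d.]+):(\d+)> (\w+) (\w+)")

def parse_sessions(text):
    """Open CBAC sessions as (proto, inside_ip, inside_port, outside_ip, outside_port)."""
    return {(p, si, int(sp), di, int(dp))
            for si, sp, di, dp, p, st in SESSION_RE.findall(text) if st == "SIS_OPEN"}

# Abridged model of access-list 120 from the posted config, in its original order:
# (action, proto, source network, destination port or None for any, needs ACK bit)
ACL_120 = [
    ("deny", "ip", "192.168.0.0/16", None, False),
    ("deny", "ip", "172.16.0.0/12", None, False),
    ("deny", "ip", "10.0.0.0/8", None, False),
    ("permit", "tcp", "0.0.0.0/0", None, True),   # permit tcp any any established
    ("permit", "tcp", "0.0.0.0/0", 110, False),   # permit tcp any any eq pop3
    ("permit", "tcp", "0.0.0.0/0", 80, False),    # permit tcp any any eq www
    ("permit", "tcp", "0.0.0.0/0", 3389, False),  # permit tcp any any eq 3389
    ("deny", "ip", "0.0.0.0/0", None, False),     # deny ip any any
]

def inbound_decision(pkt, state_table, acl=ACL_120):
    """Decide an inbound packet on Dialer0. The CBAC state table is consulted first, so
    return traffic of an inspected session is permitted before the ACL is walked.
    pkt = (proto, src_ip, src_port, dst_ip, dst_port, ack_bit_set)."""
    proto, sip, sport, dip, dport, ack = pkt
    if (proto, dip, dport, sip, sport) in state_table:   # reverse of the stored tuple
        return "permit (state table)"
    for action, aproto, net, port, established in acl:  # first matching entry wins
        if aproto != "ip" and aproto != proto:
            continue
        if ipaddress.ip_address(sip) not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dport:
            continue
        if established and not ack:
            continue
        return f"{action} (acl)"
    return "deny (implicit)"
```

Note that the posted ACL's `permit tcp any any established` admits any inbound segment with the ACK bit set even when CBAC holds no session for it, so a SYN-ACK from an unknown host is permitted by the ACL rather than by the state table.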

