Re: Re: class-map on border router for virus

From: Sam Munzani (sam@xxxxxxxxxxx)
Date: Wed Nov 14 2001 - 12:33:17 GMT-3


   
Now a trick question: does "ip cef" work with "ip inspect"? I seem to have a
problem with inbound SMTP traffic when "ip cef" is turned on. The router is
configured with the firewall IOS using "ip inspect".

Sam

> Hello, All
>
> Pls share the newest class-map match-any http-hacks.
>
>
> Thanks and Best regards//Jiang Ling
>
> >From: "Brad Ellis" <bellis@ccbootcamp.com>
> >To: "Przemyslaw Karwasiecki" <karwas@ifxcorp.com>,
> > "Martin, Chris"
> > <chris@pacinter.net>, <ccielab@groupstudy.com>
> >Cc: "Jeff K." <jeffbk@austin.rr.com>
> >Subject: Re: class-map on border router for virus
> >Date: Wed, 19 Sep 2001 02:26:55 -0400
> >Organization: Network Learning Inc
> >X-Mailer: Microsoft Outlook Express 5.50.4807.1700
> >Sender: nobody@groupstudy.com
> >Reply-To: "Brad Ellis" <bellis@ccbootcamp.com>
> >
> >Here's my working config (with thanks to John Kaberna and Chris Martin) on a
> >2610 router:
> >
> >
> >ip cef
> >
> >class-map match-any http-hacks
> > match protocol http url "*default.ida*"
> > match protocol http url "*x.ida*"
> > match protocol http url "*.ida*"
> > match protocol http url "*cmd.exe*"
> > match protocol http url "*root.exe*"
> > match protocol http url "*_vti_bin*"
> > match protocol http url "*_mem_bin*"
> > match protocol http mime "*readme.exe*"
> > match protocol http mime "*readme.eml*"
> >
> >policy-map mark-inbound-http-hacks
> > class http-hacks
> > set ip dscp 1
> >
> >interface Serial0/0
> > ip access-group 101 in
> > service-policy input mark-inbound-http-hacks
> >
> >interface Ethernet0/0
> > ip access-group 101 out
> >
> >access-list 101 deny ip any any dscp 1 log
> >access-list 101 permit ip any any
> >
> >thanks,
> >-Brad Ellis
> >CCIE#5796
> >Network Learning Inc
> >bellis@optsys.net
> >used Cisco: www.optsys.net
> >
> >----- Original Message -----
> >From: "Przemyslaw Karwasiecki" <karwas@ifxcorp.com>
> >To: "Przemyslaw Karwasiecki" <karwas@ifxcorp.com>; "Martin, Chris"
> ><chris@pacinter.net>; <ccielab@groupstudy.com>
> >Cc: "Jeff K." <jeffbk@austin.rr.com>
> >Sent: Wednesday, September 19, 2001 1:18 AM
> >Subject: RE: class-map on border router for virus
> >
> >
> > > Answering my own post:
> > >
> > > ACL needs to be applied on egress, and be "out"
> > >
> > > Now I have it working!
> > >
> > > Przemek
> > >
> > > -----Original Message-----
> > > From: Przemyslaw Karwasiecki [mailto:karwas@ifxcorp.com]
> > > Sent: Wednesday, September 19, 2001 12:48 AM
> > > To: Martin, Chris; ccielab@groupstudy.com
> > > Cc: Jeff K.
> > > Subject: RE: class-map on border router for virus
> > >
> > >
> > > Hi Chris,
> > >
> > > In my case classification policy seems to work:
> > >
> > > USMIANOC3662x1#sh policy-map interface Serial1/0:0
> > > (... snip ...)
> > > QoS Set
> > > ip dscp 1
> > > Packets marked 1539
> > > (... snip ...)
> > >
> > > But for some unexplained reason access list applied to the
> > > same interface doesn't:
> > >
> > > USMIANOC3662x1#sh access-lists 102
> > > Extended IP access list 102
> > > deny ip any any dscp 1 log
> > > permit ip any any (226583 matches)
> > > USMIANOC3662x1#
> > >
> > >
> > > Any ideas why?
> > >
> > > Przemek
> > >
> > > PS.
> > > Oops, I've forgotten IOS ver:
> > > USMIANOC3662x1#sh ver
> > > Cisco Internetwork Operating System Software
> > > IOS (tm) 3600 Software (C3660-P-M), Version 12.2(2)T, RELEASE SOFTWARE (fc1)
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > Martin, Chris
> > > Sent: Tuesday, September 18, 2001 6:31 PM
> > > To: ccielab@groupstudy.com
> > > Cc: Jeff K.
> > > Subject: class-map on border router for virus
> > >
> > >
> > > Hi Group:
> > > As we all know there has been much discussion on the current virus
> > > floating around. I have a class-map statement on my border router that seems
> > > to be doing the trick, from what my sniffer tells me. Anyway, try it out and
> > > see if it works for you, if you have anything to add, please email me so that
> > > I may benefit from your findings as well:
> > >
> > > class-map match-any http-hacks
> > > match protocol http url "*default.ida*"
> > > match protocol http url "*x.ida*"
> > > match protocol http url "*.ida*"
> > > match protocol http url "*cmd.exe*"
> > > match protocol http url "*root.exe*"
> > > match protocol http url "*_vti_bin*"
> > > match protocol http url "*_mem_bin*"
> > > match protocol http mime "*readme.exe*"
> > > match protocol http mime "*readme.eml*"
> > >
> > >
> > > policy-map mark-inbound-http-hacks
> > > class http-hacks
> > > set ip dscp 1
> > >
> > > int ser 1/1
> > > ip access-group 110 in
> > >
> > >
> > > access-list 110 deny ip any any dscp 1 log
> > > access-list 110 permit ip any any
> > > **Please read:http://www.groupstudy.com/list/posting.html
> Name: Jiang Ling
> System Engineer
> EC-NSP team
> Tel No. 0086-21-53966161x4547
> Mobile: 13701808109
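The thread above shows two things worth seeing side by side: the NBAR class-map that marks Code Red/Nimda-style HTTP requests with DSCP 1, and Przemek's finding that the "deny ip any any dscp 1" ACL only drops anything when applied outbound. The following script is an added example written for this archive page, not code from any poster or from Cisco. It models the mark-then-filter pipeline in Python: the class-map patterns are copied from the thread, `fnmatch` globbing is an assumption about how the `match protocol http url` wildcards behave, and the ordering (inbound ACL evaluated before the input service-policy marks, egress ACL after) reproduces what the thread observed rather than quoting Cisco documentation. The sample requests are constructed, not captured traffic.

```python
"""Model of the mark-then-drop scheme from the groupstudy thread.

Added example, not a Cisco tool. Assumptions: NBAR 'url'/'mime' wildcards are
approximated with fnmatch globs, and packet ordering follows the thread's
observation (inbound ACL sees dscp 0, outbound ACL sees dscp 1).
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Patterns copied verbatim from "class-map match-any http-hacks" in the thread.
URL_PATTERNS = ["*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*",
                "*root.exe*", "*_vti_bin*", "*_mem_bin*"]
MIME_PATTERNS = ["*readme.exe*", "*readme.eml*"]


@dataclass
class Packet:
    url: str            # request path as NBAR would see it
    mime: str = ""      # MIME type / attachment name in a response, if any
    dscp: int = 0       # IP DSCP value; 0 = unmarked


def class_http_hacks(pkt: Packet) -> bool:
    """class-map match-any: any single URL or MIME pattern hit classifies."""
    return (any(fnmatchcase(pkt.url, p) for p in URL_PATTERNS)
            or any(fnmatchcase(pkt.mime, p) for p in MIME_PATTERNS))


def policy_mark_inbound_http_hacks(pkt: Packet) -> Packet:
    """policy-map mark-inbound-http-hacks: 'set ip dscp 1' on the class."""
    if class_http_hacks(pkt):
        pkt.dscp = 1
    return pkt


def acl_101(pkt: Packet) -> str:
    """access-list 101: deny ip any any dscp 1 log / permit ip any any."""
    return "deny" if pkt.dscp == 1 else "permit"


def forward(pkt: Packet, acl_direction: str) -> str:
    """Walk one packet through the router as the thread observed it.

    With the ACL inbound it is evaluated before the input service-policy
    marks, so it only ever sees dscp 0 and permits everything (Przemek's
    zero-match ACL). With the ACL outbound the mark is already set.
    """
    if acl_direction == "in":
        verdict = acl_101(pkt)              # dscp still 0 here: always permit
        policy_mark_inbound_http_hacks(pkt)  # marking happens too late
        return verdict
    policy_mark_inbound_http_hacks(pkt)
    return acl_101(pkt)                     # egress ACL sees dscp 1


# Constructed sample requests (not captured traffic): two worm-style probes,
# one ordinary page, one ordinary page carrying a readme.eml attachment.
SAMPLE = [
    Packet(url="/default.ida"),
    Packet(url="/scripts/root.exe"),
    Packet(url="/index.html"),
    Packet(url="/index.html", mime="readme.eml"),
]


def tally(acl_direction: str) -> list:
    """Verdict for each sample packet with the ACL applied in or out."""
    return [forward(Packet(p.url, p.mime), acl_direction) for p in SAMPLE]


def subsumed_url_patterns() -> list:
    """URL patterns already covered by a broader pattern in the same class-map
    ('*.ida*' alone matches everything '*default.ida*' and '*x.ida*' would)."""
    return [p for p in URL_PATTERNS
            if any(q != p and fnmatchcase(p, q) for q in URL_PATTERNS)]


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"ACL applied {direction}:", tally(direction))
    print("redundant URL patterns:", subsumed_url_patterns())
```

Running it shows all four packets permitted with the ACL inbound and the three classified ones denied only when the ACL is outbound, which is exactly the behaviour that led Przemek to move the ACL to "out". The last function is a small sanity check on the class-map itself: because the match is `match-any`, the `*.ida*` entry makes the two narrower `.ida` patterns redundant, so trimming them changes nothing about what gets marked.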



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:15 GMT-3