Hi Federico,
Thank you very much... I tried your scenario, where R2 is performing
CBAC HTTP inspection and R3 is initiating a session to R1, and where on R1 the HTTP
server is disabled (no ip http server). The inspection rule was applied on the R2
interface facing toward R1 in the outbound direction. On the R2 interface facing
R3, an inbound access-list is configured to allow all TCP traffic. On the R2
interface facing toward R1, an inbound extended ACL is applied to deny all
TCP traffic.
Increased the R3 tcp synwait-time to 300 seconds, which is higher than the ip inspect
tcp synwait-time default of 30 seconds.
Enabled audit-trail on R2 and debug ip inspect tcp. Got the below message:
*Mar 1 00:32:27.671: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.1.1.6:32812) -- responder (10.1.1.1:80)
*Mar 1 00:32:27.671: FIREWALL sis 658EB810 pak 655CE9A0 SIS_CLOSED/LISTEN TCP SYN SEQ 694001311 LEN 0 (10.1.1.6:32812) => (10.1.1.1:80)
*Mar 1 00:32:27.775: FIREWALL sis 658EB810 pak 65226C74 SIS_OPENING/SYNSENT TCP RST ACK 694001312 SEQ 0 LEN 0 (10.1.1.1:80) <= (10.1.1.6:32812)
*Mar 1 00:32:27.775: FIREWALL sis 658EB810 http L7 inspect result: PASS packet
*Mar 1 00:32:32.775: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.1.1.6:32812) sent 0 bytes -- responder (10.1.1.1:80) sent 0 bytes
From the above it seems that R1 immediately sends back a TCP RST ACK packet to
R3 and so the connection was disconnected. In that case I would assume that
"ip inspect tcp synwait-time" will not even kick off to see what messages the
router sends, assuming the three-way TCP session was not established before
the synwait-timeout. Is my understanding right, or am I missing
something? Kindly let me know.
Thanks for the help
Regards
Anantha Subramanian Natarajan
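As an added example (not from the thread, and not Cisco's code), a small Python parser that replays audit-trail and debug ip inspect tcp lines like the ones above and separates the two endings the thread is debating: a responder RST that closes the session long before synwait-time matters, versus a SYN that is never answered and is aged out by CBAC at synwait-time. The sample log is constructed: the port 32812 session is the capture above re-joined, the port 32813 session is invented, and the reading of the left address as the packet's sender with "=>" meaning initiator-to-responder is an assumption taken from the two quoted packet lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the debug lines quoted above: port 32812 is that capture
# re-joined; port 32813 (no reply at all, torn down after 30 s) is invented for contrast.
SAMPLE_LOG = """\
*Mar 1 00:32:27.671: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.1.1.6:32812) -- responder (10.1.1.1:80)
*Mar 1 00:32:27.671: FIREWALL sis 658EB810 pak 655CE9A0 SIS_CLOSED/LISTEN TCP SYN SEQ 694001311 LEN 0 (10.1.1.6:32812) => (10.1.1.1:80)
*Mar 1 00:32:27.775: FIREWALL sis 658EB810 pak 65226C74 SIS_OPENING/SYNSENT TCP RST ACK 694001312 SEQ 0 LEN 0 (10.1.1.1:80) <= (10.1.1.6:32812)
*Mar 1 00:32:32.775: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.1.1.6:32812) sent 0 bytes -- responder (10.1.1.1:80) sent 0 bytes
*Mar 1 00:33:00.000: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (10.1.1.6:32813) -- responder (10.1.1.1:80)
*Mar 1 00:33:00.000: FIREWALL sis 658EB900 pak 655CEA00 SIS_CLOSED/LISTEN TCP SYN SEQ 700000001 LEN 0 (10.1.1.6:32813) => (10.1.1.1:80)
*Mar 1 00:33:30.000: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (10.1.1.6:32813) sent 0 bytes -- responder (10.1.1.1:80) sent 0 bytes
"""
SYNWAIT_DEFAULT = timedelta(seconds=30)  # "ip inspect tcp synwait-time" default cited in the thread
TS_RE = re.compile(r"^\*?([A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
END_RE = re.compile(r"%FW-6-SESS_AUDIT_TRAIL(_START)?: \w+ \w+ session: initiator \(([\d.:]+)\).*responder \(([\d.:]+)\)")
PKT_RE = re.compile(r"FIREWALL sis \w+ pak \w+ \S+ TCP ((?:(?:SYN|ACK|RST|FIN|PSH|URG) )+).*\(([\d.:]+)\) (=>|<=) \(([\d.:]+)\)$")

def parse_log(text):
    """Group Start/Stop audit-trail and packet debug lines into sessions keyed by (initiator, responder)."""
    sessions = {}
    for line in text.splitlines():
        if not (m := TS_RE.match(line)):
            continue  # no IOS timestamp, not a log line we care about
        ts = datetime.strptime(re.sub(r"\s+", " ", m[1]), "%b %d %H:%M:%S.%f")
        e, p = END_RE.search(m[2]), PKT_RE.search(m[2])
        if e:
            s = sessions.setdefault((e[2], e[3]), {"start": None, "stop": None, "resp_flags": set()})
            s["start" if e[1] else "stop"] = ts
        elif p:  # assumption read off the two quoted lines: the left address is the packet's
            sender, arrow, other = p[2], p[3], p[4]  # sender; "=>" initiator->responder, "<=" back
            key = (sender, other) if arrow == "=>" else (other, sender)
            s = sessions.setdefault(key, {"start": None, "stop": None, "resp_flags": set()})
            if sender == key[1]:
                s["resp_flags"].update(p[1].split())
    return sessions

def classify(s, synwait=SYNWAIT_DEFAULT):
    """Was the session refused by a RST (synwait never fires) or aged out by CBAC as half-open?"""
    if "RST" in s["resp_flags"] and "SYN" not in s["resp_flags"]:
        return "refused-by-rst"
    if "SYN" in s["resp_flags"]:
        return "established"
    if s["start"] and s["stop"] and s["stop"] - s["start"] >= synwait:
        return "synwait-expired"
    return "incomplete"

def analyse(text=SAMPLE_LOG):
    # Map each (initiator, responder) key to (lifetime in seconds, verdict).
    return {k: ((s["stop"] - s["start"]).total_seconds() if s["start"] and s["stop"] else None,
                classify(s)) for k, s in parse_log(text).items()}
```

The 32812 session is gone after about five seconds with a RST from the responder, so the synwait timer is never the reason it closed; only a session that reaches the full 30 seconds with nothing back from the responder is a synwait expiry.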
On Mon, Sep 7, 2009 at 2:29 AM, Federico Cossu
<federico.cossu_at_gmail.com> wrote:
> I think you can test it easily with dynamips on a scenario like this
>
> R1 <----> R2 <----> R3
>
> apply CBAC on R2 looking for http connections coming from R3 towards R1,
> on R3 increase the tcp synwait time to something larger than the CBAC
> timeout for tcp port 80,
>
> on R1 http server is disabled, start telnetting R1:80 and capture the
> traffic on both R2 interfaces.
> see what happens as soon as the CBAC SYN timeout expires.
>
> /R
>
>
>
> 2009/9/7 Jacob Uecker <juecker_at_ccbootcamp.com>
>
>> Yersinia is perfect for this! I've always liked to use hping to spoof
>> packets, but anything along that line works. I guess you could create a
>> static route so that the SYN-ACK isn't received by the original sender.
>> An ACL would also work.
>>
>>
>>
>> Thanks,
>>
>> Jacob Uecker
>> CCIE# 24481
>>
>> Development Engineer
>> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
>> Toll Free: 877-654-2243
>> International: +1-702-968-5100
>> Skype: skype:ccbootcamp?call
>> FAX: +1-702-446-8012
>>
>> YES! We take Cisco Learning Credits!
>> Training And Remote Racks: http://www.ccbootcamp.com
>>
>> ________________________________
>>
>> From: Scott M Vermillion [mailto:scott_ccie_list_at_it-ag.com]
>> Sent: Sun 9/6/2009 8:55 PM
>> To: Jacob Uecker
>> Cc: Anantha Subramanian Natarajan; Cisco certification
>> Subject: Re: CBAC
>>
>>
>> Hi Jacob,
>>
>> Yes, there are likely many ways to check -- assuming you can create the
>> half-open scenario for IOS to react to in the first place. Any thoughts
>> there? Yersinia or something along that line?
>>
>> Regards,
>>
>> Scott
>>
>> On Sep 6, 2009, at 9:07 , Jacob Uecker wrote:
>>
>>
>> I have always heard of using TCP RSTs instead of FINs. You could
>> always use
>> a SPAN port and check :)
>>
>>
>>
>> Thanks,
>>
>> Jacob Uecker
>>
>>
>> ________________________________
>>
>> From: nobody_at_groupstudy.com on behalf of Anantha Subramanian
>> Natarajan
>> Sent: Sun 9/6/2009 7:21 PM
>> To: Scott M Vermillion; Cisco certification
>> Subject: Re: CBAC
>>
>>
>>
>> Thank you Scott M Vermillion for your thoughts and inferences.
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <
>> scott_ccie_list_at_it-ag.com> wrote:
>>
>> > My understanding is that it sends TCP RST in both directions, although I
>> > couldn't come up with a direct quote to offer as proof (plenty of quotes
>> > that state that as fact where TCP intercept is concerned, but not CBAC
>> > specifically). A TCP FIN wouldn't be my first guess, as that's the means of
>> > closing an *established* socket. What we're dealing with here is half-open
>> > connections instead. So my vote is on a RST, but I'm not sure how to lab
>> > this up. A means to generate a TCP SYN followed by nothing else would be
>> > required. No doubt such a thing exists but I'm just not sure I have it
>> > readily available on any of my existing lab gear. Anyone else?
>> >
>> >
>> > On Sep 6, 2009, at 5:17 , Andy Reid wrote:
>> >
>> >> Hi Anantha,
>> >>
>> >> I have never noticed that part of the description before: "it notifies
>> >> both parties that the connection has been terminated". I can only assume
>> >> that it sends a FIN packet in both directions after the timeout occurs
>> >> to fully close the connection, though I have not tested this specific
>> >> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
>> >> Can anyone else confirm or otherwise explain the action of "ip inspect
>> >> tcp synwait-time"?
>> >>
>> >> Thanks, Andy
>> >>
>> >> Anantha Subramanian Natarajan wrote:
>> >>
>> >>> Hi Andy,
>> >>>
>> >>> Thank you very much for the explanation. I am trying to understand
>> >>> the below highlighted statement: how does it notify the parties that the
>> >>> connection is terminated, is it by sending some signal (something like
>> >>> RST or ?)... Kindly help me to understand.
>> >>>
>> >>> "This command specifies how long the Cisco IOS waits for a TCP session
>> >>> to be established (to complete the three-way handshake). The default is 30
>> >>> seconds. If the three-way handshake is not completed by the end of this
>> >>> timeout, Cisco IOS removes the entry from its state table and the
>> >>> dynamic entry in the ACL (before FAB) and *it notifies both parties
>> >>> that the connection has been terminated*"
>> >>>
>> >>> Thanks for the help
>> >>>
>> >>> Regards
>> >>> Anantha Subramanian Natarajan
>> >>>
>> >>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it
>> >>> <mailto:ccie_at_reid.it>> wrote:
>> >>>
>> >>> Hi Anantha,
>> >>>
>> >>> The command "ip inspect tcp finwait-time" is used when waiting for
>> >>> the FIN packets (default is 5 seconds).
>> >>>
>> >>> The "ip inspect tcp synwait-time" is used to protect against half
>> >>> open sessions (default is 30 seconds) where the session never
>> >>> becomes fully established, and therefore FIN packets are never sent.
>> >>>
>> >>> regards Andy
>> >>>
>> >>> Anantha Subramanian Natarajan wrote:
>> >>>
>> >>> Hi All,
>> >>>
>> >>> I was going through CBAC and trying to understand the different global
>> >>> settings on the same. One of them was "ip inspect tcp synwait-time". The way
>> >>> in which I understood it was as stated below (actually just pasting the
>> >>> statements)
>> >>>
>> >>> "This command specifies how long the Cisco IOS waits for a TCP session to be
>> >>> established (to complete the three-way handshake). The default is 30 seconds. If
>> >>> the three-way handshake is not completed by the end of this timeout, Cisco IOS
>> >>> removes the entry from its state table and the dynamic entry in the
>> >>> ACL (before FAB) and it notifies both parties that the connection has been
>> >>> terminated"
>> >>>
>> >>> In the above I am trying to understand what kind of notification it provides
>> >>> to both the parties when the timeout is reached. Is it TCP RST or something
>> >>> different?
>> >>>
>> >>> Kindly let me know
>> >>>
>> >>> Thanks for the help
>> >>>
>> >>> Regards
>> >>>
>> >>> Anantha Subramanian Natarajan
>> >>>
>> >>> Blogs and organic groups at http://www.ccie.net
>> >>>
>> >>> _______________________________________________________________________
>> >>> Subscription information may be found at:
>> >>> http://www.groupstudy.com/list/CCIELab.html
>> >>>
>> >>
>>
>>
>
> --
> Speak little, know much.
Received on Mon Sep 07 2009 - 06:33:51 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART