Re: CBAC

sorry anantha,
disabling http server is not a good idea because it causes the immediate RST
to be sent out.

try to telnet on an non-existent ip passing through the CBAC router.

this will make your telnet session to last enough time to be RST-ed by the
CBAC router

/R

2009/9/7 Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com>

> Hi Federico,
>
> Thank you very much ...I tried your scenario......Where R2 is performing
> CBAC HTTP inspection and R3 is initiating session tol R1.Where in R1 http
> server is disabled (no ip http server).The inspection rule was applied on
R2
> interface facing toward R1 in outbound direction.On R2 interface facing
> R3,an inbound access-list is configured to allow all TCP traffic.In R2
> interface facing toward R1,an inbound Extended ACL is applied to deny all
> tcp traffic.
>
> Increased R3 tcp synwait-time to 300 seconds,which is higher than ip
> inspect tcpsynwait-time default time of 30 seconds.
>
> Enabled audit-trial on R2 and debug ip inspect tcp.Got the below message
>
> *Mar 1 00:32:27.671: %FW-6-SESS_AUDIT_TRAIL_START: Start http session:
> initiato
> r (10.1.1.6:32812) -- responder (10.1.1.1:80)
> *Mar 1 00:32:27.671: FIREWALL sis 658EB810 pak 655CE9A0 SIS_CLOSED/LISTEN
> *TCP S
> YN SEQ* 694001311 LEN 0 *(10.1.1.6:32812) => (10.1.1.1:80)
> **Mar 1 00:32:27.775: FIREWALL* sis 658EB810 pak 65226C74
SIS_OPENING/*SYNSENT
> TC
> P RST ACK* 694001312 SEQ 0 LEN 0 *(10.1.1.1:80) <= (10.1.1.6:32812)
> **Mar 1 00:32:27.775: FIREWALL* sis 658EB810 http L7 inspect result: PASS
> packet
> *Mar 1 00:32:32.775: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator
> (10.1
> .1.6:32812) sent 0 bytes -- responder (10.1.1.1:80) sent 0 bytes
>
> From the above it seems that,R1 immediately sends back TCP RST ACK packet
> to R3 and so the connection was disconnected.In that case I would assume
> that "ip inspect tcp synwait-time" will not even kickoff to see what
> messages the router sends assuming the three-way tcp session was not
> established before the synwait-timeout.Is my understanding right or I am
> missing something.Kindly let me know
>
> Thanks for the help
>
> Regards
> Anantha Subramanian Natarajan
>
> On Mon, Sep 7, 2009 at 2:29 AM, Federico Cossu
<federico.cossu_at_gmail.com>wrote:
>
>> i think you can test it easily with dynamips on a scenario like this
>>
>> R1 <----> R2 <----->R3
>>
>> apply CBAC on R2 looking for http connections coming from R3 towards R1,
>> on R3 increase the tcp synwait time to something larger than the CBAC
>> timeout for tcp port 80,
>>
>> on R1 http server is disabled, start telnetting R1:80 and capture the
>> traffic on both R2 interfaces.
>> see what happen as soon as the CBAC SYN timeout expires.
>>
>> /R
>>
>>
>>
>> 2009/9/7 Jacob Uecker <juecker_at_ccbootcamp.com>
>>
>>> Yersinia is perfect for this! I've always liked to use hping to spoof
>>> packets, but anything along that line works. I guess you could create a
>>> static route so that the SYN-ACK isn't received by the original sender.
>>> An
>>> ACL would also work.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Jacob Uecker
>>> CCIE# 24481
>>>
>>> Development Engineer
>>> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
>>> Toll Free: 877-654-2243
>>> International: +1-702-968-5100
>>> Skype: skype:ccbootcamp?call
>>> FAX: +1-702-446-8012
>>>
>>> YES! We take Cisco Learning Credits!
>>> Training And Remote Racks: http://www.ccbootcamp.com
>>>
>>> ________________________________
>>>
>>> From: Scott M Vermillion [mailto:scott_ccie_list_at_it-ag.com]
>>> Sent: Sun 9/6/2009 8:55 PM
>>> To: Jacob Uecker
>>> Cc: Anantha Subramanian Natarajan; Cisco certification
>>> Subject: Re: CBAC
>>>
>>>
>>> Hi Jacob,
>>>
>>> Yes, there are likely many ways to check -- assuming you can create the
>>> half-open scenario for IOS to react to in the first place. Any thoughts
>>> there? Yersinia or something along that line?
>>>
>>> Regards,
>>>
>>> Scott
>>>
>>> On Sep 6, 2009, at 9:07 , Jacob Uecker wrote:
>>>
>>>
>>> I have always heard of using TCP RSTs instead of FINs. You could
>>> always use
>>> a SPAN port and check :)
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Jacob Uecker
>>> CCIE# 24481
>>>
>>> Development Engineer
>>> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
>>> Toll Free: 877-654-2243
>>> International: +1-702-968-5100
>>> Skype: skype:ccbootcamp?call
>>> FAX: +1-702-446-8012
>>>
>>> YES! We take Cisco Learning Credits!
>>> Training And Remote Racks: http://www.ccbootcamp.com
>>> <http://www.ccbootcamp.com/>
>>>
>>>
>>> ________________________________
>>>
>>> From: nobody_at_groupstudy.com on behalf of Anantha Subramanian
>>> Natarajan
>>> Sent: Sun 9/6/2009 7:21 PM
>>> To: Scott M Vermillion; Cisco certification
>>> Subject: Re: CBAC
>>>
>>>
>>>
>>> Thank you Scott M Vermillion for your thoughts and inferences.
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <
>>> scott_ccie_list_at_it-ag.com> wrote:
>>>
>>> > My understanding is that it sends TCP RST in both directions,
>>> although I
>>> > couldn't come up with a direct quote to offer as proof (plenty
>>> of quotes
>>> > that state that as fact where TCP intercept is concerned, but
>>> not CBAC
>>> > specifically). A TCP FIN wouldn't be my first guess, as that's
>>> the means
>>> of
>>> > closing an *established* socket. What we're dealing with here
>>> is
>>> half-open
>>> > connections instead. So my vote is on a RST, but I'm not sure
>>> how to lab
>>> > this up. A means to generate a TCP SYN followed by nothing else
>>> would be
>>> > required. No doubt such a thing exists but I'm just not sure I
>>> have it
>>> > readily available on any of my existing lab gear. Anyone else?
>>> >
>>> >
>>> > On Sep 6, 2009, at 5:17 , Andy Reid wrote:
>>> >
>>> > Hi Ananatha,
>>> >>
>>> >> I have never noticed that part of the description before : "it
>>> notifies
>>> >> both parties that the connection has been terminated". I can
>>> only assume
>>> >> that it sends a FIN packet in both directions after the timeout
>>> occurs
>>> >> to fully close the connection, though I have not tested this
>>> specific
>>> >> function in my lab, i.e. CBAC sending TCP packets on behalf of
>>> hosts.
>>> >> Can anyone else confirm or otherwise explain the action of "ip
>>> inspect
>>> >> tcp synwait-time".
>>> >>
>>> >> Thanks, Andy
>>> >>
>>> >> Anantha Subramanian Natarajan wrote:
>>> >>
>>> >>> Hi Andy,
>>> >>>
>>> >>> Thank you very much for the explanation.I am trying to
>>> understand
>>> >>> the below highlighted statement,how it notifies the parties
>>> that the
>>> >>> connection is terminated,is it by sending some signal (Some
>>> thing like
>>> >>> RST or ?) ....Kindly help me to understand
>>> >>>
>>> >>> "This command specifies how long the cisco IOS waits for a TCP
>>> session
>>> >>> to be established (to complete three-way handshake).The
>>> default is 30
>>> >>> seconds.If the three way handshake is not completed by end of
>>> this
>>> >>> timeout,Cisco IOS removes the entry from its state table and
>>> the
>>> >>> dynamic entry in the ACL(before FAB) and* it notifies both
>>> parties
>>> >>> that the connection has been terminated*"
>>> >>>
>>> >>> Thanks for the help
>>> >>>
>>> >>> Regards
>>> >>> Anantha Subramanian Natarajan
>>> >>>
>>> >>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it
>>> >>> <mailto:ccie_at_reid.it>> wrote:
>>> >>>
>>> >>> Hi Anantha,
>>> >>>
>>> >>> The command "ip inspect tcp finwait-time" is used when
>>> waiting for
>>> >>> the FIN packets (default is 5 seconds).
>>> >>>
>>> >>> The "ip inspect tcp synwait-time" is used to protect against
>>> half
>>> >>> open sessions (default is 30 seconds) where the session
>>> never
>>> >>> becomes fully established, and therefore FIN packets are
>>> never sent.
>>> >>>
>>> >>> regards Andy
>>> >>>
>>> >>> Anantha Subramanian Natarajan wrote:
>>> >>>
>>> >>> Hi All,
>>> >>>
>>> >>> I was going through CBAC and trying to understand the
>>> >>> different global
>>> >>> settings on the same.One of that was "ip inspect tcp
>>> >>> synwait-time".The way
>>> >>> in which understood was as stated below(Actually Just
>>> pasting the
>>> >>> statements)
>>> >>>
>>> >>>
>>> >>> "This command specifies how long the cisco IOS waits for
>>> a TCP
>>> >>> session to be
>>> >>> established (to complete three-way handshake).The
>>> default is
>>> >>> 30 seconds.If
>>> >>> the three way handshake is not completed by end of this
>>> >>> timeout,Cisco IOS
>>> >>> removes the entry from its state table and the dynamic
>>> entry
>>> >>> in the
>>> >>> ACL(before FAB) and it notifies both parties that the
>>> >>> connection has been
>>> >>> terminated"
>>> >>>
>>> >>> In the above I am trying to understood,what kind of
>>> >>> notification it provides
>>> >>> to both the parties when the timeout as reached ..Is it
>>> TCP
>>> >>> RST or something
>>> >>> different.
>>> >>>
>>> >>>
>>> >>>
>>> >>> Kindly let me know
>>> >>>
>>> >>>
>>> >>>
>>> >>> Thanks for the help
>>> >>>
>>> >>>
>>> >>>
>>> >>> Regards
>>> >>>
>>> >>> Anantha Subramanian Natarajan
>>> >>>
>>> >>>
>>> >>> Blogs and organic groups at http://www.ccie.net
>>> <http://www.ccie.net/>
>>> >>> <http://www.ccie.net/>
>>> >>>
>>> >>>
>>> >>>
>>> _______________________________________________________________________
>>> >>> Subscription information may be found at:
>>> >>> http://www.groupstudy.com/list/CCIELab.html
>>> >>>
>>> >>
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net <
>>> http://www.ccie.net/>
>>> >>
>>> >>
>>> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net <
>>> http://www.ccie.net/>
>>>
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Faeddare pagu, sabidorla meda.
>>
>
>

--
Faeddare pagu, sabidorla meda.
Blogs and organic groups at http://www.ccie.net