Topic '[Config] Cisco 2821 Router - Firewall Mysteriously Dropped Packe' in forum 'Cisco'

Topic '[Config] Cisco 2821 Router - Firewall Mysteriously Dropped Packe' in forum 'Cisco' - dslreports.com http://www.dslreports.com/forum/Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-Packe-23107745 en Thu, 20 Jun 2013 06:52:17 EDT Thu, 20 Jun 2013 06:52:17 EDT Re: [Config] Cisco 2821 Router - Firewall Mysteriously Dropped P http://www.dslreports.com/forum/Re-Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-P-23116792
Interface Gig0/0
no ip virtual-reassembly

and see what you get. When the packets cross this interface it allows them to get a sequence number, since there broken up to 1500 bite packets, and be routed. Since you have this turned off on your multilink the sequence number gets dropped on the return trip. Andrew]]> http://www.dslreports.com/forum/Re-Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-P-23116792 Thu, 01 Oct 2009 20:55:03 EDT Re: [Config] Cisco 2821 Router - Firewall Mysteriously Dropped P http://www.dslreports.com/forum/Re-Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-P-23112874 http://www.dslreports.com/forum/Re-Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-P-23112874 Thu, 01 Oct 2009 11:03:50 EDT [Config] Cisco 2821 Router - Firewall Mysteriously Dropped Packe http://www.dslreports.com/forum/Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-Packe-23107745
I'm new to this Board and am at my wit's end. I do not have any Cisco certifications but have used a variety of their devices, this is my first endeavor into the IOS world however.

I have done a fair bit of searching and could find no relevant posts to issue.

I have a Cisco 2821 (revision 53.50), running Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3).

I am using the Zone Based Firewall and have so far been able to configure it successfully. My problem arises when I try to allow the following traffic to a specific computer (10.10.20.5) on my internal network:

5060 UDP, TCP
10,000-10,500 UDP
5222 TCP
843 TCP

It should be noted that port 5060 is SIP however my particular implementation requires that SIP inspection be disabled. The SIP packets are the ones I am having trouble with...

When I configure "ip inspect log drop-pkt" and enable terminal monitoring I am shown dropped packets:

000074: Sep 30 08:24:59.632 MDT: %FW-6-DROP_PKT: Dropping udp session 64.201.102.162:53402 10.10.20.5:5060 due to Invalid Seq# with ip ident 0
000075: Sep 30 08:25:30.793 MDT: %FW-6-DROP_PKT: Dropping udp session 63.253.254.250:9870 10.10.20.5:5060 due to Invalid Seq# with ip ident 0
000076: Sep 30 08:26:01.134 MDT: %FW-6-DROP_PKT: Dropping udp session 64.201.102.162:53402 10.10.20.5:5060 due to Invalid Seq# with ip ident 0
000077: Sep 30 08:26:31.154 MDT: %FW-6-DROP_PKT: Dropping udp session 98.243.175.140:61070 10.10.20.5:5060 due to Invalid Seq# with ip ident 0

Here is my config (with some sensitive lines edited):

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname bdbfrouter
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-24.t1.bin
boot-end-marker
!
card type t1 0 0
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096
enable secret 5 blahblahblah
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
clock timezone MDT -7
clock summer-time MDT date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 0
!
dot11 syslog
no ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.11.1 192.168.11.11
!
ip dhcp pool GuestWiFi
import all
network 192.168.11.0 255.255.255.0
dns-server 66.255.85.8 66.255.85.9
default-router 192.168.11.1
!
!
ip port-map user-Switchboard1 port tcp 5222
ip port-map user-Switchboard2 port tcp 843
ip port-map user-Switchvox port udp from 10000 to 10500 description ports for VoIP phones
no ip bootp server
ip domain name domain.local
ip name-server 66.255.85.8
ip name-server 66.255.85.9
ntp update-calendar
ntp server 10.10.20.200 source GigabitEthernet0/0
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com

!
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint SSLCERT
enrollment selfsigned
serial-number
ip-address 73.243.75.98
revocation-check crl
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SSLCERT
certificate self-signed 0B
::certdata::
quit
!
!
username admin privilege 15 secret 5 blahblahblah
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key blahblahblahblah( address 82.175.38.244
crypto isakmp key blahblahblahblah( address 73.243.244.240
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime kilobytes 28800
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPNSteamboat esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.175.38.244
set peer 82.175.38.244
set transform-set VPNSteamboat
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
! Incomplete
description Tunnel to73.243.244.240
set transform-set VPNSteamboat
match address 104
!
!
!
T1 Controllers...
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
class-map type inspect match-any HTTPS
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
match class-map HTTPS
match access-group name SwitchVoxHTTPS
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any PRESIP
match protocol sip
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
class-map type inspect match-all VOIPOUTMAP
match access-group name VOIPOUTACL
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any VoipOUT
match protocol user-Switchboard1
match protocol user-Switchboard2
match protocol user-Switchvox
match protocol sip
class-map type inspect match-all sdm-cls-ccp-inspect-1
match class-map VoipOUT
match access-group name VoIPOut
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any PREVOIP
match protocol sip
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any VOIPINMAP
match access-group name VOIPINACL
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-any sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
!
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect PREVOIP
pass
class type inspect VOIPINMAP
pass
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
inspect
class type inspect sdm-nat-https-1
inspect
class class-default
drop
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect PRESIP
pass
class type inspect VOIPOUTMAP
pass
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-smtp
inspect
service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect sdm-cls-ccp-inspect-1
pass
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
!
!
!
interface Null0
no ip unreachables
!
interface Multilink1
description $FW_OUTSIDE$
ip address 73.243.75.99 255.255.255.240 secondary
ip address 73.243.75.100 255.255.255.240 secondary
ip address 73.243.75.101 255.255.255.240 secondary
ip address 73.243.75.98 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
zone-member security out-zone
no cdp enable
ppp multilink
ppp multilink group 1
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
no cdp enable
no mop enabled
!
::Serial and unused interfaces::
!
ip local pool SSLPOOL 10.10.20.30 10.10.20.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 73.243.75.97
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface Multilink1 overload
ip nat inside source static 10.10.20.5 73.243.75.99
ip nat inside source static 10.10.20.210 73.243.75.100
!
ip access-list extended SwitchVoxHTTPS
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
ip access-list extended VOIPINACL
permit tcp any host 10.10.20.5 eq 5222
permit tcp any host 10.10.20.5 eq 843
permit tcp any host 10.10.20.5 eq 5060
permit udp any host 10.10.20.5 eq 5060
permit udp any host 10.10.20.5 range 10000 10500
ip access-list extended VOIPOUTACL
permit tcp host 10.10.20.5 eq 5222 any
permit tcp host 10.10.20.5 eq 843 any
permit tcp host 10.10.20.5 eq 5060 any
permit udp host 10.10.20.5 any eq 5060
permit udp host 10.10.20.5 any range 10000 10500
ip access-list extended VoIPOut
remark CCP_ACL Category=128
permit ip host 10.10.20.5 any
!
no logging trap
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.10.20.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 73.243.75.96 0.0.0.15 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.20.210
access-list 101 permit ip 192.168.11.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit esp 192.168.11.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 192.168.111.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit esp 192.168.111.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 104 permit ip 10.10.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny ip any 10.10.30.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 deny ip 10.10.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.10.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 105 permit ip 10.10.20.0 0.0.0.255 any
access-list 120 permit ip host 10.10.27.67 host 192.168.111.30
access-list 120 permit ip host 192.168.111.30 host 10.10.27.67
access-list 150 permit ip host 10.10.30.30 host 10.10.20.67
access-list 150 permit ip host 10.10.20.67 host 10.10.30.30
access-list 198 permit udp host 73.243.75.98 host 82.175.38.244 eq isakmp
access-list 198 permit udp host 82.175.38.244 eq isakmp host 73.243.75.98
access-list 199 permit ip 10.10.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 199 permit ip 192.168.111.0 0.0.0.255 10.10.20.0 0.0.0.255
no cdp run

!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
radius-server host 10.10.20.200 auth-port 1645 acct-port 1646 key 7 062636234D4C5B0C44
!
control-plane
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
-----------------------------------------------------------------------

banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
login authentication LOCAL
transport input all
line vty 5 15
login authentication LOCAL
transport input all
!
scheduler allocate 20000 1000
!
webvpn gateway SSL
ip address 73.243.75.98 port 443
ssl trustpoint SSLCERT
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.3.2016-k9.pkg sequence 1
!
webvpn context SSL
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group SSL_Policy
functions svc-enabled
svc address-pool "SSLPOOL"
svc default-domain "domain.local"
svc keep-client-installed
svc split include 10.10.20.0 255.255.255.0
svc dns-server primary 10.10.20.200
default-group-policy SSL_Policy
aaa authentication list local_authen
gateway SSL
inservice
!
end

Thank you in advance, all input is greatly appreciated!

-Pasta]]> http://www.dslreports.com/forum/Config-Cisco-2821-Router-Firewall-Mysteriously-Dropped-Packe-23107745 Wed, 30 Sep 2009 13:54:00 EDT