
Troubleshooting IOS Firewall

March 11th, 2010

  • If too much traffic is denied by the IOS Firewall, study the logic of your list or try to define an additional broader list, and then apply it instead. For example:
    access-list # permit tcp any any
    access-list # permit udp any any
    access-list # permit icmp any any
    int <interface>
    ip access-group # in|out
  • The show ip access-lists command shows which access lists are applied and what traffic they deny. Note the packet count of the deny entry matching the source and destination IP addresses before and after the failed operation; if that number increases, the access list is blocking the traffic.
  • If the router is not heavily loaded, debugging can be done at a packet level on the extended or ip inspect access list. If the router is heavily loaded, debugging slows traffic through the router, so use debugging commands with discretion. Temporarily add the no ip route-cache command to the interface:
    int <interface>
    no ip route-cache

    Then, in enable (but not config) mode:

    term mon
    debug ip packet # det

    produces output similar to this:

    *Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0),
       g=10.31.1.21, len 100, forward
    *Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9,
       len 100, forward
  • Extended access lists can also be used with the “log” option at the end of the various statements:
    access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
    access-list 101 permit ip any any

    The router then logs a message for permitted and denied traffic:

    *Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100
       -> 10.31.1.161 (0/0), 15 packets
    *Mar  1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0)
       -> 10.31.1.161(0), 1 packet
  • If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces output such as this:
    Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223
       seq 3659219376(2) (10.31.1.5:11109) => (12.34.56.79:23)
    Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378
       seq 3195751223(12) (10.31.1.5:11109) <= (12.34.56.79:23)
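The two checks above that rely on reading router output by eye, comparing show ip access-lists counters before and after a failed attempt and reading the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages the log keyword produces, are easy to automate when many lists or many log lines are involved. The following Python script is an added example, not code from the page or from Cisco. It assumes the show ip access-lists output format with sequence numbers and a "(N matches)" suffix, and the log message format shown above; all sample captures and log lines are constructed.

```python
import re
from collections import defaultdict

# --- 1. Compare "show ip access-lists" match counters captured before and after the failed attempt ---
# Constructed sample output in the IOS format (sequence numbers and a "(N matches)" suffix).
BEFORE = """\
Extended IP access list 101
    10 deny ip host 171.68.118.100 host 10.31.1.161 log (5 matches)
    20 permit ip any any (1200 matches)
"""
AFTER = """\
Extended IP access list 101
    10 deny ip host 171.68.118.100 host 10.31.1.161 log (8 matches)
    20 permit ip any any (1203 matches)
"""

LIST_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
ACE_RE = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_counters(text):
    """Map (list name, ACE text) -> (action, match count); an ACE without a suffix has 0 matches."""
    counters, current = {}, None
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and current:
            action, body, count = m.groups()
            counters[(current, body)] = (action, int(count or 0))
    return counters

def grown_entries(before, after, action=None):
    """Return [(list, action, ACE text, delta)] for every ACE whose counter grew between the
    two captures, optionally restricted to 'deny' or 'permit'. A deny entry that grows while
    the connection fails is the entry blocking the traffic."""
    b, a = parse_counters(before), parse_counters(after)
    grown = []
    for key, (act, n_after) in a.items():
        n_before = b.get(key, (act, 0))[1]
        if n_after > n_before and (action is None or act == action):
            grown.append((key[0], act, key[1], n_after - n_before))
    return grown

# --- 2. Parse the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages that the "log" keyword produces ---
# Constructed sample lines in the format shown on the page; ICMP entries carry (type/code)
# instead of ports, and an unrelated syslog line is included to show that it is skipped.
SAMPLE_LOG = """\
*Mar  1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
*Mar  1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
*Mar  1 03:28:02.117: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(3451) -> 10.31.1.161(23), 4 packets
*Mar  1 03:29:40.902: %SEC-6-IPACCESSLOGP: list 118 permitted udp 10.31.1.161(53) -> 171.68.118.100(1024), 2 packets
*Mar  1 03:30:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG[A-Z]+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\S+?)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\S+?)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "
    r"(?P<packets>\d+) packets?"
)

def parse_acl_log(text):
    """One dict per access-list log message; lines that are not such messages are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["packets"] = int(rec["packets"])
            records.append(rec)
    return records

def packets_by_flow(records, action="denied"):
    """Sum the packet counts per (list, proto, src, sport, dst, dport) for one action,
    so the flows a list is blocking (or permitting) can be read off directly."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == action:
            totals[(r["acl"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])] += r["packets"]
    return dict(totals)

if __name__ == "__main__":
    for lst, act, ace, delta in grown_entries(BEFORE, AFTER):
        print(f"list {lst}: {act} {ace}  +{delta}")
    for flow, n in packets_by_flow(parse_acl_log(SAMPLE_LOG)).items():
        print("denied", flow, n, "packets")
```

Paste the two show ip access-lists captures into BEFORE and AFTER and the collected syslog into SAMPLE_LOG; grown_entries(..., "deny") names the entry that is blocking the connection, and packets_by_flow lists which flows a list denied and how many packets each lost, which is usually enough to decide whether the list or the inspect rule needs changing.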