Debug output of Java blocking

20 Mar

Listing 4.6: Debug output of Java blocking.

Router-3#debug ip inspect detail

: http session initiator (192.168.10.37:3271) sent 215 bytes - responder (192.168.100.100:80) sent 3162 bytes
: http session initiator (192.168.10.28:4972) sent 143 bytes - responder (192.168.200.200:80) sent 254 bytes
: http session initiator (192.168.10.37:3272) sent 324 bytes - responder (192.168.100.10:80) sent 234 bytes
: http session initiator (192.168.10.28:4973) sent 343 bytes - responder (192.168.200.200:80) sent 314 bytes
: http session initiator (192.168.10.37:3274) sent 344 bytes - responder (192.168.100.100:80) sent 8 bytes
: http session initiator (192.168.10.28:4974) sent 360 bytes - responder (192.168.200.200:80) sent 206 bytes
: http session initiator (192.168.10.37:3275) sent 345 bytes - responder (192.168.100.100:80) sent 12276 bytes
: http session initiator (192.168.10.28:4975) sent 369 bytes - responder (192.168.200.200:80) sent 206 bytes
: http session initiator (192.168.10.37:3276) sent 354 bytes - responder (192.168.100.100:80) sent 278 bytes
: JAVA applet is blocked from (192.168.300.300:80) to (192.168.10.28:8394).
: JAVA applet is blocked from (192.168.300.300:80) to (192.168.10.28:8395).
: http session initiator (192.168.10.37:1298) sent 215 bytes - responder (192.168.100.100:80) sent 302 bytes
: JAVA applet is blocked from (192.168.300.300:80) to (192.168.10.37:1422).
: http session initiator (192.168.10.28:1203) sent 362 bytes - responder (192.168.100.100:80) sent 162 bytes
: JAVA applet is blocked from (192.168.300.300:80) to (192.168.10.37:1723).
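Output like Listing 4.6 is only useful if someone reads it, and on a busy router that means a script. The following is an added example, not code from the book: it parses the session and applet-block lines that debug ip inspect detail emits into records and summarises them per inside host. The sample text is constructed in the same shape as Listing 4.6 (the applet source address 192.0.2.10 is a documentation address chosen here), and the regular expressions and function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the book: parses the session and JAVA-block lines
# produced by 'debug ip inspect detail' (shape of Listing 4.6) and summarises them.

SESSION_RE = re.compile(
    r"^: (?P<app>\S+) session initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sbytes>\d+) bytes"
    r" -+ responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rbytes>\d+) bytes")
BLOCK_RE = re.compile(
    r"^: JAVA applet is blocked from \((?P<src>[\d.]+):(?P<sport>\d+)\) to \((?P<dst>[\d.]+):(?P<dport>\d+)\)")

# Constructed sample in the shape of Listing 4.6 (192.0.2.10 is a documentation address used here)
SAMPLE_DEBUG = """\
Router-3#debug ip inspect detail
: http session initiator (192.168.10.37:3271) sent 215 bytes - responder (192.168.100.100:80) sent 3162 bytes
: http session initiator (192.168.10.28:4972) sent 143 bytes - responder (192.168.200.200:80) sent 254 bytes
: http session initiator (192.168.10.37:3275) sent 345 bytes - responder (192.168.100.100:80) sent 12276 bytes
: JAVA applet is blocked from (192.0.2.10:80) to (192.168.10.28:8394).
: JAVA applet is blocked from (192.0.2.10:80) to (192.168.10.37:1422).
: http session initiator (192.168.10.28:1203) sent 362 bytes - responder (192.168.100.100:80) sent 162 bytes
"""


def parse_debug(text):
    """Turn each recognised line into a dict; lines of any other shape are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            e = {"kind": "session", **m.groupdict()}
        else:
            m = BLOCK_RE.match(line)
            if not m:
                continue
            e = {"kind": "blocked", **m.groupdict()}
        for key in ("sport", "dport", "sbytes", "rbytes"):
            if key in e:
                e[key] = int(e[key])
        events.append(e)
    return events


def summarize(events):
    """Per inside host: bytes sent and received, servers contacted, and applets blocked on its behalf."""
    bytes_out, bytes_in, blocked_by_host = Counter(), Counter(), Counter()
    servers_hit = defaultdict(set)
    for e in events:
        if e["kind"] == "session":
            bytes_out[e["src"]] += e["sbytes"]
            bytes_in[e["src"]] += e["rbytes"]
            servers_hit[e["src"]].add(e["dst"])
        else:
            # In a block message the inside client is the 'to' side; the web server is the 'from' side.
            blocked_by_host[e["dst"]] += 1
    return {
        "sessions": sum(e["kind"] == "session" for e in events),
        "blocked": sum(e["kind"] == "blocked" for e in events),
        "bytes_out": dict(bytes_out),
        "bytes_in": dict(bytes_in),
        "blocked_by_host": dict(blocked_by_host),
        "servers_hit": {h: sorted(s) for h, s in servers_hit.items()},
    }


def large_responses(events, threshold):
    """Sessions in which the responder sent more than `threshold` bytes: the downloads worth a second look."""
    return [(e["src"], e["dst"], e["rbytes"])
            for e in events if e["kind"] == "session" and e["rbytes"] > threshold]


if __name__ == "__main__":
    evts = parse_debug(SAMPLE_DEBUG)
    print(summarize(evts))
    print(large_responses(evts, 10000))
```

Feed it the output of a terminal logging session, or the syslog lines the audit-trail option produces, and the blocked_by_host counter tells you which inside hosts keep hitting pages that carry applets; that is a better starting point for a conversation with the user than a raw debug scroll.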

The CBAC configurations have been fairly basic so far. In the next example, Router 3 will again be configured for CBAC, but this time another interface has been added to the router (see Figure 4.4). This interface, Ethernet1/0, will be used to provide Web, FTP, and mail services to the outside Internet. Ethernet1/0 is connected to the “DMZ” network, which contains a single host that provides those services to the outside world. Ethernet0/0 is connected to the internal local network. Router 3’s configuration is shown in Listing 4.7.

Figure 4.4: Router 3 configured for CBAC with three interfaces.
Listing 4.7: CBAC configuration of Router 3 with three interfaces.

ip inspect audit-trail
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
!
ip inspect name cbactest cuseeme
ip inspect name cbactest ftp
ip inspect name cbactest h323
ip inspect name cbactest http
ip inspect name cbactest rcmd
ip inspect name cbactest realaudio
ip inspect name cbactest smtp
ip inspect name cbactest sqlnet
ip inspect name cbactest streamworks
ip inspect name cbactest tcp
ip inspect name cbactest tftp
ip inspect name cbactest udp
ip inspect name cbactest vdolive
ip inspect name cbactest fragment max 6000 timeout 8
!
interface ethernet0/0
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip inspect cbactest in
!
interface ethernet1/0
ip address 192.168.20.1 255.255.255.0
ip access-group 102 in
ip access-group 103 out
!
interface serial0/0
ip address 192.168.30.1 255.255.255.0
ip access-group 104 in
ip access-group 105 out
ip inspect cbactest in
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip any any
!
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 admin-prohibited
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 echo
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 echo-reply
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 packet-too-big
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 time-exceeded
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 traceroute
access-list 101 permit icmp any 192.168.10.0 0.0.0.255 unreachable
access-list 101 deny ip any any
!
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 deny ip any any
!
access-list 103 permit udp any host 192.168.20.20 eq domain
access-list 103 permit tcp any host 192.168.20.20 eq domain
access-list 103 permit tcp any host 192.168.20.20 eq www
access-list 103 permit tcp any host 192.168.20.20 eq ftp
access-list 103 permit tcp any host 192.168.20.20 eq smtp
access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.20 eq pop3
access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq telnet
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 admin-prohibited
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 echo
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 packet-too-big
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 time-exceeded
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 traceroute
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 unreachable
access-list 103 deny ip any any
!
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 192.168.20.0 0.0.0.255 any
access-list 104 permit ip any any
!
access-list 105 permit icmp 192.168.10.0 0.0.0.255 any echo-reply
access-list 105 permit icmp 192.168.20.0 0.0.0.255 any echo-reply
access-list 105 permit icmp 192.168.10.0 0.0.0.255 any time-exceeded
access-list 105 permit icmp 192.168.20.0 0.0.0.255 any time-exceeded
access-list 105 deny ip 192.168.20.0 0.0.0.255 any
access-list 105 permit ip 192.168.10.0 0.0.0.255 any

In the configuration in Listing 4.7, the first command line enables audit trail logging of session information; the second and third lines set how long an idle TCP or UDP session continues to be managed after the last activity is seen; and the fourth line sets how long an idle DNS name lookup session continues to be managed. The next set of configuration lines sets up an inspection list named cbactest; this CBAC inspection list is used to inspect inbound traffic on Ethernet0/0 and inbound return traffic on Serial0/0. Under interface Ethernet0/0, access list 100 is applied inbound to allow all legitimate traffic from the inside network. Access list 101 is applied outbound to allow some ICMP traffic and deny everything else; the inspection list cbactest adds temporary entries to this list to permit return traffic for connections established from the inside. Finally, under interface Ethernet0/0, the inspection list cbactest is applied to inspect inbound traffic.

Under interface Ethernet1/0, access list 102 is applied inbound to permit traffic initiated from hosts within the DMZ. Access list 103 is applied outbound and allows only certain services to establish a connection with the hosts within the DMZ network; the inspection rules configured on the other interfaces add temporary entries to this list. Under interface Serial0/0, access list 104 is applied inbound; it is configured to prevent spoofing, that is, to drop packets arriving on Serial0/0 whose source address makes them appear to have originated from within the “inside” network or the DMZ. Access list 105 is applied outbound; it allows ping replies and time-exceeded messages from the inside network or the DMZ network, denies other traffic sourced from the DMZ, and permits inside traffic back out.
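The two paragraphs above describe first-match evaluation, wildcard masks and the anti-spoofing role of access list 104 in words. The following added example (not from the book) makes that behaviour executable: it parses IOS extended access-list lines of the kind used in Listing 4.7, evaluates a packet against them with first-match semantics and the implicit deny, and includes a spoof check that asks whether an ACL drops packets claiming an inside source. The sample configuration is constructed from the 103 and 104 entries; the outside addresses 192.0.2.1 and 198.51.100.7 are documentation addresses chosen here, and the Packet type and function names are this example's own. It handles only the keyword forms that appear in the listing (any, host, wildcard, eq port, ICMP type), not the whole IOS grammar.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the book: first-match evaluator for IOS extended
# access lists in the form used by Listing 4.7.

PORT_NAMES = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "pop3": 110, "telnet": 23}


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"; a rule protocol of "ip" matches all of them
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # ICMP type keyword as IOS spells it, e.g. "echo", "unreachable"


def _parse_addr(tokens, i):
    """Consume one address spec ("any", "host A.B.C.D" or "A.B.C.D wildcard"); return (spec, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _addr_match(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care' about that bit."""
    if spec is None:
        return True
    net, wild = spec
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def parse_acls(text):
    """Group 'access-list N ...' lines by number, keeping their order (first match depends on it)."""
    acls = {}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto = int(t[1]), t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = icmp_type = None
        if i < len(t):
            if t[i] == "eq":
                port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
            elif proto == "icmp":
                icmp_type = t[i]
        acls.setdefault(num, []).append({"action": action, "proto": proto, "src": src, "dst": dst,
                                         "port": port, "icmp_type": icmp_type, "text": raw.strip()})
    return acls


def evaluate(rules, pkt):
    """Return (action, text of the rule that decided). An extended ACL ends with an implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt.proto:
            continue
        if not (_addr_match(r["src"], pkt.src) and _addr_match(r["dst"], pkt.dst)):
            continue
        if r["port"] is not None and r["port"] != pkt.dport:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != pkt.icmp_type:
            continue
        return r["action"], r["text"]
    return "deny", "implicit deny"


def spoof_check(rules, inside_nets):
    """True when a packet claiming a source inside each given network is dropped by this ACL."""
    for net in inside_nets:
        # 192.0.2.1 stands in for any outside destination (documentation address, constructed here)
        probe = Packet("tcp", str(ipaddress.IPv4Network(net)[10]), "192.0.2.1", dport=80)
        if evaluate(rules, probe)[0] != "deny":
            return False
    return True


# Sample constructed from the access-list 103 and 104 entries of Listing 4.7, plus a deliberately
# permissive list 110 to show the spoof check failing.
SAMPLE_CONFIG = """\
access-list 103 permit udp any host 192.168.20.20 eq domain
access-list 103 permit tcp any host 192.168.20.20 eq www
access-list 103 permit tcp any host 192.168.20.20 eq smtp
access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 192.168.20.20 eq pop3
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 echo
access-list 103 permit icmp any 192.168.20.0 0.0.0.255 unreachable
access-list 103 deny ip any any
!
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 192.168.20.0 0.0.0.255 any
access-list 104 permit ip any any
!
access-list 110 permit ip any any
"""

ACLS = parse_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    spoofed = Packet("tcp", "192.168.10.5", "192.0.2.1", dport=80)        # inside source arriving on Serial0/0
    outside_pop3 = Packet("tcp", "198.51.100.7", "192.168.20.20", dport=110)  # outside host trying POP3 into the DMZ
    print("ACL 104 on spoofed packet:", evaluate(ACLS[104], spoofed))
    print("ACL 103 on outside POP3:", evaluate(ACLS[103], outside_pop3))
    print("ACL 104 blocks spoofing:", spoof_check(ACLS[104], ["192.168.10.0/24", "192.168.20.0/24"]))
```

The evaluator ignores the temporary entries CBAC adds at run time, so it tells you what the static list permits on its own; that is exactly the question to ask of list 103 (what can the outside world reach in the DMZ without any help from inspection?) and of list 104 (does every inside prefix get dropped before the permit any any?).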

CBAC can also function on a router that also has Network Address Translation (NAT) or Port Address Translation (PAT) configured. The configuration in the next example works well for any office connected directly to the Internet and utilizing the functionality of NAT.

In the sample network shown in Figure 4.5, no services are run on the inside network behind Router 3. Ethernet1/0 is the “inside” network. Serial0/0 is the outside interface. Users on the inside local network of 192.168.10.0 must have their IP addresses translated to public routable addresses within the 192.168.20.0 address space. Also, CBAC services must be provided for users on the inside network. The configuration for Router 3 that is shown in Listing 4.8 meets these requirements.

Figure 4.5: CBAC and NAT network design.

Note: The 192.168.20.0 network is actually private address space as allocated by RFC 1918, which can be found at http://www.ietf.org/rfc/rfc1918. It is only used here for the benefit of protecting the innocent.

Listing 4.8: Router 3 configured for CBAC and NAT.

ip inspect name cbacnat cuseeme timeout 3600
ip inspect name cbacnat ftp audit-trail on timeout 3600
ip inspect name cbacnat h323 timeout 3600
ip inspect name cbacnat http timeout 3600
ip inspect name cbacnat realaudio timeout 3600
ip inspect name cbacnat smtp timeout 3600
ip inspect name cbacnat sqlnet timeout 3600
ip inspect name cbacnat streamworks timeout 3600
ip inspect name cbacnat tcp timeout 3600
ip inspect name cbacnat tftp timeout 30
ip inspect name cbacnat udp timeout 15
!
ip inspect tcp synwait-time 15
ip inspect tcp idle-time 1800
ip inspect udp idle-time 60
ip inspect max-incomplete high 250
ip inspect max-incomplete low 150
ip inspect one-minute high 250
ip inspect one-minute low 150
!
interface Ethernet0
ip address 192.168.10.1 255.255.255.0
ip access-group 101 in
no ip directed-broadcast
ip nat inside
ip inspect cbacnat in
!
interface Serial0
ip address 192.168.20.1 255.255.255.0
ip access-group 112 in
no ip directed-broadcast
ip nat outside
!
ip nat pool natpool 192.168.20.3 192.168.20.254 netmask 255.255.255.0
ip nat inside source list 1 pool natpool
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.20.2
ip route 192.168.10.0 255.255.255.0 192.168.10.2
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any
access-list 101 permit udp 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp 192.168.10.0 0.0.0.255 any
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 unreachable
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 echo-reply
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 packet-too-big
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 time-exceeded
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 traceroute
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 admin-prohibited
access-list 112 permit icmp any 192.168.20.0 0.0.0.255 echo
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip any any

Related solution: Configuring Dynamic NAT Translations (found on page 145)

Configuring Port Application Mapping

The configuration of Port Application Mapping (PAM) is straightforward, but the power of PAM lies in the way CBAC uses the information in the PAM table to identify a service or application from traffic flowing through the firewall. With PAM, CBAC can associate nonstandard port numbers with specific protocols. To configure PAM, use the commands in the following steps:

1. Use this global configuration command to establish a port mapping entry using a TCP or UDP port number and an application name:

ip port-map <application-name> port <port-number> list <list-number>

The list argument is optional and is used to specify a standard access list that matches specific hosts or subnets that have an application that uses a specific port number.

2. Optionally, configure a standard access list that specifies the specific hosts or subnets that should be configured for host-specific port application mapping.

Looking at the network detailed in Figure 4.6, you can see that Router 3 is the perimeter router that provides Internet access for Company A. Router 3 connects to its ISP via its Serial1/1/0 outside interface and to its local inside network via its FastEthernet0/1/0 interface. Router 3 is configured for PAM. Users on the local inside network use their Web browsers to access Web servers on the outside network using the nonstandard HTTP ports 6100 through 6105. For Router 3 to map HTTP traffic to ports 6100 through 6105, use the configuration shown in Listing 4.9.
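To make the two configuration steps and the scenario concrete, here is an added example, not code from the book or from Cisco: a small model of the PAM table and of how CBAC would consult it for a connection to a given server and port. It follows the precedence Cisco documents for PAM (a host-specific entry wins over a user-defined entry, which wins over a system-defined entry) and the documented rule that a system-defined port can only be remapped by a host-specific entry. The SYSTEM_DEFINED dictionary is a small subset of the real table (the book's Table 4.1 has the full set), the PortMap class and its method names are this example's own, and 198.51.100.7 is a documentation address chosen here.

```python
import ipaddress

# Added example, not from the book: a model of the PAM table and the lookup
# CBAC performs against it. SYSTEM_DEFINED is a subset of the real system-defined
# entries (see Table 4.1 in the book for the complete list).
SYSTEM_DEFINED = {80: "http", 21: "ftp", 25: "smtp", 23: "telnet", 53: "dns"}


def _in_list(host, acl):
    """acl holds (network, wildcard) pairs, as a standard access list would; IOS wildcard semantics."""
    h = int(ipaddress.IPv4Address(host))
    for net, wild in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
        if (h & care) == (int(ipaddress.IPv4Address(net)) & care):
            return True
    return False


class PortMap:
    def __init__(self):
        self.user = {}            # port -> application, from 'ip port-map <app> port <n>'
        self.host_specific = []   # (port, application, acl), from 'ip port-map <app> port <n> list <acl>'

    def add(self, app, port, acl=None):
        """Model of 'ip port-map': acl is the list of (network, wildcard) pairs named by 'list <n>'."""
        if acl is not None:
            self.host_specific.append((port, app, acl))
            return
        if port in SYSTEM_DEFINED and SYSTEM_DEFINED[port] != app:
            # IOS refuses a global remap of a system-defined port; the host-specific form is the way round it.
            raise ValueError(f"port {port} is system-defined as {SYSTEM_DEFINED[port]}; use a host-specific entry")
        self.user[port] = app

    def remove(self, app, port):
        """Model of 'no ip port-map <app> port <n>' for a user-defined entry."""
        if self.user.get(port) == app:
            del self.user[port]

    def lookup(self, port, server):
        """Application CBAC would treat a connection to server:port as, or None if the port is unmapped."""
        for p, app, acl in self.host_specific:
            if p == port and _in_list(server, acl):
                return app
        if port in self.user:
            return self.user[port]
        return SYSTEM_DEFINED.get(port)

    def show(self, app):
        """Rows in the order 'show ip port-map <app>' prints them in Listing 4.10: user defined, then system defined."""
        rows = [(p, "user defined") for p, a in sorted(self.user.items()) if a == app]
        rows += [(p, "system defined") for p, a in sorted(SYSTEM_DEFINED.items()) if a == app]
        return rows


def router3_portmap():
    """The six user-defined HTTP entries from the Listing 4.9 scenario."""
    pm = PortMap()
    for port in range(6100, 6106):
        pm.add("http", port)
    return pm


if __name__ == "__main__":
    pm = router3_portmap()
    for row in pm.show("http"):
        print("Default mapping: http port %d %s" % row)
    print(pm.lookup(6103, "198.51.100.7"))   # http: user-defined entry applies to every server
```

The lookup is what matters for inspection: a connection to port 6103 is inspected with the HTTP engine only because the table says so, and without the entry CBAC would fall back to generic TCP inspection for that session, with none of the HTTP-specific checks (such as the Java blocking shown in Listing 4.6).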

Figure 4.6: Network layout for PAM.
Listing 4.9: PAM configuration for Router 3.

ip port-map http port 6100
ip port-map http port 6101
ip port-map http port 6102
ip port-map http port 6103
ip port-map http port 6104
ip port-map http port 6105
end

Notice in Listing 4.9 that Router 3 has been configured to map six sequential port numbers to HTTP traffic. You can view port map table information on the router by issuing the following command:

show ip port-map {application-name | port port-number}

To view the port mapping table of Router 3, issue the show ip port-map http command. The port mapping of Router 3 is displayed in Listing 4.10.

Listing 4.10: Port mapping table on Router 3.

Router-3#show ip port-map http
Default mapping: http port 6100 user defined
Default mapping: http port 6101 user defined
Default mapping: http port 6102 user defined
Default mapping: http port 6103 user defined
Default mapping: http port 6104 user defined
Default mapping: http port 6105 user defined
Default mapping: http port 80 system defined
Router-3#

I issued the show ip port-map command in Listing 4.10 with the application-name argument to display only the information related to HTTP traffic. Each of the ports configured earlier is displayed in Listing 4.10; notice that they appear as user-defined table entries. Also note that the final line is a system-defined entry for HTTP. Table 4.1 earlier in this chapter stated that HTTP is a system-defined entry on the default port 80.

While on the subject of system-defined entries, I’ll remove the configuration that created the user-defined entries and display the default PAM table. First I’ll remove the prior configuration:

Router-3#config t
Router-3(config)#no ip port-map http port 6100
Router-3(config)#no ip port-map http port 6101
Router-3(config)#no ip port-map http port 6102
Router-3(config)#no ip port-map http port 6103
Router-3(config)#no ip port-map http port 6104
Router-3(config)#no ip port-map http port 6105
Router-3(config)#end
Router-3#

I can now issue the show ip port-map command without any argument to display the entire PAM table. Issuing the command on Router 3 should now display the default PAM table. Listing 4.11 displays Router 3’s default PAM table.
