Posted on 2006-11-01
Client has a Win2K server running a PHP+MySQL DB published on IIS, which works perfectly with a Netgear DSL router. Every time I try to introduce a Cisco 837, I run into:

1) HTTPS Internet banking from client PCs works up until the point a payment is made. They can log in, pull up accounts, employees etc., amounts to transfer etc. (I ran Ethereal and the entire conversation is (*high port, e.g. 2247) > 443 and back.) It's SSLv3 traffic, but there appears to be a cipher change when the submit button is hit for a transaction payment in the Ethereal logs.

2) External HTTP users can log in to the main form on the web page for the PHP+MySQL DB but cannot access the forms which do the important stuff, i.e. the pages that pull up the database stuff!

I suspect CBAC is to blame because encryption is happening, which is preventing it following the session properly. The problem is that I don't really understand CBAC and how to implement it properly. I could disable it I guess, but might as well leave the Netgear there if that's the case.

I understand that CBAC allows sessions initiated on the inside to create openings for return traffic in the firewall. So if user A launches an HTTP session on e.g. TCP port 2247 to the outside on 80, then returning traffic with sip 80 and dip 2247 will be allowed back in.

So, I set up the firewall on the outside interface blocking everything but incoming HTTP and a few other things I need, like remote access and SMTP from my office's STATIC IPs.

Then I activate generic TCP and UDP inspection (the SDM creates one called DEFAULT100 which has tcp, udp, realaudio, smtp etc.) by applying the DEFAULT100 inspection rule to my ATM0.1 outbound interface. Users can now surf etc., but Internet banking now fails at the point mentioned earlier. I send the output to a syslog server and see sessions starting and stopping, but it's now my basic lack of understanding that becomes the problem. Without really understanding CBAC I am not comfortable examining the logs.

Bollocks to that, I say to myself; let's fix the access to the web server database.

I have STATIC NAT translations set up for ports 80 and 25 to the mail/web server and have the ports permitted through the firewall, but cannot telnet on 25 from my office or access the web server from any outside IP.

If I apply the DEFAULT100 inspection rule to my ATM0.1 inbound interface I can now connect on 25 from my office to the Exchange server, and log in to the web server database from anywhere.

I don't know if I should define separate/unique inspection rules for the incoming and outbound section of the interface; I tried, but they both basically say the same thing anyway, i.e. to inspect TCP and UDP traffic.

This is the bit I don't understand: if CBAC is looking at deeper layers to establish if traffic is part of a valid session, why inspect traffic that starts from the outside UNTRUSTED network? I'm allowing any outgoing traffic in the firewall while I try to resolve the issue. It seems dangerous/illogical to me to allow some untrusted IP to determine the source and destination ports for inspection. CBAC/inspect rules on inbound for the outside interface make no sense to me.

Yet, I cannot connect at all unless I do it. The problem then becomes that I cannot load any of the important web pages; I can log in to the system but the useful stuff doesn't work. The thing that drives me crazy is that there is one IP on the outside that can open the useful pages properly, the IP for my office, which is allowed only 3389 (remote desktop) and SMTP access. I tried giving full access through the firewall to other IPs but they could not load the pages. The only thing different about my office IP from the Cisco's point of view is that it initiates the odd SMTP 25 connection out to it when sending email.

I was expecting this to be a 10 line question.
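An added example of the conventional CBAC layout for a single outside interface, as Cisco's IOS firewall documentation describes it: inspection applied to sessions leaving through the outside interface, a static inbound ACL that permits only the published services, and static NAT for the server. This is not the poster's configuration or SDM's DEFAULT100 output, and it does not diagnose the specific failure described above. Interface ATM0.1 and the DEFAULT100 name come from the post; the inside interface name, all addresses (RFC 5737 documentation ranges), the office IP, and the rule and ACL names are assumptions.

```cisco
! Added example, not the poster's running config. Addresses, the inside
! interface, and the names TRUSTED-OUT / OUTSIDE-IN are assumptions.
!
! Log every inspected session start/stop to syslog (%FW-6-SESS_AUDIT_TRAIL*).
ip inspect audit-trail
!
! Inspect only sessions that begin on the trusted side. CBAC records each
! one and dynamically opens the matching return hole in OUTSIDE-IN.
ip inspect name TRUSTED-OUT tcp
ip inspect name TRUSTED-OUT udp
!
! Published services on the inside server (inside local 192.168.1.10,
! assumed) reach it through per-port static NAT on the outside address.
ip nat inside source static tcp 192.168.1.10 80 interface ATM0.1 80
ip nat inside source static tcp 192.168.1.10 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.10 3389 interface ATM0.1 3389
!
! An inbound ACL on the outside interface is evaluated before NAT, so it
! must name the public (inside global) address, never 192.168.1.10.
! Nothing here relies on inspecting traffic that starts from outside.
ip access-list extended OUTSIDE-IN
 remark Return traffic for inspected outbound sessions is added by CBAC
 remark 203.0.113.2 = ATM0.1 address; 198.51.100.5 = office static IP (assumed)
 permit tcp any host 203.0.113.2 eq www
 permit tcp host 198.51.100.5 host 203.0.113.2 eq smtp
 permit tcp host 198.51.100.5 host 203.0.113.2 eq 3389
 deny   ip any any log
!
interface Ethernet0
 description trusted LAN (assumed interface name)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface ATM0.1 point-to-point
 description untrusted DSL side
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect TRUSTED-OUT out
```

In this layout the only inspection is in the trusted-to-untrusted direction (applying `ip inspect TRUSTED-OUT in` on Ethernet0 is the equivalent placement), the published ports are permitted statically, and the server's replies to outside clients leave through ATM0.1 where no ACL restricts them. The final `deny ip any any log` line, together with `ip inspect audit-trail`, is what makes the syslog readable: each inspected session produces a start and a stop line with initiator and responder addresses and ports, and anything the inbound ACL refused appears as an explicit deny, so a failing transaction can be matched against the session it belonged to rather than guessed at.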