Hi,
Has anyone actually been playing with Cisco TCP intercept lately? Does this piece of crap work at all? I am running both IOS version 12.1.5(T9) and 12.2.15(T) and TCP intercept is not working in "intercept" mode. TCP intercept does work in "watch" mode.

When it is running in "intercept" mode, I cannot get to the web page at all. It works in "watch" mode. Any ideas why?

In "intercept" mode, it has to handle the connection for the server. In "watch" mode, it just watches the connection. Here is what I am testing with:

1) Apache web server on Linux,
2) hping2 utility to generate 10,000 concurrent HTTP connections

I also use NAT to make the Apache web server available externally so that hping2 can DoS it. Here is my config:

C2610#sh run
Building configuration...
Current configuration : 4222 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2610
!
logging buffered 8192 notifications
logging rate-limit 10000
no logging console
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NONE none
aaa authentication login TACACS group tacacs+ local enable
aaa authentication login LOCAL local enable
aaa authorization auth-proxy default group tacacs+
enable secret 5 $1$Bj2H$ad4Dn5rkgKvwPZzJDKAgZ1
!
memory-size iomem 10
ip subnet-zero
no ip source-route
!
!
no ip finger
ip tcp intercept list 100
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 5
ip tcp intercept max-incomplete low 300
ip tcp intercept max-incomplete high 1000
ip tcp intercept one-minute low 100
ip tcp intercept one-minute high 500
ip domain-name micronetsolution.com
ip host tac 2065 10.10.10.10
ip name-server 172.17.1.2
ip name-server 129.174.1.8
ip dhcp excluded-address 10.100.0.71
ip dhcp excluded-address 10.100.0.72
ip dhcp excluded-address 10.100.0.254
ip dhcp ping packets 5
!
ip dhcp pool DHCP
   network 10.100.0.0 255.255.255.0
   netbios-name-server 172.17.1.2 129.174.1.8
   dns-server 172.17.1.2 129.174.1.8
   default-router 10.100.0.254
   domain-name micronetsolution.com
   lease 3
!
ip inspect audit-trail
ip inspect dns-timeout 15
ip inspect name CBAC tcp timeout 3600
ip inspect name CBAC udp timeout 3600
ip auth-proxy auth-proxy-banner
ip auth-proxy auth-proxy-audit
ip auth-proxy auth-cache-time 1
ip auth-proxy name AUTH-PROXY http
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit name ATTACK attack action alarm 
ip audit name INFO info action alarm
!
!
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Ethernet0/0
 ip address 172.18.1.1 255.255.0.0
 ip nat outside
 half-duplex
!
interface FastEthernet1/0
 ip address 10.100.0.254 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
ip kerberos source-interface any
ip nat pool natpool 172.18.1.1 172.18.1.1 netmask 255.255.0.0
ip nat inside source list 130 interface Ethernet0/0 overload
ip nat inside source static 10.100.0.71 172.18.0.71
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.1.254
ip http server
ip http authentication aaa
!
!
ip access-list extended NAMEDACL
 permit tcp any any
 permit udp any any
 permit ip any any
ip access-list extended in2out
 permit udp 10.100.0.0 0.0.0.255 any eq domain reflect traffic
 permit tcp 10.100.0.0 0.0.0.255 any eq www reflect traffic
 permit tcp 10.100.0.0 0.0.0.255 any eq telnet reflect traffic
 deny   ip any any
ip access-list extended out2in
 permit icmp any any
 evaluate traffic
 deny   ip any any
logging trap notifications
logging facility local5
logging source-interface Ethernet0/0
logging 172.17.1.2
access-list 100 permit tcp any host 10.100.0.71 eq www
access-list 100 permit tcp any host 10.100.0.71 eq 443
access-list 100 permit tcp any host 10.100.0.71 eq 22
access-list 100 permit tcp any host 10.100.0.71 eq telnet
access-list 100 permit tcp any host 10.100.0.71 eq ftp
access-list 100 permit tcp any host 10.100.0.71 eq ftp-data
access-list 110 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq telnet
access-list 110 dynamic lock-and-key permit ip 10.100.0.0 0.0.0.255 any
access-list 110 deny   ip any any
access-list 120 permit udp 10.100.0.0 0.0.0.255 any eq domain
access-list 120 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq www
access-list 120 deny   ip any any
access-list 130 permit ip 10.100.0.0 0.0.0.255 any
access-list 140 permit ip host 172.18.1.2 host 172.18.1.1
access-list 140 permit icmp any 10.100.0.0 0.0.0.255
access-list 140 permit icmp any host 172.18.0.71
access-list 140 deny   ip any any
!
tacacs-server host 172.18.1.2
tacacs-server attempts 2
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
 transport input none
line aux 0
 login authentication NONE
 transport input all
line vty 0 4
 login authentication LOCAL
!
ntp clock-period 17208324
end
C2610#
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71950&t=71950
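An added simulation (not from the post, and not Cisco's code) of the aggressive-mode thresholds in the posted config. It assumes the documented rule that the router enters aggressive mode when either the count of half-open connections exceeds max-incomplete high or the number of connection attempts in the last minute exceeds one-minute high, leaves it only when both counts fall below the low values, and while aggressive drops the oldest half-open connection on every new SYN; the watch/intercept timeouts and the drop-mode setting are not modeled. It shows how quickly a 10,000-connection hping2 flood crosses those thresholds.

```python
"""Model of Cisco IOS TCP intercept aggressive-mode thresholds (hypothetical)."""
from collections import deque

# Threshold values copied from the posted router configuration.
MAX_INCOMPLETE_LOW, MAX_INCOMPLETE_HIGH = 300, 1000
ONE_MINUTE_LOW, ONE_MINUTE_HIGH = 100, 500


class TcpIntercept:
    def __init__(self, low_inc=MAX_INCOMPLETE_LOW, high_inc=MAX_INCOMPLETE_HIGH,
                 low_min=ONE_MINUTE_LOW, high_min=ONE_MINUTE_HIGH):
        self.low_inc, self.high_inc = low_inc, high_inc
        self.low_min, self.high_min = low_min, high_min
        self.incomplete = deque()   # SYN timestamps of half-open connections, oldest first
        self.attempts = deque()     # SYN timestamps seen in the last 60 seconds
        self.aggressive = False
        self.dropped = 0

    def _expire(self, now):
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()

    def _update_mode(self):
        inc, per_min = len(self.incomplete), len(self.attempts)
        if inc > self.high_inc or per_min > self.high_min:
            self.aggressive = True          # either high threshold exceeded
        elif inc < self.low_inc and per_min < self.low_min:
            self.aggressive = False         # both counts back below low

    def syn(self, now):
        """Register a SYN at time `now` (seconds); returns the mode after it."""
        self._expire(now)
        self.attempts.append(now)
        if self.aggressive and self.incomplete:
            self.incomplete.popleft()       # aggressive mode evicts the oldest half-open
            self.dropped += 1
        self.incomplete.append(now)
        self._update_mode()
        return self.aggressive

    def complete(self, now, n):
        """`n` oldest half-open connections finished their handshake at `now`."""
        self._expire(now)
        for _ in range(min(n, len(self.incomplete))):
            self.incomplete.popleft()
        self._update_mode()


def simulate_flood(n_syn, rate, intercept=None):
    """Send `n_syn` SYNs at `rate`/s (constructed traffic) and summarise the result."""
    ic = intercept or TcpIntercept()
    entered_at = None
    for i in range(n_syn):
        now = i / rate
        if ic.syn(now) and entered_at is None:
            entered_at = now                # first SYN that tipped the router over
    return {"entered_at": entered_at, "incomplete": len(ic.incomplete),
            "dropped": ic.dropped, "aggressive": ic.aggressive}
```

With the posted thresholds a flood of 100 SYN/s trips the one-minute high after five seconds, long before max-incomplete high, and from then on every new SYN evicts a half-open connection.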