This is what I originally thought. It's mostly about traffic not complying with standards, not about traffic that violates the security policy. I just can't find a quick way to generate those packets while working on a lab. Strange that in ZFW it reports traffic that is dropped by the class-default.
From: Mike Rojas <[email protected]>
Date: Tuesday, July 31, 2012 11:06 PM
To: Eugene Pefti <[email protected]>, [email protected]
Cc: [email protected]
Subject: RE: [OSL | CCIE_Security] "ip inspect log drop-pkt" doesn't have any effect in CBAC

Hey,

Most likely it is not going to be like Zone Based, where you have an interface not configured for zoning and such; it would be more like for invalid flags, retransmissions, IP ident 0 (which in lots of cases are caused by late packets or OoO).

Mike.

________________________________
From: [email protected]
To: [email protected]
Date: Wed, 1 Aug 2012 05:32:24 +0000
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] "ip inspect log drop-pkt" doesn't have any effect in CBAC

Hi Kings,

In this case, should these packets be different from packets dropped by an ACL? Can you please give me an example of a packet that is dropped by CBAC and reported by "FW-6-DROP_PKT"? I remember there's a table somewhere in the Cisco docs with the specific conditions qualifying a packet to be dropped. I just want to simulate it and confirm that I can see events generated by the FW for dropped packets.

Eugene

From: Kingsley Charles <[email protected]>
Date: Tuesday, July 31, 2012 10:24 PM
To: Eugene Pefti <[email protected]>
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] "ip inspect log drop-pkt" doesn't have any effect in CBAC

It reports the packets dropped by CBAC.

With regards,
Kings
CCNA, CCSP, CCNP, CCIP, CCIE #35914 (Security)

On Tue, Jul 31, 2012 at 5:13 PM, Eugene Pefti <[email protected]> wrote:

Folks,

Has anyone had any use for the above-said command while running a CBAC firewall? I expected it to show me dropped packets that are not allowed inbound, but the router was silent until I added the "log" option to the incoming ACL. On the other hand, it works well in ZFW:

Jul 31 10:31:48.122: %FW-6-DROP_PKT: Dropping Unknown-l7 session 200.13.111.12:52818 200.13.25.2:23 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 0

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
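The %FW-6-DROP_PKT line Eugene quotes is the one kind of drop evidence the thread shows, so a useful defender-side step is to parse those syslog lines into fields and count them by zone-pair, class and reason. The block below is an added example written for this page in Python; it is not code from the thread, from IPexpert, or from Cisco. The regex field names and the DropEvent type are my own; only the first sample line is the one from the thread, the other lines are constructed (the "Invalid Flags" reason is a placeholder standing in for the anomaly cases Mike lists, not Cisco's actual wording).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern for the ZFW %FW-6-DROP_PKT message shape seen in the thread.
# Group names are assumptions made for this example.
DROP_PKT_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%FW-6-DROP_PKT: Dropping (?P<l7>\S+) session "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?)(?: with ip ident (?P<ip_ident>\d+))?$"
)


@dataclass
class DropEvent:
    timestamp: str
    l7: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    zone_pair: str
    cls: str
    reason: str
    ip_ident: Optional[int]

    @property
    def policy_drop(self) -> bool:
        """True when the drop came from an explicit DROP action in the
        policy-map (e.g. class-default), as opposed to any other reason text."""
        return "DROP action found in policy-map" in self.reason


def parse_drop_pkt(line: str) -> Optional[DropEvent]:
    """Parse one syslog line; return None for lines that are not FW-6-DROP_PKT."""
    m = DROP_PKT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return DropEvent(
        timestamp=d["ts"],
        l7=d["l7"],
        src_ip=d["src_ip"],
        src_port=int(d["src_port"]),
        dst_ip=d["dst_ip"],
        dst_port=int(d["dst_port"]),
        zone_pair=d["zone_pair"],
        cls=d["cls"],
        reason=d["reason"],
        ip_ident=int(d["ip_ident"]) if d["ip_ident"] is not None else None,
    )


def summarize(lines: Iterable[str]) -> dict:
    """Count drops by (zone-pair, class) and by destination, and split
    policy drops from everything else. Non-matching lines are skipped."""
    events: List[DropEvent] = [e for e in map(parse_drop_pkt, lines) if e]
    return {
        "parsed": len(events),
        "by_class": Counter((e.zone_pair, e.cls) for e in events),
        "by_dst": Counter((e.dst_ip, e.dst_port) for e in events),
        "policy_drops": sum(1 for e in events if e.policy_drop),
        "ident_zero": sum(1 for e in events if e.ip_ident == 0),
    }


# Constructed sample log: line 1 is the line from the thread, the rest are
# made up in the same format for this example.
SAMPLE_LOG = [
    "Jul 31 10:31:48.122: %FW-6-DROP_PKT: Dropping Unknown-l7 session "
    "200.13.111.12:52818 200.13.25.2:23 on zone-pair INSIDE-OUTSIDE class "
    "class-default due to DROP action found in policy-map with ip ident 0",
    "Jul 31 10:32:05.410: %FW-6-DROP_PKT: Dropping Unknown-l7 session "
    "200.13.111.12:52819 200.13.25.2:23 on zone-pair INSIDE-OUTSIDE class "
    "class-default due to DROP action found in policy-map with ip ident 0",
    # placeholder reason text, not Cisco's wording
    "Jul 31 10:33:11.007: %FW-6-DROP_PKT: Dropping tcp session "
    "200.13.111.40:40001 200.13.25.9:80 on zone-pair INSIDE-OUTSIDE class "
    "cm-web due to Invalid Flags",
    "Jul 31 10:33:12.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Feeding the router's syslog export through `summarize` separates the expected class-default policy drops from the anomaly-style drops Mike describes, which is the distinction Eugene is trying to observe in the lab.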
