We have a Cisco 1921 running IOS 15.4(3)M4 that lands a tunnel to a cell carrier that we have a private APN on. We were having an issue where a specific device was attempting to communicate to a server on the internet and RST packets were reaching our firewall but no SYNs. Packet captures on the 1921 shows that RST from this device were egressing to our internal network (gig0/1), but SYNs from this device were egressing via the 1921's connection to the ISP (gig0/0). Adding a new entry at line 1 of the ACL in the route map fixed the problem, but as far as I can tell, this traffic should already have been caught by the ACL (and indeed RSTs were... but not SYNs). Does anyone have any ideas what might have been wrong? I've been staring at this for hours and can't see the problem.
Interesting traffic is 10.70.81.114 -> Internet on tcp/80, tcp/22221, and tcp/22222
Here's some of the config:
show ip route 0.0.0.0/0 via <ISP on gig0/0> 10.0.0.0/8 is variably subnetted, 121 subnets, 6 masks 10.0.0.0/8 via 10.192.1.2 <various /26-30s in 10.70.73.0-10.70.82.255> show route-map route-map CELL-MOBILE-INET, permit, sequence 10 Match clauses: ip address (access-lists)L CARRIER-MOBILE Set clauses: ip next-hop 10.192.1.2 Policy matches: lots show access-lists CARRIER-MOBILE Extended IP access list CARRIER-MOBILE 1 permit ip host 10.70.81.114 any 10 deny ip 10.70.81.128 0.0.0.15 10.0.0.0 0.255.255.255 20 deny ip 10.70.81.128 0.0.0.15 172.16.0.0 0.15.255.255 30 deny ip 10.70.81.128 0.0.0.15 192.168.0.0 0.0.255.255 40 permit ip 10.70.81.128 0.0.0.15 any 50 permit ip 10.102.100.0 0.0.0.255 any 60 permit ip host 10.70.81.147 any 70 permit ip 10.200.0.0 0.0.255.255 any 80 permit ip 10.70.74.128 0.0.0.15 any 90 permit object-group VENDOR-SERVICES object-group VENDOR-DEVICE-NETS object-group VENDOR-SERVERS 100 permit ip 10.70.81.112 0.0.0.15 any object-group VENDOR-DEVICE-NETS 192.168.20.0 255.255.255.0 10.70.73.48 255.255.255.240 192.168.110.0 255.255.255.0 10.70.79.160 255.255.255.224 10.70.77.224 255.255.255.240
No comments:
Post a Comment