
udp traffic from wan to lan

Status
Not open for further replies.

lohelle (Technical User, NO), Mar 25, 2006
We have recently swapped our firewall (linux + shorewall) for a Cisco router..
Everything is working fine I think (will certainly know on Tuesday when everyone comes to work again), but one thing puzzles me.. My acl for lan out traffic (from dmz and internet TO the lan computers) has a deny any any log-input entry on the last line.. I'm logging to an internal syslog server.

In the logs I see udp traffic being blocked with source on the internet and destination on our lan subnet(s). I did not know that udp traffic could go from wan to local without port forwarding. As far as I know only tcp has established connections..
Should all udp traffic from wan to local just stay blocked (maybe with a separate non-logging acl line so our syslog server is not flooded with acl messages)?
It would be nice to have everything fit to fight when everyone comes to work on Tuesday.

Can someone please explain why I'm seeing this wan -> local traffic?
 
Nothing is going to change: if udp comes in on the wan and it has a route in the table for the lan, all it does is forward the traffic out the lan interface. If you are logging the deny statement then it will forward that to your syslog. I think this is unnecessary as this will just create unneeded traffic on the links that go back to the server. If you don't want to log the denied stuff, just remove the last deny line, because by default there is an implicit deny any at the end of an ACL. Not sure of your reasoning for wanting to block all UDP stuff, but that's up to you..
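As an added illustration of the "separate non-logging acl line" idea from the question (this is example configuration, not anything posted in the thread): a first-match extended ACL that drops the unsolicited UDP quietly and keeps logging everything else. The ACL name LAN-OUT, the LAN subnet 10.0.0.0/24 and the interface FastEthernet0/1 are placeholders.

```cisco
! Added example, not configuration from the thread. ACL name, subnet and
! interface name are assumed placeholders; replace them with the real ones.
ip access-list extended LAN-OUT
 ! ... the existing permit lines that make the LAN work stay above ...
 !
 ! UDP from the WAN toward the LAN that nothing above permitted is dropped
 ! quietly. ACL entries are matched first-match, so this line catches the
 ! UDP noise before the logging line below and keeps it out of syslog.
 deny udp any 10.0.0.0 0.0.0.255
 !
 ! Everything else that reaches this point is still logged; log-input also
 ! records the input interface and source MAC, so unexpected TCP or other
 ! protocols remain visible on the syslog server.
 deny ip any any log-input
 ! An unwritten "deny ip any any" follows every ACL anyway, so the logging
 ! line only changes what is recorded, not what is blocked.
!
interface FastEthernet0/1
 description LAN
 ip access-group LAN-OUT out
```

Check the hit counters with `show ip access-lists LAN-OUT` after a while: the quiet UDP line should be climbing while the syslog volume from the logged line drops.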
 
I forgot to mention that I only have one public ip address and I'm running NAT/PAT so all computers go through that IP. And when there are no "established connections" etc with udp, how can a udp packet (let's say udp 123) go from the wan to internal ip 10.0.0.2 (udp 123) with no port forwarding?
Tcp has established connections, and that will enable external "computers" to answer using a high port that the router knows.. but how is this done with udp?
 