[nsp] Problems with IP AUDIT (ips) and PAT
Greg Romaniak
greg at igillc.com
Tue Jul 20 15:07:32 EDT 2004
I've been pulling my hair out trying to figure out what's going on with this
problem and have come up dry. I'm hoping someone here can shed some light.
I'm trying to run IP AUDIT (or IP IPS in 12.3) on a 2621 that's also doing
PAT from one interface to another. Things worked fine with IOS 12.2(24)a,
but I'd rather run 12.3 for some of the new features. I'm having the same
problem with 12.3(9) and 12.3(8)T1. The problem is that ssh and https
connections won't work when IP IPS is enabled on the interface, but work
when it's turned off. Plaintext protocols (http and smtp for sure) work
fine either way. Has anyone else seen this problem and is there a solution?
I haven't been able to find anything on cisco.com.
I've included my whole config here so I don't leave out anything that may be
pertinent. The config as it is shown below works, but adding
int fa0/0
ip ips IDSSENSOR in
causes the SSH and HTTPS connections from the outside to stop working.
Thanks,
Greg
---
Current configuration : 3925 bytes
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname border
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
clock timezone CST -6
clock summer-time CDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.128
!
ip dhcp pool test
network 192.168.100.0 255.255.255.0
domain-name test.com
default-router 192.168.100.1
dns-server 192.168.100.3
!
!
ip cef
no ip bootp server
ip domain name test.com
ip name-server 192.168.100.3
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall tcp timeout 43200
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall cuseeme
ip inspect name firewall realaudio
ip inspect name firewall icmp
ip inspect name firewall sip
ip ips po max-events 100
ip ips protected 192.168.100.0 to 192.168.100.254
ip ips signature 1107 0 disable
ip ips signature 2001 0 disable
ip ips signature 2004 0 disable
ip ips name IDSSENSOR
no ftp-server write-enable
!
!
no crypto isakmp enable
!
!
interface FastEthernet0/0
description Fast Ethernet to Internet
ip address w.x.y.z 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
no cdp enable
!
interface FastEthernet0/1
description Fast Ethernet to LAN
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip inspect firewall in
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.112.193.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.3 995 interface FastEthernet0/0 995
ip nat inside source static tcp 192.168.100.3 993 interface FastEthernet0/0 993
ip nat inside source static tcp 192.168.100.3 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.100.3 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.100.3 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.100.3 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.100.3 22 interface FastEthernet0/0 22
ip nat inside source static udp 192.168.100.3 53 interface FastEthernet0/0 53
!
!
logging facility local0
logging 192.168.100.3
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host w.x.y.z eq 22
access-list 101 permit tcp any host w.x.y.z eq smtp
access-list 101 permit tcp any host w.x.y.z eq domain
access-list 101 permit udp any host w.x.y.z eq domain
access-list 101 permit tcp any host w.x.y.z eq www
access-list 101 permit tcp any host w.x.y.z eq 443
access-list 101 permit tcp any host w.x.y.z eq 993
access-list 101 permit tcp any host w.x.y.z eq 995
access-list 101 deny ip any any
snmp-server community public RO 1
snmp-server enable traps tty
no cdp run
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
line con 0
session-timeout 60
transport preferred none
transport output none
line aux 0
no exec
transport output none
line vty 0 4
session-timeout 60
access-class 1 in
transport input telnet ssh
transport output telnet ssh
!
ntp server 192.168.100.3
!
end
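An added troubleshooting helper for the situation in the post above; it is example code written for this page, not part of the original message and not Cisco IOS. It does two things a practitioner would want before blaming the IPS feature: it parses the static PAT entries and the inbound ACL 101 permits out of the posted config and reports any port that is forwarded but not permitted (or permitted but not forwarded), and it probes each exposed TCP port from outside to classify the failure as "SYN never answered", "handshake completed but no application data", or "application banner / TLS handshake received". That split matters here, because a feature that inspects payload after the three-way handshake produces the second result, while an ACL or NAT problem produces the first. The CONFIG string is a constructed excerpt of the poster's config (with the w.x.y.z placeholder kept), and banner_server is a local test fixture, not something you would run against a real router.

```python
"""Static-PAT / ACL consistency check plus a staged TCP probe.

Example code added for this page; not from the original post or from Cisco.
CONFIG is a constructed excerpt of the posted router config.
"""
import re
import socket
import ssl
import threading
import time

# Constructed excerpt of the config posted above (w.x.y.z is the poster's placeholder).
CONFIG = """
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.3 995 interface FastEthernet0/0 995
ip nat inside source static tcp 192.168.100.3 993 interface FastEthernet0/0 993
ip nat inside source static tcp 192.168.100.3 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.100.3 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.100.3 53 interface FastEthernet0/0 53
ip nat inside source static tcp 192.168.100.3 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.100.3 22 interface FastEthernet0/0 22
ip nat inside source static udp 192.168.100.3 53 interface FastEthernet0/0 53
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit tcp any host w.x.y.z eq 22
access-list 101 permit tcp any host w.x.y.z eq smtp
access-list 101 permit tcp any host w.x.y.z eq domain
access-list 101 permit udp any host w.x.y.z eq domain
access-list 101 permit tcp any host w.x.y.z eq www
access-list 101 permit tcp any host w.x.y.z eq 443
access-list 101 permit tcp any host w.x.y.z eq 993
access-list 101 permit tcp any host w.x.y.z eq 995
access-list 101 deny ip any any
"""

# IOS prints some well-known ports by name in ACLs; map the ones in this config.
NAMED_PORTS = {"smtp": 25, "domain": 53, "www": 80, "ftp": 21, "telnet": 23}
# Ports on which the client must start a TLS handshake before the server says anything.
TLS_PORTS = {443, 993, 995}

PAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\S+) interface (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host \S+ eq (\S+)$")


def port_number(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]


def parse_static_pat(cfg):
    """Return {(proto, outside_port): (inside_host, inside_port)} for static PAT lines."""
    out = {}
    for line in cfg.splitlines():
        m = PAT_RE.match(line.strip())
        if m:
            proto, inside, inport, _iface, outport = m.groups()
            out[(proto, port_number(outport))] = (inside, port_number(inport))
    return out


def acl_permits(cfg, acl="101"):
    """Return {(proto, port)} permitted inbound to the outside address by the given ACL."""
    out = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl:
            out.add((m.group(2), port_number(m.group(3))))
    return out


def pat_acl_mismatches(cfg, acl="101"):
    """Ports forwarded but not permitted, and permitted but not forwarded."""
    pat, permits = set(parse_static_pat(cfg)), acl_permits(cfg, acl)
    return {"nat_without_acl": sorted(pat - permits), "acl_without_nat": sorted(permits - pat)}


def probe(host, port, timeout=3.0):
    """Classify one exposed TCP port: 'no-handshake', 'handshake-only', 'tls:<ver>' or 'banner:<line>'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "no-handshake"  # SYN dropped or RST: ACL/NAT/routing level
    with s:
        s.settimeout(timeout)
        try:
            if port in TLS_PORTS:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE  # we only care whether the handshake completes
                with ctx.wrap_socket(s, server_hostname=host) as tls_sock:
                    return "tls:" + tls_sock.version()
            data = s.recv(256)  # SSH/SMTP servers speak first
        except (OSError, ssl.SSLError):
            return "handshake-only"  # connected, but nothing came back after the handshake
    if not data:
        return "handshake-only"
    return "banner:" + data.split(b"\n")[0].decode("ascii", "replace").strip()


def probe_exposed(host, cfg, timeout=3.0):
    """Probe every TCP port the config forwards; returns {port: classification}."""
    return {p: probe(host, p, timeout) for (proto, p) in sorted(parse_static_pat(cfg)) if proto == "tcp"}


def banner_server(banner, hold=0.5):
    """Constructed local fixture: accept one connection, send `banner` (may be empty), close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        time.sleep(hold)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(pat_acl_mismatches(CONFIG))
    print(probe("127.0.0.1", banner_server(b"SSH-2.0-test\r\n"), timeout=2))
```

Run it from a host on the outside of fa0/0 with `probe_exposed("w.x.y.z", CONFIG)` once with `ip ips IDSSENSOR in` applied and once without; a port that moves from `banner:`/`tls:` to `handshake-only` is being cut after the handshake, which is where a payload-inspecting feature acts, whereas `no-handshake` points at the ACL, NAT or routing path instead.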