[c-nsp] Problem with IP Inspect
Joseph Mays
mays at win.net
Fri Jul 22 16:23:31 EDT 2011
Okay, we had a router that had the internal LAN on fastethernet0/0, and the
external WAN on Serial1. The internal LAN had the following entries...
interface FastEthernet0/0
ip access-group OfficeACL out
ip inspect WinnetOffice in
Which were associated with....
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect one-minute high 1000
ip inspect one-minute low 800
ip inspect dns-timeout 60
ip inspect tcp idle-time 10800
ip inspect name WinnetOffice icmp
ip inspect name WinnetOffice fragment maximum 500 timeout 15
ip inspect name WinnetOffice netshow
ip inspect name WinnetOffice realaudio
ip inspect name WinnetOffice tcp
ip inspect name WinnetOffice udp
ip inspect name WinnetOffice tftp
ip inspect name WinnetOffice ftp audit-trail off
...and a long OfficeACL list that I won't go into at the moment.
We moved to a router that has the WAN connection on a pair of bonded ethernet
ports connected to a bridged ADSL modem, and the LAN port on Fastethernet0/0.
I tried adding the ip inspect line and the acl line to Fastethernet0, but I
found with nothing else changing, including the LAN IPs not changing,
connections to the outside world broke. In trying various things, I found
adding the "ip inspect WinnetOffice in" line broke communications to the
outside world *by itself*, even if the ACL list was not being activated by
the ip access-group line. This shouldn't happen, should it? There is no way
turning on ip inspection should break communications anywhere in the absence
of an ACL list, is there?
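To narrow down where the WinnetOffice rule is actually acting, here is an added set of IOS CBAC verification commands (not part of the original post) that confirm the rule is bound to the inside interface and show whether sessions are created when an inside host opens a connection; the interface name and the use of a web request as the test traffic are assumptions.

```cisco
! Confirm the WinnetOffice inspection rule exists with the protocols listed
show ip inspect config
! Confirm the rule is bound to FastEthernet0/0 in the inbound direction
show ip inspect interfaces
! Open a connection from an inside host (a web request is assumed here),
! then check whether CBAC created a session entry for it: no entry means
! the rule never saw the outbound packets, an entry that never leaves the
! SYN state means the reply is not reaching the inspection engine
show ip inspect sessions detail
! Watch session creation and teardown live while repeating the test
debug ip inspect tcp
! Stop the debug once the test is done
undebug all
! Count packets the inspection engine itself has dropped
show ip inspect statistics
```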