[c-nsp] Problem with IP Inspect

David Prall dcp at dcptech.com
Fri Jul 22 18:44:26 EDT 2011


What versions of code? There is a place, much older code 12.3(4)T, where ip
inspect would add entries to the top of the defined interface acl; you would
use "show access-list" to see the entries. Then there is more recent code
where the entries are dynamically created; you use "show ip inspect
sessions" to see the entries. IP inspect is sort of dependent on the ACL to
define the policy, so what happens if you add an acl with a single permit ip
any any? What does "show ip inspect sessions" give you?

David

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Joseph Mays
> Sent: Friday, July 22, 2011 4:24 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Problem with IP Inspect
> 
> Okay, we had a router that had the internal LAN on fastethernet0/0, and
> the external WAN on Serial1. The internal lan had the following entries...
> 
> interface FastEthernet0/0
>  ip access-group OfficeACL out
>  ip inspect WinnetOffice in
> 
> Which were associated with....
> 
> ip inspect max-incomplete high 1000
> ip inspect max-incomplete low 800
> ip inspect one-minute high 1000
> ip inspect one-minute low 800
> ip inspect dns-timeout 60
> ip inspect tcp idle-time 10800
> ip inspect name WinnetOffice icmp
> ip inspect name WinnetOffice fragment maximum 500 timeout 15
> ip inspect name WinnetOffice netshow
> ip inspect name WinnetOffice realaudio
> ip inspect name WinnetOffice tcp
> ip inspect name WinnetOffice udp
> ip inspect name WinnetOffice tftp
> ip inspect name WinnetOffice ftp audit-trail off
> 
> ...and a long OfficeACL list that I won't go into at the moment.
> 
> We moved to a router that has the WAN connection on a pair bonded
> ethernet ports connected to a bridged ADSL modem, and the LAN port on
> Fastethernet0/0
> 
> I tried adding the ip inspect line and the acl line to Fastethernet0,
> but I found with nothing else changing, including the LAN IPs not
> changing, connections to the outside world broke. In trying various
> things, I found adding the "ip inspect WinnetOffice in" line broke
> communications to the outside world *by itself*, even if the ACL list
> was not being activated by the ip access-group line. This shouldn't
> happen, should it? There is no way turning on ip inspection should break
> communications anywhere in the absence of an ACL list, is there?
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
