[c-nsp] Problem with IP Inspect
Joseph Mays
mays at win.net
Fri Jul 22 19:29:20 EDT 2011
Tried your suggestion, thanks. Created the following ACL...
ip access-list extended FaInboundACL
permit ip any any
Added it to the inbound traffic on the LAN interface....
interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip access-group FaInboundACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip route-cache same-interface
speed 100
full-duplex
no cdp enable
Not surprisingly, no effect; web browsing and everything else work normally. I
then added the "ip inspect" ...
interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip access-group FaInboundACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip inspect WinnetOffice in
ip route-cache same-interface
speed 100
full-duplex
no cdp enable
And web browsing from the LAN stops working again.
----- Original Message -----
From: "Kevin Graham" <kgraham at industrial-marshmallow.com>
To: "Joseph Mays" <mays at win.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Friday, July 22, 2011 6:32 PM
Subject: Re: [c-nsp] Problem with IP Inspect
On Jul 22, 2011, at 1:23 PM, "Joseph Mays" <mays at win.net> wrote:
> There is no way turning on ip inspection should break communications
> anywhere in the absence of an ACL list, is there?
IIRC, ip inspect is creating a pseudo-acl, so you're being bitten by the
default deny. You should apply a "permit ip any any" ACL inbound on that
interface. (Adding more specific permits and making sure ACE counters aren't
excessively increasing is also a really good way of making sure inspection
is handling the traffic you intended it to during initial deployment
without breaking anything).
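As an added illustration (not configuration posted by either Joseph or Kevin), here is the shape of a CBAC deployment that matches Kevin's advice: an explicit permit-all ACL together with the inspect rule on the LAN side, and the restrictive ACL on the upstream side where the inspection engine opens temporary entries for return traffic. The thread never shows how the WinnetOffice rule was defined, and it never names the upstream interface, so the inspect rule contents, the interface FastEthernet0/1 and the ACL name OutsideInACL are assumptions.

```cisco
! Added example, not from the thread. Assumes FastEthernet0/1 is the
! upstream (outside) interface and that the WinnetOffice inspection rule
! covers TCP and UDP; the page never shows how WinnetOffice was defined.
ip inspect name WinnetOffice tcp
ip inspect name WinnetOffice udp
!
! Inside (LAN) interface: the explicit permit-all ACL Kevin suggests, so
! nothing falls through to an implicit deny, plus the inspect rule applied
! inbound (LAN -> router -> Internet direction). Specific permits can be
! added ahead of the permit-all line to watch per-ACE counters.
ip access-list extended FaInboundACL
 permit ip any any
!
interface FastEthernet0/0
 description Win.net Chestnut St Office LAN
 ip address 216.24.33.1 255.255.255.0
 ip access-group FaInboundACL in
 ip inspect WinnetOffice in
!
! Outside interface: restrictive inbound ACL. CBAC inserts temporary
! entries for the return half of sessions it inspected on Fa0/0, so replies
! to LAN-originated web sessions pass while unsolicited inbound traffic
! hits the logged deny. ICMP error messages are not covered by the tcp/udp
! inspection above, so they are permitted explicitly.
ip access-list extended OutsideInACL
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface FastEthernet0/1
 description Upstream link (assumed interface name)
 ip access-group OutsideInACL in
```

To check that inspection is actually handling the traffic, "show ip inspect sessions" should list the LAN-originated web sessions while browsing, and "show ip access-lists OutsideInACL" should show the deny line's counter staying flat for that traffic; a climbing deny counter, or counters on the specific permits growing where inspection was expected to cover the flow, is the signal Kevin describes for spotting traffic the rule is not inspecting.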