[c-nsp] IOS firewall inspection blocking TACACS
Andrew Harris
andharri at googlemail.com
Wed Nov 16 13:11:10 EST 2011
Hi,
I have a fairly simple branch network with a 2911 as the edge router
and some 3750s behind it.
The 2911 terminates an IPSec tunnel over to our DC and all the 3750s
use TACACS with AAA servers in the DC, so the TACACS traffic goes over
the IPSec tunnel.
I have recently decided to use IOS firewall rather than slightly
un-eloquent reflexive ACLs on the router.
Everything works fine when I apply the inspection rules; users can
browse the Internet, I can ping to the DC through IPSec and I can
access Intranet servers through IPSec etc.
One thing that does not work, however, is TACACS: I can no longer
authenticate. The connections now time out.
Does anyone know why this might be? Based on research the inspection
is carried out before encryption, but I cannot see why the TACACS
packets in particular would be blocked.
I have tried inspecting tacacs also but no joy. Also tried adding
inbound inspection on the inside interface of the router as well.
Here is the relevant configuration:
ip inspect name SES tcp router-traffic
ip inspect name SES udp router-traffic
ip inspect name SES icmp router-traffic
ip inspect name SES h323
!
ip access-list extended ACL-PO17-IN
 permit esp any any
 permit udp any any eq isakmp
 deny ip any any
!
interface Port-channel1.7
 description Outside VLAN
 bandwidth 100000
 encapsulation dot1Q 7
 ip address 213.x.x.x 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SES out
 ip access-group ACL-PO17-IN in
 ip nat outside
 no ip virtual-reassembly
 standby 101 ip 213.x.x.x
 standby 101 priority 110
 standby 101 preempt
 standby 101 name ISP
 standby 101 track 2 decrement 30
 crypto map IPSEC_VPN
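Editor's note, added after the post and not part of Andrew's message: before guessing at the cause, the checks below isolate where a TACACS+ connection (TCP/49) is lost between the CBAC inspection point, the IPsec tunnel and the inbound ACL on the outside interface. It assumes only what the post shows (inspection rule SES applied `out`, ACL-PO17-IN applied `in`, crypto map IPSEC_VPN on Port-channel1.7) and uses standard IOS show/debug commands; run it on the 2911 while one 3750 attempts a login.

```text
! Added troubleshooting sequence for the configuration above; not from the post.
! Assumes TACACS+ on TCP/49 from the 3750s to AAA servers reached through the tunnel.

! 1. Is the tunnel carrying the TACACS traffic at all?
!    For the DC peer, #pkts encaps should increase when the 3750 sends the
!    TCP/49 SYN, and #pkts decaps should increase if the AAA server replies.
show crypto isakmp sa
show crypto ipsec sa

! 2. Did CBAC open a session for the TCP/49 connection?
!    No entry: the SYN never reached the inspection point or was dropped first.
!    An entry that stays under "Half-open Sessions": the reply is being discarded
!    somewhere after decryption rather than on the way out.
show ip inspect sessions detail
show ip inspect statistics

! 3. Is the reply hitting the static "deny ip any any"?
!    A match counter that increments in step with each login attempt means the
!    decrypted packet (or the clear-text request, depending on the IOS release's
!    order of operations) is being evaluated against the inbound ACL instead of
!    the dynamic entry CBAC created for the session.
show ip access-lists ACL-PO17-IN

! 4. Watch session creation and teardown live during a single login attempt,
!    then turn debugging off again (these debugs are chatty on a busy router).
debug ip inspect tcp
debug ip inspect object-creation
debug ip inspect object-deletion
undebug all
```

Compare the counters from steps 1 and 3 against a working flow (the intranet HTTP sessions the post says succeed): the first step at which the TACACS flow diverges from the working flow is where the drop happens.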