CBAC / IP Inspect Confusion

 
 
rafael_romano299@hotmail.com
Guest
 
      12-06-2005
We have recently installed a new Cisco 837 router running IOS version
12.3(2)XC2 and an issue relating to CBAC / 'ip inspect' command has
come to light.

When the 'ip inspect' command is applied outbound only on the Dialer0
interface, we are able to access/browse the Internet from the internal
network successfully but cannot receive incoming mail. Outgoing e-mail
is fine.

However, when the 'ip inspect' command (outbound) is removed from the
Dialer0 interface altogether, we are able to receive incoming mail but
cannot get to the Internet at all.

We've worked around this by applying the 'ip inspect' commands to the
Dialer0 interface both in AND outbound so as not to disrupt service but
think that surely this must only be a temporary measure due to the
increased security risk.

This router is configured in practically exactly the same way as
another 837 also running IOS version 12.3(2)XC2. With the 'ip inspect'
command applied outbound only on the Dialer0 interface of this second
router, we see none of the same issues and everything works fine.

I think that this may be a symptom of a misconfiguration rather than a
problem in itself but I don't know what. Could it be NAT or route maps?

I will post config if anyone wants to have a look.

Thank you in advance for your help & suggestions.

 
anybody43@hotmail.com
Guest
 
      12-06-2005
You put an access-list on the Dialer0 that
permits incoming mail and keep the Inspect.

access-list 100 permit tcp any host my.mail.server eq 25

interface Dialer0
 ip access-group 100 in

substitute the EXTERNAL address of the mail server
for "my.mail.server".
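To make the reply above concrete, here is an added, constructed IOS configuration fragment showing the arrangement it describes: CBAC inspection applied outbound on Dialer0, with an inbound access list on the same interface that statically admits SMTP to the published mail server. It is not the original poster's configuration and not the reply author's code; the inspection rule name OUTBOUND, the inside LAN interface Ethernet0, the inside mail server address 192.168.1.25, the outside address 203.0.113.10, and the logging deny entry are all assumptions for illustration.

```cisco
! Added example, not the thread's original configuration.
! Assumed: public address 203.0.113.10 on Dialer0, mail server
! 192.168.1.25 behind Ethernet0, inspection rule named OUTBOUND.
!
! CBAC rule: track TCP/UDP sessions that leave via Dialer0 and open
! the return path for them dynamically.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound filter on Dialer0. Only the published SMTP listener is
! admitted statically. Replies to inside-initiated sessions enter via
! the dynamic openings CBAC creates, so nothing else needs a permit.
! The ACL is evaluated before NAT on the way in, so it must match the
! outside (post-NAT) address of the mail server, not 192.168.1.25.
access-list 100 remark Inbound from Internet on Dialer0
access-list 100 permit tcp any host 203.0.113.10 eq smtp
access-list 100 deny   ip any any log
!
! Publish the inside mail server on TCP/25 of the outside address.
ip nat inside source static tcp 192.168.1.25 25 203.0.113.10 25
!
interface Ethernet0
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group 100 in
 ip inspect OUTBOUND out
```

If the outside address is negotiated rather than fixed, the static NAT line can name the interface instead of a literal address (`ip nat inside source static tcp 192.168.1.25 25 interface Dialer0 25`), but access-list 100 still needs the literal outside address. To confirm the two mechanisms are doing what is expected, `show ip inspect sessions` lists the sessions CBAC has opened for inside-initiated traffic, and `show access-lists 100` shows hit counts on the SMTP permit and on the logging deny, which is where anything unexpected arriving on Dialer0 will register.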

 
slim
Guest
 
      12-07-2005
anybody43@hotmail.com wrote:
> You put an access-list on the Dialer0 that
> permits incoming mail and keep the Inspect.
>
> access-list 100 permit tcp any host my.mail.server eq 25
>
> interface Dialer0
>  ip access-group 100 in
>
> substitute the EXTERNAL address of the mail server
> for "my.mail.server".
>

Correct me if I'm wrong, but isn't the point of "ip inspect" to get
around manually defining ACLs? In fact, I believe in 12.3T, a feature
called "firewall ACL bypass" was introduced. If I understand it
correctly, that feature is to eliminate redundant ACL processing - an
inbound pass, inspect, and outbound pass, with the idea being that if
inspect "sees" the traffic, the other two ACL processes are assumed to
be performed.

I ask this because I'm starting to work with the firewall feature set
myself, and have also noticed odd behavior. In my case, with inspect on,
RTP flows between IP phones work. Shut it down, and I get one-way audio.
All of this with no ACLs. However, I have to explicitly define ACLs
for skinny even though it's configured to be inspected. Very odd, and I
don't understand the inconsistency.

Any insights would be appreciated!
 