IP Inspect and Browsing issues

 
 
KB
10-13-2007
Hello. I'm having a few problems getting my ip inspect statements
working properly. I have an inspect list that covers TCP and UDP
outgoing, and an access list inbound that denies everything. For the
most part, it works, but it doesn't load certain pages very well.
Things like Google Maps don't load the maps, and other "dynamic" pages
have problems. Has anyone else run into this before? Here are my
statements:


ip inspect max-incomplete high 9000
ip inspect max-incomplete low 9000
ip inspect one-minute high 9000
ip inspect one-minute low 9000
ip inspect name MYFW tcp audit-trail on timeout 1800
ip inspect name MYFW udp audit-trail on timeout 10

interface Dialer1
ip address negotiated
ip inspect MYFW out
ip access-group 101 in
ip access-group ALL out
ip nat outside
ip virtual-reassembly max-fragments 45 max-reassemblies 300 timeout 60
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1

ip access-list extended ALL
permit ip any any

access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any established
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any


Any suggestions would be great!

Thanks,
Kelly

 
John
10-13-2007
On Oct 13, 9:08 pm, KB <tfske...@gmail.com> wrote:
> Hello. I'm having a few problems getting my ip inspect statements
> working properly. I have an inspect list that covers TCP and UDP
> outgoing, and an access list inbound that denies everything. For the
> most part, it works, but it doesn't load certain pages very well.
> Things like google maps don't load the maps, and other "dynamic" pages
> have problems. Has anyone else run into this before? Here are my
> statements:
>
> Any suggestions would be great!
>
> Thanks,
> Kelly


First of all, are you sure that the inspection engine is the cause of
the problem? If you remove the ACLs and the inspect commands, does
everything work properly?

Since you use CBAC, you don't need "permit tcp any any established" in
ACL 101. That's what CBAC is for.

If you have confirmed that CBAC causes the problem, I would suggest
adding these as the last lines in list 101:
access-list 101 deny tcp any gt 0 any gt 0 log
access-list 101 deny udp any gt 0 any gt 0 log
access-list 101 deny ip any any log
and try to correlate the logs of the router with the pages that fail
to load.

You should also add the line:
ip inspect log drop-pkt
It will show you any drops that the CBAC engine makes.

John
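
One way to do the log correlation suggested in the reply above, as an added example that is not part of the original thread: a Python script that totals the packets ACL 101 denied per remote server and port, read from `%SEC-6-IPACCESSLOGP` syslog lines. The sample log lines are constructed (documentation addresses), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines, not captured from a real router.
SAMPLE_LOG = """\
Oct 13 21:30:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(80) -> 198.51.100.7(51522), 1 packet
Oct 13 21:30:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(80) -> 198.51.100.7(51523), 3 packets
Oct 13 21:30:09: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.53(53) -> 198.51.100.7(40211), 1 packet
Oct 13 21:30:12: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.99(443) -> 198.51.100.7(51530), 2 packets
Oct 13 21:30:15: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
"""

# TCP/UDP ACL log entry: list <acl> denied <proto> src(port) -> dst(port), N packet(s)
ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def denied_by_remote(log_text, acl="101"):
    """Total denied packets per (proto, remote IP, remote port) for one ACL."""
    totals = Counter()
    for line in log_text.splitlines():
        m = ACL_DENY.search(line)
        if m and m["acl"] == acl:
            # On the inbound ACL the source is the remote server, so grouping
            # by source shows whose return traffic is being dropped.
            totals[(m["proto"], m["src"], int(m["sport"]))] += int(m["count"])
    return totals


def report(totals):
    """Format the totals, most-dropped remote endpoint first."""
    return [f"{n:>4} pkts  {proto} {ip}:{port}"
            for (proto, ip, port), n in totals.most_common()]


if __name__ == "__main__":
    print("\n".join(report(denied_by_remote(SAMPLE_LOG))))
```

Resolving the top remote addresses back to hostnames and comparing them with the hosts a failing page loads from shows which return traffic the inbound ACL is rejecting.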

 