PROBLEM:
When I apply an inbound extended access list I retain connectivity for up to 10 minutes, but then lose the ability to connect, and SMTP traffic also slows and then stops.
NAT is in use.
ip inspect is in use.
Only 3 ports are required to be open inbound: 25, 80, 110 (also have 5800 and 5900 open in this list).
A little background:
The configuration I'll post shows both networks being private. This is how the router is configured. The 192 addresses are then translated through a DSL modem to public addresses. This was only done because the provider would not support the configuration if the back end (Ethernet network of the DSL router) 192. network was changed from the default, and the customer already had the 172. network in place with static addresses.
If anyone has any ideas, I'd appreciate them.
CONFIG:
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname NAME
!
logging buffered 16384 debugging
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 cuseeme
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 h323
ip inspect name Ethernet_0 rcmd
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 streamworks
ip inspect name Ethernet_0 vdolive
ip inspect name Ethernet_0 sqlnet
ip inspect name Ethernet_0 tftp
ip inspect name Ethernet_1 tcp
ip inspect name Ethernet_1 smtp
!
!
!
interface Ethernet0
description Connection to Local Area Network ( Cisco FastHubs )
ip address 172.29.44.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip access-group 100 in
ip inspect Ethernet_0 in
no cdp enable
!
interface Ethernet1
description Connection to Wide Area Network ( DSL Router )
ip address 192.168.254.101 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat outside
ip access-group 101 in
ip inspect Ethernet_1 in
no cdp enable
!
ip nat pool Cisco1605-natpool-1 192.168.254.104 192.168.254.105 netmask 255.255.255.0
ip nat inside source list 1 pool Cisco1605-natpool-1 overload
ip nat inside source static 172.29.44.5 192.168.254.102
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.254
ip route 172.29.44.0 255.255.255.0 Ethernet0
no ip http server
!
access-list 1 permit 172.29.44.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 172.29.44.5 any eq www
access-list 100 permit ip host 172.29.44.5 any
access-list 101 deny ip host 192.168.254.102 any
access-list 101 permit tcp any host 192.168.254.102 eq www
access-list 101 permit tcp any host 192.168.254.102 eq pop3
access-list 101 permit tcp any host 192.168.254.102 eq smtp
access-list 101 permit tcp any host 192.168.254.101 eq telnet
access-list 101 permit tcp any host 192.168.254.102 eq 5800
access-list 101 permit tcp any host 192.168.254.102 eq 5900
no cdp run
snmp-server community xxxxxx RO
snmp-server location xxxxxx Corp
snmp-server contact Administrator,xxx-xxx-xxxx
banner motd ------------------------------------------------------------------------------------------------------------
This is a private site. If you have connected to this site in error,
please disconnect now.
------------------------------------------------------------------------------------------------------------
!
!
scheduler interval 4000
end
Again, any help is appreciated.