After applying an access list, connection works for a while then stops

[Hunterslb]

PROBLEM:
When I apply an inbound extended access list I retain connectivity for up to 10 minutes, but then loose the ability to connect, and smtp traffic also slows then stops.
NAT is in use.
ip inspect is in use
Only 3 ports are required to be open inbound 25, 80, 110 (also have 5800 and 5900 open in this)
A little background.
The configuration I'll post shows both networks being private. This is how the router is configured. The 192 addresses are then translated through a DSL modem to public addresses. This was only done because the provider would not support the configuration if the back end (ethernet network of the DSL router) 192. network was changed from the default, and the customer already had the 172. network in place with static addresses.

If anyone has any ideas, I'd appreciate them.

CONFIG:

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname NAME
!
logging buffered 16384 debugging
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
ip subnet-zero
no ip domain-lookup
!
no ip bootp server
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 cuseeme
ip inspect name Ethernet_0 ftp
ip inspect name Ethernet_0 h323
ip inspect name Ethernet_0 rcmd
ip inspect name Ethernet_0 realaudio
ip inspect name Ethernet_0 smtp
ip inspect name Ethernet_0 streamworks
ip inspect name Ethernet_0 vdolive
ip inspect name Ethernet_0 sqlnet
ip inspect name Ethernet_0 tftp
ip inspect name Ethernet_1 tcp
ip inspect name Ethernet_1 smtp
!
!
!
interface Ethernet0
description Connection to Local Area Network ( Cisco FastHubs )
ip address 172.29.44.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip access-group 100 in
ip inspect Ethernet_0 in
no cdp enable
!
interface Ethernet1
description Connection to Wide Area Network ( DSL Router )
ip address 192.168.254.101 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat outside
ip access-group 101 in
ip inspect Ethernet_1 in
no cdp enable
!
ip nat pool Cisco1605-natpool-1 192.168.254.104 192.168.254.105 netmask 255.255.255.0
ip nat inside source list 1 pool Cisco1605-natpool-1 overload
ip nat inside source static 172.29.44.5 192.168.254.102
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.254.254
ip route 172.29.44.0 255.255.255.0 Ethernet0
no ip http server
!
access-list 1 permit 172.29.44.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 172.29.44.5 any eq www
access-list 100 permit ip host 172.29.44.5 any
access-list 101 deny ip host 192.168.254.102 any
access-list 101 permit tcp any host 192.168.254.102 eq www
access-list 101 permit tcp any host 192.168.254.102 eq pop3
access-list 101 permit tcp any host 192.168.254.102 eq smtp
access-list 101 permit tcp any host 192.168.254.101 eq telnet
access-list 101 permit tcp any host 192.168.254.102 eq 5800
access-list 101 permit tcp any host 192.168.254.102 eq 5900
no cdp run
snmp-server community xxxxxx RO
snmp-server location xxxxxx Corp
snmp-server contact Administrator,xxx-xxx-xxxx
banner motd  ------------------------------------------------------------------------------------------------------------
This is a private site. If you have connected to this site in error,
please disconnect now.
------------------------------------------------------------------------------------------------------------

!
!
scheduler interval 4000
end

Again, any help is appreciated

 

[migueljr3]

Is this the correct DG ?
ip route 0.0.0.0 0.0.0.0 192.168.254.254

 

[Hunterslb]

That is the correct DG. As mentioned in the message, the configuration is ultimately NATted twice.

"The configuration I'll post shows both networks being private. This is how the router is configured. The 192 addresses are then translated through a DSL modem to public addresses. This was only done because the provider would not support the configuration if the back end (ethernet network of the DSL router) 192. network was changed from the default, and the customer already had the 172. network in place with static addresses."

 

[kse]

Maybe you have to remove the no proxy-arp since you're using NAT because I think you use the command no proxy-arp if NAT is not enabled
Try it !!!

 

[nakona]

I've just returned home after overdosing on chinese food so bear that in mind.

Now, this is WAY out of left field so please don't laugh but...
Are you letting the router and nodes auto-negotiate full/hlaf duplex?

 

[Hunterslb]

KSE and Nakona,
Thank both of you for your responses.
Nakona--the router is set for 100 full and the nodes are a mix.

KSE,
I will try removing proxy-arp, thanks.

 

[nakona]

Well, this may not fix your problem...
It's a good idea anyway.

I was reading an article by Eric Pearce in Packet Magazine and he was mentioning that when autonegotion doesn't work right it might leave one end full and the other half.

Apparently it can cause some odd problems.

All I'm saying is that it can't hurt and really should be done anyway.

 

[ers5]

I am having similar problems with my Cisco 2600 series router connecting to an Efficient Networks DSL router. Did you ever find a resolution to this problem (incomplete ARPs)?

 

[JKIM7]

DO you have a dns server? I dont see any rule for allowing DNS.... Remember requests originate from high ports... >1023 and you need to allow for replies to these high ports. One way is to use the "established" key word but this ony works for tcp connections and DNS is UDP, so ypu need to allow high ports at least for UDP.