Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IP Inspect ???

Status
Not open for further replies.
Dolphy

Dolphy

MIS
Joined
Feb 14, 2002
Messages
59
Location
CA
Hi,

Here is my problem:

I'm using IP Inspect TCP and UPD commands on 1710, but I'm not able to ping a Public IP Address. There is no IP Inspect ICMP ???

What can I do ???

Thanks
 
Sort by date Sort by votes
Can you give us a bit more info on what types of interfaces you have on this router? Do all other IP functions work from the router? How have you set up you ip inspect rule base?
 
Upvote 0 Downvote
Not all public IP addresses will respond to ICMP anyway, have you tried pinging more than one site?
 
Upvote 0 Downvote
Here is my config ! I tried different sites and still the same. It stopped replying when I created the IP INSPECT commands.

Thanks !!!

ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
interface Tunnel0
description Other Site
ip unnumbered FastEthernet0
tunnel source FastEthernet0
tunnel destination x.x.x.x
!
interface Ethernet0
description Private Side
ip address x.x.x.x 255.255.255.0
ip nat inside
ip inspect myfw in
half-duplex
!
interface FastEthernet0
description Public Side
ip address x.x.x.x 255.255.255.240
ip access-group 101 in
ip nat outside
speed 10
half-duplex
!
ip nat inside source list 1 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 Tunnel0
no ip http server
ip pim bidir-enable
!
access-list 1 permit x.x.x.x 0.0.0.255
access-list 101 permit tcp any host x.x.x.x eq smtp
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit gre host x.x.x.x host x.x.x.x
 
Upvote 0 Downvote
I see the problem, your ICMP replies are being dropped by ACL 101.
To prove this you could add an entry as the last line in the list, access-list 101 deny ip any any log

When you send the ping this ACL entry will log the denied packets to the console port.

The way around this is to permit ICMP to your host, for test purposes you could use permnit ip any any, but remove it once your testing is complete as its a big security exposure.

If you need to allow ICMP then have a play around with ACL 101, but makesure you tighten it down, I generally wouldnt recommend allowing it.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

B
  • Locked
  • Question Question
Cisco IP phone 7841 8851 unable to forward all to external number
Replies
0
Views
416
badwolf1686
B
jobsp90
  • Locked
  • Question Question
I have a issue in my office hospital network regarding using IPPBX software.
Replies
2
Views
548
DavetheChef
DavetheChef
Delta5
  • Locked
  • Question Question
Cisco setting for automatic ip arp cache refresh
Replies
3
Views
1K
iggsterman
iggsterman
acabezas2014
  • Locked
  • Question Question
Create ACL for ip range
Replies
2
Views
385
acabezas2014
acabezas2014
JDCre63
  • Locked
  • Question Question
SIP sets behind CISCO firewall connecting to public IP
Replies
1
Views
344
nyy1023
nyy1023

Part and Inventory Search

Sponsor

Back
Top