
IP Inspect ???

Status
Not open for further replies.

Dolphy

MIS
Feb 14, 2002
59
CA
Hi,

Here is my problem:

I'm using IP Inspect TCP and UDP commands on 1710, but I'm not able to ping a Public IP Address. There is no IP Inspect ICMP ???

What can I do ???

Thanks
 
Can you give us a bit more info on what types of interfaces you have on this router? Do all other IP functions work from the router? How have you set up your ip inspect rule base?
 
Not all public IP addresses will respond to ICMP anyway, have you tried pinging more than one site?
 
Here is my config! I tried different sites and still the same. It stopped replying when I created the IP INSPECT commands.

Thanks !!!

ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
interface Tunnel0
description Other Site
ip unnumbered FastEthernet0
tunnel source FastEthernet0
tunnel destination x.x.x.x
!
interface Ethernet0
description Private Side
ip address x.x.x.x 255.255.255.0
ip nat inside
ip inspect myfw in
half-duplex
!
interface FastEthernet0
description Public Side
ip address x.x.x.x 255.255.255.240
ip access-group 101 in
ip nat outside
speed 10
half-duplex
!
ip nat inside source list 1 interface FastEthernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 Tunnel0
no ip http server
ip pim bidir-enable
!
access-list 1 permit x.x.x.x 0.0.0.255
access-list 101 permit tcp any host x.x.x.x eq smtp
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit gre host x.x.x.x host x.x.x.x
 
I see the problem, your ICMP replies are being dropped by ACL 101.
To prove this you could add an entry as the last line in the list, access-list 101 deny ip any any log

When you send the ping this ACL entry will log the denied packets to the console port.

The way around this is to permit ICMP to your host. For test purposes you could use permit ip any any, but remove it once your testing is complete as it's a big security exposure.

If you need to allow ICMP then have a play around with ACL 101, but make sure you tighten it down. I generally wouldn't recommend allowing it.
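As an added illustration of the advice above (not part of the thread, and not the poster's config), here is what the diagnostic step and the tightened version of ACL 101 look like on IOS. Inside hosts are NATed to the FastEthernet0 address (the overload interface), and pings sourced from the router itself leave from that same address, so the echo replies come back to that one host address; the ACL only needs to admit ICMP replies and error messages to it, not ICMP in general. PUBLIC_IP and TUNNEL_PEER are placeholders for the x.x.x.x addresses in the original config; the exact lines of ACL 101 are assumed from what was posted.

```cisco
! Added example, not the original poster's configuration.
! PUBLIC_IP   = FastEthernet0 address (also the NAT overload address)
! TUNNEL_PEER = far end of Tunnel0
!
! Step 1 (diagnostic only): log what ACL 101 is dropping. Numbered ACLs
! append, so this lands at the end of the existing list.
access-list 101 deny ip any any log
! ... send the ping, then check the console / "show logging" for the
! denied ICMP echo-reply to PUBLIC_IP, and "show access-lists 101" for hit counts.
!
! Step 2: rebuild ACL 101 narrowly. A numbered ACL cannot be reordered in
! place, so remove and re-enter it; the interface keeps "ip access-group 101 in".
no access-list 101
access-list 101 permit tcp any host PUBLIC_IP eq smtp
access-list 101 permit tcp any host PUBLIC_IP eq www
access-list 101 permit gre host TUNNEL_PEER host PUBLIC_IP
! Only the reply/error side of ICMP, and only to the router's own address:
access-list 101 permit icmp any host PUBLIC_IP echo-reply
access-list 101 permit icmp any host PUBLIC_IP unreachable
access-list 101 permit icmp any host PUBLIC_IP time-exceeded
! Keep the logging deny as the explicit last line so future drops stay visible.
access-list 101 deny ip any any log
!
! What NOT to leave in place (the "permit ip any any" test entry from the
! reply above): it turns the public interface wide open.
! access-list 101 permit ip any any
!
! Verification:
! show access-lists 101          <- hit counts on the echo-reply line
! show ip inspect sessions       <- CBAC still opening tcp/udp/ftp return paths
```

Inbound echo requests are still dropped by this ACL, so the router does not answer pings from the Internet; only replies to traffic that originated inside are admitted. Later IOS releases that support ICMP inspection let CBAC open this return path itself with ip inspect name myfw icmp, in which case the three ICMP permit lines are not needed; on the release in this thread the ACL approach is the only option.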
 