Tried your suggestion, thanks. Created the following ACL...

ip access-list extended FaInboundACL
permit ip any any

Added it to the inbound traffic on the LAN interface....

interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip access-group FaInboundACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip route-cache same-interface
speed 100
full-duplex
no cdp enable

Not surprisingly, no effect; web browsing and everything work normally. I then added the "ip inspect" ...

interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip access-group FaInboundACL in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip inspect WinnetOffice in
ip route-cache same-interface
speed 100
full-duplex
no cdp enable

And web browsing from the LAN stops working again.

----- Original Message -----
From: "Kevin Graham" <[email protected]>
To: "Joseph Mays" <[email protected]>
Cc: <[email protected]>
Sent: Friday, July 22, 2011 6:32 PM
Subject: Re: [c-nsp] Problem with IP Inspect
On Jul 22, 2011, at 1:23 PM, "Joseph Mays" <[email protected]> wrote:

There is no way turning on ip inspection should break communications anywhere in the absence of an ACL list, is there?

IIRC, ip inspect is creating a pseudo-acl, so you're being bitten by the default deny. You should apply a "permit ip any any" ACL inbound on that interface. (Adding more specific permits and making sure ACE counters aren't excessively increasing is also a really good way of making sure inspection is handling the traffic you intended it to during initial deployment without breaking anything).
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
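The check Kevin recommends above (an explicit inbound ACL on every interface where inspection is applied, then watching the ACE counters) can be automated against a pasted config before it is rolled out. The Python script below is an added example, not code from the thread or from Cisco; it parses "interface" and "ip access-list" stanzas and flags any interface carrying "ip inspect ... in" whose inbound ACL is missing, referenced but never defined, or defined without a single permit entry (leaving only the implicit deny). The sample config is constructed from the stanzas quoted in the thread plus two hypothetical interfaces, FastEthernet0/1 and FastEthernet0/2, added to show the other outcomes; the ACL name and "NoSuchACL" are likewise constructed.

```python
"""Added example: lint IOS interface stanzas where CBAC ('ip inspect ... in')
is applied without a usable inbound ACL. The config below is constructed from
the stanzas quoted in the thread plus two hypothetical interfaces; it is not
the poster's full configuration."""

import re
from typing import Dict, List, Optional

ACL_HEADER = re.compile(r"^ip access-list (?:standard |extended )?(\S+)\s*$")
INTERFACE_HEADER = re.compile(r"^interface (\S+)\s*$")
ACCESS_GROUP_IN = re.compile(r"^ip access-group (\S+) in\s*$")
INSPECT_IN = re.compile(r"^ip inspect (\S+) in\s*$")
# ACEs may carry a leading sequence number when taken from 'show run'.
PERMIT_ACE = re.compile(r"^(?:\d+ )?permit\b")

SAMPLE_CONFIG = """\
ip access-list extended FaInboundACL
permit ip any any
!
interface FastEthernet0/0
description Win.net Chestnut St Office LAN
ip address 216.24.33.1 255.255.255.0
ip verify unicast reverse-path
ip inspect WinnetOffice in
no cdp enable
!
interface FastEthernet0/1
description constructed: inspection paired with the permit-any ACL
ip access-group FaInboundACL in
ip inspect WinnetOffice in
!
interface FastEthernet0/2
description constructed: inbound ACL referenced but never defined
ip access-group NoSuchACL in
ip inspect WinnetOffice in
"""


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Group config lines under the 'interface' or 'ip access-list' header
    that precedes them. Indentation is deliberately not relied upon, because
    configs pasted to a list (as in this thread) usually arrive flattened;
    a bare '!' ends the current stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if INTERFACE_HEADER.match(line) or ACL_HEADER.match(line):
            current = line
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def _first_group(pattern: "re.Pattern[str]", lines: List[str]) -> Optional[str]:
    """Return group 1 of the first line matching pattern, or None."""
    for line in lines:
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def lint_inspect_acls(config: str) -> List[str]:
    """One finding per interface whose inbound inspection has no usable
    inbound ACL: none applied, applied but undefined, or defined with no
    permit ACE at all (so only the implicit deny remains)."""
    stanzas = parse_stanzas(config)
    acls: Dict[str, List[str]] = {}
    for header, body in stanzas.items():
        m = ACL_HEADER.match(header)
        if m:
            acls[m.group(1)] = body

    findings: List[str] = []
    for header, body in stanzas.items():
        m = INTERFACE_HEADER.match(header)
        if not m:
            continue
        ifname = m.group(1)
        inspect_name = _first_group(INSPECT_IN, body)
        if inspect_name is None:
            continue  # no inbound inspection on this interface
        acl_name = _first_group(ACCESS_GROUP_IN, body)
        if acl_name is None:
            findings.append(f"{ifname}: 'ip inspect {inspect_name} in' has no inbound ACL applied")
        elif acl_name not in acls:
            findings.append(f"{ifname}: inbound ACL '{acl_name}' is referenced but not defined")
        elif not any(PERMIT_ACE.match(ace) for ace in acls[acl_name]):
            findings.append(f"{ifname}: inbound ACL '{acl_name}' has no permit ACE")
    return findings


if __name__ == "__main__":
    for finding in lint_inspect_acls(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, FastEthernet0/0 (the poster's first attempt, inspection without an ACL) and FastEthernet0/2 are reported, while FastEthernet0/1, which pairs inspection with the permit-any ACL exactly as the thread suggests, is clean. Feeding it the output of "show running-config" from a lab box before pushing "ip inspect" to production is the intended use.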

