
IP Inspect problem, dropping telnet and ftp sessions in VPN.

gloubier
Level 1

Hi,

We recently activated IP Inspect on every router that connects to the main office via VPN, and we're starting to have problems with IP Inspect blocking telnet, ftp and traffic that is not supposed to be blocked. When we deactivate IP Inspect, everything is fine. Another problem we have: the traffic (telnet or ftp) works for a short time and then the telnet or ftp connection is dropped by ip inspect.

Does anyone have a solution to my problem? I want to keep every router (which is directly connected to the Internet but also connected to the main office via VPN).

We use Cisco 871 routers with IOS 12.4(4)T4.

If someone could help me with my problem, I'd really appreciate it.

Thanks!

25 Replies

oabduo983
Level 1

If you have implemented CBAC, make sure you have explicit access-lists allowing traffic to flow from outside to inside; this should include the traffic which will be initiated from outside to inside...

Have you played with the timeout values?

If you have changed the idle timeout of a tcp session, you will have to bring it back to the default...

ip inspect tcp idle-time 3600

Could you please post your ip inspect (CBAC) configuration... I will check it for you...

Hi, Thanks for your reply.

Yeah, we set the "tcp idle-time" to 7200; it was 3600 before.

For the ip inspect, here is what we have in every VPN router:

General configuration:

ip inspect tcp idle-time 7200
ip inspect name xxFW http
ip inspect name xxFW https
ip inspect name xxFW tcp
ip inspect name xxFW udp

On the WAN interface of the router:

ip inspect xxFW in
ip inspect xxFW out

Thanks!

Hi there...

I do not think you have to enable inspection in the inbound direction on the WAN interface, i.e. remove the ip inspect xxFW in on the WAN interface.

If you want normal inspection, then you only need to inspect tcp and udp; there is no need for http or https unless you want to inspect deep into those protocols, e.g. you want to filter JAVA (this is your case), or want to enable URL filtering, etc., so I think you can remove ip inspect name xxFW http and ip inspect name xxFW https. If you want to allow traffic to come from outside to inside, then you need to open explicit access-lists for them...

Let me know if you need further support...

Please rate this post if it was useful.

Hi,

Thanks again for your reply.

You think if I remove "ip inspect xxFW in" on the WAN interface it could fix my problem with my telnet sessions being dropped by ip inspect?

Hi,

Yes, ip inspect xxFW in on the WAN interface means you are firewalling the outside world from your internal network and opening return traffic for the traffic initiated from outside... you do not want to do this, right? BIG security hole!

Thanks,

In fact... I need help to make the best firewall configuration I can for every VPN router we have (which are directly connected to the Internet and also have a VPN connection to the main office) for the setup we use in our network.

Access-list + IP inspect.

So feel free to advise me! :)

Thanks

In your case, everything we talked about is fine... but you need to allow esp, udp 500 and 4500 to reach the WAN interface of each router... you do this by creating access-lists from each router to router WAN interfaces... and for ease of management you can deal with subnets instead of single IPs... it depends on how many routers you have and whether or not you use a full mesh topology (in which case I would advise using DMVPN: less processing and memory utilization)...

Finally do not forget to apply the acl to the wan interface...

Regards,

Ok ok, I see. We have like 450-500 VPN routers in our network. We already have these basic access-lists in every router:

access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit x.x.x.x x.x.x.255 = ( our public IP address )
access-list 1 deny any

You said in a previous reply to open all traffic from outside to inside, like this: access-list 1 permit 10.0.0.0 0.255.255.255?

I'm still kind of new with access-list and IP inspect.

Thanks for your help and time!

Hi Gloubier,

In the Cisco world, when we talk about access-lists, they do not mean permit and block access... they mean controlling traffic to abide by a certain rule; this rule may be access, translation, VPN, QoS, route-map, etc. Therefore I'm not sure where you are applying the three access-lists above, because they are standard ACLs.

The second issue: I'm sorry if I misworded it, but I mean you configure an explicit access-list applied on the outside interface allowing relevant traffic (not all traffic, otherwise your CBAC config is meaningless). Relevant traffic typically includes the VPN traffic, and routing traffic if you are using dynamic routing protocols like RIP or EIGRP, etc.

In your case, if you want to establish IPsec tunnels from all routers (500) to all routers, I would highly recommend you go with a DMVPN solution; you will love it if you get it to work! It is probably a good idea to check with a network service provider in your region... Where are you staying BTW?

Thanks.

Hi,

Ok ok I understand!

The access-lists, I guess, are really general; we don't have access-lists applied yet. That's why I'm working on this.

Yeah, we are using EIGRP, but every router is using a DSL connection from suppliers around the country (Canada).

And not every router needs to connect to every router in the network. Each router connects to the main office (to a VPN concentrator). A few of them need to talk to other routers.

And I'm from Canada, Quebec.

So if I'm understanding right, I need to add access-list rules, but general rules (VPN traffic, routing traffic), and let ip inspect do the last verification?

Thanks!

Ok lovely,

What I suggest in this case is one of two options (I'm assuming your DSL is using a static IP, not a DHCP IP):

You can configure a site-to-site VPN connection on each router terminating on the main router.

But the better option is to configure the so-called EZVPN on the HO router, which makes it really easy to configure on the other 499 routers: less administration headache and less memory and CPU utilization on the routers...

everything else regarding CBAC and ACL's remains the same...

Thanks,

Hi,

For the DSL/PPPoE we have static and DHCP IPs.

We already use EZVPN to establish the VPN connection to the main site. The VPN setup is working great; it's only the ACL + IP inspect / firewall part that I'm working on, and it's kind of new to me.

If you have other advice, feel free to post, and I'll try to make a configuration for the ACL + IP inspect part with the good advice you gave me.

Thanks again!

Ok cool. In this case, nothing other than what I said earlier... You will have the IP inspect rules as mentioned before and explicit ACLs as follows:

access-list 101 permit esp host VPN_SERVER_IP host SELF_WAN_INTERFACE
access-list 101 permit udp host VPN_SERVER_IP host SELF_WAN_INTERFACE eq 500
access-list 101 permit udp host VPN_SERVER_IP host SELF_WAN_INTERFACE eq 4500

interface s0/0
 ip access-group 101 in

You will have to do the same on the EZVPN server if you have control of it and if you are implementing CBAC on it!

Best wishes
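As an added worked example (not from the thread, and not a configuration either poster provided), here is the advice from this reply and the earlier "remove ip inspect xxFW in" reply assembled on one remote-site router: CBAC kept on the WAN interface in the outbound direction only, the "in" rule removed, and an explicit inbound ACL that admits only the tunnel traffic. CBAC can only insert its dynamic return-traffic entries into an extended access-list, which is why a standard list like the "access-list 1" shown earlier in the thread cannot play this role. The example goes beyond the posted ACL in three places: the destination is "any" instead of "host SELF_WAN_INTERFACE", because some of the DSL sites get a DHCP-assigned address and no fixed host entry can be written for those; ftp inspection is added so FTP data connections are opened by CBAC instead of being dropped; and the show/debug lines at the end are what to run while a telnet or ftp session is being dropped. Assumed names: VPN_SERVER_IP is the head-office EZVPN server, xxFW is the inspect rule from the thread, WAN-IN is a name chosen here, and FastEthernet4 stands for the 871's WAN port (use the Dialer interface where the DSL is PPPoE). The existing crypto ipsec client ezvpn configuration on that interface is left as it is.

```ios
! Added example, not the thread's own configuration. Placeholders to replace:
!   VPN_SERVER_IP  = public address of the head-office EZVPN server (assumed name)
!   FastEthernet4  = the 871's WAN port; use Dialer0 if the DSL is PPPoE (assumed)
!
! ---- CBAC: inspect tcp, udp and ftp; idle timer back to the default ----
ip inspect tcp idle-time 3600
! audit-trail logs each session open and close with a timestamp, so a
! telnet session that "drops" can be matched against its idle time
ip inspect audit-trail
ip inspect name xxFW tcp
ip inspect name xxFW udp
! ftp inspection follows the control channel and opens the data connection
! dynamically; with plain tcp inspection only passive-mode transfers work,
! which is one way an ftp session appears to be dropped
ip inspect name xxFW ftp
!
! ---- inbound WAN ACL: only traffic that must arrive unsolicited ----
ip access-list extended WAN-IN
 remark IKE (500), NAT-T (4500) and ESP, from the EZVPN server only
 permit udp host VPN_SERVER_IP any eq isakmp
 permit udp host VPN_SERVER_IP any eq non500-isakmp
 permit esp host VPN_SERVER_IP any
 remark destination is "any": sites with a DHCP-assigned WAN address have
 remark no fixed host to name; static sites may narrow it to their address
 remark DHCP lease traffic, needed only where the WAN address comes from DHCP
 remark (PPPoE sites get their address over IPCP and can drop this line)
 permit udp any eq bootps any eq bootpc
 remark path-MTU feedback; tunnels over DSL fail silently without it
 permit icmp any any packet-too-big
 remark CBAC inserts its return-flow entries at the top of this list
 remark dynamically; everything else is unwanted. The implicit deny would
 remark do, but an explicit one gives a hit counter and a log line
 deny ip any any log
!
interface FastEthernet4
 description DSL / Internet
 ip access-group WAN-IN in
 no ip inspect xxFW in
 ip inspect xxFW out
!
! ---- checks to run while a telnet or ftp session is open or being dropped ----
! show ip inspect config           confirms timers and the protocols in xxFW
! show ip inspect sessions detail  the telnet/ftp session should be listed
! show ip access-lists WAN-IN      hits on the deny line show what is dropped
! debug ip inspect tcp             per-packet view; only while reproducing
```

Apply the ACL on the interface the tunnel actually terminates on; on a PPPoE site that is the Dialer interface, not the physical port. A counter climbing on the deny line while a session is "dropped" means the return packet arrived outside the tunnel or after CBAC had already removed its entry; the audit-trail log line for that session shows which.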

Great, thanks a lot for your help and your time!

I'll try that monday morning at work.
