Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
320
Views
0
Helpful
4
Replies

Remove Inspect from Interface

dennylester
Level 1
Level 1

‎06-04-2007 12:56 PM - edited ‎03-03-2019 05:17 PM

We have a 1720 router with FW feature set. We currently have it inspecting traffic exiting INT S0.

Now that we have a Pix behind this router we want to remove the inspection on this 1720 to free up CPU resources and hopefully improve the MLPPP problems we are running into (dropped packets due to high CPU load).

I added the following line to the Inbound ACL on the S0 interface

access-list 103 permit tcp any any gt 1023 established

Then I removed the IP Inspect from that interface. At that point I was no longer able to access the Internet (I believe the return traffic was being blocked).

Are there any temp ACL's that might still be attached to the S0 interface left over from the IP Inspect?

Any theories?

Denny

Labels:
0 Helpful
4 Replies 4

sundar.palaniappan
Level 10
Level 10

‎06-04-2007 02:15 PM

Denny,

Can you check whether the access list entry you had added 'permit tcp any any gt 1023 established' isn't entered sequentially after the explicit 'deny any' statement.

HTH

Sundar

0 Helpful

dennylester
Level 1
Level 1
In response to sundar.palaniappan

‎06-04-2007 02:28 PM

Hello,

Thank you for the reply.

Yeah, I checked. Here is the access list

access-list 103 permit tcp any host x.x.x.28 eq domain

access-list 103 permit udp any host x.x.x.28 eq domain

access-list 103 permit tcp any host x.x.x.29 eq domain

access-list 103 permit udp any host x.x.x.29 eq domain

access-list 103 permit tcp any host x.x.x.29 eq ftp

access-list 103 permit tcp any host x.x.x.29 eq ftp-data

access-list 103 permit tcp any host x.x.x.35 eq smtp

access-list 103 permit tcp any host x.x.x.35 eq pop3

access-list 103 permit tcp any host x.x.x.35 eq www

access-list 103 permit tcp any host x.x.x.11 eq www

access-list 103 permit tcp any host x.x.x.37 eq www

access-list 103 permit tcp any host x.x.x.37 eq 443

access-list 103 permit tcp any host x.x.x.38 eq www

access-list 103 permit tcp any host x.x.x.38 eq 443

access-list 103 permit tcp any host x.x.x.39 eq www

access-list 103 permit tcp any host x.x.x.39 eq 443

access-list 103 permit tcp any host x.x.x.40 eq www

access-list 103 permit tcp any host x.x.x.40 eq 443

access-list 103 permit tcp any host x.x.x.41 eq www

access-list 103 permit tcp any host x.x.x.41 eq 443

access-list 103 permit tcp any host x.x.x.42 eq www

access-list 103 permit tcp any host x.x.x.42 eq 443

access-list 103 permit icmp any x.x.x.0 0.0.0.255 unreachable

access-list 103 permit icmp any x.x.x.0 0.0.0.255 echo-reply

access-list 103 permit icmp any x.x.x.0 0.0.0.255 packet-too-big

access-list 103 permit icmp any x.x.x.0 0.0.0.255 time-exceeded

access-list 103 permit icmp any x.x.x.0 0.0.0.255 administratively-prohibited

access-list 103 permit tcp any x.x.x.0 0.0.0.255 gt 1023 established

access-list 103 deny ip 127.0.0.0 0.255.255.255 any

access-list 103 deny ip any any

I know the final deny deny isn't really needed, I just like having it there so I can see the counters..

I'm wondering if the problem may be with my NAT setup.

When I drop the inspect is seems like I can access a webpage or two, then is just stops working. I can see the counters incrementing on the permit though..

The version in this router is a little old (12.1(21)), so that may be part of the problem.

0 Helpful

sundar.palaniappan
Level 10
Level 10
In response to dennylester

‎06-04-2007 02:40 PM

Are you still doing NAT on the router even with the PIX in place? If you are still doing NAT on the router have the PIX do the NAT. Then try removing the access list from the router and test. I don't think the access list is the problem.

Perhaps if you can clarify the setup a little bit more and post the sanitized PIX and router configuration that would help.

0 Helpful

dennylester
Level 1
Level 1
In response to sundar.palaniappan

‎06-04-2007 03:05 PM

That does sound like the ideal solution.

Prior to the Pix this 1720 was doing all of our NAT as well as FW. The Pix was configured completely off-line then put in place. For a few years now we've had double NAT going. The Pix would NAT the Internal machines to one address, then the 1720 would NAT that to our public addresses. This worked/works perfectly fine. Because of this I don't think the issue is with the Pix or it's configuration

We just added a second Internet T1 and bundled them using MLPPP. Our connectivity is still working but the CPU is running high during peak traffic periods on the 1720 and it's dropping fragments/packets. I was hoping to just disable the FW on the 1720 without going through the hassle of reconfiguring our Pix to see if that would free up the CPU enough to run MLPPP properly. I guess disabling all that NAT would also free up CPU cycles too, so I'm sure that would be the proper way to do it.

I realize my configuration is more complicated this way but one of the benefits is if this Pix ever died, we could quickly switch back to this 1720 and suffer very minimal downtime.

I will review my Pix configuration and see how much work would be involved in making all the NAT changes and just have this 1720 route the Internet traffic.

Thank you for the suggestion.

Denny

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card