NAT on a Stick with IOS Firewall

Unanswered Question
Jan 24th, 2008

I have two Internet routers configured to allow VPN clients to connect and NAT back out for Internet access. On my 2801 with a Fast Ethernet outside interface it works fine. On my 2811 with an MLPPP outside interface, ip inspect stops HTTP from working properly (pinging works fine). Both routers are running the same version of IOS (12.4.12). Below is a snippet of the configuration from the router I'm having problems with.


ip inspect hashtable-size 8192
ip inspect name cbac_inspect ftp
ip inspect name cbac_inspect icmp
ip inspect name cbac_inspect esmtp
ip inspect name cbac_inspect udp
ip inspect name cbac_inspect http java-list 2 urlfilter
ip inspect name cbac_inspect tcp
!
interface Loopback1
 ip address 172.20.202.17 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Multilink1
 ip address ###
 ip nat outside
 ip virtual-reassembly
 ip policy route-map vpn_in
 crypto map vpnmap
!
ip local pool vpnpool 172.20.199.1 172.20.199.127
!
ip nat inside source list NAT-LIST interface Multilink1 overload
!
ip access-list extended NAT-LIST
 permit ip 172.20.199.0 0.0.0.127 any
!
ip access-list extended vpn_in
 permit ip 172.20.199.0 0.0.0.127 any
!
access-list 2 permit any
!
route-map vpn_in permit 10
 match ip address vpn_in
 set ip next-hop 172.20.202.18



Disabling ip inspect on the outside (multilink1) interface fixes the problem. I would like to have ip inspect on the interface though so I can apply an inbound ACL. When I use the "sh ip nat trans" and "sh ip inspect all" commands I see the proper entries. When I do a packet capture I see a SYN, SYN ACK, ACK, HTTP GET *dead silence*. Any ideas?
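For readers following the design, the fragment below shows the reference shape of NAT-on-a-stick with CBAC bound to the outside interface, which is the part the poster's snippet leaves out: the inbound ACL on Multilink1 and the `ip inspect ... out` statement that lets CBAC open return-traffic holes in that ACL. This is an added example, not the poster's configuration and not a fix for the MLPPP-specific failure described above. The ACL name OUTSIDE-IN, the 203.0.113.2/30 documentation address standing in for the poster's redacted `###`, and the choice of ICMP types permitted inbound are assumptions; the inspect rule set, loopback, pool, NAT list and route-map are kept as posted.

```ios
! Added illustration (not from the original post). Assumed: interface
! addresses on Multilink1 (RFC 5737 documentation space) and the ACL
! name OUTSIDE-IN. Inspect rules, pool, NAT list and PBR are as posted.
ip inspect name cbac_inspect ftp
ip inspect name cbac_inspect icmp
ip inspect name cbac_inspect esmtp
ip inspect name cbac_inspect udp
ip inspect name cbac_inspect http java-list 2 urlfilter
ip inspect name cbac_inspect tcp
!
! Inbound policy on the outside interface. Only the IPsec control and
! data traffic from the VPN clients is permitted statically; all other
! inbound packets must match a session entry that CBAC created for an
! inspected outbound flow, otherwise they hit the final deny.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP/500) and NAT-T (UDP/4500) from the VPN clients
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark ESP from the VPN clients
 permit esp any any
 remark assumption: keep path-MTU and TTL diagnostics working
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Hairpin point: decrypted VPN-client packets are policy-routed to the
! loopback (next hop 172.20.202.18 on the same /30), which is "ip nat
! inside", so they re-enter the router as inside-to-outside traffic.
interface Loopback1
 ip address 172.20.202.17 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Multilink1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect cbac_inspect out
 ip virtual-reassembly
 ip policy route-map vpn_in
 crypto map vpnmap
!
ip local pool vpnpool 172.20.199.1 172.20.199.127
!
ip nat inside source list NAT-LIST interface Multilink1 overload
!
ip access-list extended NAT-LIST
 permit ip 172.20.199.0 0.0.0.127 any
!
ip access-list extended vpn_in
 permit ip 172.20.199.0 0.0.0.127 any
!
access-list 2 permit any
!
route-map vpn_in permit 10
 match ip address vpn_in
 set ip next-hop 172.20.202.18
```

With this in place, `show ip inspect sessions` should list one session per VPN-client HTTP connection after the translated SYN leaves Multilink1, and `show ip access-lists OUTSIDE-IN` will show the static entries' hit counts plus the dynamic entries CBAC inserts ahead of the final deny. A client flow that shows a session entry and a NAT translation but still stalls after the first data segment, as the poster describes, is therefore not an ACL problem; the static lines above are only what the VPN itself needs to come up.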


aghaznavi Wed, 01/30/2008 - 13:20

Please make sure here that "dead silence" means the firewall allows the unwanted traffic or any other thing.
