Issues with SPI / IP Inspect on a 1721 router

Unanswered Question
Mar 31st, 2008

Ok, I am stumped, so here I am :)

I have a 1721 router with a DSL WIC for a location for their internet access and with a VPN tunnel to HQ. The problem is that SPI lets MOST traffic in and out, but it is blocking some sites... microsoft.com and southwest.com to name a few. This is my config for ip inspect now. Am I missing something?

ip inspect name FIREWALL udp
ip inspect name FIREWALL tcp

interface Dialer0
 ip address *.*.*.* 255.255.255.248
 ip access-group 102 in
 ip mtu 1492
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly max-reassemblies 32
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable

I have run debug and it is not telling me anything.

I am wondering if that version of IOS has a bug? It is c1700-advsecurityk9-mz.124-17.bin.

Also, is there a version of IOS I can use that does not have SPI?

Thanks for any help!

dongdongliu Wed, 04/02/2008 - 02:10

Hi,

This is about another thing.

PPPoE cost is 8K, so you set MTU equal to 1492.

Since you used VPN, it would increase the header cost, and not just 8K. I suggest reducing the MTU size.

Regards
