Issues with SPI / IP Inspect on a 1721 router

Unanswered Question
Mar 31st, 2008

Ok, I am stumped, so here I am :)


I have a 1721 router with a DSL WIC for a location for their internet access and with a VPN tunnel to HQ. The problem is that SPI lets MOST traffic in and out, but it is blocking some sites... microsoft.com and southwest.com to name a few. This is my config for ip inspect now. Am I missing something?


ip inspect name FIREWALL udp
ip inspect name FIREWALL tcp
!
interface Dialer0
 ip address *.*.*.* 255.255.255.248
 ip access-group 102 in
 ip mtu 1492
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly max-reassemblies 32
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable


I have run debug and it is not telling me anything.


I am wondering if that version of IOS has a bug? It is c1700-advsecurityk9-mz.124-17.bin.


Also, is there a version of IOS I can use that does not have SPI?


Thanks for any help!


sundar.palaniappan Mon, 03/31/2008 - 16:18

I doubt ip inspect (CBAC) is causing the problem you are having, as it's set up to inspect all TCP and UDP packets flowing through the interface. You might have a problem with MTU as you are connecting through DSL. Can you configure the command 'ip tcp adjust-mss 1440' under the LAN interface and test access to the sites you were having problems with before?


HTH


Sundar
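To make the MTU/MSS reasoning in the reply concrete, here is a small config audit script added for this thread (not code from either poster or from Cisco). It parses an IOS-style config, takes the smallest 'ip mtu' (1492 on the PPPoE dialer above), derives the MSS ceiling of MTU minus 40 bytes for the minimum IPv4 and TCP headers, and reports whether an 'ip tcp adjust-mss' within that ceiling is present. The sample config is constructed; FastEthernet0 and the addresses are placeholders, not from the thread.

```python
import re

# Constructed sample in the thread's style: the poster's Dialer0 settings plus
# an assumed LAN interface (FastEthernet0 and the addresses are placeholders).
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Dialer0
 ip address 203.0.113.2 255.255.255.248
 ip mtu 1492
 ip inspect FIREWALL out
 encapsulation ppp
"""

IP_TCP_HEADERS = 40  # minimum IPv4 header (20) + minimum TCP header (20)


def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def max_mss(ip_mtu):
    """Largest MSS whose segment still fits in one packet of the given IP MTU."""
    return ip_mtu - IP_TCP_HEADERS


def check_mss(config):
    """Report the MSS ceiling implied by the smallest 'ip mtu' in the config and
    whether an 'ip tcp adjust-mss' value within that ceiling is configured."""
    ceiling, adjust = None, None
    for cmds in parse_interfaces(config).values():
        for cmd in cmds:
            if m := re.fullmatch(r"ip mtu (\d+)", cmd):
                mss = max_mss(int(m.group(1)))
                ceiling = mss if ceiling is None else min(ceiling, mss)
            elif m := re.fullmatch(r"ip tcp adjust-mss (\d+)", cmd):
                adjust = int(m.group(1))
    ok = ceiling is None or (adjust is not None and adjust <= ceiling)
    return {"mss_ceiling": ceiling, "adjust_mss": adjust, "ok": ok}
```

For the sample above the ceiling is 1452, so the suggested 1440 passes while a value such as 1460 (the Ethernet default) is flagged.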
