Issues with SPI / IP Inspect on a 1721 router

erik.doss · ‎03-31-2008

Ok, I am stumped, so here I am :)

I have a 1721 router with a DSL WIC for a location for their internet access and with a VPN tunnel to HQ. The problem is that SPI lets MOST traffic in and out, but it is blocking some sites... microsoft.com and southwest.com to name a few. This is my config for ip inspect now. Am I missing something?

ip inspect name FIREWALL udp

ip inspect name FIREWALL tcp

interface Dialer0

ip address *.*.*.* 255.255.255.248

ip access-group 102 in

ip mtu 1492

ip inspect FIREWALL out

ip nat outside

ip virtual-reassembly max-reassemblies 32

encapsulation ppp

no ip route-cache cef

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer-group 1

no cdp enable

I have ran debug and it is not telling me anything.

I am wondering if that version of IOS has a bug? It is c1700-advsecurityk9-mz.124-17.bin.

Also, is there a version of IOS I can use that does not have SPI?

Than ks for any help!

sundar.palaniappan · ‎03-31-2008

I doubt ip inspect (CBAC) is causing the problem you are having as it's setup to inspect all TCP and UDP packets flowing through the interface. You might have a problem with MTU as you are connecting through DSL. Can you configure the command 'ip tcp adjust-mss 1440' under the LAN interface and test access to the sites you were having problem before.

HTH

Sundar

erik.doss · ‎03-31-2008

That did the trick! Thanks!

sundar.palaniappan · ‎03-31-2008

Glad it helped :)