03-31-2008 03:58 PM - edited 03-03-2019 09:21 PM
Ok, I am stumped, so here I am :)
I have a 1721 router with a DSL WIC for a location for their internet access and with a VPN tunnel to HQ. The problem is that SPI lets MOST traffic in and out, but it is blocking some sites... microsoft.com and southwest.com to name a few. This is my config for ip inspect now. Am I missing something?
ip inspect name FIREWALL udp
ip inspect name FIREWALL tcp
!
interface Dialer0
 ip address *.*.*.* 255.255.255.248
 ip access-group 102 in
 ip mtu 1492
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly max-reassemblies 32
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
I have run debug and it is not telling me anything.
I am wondering if that version of IOS has a bug? It is c1700-advsecurityk9-mz.124-17.bin.
Also, is there a version of IOS I can use that does not have SPI?
Thanks for any help!
03-31-2008 04:18 PM
I doubt ip inspect (CBAC) is causing the problem you are having, as it's set up to inspect all TCP and UDP packets flowing through the interface. You might have a problem with MTU, as you are connecting through DSL. Can you configure the command 'ip tcp adjust-mss 1440' under the LAN interface and test access to the sites you were having problems with before?
HTH
Sundar
03-31-2008 04:29 PM
That did the trick! Thanks!
03-31-2008 04:53 PM
Glad it helped :)