IP INSPECT DROP-IN MODE

dunkscrashburn · ‎05-16-2008

I'm trying to set up a cisco 2821 is drop in mode and have some weird traffic anomalies.

Essentially, I would like ALL traffic on the inside on my network to be allowed out to the Internet. I would like no traffic to be allowed to enter my internal network with out it being a part of a connection made from the inside.

Some troubles I'm have are every connection from my internal network to the outside has a lag of a few seconds before the traffic makes a connection to the internet. From what I can see it's everything, even if a try and ping s/t on the outside the traffic lags then is permitted and successful. I have abt 8 asterisks boxes behind this router and all the phone calls have a lag (abt th same length) before the SIP traffic goes outside.

Any advice would help

My config is below, i've also included my ip inspect config.

wmr#show start

Using 2963 out of 245752 bytes

!

! Last configuration change at 03:37:45 NewYork Fri May 16 2008 by xxxx

! NVRAM config last updated at 03:45:52 NewYork Fri May 16 2008 by xxxx

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname cwmr

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 2 log

logging buffered 4096 debugging

enable secret xxx

!

aaa new-model

!

aaa session-id common

clock timezone NewYork -5

!

ip cef

!

ip domain name cwinet.local

ip name-server 4.2.2.2

ip inspect log drop-pkt

ip inspect max-incomplete low 400

ip inspect max-incomplete high 500

ip inspect one-minute low 400

ip inspect one-minute high 500

ip inspect tcp block-non-session

ip inspect tcp max-incomplete host 50 block-time 0

ip inspect name fw udp

ip inspect name fw tcp

ip inspect name fw icmp

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

voice-card 0

no dspfarm

!

username xxx secret xxx

!

bridge irb

!

interface GigabitEthernet0/0

description OUTSIDE

no ip address

ip access-group from_outside in

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip inspect fw in

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

bridge-group 1

!

interface GigabitEthernet0/1

description INSIDE

no ip address

ip access-group from_inside in

ip access-group allow_out out

ip inspect fw in

ip inspect fw out

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

bridge-group 1

!

interface BVI1

ip address x.x.x.x 255.255.255.0

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip virtual-reassembly

ip route-cache flow

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 x.x.x.x

!

ip flow-export destination x.x.x.x

!

ip http server

no ip http secure-server

!

ip access-list extended allow_out

permit ip any any

ip access-list extended from_inside

permit ip any any

ip access-list extended from_outside

deny ip any any

ip access-list extended internal_out

!

logging trap debugging

logging origin-id string inet-wireless

logging x.x.x.x

access-list 23 permit x.x.x.x 0.0.0.255 log

access-list 23 deny any log

snmp-server community xxxxxx RO 23

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

end

My IP INSPECT CONFIG IS;

cwmr#show ip ins all

Dropped packet logging is enabled

Drop non-session initiated traffic is enabled

Session audit trail is disabled

Session alert is enabled

one-minute (sampling period) thresholds are [400 : 500] connections

max-incomplete sessions thresholds are [400 : 500]

max-incomplete tcp connections per host is 50. Block-time 0 minute.

tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec

tcp idle-time is 3600 sec -- udp idle-time is 30 sec

dns-timeout is 5 sec

samuellthomasjr · ‎05-18-2008

This is straight off of one of the 2821's that I built out.

Put the WAN IP address [provided by your ISP] on the outside interface with subnet mask.

Put the LAN, inside, private IP address on the inside interface with subnet mask. This IP address is the default gateway for your network.

Then, add:

ip nat inside source list 101 interface GigabitEthernet0/0 overload

NOTE: THIS ALLOWS MORE THAN ONE PERSON ACCESS AT A TIME, WHICH IS WHAT IS HAPPENING NOW.

access-list 101 permit ip

I will assume that the ip route [last resort} points to the default gateway provided by your ISP ... AND NOT 4-OCTETS OF X'S. ;-)

Lastly, make certain that your ISP DNS is used either from your DHCP forwarder or manually configured on the computers.

dunkscrashburn · ‎05-18-2008

Okay, thanks for the reply.

That does not really solve the issue as I need to have my router in drop-in mode. I have (on both side of the router) routable Internet IP addresses. The issue I'm trying to solve is the IP Inspect firewall. I do not want to use NAT as I'm using SIP on my inside network and need it to go out w/o being translated.

Anyhow, the issue I'm trying to solve is that the outbound connections look like they are been stop by my router and held for abt 5 seconds then forwarded. This makes it painful to browse via http and the phone calls are a joke as the calls are held for abt 5 seconds before they go out...

This firewall is not the gateway to any on the inside devices. There is one more router beyond this that is the subnets gw.

Thanks,

dunkscrashburn · ‎05-20-2008

Does anyone have a say on this?