05-16-2008 03:41 PM - edited 03-11-2019 05:46 AM
I'm trying to set up a Cisco 2821 in drop-in mode and have some weird traffic anomalies.
Essentially, I would like ALL traffic on the inside of my network to be allowed out to the Internet. I would like no traffic to be allowed to enter my internal network without it being a part of a connection made from the inside.
Some troubles I'm having are that every connection from my internal network to the outside has a lag of a few seconds before the traffic makes a connection to the Internet. From what I can see it's everything; even if I try and ping something on the outside, the traffic lags, then is permitted and successful. I have about 8 Asterisk boxes behind this router and all the phone calls have a lag (about the same length) before the SIP traffic goes outside.
Any advice would help
My config is below; I've also included my ip inspect config.
wmr#show start
Using 2963 out of 245752 bytes
!
! Last configuration change at 03:37:45 NewYork Fri May 16 2008 by xxxx
! NVRAM config last updated at 03:45:52 NewYork Fri May 16 2008 by xxxx
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cwmr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging buffered 4096 debugging
enable secret xxx
!
aaa new-model
!
!
!
aaa session-id common
clock timezone NewYork -5
!
!
ip cef
!
!
ip domain name cwinet.local
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip inspect max-incomplete low 400
ip inspect max-incomplete high 500
ip inspect one-minute low 400
ip inspect one-minute high 500
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 50 block-time 0
ip inspect name fw udp
ip inspect name fw tcp
ip inspect name fw icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxx secret xxx
!
!
!
!
bridge irb
!
!
!
interface GigabitEthernet0/0
description OUTSIDE
no ip address
ip access-group from_outside in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect fw in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
bridge-group 1
!
interface GigabitEthernet0/1
description INSIDE
no ip address
ip access-group from_inside in
ip access-group allow_out out
ip inspect fw in
ip inspect fw out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
bridge-group 1
!
interface BVI1
ip address x.x.x.x 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly
ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip flow-export destination x.x.x.x
!
ip http server
no ip http secure-server
!
ip access-list extended allow_out
permit ip any any
ip access-list extended from_inside
permit ip any any
ip access-list extended from_outside
deny ip any any
ip access-list extended internal_out
!
logging trap debugging
logging origin-id string inet-wireless
logging x.x.x.x
access-list 23 permit x.x.x.x 0.0.0.255 log
access-list 23 deny any log
snmp-server community xxxxxx RO 23
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
!
!
!
!
!
end
My ip inspect config is:
cwmr#show ip ins all
Dropped packet logging is enabled
Drop non-session initiated traffic is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400 : 500] connections
max-incomplete sessions thresholds are [400 : 500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
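As an added example, not something posted in the thread: a small Python script that parses an IOS running-config like the one above and reports where ip inspect rules and access-groups are attached. It checks the placement points a CBAC review looks at first: inspection applied at more than one interface/direction, the same interface inspecting in both directions, a deny-all ACL whose return traffic depends entirely on inspect session entries, and an applied rule that was never defined. The sample config is constructed from the posted one with placeholder addresses and the unrelated lines removed; parse_config and audit are the example's own names, not anything from IOS.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the config posted in the thread; addresses are
# placeholders (TEST-NET) and lines not relevant to the checks are omitted.
SAMPLE_CONFIG = """\
ip inspect name fw udp
ip inspect name fw tcp
ip inspect name fw icmp
!
interface GigabitEthernet0/0
 description OUTSIDE
 no ip address
 ip access-group from_outside in
 ip inspect fw in
 bridge-group 1
!
interface GigabitEthernet0/1
 description INSIDE
 no ip address
 ip access-group from_inside in
 ip access-group allow_out out
 ip inspect fw in
 ip inspect fw out
 bridge-group 1
!
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
ip access-list extended allow_out
 permit ip any any
ip access-list extended from_inside
 permit ip any any
ip access-list extended from_outside
 deny ip any any
!
bridge 1 protocol ieee
bridge 1 route ip
"""


def parse_config(text):
    """Extract what the CBAC checks need from an IOS config: per-interface
    inspect/access-group assignments, named ACL entries, inspect rule protocols."""
    interfaces, acls, rules = {}, {}, defaultdict(list)
    current_if = current_acl = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # IOS indents sub-commands by one space
            body = raw.strip()
            if current_if is not None:
                iface = interfaces[current_if]
                m = re.fullmatch(r"ip inspect (\S+) (in|out)", body)
                if m:
                    iface["inspect"].append((m.group(1), m.group(2)))
                m = re.fullmatch(r"ip access-group (\S+) (in|out)", body)
                if m:
                    iface["acl"][m.group(2)] = m.group(1)
            elif current_acl is not None:
                acls[current_acl].append(body)
            continue
        current_if = current_acl = None    # any top-level command closes a block
        m_if = re.fullmatch(r"interface (\S+)", raw)
        m_acl = re.fullmatch(r"ip access-list extended (\S+)", raw)
        m_rule = re.match(r"ip inspect name (\S+) (\S+)", raw)
        if m_if:
            current_if = m_if.group(1)
            interfaces[current_if] = {"inspect": [], "acl": {}}
        elif m_acl:
            current_acl = m_acl.group(1)
            acls[current_acl] = []
        elif m_rule:
            rules[m_rule.group(1)].append(m_rule.group(2))
    return interfaces, acls, dict(rules)


def audit(interfaces, acls, rules):
    """Return a list of findings about where CBAC inspection and ACLs are placed."""
    findings = []
    points = [(name, d) for name, i in interfaces.items() for _, d in i["inspect"]]
    if len(points) > 1:
        findings.append(
            f"inspection applied at {len(points)} interface/direction points ("
            + ", ".join(f"{n} {d}" for n, d in points)
            + "); CBAC is normally applied once, where sessions originate")
    for name, i in interfaces.items():
        dirs = {d for _, d in i["inspect"]}
        if dirs == {"in", "out"}:
            findings.append(f"{name}: same interface inspects both in and out, "
                            "so each flow is examined twice")
        for d, acl_name in i["acl"].items():
            entries = acls.get(acl_name, [])
            if entries and all(e.startswith("deny") for e in entries):
                findings.append(f"{name}: ACL {acl_name} ({d}) denies everything; "
                                "return traffic relies entirely on inspect session entries")
    for rule in {r for i in interfaces.values() for r, _ in i["inspect"]}:
        if rule not in rules:
            findings.append(f"inspect rule {rule} is applied but never defined "
                            "with 'ip inspect name'")
    return findings


if __name__ == "__main__":
    for line in audit(*parse_config(SAMPLE_CONFIG)):
        print("-", line)
```

Run against the sample it reports three placements worth a second look; on a config where the rule is attached at a single point and the ACLs are consistent with it, audit returns an empty list. The script reads a saved "show running-config" and changes nothing on the device.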
05-18-2008 04:51 PM
This is straight off of one of the 2821's that I built out.
Put the WAN IP address [provided by your ISP] on the outside interface with subnet mask.
Put the LAN, inside, private IP address on the inside interface with subnet mask. This IP address is the default gateway for your network.
Then, add:
ip nat inside source list 101 interface GigabitEthernet0/0 overload
NOTE: THIS ALLOWS MORE THAN ONE PERSON ACCESS AT A TIME, WHICH IS WHAT IS HAPPENING NOW.
access-list 101 permit ip
I will assume that the ip route [last resort] points to the default gateway provided by your ISP ... AND NOT 4-OCTETS OF X'S. ;-)
Lastly, make certain that your ISP DNS is used either from your DHCP forwarder or manually configured on the computers.
05-18-2008 05:05 PM
Okay, thanks for the reply.
That does not really solve the issue as I need to have my router in drop-in mode. I have (on both sides of the router) routable Internet IP addresses. The issue I'm trying to solve is the IP Inspect firewall. I do not want to use NAT as I'm using SIP on my inside network and need it to go out without being translated.
Anyhow, the issue I'm trying to solve is that the outbound connections look like they are being stopped by my router and held for about 5 seconds, then forwarded. This makes it painful to browse via http and the phone calls are a joke as the calls are held for about 5 seconds before they go out...
This firewall is not the gateway for any of the inside devices. There is one more router beyond this that is the subnet's gw.
Thanks,
05-20-2008 12:41 PM
Does anyone have a say on this?