836 - IOS 12.3(11)T5 - ip inspect issue with SMTP/SSL and SFTP

Unanswered Question
Sep 15th, 2010

Dear Cisco Administrators,

I'm looking for something like ip_conntrack/iptables on Cisco IOS. I want to block all incoming traffic on the outer interface except answer packets for inside-initiated connections. I found ip inspect, which seems to be what I want.

Now when I send emails with attachments (my last test was with a mail of 118 kB total) it gets stuck. Same goes for scp connections to remote hosts. I thought it might be an MTU issue, but I guess I ruled that out by limiting the MTU values to a reasonable value.

I ran out of ideas - help is greatly appreciated.


!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 836router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging on
enable secret 5 changed-for-posting
!
username changed-for-posting password 0 changed-for-posting
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
!
!
ip inspect name CONNTRACK udp
ip inspect name CONNTRACK icmp
ip inspect name CONNTRACK tcp
ip ips po max-events 100
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1390
no cdp enable
!
interface BRI0
no ip address
shutdown
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode annexb-ur2
pvc 1/32
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
mtu 1454
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect CONNTRACK out
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
ip tcp compression-connections 64
no ip mroute-cache
dialer pool 1
dialer string 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname changed-for-posting
ppp chap password 0 changed-for-posting
ppp pap sent-username changed-for-posting password 0 changed-for-posting
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any traceroute
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
!
tftp-server archive
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 120 0
length 0
transport input ssh
!
scheduler max-task-time 5000
!
end
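
For readers looking for the iptables/ip_conntrack equivalent on IOS, the following is an added example (it is not the poster's configuration and is not a verified fix for the stall described above) of a minimal CBAC return-traffic setup together with the show and debug commands used to confirm that inspect is actually creating sessions for the stalled SMTP/SCP flows. Interface names and ACL numbers follow the posted config; the timeout values are assumptions.

```ios
! Inspection rule: track TCP, UDP and ICMP sessions initiated from inside.
! audit-trail logs each session open/close so a stall can be correlated
! with the session state CBAC holds for that flow.
ip inspect audit-trail
ip inspect name CONNTRACK tcp
ip inspect name CONNTRACK udp
ip inspect name CONNTRACK icmp
! Idle timeouts (assumed values; IOS defaults are 3600 s TCP, 30 s UDP)
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Outside interface: the inbound ACL denies everything except the ICMP
! types path-MTU discovery and traceroute need; CBAC opens temporary
! holes in it only for sessions it has seen leave on this interface.
interface Dialer1
 ip access-group 111 in
 ip inspect CONNTRACK out
!
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
access-list 111 deny   ip any any log
!
! Verification (exec mode), run while a large SMTP or SCP transfer stalls:
! show ip inspect config           - rule and timeouts actually in effect
! show ip inspect sessions detail  - does the stalled TCP flow have a session?
! show ip inspect statistics       - session counts and drops
! show access-lists 111            - hit counts on the final deny
! debug ip inspect tcp             - per-packet inspect decisions (use briefly)
```

The log keyword on the final deny and the audit trail together show whether return packets of the stalled transfer are being dropped by the ACL (no session, or session timed out) or are passing inspect and stalling for some other reason, which is the first thing to establish before looking at MTU or compression settings.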
