I have a 1721 router with a DSL WIC for a location for their internet access and with a VPN tunnel to HQ. The problem is that SPI lets MOST traffic in and out, but it is blocking some sites... microsoft.com and southwest.com to name a few. This is my config for ip inspect now. Am I missing something?
ip inspect name FIREWALL udp
ip inspect name FIREWALL tcp
ip address *.*.*.* 255.255.255.248
ip access-group 102 in
ip mtu 1492
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly max-reassemblies 32
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
no cdp enable
I have run debug and it is not telling me anything.
I am wondering if that version of IOS has a bug? It is c1700-advsecurityk9-mz.124-17.bin.
Also, is there a version of IOS I can use that does not have SPI?