Cisco Support Community
New Member

Issues with SPI / IP Inspect on a 1721 router

Ok, I am stumped, so here I am :)

I have a 1721 router with a DSL WIC for a location for their internet access and with a VPN tunnel to HQ. The problem is that SPI lets MOST traffic in and out, but it is blocking some sites... microsoft.com and southwest.com to name a few. This is my config for ip inspect now. Am I missing something?

ip inspect name FIREWALL udp
ip inspect name FIREWALL tcp

interface Dialer0
 ip address *.*.*.* 255.255.255.248
 ip access-group 102 in
 ip mtu 1492
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly max-reassemblies 32
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable

I have run debug and it is not telling me anything.

I am wondering if that version of IOS has a bug? It is c1700-advsecurityk9-mz.124-17.bin.

Also, is there a version of IOS I can use that does not have SPI?

Thanks for any help!

1 REPLY
New Member

Re: Issues with SPI / IP Inspect on a 1721 router

hi,

This is about another thing.

PPPoE cost is 8K, so you set MTU equal to 1492.

Since you used VPN, it would increase header cost, and not just 8K. Suggest reducing the MTU size.

regards
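
The MTU point raised in the reply, worked through as an added example (not part of either post): how much room IPsec ESP tunnel mode leaves inside a PPPoE link MTU. The thread does not give the transform set, so the two transforms below, the CBC block and IV sizes, the 96-bit HMAC ICV and the absence of NAT-T are assumptions.

```python
"""Added example: inner packet size that fits an ESP tunnel over a PPPoE link."""

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field
OUTER_IP = 20        # new IPv4 header added by tunnel mode
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes, inside the ciphertext
TCP_IP_HEADERS = 40  # IPv4 + TCP headers without options

# Assumed transforms: (cipher block size, IV size, ICV size) in bytes.
TRANSFORMS = {
    "esp-3des esp-sha-hmac": (8, 8, 12),
    "esp-aes esp-sha-hmac": (16, 16, 12),
}


def esp_packet_size(inner_len, block, iv, icv):
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // block) * block  # round up to the cipher block size
    return OUTER_IP + ESP_HEADER + iv + padded + icv


def max_inner_packet(link_mtu, block, iv, icv):
    """Largest inner IP packet whose ESP packet still fits in link_mtu."""
    room = link_mtu - OUTER_IP - ESP_HEADER - iv - icv
    return (room // block) * block - ESP_TRAILER


def report(link_mtu):
    """Per-transform inner MTU, matching TCP MSS and resulting wire size."""
    rows = {}
    for name, (block, iv, icv) in TRANSFORMS.items():
        inner = max_inner_packet(link_mtu, block, iv, icv)
        rows[name] = {
            "inner_mtu": inner,
            "tcp_mss": inner - TCP_IP_HEADERS,
            "on_wire": esp_packet_size(inner, block, iv, icv),
        }
    return rows


if __name__ == "__main__":
    link = ETHERNET_MTU - PPPOE_OVERHEAD  # the 1492 set on Dialer0
    print(f"PPPoE link MTU: {link}")
    for name, row in report(link).items():
        print(f"{name}: inner MTU {row['inner_mtu']}, "
              f"TCP MSS {row['tcp_mss']}, ESP packet {row['on_wire']} bytes")
```

Inner packets larger than the reported inner MTU have to be fragmented or dropped before they can cross the tunnel, which is the header cost the reply refers to.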
