836 - ios 12.3(11)T5 - ip inspect issue with smtp/ssl and sftp

Dear Cisco Administrators,

I'm looking for something like ip_conntrack/iptables on Cisco IOS. I want to block all incoming traffic on the outer interface except answer packets for inside-initiated connections. I found ip inspect, which seems to be what I want.

Now when I send emails with attachments (my last test was with a mail of 118 KB total) it gets stuck. Same goes for scp connections to remote hosts. I thought it might be an MTU issue, but I guess I ruled that out by limiting the MTU values to a reasonable value.

I ran out of ideas - help is greatly appreciated.


!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 836router
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
no logging on
enable secret 5 changed-for-posting
!
username changed-for-posting password 0 changed-for-posting
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
!
!
ip inspect name CONNTRACK udp
ip inspect name CONNTRACK icmp
ip inspect name CONNTRACK tcp
ip ips po max-events 100
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1390
no cdp enable
!
interface BRI0
no ip address
shutdown
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode annexb-ur2
pvc 1/32
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
mtu 1454
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect CONNTRACK out
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
ip tcp compression-connections 64
no ip mroute-cache
dialer pool 1
dialer string 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname changed-for-posting
ppp chap password 0 changed-for-posting
ppp pap sent-username changed-for-posting password 0 changed-for-posting
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip any any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any traceroute
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
!
tftp-server archive
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 120 0
length 0
transport input ssh
!
scheduler max-task-time 5000
!
end
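Added example, not part of the post and not Cisco code: a small Python audit that parses an IOS-style config and checks the pattern the poster relies on, namely that an interface carrying a default-deny inbound ACL also carries an `ip inspect ... out` rule that covers both tcp and udp (otherwise return traffic for inside-initiated sessions is dropped). The config excerpt is constructed after the posted one, and `parse` and `audit` are hypothetical names.

```python
import re
# Constructed excerpt in the shape of the posted running-config (trimmed; not the full config).
SAMPLE_CONFIG = """\
ip inspect name CONNTRACK udp
ip inspect name CONNTRACK tcp
interface Ethernet0
ip access-group 101 out
!
interface Dialer1
ip access-group 111 in
ip inspect CONNTRACK out
!
access-list 101 permit ip any any
access-list 111 permit icmp any any echo-reply
access-list 111 deny   ip any any
"""

def parse(config):
    """Split an IOS config into inspect rules, per-interface sub-commands and ACL entries."""
    inspects, ifaces, acls, cur = {}, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif line == "!":
            cur = None  # IOS closes each interface block with a bang line
        elif cur:
            ifaces[cur].append(line)
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            inspects.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.match(r"access-list (\S+) (.+)", line):
            acls.setdefault(m.group(1), []).append(" ".join(m.group(2).split()))
    return inspects, ifaces, acls

def audit(config):
    """Report interfaces whose inbound default-deny ACL has no outbound inspect to open return traffic."""
    inspects, ifaces, acls = parse(config)
    findings = []
    for name, lines in ifaces.items():
        subs = " ".join(lines)
        acl = re.search(r"ip access-group (\S+) in\b", subs)
        insp = re.search(r"ip inspect (\S+) out\b", subs)
        if not (acl and acls.get(acl.group(1), [""])[-1].startswith("deny ip any any")):
            continue  # no default-deny inbound here, so CBAC is not required on this interface
        if insp is None:
            findings.append(f"{name}: ACL {acl.group(1)} denies all inbound, but no 'ip inspect ... out' opens return traffic")
        elif not {"tcp", "udp"} <= inspects.get(insp.group(1), set()):
            findings.append(f"{name}: inspect rule {insp.group(1)} is undefined or does not cover both tcp and udp")
    return findings
```

Run `audit` over a saved `show running-config` to spot an outside interface where the ACL and the inspect rule have drifted apart.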

1 REPLY

Re: 836 - ios 12.3(11)T5 - ip inspect issue with smtp/ssl and sf

solved after upgrading to 12.4!
