I have a Cisco 2851 router with IOS firewall software (c2800nm-advipservicesk9-mz.124-15.T6.bin). I need to have two access-groups (one for in and one for out) on the same interface.
Traffic initiated from this interface (so matched by the "in" access-list) is blocked by the "out" access-list. But in my opinion it shouldn't be blocked, because the inspect configuration should permit it. Does somebody know what the problem is?
Do you need to have "ip inspect" in both directions on your interface? I am not saying right now that it is not allowed, but it is kind of unusual.
Second, from the output you have posted, I am confused by the "show log" output. It says that a packet destined to 22.214.171.124 was denied by the ABC_out. However, the ABC_out is applied on the Gi0/0.12 in the outbound direction (for packets going out that interface) and the IP 126.96.36.199 is the address of the Gi0/0.12 itself. From this it follows that the log entry describes an impossible situation:
1) The ABC_out could capture and drop this packet only if it was sent out the interface Gi0/0.12. However, a packet would never be sent out an interface if the interface's address is the same as the destination of the packet.
2) If the packet was coming into the Gi0/0.12 interface, the outbound ACL ABC_out was not consulted for that packet at all. It is thus impossible for it to log a drop.
Can you please double check the posted configuration and clarify this?
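For readers following the thread, here is the conventional way to combine an inbound ACL, an outbound ACL and a single-direction CBAC inspection rule on one subinterface. This is an added illustration, not the poster's configuration (which is not reproduced above); the inspection name ABC_FW and the 192.0.2.0/24 addressing are assumed.

```cisco
! Inspection rule: stateful tracking of sessions initiated by hosts
! on the Gi0/0.12 segment. Applied "in" on the interface, CBAC adds
! temporary permits for the return traffic to ABC_out, so ABC_out
! only needs static entries for traffic that is NOT a reply.
ip inspect name ABC_FW tcp
ip inspect name ABC_FW udp
ip inspect name ABC_FW icmp
!
! Inbound ACL: what hosts on this segment may initiate.
! (192.0.2.0/24 is a constructed documentation range.)
ip access-list extended ABC_in
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Outbound ACL: what may be sent TOWARDS this segment unsolicited.
! Return packets of inspected sessions are admitted by the dynamic
! entries CBAC inserts ahead of these lines; "log" on the final deny
! produces the %SEC-6-IPACCESSLOGP lines seen in "show log".
ip access-list extended ABC_out
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 deny   ip any any log
!
interface GigabitEthernet0/0.12
 encapsulation dot1Q 12
 ip address 192.0.2.1 255.255.255.0
 ip access-group ABC_in in
 ip access-group ABC_out out
 ip inspect ABC_FW in
```

With this layout a deny logged by ABC_out can only concern a packet leaving Gi0/0.12 towards the 192.0.2.0/24 hosts; `show ip inspect sessions` confirms whether the session whose reply was dropped was ever tracked in the first place.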