Cisco Support Community

NAT on a Stick with IOS Firewall

I have two Internet routers configured to allow VPN clients to connect and NAT back out for Internet access. On my 2801 with a Fast Ethernet outside interface it works fine. On my 2811 with an MLPPP outside interface, ip inspect stops HTTP from working properly (pinging works fine). Both routers are running the same version of IOS (12.4.12). Below is a snip of config from the router I'm having problems with.

ip inspect hashtable-size 8192
ip inspect name cbac_inspect ftp
ip inspect name cbac_inspect icmp
ip inspect name cbac_inspect esmtp
ip inspect name cbac_inspect udp
ip inspect name cbac_inspect http java-list 2 urlfilter
ip inspect name cbac_inspect tcp
!
! NAT-inside "stick": policy-routed VPN client traffic enters here and is translated back out
interface Loopback1
 ip address
 ip nat inside
 ip virtual-reassembly
!
! Outside interface: NAT outside, crypto map for the VPN clients, policy routing for their traffic
interface Multilink1
 ip address ###
 ip nat outside
 ip virtual-reassembly
 ip policy route-map vpn_in
 crypto map vpnmap
!
ip local pool vpnpool
!
ip nat inside source list NAT-LIST interface Multilink1 overload
!
ip access-list extended NAT-LIST
 permit ip any
!
ip access-list extended vpn_in
 permit ip any
!
access-list 2 permit any
!
! Policy-route VPN client traffic to the loopback so it is NATed back out Multilink1
route-map vpn_in permit 10
 match ip address vpn_in
 set ip next-hop

Disabling ip inspect on the outside (multilink1) interface fixes the problem. I would like to have ip inspect on the interface though so I can apply an inbound ACL. When I use the "sh ip nat trans" and "sh ip inspect all" commands I see the proper entries. When I do a packet capture I see a SYN, SYN ACK, ACK, HTTP GET *dead silence*. Any ideas?
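As an added example (not from the original post), a small Python checker for the NAT-on-a-stick dependencies the config above relies on: the outside interface's policy route-map must send VPN client traffic to a next-hop that lies on the subnet of an `ip nat inside` interface (the loopback "stick"), and it also reports whether CBAC is applied on that outside interface at all. The sample config, its interface addresses and the next-hop are constructed stand-ins for the values redacted in the post.

```python
import ipaddress
import re
# Constructed sample modelled on the thread's snippet; addresses are made-up placeholders.
SAMPLE_CONFIG = """\
interface Loopback1
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
interface Multilink1
 ip nat outside
 ip policy route-map vpn_in
!
route-map vpn_in permit 10
 match ip address vpn_in
 set ip next-hop 10.255.255.2
"""

def parse_blocks(text):
    """Group IOS config lines into {header: [indented subcommands]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:  # global command ('!' and blank lines included); only these headers open a block
            current = line.rstrip() if line.startswith(("interface ", "route-map ")) else None
            if current is not None:
                blocks[current] = []
    return blocks

def check_nat_on_a_stick(text):
    """Return findings about the hairpin wiring (empty list = consistent)."""
    blocks = parse_blocks(text)
    ifaces = {h.split()[1]: s for h, s in blocks.items() if h.startswith("interface ")}
    inside_nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)  # 'stick' subnets
                   for s in ifaces.values() if "ip nat inside" in s
                   for m in (re.match(r"ip address (\S+) (\S+)", x) for x in s) if m]
    findings = []
    for name, subs in ((n, s) for n, s in ifaces.items() if "ip nat outside" in s):
        pol = next((x.split()[-1] for x in subs if x.startswith("ip policy route-map ")), None)
        if pol is None:
            findings.append(f"{name}: no 'ip policy route-map' to hairpin VPN client traffic")
            continue
        hops = [x.split()[-1] for h, rm in blocks.items() if h.startswith(f"route-map {pol} ")
                for x in rm if x.startswith("set ip next-hop ")]
        for hop in hops:  # the next-hop must sit on an 'ip nat inside' subnet to be translated
            if not any(ipaddress.ip_address(hop) in net for net in inside_nets):
                findings.append(f"next-hop {hop} is not on any 'ip nat inside' interface subnet")
        if not any(x.startswith("ip inspect ") for x in subs):
            findings.append(f"{name}: no 'ip inspect <name> in|out' applied, so CBAC is not inspecting this path")
    return findings
```

Run it against a `show running-config` capture to confirm the hairpin path is wired as intended before turning inspection on or off on the outside interface.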


Re: NAT on a Stick with IOS Firewall

Please make sure here "dead silence" means the firewall allows the unwanted traffic or any other thing.
