I have a problem with the communication between two sites: one of them has IP A.B.C.D and the other one has IP 22.214.171.124. I cannot get a connection between the two IPs. I modified the ACLs and added "permit ip host 126.96.36.199 any log" to the inbound ACL and "permit ip host 188.8.131.52 any log" to the outbound ACL, but I still have no connectivity. Could it be due to ip inspect?
The configuration is:
ip inspect audit-trail
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 20 block-time 1
ip inspect name C_inspect icmp
ip inspect name C_inspect udp
ip inspect name C_inspect tcp
...
interface ATM0/0/0.1 point-to-point
 ip address A.B.C.D 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip nbar protocol-discovery
 ip nat outside
 ip inspect C_inspect in
 ip virtual-reassembly
 no ip route-cache
 no ip mroute-cache
 crypto map VPN
 pvc 8/32
  encapsulation aal5snap
  pppoe max-sessions 10
...
ip access-list extended INBOUND
 permit ip host 184.108.40.206 any log
 permit esp any any reflect VUELTAin
 permit udp any any eq isakmp reflect VUELTAin
 permit udp any any eq non500-isakmp reflect VUELTAin
 permit tcp any eq ftp 220.127.116.11 0.0.255.255 reflect VUELTAin
 permit tcp any eq ftp-data 18.104.22.168 0.0.255.255 reflect VUELTAin
 permit tcp any eq ftp host A.B.C.D reflect VUELTAin
 permit tcp any eq ftp-data host A.B.C.D reflect VUELTAin
 permit ip host 22.214.171.124 any
 permit ip 126.96.36.199 0.0.0.255 any
 evaluate VUELTA
 deny ip any any log
ip access-list extended OUTBOUND
 permit ip any host 188.8.131.52 log
 permit ip 184.108.40.206 0.0.0.255 220.127.116.11 0.0.0.255 reflect VUELTA
 permit ip 18.104.22.168 0.0.0.255 22.214.171.124 0.0.0.255 reflect VUELTA
 permit icmp 126.96.36.199 0.0.0.255 188.8.131.52 0.0.0.255 reflect VUELTA
 permit tcp 184.108.40.206 0.0.255.255 any eq smtp reflect VUELTA
 permit tcp 220.127.116.11 0.0.255.255 any eq www reflect VUELTA
 permit tcp 18.104.22.168 0.0.255.255 any eq 443 reflect VUELTA
 permit tcp 22.214.171.124 0.0.255.255 any eq pop3 reflect VUELTA
 permit tcp 126.96.36.199 0.0.255.255 any eq ftp reflect VUELTA
 permit tcp 188.8.131.52 0.0.255.255 any eq ftp-data reflect VUELTA
 permit udp 184.108.40.206 0.0.255.255 any eq domain reflect VUELTA
 permit udp any any eq domain reflect VUELTA
 permit icmp any any reflect VUELTA
 permit tcp any 220.127.116.11 0.0.0.255
 deny ip any 18.104.22.168 0.0.7.255
 evaluate VUELTAin
 deny tcp 22.214.171.124 0.0.255.255 0.0.0.0 255.255.248.0
 permit tcp host A.B.C.D any eq www reflect VUELTA
 permit tcp host A.B.C.D any eq 443 reflect VUELTA
 permit tcp host A.B.C.D any eq smtp reflect VUELTA
 permit tcp host A.B.C.D any eq ftp reflect VUELTA
 permit tcp host A.B.C.D any eq pop3 reflect VUELTA
 permit tcp host A.B.C.D any eq 8443 reflect VUELTA
 deny ip any any
I find it actually confusing to see both reflexive ACLs and IP Inspect combined. As the IP Inspect is effectively a superset of reflexive ACLs, I do not see any specific reason to combine them. Do you have any particular need to use both IP Inspect and reflexive ACLs?
Second, your IP Inspect is used in the inbound direction on your ATM/DSL interface. Is that by intent? Usually, on an outside interface, the IP Inspect is used in the outbound direction to track all connections initiated from inside, and to automatically permit replies to those connections to enter the router. However, you have the IP Inspect used in the opposite direction which, while possible, does not make much sense to me in your current deployment.
I originally wanted to directly suggest a change to your configuration but I do not understand your network well. Please try to include more info on the following topics:
The ATM/DSL interface is marked ip nat outside. Are all internal networks privately addressed, and do you NAT/PAT all internal networks?
Are there any servers in your internal networks that must be accessible from the outside (i.e. the INBOUND ACL must contain open ports for these servers and services)?
Do you limit your internal networks to a selected set of services outside, or should the internal networks be able to access all services in the outside?
Simplifying your redundant ACL configuration is of the essence here - I believe that your current ACLs, especially when combined with the IP Inspect, are unnecessarily convoluted.
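To make the reflexive-ACL mechanism in the configuration above concrete (the reflect/evaluate pairs that IP Inspect would replace with its own session table), here is an added Python model of first-match extended-ACL evaluation with Cisco wildcard masks and reflexive entries. It is constructed for this thread, not IOS code; the two short ACLs and the RFC 5737 addresses inside it are placeholders, not the poster's real addresses.

```python
import ipaddress
# Constructed, simplified model of IOS extended ACLs with reflexive "reflect NAME" /
# "evaluate NAME" entries (illustration for the thread above, not IOS code).
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21, "ftp-data": 20, "pop3": 110, "isakmp": 500}

def wildcard_match(addr, spec, wildcard):
    """Cisco wildcard mask: bits set to 1 are don't-care bits."""
    a, s, w = (int(ipaddress.ip_address(x)) for x in (addr, spec, wildcard))
    return (a ^ s) & ~w & 0xFFFFFFFF == 0

def parse_ace(line):
    """Grammar: permit|deny PROTO SRC [eq P] DST [eq P] [reflect NAME] [log]  |  evaluate NAME."""
    tok = line.split()
    action = tok.pop(0)
    if action == "evaluate": return {"action": action, "name": tok[0]}
    ace = {"action": action, "proto": tok.pop(0)}
    for side in ("src", "dst"):
        t = tok.pop(0)                           # any | host X | X WILDCARD
        ace[side] = (("0.0.0.0", "255.255.255.255") if t == "any" else
                     (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0)))
        ace[side + "port"] = None
        if tok and tok[0] == "eq":               # optional 'eq PORT' qualifier
            name = tok[1]; del tok[:2]
            ace[side + "port"] = int(PORT_NAMES.get(name, name))
    ace["reflect"] = tok[tok.index("reflect") + 1] if "reflect" in tok else None
    return ace

def ace_matches(ace, p):
    return (ace["proto"] in ("ip", p["proto"])
            and wildcard_match(p["src"], *ace["src"]) and wildcard_match(p["dst"], *ace["dst"])
            and ace["srcport"] in (None, p["sport"]) and ace["dstport"] in (None, p["dport"]))

def apply_acl(acl, p, reflexive):
    """First match wins (implicit deny). 'reflect' stores the mirrored 5-tuple; 'evaluate' permits it."""
    key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    for ace in map(parse_ace, acl):
        if ace["action"] == "evaluate":
            if key in reflexive.get(ace["name"], set()): return "permit"
        elif ace_matches(ace, p):
            if ace["action"] == "permit" and ace["reflect"]:   # record the return-traffic entry
                reflexive.setdefault(ace["reflect"], set()).add((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))
            return ace["action"]
    return "deny"

# Constructed ACLs in the thread's style; addresses are RFC 5737 documentation placeholders.
OUTBOUND = ["permit tcp 192.0.2.0 0.0.0.255 any eq www reflect VUELTA", "deny ip any any"]
INBOUND = ["permit ip host 203.0.113.7 any log", "evaluate VUELTA", "deny ip any any log"]

def demo():   # (inside->web, its reply, an unsolicited inbound packet, a packet from the static peer)
    state, pkt = {}, lambda s, sp, d, dp: {"proto": "tcp", "src": s, "sport": sp, "dst": d, "dport": dp}
    out = apply_acl(OUTBOUND, pkt("192.0.2.10", 40000, "198.51.100.5", 80), state)
    reply = apply_acl(INBOUND, pkt("198.51.100.5", 80, "192.0.2.10", 40000), state)
    stray = apply_acl(INBOUND, pkt("198.51.100.5", 80, "192.0.2.10", 40001), state)
    peer = apply_acl(INBOUND, pkt("203.0.113.7", 5000, "192.0.2.10", 443), state)
    return out, reply, stray, peer   # ('permit', 'permit', 'deny', 'permit')
```

The "peer" case shows what the poster's added "permit ip host ... any log" entry does: it is a stateless hole that admits any packet from that host regardless of the reflexive state, so when it matches (the ACL counters show hits) and traffic still fails, the cause lies elsewhere than the ACLs.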
I have erased the "ip inspect" configuration (it is no longer applied on the ATM interface), and I still can't establish communication between the two IPs; however, I can see matches in the inbound and outbound ACLs.
After deleting all the entries of the ip inspect configuration:
no ip inspect tcp synwait-time 15
no ip inspect tcp max-incomplete host 20 block-time 1