I have a rtr with the FW feature set installed. I am trying to troubleshoot some polycom video conference traffic. I want to remove the FW Inspect rule from my serial interface going to the internet. When I go to s0/1/0 and do a NO ip inspect fw out it kills all my connections going out s0/1/0. So I thought I would turn off all the ip inspect rules by:
no ip inspect name fw ftp timeout 3600
no ip inspect name fw http java-list 3 timeout 3600
no ip inspect name fw rcmd timeout 3600
no ip inspect name fw realaudio timeout 3600
no ip inspect name fw tcp timeout 3600
no ip inspect name fw tftp timeout 30
no ip inspect name fw udp timeout 15
no ip inspect name fw vdolive timeout 3600
no ip inspect name fw streamworks timeout 3600
no ip inspect name fw sqlnet timeout 3600
no ip inspect name fw dns timeout 3600
no ip inspect name fw pop3 timeout 3600
no ip inspect name fw h323 timeout 3600
This also terminated all my connections trying to exit via s0/1/0 as well as this also removed the ip inspect fw out from the interface.
How can I turn off the FW and STILL ALLOW connections to flow through s0/1/0?
Thanks for the suggestion but as I stated in my question I did try going to S0/1/0 and executing a no ip inspect. When I did this all outbound traffic going to the internet was blocked. I also removed the ip access-group 105 in from FastE0/0 and ip access-group 107 out from S0/0 before testing this. My ONLY ACL is the 100 which blocks traffic coming in from the internet.
I am really perplexed why when I execute no ip inspect on S0/1/0 that I no longer can access the internet. This is not rocket science, or so I thought. ;-)
Do you have any other suggestion as to why I can not get out to the internet when I remove ip inspect from S0/1/0 and have NO ACLs blocking outbound traffic?
My issue was with my ACL 100. The below rule allows TCP but NOT UDP. I did an oopsy. Once I allowed both TCP and UDP packets to the internal IP addresses, users could then accept incoming calls to the polycom. Before I did this we had to initiate calls from inside our network outbound. We could not accept calls inbound. Darn ACLs will get ya every time. I still don't know why I can't remove FW inspect from my S0/1/0 interface though.
access-list 100 permit tcp any host xxx.xxx.xxx.4 gt 81 log
When CBAC is enabled, the router keeps track of the outbound traffic. That is, the router will create/maintain a state/session table, which is used to determine whether the traffic was initiated by an internal user. If so, then it permits the traffic; if not, then it checks the inbound ACL.
An internal user tries to access an SMTP server on the internet. When the server sends a response back to the user, the router will verify the traffic, and it is legitimate because the session was initiated by an internal user. The router will then permit and forward the traffic to the internal user.
Now, when you remove the inspect on s0/1/0, the router will no longer keep track of the traffic, so the only thing the router will rely on is the inbound ACL.
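The following is an added example, not code from the thread or from Cisco: a small Python model of the behaviour described in the answer above and of the ACL mistake in the poster's own resolution. It simulates a CBAC session table on the outside interface and a top-down inbound ACL with IOS's implicit deny. Without inspection, the SMTP reply is checked only against ACL 100 and is dropped, which matches the symptom in the question; with a TCP-only permit for the video unit, inbound UDP media is dropped until a matching UDP entry is added. Addresses, ports and the ACL entries are constructed placeholders (the thread's xxx.xxx.xxx.4 is shown as 198.51.100.4 from TEST-NET-2), and NAT is deliberately left out.

```python
"""Toy model of CBAC ("ip inspect") plus an inbound ACL on an edge router.
Added example for the thread; not the router's real implementation."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    dst: str                     # host address or "any"
    dport_gt: Optional[int] = None  # models the "gt N" port qualifier


def acl_match(acl: List[AclEntry], pkt: Packet) -> bool:
    """Evaluate entries top-down; an unmatched packet hits the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if e.dst != "any" and e.dst != pkt.dst:
            continue
        if e.dport_gt is not None and not pkt.dport > e.dport_gt:
            continue
        return e.action == "permit"
    return False


class Router:
    """Outside interface with an inbound ACL and optional outbound inspection."""

    def __init__(self, inbound_acl: List[AclEntry], inspect_out: bool = True):
        self.inbound_acl = inbound_acl
        self.inspect_out = inspect_out
        # CBAC state table: (proto, inside addr, inside port, outside addr, outside port)
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def send_outbound(self, pkt: Packet) -> bool:
        """Inside -> outside. With inspection, the session is recorded."""
        if self.inspect_out:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True  # the thread has no outbound ACL in play, so always forwarded

    def receive_inbound(self, pkt: Packet) -> bool:
        """Outside -> inside. Session table first, then the inbound ACL."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.inspect_out and key in self.sessions:
            return True
        return acl_match(self.inbound_acl, pkt)


def scenarios() -> dict:
    """Reproduce both situations from the thread with constructed packets."""
    inside, server, polycom = "10.0.0.10", "203.0.113.25", "198.51.100.4"
    # access-list 100 permit tcp any host <polycom> gt 81  (as in the post)
    acl_tcp_only = [AclEntry("permit", "tcp", polycom, dport_gt=81)]
    # the fix the poster described: also permit UDP to the same host
    acl_fixed = acl_tcp_only + [AclEntry("permit", "udp", polycom, dport_gt=81)]

    out = Packet("tcp", inside, 50000, server, 25)      # user -> SMTP server
    reply = Packet("tcp", server, 25, inside, 50000)    # server's response

    with_inspect = Router(acl_tcp_only, inspect_out=True)
    with_inspect.send_outbound(out)
    no_inspect = Router(acl_tcp_only, inspect_out=False)
    no_inspect.send_outbound(out)

    call_tcp = Packet("tcp", server, 40000, polycom, 1720)  # signalling (constructed port)
    call_udp = Packet("udp", server, 40002, polycom, 5004)  # media (constructed port)
    return {
        "reply_with_inspect": with_inspect.receive_inbound(reply),
        "reply_without_inspect": no_inspect.receive_inbound(reply),
        "inbound_call_tcp_original_acl": acl_match(acl_tcp_only, call_tcp),
        "inbound_call_udp_original_acl": acl_match(acl_tcp_only, call_udp),
        "inbound_call_udp_fixed_acl": acl_match(acl_fixed, call_udp),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
```

The `reply_without_inspect` result is the answer's point in one line: once nothing records the outbound session, the SMTP reply has to stand on its own against ACL 100, whose only permit is for the video unit, so every internally initiated connection loses its return traffic. The two UDP results show the ACL fix from the resolution post.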