Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

WLAN Problem 871W with ip inspect name half-open

Hello everybody,

i have a new Cisco 871W-G-E-K9 for home office.

Everything is running on LAN side, but WLAN has no internet connect.

a) Working with Ethernet on VLAN1 is fine with NAT, VPN, internet connect etc......

b) Working with the Dot11Radio does work to LAN side but does not to WAN side.

> Configuration Firewall from WLAN via BVI and connect PC on VLAN1 ist fine.

> RADIUS auth works also

> WLAN and internet works ONLY if i remove the ip inspect from the WAN interface FastE4 and modify access-list to allow ip ack or remove the access-list from WAN.

i tried days long with different configs; using Bridge or direct dot11radio ..... and i can not see my mistake. Give me your view. Tried all IOS now - Version 12.4(4)T.

The config is long so i attached it as TXT file. sh runn and sh vers.

"sh ip nat tr" show me NAT is working.

"sh ip inspect sess" show me the sessions in half-open mode ???

Thank's Robert

2 REPLIES
Silver

Re: WLAN Problem 871W with ip inspect name half-open

To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. Use the no form of this command to reset the threshold to the default of 500 half-open sessions.

ip inspect max-incomplete high number

no ip inspect max-incomplete high

An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, "half-open" means that the session has not reached the established state. For UDP, "half-open" means that the firewall has detected traffic from one direction only.

Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number). The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

New Member

Re: WLAN Problem 871W with ip inspect name half-open

Hi,

i have the following solution in the meantime.

give the WLAN PC 192.168.121.251 his own public ip (nat). And removing the 192.168.121.0/24 from NO-NAT list

............

ip nat inside source route-map NAT-RMAP interface FastEthernet4 overload

ip nat inside source static 192.168.121.251 83.y.y.y1

ip nat inside source static 192.168.120.129 83.y.y.y2

ip nat inside source static 192.168.120.161 83.y.y.y3

!

ip access-list extended NO-NAT

remark SDM_ACL Category=2

deny ip 192.168.120.0 0.0.0.255 192.168.1.0 0.0.0.255

deny ip 192.168.120.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.120.0 0.0.0.255 any

!

route-map NAT-RMAP permit 10

match ip address NO-NAT

................

but normaly it should also work with the route-map on the interface FastE4 when it is in NO-NAT see'n at attached config.

This workaroung now works only for one WLAN Host.

regards Robert

151
Views
0
Helpful
2
Replies