IP Inspect problem, dropping telnet and ftp sessions in VPN.

gloubier
Level 1

Hi,

We recently activated IP Inspect on every router that connects to the main office via VPN, and we're starting to have problems with IP Inspect blocking telnet, ftp and other traffic that is not supposed to be blocked. When we deactivate IP Inspect everything is fine. Another problem we have: the traffic (telnet or ftp) works for a short time and then the telnet or ftp connection is dropped by ip inspect.

Does anyone have a solution to my problem? I want to keep every router (which is directly connected to the Internet but also connected to the main office via VPN).

We use Cisco 871 router with IOS 12.4(4)T4.

If someone could help me with my problem I'd really appreciate it.

Thanks!

25 Replies

Hi,

And I guess I need to add "ip access-group 101 in" on the int dialer1 (for the PPPoE client)?

Thanks

Perfectly correct!

Hi,

I finally started to test my firewall setup on 3 production routers. Everything seems to be working fine on the 2 PPPoE clients, but the DHCP client couldn't renew its IP address, and when I removed "ip access-group 101 in" (after a shut/no shut of the interface) the renew worked.

Is there an access-list rule I need in order to accept DHCP requests from their ISP?

Thanks!

I found the problem.

I need these 2 access-list rules for the DHCP request:

access-list 101 permit udp any any eq bootps

access-list 101 permit udp any any eq bootpc

Thanks!

There's no point in doing inspection over an IPSEC tunnel. That's what IPSEC is for!

Hi,

Maybe I'm wrong, and feel free to correct me, but the ip inspect is not only for the traffic in the VPN. The clients are also using the internet directly from their provider (they're not using the VPN for http), and since they are directly connected to the internet they are a possible source of attack.

Hi Guillaume

You are right, you use IP inspect for the normal traffic and you create the access-lists to exempt the IPSec traffic from being blocked...

Remember your IP inspect command is inspecting TCP and UDP (not ESP, which is meaningless and maybe even not there!)

Regards,
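The pieces discussed in this thread (CBAC inspection on the ISP-facing interface, an inbound access-list that lets through only the EzVPN IPsec traffic and the ISP's DHCP replies) put together as an added example; this is not any poster's configuration, and the inspect rule name FW, the ACL number 101 and Dialer1 as the outside interface are assumptions.

```ios
! Added example, not a poster's config. Assumed names: inspect rule FW, ACL 101, outside interface Dialer1.
! CBAC tracks outbound TCP/UDP/ICMP sessions and opens the return path dynamically.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound ACL on the outside interface: only traffic CBAC cannot track gets a static hole.
access-list 101 remark IKE to/from the EzVPN head-end (UDP 500 and NAT-T UDP 4500)
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 remark the IPsec tunnel itself (ESP is not a TCP/UDP session, so inspect never opens it)
access-list 101 permit esp any any
access-list 101 remark DHCP offers/acks from the ISP server (bootps -> bootpc) for the DHCP-client WAN
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 remark everything else from the Internet is dropped and logged
access-list 101 deny   ip any any log
!
interface Dialer1
 ip access-group 101 in
 ip inspect FW out
```

The IKE and ESP lines can be narrowed from `any` to `host` plus the head-end's public address once it is known; `show ip inspect sessions` and `show access-list 101` show which sessions CBAC opened and which ACL line is matching, respectively.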

Hi,

Cool thanks!

And by the way, everything is working great since I configured 5 routers to use my access-list/ip inspect config.

I want to thank you again for your really good help!

Hi,

Another question about a problem we have on a few routers.

Sometimes the internet stops working for the computers that are connected to the router (which is connected via VPN to the main office); it's like the router is refusing the connection to the internet.

Here is the log we have when we do a debug ip (on the private IP the computer is using):

EDT: IP: tableid=0, s=10.1.1.1 (Vlan1), d=PROXY (Dialer1), routed via FIB

EDT: IP: s=10.1.1.1 (Vlan1), d=PROXY (Dialer1), g=GATEWAYPUBLICIP, len 48, forward

TCP src=1121, dst=80, seq=2099553562, ack=0, win=65535 SYN

IP: tableid=0, s=10.1.1.1 (local), d=PROXY (Dialer1), routed via FIB

IP: s=10.1.1.1 (local), d=PRPXY (Dialer1), len 40, sending

TCP src=1121, dst=80, seq=2099553563, ack=0, win=0 RST

I don't understand why the router is doing a "RST" on the connection. It's not supposed to block the connection; does anyone have an idea why we have that kind of problem on about 5% of our routers?

Thanks!

Make sure you are enabling split tunneling using the route-map command and access-lists... If you post the full config of one of the routers that does not work, I will try and help you!

Regards,

Hi,

No we don't use split tunneling because we're using ezvpn.

Thanks for your help!