We have a 1720 router with FW feature set. We currently have it inspecting traffic exiting INT S0.
Now that we have a Pix behind this router we want to remove the inspection on this 1720 to free up CPU resources and hopefully improve the MLPPP problems we are running into (dropped packets due to high CPU load).
I added the following line to the Inbound ACL on the S0 interface
access-list 103 permit tcp any any gt 1023 established
Then I removed the IP Inspect from that interface. At that point I was no longer able to access the Internet (I believe the return traffic was being blocked).
Are there any temp ACLs that might still be attached to the S0 interface left over from the IP Inspect?
Are you still doing NAT on the router even with the PIX in place? If you are still doing NAT on the router have the PIX do the NAT. Then try removing the access list from the router and test. I don't think the access list is the problem.
Perhaps if you can clarify the setup a little bit more and post the sanitized PIX and router configuration that would help.
Prior to the Pix this 1720 was doing all of our NAT as well as FW. The Pix was configured completely off-line then put in place. For a few years now we've had double NAT going. The Pix would NAT the Internal machines to one address, then the 1720 would NAT that to our public addresses. This worked/works perfectly fine. Because of this I don't think the issue is with the Pix or its configuration.
We just added a second Internet T1 and bundled them using MLPPP. Our connectivity is still working but the CPU is running high during peak traffic periods on the 1720 and it's dropping fragments/packets. I was hoping to just disable the FW on the 1720 without going through the hassle of reconfiguring our Pix to see if that would free up the CPU enough to run MLPPP properly. I guess disabling all that NAT would also free up CPU cycles too, so I'm sure that would be the proper way to do it.
I realize my configuration is more complicated this way but one of the benefits is if this Pix ever died, we could quickly switch back to this 1720 and suffer very minimal downtime.
I will review my Pix configuration and see how much work would be involved in making all the NAT changes and just have this 1720 route the Internet traffic.
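An added illustration of the stateless ACL approach discussed above (example configuration, not the poster's or anyone's actual config). The `established` keyword only matches TCP segments with the ACK or RST bit set, so an ACL built from that one line admits no UDP or ICMP replies; the entries below show what a CBAC-less inbound list on S0 typically has to cover. ACL number 103 and interface Serial0 are taken from the thread; the inspect rule name is a placeholder.

```cisco
! Added example (not the poster's configuration): stateless replacement for
! "ip inspect" on the S0 inbound list. ACL 103 and Serial0 come from the
! thread; INSPECT_RULE_NAME is a placeholder for whatever rule was applied.
!
! "established" inspects only TCP flag bits (ACK/RST); it keeps no session
! table, so it is weaker than CBAC but cheap on CPU.
access-list 103 remark Return TCP traffic to high ports (ACK/RST set only)
access-list 103 permit tcp any any gt 1023 established
!
! UDP has no "established" equivalent: DNS replies from the resolvers need
! an explicit entry or name lookups fail even though TCP is permitted.
access-list 103 remark DNS replies (source port 53) to high client ports
access-list 103 permit udp any eq domain any gt 1023
!
! ICMP control messages needed for path MTU discovery, traceroute and ping
access-list 103 remark ICMP error and echo-reply messages
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any echo-reply
!
! Explicit logged deny so blocked return flows show up in the log rather
! than disappearing silently.
access-list 103 remark Everything else, logged
access-list 103 deny ip any any log
!
interface Serial0
 ip access-group 103 in
 no ip inspect INSPECT_RULE_NAME out
```

After applying it, `show ip inspect interfaces` confirms that no inspect rule is still bound to the interface, and `show access-lists 103` shows per-entry hit counts, so any return traffic still landing on the final deny is visible immediately.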