https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326601#M764228 <HTML><HEAD></HEAD><BODY><P>Thanks, I'll try that. One other question. I was looking on Cisco.com and found some sample configs, and they all had the inspect on the inside interface coming in to it. Is this a preferred method, as opposed to having it on the outside going out? Also, if the router is setup as a DNS server, what is required to let the dns replys back in, I kept seeing drops of udp(53). I had to change the workstation to use the dns server directly instead of relaying through the router.</P><P></P><P>Thank you.</P></BODY></HTML> Thu, 29 Oct 2009 13:36:04 GMT bdedek 2009-10-29T13:36:04Z https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326599#M764226 <P>I have a lab setup with a 1721 connected to the Internet. I have enabled ip inspection with several engines including http and https, on the outside interface out bound. I also have an access list on the outside interface blocking inbound traffic. It seems that recently I discovered that when trying to download from Rapidshare and Hotfile sites, the download begins and then hangs pretty quickly. I have confirmed that if I disable the ip inspect out and the ip access group in, the downloads work as expected.</P><P></P><P>I have also checked the logs and don't see any denys so I can't figure why the connection gets dropped. Is there any other debugs that might lead me to find the problem? I have never had this issue until recently, so I don't know if Rapidshare and other providers have changed something.</P><P></P><P>Thanks for any help you may provide.</P><P></P><P></P> Mon, 11 Mar 2019 16:33:28 GMT https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326599#M764226 bdedek 2019-03-11T16:33:28Z https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326600#M764227 <HTML><HEAD></HEAD><BODY><P>Keep the inspections to the minimum required and see if that helps.</P><P>inspect only tcp, udp, icmp and ftp</P><P></P><P>Leave the acl applied IN on the outside.</P><P></P><P>enable "ip inspect log drop" and watch the logs and see if the FW is dropping the packets for some reason.</P><P></P></BODY></HTML> Thu, 29 Oct 2009 04:00:40 GMT https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326600#M764227 Kureli Sankar 2009-10-29T04:00:40Z https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326601#M764228 <HTML><HEAD></HEAD><BODY><P>Thanks, I'll try that. One other question. I was looking on Cisco.com and found some sample configs, and they all had the inspect on the inside interface coming in to it. Is this a preferred method, as opposed to having it on the outside going out? Also, if the router is setup as a DNS server, what is required to let the dns replys back in, I kept seeing drops of udp(53). I had to change the workstation to use the dns server directly instead of relaying through the router.</P><P></P><P>Thank you.</P></BODY></HTML> Thu, 29 Oct 2009 13:36:04 GMT https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326601#M764228 bdedek 2009-10-29T13:36:04Z https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326602#M764229 <HTML><HEAD></HEAD><BODY><P>For the first question there is no difference. You can inspect out on the outside or in on the inside.</P><P></P><P>For the later, depending on the IOS version you can do inspect udp or inspect dns.</P><P></P><P>PK</P></BODY></HTML> Thu, 29 Oct 2009 16:47:04 GMT https://community.cisco.com/t5/network-security/stateful-inspection/m-p/1326602#M764229 Panos Kampanakis 2009-10-29T16:47:04Z