topic Re: Trouble passing HTTP traffic w/ IPS enabled on Multilink Int in Network Security

Trouble passing HTTP traffic w/ IPS enabled on Multilink Interface

Adam Frederick — Sun, 10 Mar 2019 09:52:57 GMT

Scenario:

I have a 2811 using 2 bonded T1s to the Internet (via MLPPP). Before I bonded the T1s and used the serial0 interface to access the net, I used the following statements on my public interface with no problems;

-ip ips myips in

-ip inspect myfw in

After I bonded the T1s and removed the above statements from the serial interface and placed them on them my multilink interface, everything stopped working (i.e. my in house DNS, websites), however a remote user could ping the internal websites. When I removed the above statements from the multilink interface traffic flowed fine, but I had no security. I've included my config. Anyone have any pointers? I also tried using "ip inspect myfw out" on fa0/0 to see if it would work any better and I received the same results, no access to my web servers from the outside world. Once I removed the statement however, everything flowed perfect.

Re: Trouble passing HTTP traffic w/ IPS enabled on Multilink Int

spremkumar — Tue, 07 Feb 2006 08:39:41 GMT

I would suggest a slight change in you ACLs which you have configured up at present.

do remove the access-group 101 commands from the multilink first and then remove the ACL 101 using no access-list 101.

once you are done with that pls paste the below mentioned config lines onto your router..

access-list 101 deny tcp any any eq 4444

access-list 101 deny udp any any eq 4444

access-list 101 deny udp any any eq tftp

access-list 101 deny udp any any eq 593

access-list 101 deny tcp any any eq 1025

access-list 101 deny tcp any any eq 1029

access-list 101 deny tcp any any eq 7789

access-list 101 deny udp any any eq 1025

access-list 101 deny udp any any eq 1029

access-list 101 deny udp any any eq 7789

access-list 101 deny tcp any any eq 135

access-list 101 deny tcp any any eq 136

access-list 101 deny tcp any any eq 137

access-list 101 deny tcp any any eq 139

access-list 101 deny udp any any eq 135

access-list 101 deny udp any any eq 136

access-list 101 deny udp any any eq netbios-ns

access-list 101 deny udp any any eq netbios-ss

access-list 101 permit ip any any

At present you have the permit any any in the middle and start denying everything again.

That shuld be not the case while the ACLs are getting processed.

regds

Re: Trouble passing HTTP traffic w/ IPS enabled on Multilink Int

Adam Frederick — Fri, 10 Feb 2006 01:58:04 GMT

Along with cleaning up the ACL, this was received from TAC:

This bug was filed to remove the default connection limit

restrictions that are currently in the IOS Firewall feature.

In the past, the limits were increased from the original values to

the current values today:

ip inspect max-incomplete high 500

ip inspect max-incomplete low 400

ip inspect one-minute high 500

ip inspect one-minute low 400

ip inspect tcp max-incomplete host 50

However these arbitrary limits have caused a many, many customers to

open cases with the TAC when these limits have been hit, and normal

production traffic has been impacted.

Re: Trouble passing HTTP traffic w/ IPS enabled on Multilink Int

spremkumar — Fri, 10 Feb 2006 10:01:29 GMT

hi there good to see your mail with additional info/stuffs to overcome/solve the issue :-)..

regds