Re: Stateful Inspection

bdedek · ‎10-28-2009

I have a lab setup with a 1721 connected to the Internet. I have enabled ip inspection with several engines including http and https, on the outside interface out bound. I also have an access list on the outside interface blocking inbound traffic. It seems that recently I discovered that when trying to download from Rapidshare and Hotfile sites, the download begins and then hangs pretty quickly. I have confirmed that if I disable the ip inspect out and the ip access group in, the downloads work as expected.

I have also checked the logs and don't see any denys so I can't figure why the connection gets dropped. Is there any other debugs that might lead me to find the problem? I have never had this issue until recently, so I don't know if Rapidshare and other providers have changed something.

Thanks for any help you may provide.

Kureli Sankar · ‎10-28-2009

Keep the inspections to the minimum required and see if that helps.

inspect only tcp, udp, icmp and ftp

Leave the acl applied IN on the outside.

enable "ip inspect log drop" and watch the logs and see if the FW is dropping the packets for some reason.

bdedek · ‎10-29-2009

Thanks, I'll try that. One other question. I was looking on Cisco.com and found some sample configs, and they all had the inspect on the inside interface coming in to it. Is this a preferred method, as opposed to having it on the outside going out? Also, if the router is setup as a DNS server, what is required to let the dns replys back in, I kept seeing drops of udp(53). I had to change the workstation to use the dns server directly instead of relaying through the router.

Thank you.

Panos Kampanakis · ‎10-29-2009

For the first question there is no difference. You can inspect out on the outside or in on the inside.

For the later, depending on the IOS version you can do inspect udp or inspect dns.

PK