02-06-2006 05:59 PM - edited 03-10-2019 01:52 AM
Scenario:
I have a 2811 using 2 bonded T1s to the Internet (via MLPPP). Before I bonded the T1s, when I used the serial0 interface to access the net, I used the following statements on my public interface with no problems:
-ip ips myips in
-ip inspect myfw in
After I bonded the T1s and removed the above statements from the serial interface and placed them on my multilink interface, everything stopped working (i.e. my in-house DNS, websites); however, a remote user could ping the internal websites. When I removed the above statements from the multilink interface, traffic flowed fine, but I had no security. I've included my config. Anyone have any pointers? I also tried using "ip inspect myfw out" on fa0/0 to see if it would work any better and I received the same results: no access to my web servers from the outside world. Once I removed the statement, however, everything flowed perfectly.
02-07-2006 12:39 AM
hi
I would suggest a slight change in the ACLs you have configured at present.
Remove the access-group 101 commands from the multilink first and then remove ACL 101 using no access-list 101.
Once you are done with that, please paste the config lines below onto your router.
access-list 101 deny tcp any any eq 4444
access-list 101 deny udp any any eq 4444
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq 593
access-list 101 deny tcp any any eq 1025
access-list 101 deny tcp any any eq 1029
access-list 101 deny tcp any any eq 7789
access-list 101 deny udp any any eq 1025
access-list 101 deny udp any any eq 1029
access-list 101 deny udp any any eq 7789
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 136
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 136
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any
At present you have the permit any any in the middle and then start denying everything again.
That should not be the case, given how ACLs are processed.
regds
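The reply above rests on one property of IOS access lists: entries are evaluated top to bottom, the first match wins, and an unmatched packet hits the implicit deny at the end. The following is an added example (not from the thread) that models that first-match behaviour in Python for the entry shapes used in the posted access-list 101, and compares the corrected list against a constructed, misordered copy with "permit ip any any" in the middle, to show that every deny below the permit is dead. Port names, addresses and the misordered list are assumptions for illustration.

```python
"""First-match simulation of a Cisco IOS extended numbered ACL.

Added example (not from the thread). It covers only the ACE shapes used in
the posted access-list 101: 'permit|deny ip|tcp|udp any any [eq <port>]'.
"""

# Well-known service names that appear in the posted ACL; nothing else is assumed.
PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-ss": 139}


def parse_ace(line):
    """Parse one 'access-list <n> <action> <proto> any any [eq <port>]' line."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry: {line!r}")
    if t[4:6] != ["any", "any"]:
        raise ValueError(f"only 'any any' is modelled: {line!r}")
    port = None
    if len(t) == 8 and t[6] == "eq":
        port = PORT_NAMES.get(t[7])
        if port is None:
            port = int(t[7])
    elif len(t) != 6:
        raise ValueError(f"unsupported qualifier: {line!r}")
    return (action, proto, port)


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]


def evaluate(acl, proto, dport):
    """IOS first-match semantics with the implicit 'deny ip any any' at the end.

    Returns (action, index); index is None when the implicit deny applied.
    """
    for i, (action, aproto, aport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:
            continue
        if aport is not None and aport != dport:
            continue
        return action, i
    return "deny", None


def shadowed_entries(acl):
    """Indices of entries that can never match: an earlier entry already
    matches every packet they would match."""
    dead = []
    for i, (_, proto, port) in enumerate(acl):
        for _, eproto, eport in acl[:i]:
            if (eproto == "ip" or eproto == proto) and (eport is None or eport == port):
                dead.append(i)
                break
    return dead


# The list as posted in the reply (denies first, permit last).
CORRECTED_ACL = """
access-list 101 deny tcp any any eq 4444
access-list 101 deny udp any any eq 4444
access-list 101 deny udp any any eq tftp
access-list 101 deny udp any any eq 593
access-list 101 deny tcp any any eq 1025
access-list 101 deny tcp any any eq 1029
access-list 101 deny tcp any any eq 7789
access-list 101 deny udp any any eq 1025
access-list 101 deny udp any any eq 1029
access-list 101 deny udp any any eq 7789
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 136
access-list 101 deny tcp any any eq 137
access-list 101 deny tcp any any eq 139
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 136
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-ss
access-list 101 permit ip any any
"""

# Constructed to mirror the problem the reply describes: the permit lands in
# the middle, so every deny after it is unreachable.
_lines = CORRECTED_ACL.strip().splitlines()
MISORDERED_ACL = "\n".join(_lines[:3] + [_lines[-1]] + _lines[3:-1])


def demo():
    good, bad = parse_acl(CORRECTED_ACL), parse_acl(MISORDERED_ACL)
    return {
        "corrected tcp/135": evaluate(good, "tcp", 135),
        "misordered tcp/135": evaluate(bad, "tcp", 135),
        "corrected tcp/80": evaluate(good, "tcp", 80),
        "dead entries in misordered": shadowed_entries(bad),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The shadow check is the part worth keeping: run it over a real ACL before applying it, and any entry it reports can be deleted without changing behaviour, or, as here, tells you a permit has been placed too early.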
02-09-2006 05:58 PM
Along with cleaning up the ACL, this was received from TAC:
This bug was filed to remove the default connection limit
restrictions that are currently in the IOS Firewall feature.
In the past, the limits were increased from the original values to
the current values today:
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50
However, these arbitrary limits have caused many, many customers to
open cases with the TAC when the limits have been hit and normal
production traffic has been impacted.
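The five `ip inspect` values quoted by TAC are watermarks on half-open (SYN seen, handshake not completed) sessions tracked by the IOS Firewall. The following is an added example (not from the thread or from Cisco) that models the documented behaviour behind the aggregate and per-host limits: above `max-incomplete high` the inspection engine enters aggressive mode and tears down the oldest half-open session for each new request, leaving that mode only when the count falls below `max-incomplete low`; above `tcp max-incomplete host` it tears down the oldest half-open session to that destination. The `one-minute` rate thresholds and the block-time behaviour are not modelled, and the traffic, addresses and scenario sizes are constructed for illustration.

```python
"""Model of the IOS Firewall (CBAC) half-open TCP session thresholds.

Added example, not from the thread. Defaults are the values quoted in the TAC
note: aggregate high 500 / low 400, 50 half-open sessions per destination host.
The one-minute rate thresholds are not modelled; all traffic is constructed.
"""
from collections import OrderedDict


class HalfOpenTable:
    def __init__(self, high=500, low=400, per_host=50):
        self.high, self.low, self.per_host = high, low, per_host
        self.half_open = OrderedDict()   # (src, dst, dport) -> None, oldest first
        self.aggressive = False
        self.deleted = 0                 # half-open sessions torn down by the firewall

    def half_open_to(self, dst):
        return sum(1 for (_, d, _) in self.half_open if d == dst)

    def syn(self, src, dst, dport):
        """Inbound SYN seen; the handshake has not completed yet."""
        key = (src, dst, dport)
        # ip inspect tcp max-incomplete host: too many half-open to one host,
        # so the oldest half-open session to that host is deleted.
        if self.half_open_to(dst) >= self.per_host:
            oldest = next(k for k in self.half_open if k[1] == dst)
            del self.half_open[oldest]
            self.deleted += 1
        # ip inspect max-incomplete high/low: in aggressive mode each new
        # request costs the oldest half-open session in the table.
        if self.aggressive and self.half_open:
            self.half_open.popitem(last=False)
            self.deleted += 1
        self.half_open[key] = None
        if len(self.half_open) > self.high:
            self.aggressive = True
        return key

    def established(self, key):
        """Handshake completed (or session timed out): no longer half-open."""
        self.half_open.pop(key, None)
        if self.aggressive and len(self.half_open) < self.low:
            self.aggressive = False


def single_server_burst(clients=60):
    """Constructed: `clients` remote hosts open connections to one web server
    and none has completed yet. Returns (deleted, remaining_half_open)."""
    fw = HalfOpenTable()
    for i in range(clients):
        fw.syn(f"198.51.100.{i}", "192.0.2.80", 80)
    return fw.deleted, len(fw.half_open)


def aggregate_burst(requests=600, completed=102):
    """Constructed: `requests` connections to distinct hosts (so the per-host
    limit never fires), then `completed` handshakes finish.
    Returns (deleted, aggressive_after_burst, aggressive_after_completions)."""
    fw = HalfOpenTable()
    for i in range(requests):
        fw.syn(f"203.0.113.{i % 250}", f"10.0.{i // 250}.{i % 250}", 25)
    in_aggressive = fw.aggressive
    # Complete the oldest surviving handshakes; the very oldest were already
    # deleted in aggressive mode, which is the production impact TAC mentions.
    for key in list(fw.half_open)[:completed]:
        fw.established(key)
    return fw.deleted, in_aggressive, fw.aggressive


if __name__ == "__main__":
    print("one server, 60 pending clients:", single_server_burst(60))
    print("600 requests, 102 complete:", aggregate_burst(600, 102))
```

The per-host case is the one to keep in mind for a site that publishes web servers: fifty pending handshakes to a single address is a small number on a busy server or behind slow client links, and once it is exceeded the firewall starts discarding legitimate pending connections to that host, which from outside looks like the server intermittently not answering.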
02-10-2006 02:01 AM
Hi there, good to see your mail with additional info to overcome/solve the issue :-).
regds