CBAC "ip inspect" conflicts with static NAT - IOS config help required

amcusack
Level 1

Hi group,

I have a problem with my Cisco 837 router when using the CBAC firewall feature.

I used Cisco's SDM to configure the device - SDM works a treat - nice piece of software - much better than CRWS.

The final configuration works 100% for access from the local network to the internet.

However there seems to be a conflict between the CBAC "ip inspect" command & static NATing the internal mail server to the internet.

The router allows packets from the internet into the mail server but a TCP session is never established and so the connection fails.

If I remove the "ip inspect DEFAULT100 out" command, the internal mail server is accessible with no problems.

So it appears that the "ip inspect" command is causing the problem.

Can anyone offer any suggestions as to what I might need to change to get it to work correctly?

Note: the IOS is the latest on Cisco's site (c837-k9o3y6-mz-123-4.T2).

The full configuration is below (sensitive data removed).

thanks & regards

Tony C

---------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco837
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 **********
!
username ********** privilege 15 password 7 **********
clock timezone Australia/Adelaide 9 30
clock summer-time Australia/Adelaide recurring last Sun Oct 2:00 last Sun Mar 3:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name **********
ip name-server ***.***.***.***
!
no ip bootp server
ip cef
ip inspect tcp idle-time 600
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
no crypto isakmp enable
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description **********
 ip address 10.0.0.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 description **********
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description **********
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description **********
 ip address ***.***.***.*** ***.***.***.***
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname **********
 ppp chap password 7 **********
 ppp pap sent-username ********** password 7 **********
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 25 ***.***.***.*** 25 extendable
ip nat inside source static tcp 10.0.0.10 110 ***.***.***.*** 110 extendable
ip nat inside source static tcp 10.0.0.10 143 ***.***.***.*** 143 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
!
logging trap debugging
logging 10.0.0.10
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
access-list 2 permit 10.0.0.0 0.0.0.255
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143
access-list 101 permit udp host 203.21.37.18 eq ntp any eq ntp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any
!
dialer-list 1 protocol ip permit
!
snmp-server community ********** RO
snmp-server location **********
snmp-server contact **********
snmp-server enable traps tty
no cdp run
!
control-plane
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 102 in
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 203.21.37.18
!
end
---------------------------------
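As an added example (not code from the thread or from Cisco), a small Python audit that parses a constructed excerpt of the posted configuration, cross-checks each static NAT service against the inbound ACL on the NAT-outside interface, and flags the case where an outbound "ip inspect" rule also sits on that interface. The address 203.0.113.5 is a hypothetical stand-in for the masked public IP.

```python
import re
# Constructed excerpt of the poster's IOS config; 203.0.113.5 is a hypothetical stand-in for the masked public IP.
CONFIG = """\
interface Dialer0
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
ip nat inside source static tcp 10.0.0.10 25 203.0.113.5 25 extendable
ip nat inside source static tcp 10.0.0.10 143 203.0.113.5 143 extendable
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 143
"""
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143, "www": 80, "ftp": 21}

def parse_interfaces(cfg: str) -> dict:
    """Map interface name -> its sub-commands (IOS indents them one space)."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif not line.startswith(" "):
            cur = None  # any top-level command ends the interface block
        elif cur is not None:
            cur.append(line.strip())
    return ifaces

def static_nat_ports(cfg: str) -> list:
    """(inside host, public TCP port) for each static port translation."""
    pat = re.compile(r"^ip nat inside source static tcp (\S+) \d+ \S+ (\d+)")
    return [(m[1], int(m[2])) for m in map(pat.match, cfg.splitlines()) if m]

def acl_permitted_tcp_ports(cfg: str, acl: str) -> set:
    """Destination TCP ports that extended ACL `acl` permits from any to any."""
    pat = re.compile(rf"^access-list {acl} permit tcp any any eq (\S+)$")
    return {int(t) if t.isdigit() else PORT_NAMES[t] for t in (m[1] for m in map(pat.match, cfg.splitlines()) if m)}

def audit(cfg: str) -> list:
    """Check static NAT services against the inbound ACL on the NAT-outside interface; flag outbound CBAC there."""
    out, nats = [], static_nat_ports(cfg)
    for name, cmds in parse_interfaces(cfg).items():
        if "ip nat outside" not in cmds:
            continue
        acl = next((c.split()[2] for c in cmds if c.startswith("ip access-group ") and c.endswith(" in")), None)
        insp = next((c.split()[2] for c in cmds if c.startswith("ip inspect ") and c.endswith(" out")), None)
        allowed = acl_permitted_tcp_ports(cfg, acl) if acl else set()
        for host, port in nats:
            out.append(f"{name}: tcp/{port} -> {host} " + (f"permitted by ACL {acl}" if port in allowed else "NOT permitted inbound"))
        if insp and nats:  # the combination this thread is about
            out.append(f"{name}: CBAC '{insp}' outbound plus static NAT; verify inbound TCP sessions complete")
    return out
```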

3 Replies

gfullage
Cisco Employee

This is probably the often-hit CBAC bug CSCec78231 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search), where Internet-initiated TCP connections to inside hosts get dropped.

This is already fixed in later code that is currently not available. Your best bet for now is to regress back to something like 12.3(1)a mainline (of course this may stop you using SDM, but until we can get the fix out there's not much choice, sorry).

Thanks for your help - reading the bug report & checking available IOS images for the 837, it looks like 12.3(2)XE is the one that will fix my problem.

I will load it up after business hours tonight & test.

I will report the result tomorrow.

Glenn

Loaded IOS 12.3(2)XE.

"ip inspect" is working fine.

As a bonus, SDM still works with 12.3(2)XE.

Thanks - problem solved :)