02-18-2004 01:48 PM - edited 03-09-2019 06:28 AM
Hi group,
I have a problem with my Cisco 837 router when using the CBAC firewall feature.
I used Cisco's SDM to configure the device - SDM works a treat - nice piece of software - much better than CRWS
The final configuration works 100% for access from the local network to the internet.
However there seems to be a conflict between the CBAC "ip inspect" command & static NATing the internal mail server to the internet.
The router allows packets from the internet into the mail server but a TCP session is never established and so the connection fails.
If I remove the "ip inspect DEFAULT100 out" command, the internal mail server is accessible with no problems.
So it appears that the "ip inspect" command is causing the problem.
Can anyone offer any suggestions as to what I might need to change to get it to work correctly?
Note: the IOS is the latest on the Cisco site (c837-k9o3y6-mz-123-4.T2)
The full configuration is below (sensitive data removed)
thanks & regards
Tony C
---------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco837
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 **********
!
username ********** privilege 15 password 7 **********
clock timezone Australia/Adelaide 9 30
clock summer-time Australia/Adelaide recurring last Sun Oct 2:00 last Sun Mar 3:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name **********
ip name-server ***.***.***.***
!
no ip bootp server
ip cef
ip inspect tcp idle-time 600
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
no crypto isakmp enable
!
interface Null0
no ip unreachables
!
interface Ethernet0
description **********
ip address 10.0.0.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
description **********
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description **********
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer0
description **********
ip address ***.***.***.*** ***.***.***.***
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname **********
ppp chap password 7 **********
ppp pap sent-username ********** password 7 **********
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 25 ***.***.***.*** 25 extendable
ip nat inside source static tcp 10.0.0.10 110 ***.***.***.*** 110 extendable
ip nat inside source static tcp 10.0.0.10 143 ***.***.***.*** 143 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
!
logging trap debugging
logging 10.0.0.10
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
access-list 2 permit 10.0.0.0 0.0.0.255
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143
access-list 101 permit udp host 203.21.37.18 eq ntp any eq ntp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 deny ip any any
!
dialer-list 1 protocol ip permit
!
snmp-server community ********** RO
snmp-server location **********
snmp-server contact **********
snmp-server enable traps tty
no cdp run
!
control-plane
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
access-class 102 in
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 203.21.37.18
!
end
---------------------------------
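As an added example (not from the thread, SDM or Cisco), a small Python audit of a config like the one above: it lists every static NAT mapping and checks whether the ACL applied inbound on the "ip nat outside" interface permits it, since CBAC's "ip inspect ... out" only opens return paths for sessions started from inside and does nothing for Internet-initiated connections to the mail server. The embedded excerpt is constructed from the posted config with the masked public address replaced by 203.0.113.1 and one extra TCP/3389 mapping added to show the blocked case.

```python
import re

# Constructed excerpt of the IOS configuration posted in the thread: the masked
# public address is replaced by 203.0.113.1, and the TCP/3389 entry is an extra
# constructed line (not in the thread) to show a mapping the ACL does not open.
SAMPLE_CONFIG = """\
interface Dialer0
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
ip nat inside source static tcp 10.0.0.10 25 203.0.113.1 25 extendable
ip nat inside source static tcp 10.0.0.10 110 203.0.113.1 110 extendable
ip nat inside source static tcp 10.0.0.10 143 203.0.113.1 143 extendable
ip nat inside source static tcp 10.0.0.10 3389 203.0.113.1 3389 extendable
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 143
access-list 101 deny ip any any log
"""

# IOS accepts well-known service names after 'eq'; map the ones used here.
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143, "ftp": 21, "www": 80}
STATIC_NAT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)
ACL_PERMIT = re.compile(r"^access-list (\d+) permit (tcp|udp) any any eq (\S+)", re.M)

def static_exposures(config):
    """(proto, inside_ip, inside_port, outside_port) for each static PAT entry."""
    return [(p, ip, int(i), int(o)) for p, ip, i, _, o in STATIC_NAT.findall(config)]

def outside_inbound_acl(config):
    """ACL number applied inbound on the 'ip nat outside' interface, or None."""
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if re.search(r"^ ip nat outside$", block, re.M):
            m = re.search(r"^ ip access-group (\d+) in$", block, re.M)
            return m.group(1) if m else None
    return None

def acl_permits(config, acl):
    """Set of (proto, port) the ACL opens from any source to any destination."""
    return {(p, PORT_NAMES.get(t, int(t) if t.isdigit() else t))
            for num, p, t in ACL_PERMIT.findall(config) if num == acl}

def audit(config):
    """CBAC ('ip inspect ... out') only opens return paths for sessions started
    inside, so a static mapping is reachable only if the inbound ACL permits it."""
    allowed = acl_permits(config, outside_inbound_acl(config))
    return {(p, o): "permitted" if (p, o) in allowed else "blocked"
            for p, _, _, o in static_exposures(config)}
```

For the thread's own config every mapping comes back "permitted", which agrees with the reply below that the failure was an IOS defect rather than a misconfiguration; the audit is still worth keeping, because each "permitted" line is an Internet-reachable service that should be there on purpose.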
02-18-2004 07:14 PM
This is probably the often-hit CBAC bug CSCec78231 (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search), where Internet-initiated TCP connections to inside hosts get dropped.
This is already fixed in later code that is currently not available. Your best bet for now is to regress back to something like 12.3(1)a mainline (of course this may stop you using SDM, but until we can get the fix out there's not much choice, sorry).
02-18-2004 07:52 PM
Thanks for your help - reading the bug report & checking available IOS images for the 837, it looks like 12.3(2)XE is the one that will fix my problem.
I will load it up after business hours tonight & test
I will report the result tomorrow
02-19-2004 01:19 PM
Glenn
Loaded IOS 12.3(2)XE
"ip inspect" working fine
As a bonus, SDM still works with 12.3(2)XE
thanks - problem solved :)