Fw Inspect and how to turn off

Live2 Bicycle
Level 3

I have a router with the FW feature set installed. I am trying to troubleshoot some Polycom video conference traffic. I want to remove the FW inspect rule from my serial interface going to the internet. When I go to s0/1/0 and do a "no ip inspect fw out", it kills all my connections going out s0/1/0. So I thought I would turn off all the ip inspect rules by:

no ip inspect name fw ftp timeout 3600
no ip inspect name fw http java-list 3 timeout 3600
no ip inspect name fw rcmd timeout 3600
no ip inspect name fw realaudio timeout 3600
no ip inspect name fw tcp timeout 3600
no ip inspect name fw tftp timeout 30
no ip inspect name fw udp timeout 15
no ip inspect name fw vdolive timeout 3600
no ip inspect name fw streamworks timeout 3600
no ip inspect name fw sqlnet timeout 3600
no ip inspect name fw dns timeout 3600
no ip inspect name fw pop3 timeout 3600
no ip inspect name fw h323 timeout 3600

This also terminated all my connections trying to exit via s0/1/0, and it also removed the "ip inspect fw out" from the interface.

How can I turn off the FW and STILL ALLOW connections to flow through s0/1/0?

Attached is my config:

5 Replies

jackko
Level 7

You don't have to disable the individual ip inspect statements.

Instead, you can do:

interface Serial0/1/0
no ip inspect fw out

With no ip inspect, the decision on whether to permit or deny traffic relies entirely on the ACLs.

With your config:

interface FastEthernet0/0
ip access-group 105 in

interface Serial0/1/0
ip access-group 100 in
ip access-group 107 out

Thanks for the suggestion, but as I stated in my question, I did try going to S0/1/0 and executing a "no ip inspect". When I did this, all outbound traffic going to the internet was blocked. I also removed the "ip access-group 105 in" from FastE0/0 and the "ip access-group 107 out" from S0/0 before testing this. My ONLY ACL is 100, which blocks traffic coming in from the internet.

I am really perplexed why, when I execute "no ip inspect" on S0/1/0, I can no longer access the internet. This is not rocket science, or so I thought. ;-)

Do you have any other suggestion as to why I cannot get out to the internet when I run "no ip inspect" on S0/1/0 and have NO ACLs blocking outbound traffic?

dopenfield
Level 1

It looks like you've already gotten a reply on how to turn this off.

I'm curious about the details of the problem you are seeing.

We are also investigating a problem with video conferencing through a PIX (7.x). We've got a ticket open, but troubleshooting (with the same suggested solution) got delayed by recent weather events.

We have identified duplicate keepalives being returned to the unit, which causes it to time out the connection. We've not been able to identify the source of the second keepalive.

My issue was with my ACL 100. The rule below allows TCP but NOT UDP. I did an oopsy. Once I allowed both TCP and UDP packets to the internal IP addresses, users could then accept incoming calls to the Polycom. Before I did this, we had to initiate calls from inside our network outbound; we could not accept calls inbound. Darn ACLs will get you every time. I still don't know why I can't remove FW inspect from my S0/1/0 interface, though.

access-list 100 permit tcp any host xxx.xxx.xxx.4 gt 81 log

When CBAC is enabled, the router keeps track of the outbound traffic. That is, the router will create and maintain a state/session table, which is used to determine whether the traffic was initiated by an internal user. If so, the traffic is permitted; if not, the inbound ACL is checked.

e.g.

An internal user tries to access an SMTP server out on the internet. The server sends a response back to the user; the router verifies the traffic and finds it legitimate because the session was initiated by an internal user. The router then permits and forwards the traffic to the internal user.

Now, when you remove the inspect on s0/1/0, the router no longer keeps track of the traffic, so the only thing the router relies on is the inbound ACL.
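The session-table behaviour described above, modelled as an added example that is not part of the original thread and is not Cisco code. The script is a toy stateful-inspection engine: outbound packets leaving the serial interface are recorded in a session table (what CBAC does when `ip inspect fw out` is applied), and an inbound packet is forwarded if it matches a tracked session, otherwise it falls through to the inbound ACL with IOS's implicit deny at the end. Two things from the thread are reproduced: with inspection removed, the SMTP reply is dropped by ACL 100 because nothing in that ACL permits it, and an ACL 100 that permits only TCP to the Polycom host blocks the UDP side of an inbound call until a matching `permit udp` line is added. All addresses, port numbers and the Polycom host (standing in for `xxx.xxx.xxx.4`) are constructed; real CBAC also applies idle timeouts, inspects application payloads (h323, ftp, etc.) and tracks TCP state, none of which this model does.

```python
"""Toy model of Cisco IOS CBAC (ip inspect) plus an inbound ACL.

Added example for the thread above; not Cisco code. Addresses and ports are
constructed. It shows (1) why an outbound-initiated session's return traffic
is dropped once `ip inspect fw out` is removed and only an inbound ACL remains,
and (2) why an ACL that permits TCP but not UDP blocks inbound H.323 calls.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL: permit|deny <proto> any host <dst> [gt N]."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any IP protocol)
    dst: str                     # "any" or one destination host
    gt_port: Optional[int] = None  # IOS 'gt N': match only if dport > N

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.gt_port is not None and not p.dport > self.gt_port:
            return False
        return True


Session = Tuple[str, str, int, str, int]


class Router:
    """Internet-facing interface with an inbound ACL and optional CBAC inspection."""

    def __init__(self, inbound_acl: List[AclEntry], inspect: bool) -> None:
        self.acl = inbound_acl
        self.inspect = inspect          # True == `ip inspect fw out` on the interface
        self.sessions: Set[Session] = set()

    def send_outbound(self, p: Packet) -> None:
        # The thread's final config has no outbound ACL, so everything leaves.
        # With inspection on, CBAC records the flow so its reply can come back.
        if self.inspect:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def receive_inbound(self, p: Packet) -> str:
        # CBAC: a reply to a tracked session is forwarded before the ACL is consulted.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.inspect and reverse in self.sessions:
            return "permit (cbac session)"
        # Otherwise the inbound ACL decides, first match wins, implicit deny at end.
        for entry in self.acl:
            if entry.matches(p):
                return f"{entry.action} (acl)"
        return "deny (implicit)"


# Constructed addresses: inside workstation, public Polycom address, outside hosts.
INSIDE_HOST = "192.168.1.50"
POLYCOM = "203.0.113.4"        # stands in for xxx.xxx.xxx.4 in the thread
OUTSIDE_SMTP = "198.51.100.25"
OUTSIDE_CALLER = "198.51.100.77"

# access-list 100 permit tcp any host xxx.xxx.xxx.4 gt 81 log   (the thread's line)
ACL_100_TCP_ONLY = [AclEntry("permit", "tcp", POLYCOM, gt_port=81)]
# ... plus the matching UDP line the poster added afterwards
ACL_100_FIXED = ACL_100_TCP_ONLY + [AclEntry("permit", "udp", POLYCOM, gt_port=81)]


def smtp_reply(inspect: bool) -> str:
    """Inside host opens SMTP to the internet; what happens to the server's reply?"""
    r = Router(ACL_100_TCP_ONLY, inspect)
    r.send_outbound(Packet("tcp", INSIDE_HOST, 40000, OUTSIDE_SMTP, 25))
    return r.receive_inbound(Packet("tcp", OUTSIDE_SMTP, 25, INSIDE_HOST, 40000))


def inbound_call(acl: List[AclEntry], proto: str, dport: int) -> str:
    """An outside party calls the Polycom; nothing outbound preceded it, so only the ACL applies."""
    r = Router(acl, inspect=True)
    return r.receive_inbound(Packet(proto, OUTSIDE_CALLER, dport, POLYCOM, dport))


if __name__ == "__main__":
    print("SMTP reply, inspect on :", smtp_reply(True))
    print("SMTP reply, inspect off:", smtp_reply(False))
    # H.323 signalling on TCP 1720 and media on UDP 3230 are assumed port numbers.
    print("Inbound call, TCP 1720, tcp-only ACL:", inbound_call(ACL_100_TCP_ONLY, "tcp", 1720))
    print("Inbound call, UDP 3230, tcp-only ACL:", inbound_call(ACL_100_TCP_ONLY, "udp", 3230))
    print("Inbound call, UDP 3230, fixed ACL   :", inbound_call(ACL_100_FIXED, "udp", 3230))
```

The model makes the two observations in the thread concrete: `no ip inspect fw out` does not itself block anything, it just stops the router from opening return holes, so whatever ACL 100 denies (in this case every reply to an internally initiated session) is now dropped; and an ACL line with a protocol keyword of `tcp` matches nothing on UDP, so the media side of a call needs its own permit.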