Posted by KB on October 13, 2007, 2:08 pm
working properly. I have an inspect list that covers TCP and UDP outgoing, and an access list inbound that denies everything. For the most part, it works, but it doesn't load certain pages very well. Things like Google Maps don't load the maps, and other "dynamic" pages have problems. Has anyone else run into this before? Here are my statements:

    ip inspect max-incomplete high 9000
    ip inspect max-incomplete low 9000
    ip inspect one-minute high 9000
    ip inspect one-minute low 9000
    ip inspect name MYFW tcp audit-trail on timeout 1800
    ip inspect name MYFW udp audit-trail on timeout 10

    interface Dialer1
     ip address negotiated
     ip inspect MYFW out
     ip access-group 101 in
     ip access-group ALL out
     ip nat outside
     ip virtual-reassembly max-fragments 45 max-reassemblies 300 timeout 60
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1

    ip access-list extended ALL
     permit ip any any

    access-list 101 permit tcp any any eq domain
    access-list 101 permit udp any any eq domain
    access-list 101 permit tcp any any established
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny icmp any any

Any suggestions would be great!

Thanks,
Kelly
Posted by John on October 13, 2007, 2:31 pm
the problem? If you remove the ACLs and the inspect commands, everything works properly?

Since you use CBAC, you don't need "permit tcp any any established" in ACL 101. That's what CBAC is for.

If you have confirmed that CBAC causes the problem, I would suggest adding as the last lines in list 101:

    access-list 101 deny tcp any gt 0 any gt 0 log
    access-list 101 deny udp any gt 0 any gt 0 log
    access-list 101 deny ip any any log

and try to correlate the logs of the router with the pages that fail to load.

Also, you should add the line:

    ip inspect log drop-pkt

It will show you any drops that the CBAC engine does.

John
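
The log correlation suggested in the reply above can be scripted. This is an added example, not part of the original thread: it assumes the `log` keyword on ACL 101 produces the usual `%SEC-6-IPACCESSLOGP` syslog lines, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
Oct 13 14:40:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.20(80) -> 203.0.113.5(3412), 1 packet
Oct 13 14:40:07: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.20(80) -> 203.0.113.5(3413), 4 packets
Oct 13 14:41:12: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.53(53) -> 203.0.113.5(1029), 1 packet
Oct 13 14:41:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.99(4021) -> 203.0.113.5(445), 2 packets
Oct 13 14:42:00: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
"""

# TCP/UDP deny entries: "list <acl> denied <proto> src(sport) -> dst(dport), N packet(s)"
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def summarize_denies(log_text, acl="101"):
    """Sum denied packets per (proto, remote IP, remote source port) for one ACL."""
    totals = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["acl"] == acl:
            totals[(m["proto"], m["src"], int(m["sport"]))] += int(m["count"])
    return totals


def likely_return_traffic(totals, service_ports=(53, 80, 443)):
    """Keep denies whose source port is a server port: these look like replies
    to outbound sessions that inspection should have allowed back in, so the
    remote IPs are the ones to match against the pages that fail to load."""
    return {k: v for k, v in totals.items() if k[2] in service_ports}


if __name__ == "__main__":
    hits = likely_return_traffic(summarize_denies(SAMPLE_LOG))
    for (proto, ip, port), pkts in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{pkts:4d} pkts denied  {proto} from {ip}:{port}")
```

Denies from high source ports to local service ports (the fourth sample line) are unsolicited inbound traffic and are expected to be dropped; only the reply-shaped entries point at a session the firewall lost track of.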

IP Inspect and Browsing issues