Posted by KB on October 13, 2007, 2:08 pm
working properly. I have an inspect list that covers TCP and UDP outgoing, and an access list inbound that denies everything. For the most part, it works, but it doesn't load certain pages very well. Things like Google Maps don't load the maps, and other "dynamic" pages have problems. Has anyone else run into this before? Here are my statements:

    ip inspect max-incomplete high 9000
    ip inspect max-incomplete low 9000
    ip inspect one-minute high 9000
    ip inspect one-minute low 9000
    ip inspect name MYFW tcp audit-trail on timeout 1800
    ip inspect name MYFW udp audit-trail on timeout 10

    interface Dialer1
     ip address negotiated
     ip inspect MYFW out
     ip access-group 101 in
     ip access-group ALL out
     ip nat outside
     ip virtual-reassembly max-fragments 45 max-reassemblies 300 timeout 60
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1

    ip access-list extended ALL
     permit ip any any

    access-list 101 permit tcp any any eq domain
    access-list 101 permit udp any any eq domain
    access-list 101 permit tcp any any established
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny icmp any any

Any suggestions would be great!

Thanks,
Kelly
Posted by John on October 13, 2007, 2:31 pm
First of all, are you sure that the inspection engine is the cause of the problem? If you remove the ACLs and the inspect commands, does everything work properly?

Since you use CBAC, you don't need "permit tcp any any established" in ACL 101. That's what CBAC is for.

If you have confirmed that CBAC causes the problem, I would suggest adding these as the last lines in list 101:

    access-list 101 deny tcp any gt 0 any gt 0 log
    access-list 101 deny udp any gt 0 any gt 0 log
    access-list 101 deny ip any any log

and try to correlate the logs of the router with the pages that fail to load.

Also, you should add the line:

    ip inspect log drop-pkt

It will show you any drops that the CBAC engine does.

John
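One way to do the log correlation suggested in the reply above, as an added example that is not part of the original thread: it totals the denies logged by ACL 101 per remote host and port, and flags those that look like return traffic for which no inspect session existed. The `%SEC-6-IPACCESSLOGP` line layout, the sample lines, the addresses and the "reply-like" port heuristic are assumptions; check them against the syslog output of your IOS release.

```python
import re
from collections import Counter

# Constructed sample lines in the usual IOS "%SEC-6-IPACCESSLOGP" layout
# (assumed format; addresses are documentation ranges, not from the thread).
SAMPLE_LOG = """\
Oct 13 14:40:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(80) -> 198.51.100.5(51234), 1 packet
Oct 13 14:40:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.10(80) -> 198.51.100.5(51234), 4 packets
Oct 13 14:40:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.77(4500) -> 198.51.100.5(137), 1 packet
Oct 13 14:41:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.44(443) -> 198.51.100.5(51300), 2 packets
Oct 13 14:41:11: %SYS-5-CONFIG_I: Configured from console by vty0
"""

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_denies(text, acl="101"):
    """Yield one dict per logged deny from the given ACL; skip other lines."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m and m["acl"] == acl:
            yield {**m.groupdict(), "sport": int(m["sport"]),
                   "dport": int(m["dport"]), "count": int(m["count"])}

def looks_like_reply(hit):
    """Heuristic (assumption): a low source port sending to a high destination
    port suggests a server answering a client, i.e. blocked return traffic."""
    return hit["sport"] < 1024 <= hit["dport"]

def summarize(text, acl="101"):
    """Total denied packets per (proto, remote ip, remote port, kind)."""
    totals = Counter()
    for hit in parse_denies(text, acl):
        kind = "reply-like" if looks_like_reply(hit) else "unsolicited"
        totals[(hit["proto"], hit["src"], hit["sport"], kind)] += hit["count"]
    return totals

if __name__ == "__main__":
    for (proto, src, sport, kind), pkts in summarize(SAMPLE_LOG).most_common():
        print(f"{pkts:4d} pkts  {proto} {src}:{sport}  {kind}")
```

Remote hosts that show up as "reply-like" while a page is failing are the ones to compare against the servers that page loads from.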
IP Inspect and Browsing issues