CBAC / IP Inspect Confusion

We have recently installed a new Cisco 837 router running IOS version 12.3(2)XC2 and an issue relating to CBAC / 'ip inspect' command has come to light.

When the 'ip inspect' command is applied outbound only on the Dialer0 interface, we are able to access/browse the Internet from the internal network successfully but cannot receive incoming mail. Outgoing e-mail is fine.

However, when the 'ip inspect' command (outbound) is removed from the Dialer0 interface altogether, we are able to receive incoming mail but cannot get to the Internet at all.

We've worked around this by applying the 'ip inspect' commands to the Dialer0 interface both in AND outbound so as not to disrupt service but think that surely this must only be a temporary measure due to the increased security risk.

This router is configured in practically exactly the same way as another 837 also running IOS version 12.3(2)XC2. With the 'ip inspect' command applied outbound only on the Dialer0 interface of this second router, we see none of the same issues and everything works fine.

I think that this may be a symptom of a misconfiguration rather than a problem in itself but I don't know what. Could it be NAT or route maps?

I will post config if anyone wants to have a look.

Thank you in advance for your help & suggestions.


You put an Access-list on the Dialer0 that permits incoming mail and keep the Inspect.

access-list 100 permit tcp any host my.mail.server eq 25

interface Dialer0
 ip access-group 100 in

Substitute the EXTERNAL address of the mail server for "my.mail.server".

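The arrangement suggested in the reply above, written out in full as an added example (not a configuration posted by anyone in the thread): inspection stays outbound only, and the inbound ACL admits nothing from the Internet except SMTP to the mail server. The inspection rule name FW and the address 192.0.2.10 (a documentation placeholder for the mail server's external address) are assumptions; ACL number 100 is taken from the reply.

```cisco
! Constructed example. FW and 192.0.2.10 are placeholders, not values from the thread.
!
! CBAC rule: track sessions started from the inside so that their
! return traffic is admitted through the inbound ACL dynamically.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound ACL on the Internet-facing interface.
! The only statically opened service is SMTP to the mail server's
! external address. Everything else arriving unsolicited is dropped,
! and the explicit deny logs the drops for review.
access-list 100 permit tcp any host 192.0.2.10 eq 25
access-list 100 deny   ip any any log
!
interface Dialer0
 ! Filter traffic arriving from the Internet
 ip access-group 100 in
 ! Inspect sessions leaving towards the Internet (outbound only)
 ip inspect FW out
!
! Checks after applying:
!   show ip inspect sessions   (active outbound sessions being tracked)
!   show access-lists 100      (hit counts on the permit and deny lines)
```

With this layout, inspection never needs to be applied inbound on Dialer0: inbound mail is admitted by the single permit line, and replies to outbound sessions are admitted by the temporary entries CBAC adds ahead of ACL 100.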

Correct me if I'm wrong, but isn't the point of "ip inspect" to get around manually defining ACL's? In fact, I believe in 12.3T, a feature called "firewall ACL bypass" was introduced. If I understand it correctly, that feature is to eliminate redundant ACL processing - an inbound pass, inspect, and outbound pass, with the idea being that if inspect "sees" the traffic, the other two ACL processes are assumed to be performed.

I ask this because I'm starting to work with the firewall feature set myself, and too have noticed odd behavior. In my case, with inspect on, RTP flows between IP phones work. Shut it down, and I get one-way audio. All of this with no ACL's. However, I have to explicitly define ACL's for skinny even though it's configured to be inspected. Very odd, and I don't understand the inconsistency.

Any insights would be appreciated!
