I have a 1721 router with IOS firewall that is blocking traffic as expected. The problem is that I want to create an opening so that the firewall does not block a certain IP address or UDP protocol. I already have ACL permit statements applied to the WAN & FastEthernet ports to permit the desired UDP & IPs. I have looked at all the options for the IP Inspect command but don't see where I can create this exception, and I have also removed all ip inspect statements relating to UDP. Can anyone tell me how I can force the firewall to permit the below traffic without disabling the FW completely? It's the firewall that is giving me trouble, not the ACLs or my IPS.
Thanks in advance for any suggestions...
Here is the message in the log which shows that the FW is blocking my traffic:
Mar 22 14:18:35 CDT: %FW-6-DROP_UDP_PKT: Dropping udp pkt 216.115.30.200:69 => 192.168.0.75:2060 with ip ident 16221 due to Bidirectional traffic disabled

And here are the IP Inspect statements:

ip inspect log drop-pkt
ip inspect one-minute low 200
ip inspect one-minute high 300
ip inspect dns-timeout 4
ip inspect tcp idle-time 15
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 40 block-time 30
ip inspect name myfw cuseeme timeout 15
ip inspect name myfw realaudio timeout 30
ip inspect name myfw h323 timeout 3600
ip inspect name myfw icmp alert on timeout 15
ip inspect name myfw rpc program-number 100008 timeout 15
ip inspect name myfw vdolive timeout 15
ip inspect name myfw streamworks timeout 5
ip inspect name myfw sqlnet timeout 5
ip inspect name myfw skinny timeout 5
ip inspect name myfw rtsp timeout 5
ip inspect name myfw netshow timeout 30
ip inspect name myfw rcmd alert on timeout 15
ip inspect name myfw sip alert on timeout 30
ip inspect name myfw tftp timeout 5
ip inspect name myfw http timeout 30
ip inspect name myfw fragment maximum 400 timeout 30
ip inspect name myfw tcp alert on timeout 30
ip inspect name myfw telnet alert on audit-trail on
ip inspect name myfw ftp timeout 15
ip inspect name mwfw imap alert on
ip inspect name mwfw dns alert on
ip inspect name mwfw pop3 alert on
1721a#show ver
Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.4(17a), RELEASE SOFTWARE (fc2)
Technical Support:
ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
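The drop message quoted in the post is the only evidence of what the inspection engine is discarding, so a small parser over the syslog feed is the quickest way to see which flows are affected before touching the `ip inspect` configuration. The following is an added example, not the poster's code or anything from Cisco: it parses `%FW-x-DROP_TCP_PKT` / `%FW-x-DROP_UDP_PKT` lines in the format shown above (the `with ip ident N` fragment is treated as optional, an assumption), aggregates drops by service and reason, and applies a heuristic (also an assumption, not a CBAC rule) to flag inside hosts whose apparent reply traffic was dropped. The sample log is the line from the post plus constructed lines with made-up addresses and ports; the inside network `192.168.0.0/24` is assumed from the destination address in the log.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Drop message format as it appears in the post. TCP/UDP only; the
# "with ip ident N" fragment is optional here (assumption).
DROP_RE = re.compile(
    r"%FW-\d-DROP_(?P<proto>TCP|UDP)_PKT: Dropping (?:tcp|udp) pkt "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) => "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
    r"(?: with ip ident (?P<ident>\d+))? due to (?P<reason>.+?)\s*$"
)

# Assumed inside network, taken from the destination address in the log.
INSIDE = ipaddress.ip_network("192.168.0.0/24")

# Sample input: first line is the one from the post (rejoined onto one
# line); the rest are constructed in the same format with made-up values.
SAMPLE_LOG = [
    "Mar 22 14:18:35 CDT: %FW-6-DROP_UDP_PKT: Dropping udp pkt "
    "216.115.30.200:69 => 192.168.0.75:2060 with ip ident 16221 "
    "due to Bidirectional traffic disabled",
    "Mar 22 14:18:36 CDT: %FW-6-DROP_UDP_PKT: Dropping udp pkt "
    "216.115.30.200:69 => 192.168.0.75:2061 with ip ident 16222 "
    "due to Bidirectional traffic disabled",
    "Mar 22 14:19:02 CDT: %FW-6-DROP_TCP_PKT: Dropping tcp pkt "
    "198.51.100.7:44321 => 192.168.0.75:23 due to Invalid Segment",
    "Mar 22 14:19:05 CDT: %SYS-5-CONFIG_I: Configured from console by vty0",
]


@dataclass(frozen=True)
class FwDrop:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ident: Optional[int]
    reason: str


def parse_drop(line: str) -> Optional[FwDrop]:
    """Return an FwDrop for a %FW-x-DROP_{TCP,UDP}_PKT line, else None."""
    m = DROP_RE.search(line)
    if not m:
        return None
    ident = m.group("ident")
    return FwDrop(
        proto=m.group("proto").lower(),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        ident=int(ident) if ident is not None else None,
        reason=m.group("reason"),
    )


def looks_like_reply(drop: FwDrop, inside: ipaddress.IPv4Network) -> bool:
    """Heuristic (assumption): a packet from a well-known source port on an
    outside host to an ephemeral port on an inside host is most likely the
    answer to a request for which the inspector holds no session."""
    return (
        ipaddress.ip_address(drop.dst) in inside
        and ipaddress.ip_address(drop.src) not in inside
        and drop.sport < 1024 <= drop.dport
    )


def summarize(lines: Iterable[str], inside: ipaddress.IPv4Network) -> dict:
    """Aggregate drops by (proto, source port, reason) and count, per inside
    host, the apparent replies that were dropped. Non-drop lines are counted
    as unparsed rather than silently ignored."""
    by_service: Counter = Counter()
    replies: Counter = Counter()
    unparsed = 0
    for line in lines:
        d = parse_drop(line)
        if d is None:
            unparsed += 1
            continue
        by_service[(d.proto, d.sport, d.reason)] += 1
        if looks_like_reply(d, inside):
            replies[(d.dst, d.src, d.sport)] += 1
    return {"by_service": by_service, "replies": replies, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, INSIDE)
    for (proto, sport, reason), n in report["by_service"].most_common():
        print(f"{n:4d}  {proto}/{sport:<5d} {reason}")
    for (dst, src, sport), n in report["replies"].most_common():
        print(f"inside host {dst}: {n} dropped replies from {src}:{sport}")
    print(f"unparsed lines: {report['unparsed']}")
```

Run it against the router's syslog export instead of `SAMPLE_LOG` to get the same summary for real traffic; the `replies` table is the part to look at when the question is whether the inspection engine is discarding answers to sessions it never opened, which is what the "Bidirectional traffic disabled" reason in the post suggests.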