Anyone, I've got an issue with a 2650 running 12.4(18) Adv Sec and using IOS FW. It's doing NAT, and that portion works fine. The problem is the CBAC isn't opening the holes in the inbound ACL on the exterior interface like it's supposed to. IP Inspect is enabled on the outside interface outbound, there is a restrictive ACL inbound on the outside interface, and a permissive ACL outbound on the outside interface. 'sh ip inspect sis det' shows the various sessions (http, sip, etc.) and references the ACLs involved:

AaronComp#sh ip inspec sis det
Established Sessions
 Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
  Created 00:58:42, Last heard 00:50:20
  Bytes sent (initiator:responder) [117:1741]
  Initiator->Responder Window size 65535 Scale factor 0
  Responder->Initiator Window size 5840 Scale factor 0
  In SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
 Session 8334F614 (192.168.2.51:5060)=>(165.166.25.4:5060) sip SIS_OPEN
  Created 00:09:01, Last heard 00:00:27
  Bytes sent (initiator:responder) [31526:16875]
  Initiator->Responder Window size 0 Scale factor 0
  Responder->Initiator Window size 0 Scale factor 0

But I never see those dynamic entries added to the ACL, and the return traffic gets dropped. I've done it before, worked as designed. Is there something I'm just not getting here?

Thanks,
Chuck

Relevant config:

ip inspect name To_WAN tcp
ip inspect name To_WAN udp
ip inspect name To_WAN realaudio
ip inspect name To_WAN netshow
ip inspect name To_WAN tftp
ip inspect name To_WAN http
ip inspect name To_WAN sip timeout 3600
ip inspect name To_WAN esmtp
ip inspect name To_WAN icmp
ip inspect name To_WAN ftp
ip inspect name To_WAN dns
ip inspect name To_WAN pop3

interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address x.y.132.210 255.255.255.248
 ip access-group From_WAN in
 ip access-group Block-outbound out
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nbar protocol-discovery
 ip inspect To_WAN out
 ip nat outside
 no ip virtual-reassembly
 service-policy output upload-all

ip access-list extended Block-outbound
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny tcp any any eq 139
 deny tcp any any eq 445
 permit ip any any

ip access-list extended From_WAN
 permit icmp any host x.y.132.210 administratively-prohibited
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any host x.y.132.210 echo-reply
 permit icmp any host x.y.132.210 packet-too-big
 permit icmp any host x.y.132.210 time-exceeded
 permit icmp any host x.y.132.210 traceroute
 permit icmp any host x.y.132.210 unreachable
 permit tcp any host x.y.132.210 eq 5800
 permit tcp any host x.y.132.210 eq 5503
 permit tcp any host x.y.132.210 eq www
 permit tcp any host x.y.132.210 eq 3389
 permit tcp any host x.y.132.210 eq 5500
 permit tcp any host x.y.132.210 eq 5700
 permit udp any host x.y.132.210 eq 5800
 permit udp any host x.y.132.210 eq 5503
 permit udp any host x.y.132.210 eq 80
 permit udp any host x.y.132.210 eq 3389
 permit udp any host x.y.132.210 eq 5500
 permit udp any host x.y.132.210 eq 5700
 permit tcp w.x.42.0 0.0.0.255 any eq 22
 permit tcp w.x.55.0 0.0.0.255 any eq 22
 permit tcp 71.15.89.0 0.0.0.255 any eq 22
 permit ip any any    <---- Added as a stop-gap until I can resolve the issue. Without this, issue still exists, and no return traffic is permitted!

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
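The "In SID ... on ACL ... (N matches)" lines in that output are where CBAC's dynamic permits for return traffic are visible, one per session. The script below is an added example (not from the post or from Cisco) that parses such output and flags sessions that have no SID on the named inbound ACL, or a SID that has never matched; SAMPLE is constructed from the post's output with the same masked addresses.

```python
import re

# Constructed sample modelled on the 'sh ip inspect sessions detail' output in the
# post (two sessions, only the first carrying an In SID line); not a live capture.
SAMPLE = """\
Established Sessions
 Session 8334C194 (192.168.10.57:1036)=>(24.158.63.45:80) http SIS_OPEN
  Created 00:58:42, Last heard 00:50:20
  In SID 24.158.63.45[80:80]=>x.y.132.210[1036:1036] on ACL From_WAN (7 matches)
 Session 8334F614 (192.168.2.51:5060)=>(165.166.25.4:5060) sip SIS_OPEN
  Created 00:09:01, Last heard 00:00:27
"""

# " Session <id> (<src>)=>(<dst>) <proto> <state>"
SESSION_RE = re.compile(r"^\s*Session\s+(\w+)\s+\((\S+)\)=>\((\S+)\)\s+(\S+)\s+(\S+)")
# "  In SID <responder>=><initiator> on ACL <name> (<n> matches)"
SID_RE = re.compile(r"^\s*In SID\s+(\S+)=>(\S+)\s+on ACL\s+(\S+)\s+\((\d+) matches\)")


def parse_sessions(text):
    """Return one dict per session; SID lines are attached to the preceding session."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": m.group(1), "src": m.group(2), "dst": m.group(3),
                             "proto": m.group(4), "state": m.group(5), "sids": []})
            continue
        m = SID_RE.match(line)
        if m and sessions:
            sessions[-1]["sids"].append({"from": m.group(1), "to": m.group(2),
                                        "acl": m.group(3), "matches": int(m.group(4))})
    return sessions


def audit(text, inbound_acl):
    """List (session id, protocol, reason) for sessions whose return path is not
    covered by a dynamic entry on inbound_acl, or whose entry has 0 matches
    (the hole exists but no return packet has hit it)."""
    findings = []
    for s in parse_sessions(text):
        on_acl = [d for d in s["sids"] if d["acl"] == inbound_acl]
        if not on_acl:
            findings.append((s["id"], s["proto"], "no In SID on " + inbound_acl))
        elif all(d["matches"] == 0 for d in on_acl):
            findings.append((s["id"], s["proto"], "In SID present but 0 matches"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "From_WAN"):
        print("%s %-5s %s" % finding)
```

On the sample this reports only the sip session, since the http session's SID on From_WAN already shows 7 matches.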