IP INSPECT blocking one web site in particular - Help troubleshooting

Posted on 2008-02-04
Medium Priority
Last Modified: 2010-04-21
Customer has a Cisco 871 running 12.4(4)T7 with IOS Firewall.  They called saying that one of their sites could not access a particular website.  It would load but hang after entering user/pass.  Removed IP INSPECT in from VLAN1 and out from FastEthernet4 (DSL).  Everything started working.  Added either/or back and it would break.

Is there any way I can find out what is being blocked so I can open it up?

ip inspect audit-trail
ip inspect name INFIRE ftp
ip inspect name INFIRE udp
ip inspect name INFIRE sqlnet
ip inspect name INFIRE realaudio
ip inspect name INFIRE h323
ip inspect name INFIRE http
ip inspect name INFIRE https
ip inspect name INFIRE ftps
ip inspect name INFIRE pop3
ip inspect name INFIRE ssh
ip inspect name INFIRE imap
ip inspect name INFIRE imap3
ip inspect name INFIRE pop3s
ip inspect name INFIRE dns
ip inspect name INFIRE esmtp alert on audit-trail on timeout 180
ip inspect name INFIRE tcp


Question by:ClayShooter

Expert Comment

ID: 20825658
What protocol is the website using when they connect, e.g. http or https? You could try removing that inspect from the list. It will then be caught by the generic tcp inspect.

Accepted Solution

lrmoore earned 200 total points
ID: 20829500
Sounds like a classic case of an MTU issue on DSL w/PPPoE.
Try setting the MTU on FastEthernet4 down to 1492.
Or just remove the inspect for https. It does not make you any less secure.

Author Comment

ID: 20833033
That was my first thought.  However, on the 871 the F4 interface doesn't support a user settable MTU.

Expert Comment

ID: 20834758
In which case you should be able to set it on Eth0. This is the actual interface on the router on 871s I believe. Unless there is a vlan interface.

Author Comment

ID: 20834896
VLAN or FastEthernet4 (physical WAN interface) will allow user selectable MTU.

Author Closing Comment

ID: 31428010
I had a brain freeze and was using the wrong command to set the MTU.  After I realized what I was doing wrong I changed the IP MTU on the WAN (F4) interface and it worked great.
