
CBAC Help - VPN & AOL

Status
Not open for further replies.

kcbell (IS-IT--Management), joined Dec 27, 2001, 275 messages
I am learning and using a 3101 router with version 12.1 IOS. I am using "ip inspect" with RULE1 for my Ethernet 0 port.

! Ethernet inside port
ip inspect RULE1 in

With these rules, I have problems with AOL (not web-based) and VPN. I know VPN has to do with IPsec. I could remove RULE1 and both worked. Can anyone offer some help on how to solve these problems and still keep CBAC?

Thanks

! Rules
ip inspect name RULE1 http
ip inspect name RULE1 tftp
ip inspect name RULE1 tcp
ip inspect name RULE1 udp
ip inspect name RULE1 ftp
ip inspect name RULE1 h323
ip inspect name RULE1 rcmd
ip inspect name RULE1 realaudio
ip inspect name RULE1 smtp
ip inspect name RULE1 sqlnet
ip inspect name RULE1 streamworks
ip inspect name RULE1 vdolive

 
Are you using any access list with your CBAC config?
 
Let me give you a little more information. The 3101 is for home network with cable modem coming in to E1 and home network in E0. All home computers are connected via a hub and DHCP by the 3101 and it is NATing to the internet.

ip access-group 101 in

access-list 101 permit icmp any any
access-list 101 permit udp host 10.128.128.20 any eq domain
access-list 101 permit tcp host 10.128.128.20 any eq smtp
access-list 101 permit tcp host 10.128.128.20 any eq pop3
access-list 101 permit ip any any
 
I need the full config to identify the problem.



access-list 101 permit ospf any any
access-list 101 permit tcp 1.1.1.1 0.0.0.255 any eq www
access-list 101 deny ip any any
This will permit OSPF traffic and HTTP traffic from the 1.1.1.1 network and deny all other traffic.

Have you applied the access-list and inspection rule to the correct interface? If the access-list is applied in reverse, it will not work.

Try the sh and debug commands:
sh ip access-lists
debug ip inspect http ...etc.
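The following is an added example, not configuration posted by anyone in this thread, of the conventional CBAC layout the last reply is hinting at: the inspection rule goes inbound on the inside interface, and the restrictive access list goes inbound on the outside interface, because that outside-inbound ACL is the one CBAC inserts its dynamic return-traffic entries in front of. It assumes Ethernet0 is the home LAN and Ethernet1 faces the cable modem, as described above; the ACL number 102, the 192.0.2.10 outside address (an RFC 5737 documentation address) and the assumption that the VPN client uses IKE on UDP 500 with ESP are all mine, not the poster's.

```cisco
! Added example: CBAC with an IPsec VPN passing through the router.
! Interface names, ACL number and addresses are assumptions.
!
! Inspection rule. Generic tcp and udp cover ordinary client traffic;
! keep the application-specific entries for protocols that open
! secondary channels (ftp, h323) or need protocol checks (smtp).
ip inspect name RULE1 tcp
ip inspect name RULE1 udp
ip inspect name RULE1 ftp
ip inspect name RULE1 h323
ip inspect name RULE1 smtp
!
! Inbound ACL for the OUTSIDE interface. CBAC only opens return paths
! for TCP/UDP sessions it saw leave, so anything else the VPN needs
! must be permitted here explicitly. ESP (IP protocol 50) has no ports
! and is never inspected; IKE (UDP 500) and NAT traversal (UDP 4500)
! are listed so the tunnel does not depend on the inspection table.
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq 4500
access-list 102 permit esp any any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
! End in an explicit deny; a trailing "permit ip any any" would make
! the list, and therefore CBAC, a no-op on this interface.
access-list 102 deny ip any any log
!
interface Ethernet0
 description inside - home LAN
 ip address 10.128.128.1 255.255.255.0
 ip nat inside
 ip inspect RULE1 in
!
interface Ethernet1
 description outside - cable modem
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 ip access-group 102 in
```

Two things to check after applying it: `show ip inspect sessions` should list each outbound TCP/UDP session that CBAC is tracking while it is active, and `show ip access-lists 102` should show the dynamic entries CBAC has added at the top of the list. Note also that plain ESP carries no port numbers, so a router doing PAT cannot distinguish more than one inside host's ESP; with NAT traversal the ESP payload is carried inside UDP 4500, which PAT translates normally, which is why that entry is in the list.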
 
