
Turning off SPI no internet access

Hi
I want to completely turn off Stateful Packet Inspection; I have two problems when I do this:
1. My VPN tunnel goes down
2. No one can access the internet on the LAN

The reason I need to turn it off is that Windows Vista cannot browse the web when SPI is turned on on the router.
Code Snippet:
Current configuration : 7545 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password-encryption disabled, the enable password, the
! local username password and the vty line password in this config are stored
! and displayed in clear text (type 0). "service password-encryption" would only
! add reversible type 7 obfuscation; "enable secret" / "username ... secret"
! store hashes instead.
no service password-encryption
!
hostname -RTR-01
!
boot-start-marker
boot-end-marker
!
! Local log buffer is disabled and no "logging host" appears in this config, so
! the "deny ip any any log" hits from access-list 101 are only visible on the
! console/monitor sessions.
no logging buffered
! The hashed enable secret (value not shown in the post) takes precedence over
! the clear-text "enable password" on the next line when both are configured;
! the enable password is therefore redundant and only exposes a credential.
enable secret 5 
enable password password
!
! Privilege-15 local user with a type-0 (clear-text) password.
username acrelec privilege 15 password 0 password
clock timezone London 0
! Summer time is pinned to fixed 2003 dates, so DST is not applied in other
! years; the "recurring" form would track it automatically.
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
! LAN DHCP: .1-.49 and .101-.254 are excluded, so clients are assigned
! 10.14.1.50-100 with the router (10.14.1.1) as default gateway.
ip dhcp excluded-address 10.14.1.1 10.14.1.49
ip dhcp excluded-address 10.14.1.101 10.14.1.254
!
ip dhcp pool default
   import all
   network 10.14.1.0 255.255.255.0
   dns-server 62.24.128.17 62.24.128.18
   default-router 10.14.1.1
!
!
ip name-server 62.24.128.18
ip name-server 62.24.128.17
! Two CBAC (stateful inspection) rule sets with identical protocol lists.
! SDM_LOW is applied outbound and sdm_ins_in_100 inbound on Dialer0 (see the
! interface section). The outbound inspection is what dynamically opens return
! traffic through inbound access-list 101, which otherwise has no stateless
! return-traffic permits (no "established" entry) for ordinary LAN web traffic;
! removing the inspection without adding such permits would be consistent with
! the LAN losing Internet access.
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW tcp
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 tcp
! IOS intrusion detection: alarms are only logged (see logging note above).
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
! IKE phase 1: 3DES, pre-shared key, DH group 2. These are legacy algorithms;
! AES and a stronger DH group are preferable where the IOS image supports them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for the remote peer 90.x.x.x, stored in clear text (type 0).
crypto isakmp key password address 90.x.x.x
!
!
! IKE phase 2 proposal: ESP with 3DES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Site-to-site tunnel; traffic to protect is defined by access-list 102
! (10.14.1.0/24 to 192.168.0.0/24 and 192.168.100.0/24). The map is bound to
! Dialer0 in the interface section.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to90.x.x.x
 set peer 90.x.x.x
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
! LAN side. Access-list 100 (inbound) is an anti-spoofing filter: it drops
! packets from LAN hosts claiming the WAN subnet, the limited broadcast address
! or loopback space, and permits everything else.
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.14.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 hold-queue 100 out
!
! ADSL uplink: PPP over ATM on PVC 0/38, member of dialer pool 1.
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
! Switch ports without IP configuration.
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
! WAN side. Access-list 101 is applied inbound here. CBAC inspects outgoing
! traffic (SDM_LOW) and incoming traffic (sdm_ins_in_100) and opens the
! matching return paths through access-list 101. NAT overload and the IPsec
! crypto map are also bound to this interface. The PPP CHAP/PAP credentials
! (values not shown in the post) are stored in clear text (type 0) as a
! consequence of "no service password-encryption".
interface Dialer0
 description $FW_OUTSIDE$
 ip address 92.x.x.x 255.255.255.128
 ip access-group 101 in
 ip nat outside
 ip inspect sdm_ins_in_100 in
 ip inspect SDM_LOW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname 
 ppp chap password 0 
 ppp pap sent-username password 0 
 crypto map SDM_CMAP_1
! NAT overload behind the WAN address. Route-map SDM_RMAP_1 (access-list 103)
! exempts the VPN-protected LAN-to-remote traffic from translation so that it
! can still match crypto access-list 102.
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Management over both clear-text HTTP and HTTPS, source-restricted by
! access-list 2. With the secure server enabled, the plain HTTP server could
! be disabled ("no ip http server").
ip http server
ip http access-class 2
ip http secure-server
!
!
! access-list 1: the LAN subnet; not referenced anywhere else in this config.
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.14.1.0 0.0.0.255
! access-list 2: permitted sources for the HTTP(S) server. "permit 192.168.0.0"
! with no wildcard matches only the single address 192.168.0.0 and is made
! redundant by the later 192.168.0.0/24 entry.
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 permit 192.168.0.0
access-list 2 permit 90.x.x.x
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 82.29.157.64 0.0.0.3
! access-list 100: inbound on Ethernet0 (LAN). Anti-spoofing: drops sources in
! the WAN /25 (wildcard 0.0.0.127 matches the 255.255.255.128 mask on Dialer0),
! the limited broadcast address and loopback space, then permits everything.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 92.24.4.0 0.0.0.127 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! access-list 101: inbound on Dialer0 (WAN); evaluated top-down, first match
! wins. Management (telnet, ssh, www, 443, cmd/rsh, snmp) is accepted only from
! three source ranges; telnet, www, cmd and snmp are clear-text protocols, so
! limiting this to ssh and 443 would be preferable. DNS replies from the two
! name servers, IPsec control/data traffic from the peer and a few ICMP types
! are the only other stateless permits; all other inbound traffic depends on
! the CBAC openings created by the inspection rules on Dialer0.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 92.x.x.x eq telnet
access-list 101 permit tcp host 90.x.x.x host 92.x.x.x eq telnet
access-list 101 permit tcp 82.29.157.64 0.0.0.3 host 92.x.x.x eq telnet
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 92.x.x.x eq 22
access-list 101 permit tcp host 90.x.x.x host 92.x.x.x eq 22
access-list 101 permit tcp 82.29.157.64 0.0.0.3 host 92.x.x.x eq 22
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 92.x.x.x eq www
access-list 101 permit tcp host 90.x.x.x host 92.x.x.x eq www
access-list 101 permit tcp 82.29.157.64 0.0.0.3 host 92.x.x.x eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 92.x.x.x eq 443
access-list 101 permit tcp host 90.x.x.x host 92.x.x.x eq 443
access-list 101 permit tcp 82.29.157.64 0.0.0.3 host 92.x.x.x eq 443
access-list 101 permit tcp 192.168.0.0 0.0.0.255 host 92.x.x.x eq cmd
access-list 101 permit tcp host 90.x.x.x host 92.x.x.x eq cmd
access-list 101 permit tcp 82.29.157.64 0.0.0.3 host 92.x.x.x eq cmd
access-list 101 permit udp 192.168.0.0 0.0.0.255 host 92.x.x.x eq snmp
access-list 101 permit udp host 90.x.x.x host 92.x.x.x eq snmp
access-list 101 permit udp 82.29.157.64 0.0.0.3 host 92.x.x.x eq snmp
access-list 101 permit udp host 62.24.128.17 eq domain host 92.x.x.x
access-list 101 permit udp host 62.24.128.18 eq domain host 92.x.x.x
! Decrypted IPsec traffic from the remote LANs to 10.14.1.0/24 has to be
! permitted here, ahead of the RFC 1918 anti-spoofing denies further down.
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.14.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.14.1.0 0.0.0.255
! IKE (UDP 500 / NAT-T 4500), ESP and AH from the tunnel peer only.
access-list 101 permit udp host 90.x.x.x host 92.x.x.x eq non500-isakmp
access-list 101 permit udp host 90.x.x.x host 92.x.x.x eq isakmp
access-list 101 permit esp host 90.x.x.x host 92.x.x.x
access-list 101 permit ahp host 90.x.x.x host 92.x.x.x
access-list 101 permit udp host 62.24.128.17 eq domain any
access-list 101 permit udp host 62.24.128.18 eq domain any
access-list 101 deny   ip 10.14.1.0 0.0.0.255 any
access-list 101 permit icmp any host 92.x.x.x echo-reply
access-list 101 permit icmp any host 92.x.x.x time-exceeded
access-list 101 permit icmp any host 92.x.x.x unreachable
! Anti-spoofing: RFC 1918, loopback, broadcast and unspecified sources.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
! Unreachable entry: every 10.14.1.0/24 source has already been denied above
! (the 10.14.1.0/24 and 10.0.0.0/8 entries), so this permit never matches.
access-list 101 permit ip 10.14.1.0 0.0.0.255 192.168.100.0 0.0.0.255
! Explicit final deny with logging; see the logging configuration at the top.
access-list 101 deny   ip any any log
! access-list 102: crypto ACL for SDM_CMAP_1 (traffic to be encrypted).
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.14.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 10.14.1.0 0.0.0.255 192.168.100.0 0.0.0.255
! access-list 103: NAT exemption via route-map SDM_RMAP_1. It mirrors the
! crypto ACL as denies so VPN traffic is not translated, then permits the rest
! of the LAN for NAT.
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 10.14.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.14.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.14.1.0 0.0.0.255 any
! access-list 104: permitted sources for vty access (access-class 104 in).
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 permit ip host 90.x.x.x any
access-list 104 permit ip 82.29.157.64 0.0.0.3 any
! Any IP traffic counts as interesting for the dialer.
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
! Remote CLI access: sources are limited by access-list 104, but "transport
! input all" accepts telnet (clear text) alongside ssh, and "login" with a
! shared line password gives no per-user accountability ("login local" would
! use the configured username). "transport input ssh" would be preferable.
line vty 0 4
 access-class 104 in
 password password
 login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Solution: Turning off SPI no internet access

The inspection rules still exist but they aren't applied to an interface so they are not active or in effect.  The access-list is simply allowing the return traffic from connections initiated from the inside LAN hosts.  It essentially does what the IOS Firewall does in a less elaborate fashion.  Regardless, you are no less secure from the outside with this configuration.

Well, hold that thought, you didn't actually apply the access-list to the interface :)

Do this:

conf t
ip access-list ext 101
! In the posted configuration "deny ip any any log" is already the last entry
! of access-list 101 and the list is already applied inbound on Dialer0, so
! these two steps change nothing unless the running config differs from the
! paste. Re-adding the entry appends it at the end of the list.
no deny ip any any log
deny ip any any log    <--the deny needs to be at the bottom

Then apply it to the WAN interface:

int Dialer0
! Already present in the posted config ("ip access-group 101 in" under
! interface Dialer0); re-entering the same command is idempotent.
ip access-group 101 in