Must NFS traffic be routed?

Must NFS traffic stay on a non-routable network, or can it go through a layer 3 device?

The main question that concerns me is performance. I realize that, from a security point of view, it may be preferable to keep it on one non-routed VLAN. However, in this post I am asking whether keeping NFS traffic on a private, non-routed VLAN is important from a performance perspective. If so, how important is it? And what is the best way to predict the performance impact of NFS packets sent over a routed network versus a private VLAN?

Keep in mind these requirements for routed NFS on vSphere:

vSphere 5.0 Update 1 supports L3 routed NFS access to storage when you ensure that your environment meets the following conditions:

  • Use Cisco's Hot Standby Router Protocol (HSRP) router IP. If you use a non-Cisco router, use Virtual Router Redundancy Protocol (VRRP) instead.
  • Use Quality of Service (QoS) to prioritize L3 NFS traffic on networks with limited bandwidth or networks that experience congestion. See your router documentation for details.
  • Follow the routed L3 NFS best practices recommended by your storage vendor. For more information, contact your storage vendor.
  • Disable Network I/O Resource Management (NetIORM).
  • If you plan to use systems with top-of-rack switches or switch-dependent I/O device partitioning, consult your system vendor for compatibility and support.
In an L3 environment the following additional restrictions apply:
  • The environment does not support VMware Site Recovery Manager.
  • The environment supports only the NFS protocol. Do not use other storage protocols such as FCoE on the same physical network.
  • NFS traffic in this environment is not IPv6.
  • NFS traffic in this environment can be sent only over a local network. Other environments such as WAN are not supported.
  • The environment does not support the Distributed Virtual Switch (DVS).

Source: http://blogs.vmware.com/vsphere/2012/06/vsphere-50-u1-now-supports-routed-nfs-storage-access.html

Tags: VMware

Similar Questions

  • Traffic generated by router IOS inspect IPv6

    I am trying to configure deep inspection of IPv6 packets on a 2911 router (IOS 15.1(2)T5), but I am not able to inspect router-generated traffic. There is no option "ipv6 inspect name xxxx udp router-traffic" as there is in IPv4. So I am unable to ping from the router to a remote host.

    I could solve the ping problem by simply adding a "permit icmp any any echo-reply" to my ACL, but I still can't access TCP or UDP based services (DNS, HTTP, ...).

    Does anyone know if it is possible to inspect IPv6 router-generated traffic, or is there another solution for this problem? If so, how can I do that?

    Partial configuration:

    ipv6 unicast-routing

    ipv6 inspect name SPI_DIALER1_OUT tcp
    ipv6 inspect name SPI_DIALER1_OUT udp
    ipv6 inspect name SPI_DIALER1_OUT icmp
    ipv6 inspect name SPI_DIALER1_OUT ftp

    interface Dialer1
     ipv6 inspect SPI_DIALER1_OUT out
     ipv6 traffic-filter acl6_dialer1_in in

    ipv6 access-list acl6_dialer1_in
     sequence 10 permit icmp any any nd-ns
     sequence 20 permit icmp any any nd-na
     sequence 30 permit icmp any any router-advertisement
     sequence 40 permit icmp any any echo-reply
     deny ipv6 any any log

    Cisco's old IOS 'inspect' system has indeed been deprecated. You should use the zone-based firewall now.

    Here is the guide for the IPv6 zone-based firewall.

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_data_zbf/configuration/XE-3s/sec-data-ZBF-XE-book/sec-ZBF-IPv6.html

    If you want to get going faster with the IPv4 zone-based firewall, try my Config Wizard and copy the bits you need.

    http://www.IFM.NET.nz/cookbooks/890-ISR-Wizard.html

  • RV180W WLAN traffic is not routed to WAN

    My WiFi traffic is not routed to the WAN.

    I can access the LAN and reach everything on the local network, but internet access is not possible. LAN to WAN access is allowed.

    I have reset the RV180w to factory settings and also reflashed the firmware to make sure.

    Do I need to configure a static route from WLAN to WAN?

    Routing table generated by the RV180:

    Destination   Gateway     Genmask          Metric  Ref  Use  Interface  Type     Flags
    127.0.0.1     127.0.0.1   255.255.255.255  1       0    0    Lo         Static   Up, gateway, host
    172.16.0.0    0.0.0.0     255.255.254.0    0       0    0    BDG1       Dynamic  Up
    85.0.84.0     0.0.0.0     255.255.252.0    0       0    0    eth1       Dynamic  Up
    127.0.0.0     0.0.0.0     255.0.0.0        0       0    0    Lo         Dynamic  Up
    0.0.0.0       85.0.84.1   0.0.0.0          0       0    0    eth1       Dynamic  Up, gateway

    Hi Pete,

    I read your case, and it seems the problem is not related. What I am referring to is an external AP connected to the RV180W when wireless is enabled on the RV180W. Devices that connect to the AP will not be able to access the internet. If the radio on the RV180W is turned off, the devices that connect to the AP can access the internet.

    -Marty

  • Can an IPS deploy rate-limiting policy to a switch or router?

    Hello

    I have a small question: can an IPS deploy a traffic rate-limiting policy to a Cisco switch or router?

    As we know, an IPS sensor can throttle suspicious traffic instead of blocking it; I don't know if the IPS can push that policy to a Cisco switch or router.

    Thank you

    -Alejin

    You will find the following on what the IPS can do in terms of rate limiting (it also covers which signatures and which routers, what must be configured and what must not, etc.):

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_blocking.html#wp2005501

    The above is on IPS version 7.x.

    Hope that helps.

  • QUESTION on RV180W: All traffic through the router appears to come from the router IP

    Beta Firmware: 1.0.2.3

    Web server log showing the problem:

    2013-03-08 05:39:21 192.168.1.102 POST /somewebpage/somefile.htm - 80 - 192.168.1.1 - 404 0 0 6098 410 457

    QUESTION: 100% of the traffic passing through the router takes on the router's IP address when it arrives at the web server; in this case, 192.168.1.1.

    My mail server and FTP servers have issues because of the anti-hammering problem this creates.

    Has anyone seen this problem and know of a fix for this?

    @Cisco... Before you suggest that I call tech support, I already have. I just got the runaround, and they told me to call level 2 support but did not give me a phone number. For some reason he refused to escalate the call. He simply told me to contact the person from a previous issue, who gave me the beta firmware to download, and I spent a lot of time on the phone to get there. I don't want to talk to the same person who handled my last question.

    Yes, I have seen this problem and reported it. It should have Bug ID CSCue49377, but I can't verify this because I don't have access to the bug database.

    See https://supportforums.cisco.com/thread/2196509

  • How to forward traffic from my router?

    Good evening

    I have a problem, I hope someone can help me.

    I am trying to forward traffic from my Cisco 877W router (10.10.10.1) to a hardware firewall (IP: 10.10.10.50) and I can't get it to work.

    Could you give me some advice?

    Thank you for your attention.

    Hi Marco,

    I don't know if this helped you, but if it did, I ask that you mark it resolved so that others can benefit.

    Kind regards

    ~ JG

  • HP 3050 J611 with HG532 router works with Mac & W7 but not iPad 2 (iOS 5.0.1). Must use Router #5

    Just bought an HP 3050A J611 all-in-one which is on the wireless network using channel 5 with IP address 192.168.1.238 (static IP); the router is a Huawei HG532 from the ISP "TalkTalk". All the functions work fine with XP, Vista, Windows 7 and Apple Mac (10.6.8), but the Apple iPad 2 (iOS 5.0.1) gives a "No AirPrint printers found" message. Security is WPA-PSK/WPA2-PSK. All the equipment is up to date with software. I don't want to change my channel as I have experienced problems with adjacent systems.

    A solution would help because there is no really acceptable alternative method of printing from the iPad.

    The problem was with the Huawei HG532 wireless router supplied by TalkTalk. The router is not AirPrint compatible. Replacing the router with a D-Link DSL2780 solves the problem.

  • Example config for 2 management VLANs and IP routing

    We have a 6224 stack; we use two VLANs on it:

    VLAN 10: network 10.1.1.X /24

    VLAN 40: network 192.168.0.X /24

    Our workstations reside also in the 10.1.1.X network, so we need to administer the switch there.

    192.168.0.X traffic must be routed to 192.168.0.X (and vice versa)

    How can I set this up? When I set up a 10.1.1.1 address for the management interface on VLAN 10, I can't configure routing for this VLAN.

    (Actually I don't just want out-of-band fault management of our LAN.)

    Please advise,

    Message edited by OnnoB on 08/09/2008 06:39

  • AIP-SSM connected to an unused ASA interface

    Hi people,

    Perhaps someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The AIP-SSM sensor is physically connected to this interface with the following IP settings:

    Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

    It's basically point-to-point connectivity, and I can reach the ASA from the sensor and the other way around.

    This design is dictated by the lack of a free port on the switch.

    Technically it should work without any problems, but I can't seem to reach the sensor. There is a switch between my PC and the sensor, and the switch has the corresponding static route added. I can reach the sensor from the switch.

    Is there a hidden security feature I don't know about that prevents communication with the sensor?

    And the sensor's ACL allows traffic from all networks (0.0.0.0/0).

    With the sensor ACL set to 0.0.0.0/0, the sensor should be allowing connectivity.

    You can use the 'packet display' command on the sensor to look at packets on the command and control interface and see what is actually making it to the sensor.

    You say that you have a static route on your switch for the switch to reach your sensor. Do you know if your PC is configured to use the switch as its default router? If the PC uses a different default router, then that other router also needs the static route.

    The other possibility is that the ASA itself may be denying the traffic.

    Since this is an ASA interface connected to the SSM, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can block traffic, and an ACL may be necessary in order to allow traffic from your PC to be routed to the SSM.

    NOTE: If you don't want to have to worry about routes, the other alternative is to make the network between the ASA and SSM an isolated network that only those 2 machines know about.

    You can then use static PAT to map a port on the ASA inside interface address to the SSM's address on https port 443, and map a second port on the ASA inside interface address to the SSM's SSH port.

    Your PC would then simply connect to the ASA IP using these specific ports, and the ASA would do the port translation and forward to the SSM.

    The SSM address could also be dynamically PATed to the ASA inside address, so the SSM could initiate connections to other machines on the inside network.

    Another alternative, if you have IP addresses available on your inside network, is to use static NAT instead of PAT. Just have the ASA statically map an IP on the inside network to the SSM's IP on the network that only the ASA and the SSM know about.

    In both cases the network between the ASA and SSM would not be routable at all, and you wouldn't have to worry about replicating static routes anywhere.

    SIDE NOTE: With a separate network for the SSM you will also need to NAT or PAT the SSM's address on the ASA outside interface. In this way the SSM will be able to connect to the Internet to download auto updates from cisco.com and/or pull global correlation information from Cisco servers. It's probably the same configuration you would already have for other internal addresses, but just to be sure, cover the SSM since it is on a separate subnet.

  • Cannot access the subnet

    Hello, new to ASA

    On an ASA5505 running v7.2(4), trying to allow traffic between two LANs.

    I have the local network 192.168.1.0 and the 192.168.2.0 subnet behind another router. I also have IPsec VPN on the security appliance.

    When I connect a computer to the internet on the first network (192.168.1.0) through the ASA, this computer loses its connection to the subnet (192.168.2.0). The ASA blocks all traffic through the network.

    I applied the same-security-traffic permit intra-interface command. I also applied the command

    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 and added the static route: route inside 192.168.2.0 255.255.255.0 192.168.1.254 1, but nothing works.

    When I send an ICMP echo, NAT is dropping the packet.

    The output of packet tracer is as follows:

    FLOW-LOOKUP   ALLOW
    ROUTE-LOOKUP  ALLOW
    ACCESS-LIST   ALLOW
    IP-OPTIONS    ALLOW
    INSPECT       ALLOW
    NAT-EXEMPT    ALLOW
    NAT           ALLOW
    NAT           ALLOW
    HOST-LIMIT
    NAT           DROP

    The packet was dropped by NAT, and the same goes for port 3389 (remote desktop).

    Thank you in advance.

    Are you trying to hairpin traffic on the inside interface?

    In general, it is not advisable. If the traffic must be routed before the ASA, please make sure the router routes traffic from one subnet to the other. The ASA has no need to see traffic that goes from inside to inside.

    Now, if you still insist on it, you can try putting in translations for both the source and the destination. In other words you need to identity-translate both 192.168.1.0/24 and 192.168.2.0/24. You are NAT-exempting one direction but not the other.

    You can try

    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    And then you can run packet tracer again to see if it fails or not.

    I hope it helps.

    PK

  • VPN IPSec ASA with two ISP active

    Hi ALL!

    I have a question.

    So I have an ASA with 9.2(1) software connected to two ISPs with an active SLA.

    I need to configure a redundant IPSec VPN via ISP2, while all other traffic must go through isps1. If one of the ISPs goes down, all traffic, including the VPN traffic, must be routed via the ISP that is still alive.

    I have configured SLA and it works.

    ciscoasa# show running-config route
    route isps1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
    route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
    route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2

    Here we can see that when isps1 and isp2 are both UP, all traffic passes through isps1, but traffic destined for the remote IPSec peer 172.22.10.5 goes via isp2.

    This configuration works only when isps1 or isp2 is down, or if the static route for 172.22.10.5 is deleted. When both Internet service providers are up, the ASA does not send datagrams to the remote IPSec peer.

    ciscoasa# show running-config nat
    nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
    nat (inside,isps1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto map cm_vpnc 10 match address acl_vpn
    crypto map cm_vpnc 10 set pfs
    crypto map cm_vpnc 10 set peer 172.22.10.5
    crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
    crypto map cm_vpnc 10 set security-association lifetime seconds 86400
    crypto map cm_vpnc interface isps1
    crypto map cm_vpnc interface isp2
    crypto ca trustpool policy
    crypto ikev1 enable isps1
    crypto ikev1 enable isp2
    crypto ikev1 policy 1
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400

    ciscoasa# show ip
    System IP Addresses:
    Interface  Name    IP address    Subnet mask      Method
    Vlan1      inside  192.168.2.1   255.255.255.0    CONFIG
    Vlan2      isps1   10.175.2.10   255.255.255.0    CONFIG
    Vlan3      isp2    10.175.3.10   255.255.255.0    CONFIG

    The main question is: why?

    Thank you in advance,

    Anton

    Hi Anton,

    If you check the log messages on your ASA R301-IS, it is trying to build the VPN tunnel with both IPs and it receives packets asymmetrically from your remote ciscoasa.

    To avoid this asymmetric connection, set your peer IPs as primary & secondary on your R301-EAST:

    set peer 10.175.3.10 10.175.2.10

    Delete the track on your routing entry:

    route isp2 172.22.10.5 255.255.255.255 10.175.3.5

    This should work for you.

    Similarly, if you bring ISP2 down, you should see the VPN tunnel come up with isps1.

    HTH

    Sandy

  • Routing of traffic between two VPN Site-to-Site Tunnels

    Hi people,

    I am trying to establish routing between two Site-to-Site VPN tunnels which terminate on the same outside interface of my Cisco ASA.

    Please find attached a flowchart for the same. All firewalls used are Cisco ASA 5520.

    Two VPN tunnels, between Point A and Point B and between Point B and Point C, are both up. I have also enabled the same-security-traffic permit intra-interface command.

    How can I enable the LAN subnets behind Point A to reach the LAN subnets behind Point C without having to create a separate tunnel between Point A and Point C?

    Thank you very much.

    Hello

    Basically, you will need NAT0 and VPN rules on each site to allow this traffic.

    I think the configurations should look something like below. Naturally you will probably already have a NAT0 configuration and certainly the L2L VPN configuration.

    Site A

    access-list NAT0 remark NAT0 rule for SiteA to SiteC traffic
    access-list NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteA to SiteC
    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • NAT0 = the ACL used in the NAT0 rules that exempts SiteA to SiteC traffic from NAT
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteA LAN to SiteC LAN traffic must use the existing L2L VPN to SiteB

    Site B

    access-list OUTSIDE-NAT0 remark NAT0 rule for SiteA to SiteC traffic
    access-list OUTSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    nat (outside) 0 access-list OUTSIDE-NAT0

    access-list L2L-VPN-CRYPTO-SITEA remark Traffic for SiteA to SiteC through the A - B tunnel
    access-list L2L-VPN-CRYPTO-SITEA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    access-list L2L-VPN-CRYPTO-SITEC remark Traffic for SiteA to SiteC through the B - C tunnel
    access-list L2L-VPN-CRYPTO-SITEC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    Where

    • OUTSIDE-NAT0 = the ACL used in the NAT0 rules that exempts SiteA to SiteC traffic from NAT. This time it is tied to the 'outside' interface, as the traffic will be coming in and going out through this interface at SiteB
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEA (and SITEC) = the ACLs in the L2L VPN configurations that define that SiteA LAN to SiteC LAN traffic should use the existing L2L VPN connections

    Site C

    access-list NAT0 remark NAT0 rule for SiteC to SiteA traffic
    access-list NAT0 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list NAT0

    access-list L2L-VPN-CRYPTO-SITEB remark Interesting traffic for SiteC to SiteA
    access-list L2L-VPN-CRYPTO-SITEB permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

    Where

    • NAT0 = the ACL used in the NAT0 rules that exempts SiteC to SiteA traffic from NAT
    • nat = the NAT0 configuration line
    • L2L-VPN-CRYPTO-SITEB = the ACL in the L2L VPN configuration that defines that SiteC LAN to SiteA LAN traffic must use the existing L2L VPN to SiteB

    To my knowledge, the above should handle the NAT0 and traffic selection for the L2L VPN connections. Naturally, the interface/ACL names may be different depending on your current configuration.

    Hope this helps

    -Jouni

  • Configuration of the router to allow VPN traffic through

    I would like to ask for assistance with a specific configuration to allow VPN traffic through a 1721 router.

    The network configuration is the following:

    Internet - Cisco 1721 - Cisco PIX 506E - LAN

    Remote clients connect from the internet using the Cisco VPN client. The 1721 should just pass the packets through to the PIX, which is 192.168.0.2. The router's inside interface is 192.168.0.1.

    The PIX was originally configured with a public IP address and was tested to work well, authenticating VPN connections and passing traffic to the local network. Then the external IP address was changed to 192.168.0.2 and the PIX placed behind the router.

    The 1721 is configured with an ADSL connection, with automatic failover to an asynchronous connection. This configuration does not work well, and on the local network users have normal internet access. I added access lists for udp, esp and ahp traffic.

    Cisco VPN clients receive an error indicating that the remote peer is not responding.

    I have attached the router config for reference, and any help would be greatly appreciated.

    Manual.

    Brian

    For VPN clients to reach the PIX and complete their VPN, the PIX needs an address that is reachable from the outside where the clients are. When the PIX had a public address it was obviously easy for clients to reach the PIX. When you give the PIX a private address, then there must be a translation. And this becomes a problem if the translation is dynamic.

    You have provided a static translation, which is what is needed. But you have restricted it to TCP 3389. I don't know why you restricted it in this way. What is supposed to happen for ISAKMP, ESP and AHP traffic? How is it to be translated?

    If there is no static translation for ISAKMP, ESP and AHP traffic then clients don't know how to reach the server. Which brings me to the question of what address is configured in the client for the server?

    HTH

    Rick

  • Guest network traffic is routed to the external network (LAN)

    I think this is a basic question, but I couldn't find a clear answer in blogs, so thank you for your patience.

    We want to make sure that all guest network traffic is routed through our physical network. Configuration: VMs are contained in several port groups that sit 'under' a single vSwitch. The vSwitch is associated with a physical network adapter, and each port group represents a different subnet.

    Does all guest traffic go through the physical NIC to our physical network (routers, etc.), including traffic between guests that are in the same port group/subnet?

    Thanks in advance for your help.

    Steve

    vSwitches function like physical switches, so if 2 virtual machines are on the same ESX host and in the same subnet, there is no need for any traffic to go via your physical network.

    Of course, if the virtual machines are on different ESX hosts, traffic must go over the physical switches to reach the destination addresses.

  • Hairpinned Internet traffic and the router ACL

    Hello, I am building a typical hub-and-spoke configuration where remote locations running Cisco IOS send Internet traffic out through an IPSec tunnel that terminates on an ASA5510. I'm 99% there and can't seem to pass traffic between the spokes and the Internet. I'm looking for advice on how to properly configure the inbound ACL on the spoke routers' WAN interfaces.

    My question is, what do I specifically need to permit for returning Internet traffic in the spoke router ACL? I was under the impression that permitting the hub ASA IPSec traffic would include Internet traffic that has hairpinned through the ASA, and that I wouldn't need a specific ACL entry for Internet source addresses.

    The spoke router I'm working on now is a 3620 running IOS 12.3.26. When I configure the inbound ACL on the WAN interface to allow only esp/isakmp from the hub ASA, I'm not able to receive traffic from the Internet. If I remove the inbound ACL everything works fine. Here is the current inbound ACL from the lab network router:

    access-list 130 remark Permitted inbound WAN connections
    access-list 130 remark IPSec
    access-list 130 remark LAN subnets
    access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255
    access-list 130 permit ip 192.168.50.0 0.0.0.255 192.168.168.0 0.0.0.255
    access-list 130 permit ip 10.199.199.0 0.0.0.255 192.168.168.0 0.0.0.255
    access-list 130 remark HUB ASA
    access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq non500-isakmp
    access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
    access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
    access-list 130 permit ahp host 172.16.1.4 host 172.16.1.21
    access-list 130 remark NTP to the router
    access-list 130 permit udp host 192.43.244.18 eq ntp host 172.16.1.21 eq ntp
    access-list 130 remark Permitted ICMP traffic
    access-list 130 permit icmp any host 172.16.1.21 echo
    access-list 130 permit icmp any any echo-reply
    access-list 130 permit icmp any any source-quench
    access-list 130 permit icmp any any packet-too-big
    access-list 130 permit icmp any any ttl-exceeded
    access-list 130 deny icmp any any
    access-list 130 remark Permitted management traffic
    access-list 130 remark Permit ssh
    access-list 130 permit tcp any any eq 22

    With the above access list applied inbound on my WAN interface, internal hosts are able to ping Internet addresses (allowed by the ICMP echo-reply entry) but cannot browse the Internet.

    Should I enable a firewall policy on the router to allow the returning Internet traffic? I thought the ESP permit rule would cover that.

    Any help is appreciated!

    Dan

    Dan

    Unless you're running the IOS Firewall feature on your spoke routers, the router is unable to keep state for outbound connections. So yes, you will also need to allow the unencrypted traffic in your inbound ACL on the WAN interface, because once the traffic is decrypted it is then checked against the ACL on the interface. See this link on the order of operations:

    http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    On ASA/PIX firewalls you can tell the device whether to check traffic against the ACL on the outside interface once it has been decrypted, using the "sysopt connection" command, but I'm not aware of a similar option for IOS.

    Jon
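The point in Jon's reply, that the spoke router evaluates the decrypted inner packet against the same inbound ACL that already passed the ESP packet, can be checked with a small model. The following is an added example, not code from the thread or from Cisco: it parses a subset of IOS numbered extended ACL syntax (wildcard masks, `host`/`any`, `eq` ports, ICMP type keywords, `established`) with first-match semantics and an implicit deny, loads the permit/deny lines of Dan's ACL 130, and runs both checks. The packets, the Internet address 203.0.113.10 and the extra `established` entry used to admit TCP return traffic are constructed for illustration and are not from the thread.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123}

@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", "esp" or "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # IOS keyword such as "echo" or "echo-reply"
    ack: bool = False     # TCP ACK/RST set, which is what "established" tests

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """IOS address syntax: any | host A.B.C.D | A.B.C.D WILDCARD -> (net, mask)."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    mask = ~_ip(tok[i + 1]) & 0xFFFFFFFF     # wildcard bits are "don't care"
    return (_ip(tok[i]) & mask, mask), i + 2

def _parse_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return 0, i

def parse_acl(text):
    """Numbered extended ACL lines -> (permit, proto, src, sport, dst, dport, extras)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue                          # remarks are not entries
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append((tok[2] == "permit", tok[3], src, sport, dst, dport, tok[i:]))
    return aces

def _matches(ace, pkt):
    _, proto, (snet, smask), sport, (dnet, dmask), dport, extras = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if (_ip(pkt.src) & smask) != snet or (_ip(pkt.dst) & dmask) != dnet:
        return False
    if (sport and sport != pkt.sport) or (dport and dport != pkt.dport):
        return False
    for kw in extras:                         # trailing ICMP type or "established"
        if kw == "established" and not pkt.ack:
            return False
        if kw != "established" and pkt.proto == "icmp" and kw != pkt.icmp_type:
            return False
    return True

def evaluate(aces, pkt):
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return "permit" if ace[0] else "deny"
    return "deny"

def spoke_inbound(acl_text, outer, inner):
    """The two checks Jon describes: the ESP packet as it arrives on the WAN
    interface, then the decrypted inner packet against the same inbound ACL."""
    aces = parse_acl(acl_text)
    return evaluate(aces, outer), evaluate(aces, inner)

# Dan's ACL 130 from the thread, remarks omitted.
ACL_130 = """
access-list 130 permit ip 192.168.75.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq non500-isakmp
access-list 130 permit udp host 172.16.1.4 host 172.16.1.21 eq isakmp
access-list 130 permit esp host 172.16.1.4 host 172.16.1.21
access-list 130 permit ahp host 172.16.1.4 host 172.16.1.21
access-list 130 permit udp host 192.43.244.18 eq ntp host 172.16.1.21 eq ntp
access-list 130 permit icmp any host 172.16.1.21 echo
access-list 130 permit icmp any any echo-reply
access-list 130 permit icmp any any ttl-exceeded
access-list 130 deny icmp any any
access-list 130 permit tcp any any eq 22
"""
# Constructed packets: the ESP packet from the hub ASA, then two decrypted
# inner packets from an Internet host (203.0.113.10 is a documentation address).
OUTER_ESP = Packet("esp", "172.16.1.4", "172.16.1.21")
INNER_HTTP_REPLY = Packet("tcp", "203.0.113.10", "192.168.168.10", 80, 49152, ack=True)
INNER_ECHO_REPLY = Packet("icmp", "203.0.113.10", "192.168.168.10", icmp_type="echo-reply")
# One illustrative entry admitting TCP return traffic for the decrypted flows
# (an assumption for this example, not a line from the thread).
RETURN_TRAFFIC_ENTRY = "access-list 130 permit tcp any 192.168.168.0 0.0.0.255 established\n"

if __name__ == "__main__":
    print("HTTP reply:", spoke_inbound(ACL_130, OUTER_ESP, INNER_HTTP_REPLY))
    print("echo-reply:", spoke_inbound(ACL_130, OUTER_ESP, INNER_ECHO_REPLY))
    print("HTTP reply with established entry:",
          spoke_inbound(ACL_130 + RETURN_TRAFFIC_ENTRY, OUTER_ESP, INNER_HTTP_REPLY))
```

The ESP packet passes, the decrypted echo-reply passes because of the `echo-reply` entry, and the decrypted HTTP reply falls through to the implicit deny, which is exactly the symptom Dan reports (ping works, browsing does not). Appending the `established` entry admits the TCP reply while still rejecting an unsolicited SYN from the Internet, but, as Jon notes, a stateless ACL cannot do better than that without the IOS Firewall feature.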
