Cisco IOS NAT – Troubleshooting NAT Inside Not Working After Reboot

cisco-ios

I have a strange problem: after rebooting my Cisco 867 router running IOS 15.5, all inside NAT translations do not work until I remove and re-establish the access group on the outside interface. I'm sure there is an ordering problem on reboot but I can't figure out why. My configs are listed below:

  ip inspect name Internet-out icmp router-traffic
  ip inspect name Internet-out tcp router-traffic
  ip inspect name Internet-out udp router-traffic

Outside interface config:

  interface GigabitEthernet2
   ip address dhcp
   ip access-group Internet in
   no ip unreachables
   ip inspect Internet-out out
   ip nat outside
   ip virtual-reassembly in
   duplex auto
   speed auto
   no cdp enable

Access group causing the issue:

  ip access-list extended Internet
   permit udp any any eq domain log
   permit tcp any any eq domain log
   permit tcp any any eq www log
   permit tcp any any eq 443 log
   deny ip any any log

After a reboot I have to manually do the following, otherwise no inside NAT translations work; "show ip nat translations" shows nothing in the table.

  interface GigabitEthernet2
   no ip access-group Internet in
   ip access-group Internet in

And like magic it all starts working. I've checked the running-config order and it is exactly the same after I issue the command as when it reboots. I'm stumped and can't figure this out.

Best Answer

After upgrading IOS from 15.5 to 15.5.3 I was finally able to use ZBF instead of CBAC. Because of bugs in that version you could not create policies. I was then able to remove the inspect rules and substitute them for policies and also remove the access-lists. Since making these changes, the issues on reboot and the router hanging problems (yes the outside interface would hang after 4-5 hours) have gone away completely.

It appears that there are some serious bugs in CBAC for newer IOS versions and Cisco is not going to fix them according to their own documentation. My advice is to ditch CBAC and go for Zone Based Firewall in all newer IOS versions.
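
For reference, a Zone-Based Firewall configuration that covers the same ground as the CBAC rules in the question (inspect ICMP, TCP and UDP leaving through GigabitEthernet2) could look like the following. This is an added example, not the answerer's actual configuration: the zone, class-map, policy-map and zone-pair names are hypothetical, and the inside interface (Vlan1) is an assumption because the question does not show it.

```cisco
! Added example. All names below are hypothetical; Vlan1 as the inside
! interface is an assumption (the question only shows GigabitEthernet2).
!
zone security INSIDE
zone security OUTSIDE
!
! Same three protocols the old "ip inspect name Internet-out" rules covered.
class-map type inspect match-any CM-INTERNET-OUT
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INTERNET-OUT
  inspect
 class class-default
  drop log
!
! No OUTSIDE-to-INSIDE zone-pair is defined, so unsolicited inbound traffic
! is dropped and only return traffic for inspected sessions is allowed in.
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Remove CBAC and the ACL from the interface before joining it to a zone.
! Do this from the console or a maintenance window: once one interface is a
! zone member, traffic between it and interfaces not yet in a zone is dropped.
interface GigabitEthernet2
 no ip inspect Internet-out out
 no ip access-group Internet in
 zone-member security OUTSIDE
!
interface Vlan1
 zone-member security INSIDE
!
! Traffic to and from the router itself (the "self" zone, e.g. the DHCP
! client on GigabitEthernet2) stays permitted by default as long as no
! zone-pair involving "self" is configured.
!
! After "write memory" and a reload, confirm the reboot symptom is gone:
!   show zone security
!   show policy-map type inspect zone-pair sessions
!   show ip nat translations
```

Once the zone-based policy is confirmed working after a reload, the unused `ip inspect name Internet-out` rules and the `Internet` access list can be deleted from the configuration, as the answer describes.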
