Simple firewall implementation
Hello,
I'm pretty new to the cisco product and want to setup a simple firewall.
I found some exampels but can't get it to work.
For now we are using Cisco routers 88x and 89x series.
When I activate te script I the remote connection to the router is lost, although I have put an permit rule for ssh.
The script is the following:
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall rtsp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall ftp
ip inspect name Firewall ssh
ip access-list extended Allow-IN
permit eigrp any any
permit icmp any 192.168.2.0 0.0.0.255 echo-reply
permit icmp any 192.168.2.0 0.0.0.255 unreachable
permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
permit icmp any 192.168.2.0 0.0.0.255 echo
permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
permit tcp any 192.168.2.0 0.0.0.255 eq 22
deny ip any any
interface Vlan1
ip inspect Firewall in
interface Dialer1
ip access-group Allow-IN in
Can anyone tell me what I'm doing wrong here?
And a second question, can I use for the ip inspect also port numbers or must I always use a service name?
Thank you,
//Edwin
Hello,
I have tested this.
I couldn't add the router-traffic to the ip inspect rule for ssh but could add it to the ip inspect rule with tcp.
I tested this option but unfortunatly the connection was closed again as soon the rules were applied to the interfaces.
Maybe I did it wrong or it doesn't work.
//Edwin
Similar Messages
-
Hi all,
I have very recently begun using java as a development package, and I love the network capability that it has. It makes it quite a bit easier to make a network application, and implement it.
Something I would like to try would be to make a fairly simple firewall. For instance, when a user inside the network wants to make a connection, it would forward it through to the outside world, and keep the thread open to allow communication back to the host. If the outside world tried getting in, it would reject the host unless is met specific requirements (right port, etc).
Three questions I have:
1. Is this possible? I mean, it seems possible, but would there be a problem with the data, even if I used very basic I/O streams and such? Or would there be problems because of the vast number of protocols and such?
2. How can I differentiate between 2 NICs? On my existing firewall, I'd have eth0 and eth1 for my internet and local net Ethernet cards. How would java know which is which? Creating a server socket is simple, but how do I tell it which interface to listen on?
3. Obviously a firewall would need to listen to all incoming and outgoing ports. Do I seriously need to make 65535 threads to have a server socket listen on every port? I would hope there is a more simple way, but I'm just not finding it anywhere.
Thank you all for your time.Yes it is possible with java.net API.
There are lot of examples.
I think you shoulg go to the socket programming division
if you realy like to this. -
[SOLVED] creating simple firewall
HI
I am running mails and web on my server, I would like to put simple firewall on that server to have some prtotection.
Here is my start configuration of iptables
cat /etc/iptables/iptables.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
As you can see I am opening imap, smtp, web and ssh ports.
MY IDEA is to protect server from strangers who are scaning ports, trying to open all possible web pages and login over some webapp.
I would like to do something like this:
DROP connection if there are to many attempts to open, Let's say if there are more the 5 per 1 second then DROP.
Is it possible to do it in simple way using iptables? and how?
thank you very much.
Last edited by jancici (2012-03-21 21:34:51)it happend just few moments ago, I know it is not me :-)
Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=175.145.230.49, lip=77.93.202.118
Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
so these are the situation, or reasen why I want to protect my server -
Firewall implementation in java
Need help about firewall implementation in java,Is it possible to develop application level firewall in java?how?
No.
You can control a firewall in C or such from Java. But you must have native codes in part of it.
This question is asked repeatedly.. you really should have searched because the answer is always the same. You can't do it directly in Java. -
Simple Microblaze implementation using vivado
hello
i get recently my new basys3 board, and i try to implement a simple project based on a microblaze and an gpio ip core to generate a simple signal and get this signal on a pmod pin connector using vivado, and as this is the first time I used Vivado i find a little bit difficult to run the implementation. i attached the different files with this message include the c programe. i can generate a bitstream file and build a project in SDK also i can implement the design in the basys3 board, but when i check the signal in the pmode connector it seem like nothing happen.
i appreciate any help or suggestion in order to remedy this problem.
Best regardsHello,
I have tested this.
I couldn't add the router-traffic to the ip inspect rule for ssh but could add it to the ip inspect rule with tcp.
I tested this option but unfortunatly the connection was closed again as soon the rules were applied to the interfaces.
Maybe I did it wrong or it doesn't work.
//Edwin -
Extranet/Firewall implementation question
All,
Were running EP6 SP11 on a single server scenario. Weve implemented iviews that access backend CRM and BW systems. All connections are HTTP (verses SSL). Ive been asked to make the Portal system available outside the firewall where the sales team can access sales functionality w/o VPN authentication. Ive read about reverse proxy and SSL scenarios which make sense however I have a couple of questions.
It seems like the reverse proxy scenario would be a good choice. I understand how access to the portal would work however not sure what happens when the iviews which accesses backend systems are launched.
I would like to get others input.
Thanks,
GregHi Greg,
We have an external portal that is frontended by an Apache Reverse Proxy. In the Apache Configuration file there is a section for reverse proxy statements.
So basically we have it setup so that when users request portal.sap.com/irj it is reverse proxyed to the portal server. For Iviews that access backend sysems we setup the same thing.
For example we have an iview that connects to a R3 system so we have it setup so that anything that comes across as portal.sap.com/r3 is reverse proxyed to an ITS Server that then connects to the R3 system.
Hope that helps
Keith -
Hi Experts,
Could you please guide me to best practices of implementing/designing Firewalls in existing Data Center. I am looking to implementing Transparent mode Firewalls to minimize disruptions and achieve server farm security.
Existing topology is collapsed Aggregration/Access Layer. 2x6500 Active/Standby through HSRP and external routing is OSPF. These switches connect to CORE through OSPF 0, Server farms networks default gateways is the HSRP address on Switches.Server networks segmented through Vlans [170-190].
Cisco ASA to be implemented, do not want major routing changes hence opted for transparent mode. Attached high level topology of what to be achieved.
Any detailed design guides would be appreciated on how the traffic flow from WAN to DC be intercepted and within DC.No.
You can control a firewall in C or such from Java. But you must have native codes in part of it.
This question is asked repeatedly.. you really should have searched because the answer is always the same. You can't do it directly in Java. -
A simple BADI implementation - very urgent
Hi,
I am new to ABAP. I need a small piece of coding. I am implementing a BADI. There is a table which has 3 fields (MATID, LOCID, STATUS and PLANNING_DATE). For each MATID (material ID), there are many LOCID (Location ID) available. My BADI has to choose the suitable LOCID for the given MATID based on the following conditions :
The LOCID for that particular MATID, must satisfy STATUS = salesprice and PLANNING_DATE = current date.
<u>Code Logic :</u>
<b>Input :</b> BADI gets a series of MATID and corresponding LOCID as input.
<b>Logic :</b> For the MATID, choose one LOCID. Check whether the corresponding fields have STATUS = salesprice and PLANNING_DATE = current dateHi Preetha,
Assume that the BADI's interface has an internal table which has the table for matid, locid, status and planning_date say itab(In the badi method, check the correct name for the table).
read table itab into wa with key matid = <Current Matid>
status = <sales priice>
planning_date = sy-datum.
if sy-subrc = 0.
You will have the chosen record.
endif.
Regards,
Ravi -
Simple idm implementation question
Hi,
Would anyone with IDM experience comment on what would it take to implement the following in IDM (assuming there are technical people available, though with no idm experience)
1. There is no provisioning to the end systems
2. A requestor logs in, creates a request -> approver logs in and approves -> implementer logs in and marks implemented (that last piece i imagine you'd need a custom workflow and form on a resource/role to add implementers) -> resource/role marked provisioned
3. Basic audit reports for audit
4. requester/approver/implemeter can be setup in different departments so they only see resources/roles for that department
Your advice is much appreciated!I am no expert in IDM, but what you require is possible and explained in good detail as part of the Deployment Fundementals course run by Sun, which I attended about a month back. It would take too long to explain how to put it in place on this forum I'm afraid. You would need to attend the course. I don't have enough expereince to advise how long this would take. Hope this is of some help.
-
2 layers of firewall Implementation Design
Dears i'll be going for this design below :-
Internet-----Firewall1-----Firewall2----Core switches----Distrubtion switchs----End users
Firewall1: outer interface to internet , Internal interface to firewall2 , DMZ interface to DNS , EMail server , Bluecoat (Guest users) , Websense (Wired users internet access)
Firewall2 : Outer interface to firewall1 , DMZ interface to Server Farm , internal interface for core switchs.
Now inorder for both users Wired/Wireless to have their internet traffic directed to bluecoat and then from bluecoat to internet, routing should be enabled between 2 firewalls so is it ok ? or shall i configure all users to have a default gateway to firewall1 and then have firewall1 configured to route traffic to both websense and bluecoat ???? also while traffic is coming back from firewall1 heading to firewall2 i should open some ports on Firewall2 because by default it wont be allowing any traffic since it will be going from low level interface to higher level???.routing should be enabled between 2 firewalls so is it ok ?
Surely it's ok and it should be done. You may use dynamic routing or just static routes. Final goal is to provide full IP reachability between your clients and WebFiltering services.
or shall i configure all users to have a default gateway to firewall1
You can't configure firewall 1 inside IP as default gateway for your clients, cause default gateway IP hould be in the same LAN segmetn (broadcast domain).
also while traffic is coming back from firewall1 heading to firewall2 i should open some ports on Firewall2 because by default it wont be allowing any traffic since it will be going from low level interface to higher level???.
If we're talking about general webtraffic, then you don't have to configure any ACL's on the outside interface of the FW2, cause web traffic will be inspected by default (at least as TCP). That means, when client connects to, say, cisco.com, returning traffic will be allowed by default, cause there'll be an entry in the state table. -
Is it advisable to place a firewall infront of my server farm???? and why
Hello Maro,
A firewall is a device that will be place into the network to filter traffic (depending on the security policies your managment team has set) to protect the internal resources from both internal and outside threaths,
So if you place a firewall in front of a server farm that will protect them it would be amazing,
Now remember that you will need to configure the firewall to allow access to those servers on the right ports/services,
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks. -
Simple ResourceAdapter implementation
I am trying to deploy a ResourceAdapter which only uses BootstrapContext.ctx.createTimer() and getWorkManager() to execute tasks within the webapplication, it has no communication with other systems.
On a resin-server this gets started by adding
<resource jndi-name="jca/taskEngine" type="myclasses.TaskEngine"/>
For deploying this on oc4j i have tried packaging this ra.xml:
<?xml version="1.0" ?>
<connector xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/connector_1_5.xsd"
version="1.5">
<description>experimental jca 1.5 resource adapter</description>
<display-name>taskengine</display-name>
<vendor-name>tester</vendor-name>
<eis-type>test</eis-type>
<resourceadapter-version>0.0</resourceadapter-version>
<resourceadapter>
<resourceadapter-class>myclasses.taskengine</resourceadapter-class>
</resourceadapter>
</connector>
and a jar with the class into taskengine.rar.
Then running this command:
E:\oracle2\ora92\dcm\bin>dcmctl deployApplication -f e:\test3\taskengine.rar -a taskengine
This extracts the files to ...j2ee/home/connectors
and adds this entry
<connector name="taskengine" path="taskengine.rar">
</connector>
to oc4j-connectors.xml.
The start(BootstrapContext bootstrapContext) - method is still not executed.
Dont' know if I am even on the right track here, any tips would be greatly appreciated.
best regards, larsHi Ripal,
Following are the steps which would be used to achieve the objective:
We have to define following dictionary types for creating the relation:
Data dictionary related developments
a. Z Table with all fields needed to be captured
b.A structure having all the fields of Z table
c. A table type same as the Z table
d. Structure having only key fields of Z table
2. SPRO settings :
To create this relation go to SPRO :
Customer Relationship Management->CRM Cross-Application Components ->Generic Interaction Layer/Object Layer->Business Transactions
Here we need to do all three tasks :
a) Extend Model for Business Transactions with New Nodes.
Click on New entries.
b) Extend Model for Business Transactions with New Relations.
In this step we name the new relation. Click on new entries and maintain new entries as shown.
The Source object is the parent relation(External Object name) on which our relation is dependent.
As we have to store n records for 1 opportunity header hence relation is (1: 0…n ).
c) Define Custom Handler Classes for Business Transaction Model Nodes.
In This step we have to mention the name of Class which is inherited from the Genil class of parent relation.
Methods :
We haveto implement two methods here :
IF_CRM_RUNTIME_BTIL~READ_ATTRIBUTES
IF_CRM_RUNTIME_BTIL~MAINTAIN_ATTRIBUTES
Once all these steps are completed the new relation is created and can be accessed as dependent object in bol.
Regards,
Chiru -
Lscd - simple ranger implementation in POSIX shell
I've been casually working on a file browser that has a similar interface like ranger, but takes a different approach, in that it is written in bash POSIX shell.
I wanted to combine the elegance, portability and simplicity of a short bash shell script with the ability to get me whereever I want ASAP without the "cd TAB TAB TAB" boilerplate. Additionally, it can use ranger's file opener "rifle" to execute files just the way ranger does.
I'm not finished yet, but there is a working alpha version at github:
https://github.com/hut/lscd
It uses the basic h/j/k/l vim type movement control keys. Check the source for more key bindings, it makes no sense to write a complete list at this stage of development.
And the obligatory screen shot:
As you can see, there are no miller columns like in ranger. That may or may not change in the future. I suspect it would be too slow in shell script.
Pro tip: if you run lscd with the command ". lscd", it will run in the current bash environment, rather than in a new one. Only this way the directory will actually change after you close lscd.
Last edited by hut (2014-09-11 12:13:45)Really cool.
falconindy wrote:Aliasing ls will break (e.g. alias ls='ls --color') this. You shouldn't be using ls at all, but rather glob expansion....
In case you source it it will use the alias/function, so indeed, be careful with that.
Here's a template I always use for adding cursor movement:
(starting with line 147)
(adjust to posix shell yourself)
(the -t 0.01 newinput is "beatable" like if you hold the cursor newinput will get larger. That's why there's a "$newinput" =~ [~A-Da-d] for cursor keys and shift+cursor keys)
read -n 1 -s input
if [[ "$input" == $'\e' ]]; then
input=ESC
while true; do
read -n 1 -s -t 0.01 newinput < /dev/tty
[[ "$newinput" == $'\e' ]] && newinput=ESC
input=${input}${newinput}
[[ -z "$newinput" || "$newinput" =~ [~A-Da-d] ]] && break
done
fi
case "$input" in
'ESC[A') "code for up, etc"
;; #Up
'ESC[B')
;; #Down
'ESC[6~')
;; #Page Down
'ESC[5~')
;; #Page Up
'ESC[4~'|'ESC[F'|'ESC[8~'|'ESCOF')
;; #End
'ESC[1~'|'ESC[H'|'ESC[7~'|'ESCOH')
;; #Home
'ESC[D')
;; #Left
'ESC[C')
;; #Right
'ESC[3~')
;; #Delete -
Hi all,
I have very recently begun using java as a development package, and I love the network capability that it has. It makes it quite a bit easier to make a network application, and implement it.
Something I would like to try would be to make a fairly simple firewall. For instance, when a user inside the network wants to make a connection, it would forward it through to the outside world, and keep the thread open to allow communication back to the host. If the outside world tried getting in, it would reject the host unless is met specific requirements (right port, etc).
Three questions I have:
1. Is this possible? I mean, it seems possible, but would there be a problem with the data, even if I used very basic I/O streams and such? Or would there be problems because of the vast number of protocols and such?
2. How can I differentiate between 2 NICs? On my existing firewall, I'd have eth0 and eth1 for my internet and local net Ethernet cards. How would java know which is which? Creating a server socket is simple, but how do I tell it which interface to listen on?
3. Obviously a firewall would need to listen to all incoming and outgoing ports. Do I seriously need to make 65535 threads to have a server socket listen on every port? I would hope there is a more simple way, but I'm just not finding it anywhere.It's possible to write a proxy. Taht said, this is
not really a very good first java network assignment
as java network access is quite high level, and this
is a complex project.As far as having the knowledge behind it, that is not
a problem. This isn't really a school project per-say.
I am persuing a degree as a networking specialist, so
network addressing and protocols is not an issue. It
is simply taking that understanding and putting it
into (java) words.
In combination to that, I have a decent programming
background, just not much in java. I hope to learn
quickly, and this is more like a final goal. Java
seems like the perfect language to compliment an
understanding of a network infrastructure.Your OP didn't specify a level of knowledge other than that you were new to java. I assumed you had quite a bit of network experience to even consider just a project.
The 2 NIC have different IP addresses, when creatinga
ServerSocket you can specify the ip address as wellas
the port,Makes sense, I guess, but I was more or less hoping to
have it dynamic. If I ever want to change the address
or move this to another system, I wouldn't want to
have to recompile with the new address. This could
easily be solved with a textbox to input the addresses
though, so it's not a big deal.You could use a Runtime.exec() call to run a command such as ipconfig on windows or ifconfig -a on unix to get that info.
I believe there is no way to do this, a port of 0
means to use an ephemeral port.If this is not possible, then I would think a java
firewall is not possible. Yes, when I said it requests an ephemeral port I meant that you can't do what you want.
Granted, maybe I am just not
understanding the software end of it, but a packet
sniffer, like Ethereal, is able to see all data
passing through, and I doubt it has 65k threads per
protocol to listen. Is there a way to have the program
see all data hitting it's NIC?Java definitely cannot listen to packets in promiscuous mode. There is a package called JPCap that provides packet capture using JNI.
I am not sure where an ephemeral port would solve
this. Granted, it would help with the internals of the
program, passing data from eth0 to eth1, but how would
this solve the problem of knowing with port to recieve
data on eth0?
Thanks again!You're welcome, and good luck -
Very slow internet behind IOS Firewall
Hi,
This is my first post in the community, so Hello everyone!
Just a (hopefully) quick question,
I am using a Cisco 887VA-M-K9 router to connect to my ISP via VDSL.
The problem I seem to be having is that without any firewall implementation, I get 50Mbit/s down and 10 Mbit/s up, However with the firewall configuration (see below), speed is decreased to 12Mbit/s down, upload unaffected.
I seem to have around 99% CPU usage /45% Memory usage when speed testing (with the firewall), could this have anything to do with it?
Many thanks!
CiscoGateway>en
CiscoGateway#sh running
Building configuration...
Current configuration : 13754 bytes
! Last configuration change at 01:09:45 UTC Wed Oct 22 2014 by $$rtcisco73&&
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CiscoGateway
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3236947830
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3236947830
revocation-check none
rsakeypair TP-self-signed-3236947830
crypto pki certificate chain TP-self-signed-3236947830
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323336 39343738 3330301E 170D3134 31303231 32323332
31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 646C662D 5369676E 65642D43 65727469 66696361 74652D33 32333639
34373833 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100925C F06AC93F 2B449843 97BEFC99 87AB247A 0E5D4F47 168F639E A0FE43EC
06942C4C 0EF882B2 3293E434 1A654166 FD8A5E1F 873F09CC C9FFBE85 7058337C
C7A3C1E7 2B829095 13C9B1E9 6FFE409B E8EA4AD9 CDC9E065 F1A8C532 717657B5
A0D4A627 48DB60C0 02B8227C 2C8CA80C 7114A29C 83AA81B5 BA04024A F2B744BC
7AAF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A9C36A 96H01777 EC1405D8 EFF45D05 797560CB B2301D06
03551D0E 04160414 A9C36A96 D01777EC 1405D8EF F45D0579 7560CBB2 300D0609
2A864886 F70D0101 05050003 8181006C 0D06EE67 AAE73CFA 93D70716 4C04C9F3
36D1P808 77057F0B AB8E7A6E FD010CF3 977D9EAF BFB69B3A E975A7F9 F63DF08D
FDDCF648 1E5CCCFB B6513B7E CADAA42A 2343AE6C 272073C3 CE1B0CCF 91A5B5B7
5CEE0916 0EDD078A E0E67ACF 6277078E 3A96CEC2 5E01780A 4CB17CC5 5258B2CD
6B70C411 77433BC5 286652DC 1452E8
quit
ip dhcp excluded-address 192.168.1.1 192.168.1.79
ip dhcp pool Pool0
import all
network 192.168.1.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
lease 7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO887VA-M-K9 sn FCZ1753C0LJ
controller VDSL 0
ip ssh version 2
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect ccp-pol-outToIn
class t
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-access
inspect
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
interface Ethernet0
no ip address
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
description LocalAN$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer1
description BT Infinity Dialer Interface$FW_OUTSIDE$
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication pap chap ms-chap callin
ppp chap hostname [email protected]
ppp chap password 0 0
ppp ipcp address accept
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
remark Access list for NAT
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
login local
transport preferred ssh
transport input all
line vty 5 15
login local
transport preferred ssh
transport input all
endI would recommend scaling back on some inspections, for instance look at a few policy-maps and remove them. Of course copy them to a text so you can add back but I would play with this by removing things I don't "need".
For instance, what do we "trust" and what do we "untrust"? Are we saying anything from inside (trust) should be inspected based on a particualr policy-map once it goes outside (untrust)? What is outside though? i.e. Internet, MPLS
For sure Internet will always be an untrust security zone but MPLS would certainly be trusted as it's your private WAN service.
Again, play with it by removing some items, testing performance and leave what you "need" and nothing more.
Did you create this via CCP by chance?
Maybe you are looking for
-
Hyperion Financial Management Installation Problem on WinXP system
Hi, I am trying to install EPM/HFM 11g from scratch. I have downloaded the following files and extracted them in a folder. I started the installation with a specified hyperion_home as C:\Hyperion1. APS-11113.zip EPM-Architect-11113.zip EPM-Foundation
-
I am able to open the document through finder, but I can't with Pages '09.
-
REPORT OUTPUT to Internal table
Hi, I order to achieve my requirement i need to know if this can happen: Q: I want to write a report REP1 (which has ITAB1) in which I want to run an already existing report REP2 and direct the result of the REP2 to ITAB1. So that upon this ITAB1 con
-
Dear All, I created Import PO, for which MIRO for customs done first. While doing that MIRO I have done wrong hence I cancelled that and created a new MIRO for the customs again. At the time of GR for the PO, in the Commercial Inv. No field it is pic
-
Premiere cs6 cc cannot export to media encoder
Suddenly today, Premiere cs6 cc sequence export to queue not appearing in media encoder.