Simple firewall implementation

Hello,
I'm pretty new to Cisco products and want to set up a simple firewall.
I found some examples but can't get it to work.
For now we are using Cisco 88x and 89x series routers.
When I activate the script, the remote connection to the router is lost, although I have put in a permit rule for SSH.
The script is the following:
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall rtsp
ip inspect name Firewall h323
ip inspect name Firewall netshow
ip inspect name Firewall ftp
ip inspect name Firewall ssh
ip access-list extended Allow-IN
 permit eigrp any any
 permit icmp any 192.168.2.0 0.0.0.255 echo-reply
 permit icmp any 192.168.2.0 0.0.0.255 unreachable
 permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
 permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.168.2.0 0.0.0.255 echo
 permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
 permit tcp any 192.168.2.0 0.0.0.255 eq 22
 deny ip any any
interface Vlan1
 ip inspect Firewall in
interface Dialer1
 ip access-group Allow-IN in
Can anyone tell me what I'm doing wrong here?
And a second question: can I also use port numbers for ip inspect, or must I always use a service name?
Thank you,
//Edwin
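The access list from the post, run through a small evaluator of IOS extended-ACL semantics (top-down, first match wins, wildcard masks, implicit deny at the end). This is an added example and not part of the original thread; the router's Dialer1 address (203.0.113.10) and the admin workstation (198.51.100.7) are assumed values, since the post gives neither. What it shows: entry 8 permits TCP/22 only to destinations inside 192.168.2.0/24, so if the management session arrives on Dialer1 for the router's own address it matches nothing but the closing deny ip any any and is cut the moment the list is bound to the interface. It also shows that the static list denies the return half of a LAN-originated UDP session, which is exactly the gap that ip inspect Firewall in on Vlan1 is there to open dynamically. The router-traffic keyword only covers sessions the router itself starts; an inbound SSH session to the router needs its own entry permitting TCP/22 to the Dialer1 address, ideally restricted to the admin source.

```python
"""IOS extended-ACL evaluator: added example, not from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addresses; the post gives neither of them.
ROUTER_WAN = "203.0.113.10"   # address on Dialer1, assigned by the ISP
ADMIN_HOST = "198.51.100.7"   # remote workstation running the SSH client

ALLOW_IN = """\
ip access-list extended Allow-IN
 permit eigrp any any
 permit icmp any 192.168.2.0 0.0.0.255 echo-reply
 permit icmp any 192.168.2.0 0.0.0.255 unreachable
 permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
 permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.168.2.0 0.0.0.255 echo
 permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
 permit tcp any 192.168.2.0 0.0.0.255 eq 22
 deny ip any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str                    # tcp / udp / icmp / eigrp
    src: str
    dst: str
    dport: Optional[int] = None   # TCP/UDP destination port
    icmp_type: Optional[str] = None

@dataclass(frozen=True)
class Ace:
    action: str                   # permit / deny
    proto: str                    # "ip" matches any protocol
    src: Tuple[int, int]          # (network, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' or 'A WILDCARD' at t[i] (the forms the post uses); return spec and next index."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _matches(spec: Tuple[int, int], ip: str) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF     # wildcard 1-bits are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == net & care

def parse_acl(text: str) -> List[Ace]:
    """Handle destination 'eq PORT' and ICMP type names; header lines are skipped."""
    aces: List[Ace] = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        rest, dport, icmp_type = t[i:], None, None
        if t[1] in ("tcp", "udp") and len(rest) >= 2 and rest[0] == "eq":
            dport = int(rest[1])
        elif t[1] == "icmp" and rest:
            icmp_type = rest[0]
        aces.append(Ace(t[0], t[1], src, dst, dport, icmp_type))
    return aces

def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; returns (action, 1-based entry number).
    Falling off the end is the implicit deny every IOS ACL carries."""
    for n, a in enumerate(aces, 1):
        if a.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(a.src, pkt.src) and _matches(a.dst, pkt.dst)):
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        if a.icmp_type is not None and a.icmp_type != pkt.icmp_type:
            continue
        return a.action, n
    return "deny", None

ACL = parse_acl(ALLOW_IN)

def ssh_to_router() -> Tuple[str, Optional[int]]:    # the session the post loses
    return evaluate(ACL, Packet("tcp", ADMIN_HOST, ROUTER_WAN, dport=22))

def ssh_to_lan_host() -> Tuple[str, Optional[int]]:  # covered by entry 8
    return evaluate(ACL, Packet("tcp", ADMIN_HOST, "192.168.2.5", dport=22))

def dns_reply_to_lan() -> Tuple[str, Optional[int]]:
    # Return half of a LAN-originated UDP query: the static list denies it,
    # which is the gap 'ip inspect Firewall in' on Vlan1 is there to open.
    return evaluate(ACL, Packet("udp", "192.0.2.53", "192.168.2.5", dport=1025))

if __name__ == "__main__":
    for fn in (ssh_to_router, ssh_to_lan_host, dns_reply_to_lan):
        print(f"{fn.__name__:18s} -> {fn()}")
```

Running it prints deny (entry 9) for the SSH session to the router's own address and permit (entry 8) for SSH to a LAN host; the DNS reply case is the one CBAC fixes, the router case is not.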

Hello,
I have tested this.
I couldn't add router-traffic to the ip inspect rule for ssh, but I could add it to the ip inspect rule for tcp.
I tested this option, but unfortunately the connection was closed again as soon as the rules were applied to the interfaces.
Maybe I did it wrong, or it doesn't work.
//Edwin

Similar Messages

  • Simple Firewall

    Hi all,
    I have very recently begun using Java as a development package, and I love the network capability that it has. It makes it quite a bit easier to make a network application and implement it.
    Something I would like to try would be to make a fairly simple firewall. For instance, when a user inside the network wants to make a connection, it would forward it through to the outside world and keep the thread open to allow communication back to the host. If the outside world tried getting in, it would reject the host unless it met specific requirements (right port, etc.).
    Three questions I have:
    1. Is this possible? I mean, it seems possible, but would there be a problem with the data, even if I used very basic I/O streams and such? Or would there be problems because of the vast number of protocols and such?
    2. How can I differentiate between 2 NICs? On my existing firewall, I'd have eth0 and eth1 for my internet and local net Ethernet cards. How would java know which is which? Creating a server socket is simple, but how do I tell it which interface to listen on?
    3. Obviously a firewall would need to listen to all incoming and outgoing ports. Do I seriously need to make 65535 threads to have a server socket listen on every port? I would hope there is a more simple way, but I'm just not finding it anywhere.
    Thank you all for your time.

    Yes, it is possible with the java.net API.
    There are lots of examples.
    I think you should go to the socket programming section
    if you really want to do this.

  • [SOLVED] creating simple firewall

    HI
    I am running mail and web on my server. I would like to put a simple firewall on that server to have some protection.
    Here is my start configuration of iptables
    cat /etc/iptables/iptables.rules
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
    As you can see I am opening the IMAP, SMTP, web and SSH ports.
    MY IDEA is to protect the server from strangers who are scanning ports, trying to open all possible web pages and logging in over some webapp.
    I would like to do something like this:
    DROP the connection if there are too many attempts to open it. Let's say if there are more than 5 per 1 second, then DROP.
    Is it possible to do it in a simple way using iptables? And how?
    thank you very much.
    Last edited by jancici (2012-03-21 21:34:51)

    it happened just a few moments ago, I know it is not me :-)
    Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    so this is the situation, or the reason why I want to protect my server
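The "more than 5 per 1 second, then DROP" rule from the question, as an added Python example that is not from the thread: the detection half, a per-source sliding window over dovecot imap-login lines of the shape shown above, plus the manual iptables drops it would produce. The log lines are constructed in the post's format, with the documentation addresses 203.0.113.77 and 198.51.100.4 standing in for the real ones.

```python
"""Flag sources that hammer IMAP logins: added example, not from the thread."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches the dovecot imap-login lines shown in the post (syslog timestamp
# without a year, so the year is supplied by the caller).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: imap-login: "
    r"Disconnected \((?P<reason>[^)]*)\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[\d.]+), lip=(?P<lip>[\d.]+)"
)

def parse_line(line: str, year: int = 2012) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, remote ip, reason), or None for lines that are not
    dovecot imap-login disconnects."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rip"], m["reason"]

def offenders(lines: List[str], max_hits: int = 5, window_s: float = 1.0) -> Dict[str, datetime]:
    """Sliding-window count per remote IP. A source is reported the first time
    it exceeds max_hits disconnects within window_s seconds, i.e. the
    'more than 5 per 1 second' rule from the post."""
    recent: Dict[str, deque] = defaultdict(deque)
    found: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rip, _reason = parsed
        q = recent[rip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop hits outside the window
            q.popleft()
        if len(q) > max_hits and rip not in found:
            found[rip] = ts
    return found

def drop_commands(found: Dict[str, datetime]) -> List[str]:
    """Manual iptables drops for the flagged sources."""
    return [f"iptables -I INPUT -s {rip} -j DROP" for rip in sorted(found)]

# Constructed sample log: same shape as the post's lines, documentation IPs.
def _line(ts: str, rip: str, reason: str = "tried to use disabled plaintext auth") -> str:
    return (f"{ts} localhost dovecot: imap-login: Disconnected ({reason}): "
            f"user=<>, rip={rip}, lip=192.0.2.10")

SAMPLE_LOG = (
    [_line("Mar 21 15:17:10", "203.0.113.77")] * 2
    + [_line("Mar 21 15:17:11", "203.0.113.77")] * 10
    + ["Mar 21 15:17:11 localhost sshd[4242]: Accepted publickey for admin from 198.51.100.4"]
    + [_line("Mar 21 15:17:12", "203.0.113.77")] * 8
    + [_line("Mar 21 15:17:30", "198.51.100.4", "no auth attempts in 7 secs")]  # one normal client
)

if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG)
    for rip, when in hits.items():
        print(f"{rip} exceeded the rate at {when:%H:%M:%S}")
    print("\n".join(drop_commands(hits)))
```

Inside iptables itself the same check is the recent match: a rule with -m recent --set on new connections to port 143, followed by one with -m recent --update --seconds 1 --hitcount 6 -j DROP placed before the ACCEPT for that port. hitcount counts the packet being matched, so 6 means "more than 5" within the window. The lines in the post were already being refused by dovecot (plaintext auth is disabled), so the firewall rule buys rate limiting and quieter logs rather than closing a hole.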

  • Firewall implementation in java

    Need help with firewall implementation in Java. Is it possible to develop an application-level firewall in Java? How?

    No.
    You can control a firewall in C or such from Java, but you must have native code in part of it.
    This question is asked repeatedly; you really should have searched, because the answer is always the same. You can't do it directly in Java.

  • Simple Microblaze implementation using vivado

    hello
    I recently got my new Basys3 board, and I am trying to implement a simple project based on a MicroBlaze and a GPIO IP core to generate a simple signal and get this signal on a Pmod pin connector using Vivado. As this is the first time I have used Vivado, I find it a little difficult to run the implementation. I attached the different files with this message, including the C program. I can generate a bitstream file and build a project in SDK, and I can implement the design on the Basys3 board, but when I check the signal on the Pmod connector it seems like nothing happens.
    I appreciate any help or suggestions to remedy this problem.
    Best regards

  • Extranet/Firewall implementation question

    All,
    We’re running EP6 SP11 in a single-server scenario. We’ve implemented iViews that access backend CRM and BW systems. All connections are HTTP (versus SSL). I’ve been asked to make the Portal system available outside the firewall, where the sales team can access sales functionality without VPN authentication. I’ve read about reverse proxy and SSL scenarios, which make sense; however, I have a couple of questions.
    It seems like the reverse proxy scenario would be a good choice. I understand how access to the portal would work; however, I'm not sure what happens when the iViews that access backend systems are launched.
    I would like to get others input.
    Thanks,
    Greg

    Hi Greg,
    We have an external portal that is fronted by an Apache reverse proxy. In the Apache configuration file there is a section for reverse proxy statements.
    So basically we have it set up so that when users request portal.sap.com/irj it is reverse proxied to the portal server. For iViews that access backend systems we set up the same thing.
    For example, we have an iView that connects to an R3 system, so we have it set up so that anything that comes across as portal.sap.com/r3 is reverse proxied to an ITS server that then connects to the R3 system.
    Hope that helps
    Keith

  • DC Firewall implementation

    Hi Experts,
    Could you please guide me to best practices for implementing/designing firewalls in an existing data center? I am looking at implementing transparent-mode firewalls to minimize disruptions and achieve server farm security.
    The existing topology is a collapsed aggregation/access layer: 2x6500 active/standby through HSRP, and external routing is OSPF. These switches connect to the core through OSPF 0; the server farm networks' default gateways are the HSRP addresses on the switches. Server networks are segmented through VLANs [170-190].
    Cisco ASA is to be implemented; we do not want major routing changes, hence we opted for transparent mode. Attached is a high-level topology of what is to be achieved.
    Any detailed design guides would be appreciated on how traffic flow from the WAN to the DC and within the DC can be intercepted.

  • A simple BADI implementation - very urgent

    Hi,
      I am new to ABAP. I need a small piece of coding. I am implementing a BADI. There is a table which has 3 fields (MATID, LOCID, STATUS and PLANNING_DATE). For each MATID (material ID), there are many LOCID (Location ID) available. My BADI has to choose the suitable LOCID for the given MATID based on the following conditions :
    The LOCID for that particular MATID, must satisfy STATUS = salesprice and PLANNING_DATE = current date.
    <u>Code Logic :</u>
    <b>Input :</b> BADI gets a series of MATID and corresponding LOCID as input.
    <b>Logic :</b> For the MATID, choose one LOCID. Check whether the corresponding fields have STATUS = salesprice  and PLANNING_DATE = current date

    Hi Preetha,
    Assume that the BADI's interface has an internal table which has the table for matid, locid, status and planning_date say itab(In the badi method, check the correct name for the table).
    read table itab into wa with key matid = <current matid>
                                     status = <sales price>
                                     planning_date = sy-datum.
    if sy-subrc = 0.
    You will have the chosen record.
    endif.
    Regards,
    Ravi

  • Simple idm implementation question

    Hi,
    Would anyone with IDM experience comment on what it would take to implement the following in IDM (assuming there are technical people available, though with no IDM experience):
    1. There is no provisioning to the end systems
    2. A requester logs in, creates a request -> approver logs in and approves -> implementer logs in and marks it implemented (for that last piece I imagine you'd need a custom workflow and form on a resource/role to add implementers) -> resource/role marked provisioned
    3. Basic audit reports for audit
    4. Requester/approver/implementer can be set up in different departments so they only see resources/roles for that department
    Your advice is much appreciated!

    I am no expert in IDM, but what you require is possible and explained in good detail as part of the Deployment Fundamentals course run by Sun, which I attended about a month back. It would take too long to explain how to put it in place on this forum, I'm afraid. You would need to attend the course. I don't have enough experience to advise how long this would take. Hope this is of some help.

  • 2 layers of firewall Implementation Design

    Dears, I'll be going for this design below:
    Internet-----Firewall1-----Firewall2----Core switches----Distribution switches----End users
    Firewall1: outer interface to the internet, internal interface to Firewall2, DMZ interface to DNS, email server, Bluecoat (guest users), Websense (wired users' internet access).
    Firewall2: outer interface to Firewall1, DMZ interface to the server farm, internal interface to the core switches.
    Now, in order for both wired and wireless users to have their internet traffic directed to Bluecoat and then from Bluecoat to the internet, routing should be enabled between the 2 firewalls, so is that OK? Or shall I configure all users to have Firewall1 as their default gateway and then have Firewall1 configured to route traffic to both Websense and Bluecoat? Also, while traffic is coming back from Firewall1 heading to Firewall2, should I open some ports on Firewall2, because by default it won't be allowing any traffic since it will be going from a lower-level interface to a higher level?

    routing should be enabled between 2 firewalls so is it ok ?
    Surely it's OK, and it should be done. You may use dynamic routing or just static routes. The final goal is to provide full IP reachability between your clients and the web filtering services.
    or shall i configure all users to have a default gateway to firewall1
    You can't configure Firewall1's inside IP as the default gateway for your clients, because the default gateway IP should be in the same LAN segment (broadcast domain).
    also while traffic is coming back from firewall1 heading to firewall2 i  should open some ports on Firewall2 because by default it wont be  allowing any traffic since it will be going from low level interface to  higher level???.
    If we're talking about general web traffic, then you don't have to configure any ACLs on the outside interface of FW2, because web traffic will be inspected by default (at least as TCP). That means, when a client connects to, say, cisco.com, returning traffic will be allowed by default, because there'll be an entry in the state table.

  • Firewall Implementation

    Is it advisable to place a firewall in front of my server farm? And why?

    Hello Maro,
    A firewall is a device that is placed into the network to filter traffic (depending on the security policies your management team has set) to protect the internal resources from both internal and outside threats.
    So if you place a firewall in front of a server farm, that will protect them; it would be amazing.
    Now remember that you will need to configure the firewall to allow access to those servers on the right ports/services.
    Regards
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • Simple ResourceAdapter implementation

    I am trying to deploy a ResourceAdapter which only uses BootstrapContext.ctx.createTimer() and getWorkManager() to execute tasks within the webapplication, it has no communication with other systems.
    On a resin-server this gets started by adding
    <resource jndi-name="jca/taskEngine" type="myclasses.TaskEngine"/>
    For deploying this on oc4j i have tried packaging this ra.xml:
    <?xml version="1.0" ?>
    <connector xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/connector_1_5.xsd"
    version="1.5">
    <description>experimental jca 1.5 resource adapter</description>
    <display-name>taskengine</display-name>
    <vendor-name>tester</vendor-name>
    <eis-type>test</eis-type>
    <resourceadapter-version>0.0</resourceadapter-version>
    <resourceadapter>
    <resourceadapter-class>myclasses.taskengine</resourceadapter-class>
    </resourceadapter>
    </connector>
    and a jar with the class into taskengine.rar.
    Then running this command:
    E:\oracle2\ora92\dcm\bin>dcmctl deployApplication -f e:\test3\taskengine.rar -a taskengine
    This extracts the files to ...j2ee/home/connectors
    and adds this entry
    <connector name="taskengine" path="taskengine.rar">
         </connector>
    to oc4j-connectors.xml.
    The start(BootstrapContext bootstrapContext) - method is still not executed.
    Don't know if I am even on the right track here; any tips would be greatly appreciated.
    best regards, lars

    Hi Ripal,
    Following are the steps which would be used to achieve the objective:
    We have to define the following dictionary types for creating the relation:
    1. Data dictionary related developments
         a. Z table with all fields needed to be captured
         b. A structure having all the fields of the Z table
         c. A table type same as the Z table
         d. Structure having only the key fields of the Z table
    2. SPRO settings:
         To create this relation go to SPRO:
    Customer Relationship Management->CRM Cross-Application Components->Generic Interaction Layer/Object Layer->Business Transactions
    Here we need to do all three tasks:
         a) Extend Model for Business Transactions with New Nodes.
              Click on New entries.
         b) Extend Model for Business Transactions with New Relations.
    In this step we name the new relation. Click on new entries and maintain new entries as shown.
    The source object is the parent relation (external object name) on which our relation is dependent.
    As we have to store n records for 1 opportunity header, the relation is (1:0...n).
         c) Define Custom Handler Classes for Business Transaction Model Nodes.
              In this step we have to mention the name of the class which is inherited from the GenIL class of the parent relation.
    Methods:
    We have to implement two methods here:
      IF_CRM_RUNTIME_BTIL~READ_ATTRIBUTES
      IF_CRM_RUNTIME_BTIL~MAINTAIN_ATTRIBUTES
    Once all these steps are completed the new relation is created and can be accessed as a dependent object in BOL.
    Regards,
    Chiru

  • Lscd - simple ranger implementation in POSIX shell

    I've been casually working on a file browser that has an interface similar to ranger, but takes a different approach, in that it is written in bash POSIX shell.
    I wanted to combine the elegance, portability and simplicity of a short bash shell script with the ability to get me wherever I want ASAP without the "cd TAB TAB TAB" boilerplate. Additionally, it can use ranger's file opener "rifle" to execute files just the way ranger does.
    I'm not finished yet, but there is a working alpha version at github:
    https://github.com/hut/lscd
    It uses the basic h/j/k/l vim type movement control keys. Check the source for more key bindings, it makes no sense to write a complete list at this stage of development.
    And the obligatory screen shot:
    As you can see, there are no miller columns like in ranger. That may or may not change in the future. I suspect it would be too slow in shell script.
    Pro tip: if you run lscd with the command ". lscd", it will run in the current bash environment, rather than in a new one. Only this way the directory will actually change after you close lscd.
    Last edited by hut (2014-09-11 12:13:45)

    Really cool.
    falconindy wrote: Aliasing ls (e.g. alias ls='ls --color') will break this. You shouldn't be using ls at all, but rather glob expansion....
    In case you source it, it will use the alias/function, so indeed, be careful with that.
    Here's a template I always use for adding cursor movement:
    (starting with line 147)
    (adjust to posix shell yourself)
    (the -t 0.01 newinput is "beatable", e.g. if you hold the cursor key newinput will get larger. That's why there's a "$newinput" =~ [~A-Da-d] for cursor keys and shift+cursor keys)
    read -n 1 -s input
    if [[ "$input" == $'\e' ]]; then
        input=ESC
        # collect the rest of the escape sequence; -t 0.01 times out when nothing follows
        while true; do
            read -n 1 -s -t 0.01 newinput < /dev/tty
            [[ "$newinput" == $'\e' ]] && newinput=ESC
            input=${input}${newinput}
            [[ -z "$newinput" || "$newinput" =~ [~A-Da-d] ]] && break
        done
    fi
    case "$input" in
    'ESC[A') : # code for up, etc.
    ;; #Up
    'ESC[B')
    ;; #Down
    'ESC[6~')
    ;; #Page Down
    'ESC[5~')
    ;; #Page Up
    'ESC[4~'|'ESC[F'|'ESC[8~'|'ESCOF')
    ;; #End
    'ESC[1~'|'ESC[H'|'ESC[7~'|'ESCOH')
    ;; #Home
    'ESC[D')
    ;; #Left
    'ESC[C')
    ;; #Right
    'ESC[3~')
    ;; #Delete
    *)
    ;; #any other key, including plain characters
    esac

  • Java Firewall

    Hi all,
    I have very recently begun using Java as a development package, and I love the network capability that it has. It makes it quite a bit easier to make a network application and implement it.
    Something I would like to try would be to make a fairly simple firewall. For instance, when a user inside the network wants to make a connection, it would forward it through to the outside world and keep the thread open to allow communication back to the host. If the outside world tried getting in, it would reject the host unless it met specific requirements (right port, etc.).
    Three questions I have:
    1. Is this possible? I mean, it seems possible, but would there be a problem with the data, even if I used very basic I/O streams and such? Or would there be problems because of the vast number of protocols and such?
    2. How can I differentiate between 2 NICs? On my existing firewall, I'd have eth0 and eth1 for my internet and local net Ethernet cards. How would java know which is which? Creating a server socket is simple, but how do I tell it which interface to listen on?
    3. Obviously a firewall would need to listen to all incoming and outgoing ports. Do I seriously need to make 65535 threads to have a server socket listen on every port? I would hope there is a more simple way, but I'm just not finding it anywhere.

    It's possible to write a proxy. That said, this is not really a very good first Java network assignment, as Java network access is quite high level, and this is a complex project.

    As far as having the knowledge behind it, that is not a problem. This isn't really a school project per se. I am pursuing a degree as a networking specialist, so network addressing and protocols are not an issue. It is simply taking that understanding and putting it into (Java) words. In combination with that, I have a decent programming background, just not much in Java. I hope to learn quickly, and this is more like a final goal. Java seems like the perfect language to complement an understanding of a network infrastructure.

    Your OP didn't specify a level of knowledge other than that you were new to Java. I assumed you had quite a bit of network experience to even consider such a project.

    The 2 NICs have different IP addresses; when creating a ServerSocket you can specify the IP address as well as the port.

    Makes sense, I guess, but I was more or less hoping to have it dynamic. If I ever want to change the address or move this to another system, I wouldn't want to have to recompile with the new address. This could easily be solved with a textbox to input the addresses though, so it's not a big deal.

    You could use a Runtime.exec() call to run a command such as ipconfig on Windows or ifconfig -a on Unix to get that info.

    I believe there is no way to do this; a port of 0 means to use an ephemeral port.

    If this is not possible, then I would think a Java firewall is not possible.

    Yes, when I said it requests an ephemeral port I meant that you can't do what you want.

    Granted, maybe I am just not understanding the software end of it, but a packet sniffer, like Ethereal, is able to see all data passing through, and I doubt it has 65k threads per protocol to listen. Is there a way to have the program see all data hitting its NIC?

    Java definitely cannot listen to packets in promiscuous mode. There is a package called JPCap that provides packet capture using JNI.

    I am not sure where an ephemeral port would solve this. Granted, it would help with the internals of the program, passing data from eth0 to eth1, but how would this solve the problem of knowing which port to receive data on eth0?

    Thanks again!

    You're welcome, and good luck.

  • Very slow internet behind IOS Firewall

    Hi,
    This is my first post in the community, so Hello everyone!
    Just a (hopefully) quick question,
    I am using a Cisco 887VA-M-K9 router to connect to my ISP via VDSL.
    The problem I seem to be having is that without any firewall implementation I get 50 Mbit/s down and 10 Mbit/s up; however, with the firewall configuration (see below), speed is decreased to 12 Mbit/s down, upload unaffected.
    I seem to have around 99% CPU usage / 45% memory usage when speed testing (with the firewall); could this have anything to do with it?
    Many thanks!
    CiscoGateway>en
    CiscoGateway#sh running
    Building configuration...
    Current configuration : 13754 bytes
    ! Last configuration change at 01:09:45 UTC Wed Oct 22 2014 by $$rtcisco73&&
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname CiscoGateway
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3236947830
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3236947830
     revocation-check none
     rsakeypair TP-self-signed-3236947830
    crypto pki certificate chain TP-self-signed-3236947830
     certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33323336 39343738 3330301E 170D3134 31303231 32323332
      31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 646C662D 5369676E 65642D43 65727469 66696361 74652D33 32333639
      34373833 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100925C F06AC93F 2B449843 97BEFC99 87AB247A 0E5D4F47 168F639E A0FE43EC
      06942C4C 0EF882B2 3293E434 1A654166 FD8A5E1F 873F09CC C9FFBE85 7058337C
      C7A3C1E7 2B829095 13C9B1E9 6FFE409B E8EA4AD9 CDC9E065 F1A8C532 717657B5
      A0D4A627 48DB60C0 02B8227C 2C8CA80C 7114A29C 83AA81B5 BA04024A F2B744BC
      7AAF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 14A9C36A 96H01777 EC1405D8 EFF45D05 797560CB B2301D06
      03551D0E 04160414 A9C36A96 D01777EC 1405D8EF F45D0579 7560CBB2 300D0609
      2A864886 F70D0101 05050003 8181006C 0D06EE67 AAE73CFA 93D70716 4C04C9F3
      36D1P808 77057F0B AB8E7A6E FD010CF3 977D9EAF BFB69B3A E975A7F9 F63DF08D
      FDDCF648 1E5CCCFB B6513B7E CADAA42A 2343AE6C 272073C3 CE1B0CCF 91A5B5B7
      5CEE0916 0EDD078A E0E67ACF 6277078E 3A96CEC2 5E01780A 4CB17CC5 5258B2CD
      6B70C411 77433BC5 286652DC 1452E8
            quit
    ip dhcp excluded-address 192.168.1.1 192.168.1.79
    ip dhcp pool Pool0
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.1.1
     lease 7
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    no ipv6 cef
    parameter-map type protocol-info yahoo-servers
     server name scs.msg.yahoo.com
     server name scsa.msg.yahoo.com
     server name scsb.msg.yahoo.com
     server name scsc.msg.yahoo.com
     server name scsd.msg.yahoo.com
     server name cs16.msg.dcn.yahoo.com
     server name cs19.msg.dcn.yahoo.com
     server name cs42.msg.dcn.yahoo.com
     server name cs53.msg.dcn.yahoo.com
     server name cs54.msg.dcn.yahoo.com
     server name ads1.vip.scd.yahoo.com
     server name radio1.launch.vip.dal.yahoo.com
     server name in1.msg.vip.re2.yahoo.com
     server name data1.my.vip.sc5.yahoo.com
     server name address1.pim.vip.mud.yahoo.com
     server name edit.messenger.yahoo.com
     server name messenger.yahoo.com
     server name http.pager.yahoo.com
     server name privacy.yahoo.com
     server name csa.yahoo.com
     server name csb.yahoo.com
     server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
     server name messenger.hotmail.com
     server name gateway.messenger.hotmail.com
     server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
     server name login.oscar.aol.com
     server name toc.oscar.aol.com
     server name oam-d09a.blue.aol.com
    license udi pid CISCO887VA-M-K9 sn FCZ1753C0LJ
    controller VDSL 0
    ip ssh version 2
    class-map type inspect imap match-any ccp-app-imap
     match invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
     match protocol edonkey signature
     match protocol gnutella signature
     match protocol kazaa2 signature
     match protocol fasttrack signature
     match protocol bittorrent signature
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect gnutella match-any ccp-app-gnutella
     match file-transfer
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
     match service any
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
     match service any
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
     match protocol ymsgr yahoo-servers
     match protocol msnmsgr msn-servers
     match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
     match service any
    class-map type inspect match-all ccp-protocol-pop3
     match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-any SDM_SSH
     match access-group name SDM_SSH
    class-map type inspect pop3 match-any ccp-app-pop3
     match invalid-command
    class-map type inspect match-any SDM_HTTPS
     match access-group name SDM_HTTPS
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
     match file-transfer
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any SDM_SHELL
     match access-group name SDM_SHELL
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
     match service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
     match service text-chat
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect http match-any ccp-app-httpmethods
     match request method bcopy
     match request method bdelete
     match request method bmove
     match request method bpropfind
     match request method bproppatch
     match request method connect
     match request method copy
     match request method delete
     match request method edit
     match request method getattribute
     match request method getattributenames
     match request method getproperties
     match request method index
     match request method lock
     match request method mkcol
     match request method mkdir
     match request method move
     match request method notify
     match request method options
     match request method poll
     match request method propfind
     match request method proppatch
     match request method put
     match request method revadd
     match request method revlabel
     match request method revlog
     match request method revnum
     match request method save
     match request method search
     match request method setattribute
     match request method startrev
     match request method stoprev
     match request method subscribe
     match request method trace
     match request method unedit
     match request method unlock
     match request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
     match file-transfer
     match text-chat
     match search-file-name
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
     match request port-misuse im
     match request port-misuse p2p
     match req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
     match file-transfer
    class-map type inspect match-all ccp-protocol-imap
     match protocol imap
    class-map type inspect aol match-any ccp-app-aol
     match service text-chat
    class-map type inspect edonkey match-any ccp-app-edonkeychat
     match search-file-name
     match text-chat
    class-map type inspect fasttrack match-any ccp-app-fasttrack
     match file-transfer
    class-map type inspect http match-any ccp-http-allowparam
     match request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any sdm-cls-access
     match class-map SDM_HTTPS
     match class-map SDM_SSH
     match class-map SDM_SHELL
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-protocol-p2p
     match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all ccp-protocol-im
     match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all sdm-access
     match class-map sdm-cls-access
     match access-group 101
    policy-map type inspect pop3 ccp-action-pop3
     class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect p2p ccp-action-app-p2p
     class type inspect edonkey ccp-app-edonkeychat
      log
      allow
     class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
     class type inspect fasttrack ccp-app-fasttrack
      log
      allow
     class type inspect gnutella ccp-app-gnutella
      log
      allow
     class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect im ccp-action-app-im
     class type inspect aol ccp-app-aol
      log
      allow
     class type inspect msnmsgr ccp-app-msn
      log
      allow
     class type inspect ymsgr ccp-app-yahoo
      log
      allow
     class type inspect aol ccp-app-aol-otherservices
      log
      reset
     class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
     class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map type inspect ccp-pol-outToIn
     class t
     class class-default
      drop log
    policy-map type inspect http ccp-action-app-http
     class type inspect http ccp-http-blockparam
      log
      reset
     class type inspect http ccp-app-httpmethods
      log
      reset
     class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
     class type inspect imap ccp-app-imap
      log
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
     class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
     class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
     class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
     class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit
     class type inspect sdm-access
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
     service-policy type inspect ccp-pol-outToIn
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    interface Ethernet0
     no ip address
    interface Ethernet0.101
     encapsulation dot1Q 101
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     description LocalAN$FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer1
     description BT Infinity Dialer Interface$FW_OUTSIDE$
     mtu 1492
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     ppp authentication pap chap ms-chap callin
     ppp chap hostname [email protected]
     ppp chap password 0 0
     ppp ipcp address accept
     no cdp enable
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip access-list extended NAT
     permit ip 192.168.1.0 0.0.0.255 any
     remark Access list for NAT
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
    ip access-list extended SDM_HTTPS
     remark CCP_ACL Category=1
     permit tcp any any eq 443
    ip access-list extended SDM_SHELL
     remark CCP_ACL Category=1
     permit tcp any any eq cmd
    ip access-list extended SDM_SSH
     remark CCP_ACL Category=1
     permit tcp any any eq 22
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip any any
    line con 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     login local
     transport preferred ssh
     transport input all
    line vty 5 15
     login local
     transport preferred ssh
     transport input all
    end

    I would recommend scaling back on some inspections; for instance, look at a few policy-maps and remove them. Of course, copy them to a text file so you can add them back, but I would play with this by removing things I don't "need".
    For instance, what do we "trust" and what do we "untrust"? Are we saying anything from inside (trust) should be inspected based on a particular policy-map once it goes outside (untrust)? What is outside though? i.e. Internet, MPLS?
    For sure, the Internet will always be an untrust security zone, but MPLS would certainly be trusted as it's your private WAN service.
    Again, play with it by removing some items, testing performance, and leaving only what you "need" and nothing more.
    Did you create this via CCP by chance?
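The trimmed policy the reply suggests, as an added example that is not the poster's configuration or anything Cisco ships: it keeps the inside/outside zones of the 887VA config above, replaces the sdm-access rule (which admits SSH, HTTPS and rsh to the router from any Internet address through access-list 101 `permit ip any any`) with SSH from a single management address, and drops whatever it does not name. The management address 203.0.113.10 is a constructed placeholder, and using `inspect` on self-zone pairs assumes the IOS release the posted config already does this on.

```cisco
! Added example, not the poster's or Cisco's configuration: a trimmed
! zone-based firewall for the same layout (Vlan1 inside, Dialer1 outside).
! 203.0.113.10 is a constructed placeholder for the management host.
!
! Inside (trust) to Internet (untrust): stateful inspection of the generic
! protocols; replies are admitted by the session state, nothing else is.
class-map type inspect match-any IN-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop log
!
! Internet to the router itself: SSH from the management host only,
! instead of SSH/HTTPS/rsh from any address (sdm-access with ACL 101).
ip access-list extended MGMT-SSH-IN
 permit tcp host 203.0.113.10 any eq 22
class-map type inspect match-all OUT-SELF-CLASS
 match access-group name MGMT-SSH-IN
policy-map type inspect OUT-SELF-POLICY
 class type inspect OUT-SELF-CLASS
  inspect
 class class-default
  drop log
!
! Router to Internet: track the router's own DNS, NTP and ICMP so the
! replies return, with a dropping class-default instead of "pass".
class-map type inspect match-any SELF-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect SELF-OUT-POLICY
 class type inspect SELF-OUT-CLASS
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect IN-OUT-POLICY
zone-pair security out-to-self source out-zone destination self
 service-policy type inspect OUT-SELF-POLICY
zone-pair security self-to-out source self destination out-zone
 service-policy type inspect SELF-OUT-POLICY
! No out-to-in or in-to-self pair: zone-to-zone traffic without a pair is
! dropped, zone-to-self traffic without a pair is permitted by default.
```

Pair it with `transport input ssh` on the vty lines, which the posted config leaves at `transport input all` despite `ip ssh version 2`.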
