ACE - SIP TLS

Hello,
Do you know if it is possible in ACE 4710 appliance to configure a SIP TLS probes?
The SIP probe we have in the configuration guide it is only for clear text.
Anyways, for Lync 2013 we need to establish first a TLS session and then within it, send an SIP request...
IS it possible in any version? I tried also to configure a HTTPS probe but it fails as it sends a GET which the Lync SIP server doesnt understand..
Thanks for your help
Giulio

hi Giulio,
you probably need a custom script, contact your Cisco Account Manager or System Engineer they can help you with it
Cesar R
ANS Team

Similar Messages

VCS X8.5.1 SIP TLS to CUCM 8.6.2

I'm having problems enabling TLS on my SIP trunk from the VCS to CUCM.
The SIP trunk shows active on the VCS, but I can't make calls from VCS to CUCM or from CUCM to VCS.
Before configuring TLS, I was able to make these calls.
With TLS enabled, the VCS search for calls from VCS to CUCM show the call rejected and give the reason "Forbidden"
Calls from CUCM to VCS get fast busy and I do not see anything in the search history on the VCS.
I've restarted the trunk and call manager service on the CUCM servers, but no change.
I'm not really sure where to go from here.
I followed the following guide for configuring the SIP trunk. http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-SIP-Trunk-to-Unified-CM-Deployment-Guide-CUCM-8-9-10-and-X8-5.pdf
Any help is appreciated.
Thanks,
Joe

I have again checked these and identical to what I set up, We have a multiple TX9000's on the CUCM in Secure mode working perfect and can make Encrypted calls to the TPS server via a TPS TCP Trunk.
but any calls to the VCS just fail on a VCS To CUCM Trunk using TLS with a fast busy signal. and the VCS doesn't even show a search history for it.
In the eyes of the VCS and the CUCM there is no Issues with the TLS SIP Trunk it seems to be working, but It seems SIP TLS packets don't even leave the CUCM. I have tried almost every resource known, and thought it was me just having some random issue until I saw Josef post the same issue.
Tomorrow I will check the X.509 names on the CUCM SIP Security Profile as this is the only thing I can think of that might cause the SIP trunk to be OK up but not route correctly maybe?

Default VCS certificate - SIP-TLS Local Database Registration

Hi,
Can someone please tell me if it's possible to use the default VCS certificate for SIP-TLS registration for endpoints listed under the local database? If so will this work by default or is there extra configuration required?
Thanks

Hello Ovindo -
Because you're running a VCS with X7.2.2 software, and using an guide that's meant for X7.0, what you're looking for has changed since that guide.
Please take a look at the X7.2.2 release notes on page 10, "Device Authentication".
You should be using this device authentication guide for your version of VCS software.

SIP TLS/sRTP on Cisco border router (CUBE)

Hello!
Need help configuring SIP TLS for Skype Connect on CUBE (Cisco 2821, 15.1 IOS). Maybe someone has already set up at a similar functionality. Particularly interested in the question about the CA-signed certificate (maintain, installation).

I think you need to post here: https://communities.cisco.com/community/developer

ACE module, TLS and smtp

Hello,
On a ACE module running software version ACE2(1.0), I have defined a virtual smtp server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connexions on port 25 work fine. SMTPS connexions to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connexions to the real servers are in clear text on port 25. But I am having problems with TLS.
If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.
So I tried to setup a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.
There are absolutely no lines in the log that could help me find out what's happening.
I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...
So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?
Thanks a lot for any help you can give me!
Regards,
Marc.

SMTP over TLS is not supported in ACE currently.
SMTP doesnt use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.
In case of SMTP client needs to open a new conn.
So ACE or for that matter any other SMTP relay device needs to terminate conn, look in to the SMTP pkts and punch hole according to the new client conns.
You can get more details at
http://tools.ietf.org/html/rfc2487
Syed

Register TANDBERG MXP 6000 over SIP

Hi, i have MXP6000 with 9.1 software. Cant make it register with SIP. No single packet comes from MXP to server.
Has anyone been able to make it register with SIP server?
Config is quite simple:
xConfiguration Conference SIP URI: "[email protected]"
*c xConfiguration SIP Mode: On
*c xConfiguration SIP Server Discovery: Manual
*c xConfiguration SIP Server Address: "10.96.37.10"
*c xConfiguration SIP Server Type: Auto
*c xConfiguration SIP Authentication UserName: "6000"
*c xConfiguration SIP Transport Default: UDP
*c xConfiguration SIP TLS Verify: Off
*c xConfiguration SIP ICE Mode: Off
*c xConfiguration SIP MNS Mode: Off
*c xConfiguration SIP ForceTurn Mode: Off
*c xConfiguration SIP DefaultCandidate Type: Host
*c xConfiguration SIP Legacy Mask: ""
*c xConfiguration SIP ReplyTo URI: ""

Does it matter? NO REGISTER packets arrived to server, i was sniffing traffic.
Problem solved just after i entered valid DNS server address in IP parameters. Why would it need DNS if i'm using direct IP addresses...
Anyways, my SIP server (Asterisk) does not support duo-video and because there is two video streams in SDP message, it choses wrong RTP port and streams other's side video to presentation channel.

SIP Trunk Diversion (Cfwdall) inserting Domain in the FROM header of the originating PBX

Hello,
We recently performed an upgrade from 8.61 to 8.62. Since the upgrade, incoming off-net diversion (cfwdall) to the PSTN stopped working. Here is the call flow for our setup:
PSTN caller-->AVAYA CM SIP TLS-->AVAY SES SIP-->CUCM-->CFWDALL-->Avaya SES SIP TLS-->Avaya CM-->PSTN.
Calling from an internal SCCP Phone to another SCCP with CFWDall works fine. The problem is when a caller from the PSTN calls an SCCP phone with CFWDALL to PSTN cell phone the call fails at the Avaya with "407 Proxy Authentication required". I believe this because the FROM header has the domain of the Avaya and not the IP Address of CUCM.
Prior to the upgrade, the Diversion SIP INVITE FROM header has the ip address of the CUCM server:
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/TCP 10.170.99.12:5060;branch=z9hG4bK422a01feef6dc
From: <sip:[email protected]>;tag=315634~10e1eefb-2ebd-4fac-98ce-62a72a88c661-62310000
To: <sip:[email protected]>
Post upgrade the CUCM server is sending the originating sip domain from the Avaya SES:
INVITE [email protected]:5060 SIP/2.0
Via: SIP/2.0/TCP 10.170.99.12:5060;branch=z9hG4bK4214471ca38c3
From: <sip:[email protected]>;tag=315423~10e1eefb-2ebd-4fac-98ce-62a72a88c661-62309759
To: <sip:[email protected]>
I think this can be addressed with a SIP normalization script to replace the sip.avayadomain.com with the IP Address of the CUCM server sending the INVITE. I have yet have to implement a SIP normalization script and would like some expert help in creating the normalization script.
Thanks.

Hello,
We recently performed an upgrade from 8.61 to 8.62. Since the upgrade, incoming off-net diversion (cfwdall) to the PSTN stopped working. Here is the call flow for our setup:
PSTN caller-->AVAYA CM SIP TLS-->AVAY SES SIP-->CUCM-->CFWDALL-->Avaya SES SIP TLS-->Avaya CM-->PSTN.
Calling from an internal SCCP Phone to another SCCP with CFWDall works fine. The problem is when a caller from the PSTN calls an SCCP phone with CFWDALL to PSTN cell phone the call fails at the Avaya with "407 Proxy Authentication required". I believe this because the FROM header has the domain of the Avaya and not the IP Address of CUCM.
Prior to the upgrade, the Diversion SIP INVITE FROM header has the ip address of the CUCM server:
INVITE sip:[email protected]:5060 SIP/2.0
Via: SIP/2.0/TCP 10.170.99.12:5060;branch=z9hG4bK422a01feef6dc
From: <sip:[email protected]>;tag=315634~10e1eefb-2ebd-4fac-98ce-62a72a88c661-62310000
To: <sip:[email protected]>
Post upgrade the CUCM server is sending the originating sip domain from the Avaya SES:
INVITE [email protected]:5060 SIP/2.0
Via: SIP/2.0/TCP 10.170.99.12:5060;branch=z9hG4bK4214471ca38c3
From: <sip:[email protected]>;tag=315423~10e1eefb-2ebd-4fac-98ce-62a72a88c661-62309759
To: <sip:[email protected]>
I think this can be addressed with a SIP normalization script to replace the sip.avayadomain.com with the IP Address of the CUCM server sending the INVITE. I have yet have to implement a SIP normalization script and would like some expert help in creating the normalization script.
Thanks.

ACE - security vulnerabilites

Hi All
We received two vulnerability alerts for different web sites behind Cisco ACE:
1) Vulnerability - SSL / TLS Renegotiation DoS
Description: The remote service encrypts traffic using TLS / SSL and permits
clients to renegotiate connections. The computational requirements
for renegotiating a connection are asymmetrical between the client and
the server, with the server performing several times more work. Since
the remote host does not appear to limit the number of renegotiations
for a single TLS / SSL connection, this permits a client to open
several simultaneous connections and repeatedly renegotiate them,
possibly leading to a denial of service condition.
Recommendation: Contact the vendor for specific patch information.
2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
Description: A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow
information disclosure if an attacker intercepts encrypted traffic
served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are
not affected.
Could you please help how they could be fixed?
ACE software A4(2.3)
Regards Craig

Hi Craig,
Regarding this vulnerability,
1) Vulnerability - SSL / TLS Renegotiation DoS
You shouldn't be worrying as the code you are running has by default renegotiation diabled. If not please go to parameter type ssl and disable it.
(config)# Parameter-map type ssl SSL
(config-parammap-ssl)# rehandshake enabled
(config-parammap-ssl)# no rehandshake enabled------>This is the default.
Regarding your second vulnerability:
2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
The workaround is to enable adding empty data blocks via SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS or SSL_OP_ALL runtime options. This was introduced in OpenSSL 0.9.6d. And most of client browsers (IE, Firefox, etc) have included this.
ACE uses TLS 1.0. However, we do not allow code execution on the device. Also the device supports the OpenSSL workaround from client connections that implement it. In this way, ACE is not affected by this vulnerability and no
action is required for this.
There's future enhancement request for TLS 1.1 and TLS 1.2 support on ACE, however there's no hard date on it yet.
Please review the details in below feature enhancement request:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt13316
This is fixed inb A530.
Let me know if you have any questions.
Regards,
Kanwal

ZBFW and SIP problems

Hi GUYS,
Please help me..
I have experiencing problems with SIP phones behind firewall running on CIsco 887 VA-M.
I got these messages :
5 02:43:37.439: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Mandatory header field missing) - dropping udp session 192.168.33.120:5061 203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base
Jul 5 02:43:40.035: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Mandatory header field missing) - dropping udp session 192.168.33.117:5060 203.111.37.20:5060 on zone-pair in-out-zone class cmap-in-out-base
I have downgraded software to 151-4.M6 and greated the policy to skip those checkings but no any improvements
My config is
boot-start-marker
boot system flash:c880data-universalk9-mz.151-4.M6.bin
boot-end-marker
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.33.150 192.168.33.254
ip dhcp pool 1
network 192.168.33.0 255.255.255.0
default-router 192.168.33.1
dns-server 8.8.8.8
ip dhcp pool `
ip cef
ip domain name ues
ip name-server 8.8.8.8
no ipv6 cef
license udi pid CISCO887VA-M-K9 sn FGL171725DT
controller VDSL 0
class-map type inspect match-all cmap-manage
match access-group 23
class-map type inspect match-any cmap-in-out-ALL_allowed
match access-group 150
class-map type inspect match-any cmap-in-out-base
match protocol https
match protocol http
match protocol dns
match protocol ftp
match protocol pop3
match protocol citrix
match protocol citriximaclient
match protocol icmp
match protocol smtp
match protocol pptp
match protocol gopher
match protocol sip
match protocol h323
match protocol sip-tls
policy-map type inspect allow_all
class type inspect cmap-in-out-ALL_allowed
pass
class class-default
drop
policy-map type inspect pmap-out-in-manage
class type inspect cmap-manage
pass
class class-default
drop
policy-map type inspect pmap-in-out
class type inspect cmap-in-out-base
inspect
class type inspect cmap-in-out-ALL_allowed
pass
class class-default
drop
zone security in
zone security out
zone-pair security in-out-zone source in destination out
service-policy type inspect pmap-in-out
zone-pair security out-self-zone source out destination self
service-policy type inspect pmap-out-in-manage
zone-pair security out-in-zone source out destination in
service-policy type inspect allow_all
interface Ethernet0
no ip address
shutdown
no fair-queue
interface ATM0
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface FastEthernet0
switchport access vlan 100
no ip address
interface FastEthernet1
switchport access vlan 100
no ip address
interface FastEthernet2
switchport access vlan 100
no ip address
interface FastEthernet3
switchport access vlan 100
no ip address
interface Vlan1
no ip address
interface Vlan100
ip address 192.168.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0 673569
ppp pap sent-username
no cdp enable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list FOR_NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip access-list extended FOR_NAT
permit ip 192.168.33.0 0.0.0.255 any
ip access-list extended KILL-TFTP
deny udp any eq tftp any
permit ip any any
access-list 150 permit ip any any
access-list 150 remark TEMP
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
end
Thanks a lot!

Try to do disable inspection of protocol-violation for sip, using this config:
class-map type inspect sip SIP_VIOLATION_CLASS
match protocol-violation
policy-map type inspect sip SIP_VIOLATION_POLICY
class type inspect sip SIP_VIOLATION_CLASS
allow
policy-map type inspect pmap-in-out
class type inspect cmap-in-out-base
inspect
service-policy sip SIP_VIOLATION_POLICY

ZBFW - dmz-zone to in-zone access

Hi IOSers,
I have a Cisco 2901 which terminates a Class C address pool.
I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS
in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server
private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone
My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.
However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...
Can anyone please advise...
Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
I think I am making a basically incorrect assumption somewhere ...
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
Thank for any expertise you can bring to help resolve this.
Regards,
Zebity.

Hi Karthikeyan,
thank you for offering to look at this, I do all my configuration using CCP, which is a lot easier than pawing over IOS commands.
I have dumped out the config, but as it is hard to pull out the partiular part of the config, so find following screen snap & config:
The areas where I think there are problems are with "self" zone items (can I get rid of self zone case completely, with exception of blocking any external (DSL) access to self?)
and the dmz-zone to in-zone and in-zone to dmz-zone configs.
Building configuration...
Current configuration : 32292 bytes
! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin
! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname big
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
no aaa new-model
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 168.192.200.1 168.192.200.99
ip dhcp excluded-address 168.192.200.126 168.192.200.254
ip dhcp excluded-address 200.200.200.1 200.200.200.79
ip dhcp excluded-address 200.200.200.91 200.200.200.126
ip dhcp pool PRIVATE-POOL-1
   import all
   network 168.192.200.0 255.255.255.0
   domain-name in.froghop.com
   dns-server 200.200.200.20 200.200.200.4
   default-router 168.192.200.1
ip dhcp pool FROGHOP-POOL-2
   import all
   network 200.200.200.0 255.255.255.128
   domain-name froghop.com
   dns-server 200.200.200.20 200.200.200.4
   default-router 200.200.200.1
no ip bootp server
ip domain name froghop.com
ip name-server 200.200.200.4
ip name-server 200.200.200.20
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM sip
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM netshow
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
appfw policy-name CCP_MEDIUM
application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2085601892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2085601892
revocation-check none
crypto pki certificate chain TP-self-signed-2085601892
certificate self-signed 01
XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX
4F5E79FE 8C76B0EC BC5DD668 69BE1A
            quit
license udi pid CISCO2901/K9 sn FTXXXXXXXXXX
hw-module pvdm 0/0
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
redundancy
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-any OPEN-TRAFFIC-OUT-190
match access-group name OPEN-TRAFFIC-OUT-190
class-map type inspect match-any SMTPS-TRAFFIC-IN
match access-group name SMTPS-IN
class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol tcp
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT
match access-group name NAT-POOL-TRAFFIC-OUT
match protocol udp
class-map type inspect match-all SELF-DNS-OUT
match access-group name SELF-DNS-OUT
match protocol dns
class-map type inspect match-any SMTP-PROTOCOL
match protocol smtp
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1
match class-map SMTP-PROTOCOL
match access-group name DMZ-MAIL-OUT
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SIP-PROTOCOLS
match protocol sip
match protocol sip-tls
class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2
match class-map SIP-PROTOCOLS
match access-group name DMS-SIP-TRAFFIC
class-map type inspect match-any OPEN-TRAFFIC-OUT-140
match access-group name OPEN-TRAFFIC-OUT-140
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any OPENDIR-PROTOCOLS
match protocol kerberos
match protocol ldap
match protocol ldaps
match protocol ldap-admin
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
match service text-chat
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any SYSLOG-PROTOCOL
match protocol syslog
class-map type inspect match-any ICMP-PROTOCOLS
match protocol icmp
class-map type inspect match-all SELF-ICMP
match access-group name SELF-ICMP-TRAFFIC
match class-map ICMP-PROTOCOLS
class-map type inspect match-any DMZ-DNS
match protocol dns
class-map type inspect match-all OPENDIR-OUT
match class-map OPENDIR-PROTOCOLS
match access-group name OPENDIR-TRAFFIC
class-map type inspect match-all SMTPS-TRAFFIC
match class-map SMTPS-TRAFFIC-IN
match protocol tcp
class-map type inspect match-any TRUSTED-HOSTS
match access-group name TRUSTED-HOSTS
match protocol udp
match protocol tcp
match protocol icmp
class-map type inspect match-any TRANSPORT-PROTOCOLS
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map type inspect match-any WEB-PROTOCOLS
match protocol http
match protocol https
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map type inspect match-any SELF-DNS-IN
match access-group name SELF-DNS-IN
match protocol dns
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any OPEN-TRAFFIC-IN-140
match access-group name OPEN-TRAFFIC-IN-140
class-map type inspect match-all SYSLOG-IN-DMZ
match access-group name SYSLOG-TRAFFIC
match class-map SYSLOG-PROTOCOL
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
match service any
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map SMTP-PROTOCOL
match access-group name SMTP-TRAFFIC
class-map type inspect match-any DNS-PROTOCOL
match protocol dns
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map ICMP-PROTOCOLS
match access-group name IN-ZONE-ICMP
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ACCESS-PROTOCOLS
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
match class-map ACCESS-PROTOCOLS
match access-group name DMZ-ZONE-TRAFFIC
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all PUSH-NOTIFICATIONS
match access-group name PUSH-NOTIFICATIONS
match protocol tcp
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all DEST-DNS
match access-group name DEST-DNS
match class-map DNS-PROTOCOL
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SYSLOG-PROTOCOL
match access-group name DMZ-SYSLOG
class-map type inspect match-any FTP-PROTOCOL
match protocol ftp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map ICMP-PROTOCOLS
match access-group name DMZ-ICMP
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3
match class-map WEB-PROTOCOLS
match access-group name DMZ-WEB
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4
match class-map SIP-PROTOCOLS
match access-group name DMZ-SIP
class-map type inspect match-any TIME-PROTOCOLS
match protocol ntp
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5
match class-map DMZ-DNS
match access-group name DMZ-DNS-TRAFFIC
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6
match class-map ACCESS-PROTOCOLS
match access-group name IN-ZONE-TRAFFIC
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect POLICY-PRIVATE-TRANSIT
class type inspect ACCESS-PROTOCOLS
pass log
class class-default
drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect POLICY-IN-SELF
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-SELF-IN
class type inspect OPEN-TRAFFIC-OUT-190
pass
class type inspect ccp-icmp-access
inspect
class class-default
drop
policy-map type inspect POLICY-DMZ-OUT
class type inspect TIME-PROTOCOLS
inspect
class type inspect WEB-PROTOCOLS
inspect
class type inspect FTP-PROTOCOL
inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-2
inspect
class type inspect ccp-cls-POLICY-DMZ-OUT-1
inspect
class type inspect PUSH-NOTIFICATIONS
inspect
class type inspect DEST-DNS
inspect
class class-default
drop log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
allow
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ICMP-PROTOCOLS
inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop log
policy-map type inspect POLICY-PRIVATE-IN-DMZ
class type inspect TRANSPORT-PROTOCOLS
inspect
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-IN-OUT
class type inspect OPEN-TRAFFIC-OUT-140
pass log
class type inspect WEB-PROTOCOLS
inspect
class type inspect OPENDIR-OUT
inspect
class type inspect DEST-DNS
inspect
class type inspect PUSH-NOTIFICATIONS
inspect
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect POLICY-DMZ-SELF
class type inspect ICMP-PROTOCOLS
inspect
class type inspect TRANSPORT-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-SELF-OUT
class type inspect SELF-DNS-OUT
pass
class type inspect TIME-PROTOCOLS
pass
class type inspect NAT-POOL-UDP-TRAFFIC-OUT
inspect
class type inspect NAT-POOL-TCP-TRAFFIC-OUT
inspect
class class-default
drop log
policy-map type inspect POLICY-OUT-SELF
class type inspect SELF-DNS-IN
pass
class type inspect TIME-PROTOCOLS
pass
class type inspect SELF-ICMP
inspect
class class-default
drop log
policy-map type inspect POLICY-IN-DMZ
class type inspect SYSLOG-IN-DMZ
pass
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect POLICY-DMZ-IN
class type inspect TRANSPORT-PROTOCOLS
inspect
class type inspect ICMP-PROTOCOLS
inspect
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-4
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-cls-ccp-permit-dmzservice-3
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-5
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop log
policy-map type inspect ccp-pol-outToIn
class type inspect OPEN-TRAFFIC-IN-140
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
inspect
class type inspect ccp-cls-ccp-pol-outToIn-2
inspect
class type inspect SMTPS-TRAFFIC
inspect
class type inspect SMTPS-TRAFFIC-IN
pass log
class class-default
drop log
policy-map sdmappfwp2p_CCP_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security PRIVATE-ZONE
zone security PRIVATE-IN
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect POLICY-IN-OUT
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
service-policy type inspect POLICY-DMZ-IN
zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone
service-policy type inspect POLICY-DMZ-OUT
zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone
service-policy type inspect POLICY-IN-DMZ
zone-pair security ZP-OUT-SELF source out-zone destination self
service-policy type inspect POLICY-OUT-SELF
zone-pair security ZP-SELF-OUT source self destination out-zone
service-policy type inspect POLICY-SELF-OUT
zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone
service-policy type inspect POLICY-PRIVATE-IN-DMZ
zone-pair security ZP-IN-SELF source in-zone destination self
service-policy type inspect POLICY-IN-SELF
zone-pair security ZP-SELF-IN source self destination in-zone
service-policy type inspect POLICY-SELF-IN
zone-pair security ZP-DMZ-SELF source dmz-zone destination self
service-policy type inspect POLICY-DMZ-SELF
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
interface Loopback0
ip address 200.200.200.190 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 200.200.200.130 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 168.192.200.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.160 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
no mop enabled
interface FastEthernet0/2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
interface ATM0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/3/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/3
interface Virtual-Template1 type serial
description $FW_INSIDE$
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan1
description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$
ip address 200.200.200.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
description $FW_OUTSIDE$
ip address 210.210.210.154 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username [email protected] password 7 XXXXXXXXXXXX
service-policy input sdmappfwp2p_CCP_MEDIUM
service-policy output sdmappfwp2p_CCP_MEDIUM
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 500
ip dns server
ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
ip route 0.0.0.0 0.0.0.0 210.210.210.1
ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent
ip route 200.200.200.0 255.255.255.128 Vlan1 permanent
ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent
ip route 200.200.200.160 255.255.255.224 Loopback0 permanent
ip access-list extended DEST-DNS
remark CCP_ACL Category=1
permit udp any any eq domain
ip access-list extended DMS-SIP-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.30 any
permit ip host 200.200.200.40 any
ip access-list extended DMZ-DNS-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
ip access-list extended DMZ-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended DMZ-MAIL-OUT
remark CCP_ACL Category=128
permit ip any host 230.211.70.60
permit ip any host 230.250.90.137
ip access-list extended DMZ-SIP
remark CCP_ACL Category=128
permit ip any host 200.200.200.40
permit ip any host 200.200.200.30
ip access-list extended DMZ-SYSLOG
remark CCP_ACL Category=128
permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32
ip access-list extended DMZ-WEB
remark CCP_ACL Category=128
permit ip any host 200.200.200.35
permit ip any host 200.200.200.20
ip access-list extended DMZ-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip 200.200.200.0 0.0.0.128 any
ip access-list extended ESP-TRAFFIC
remark CCP_ACL Category=1
permit esp any any
ip access-list extended IN-ZONE-ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended IN-ZONE-TRAFFIC
remark CCP_ACL Category=128
permit ip host 200.200.200.140 any
ip access-list extended NAT-POOL-TRAFFIC-IN
remark CCP_ACL Category=128
permit ip any 0.0.0.0 255.255.255.224
ip access-list extended NAT-POOL-TRAFFIC-OUT
remark CCP_ACL Category=128
permit ip 0.0.0.30 255.255.255.224 any
ip access-list extended OPEN-TRAFFIC-IN-140
remark CCP_ACL Category=1
permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp
permit esp host 230.211.70.60 host 200.200.200.140
permit ip host 230.211.70.10 host 200.200.200.140
permit tcp host 230.211.70.35 host 200.200.200.140
deny   ip host 230.211.70.60 host 200.200.200.140
ip access-list extended OPEN-TRAFFIC-OUT-140
remark CCP_ACL Category=1
permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp
permit esp host 200.200.200.140 host 230.211.70.60
permit ip host 200.200.200.140 host 230.211.70.10
permit tcp host 200.200.200.140 host 230.211.70.35
deny   ip host 200.200.200.140 host 230.211.70.60
ip access-list extended OPENDIR-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 230.211.70.10
ip access-list extended PUSH-NOTIFICATIONS
remark CCP_ACL Category=1
permit tcp any any eq 5223
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SELF-DNS-IN
remark CCP_ACL Category=1
permit udp any eq domain any
ip access-list extended SELF-DNS-OUT
remark CCP_ACL Category=128
permit ip any host 200.200.200.20
permit ip any host 200.200.200.4
ip access-list extended SELF-ICMP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.190
ip access-list extended SMTP-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.140
ip access-list extended SMTPS-IN
remark CCP_ACL Category=1
permit tcp any any eq 465
permit tcp any any eq 587
ip access-list extended SMTPS-OUT
remark CCP_ACL Category=1
permit tcp any eq 465 any
permit tcp any eq 587 any
ip access-list extended SYSLOG-TRAFFIC
remark CCP_ACL Category=128
permit ip any host 200.200.200.32
ip access-list extended TRUSTED-HOSTS
remark CCP_ACL Category=128
permit ip host 230.211.70.35 any
permit ip host 230.211.70.60 any
logging 200.200.200.32
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 168.192.200.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 210.210.210.0 0.0.0.255 any
access-list 100 permit ip 200.200.200.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 168.192.200.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
control-plane
banner login ^CThis device is propoerty of FROGHOP and all activity is logged.^C
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.189.54.17
ntp server 192.189.54.33
ntp server 203.161.12.165
ntp server 130.102.2.123
end
Thanks in advance for any tips.
Regards,
John.

Access Edge or A/V edge for Skype

Dear Expert,
I received question from this customer and partner.
In TechNet told us about open port from Access Edge instead A/V edge when using Audio/Video with Skype, Is it correct? They are wondering, please help to explain.
http://technet.microsoft.com/en-us/library/jj618376.aspx
Role/Protocol/TCP or UDP/Port
Source IP address
Destination IP address
Notes
Access/SIP(MTLS)/TCP/5061
Public IM connectivity partners
Edge Server Access interface
For federated and public IM connectivity that use SIP.
Access/SIP(MTLS)/TCP/5061
Edge Server Access interface
Public IM connectivity partners
For federated and public IM connectivity that use SIP.
Access/SIP(TLS)/TCP/443
Clients
Edge Server Access interface
Client-to-server SIP traffic for external user access.
A/V/RTP/TCP/50,000-59,999
Edge Server Access interface
Live Messenger clients
Used for A/V sessions with Windows Live Messenger if public IM connectivity is configured.
A/V/STUN,MSTURN/UDP/3478
Edge Server Access interface
Live Messenger clients
Required for public IM connectivity with Windows Live Messenger.
A/V/STUN,MSTURN/UDP/3478
Live Messenger clients
Edge Server Access interface
Required for public IM connectivity with Windows Live Messenger.

I feel that that's a typo. It doesn't agree with other Lync 2013 TechNet documents such as
http://technet.microsoft.com/en-us/library/gg425891.aspxwhich specify these ports should be opened to/from the Edge Server A/V Edge service interface.
Alternatively, inbound UDP/3478 should be destined to the A/V edge. You can see in the first column, that they correctly identify the A/V role, but the typo is in the IP address that it should be sent to. Someone got excited with cut and paste.
I believe you're right to question it.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications

Skype Federation shows garbled characters in one direction

I have implemented PIC from my Lync 2013 Server via an Edge Server to Skype.
Unfortunately connectivity works only in one direction:
Sending IMs from Skype to Lync works fine.
No matter what I enter everything sent from Lync to Skype arrives as þÿ (Which is a Unicode Byte Order Mark as in
http://en.wikipedia.org/wiki/Byte_order_mark)
Any ideas?
Thank you for your help
tom

Hi,
From your description above, it may be the issue of Edge ports. So please double check the ports on your Edge Server:
Role/Protocol/TCP or UDP/Port
Source IP address
Destination IP address
Access/SIP(MTLS)/TCP/5061
Public IM connectivity partners
Edge Server Access interface
Access/SIP(MTLS)/TCP/5061
Edge Server Access interface
Public IM connectivity partners
Access/SIP(TLS)/TCP/443
Clients
Edge Server Access interface
A/V/RTP/TCP/50,000-59,999
Edge Server Access interface
Live Messenger clients
A/V/STUN,MSTURN/UDP/3478
Edge Server Access interface
Live Messenger clients
A/V/STUN,MSTURN/UDP/3478
Live Messenger clients
Edge Server Access interface
More details:
http://technet.microsoft.com/enus/library/jj618373.aspx
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support

H323 and NAT issue

Hello all,
I have a router 1812 Version 12.4(15)T16, RELEASE SOFTWARE (fc2). Router is doing NAT.
I have a lifesize videoconference system. Calls with h323 are dropped after 30 seconds.
I have ip inspect rule :
- ip inspect name SDM_LOW h323
- ip inspect name SDM_LOW h323callsigalt
interface FastEthernet0
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
When I start a communication, I have
sh ip inspect sessions
Session 85AE7150 (50.59.87.241:60118)=>(192.168.200.200:60016) h323-RTP-audio SIS_OPEN
Session 85AE12C0 (50.59.87.241:60119)=>(192.168.200.200:60017) h323-RTCP-audio SIS_OPEN
Session 85AE39B0 (192.168.200.200:60001)=>(50.59.87.241:62830) h245-media-control SIS_OPEN
Session 841F7CEC (192.168.200.200:60005)=>(50.59.87.241:1720) h323 SIS_OPEN
Session 85AE20A8 (50.59.87.241:60120)=>(192.168.200.200:60018) h323-RTP-video SIS_OPENING
Session 85ADE0B0 (50.59.87.241:60121)=>(192.168.200.200:60019) h323-RTCP-video SIS_OPENING
Session 85AE4D28 (50.59.87.241:60122)=>(192.168.200.200:60020) h323-RTP-data SIS_OPENING
Session 85ADCD38 (50.59.87.241:60123)=>(192.168.200.200:60021) h323-RTCP-data SIS_OPENING
Pre-gen session 85ADA648 192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Pre-gen session 85AD92D0 192.168.200.200[1024:65535]=>50.59.87.241[60121:60121] h323-RTCP-video
Pre-gen session 85ADB6F8 192.168.200.200[1024:65535]=>50.59.87.241[60123:60123] h323-RTCP-data
Pre-gen session 85AD9008 192.168.200.200[1024:65535]=>50.59.87.241[60118:60118] h323-RTP-audio
Pre-gen session 85AE5848 192.168.200.200[1024:65535]=>50.59.87.241[60119:60119] h323-RTCP-audio
Where 192.168.200.200 is local IP and 50.59.87.241 the server I try to reach.
Any idea of what is going on ? Why calls are dropped after 30 seconds ?
Something with NAT ?

Hi Alessandro,
configuration below :
ip inspect tcp reassembly queue length 200
ip inspect tcp reassembly timeout 10
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW http
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW h323callsigalt
ip inspect name SDM_LOW skinny
ip inspect name SDM_LOW sip-tls
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW esmtp max-data 50000000
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW streamworks
WAN_INTERFACE = xxx.xxx.xxx
interface FastEthernet0
ip address WAN_INTERFACE.226 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
Inbound ACL
access-list 102 remark SDM_ACL Category=3
access-list 102 permit tcp any host WAN_INTERFACE.228 eq www log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 443 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 558 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1023 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1024 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1503 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1718 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1719 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 1720 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 4001 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 11720 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 17518 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60000 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60001 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60002 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60003 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60004 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 60005 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60000 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1023 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1024 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1718 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1719 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 1720 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 5060 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 17518 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60001 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60002 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60003 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60004 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60005 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60006 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60007 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60008 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60009 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60010 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60011 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60012 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60013 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60014 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60015 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60016 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60017 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60018 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60019 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60020 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60021 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60022 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60023 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60024 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 60025 log
access-list 102 permit udp any host WAN_INTERFACE.228 eq 3389 log
access-list 102 permit tcp any host WAN_INTERFACE.228 eq 3389 log
[ Some ipsec rubles]
access-list 102 permit tcp any host WAN_INTERFACE.230 eq 22
access-list 102 permit tcp any host WAN_INTERFACE.230 eq www
access-list 102 permit tcp any host WAN_INTERFACE.227 eq smtp
access-list 102 permit udp any host WAN_INTERFACE.227 eq 80
access-list 102 permit tcp any host WAN_INTERFACE.227 eq www
access-list 102 permit tcp any host WAN_INTERFACE.227 eq ftp
access-list 102 permit tcp any host WAN_INTERFACE.226 eq 1723
access-list 102 permit tcp any host WAN_INTERFACE.226 eq 47
ip nat inside source static udp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_32 extendable
ip nat inside source static tcp LAN_INTERFACE 80 WAN_INTERFACE.228 80 route-map SDM_RMAP_15 extendable
ip nat inside source static tcp LAN_INTERFACE 443 WAN_INTERFACE.228 443 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp LAN_INTERFACE 558 WAN_INTERFACE.228 558 route-map SDM_RMAP_47 extendable
ip nat inside source static tcp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_77 extendable
ip nat inside source static udp LAN_INTERFACE 1023 WAN_INTERFACE.228 1023 route-map SDM_RMAP_78 extendable
ip nat inside source static tcp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_73 extendable
ip nat inside source static udp LAN_INTERFACE 1024 WAN_INTERFACE.228 1024 route-map SDM_RMAP_74 extendable
ip nat inside source static tcp LAN_INTERFACE 1503 WAN_INTERFACE.228 1503 route-map SDM_RMAP_75 extendable
ip nat inside source static tcp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_86 extendable
ip nat inside source static udp LAN_INTERFACE 1718 WAN_INTERFACE.228 1718 route-map SDM_RMAP_87 extendable
ip nat inside source static tcp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_42 extendable
ip nat inside source static udp LAN_INTERFACE 1719 WAN_INTERFACE.228 1719 route-map SDM_RMAP_43 extendable
ip nat inside source static tcp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_28 extendable
ip nat inside source static udp LAN_INTERFACE 1720 WAN_INTERFACE.228 1720 route-map SDM_RMAP_44 extendable
ip nat inside source static tcp LAN_INTERFACE 4001 WAN_INTERFACE.228 4001 route-map SDM_RMAP_72 extendable
ip nat inside source static udp LAN_INTERFACE 5060 WAN_INTERFACE.228 5060 route-map SDM_RMAP_29 extendable
ip nat inside source static tcp LAN_INTERFACE 11720 WAN_INTERFACE.228 11720 route-map SDM_RMAP_71 extendable
ip nat inside source static tcp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_45 extendable
ip nat inside source static udp LAN_INTERFACE 17518 WAN_INTERFACE.228 17518 route-map SDM_RMAP_46 extendable
ip nat inside source static tcp LAN_INTERFACE 60000 WAN_INTERFACE.228 60000 route-map SDM_RMAP_30 extendable
ip nat inside source static tcp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_31 extendable
ip nat inside source static udp LAN_INTERFACE 60001 WAN_INTERFACE.228 60001 route-map SDM_RMAP_33 extendable
ip nat inside source static tcp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_66 extendable
ip nat inside source static udp LAN_INTERFACE 60002 WAN_INTERFACE.228 60002 route-map SDM_RMAP_34 extendable
ip nat inside source static tcp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_67 extendable
ip nat inside source static udp LAN_INTERFACE 60003 WAN_INTERFACE.228 60003 route-map SDM_RMAP_35 extendable
ip nat inside source static tcp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_68 extendable
ip nat inside source static udp LAN_INTERFACE 60004 WAN_INTERFACE.228 60004 route-map SDM_RMAP_36 extendable
ip nat inside source static tcp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_69 extendable
ip nat inside source static udp LAN_INTERFACE 60005 WAN_INTERFACE.228 60005 route-map SDM_RMAP_37 extendable
ip nat inside source static udp LAN_INTERFACE 60006 WAN_INTERFACE.228 60006 route-map SDM_RMAP_38 extendable
ip nat inside source static udp LAN_INTERFACE 60007 WAN_INTERFACE.228 60007 route-map SDM_RMAP_39 extendable
ip nat inside source static udp LAN_INTERFACE 60008 WAN_INTERFACE.228 60008 route-map SDM_RMAP_48 extendable
ip nat inside source static udp LAN_INTERFACE 60009 WAN_INTERFACE.228 60009 route-map SDM_RMAP_49 extendable
ip nat inside source static udp LAN_INTERFACE 60010 WAN_INTERFACE.228 60010 route-map SDM_RMAP_50 extendable
ip nat inside source static udp LAN_INTERFACE 60011 WAN_INTERFACE.228 60011 route-map SDM_RMAP_51 extendable
ip nat inside source static udp LAN_INTERFACE 60012 WAN_INTERFACE.228 60012 route-map SDM_RMAP_52 extendable
ip nat inside source static udp LAN_INTERFACE 60013 WAN_INTERFACE.228 60013 route-map SDM_RMAP_53 extendable
ip nat inside source static udp LAN_INTERFACE 60014 WAN_INTERFACE.228 60014 route-map SDM_RMAP_54 extendable
ip nat inside source static udp LAN_INTERFACE 60015 WAN_INTERFACE.228 60015 route-map SDM_RMAP_55 extendable
ip nat inside source static udp LAN_INTERFACE 60016 WAN_INTERFACE.228 60016 route-map SDM_RMAP_56 extendable
ip nat inside source static udp LAN_INTERFACE 60017 WAN_INTERFACE.228 60017 route-map SDM_RMAP_57 extendable
ip nat inside source static udp LAN_INTERFACE 60018 WAN_INTERFACE.228 60018 route-map SDM_RMAP_58 extendable
ip nat inside source static udp LAN_INTERFACE 60019 WAN_INTERFACE.228 60019 route-map SDM_RMAP_59 extendable
ip nat inside source static udp LAN_INTERFACE 60020 WAN_INTERFACE.228 60020 route-map SDM_RMAP_60 extendable
ip nat inside source static udp LAN_INTERFACE 60021 WAN_INTERFACE.228 60021 route-map SDM_RMAP_61 extendable
ip nat inside source static udp LAN_INTERFACE 60022 WAN_INTERFACE.228 60022 route-map SDM_RMAP_62 extendable
ip nat inside source static udp LAN_INTERFACE 60023 WAN_INTERFACE.228 60023 route-map SDM_RMAP_63 extendable
ip nat inside source static udp LAN_INTERFACE 60024 WAN_INTERFACE.228 60024 route-map SDM_RMAP_64 extendable
ip nat inside source static udp LAN_INTERFACE 60025 WAN_INTERFACE.228 60025 route-map SDM_RMAP_65 extendable
ip nat inside source static LAN_INTERFACE WAN_INTERFACE.228 route-map SDM_RMAP_76
All SMD_RMAP are like this one below
route-map SDM_RMAP_32 permit 1
match ip address 141
access-list 141 remark SDM_ACL Category=2
access-list 141 deny ip host LAN_INTERFACE 10.0.5.0 0.0.0.31
access-list 141 deny ip host LAN_INTERFACE 10.0.5.40 0.0.0.1
access-list 141 permit udp host LAN_INTERFACE eq 60000 any

PPTP out & in, Cisco 881

Hello,
I've searched a few forums and tried to use some of suggestions (and that's why the config is so big and probably messed up ;-)
The network is very simple: (Computers behind NAT + Windows 2008 Server with PPTP -> Cisco 881 -> DSL) and (near) everything works perfectly.
It is not posible to connect from outside to W2008 PPTP (stops at "connecting..."), what is even more interesting you can not connect from inside to any of PPTP servers located on the Internet (this stops at "veryfying user name & password")
Please check the configuration, and thanks in advance!
Greetings,
Adrian
config
ip dhcp excluded-address 192.168.100.1 192.168.100.29
ip dhcp excluded-address 192.168.100.100 192.168.100.254
ip dhcp pool Logmar
    import all
    network 192.168.100.0 255.255.255.0
    dns-server 194.204.159.1 192.204.152.34
    default-router 192.168.100.1
ip cef
no ip bootp server
ip domain name logmar
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip port-map user-rserial port tcp 33600 list 3 description rserial
ip inspect tcp reassembly queue length 1024
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any VOIP
match protocol sip-tls
match protocol sip
match protocol pptp
match class-map SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any pptp
match protocol pptp
match class-map SDM_GRE
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
match class-map VOIP
match access-group name VOIP
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any pptp-traffic
match access-group name pptp
match access-group name SDM_GRE
match access-group name pptp-out
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
   inspect
class class-default
   pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
   log
   allow
class type inspect edonkey ccp-app-edonkeydownload
   log
   allow
class type inspect fasttrack ccp-app-fasttrack
   log
   allow
class type inspect gnutella ccp-app-gnutella
   log
   allow
class type inspect kazaa2 ccp-app-kazaa2
   log
   allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
   log
   allow
class type inspect msnmsgr ccp-app-msn
   log
   allow
class type inspect ymsgr ccp-app-yahoo
   log
   allow
class type inspect aol ccp-app-aol-otherservices
   log
   reset
class type inspect msnmsgr ccp-app-msn-otherservices
   log
   reset
class type inspect ymsgr ccp-app-yahoo-otherservices
   log
   reset
policy-map global-policy
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
   log
   allow
class type inspect http ccp-app-httpmethods
   log
   allow
class type inspect http ccp-http-allowparam
   log
   allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
   log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
   log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
   drop log
class type inspect ccp-protocol-http
   inspect
   service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
   inspect
   service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
   inspect
   service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
   inspect
   service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
   inspect
   service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
   inspect
class type inspect CCP-Voice-permit
   inspect
class type inspect pptp-traffic
   pass
class type inspect SDM_GRE
   pass
class class-default
   pass
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
   pass
class type inspect pptp-traffic
   pass
class class-default
   drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
   pass
class type inspect pptp-traffic
   pass
class class-default
   drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
   pass
class type inspect pptp-traffic
   pass
class class-default
   drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 4 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip nat inside source list pptp-out interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended VOIP
remark CCP_ACL Category=128
permit ip any host 192.168.100.100
ip access-list extended pptp
remark CCP_ACL Category=1
permit gre any any
permit tcp any host 192.168.100.100 eq 1723
permit ip any host 192.168.100.100
ip access-list extended pptp-out
remark CCP_ACL Category=2
permit tcp any any eq 1723
permit gre any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 3 remark CCP_ACL Category=1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=0
no cdp run

I've deleted all (well at least part concerning PPTP access ;-) configuration and written it from scratch...
Heh, I do not understand WHY configuring Cisco is such a pain while doing same thing in ALL other routers is easier, far more predictable, and not at all less secure
Below is ACL & policy-map-related part of my config - hope this helps.
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any cpp-cls-inside
match protocol pptp
match class-map SDM_GRE
match access-group name SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
match protocol skinny
match protocol sip
match protocol sip-tls
match access-group name SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map global-policy
policy-map type inspect ccp-inspect
class type inspect SDM_GRE
pass
class type inspect ccp-invalid-src
drop log
class type inspect ccp-insp-traffic
inspect
class class-default
pass
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inside
class type inspect SDM_GRE
pass
class type inspect cpp-cls-inside
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security cp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-inside
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
logging trap debugging
logging 192.168.100.100
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit any
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
no cdp run

5520 to 5525 all access rules being ignored.

I copied my config from my old 5520 to our new 5525 and when I cut over to it from the inside out I could get to the internet no problem but from the outside in none of our access rules were working. Could someone take a look at our config and maybe inlighten me on the problem please. Thanks,
http://www.ebay.com/itm/290951611556?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649
: Saved
: Written by admin at 02:33:30.875 EDT Mon Sep 30 2013
ASA Version 8.6(1)2
hostname ColASA01-HA
domain-name corp.COMPANY.com
names
name 172.22.5.133 ColBarracuda description Colo Barracuda Internal
name 74.XXX.XXX.133 ColBarracuda- description Colo Barracuda External
name 74.XXX.XXX.132 ColVPN- description Colo VPN External
name 172.22.5.138 ww2 description ww2 Internal
name 74.XXX.XXX.138 ww2- description ww2 External
name 172.22.5.139 www1 description www1 Internal
name 74.XXX.XXX.139 www1- description www1 External
name 172.22.5.140 www1-COMPANY.co.uk description www1 COMPANY.co.uk Internal
name 172.22.5.143 ColSysAid description ColSysAid Internal
name 74.XXX.XXX.143 ColSysAid- description ColSysAid External
name 172.22.5.141 Colww3 description Colww3 Internal
name 74.XXX.XXX.141 Colww3- description Colww3 External
name 10.1.1.100 Facts description Facts Internal
name 74.XXX.XXX.135 Facts- description Facts External
name 74.XXX.XXX.144 ftp.boundree.co.uk- description ftp.COMPANY.co.uk External
name 172.22.5.144 ftp.COMPANY.co.uk description ftp.COMPANY.co.uk Internal
name 10.101.0.24 Dubmss01 description Voicemail Server - Internal
name 74.XXX.XXX.145 Dubmss01- description Voicemail Sever - External
name 172.22.5.146 ColBI01 description ColBI01 Internal
name 74.XXX.XXX.146 ColBI01- description ColBI01 External
name 172.22.5.147 ColMOSS01 description ColMOSS01 Internal
name 74.XXX.XXX.147 ColMOSS01- description ColMOSS01 External
name 172.22.5.149 ambutrak description AmbuTRAK Internal
name 74.XXX.XXX.149 ambutrak- description AmbuTRAK External
name 172.22.5.136 NSTrax description NSTrax Internal
name 74.XXX.XXX.136 NSTrax- description NSTrax External
name 172.22.5.150 btmu description BTMU Internal
name 74.XXX.XXX.150 btmu- description BTMU External
name 172.22.5.155 w2k-isoft description w2k-isoft Internal
name 74.XXX.XXX.155 w2k-isoft- description w2k-isoft External
name 172.22.5.142 Colexch01 description Colexch01 Internal
name 172.22.5.151 Coltixdb description Coltxdb Internal
name 74.XXX.XXX.151 Coltixdb- description Coltixdb External
name 172.22.5.156 colexcas description colexcas Internal
name 74.XXX.XXX.156 colexcas- description colexcas External
name 172.22.3.74 colexcas01 description colexcas01 Internal
name 172.22.3.75 colexcas02 description colexcas02 Internal
name 172.22.5.157 ColFTP01 description ColFTP01 Internal
name 74.XXX.XXX.157 ColFTP01- description ColFTP01 External
name 172.22.5.158 www.COMPANY.com description www.COMPANY.com Internal
name 74.XXX.XXX.158 www.COMPANY.com- description www.COMPANY.com External
name 172.22.5.159 act.COMPANY.com description COMPANY ACT Internal - colww4
name 74.XXX.XXX.159 act.COMPANY.com- description COMPANY ACT External
name 172.22.3.93 test.COMPANY.com description test.COMPANY.com Internal
name 172.22.5.161 ColdevAS2 description ColdevAS2 Internal
name 74.XXX.XXX.160 Rewards.COMPANY.com- description COMPANY Rewards External
name 74.XXX.XXX.153 as2.COMPANY.com- description as2.COMPANY.com External
name 74.XXX.XXX.161 as2test.COMPANY.com- description as2test.COMPANY.com External
name 172.22.5.153 colas2 description colas2 Internal
name 172.22.5.160 colww5 description colww5 Internal
name 172.22.3.91 colexcas01NLB description colexcas01 NLB Interface
name 172.22.3.92 colexcas02NLB description colexcas02 NLB Interface
name 172.22.3.100 ColVPN description Colo VPN Internal
name 172.22.5.134 intra.COMPANY.com description on NewPortal
name 74.XXX.XXX.134 intra.COMPANY.com- description It's on NewPortal
name 10.1.0.80 asgard description asgard Internal
name 74.XXX.XXX.163 www.COMPANY.net- description www.COMPANY.net External
name 172.22.5.165 crmws.COMPANY.com description ColCrmRouter01 Internal
name 74.XXX.XXX.165 crmws.COMPANY.com- description ColCrmRouter01 External
name 10.1.5.137 dubngwt description Test Next Gen Web Farm Internal
name 74.XXX.XXX.137 dubngwt- description Test Next Gen Web Farm External
name 10.1.0.87 dubexcas description Dublin CAS NLB
name 10.1.0.85 dubexcas01 description Dublin CAS Server
name 10.1.0.86 dubexcas02 description Dublin CAS Server
name 74.XXX.XXX.166 collync01- description Lync Edge Server External
name 74.XXX.XXX.167 coltmg01- description TMG Server External
name 172.23.2.166 collync01 description Lync Edge Server DMZ
name 172.23.2.167 coltmg01 description TMG Server DMZ
name 172.22.5.168 COMPANYfed.com description COMPANYfed.com Internal
name 74.XXX.XXX.168 COMPANYfed.com- description COMPANYfed.com External
name 172.22.3.60 www1.COMPANY.com description www1.COMPANY.com Internal
name 74.XXX.XXX.169 www1.COMPANY.com- description www1.COMPANY.com External
name 172.22.3.63 www1.COMPANYfed.com description www1.COMPANYfed.com Internal
name 74.XXX.XXX.171 www1.COMPANYfed.com- description www1.COMPANYfed.com External
name 172.22.3.61 www2.COMPANY.com description www2.COMPANY.com Internal
name 74.XXX.XXX.170 www2.COMPANY.com- description www2.COMPANY.com External
name 172.22.3.64 www2.COMPANYfed.com description www2.COMPANYfed.com Internal
name 74.XXX.XXX.172 www2.COMPANYfed.com- description www2.COMPANYfed.com External
name 172.22.5.154 COMPANY.com description COMPANY.com Web Farm Production
name 74.XXX.XXX.154 COMPANY.com- description COMPANY.com Web Farm Outside
name 184.XXX.XXX.226 PMISonicWALL description PMI SonicWALL
name 10.10.0.0 PMI_SonicWALL-Subnet description PMI LAN
name 10.1.0.0 DublinData description Dublin Data Network
name 10.2.0.0 SouthavenData description Southaven Data Network
name 10.0.0.0 BrentwoodData description Brentwood Data Network
name 10.8.0.0 GilbertData description Gilbert Data Network
name 10.101.0.0 DublinVoIP description Dublin VoIP Network
name 10.110.0.0 PMI_SonicWALL-VOICSubnet
name 172.24.3.50 ColUT04-PCITrust
name 172.22.3.31 coldc01
name 172.22.3.4 coldc02
name 172.22.3.23 ColWSUS02 description Windows Update Server
name 74.XXX.XXX.175 monitor.COMPANY.com- description PRTG Network Monitor
name 172.22.3.150 ColPRTG01 description PRTG Monitor
dns-guard
interface GigabitEthernet0/0
description Connected to Internet via COLRTR01
speed 100
duplex full
shutdown
nameif outside
security-level 0
ip address 74.XXX.XXX.130 255.255.255.192 standby 74.XXX.XXX.176
ospf cost 10
interface GigabitEthernet0/1
description Connected to Colo LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 172.22.1.8 255.255.0.0 standby 172.22.1.50
ospf cost 10
authentication key eigrp 10 Fiyalt1 key-id 1
authentication mode eigrp 10 md5
interface GigabitEthernet0/2
nameif DMZ
security-level 10
ip address 172.23.2.1 255.255.255.0 standby 172.23.2.50
ospf cost 10
interface GigabitEthernet0/3
description Connected to COLSW01 port 9 - PCI Trust Area (no internet)
nameif Colo_PCI_Trust
security-level 100
ip address 172.24.3.1 255.255.255.0 standby ColUT04-PCITrust
ospf cost 10
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 10.1.200.20 255.255.0.0 standby 10.1.200.21
ospf cost 10
management-only
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.COMPANY.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.22.255.0
subnet 172.22.255.0 255.255.255.0
object network PMI_SonicWALL-Subnet
subnet 10.10.0.0 255.255.0.0
object network obj-172.24.3.0
subnet 172.24.3.0 255.255.255.0
object network ColWSUS02
host 172.22.3.23
object network ambutrak
host 172.22.5.149
object network ambutrak-
host 74.XXX.XXX.149
object network btmu
host 172.22.5.150
object network btmu-
host 74.XXX.XXX.150
object network ColBarracuda
host 172.22.5.133
object network ColBarracuda-
host 74.XXX.XXX.133
object network ColBI01
host 172.22.5.146
object network ColBI01-
host 74.XXX.XXX.146
object network colexcas
host 172.22.5.156
object network colexcas-
host 74.XXX.XXX.156
object network ColMOSS01
host 172.22.5.147
object network ColMOSS01-
host 74.XXX.XXX.147
object network COMPANY.com
host 172.22.5.154
object network COMPANY.com-
host 74.XXX.XXX.154
object network Coltixdb
host 172.22.5.151
object network Coltixdb-
host 74.XXX.XXX.151
object network Colww3
host 172.22.5.141
object network Colww3-
host 74.XXX.XXX.141
object network ColSysAid
host 172.22.5.143
object network ColSysAid-
host 74.XXX.XXX.143
object network ColVPN
host 172.22.3.100
object network ColVPN-
host 74.XXX.XXX.132
object network colas2
host 172.22.5.153
object network as2.COMPANY.com-
host 74.XXX.XXX.153
object network Dubmss01
host 10.101.0.24
object network Dubmss01-
host 74.XXX.XXX.145
object network Facts
host 10.1.1.100
object network Facts-
host 74.XXX.XXX.135
object network ftp.COMPANY.co.uk
host 172.22.5.144
object network ftp.boundree.co.uk-
host 74.XXX.XXX.144
object network NSTrax
host 172.22.5.136
object network NSTrax-
host 74.XXX.XXX.136
object network w2k-isoft
host 172.22.5.155
object network w2k-isoft-
host 74.XXX.XXX.155
object network www1
host 172.22.5.139
object network www1-
host 74.XXX.XXX.139
object network ww2
host 172.22.5.138
object network ww2-
host 74.XXX.XXX.138
object network ColFTP01
host 172.22.5.157
object network ColFTP01-
host 74.XXX.XXX.157
object network www.COMPANY.com
host 172.22.5.158
object network www.COMPANY.com-
host 74.XXX.XXX.158
object network act.COMPANY.com
host 172.22.5.159
object network act.COMPANY.com-
host 74.XXX.XXX.159
object network colww5
host 172.22.5.160
object network Rewards.COMPANY.com-
host 74.XXX.XXX.160
object network ColdevAS2
host 172.22.5.161
object network as2test.COMPANY.com-
host 74.XXX.XXX.161
object network intra.COMPANY.com
host 172.22.5.134
object network intra.COMPANY.com-
host 74.XXX.XXX.134
object network asgard
host 10.1.0.80
object network www.COMPANY.net-
host 74.XXX.XXX.163
object network crmws.COMPANY.com
host 172.22.5.165
object network crmws.COMPANY.com-
host 74.XXX.XXX.165
object network dubngwt
host 10.1.5.137
object network dubngwt-
host 74.XXX.XXX.137
object network COMPANYfed.com
host 172.22.5.168
object network COMPANYfed.com-
host 74.XXX.XXX.168
object network www1.COMPANYfed.com
host 172.22.3.63
object network www1.COMPANYfed.com-
host 74.XXX.XXX.171
object network www2.COMPANYfed.com
host 172.22.3.64
object network www2.COMPANYfed.com-
host 74.XXX.XXX.172
object network www1.COMPANY.com
host 172.22.3.60
object network www1.COMPANY.com-
host 74.XXX.XXX.169
object network www2.COMPANY.com
host 172.22.3.61
object network www2.COMPANY.com-
host 74.XXX.XXX.170
object network ColPRTG01
host 172.22.3.150
object network monitor.COMPANY.com-
host 74.XXX.XXX.175
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network collync01
host 172.23.2.166
object network collync01-
host 74.XXX.XXX.166
object network coltmg01
host 172.23.2.167
object network coltmg01-
host 74.XXX.XXX.167
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
object-group service Barracuda tcp
port-object eq 8000
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq ssh
group-object Barracuda
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service mySQL tcp
description mySQL Database
port-object eq 3306
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_10 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_11 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_12 tcp
port-object eq www
port-object eq https
object-group service as2 tcp
description as2
port-object eq 4080
port-object eq 5080
port-object eq https
port-object eq 6080
object-group network DM_INLINE_NETWORK_2
network-object host ColBarracuda
network-object host ww2
network-object host www1
network-object host colexcas01
network-object host colexcas02
network-object host colexcas
network-object host test.COMPANY.com
network-object host colexcas01NLB
network-object host colexcas02NLB
network-object host dubexcas01
network-object host dubexcas02
network-object host dubexcas
object-group service SQLServer tcp
description Microsoft SQL Server
port-object eq 1433
object-group service DM_INLINE_TCP_13 tcp
port-object eq www
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_14 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_15 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object host as2.COMPANY.com-
network-object host as2test.COMPANY.com-
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service rdp tcp
description Remote Desktop Protocol
port-object eq 3389
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_16 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_17 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service LyncEdge tcp-udp
description sip-tls, 443, 444, rtp 50000-59999, stun udp 3478
port-object eq 3478
port-object eq 443
port-object eq 444
port-object range 50000 59999
port-object eq 5061
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_18 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_19 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_20 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_21 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_22 tcp
port-object eq www
port-object eq https
object-group network PMIVPNNetworks
description VPN Networks to PMI
network-object BrentwoodData 255.255.0.0
network-object DublinData 255.255.0.0
network-object SouthavenData 255.255.0.0
network-object GilbertData 255.255.0.0
network-object 172.22.0.0 255.255.0.0
network-object DublinVoIP 255.255.0.0
object-group network PMI_SonicWALL-Subnets
network-object PMI_SonicWALL-Subnet 255.255.0.0
network-object PMI_SonicWALL-VOICSubnet 255.255.0.0
object-group network COLDCs
network-object host coldc01
network-object host coldc02
access-list inside_access_in remark Allow SMTP from certain servers.
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 any eq smtp
access-list inside_access_in remark No SMTP except from allowed servers
access-list inside_access_in extended deny tcp any any eq smtp log errors
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark For debugging (can enable logging)
access-list inside_access_in extended deny ip any any
access-list outside_access_in remark Allow Ping
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Allow VPN
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ColVPN-
access-list outside_access_in remark Allow SMTP, HTTP, and HTTPS to the Exchange CAS NLB Cluster
access-list outside_access_in extended permit tcp any object colexcas- object-group DM_INLINE_TCP_13
access-list outside_access_in remark Allow SMTP, SSH, and Web
access-list outside_access_in extended permit tcp any object ColBarracuda- object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow HTTP and HTTPS to AmbuTRAK
access-list outside_access_in extended permit tcp any object ambutrak- object-group DM_INLINE_TCP_10
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to ww2
access-list outside_access_in extended permit tcp any object ww2- object-group DM_INLINE_TCP_2
access-list outside_access_in remark Allow SMTP, HTTP and HTTPS to www1
access-list outside_access_in extended permit tcp any object www1- object-group DM_INLINE_TCP_3
access-list outside_access_in remark Allow portal.bouindtree.com to COLMOSS01
access-list outside_access_in extended permit tcp any object ColMOSS01- object-group DM_INLINE_TCP_9
access-list outside_access_in remark Allow HTTP and HTTPS to ems.COMPANY.com
access-list outside_access_in extended permit tcp any object Colww3- object-group DM_INLINE_TCP_5
access-list outside_access_in remark Allow HTTP and HTTPS to helpdesk.COMPANY.com
access-list outside_access_in extended permit tcp any object ColSysAid- object-group DM_INLINE_TCP_7
access-list outside_access_in remark Allow SSH to Facts
access-list outside_access_in extended permit tcp any object Facts- eq ssh inactive
access-list outside_access_in remark Allow mySQL to NSTrax for IQ
access-list outside_access_in extended permit tcp any object NSTrax- object-group mySQL inactive
access-list outside_access_in remark Allow FTP to ftp.COMPANY.co.uk
access-list outside_access_in extended permit tcp any object ftp.boundree.co.uk- eq ftp inactive
access-list outside_access_in remark Allow IMAP to the Voice Mail Server
access-list outside_access_in extended permit tcp any object Dubmss01- eq imap4
access-list outside_access_in remark Permit HTTPS to ColBI01 for https://reports.COMPANY.com
access-list outside_access_in extended permit tcp any object ColBI01- eq https inactive
access-list outside_access_in remark Allow FTP to btmu.COMPANY.com
access-list outside_access_in extended permit tcp any object btmu- eq ftp
access-list outside_access_in remark Allow HTTP and HTTPS to colngwt - the Test Next Gen Web Farm
access-list outside_access_in extended permit tcp any object dubngwt- object-group DM_INLINE_TCP_17 inactive
access-list outside_access_in remark Allow HTTP and HTTPS to COMPANYfed.com
access-list outside_access_in extended permit tcp any object COMPANYfed.com- object-group DM_INLINE_TCP_18
access-list outside_access_in remark Allow HTTP and HTTPS to colngwp - the Next Gen Web Farm
access-list outside_access_in extended permit tcp any object COMPANY.com- object-group DM_INLINE_TCP_11
access-list outside_access_in remark Allow HTTP and HTTPS to Colww5, which is one of our web servers.
access-list outside_access_in remark rewards.COMPANY.com is going live first on this web server.
access-list outside_access_in extended permit tcp any object Rewards.COMPANY.com- object-group DM_INLINE_TCP_12
access-list outside_access_in remark Allow HTTP and HTTPS to act.COMPANY.com
access-list outside_access_in extended permit tcp any object act.COMPANY.com- object-group DM_INLINE_TCP_15
access-list outside_access_in remark Allow AS2 (443, 4080, 5080, 6080) to the AS2 Production and Test Machines
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group as2
access-list outside_access_in remark Allow HTTP and HTTPS to www.COMPANY.com
access-list outside_access_in extended permit tcp any object www.COMPANY.com- object-group DM_INLINE_TCP_14
access-list outside_access_in remark Allow AS2 to w2k-isoft
access-list outside_access_in extended permit tcp any object w2k-isoft- object-group as2
access-list outside_access_in remark All SQL Server (SSL) to Coltixdb
access-list outside_access_in extended permit tcp any object Coltixdb- object-group SQLServer
access-list outside_access_in remark Allow FTP to ColFTP01
access-list outside_access_in extended permit tcp any object ColFTP01- eq ftp
access-list outside_access_in remark allow http/https access in intra.COMPANY.com
access-list outside_access_in extended permit tcp any object intra.COMPANY.com- object-group DM_INLINE_TCP_6
access-list outside_access_in remark Allow http and https to asgard
access-list outside_access_in extended permit tcp any object www.COMPANY.net- object-group DM_INLINE_TCP_8
access-list outside_access_in remark Allow HTTP and HTTPS to ColCrmRouter01 (crmws.COMPANY.com)
access-list outside_access_in extended permit tcp any object crmws.COMPANY.com- object-group DM_INLINE_TCP_16
access-list outside_access_in remark Allow HTTP and HTTPS to coltmg01
access-list outside_access_in extended permit tcp any object coltmg01- object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow Lync Edgel traffic to collync01
access-list outside_access_in extended permit object-group TCPUDP any object collync01- object-group LyncEdge
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANY.com
access-list outside_access_in extended permit tcp any object www1.COMPANY.com- object-group DM_INLINE_TCP_19
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANY.com
access-list outside_access_in extended permit tcp any object www2.COMPANY.com- object-group DM_INLINE_TCP_20
access-list outside_access_in remark Allow HTTP and HTTPS to www1.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www1.COMPANYfed.com- object-group DM_INLINE_TCP_21
access-list outside_access_in remark Allow HTTP and HTTPS to www2.COMPANYfed.com
access-list outside_access_in extended permit tcp any object www2.COMPANYfed.com- object-group DM_INLINE_TCP_22
access-list outside_access_in extended permit tcp any object monitor.COMPANY.com- eq www
access-list outside_access_in remark For debugging (can enable logging)
access-list outside_access_in extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 172.22.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group PMIVPNNetworks object PMI_SonicWALL-Subnet
access-list inside_nat0_outbound remark Domain Controller one to many rule so PCI Trust servers can reslove DNS names and authenticate.
access-list inside_nat0_outbound extended permit ip object-group COLDCs 172.24.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ColWSUS02 172.24.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group PMIVPNNetworks object-group PMI_SonicWALL-Subnets
access-list Colo_PCI_Trust_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
logging mail critical
logging from-address [email protected]
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Colo_PCI_Trust 1500
mtu management 1500
ip local pool vpnphone-ip-pool 172.22.255.1-172.22.255.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface HA GigabitEthernet0/7
failover key Fiyalt!
failover link HA GigabitEthernet0/7
failover interface ip HA 172.16.200.1 255.255.255.248 standby 172.16.200.2
no monitor-interface DMZ
no monitor-interface Colo_PCI_Trust
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 172.24.3.0 255.255.255.0 Colo_PCI_Trust
asdm image disk0:/asdm-66114.bin
asdm location ColVPN- 255.255.255.255 inside
asdm location ColBarracuda- 255.255.255.255 inside
asdm location ColBarracuda 255.255.255.255 inside
asdm location ww2- 255.255.255.255 inside
asdm location www1- 255.255.255.255 inside
asdm location ww2 255.255.255.255 inside
asdm location www1 255.255.255.255 inside
asdm location Colww3- 255.255.255.255 inside
asdm location Colww3 255.255.255.255 inside
asdm location ColSysAid- 255.255.255.255 inside
asdm location ColSysAid 255.255.255.255 inside
asdm location Facts 255.255.255.255 inside
asdm location Facts- 255.255.255.255 inside
asdm location NSTrax- 255.255.255.255 inside
asdm location ftp.boundree.co.uk- 255.255.255.255 inside
asdm location ftp.COMPANY.co.uk 255.255.255.255 inside
asdm location Dubmss01 255.255.255.255 inside
asdm location Dubmss01- 255.255.255.255 inside
asdm location ColBI01- 255.255.255.255 inside
asdm location ColBI01 255.255.255.255 inside
asdm location ColMOSS01 255.255.255.255 inside
asdm location ColMOSS01- 255.255.255.255 inside
asdm location ambutrak- 255.255.255.255 inside
asdm location ambutrak 255.255.255.255 inside
asdm location NSTrax 255.255.255.255 inside
asdm location btmu- 255.255.255.255 inside
asdm location btmu 255.255.255.255 inside
asdm location COMPANY.com- 255.255.255.255 inside
asdm location COMPANY.com 255.255.255.255 inside
asdm location as2.COMPANY.com- 255.255.255.255 inside
asdm location colas2 255.255.255.255 inside
asdm location w2k-isoft- 255.255.255.255 inside
asdm location w2k-isoft 255.255.255.255 inside
asdm location Coltixdb- 255.255.255.255 inside
asdm location Coltixdb 255.255.255.255 inside
asdm location colexcas- 255.255.255.255 inside
asdm location colexcas01 255.255.255.255 inside
asdm location colexcas02 255.255.255.255 inside
asdm location colexcas 255.255.255.255 inside
asdm location ColFTP01- 255.255.255.255 inside
asdm location ColFTP01 255.255.255.255 inside
asdm location www.COMPANY.com- 255.255.255.255 inside
asdm location www.COMPANY.com 255.255.255.255 inside
asdm location act.COMPANY.com- 255.255.255.255 inside
asdm location act.COMPANY.com 255.255.255.255 inside
asdm location Rewards.COMPANY.com- 255.255.255.255 inside
asdm location colww5 255.255.255.255 inside
asdm location as2test.COMPANY.com- 255.255.255.255 inside
asdm location ColdevAS2 255.255.255.255 inside
asdm location test.COMPANY.com 255.255.255.255 inside
asdm location colexcas01NLB 255.255.255.255 inside
asdm location colexcas02NLB 255.255.255.255 inside
asdm location ColVPN 255.255.255.255 inside
asdm location intra.COMPANY.com- 255.255.255.255 inside
asdm location intra.COMPANY.com 255.255.255.255 inside
asdm location asgard 255.255.255.255 inside
asdm location www.COMPANY.net- 255.255.255.255 inside
asdm location crmws.COMPANY.com- 255.255.255.255 inside
asdm location crmws.COMPANY.com 255.255.255.255 inside
asdm location dubngwt- 255.255.255.255 inside
asdm location dubngwt 255.255.255.255 inside
asdm location dubexcas01 255.255.255.255 inside
asdm location dubexcas02 255.255.255.255 inside
asdm location dubexcas 255.255.255.255 inside
asdm location collync01- 255.255.255.255 inside
asdm location coltmg01- 255.255.255.255 inside
asdm location collync01 255.255.255.255 inside
asdm location coltmg01 255.255.255.255 inside
asdm location COMPANYfed.com- 255.255.255.255 inside
asdm location COMPANYfed.com 255.255.255.255 inside
asdm location www1.COMPANY.com- 255.255.255.255 inside
asdm location www2.COMPANY.com- 255.255.255.255 inside
asdm location www1.COMPANYfed.com- 255.255.255.255 inside
asdm location www2.COMPANYfed.com- 255.255.255.255 inside
asdm location www1.COMPANY.com 255.255.255.255 inside
asdm location www2.COMPANY.com 255.255.255.255 inside
asdm location www1.COMPANYfed.com 255.255.255.255 inside
asdm location www2.COMPANYfed.com 255.255.255.255 inside
asdm location PMI_SonicWALL-Subnet 255.255.0.0 inside
asdm location PMISonicWALL 255.255.255.255 inside
asdm location BrentwoodData 255.255.0.0 inside
asdm location GilbertData 255.255.0.0 inside
asdm location coldc01 255.255.255.255 inside
asdm location coldc02 255.255.255.255 inside
asdm location ColWSUS02 255.255.255.255 inside
asdm location monitor.COMPANY.com- 255.255.255.255 inside
asdm location ColPRTG01 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static obj-172.22.255.0 obj-172.22.255.0 no-proxy-arp
nat (inside,any) source static PMIVPNNetworks PMIVPNNetworks destination static PMI_SonicWALL-Subnet PMI_SonicWALL-Subnet no-proxy-arp
nat (inside,any) source static COLDCs COLDCs destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
nat (inside,any) source static ColWSUS02 ColWSUS02 destination static obj-172.24.3.0 obj-172.24.3.0 no-proxy-arp
object network ambutrak
nat (inside,outside) static ambutrak-
object network btmu
nat (inside,outside) static btmu-
object network ColBarracuda
nat (inside,outside) static ColBarracuda-
object network ColBI01
nat (inside,outside) static ColBI01-
object network colexcas
nat (inside,outside) static colexcas-
object network ColMOSS01
nat (inside,outside) static ColMOSS01-
object network COMPANY.com
nat (inside,outside) static COMPANY.com-
object network Coltixdb
nat (inside,outside) static Coltixdb-
object network Colww3
nat (inside,outside) static Colww3-
object network ColSysAid
nat (inside,outside) static ColSysAid-
object network ColVPN
nat (inside,outside) static ColVPN-
object network colas2
nat (inside,outside) static as2.COMPANY.com-
object network Dubmss01
nat (inside,outside) static Dubmss01-
object network Facts
nat (inside,outside) static Facts-
object network ftp.COMPANY.co.uk
nat (inside,outside) static ftp.COMPANY.co.uk-
object network NSTrax
nat (inside,outside) static NSTrax-
object network w2k-isoft
nat (inside,outside) static w2k-isoft-
object network www1
nat (inside,outside) static www1-
object network ww2
nat (inside,outside) static ww2-
object network ColFTP01
nat (inside,outside) static ColFTP01-
object network www.COMPANY.com
nat (inside,outside) static www.COMPANY.com-
object network act.COMPANY.com
nat (inside,outside) static act.COMPANY.com-
object network colww5
nat (inside,outside) static Rewards.COMPANY.com-
object network ColdevAS2
nat (inside,outside) static as2test.COMPANY.com-
object network intra.COMPANY.com
nat (inside,outside) static intra.COMPANY.com-
object network asgard
nat (inside,outside) static www.COMPANY.net-
object network crmws.COMPANY.com
nat (inside,outside) static crmws.COMPANY.com-
object network dubngwt
nat (inside,outside) static dubngwt-
object network COMPANYfed.com
nat (inside,outside) static COMPANYfed.com-
object network www1.COMPANYfed.com
nat (inside,outside) static www1.COMPANYfed.com-
object network www2.COMPANYfed.com
nat (inside,outside) static www2.COMPANYfed.com-
object network www1.COMPANY.com
nat (inside,outside) static www1.COMPANY.com-
object network www2.COMPANY.com
nat (inside,outside) static www2.COMPANY.com-
object network ColPRTG01
nat (inside,outside) static monitor.COMPANY.com-
object network obj_any
nat (inside,outside) dynamic 74.XXX.XXX.131
object network collync01
nat (DMZ,outside) static collync01-
object network coltmg01
nat (DMZ,outside) static coltmg01-
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Colo_PCI_Trust_access_in in interface Colo_PCI_Trust
router eigrp 10
no auto-summary
eigrp router-id 172.22.1.8
network 172.22.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 74.XXX.XXX.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Colo protocol radius
aaa-server Colo (inside) host coldc02
timeout 5
key Bound/\Tree
radius-common-pw Bound/\Tree
aaa-server Colo (inside) host coldc01
timeout 5
key Bound/\Tree
user-identity default-domain LOCAL
http server enable
http 172.22.0.0 255.255.0.0 inside
http DublinData 255.255.0.0 inside
http DublinData 255.255.0.0 management
snmp-server host inside 10.1.0.59 community public
snmp-server host inside ColPRTG01 community public
snmp-server location Columbus, OH - Colo
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer PMISonicWALL
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet BrentwoodData 255.0.0.0 inside
telnet coldc02 255.255.255.255 inside
telnet DublinData 255.255.0.0 management
telnet timeout 5
ssh 172.22.0.0 255.255.0.0 inside
ssh DublinData 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 74.14.179.211 source outside prefer
ntp server 69.64.72.238 source outside prefer
ntp server coldc02 source inside
ntp server 74.120.8.2 source outside prefer
ntp server 108.61.56.35 source outside prefer
ntp server coldc01 source inside
webvpn
group-policy GroupPolicy_74.XXX.XXX.130 internal
group-policy GroupPolicy_74.XXX.XXX.130 attributes
vpn-tunnel-protocol ikev1
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 172.22.3.4 172.22.3.31
vpn-tunnel-protocol ikev1
default-domain value corp.COMPANY.com
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool vpnphone-ip-pool
authentication-server-group Colo
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
ikev1 pre-shared-key *
tunnel-group 184.XXX.XXX.226 type ipsec-l2l
tunnel-group 184.XXX.XXX.226 ipsec-attributes
ikev1 pre-shared-key *
peer-id-validate nocheck
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
inspect http
inspect icmp
inspect pptp
inspect icmp error
inspect ip-options
class class-default
service-policy global_policy global
smtp-server 172.22.5.156
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 18
subscribe-to-alert-group configuration periodic monthly 18
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65e78911eefb94bd98892700b143f716
: end

Hi,
Any ASA using software 8.3 or above that does Static NAT between private and public IP addresses (or any NAT at all) and you want to allow traffic from public network to those Static NATed servers you will need to use the local/real IP address in the ACL statements.
If your ASA5520 was running 8.3 or above software levels then there should be no major changes compared to an ASA5525-X running 8.6 software level.
The only situation I can think of right now is if you had used ASA5520 with software 8.2 or below BUT in that case you WOULD NOT have been able to directly copy/paste the configuration to the ASA5525-X device as the lowest software level that the ASA5525-X supports is 8.6(1)
So I am kind of wondering what the situation has actually been.
But one thing is certain. You need to use the real/local IP address of the server in the ACL rules even if you are allowing traffic from the public/external network.
The "packet-tracer" test used to simulate a connection coming to one of your Static NAT public IP address should also tell if your ACLs are configured correctly, among other things.
- Jouni

ACE - SIP TLS

Similar Messages

Maybe you are looking for