CCP - Advanced Firewall Creating Custom Ports Inbound Traffic
Hey folks, i desperatly need some assistance with my ISR 800 series router zone based Firewall.
The router is currently setup and routing traffic to the internet successfully.
I would like to setup a custom inbound port(TCP-3389) accessible from the internet.
Port destination termination will be an internal PC at say 192.168.1.50.
How can i accomplish this using CPP or console.
I have already defined the port to application mapping using CPP. however the firewall is recording the following syslog message:
%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action found in policy-map with ip ident 0
Any assistance is greatly appreciated
If full config is required to assist please let me know.
Thanks for your response.
Pardon my ignorance! how can i export this info from the CCP interface to share? In lue of that procedure, i have provided the full config below.
Building configuration...
Current configuration : 22564 bytes
! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881W-SSHS-R1
boot-start-marker
boot system flash:c880data-universalk9-mz.153-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8192 warnings
enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk
enable password 7 09485B1F180B03175A
aaa new-model
aaa authentication login sslvpn local
aaa session-id common
memory-size iomem 10
clock timezone EST -5 0
clock summer-time UTC recurring
service-module wlan-ap 0 bootimage autonomous
crypto pki server 881-sshs-r1ca
database archive pem password 7 121D1001130518017B
issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON
lifetime certificate 1095
lifetime ca-certificate 1825
crypto pki trustpoint sshs-trustpoint
enrollment selfsigned
serial-number
subject-name CN=sshs-certificate
revocation-check crl
rsakeypair sshs-rsa-keys
crypto pki trustpoint 881-sshs-r1ca
revocation-check crl
rsakeypair 881-sshs-r1ca
crypto pki certificate chain sshs-trustpoint
certificate self-signed 01
308201DC 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
4C311930 17060355 04031310 73736873 2D636572 74696669 63617465 312F3012
06035504 05130B46 54583133 32353830 34593019 06092A86 4886F70D 01090216
0C383831 572D5353 48532D52 31301E17 0D313330 34313332 31323334 315A170D
32303031 30313030 30303030 5A304C31 19301706 03550403 13107373 68732D63
65727469 66696361 7465312F 30120603 55040513 0B465458 31333235 38303459
30190609 2A864886 F70D0109 02160C38 3831572D 53534853 2D523130 5C300D06
092A8648 86F70D01 01010500 034B0030 48024100 C14B55D9 4B2D4124 D711B49E
BBCA3A9D 4EE59818 3922DF07 8D7A3901 BE32D2C5 108FD57C BEA8BEAE F1CFEDF3
6D8EF395 DD4D6880 846C9995 EB25B50A DC8E2CC7 02030100 01A35330 51300F06
03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801494 EBC22041
8AEC4A0C E3D4399D AD736724 1241E730 1D060355 1D0E0416 041494EB C220418A
EC4A0CE3 D4399DAD 73672412 41E7300D 06092A86 4886F70D 01010505 00034100
BCB0E36C 74CB592B C7404CA2 3028AE4A EEBC2FF9 2195BD68 E9BC5D76 00F1C26F
50837DEC 99E79BF5 E5C6C634 BE507705 83F6004B 1B4971E6 EAFBBB0D B3677087
quit
crypto pki certificate chain 881-sshs-r1ca
certificate ca 01
30820299 30820202 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
60310B30 09060355 04081302 4F4E310B 30090603 55040613 02434131 15301306
03550403 130C3838 31772D73 7368732D 72313115 30130603 55040B13 0C737368
73207375 70706F72 74311630 14060355 040A130D 73736820 736F6C75 74696F6E
73301E17 0D313330 34313931 37313331 315A170D 31383034 31383137 31333131
5A306031 0B300906 03550408 13024F4E 310B3009 06035504 06130243 41311530
13060355 0403130C 38383177 2D737368 732D7231 31153013 06035504 0B130C73
73687320 73757070 6F727431 16301406 0355040A 130D7373 6820736F 6C757469
6F6E7330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BA7150D7 E4D5E06B 522A03C4 DBE95F4B C74A4BF5 D715814A 16B1D685 4873C6EB
2ACF8A35 4E4B5234 90B0DE07 738D705E 70C4CEDE D10271CD 658B3939 788859C7
B1730801 22DD5840 9EC1FC50 0AD4D2DF C5281E5F 891550B3 873B6305 02287605
80274704 700D7512 4D780096 E21A2DEE 18F76109 F1D6189B 56561E12 52E5A74B
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 168014CD 462ED740 1B5B89EC
8510BAB3 E91629AE 6C14F030 1D060355 1D0E0416 0414CD46 2ED7401B 5B89EC85
10BAB3E9 1629AE6C 14F0300D 06092A86 4886F70D 01010405 00038181 000EE548
B5692815 E61D2086 E7B53CD4 0C077D9D 479F8F6A 9276356D FD18FBD7 FDFCE15A
0224A686 F2154525 6F56CCD8 555E47EA 80C5223F A999260D 53E5AC53 A6AE6149
2B28EC50 67AA35E7 3B32011B E82D0888 5D3EDCC3 28720D49 DC01ADBB 1B2B44AF
CFD12481 7F1D9720 4A66D59A 8A3B7BB8 287F064C 41D788DD 0552FD91 F8
quit
no ip source-route
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
ip dhcp excluded-address 192.168.10.1 192.168.10.200
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.30.1 192.168.30.200
ip dhcp pool SSHS-LAN
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN20
import all
network 192.168.20.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.20.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN30
import all
network 192.168.30.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.30.1
domain-name sshs.local
lease 2
no ip bootp server
ip domain name sshs.local
ip host 881W-SSHS-R1 192.168.10.1
ip name-server 208.122.23.22
ip name-server 208.122.23.23
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y
license boot module c880-data level advipservices
username sshs privilege 15 password 7 050F131920425A0C48
username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map match-any AutoQoS-Voice-Fa4
match protocol rtp audio
class-map type inspect match-all CCP_SSLVPN
match access-group 199
class-map match-any AutoQoS-Scavenger-Fa4
match protocol bittorrent
match protocol edonkey
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any remote-app
match protocol Other
class-map type inspect match-all SDM_RIP_PT
match protocol router
class-map type inspect match-any bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any bootpc_bootps
match protocol bootpc
match protocol bootps
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 102
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
match class-map bootps
match access-group name boops-DHCP
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map bootpc_bootps
match access-group name DHCP-Request
class-map type inspect match-any SDM_CA_SERVER
match class-map SDM_HTTPS
match class-map SDM_HTTP
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map uremote-app
match access-group name remote-app
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
class type inspect msnmsgr ccp-app-msn-otherservices
log
class type inspect ymsgr ccp-app-yahoo-otherservices
log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
pass log
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map AutoQoS-Policy-Fa4
class AutoQoS-Voice-Fa4
priority percent 1
set dscp ef
class AutoQoS-Scavenger-Fa4
bandwidth remaining percent 1
set dscp cs1
class class-default
fair-queue
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
class type inspect http ccp-app-httpmethods
log
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_CA_SERVER
inspect
class type inspect ccp-cls-ccp-permit-1
pass log
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_RIP_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-cls-ccp-permit-icmpreply-1
pass log
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
interface Null0
no ip unreachables
interface FastEthernet0
description LAN
switchport mode trunk
no ip address
interface FastEthernet1
description Not in Use
no ip address
interface FastEthernet2
description Trunk to 861W-SSHS-R1
switchport mode trunk
no ip address
auto discovery qos
interface FastEthernet3
description VoIP
switchport access vlan 30
no ip address
service-policy output AutoQoS-Policy-UnTrust
interface FastEthernet4
description WAN$ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname xxx.xxxx.org
ip address dhcp client-id FastEthernet4
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
auto qos
service-policy output AutoQoS-Policy-Fa4
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description SSHS Default LAN$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Vlan30
description $FW_INSIDE$
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description PPPoA Dialer for Int ATM0$FW_INSIDE$
ip address negotiated
ip access-group aclInternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname SSHS-CHAP
ppp chap password 7 045F1E100E2F584B
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
router rip
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
ip local pool sslvpn-pool 192.168.10.190 192.168.10.199
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended DHCP-Request
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any log
ip access-list extended SDM_HTTP
remark CCP_ACL Category=1
permit tcp any any eq www log
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22 log
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended remote-app
remark CCP_ACL Category=128
permit ip any host 192.168.10.50
ip access-list extended boops-DHCP
remark CCP_ACL Category=128
permit ip any any
logging host 192.168.10.50
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.50
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
control-plane
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue
^C
banner motd ^C This router is designated as the primary router in the SSHS LAN ^C
line con 0
password 7 06021A374D401D1C54
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 06021A374D401D1C54
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 130102040A02102F7A
length 0
transport input telnet ssh
transport output telnet ssh
scheduler interval 500
ntp master
ntp update-calendar
ntp server nist1-ny.ustiming.org prefer
webvpn gateway sshs-WebVPN-Gateway
ip interface FastEthernet4 port 443
ssl encryption rc4-md5
ssl trustpoint sshs-trustpoint
inservice
webvpn context sshs-WebVPN
secondary-color white
title-color #669999
text-color black
acl "ssl-acl"
permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
aaa authentication list sslvpn
gateway sshs-WebVPN-Gateway
max-users 4
ssl authenticate verify all
url-list "rewrite"
inservice
policy group sshs-webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpnpool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
default-group-policy sshs-webvpnpolicy
end
Similar Messages
-
RV110W Blocks all inbound traffic
I have a RV110W that's been in service since Dec 2012. All Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly. Anybody seen this before?
Hi David,
Please call the Small Business Support Center and speak with an engineer. The phone numbers for the support center is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
twitter: CiscoSBsupport -
How do I do the following so I can get into my chess program??
The access to our new chess hall may be blocked by your
local firewall. You would need to reconfigure your firewall to open port 15010
for TCP traffic.This is not really Firefox related.
What you need to do here is to read the firewall manual which usually explains how to create a rule for what you want to do.
If you're using the Windows XP firewall, see this Microsoft article: http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions -
Creating a custom IDoc inbound function module
I have created a custom idoc.I wanted to create a custom IDoc inbound function module, this Function module will provide to launch a BAPI .Tell me how to "create" inbound function module for the custom idoc ?
Goto any standard for the Paramtetres
*" IMPORTING
*" REFERENCE(INPUT_METHOD) LIKE BDWFAP_PAR-INPUTMETHD
*" REFERENCE(MASS_PROCESSING) LIKE BDWFAP_PAR-MASS_PROC
*" EXPORTING
*" REFERENCE(WORKFLOW_RESULT) LIKE BDWFAP_PAR-RESULT
*" REFERENCE(APPLICATION_VARIABLE) LIKE BDWFAP_PAR-APPL_VAR
*" REFERENCE(IN_UPDATE_TASK) LIKE BDWFAP_PAR-UPDATETASK
*" REFERENCE(CALL_TRANSACTION_DONE) LIKE BDWFAP_PAR-CALLTRANS
*" REFERENCE(DOCUMENT_NUMBER) LIKE VBAK-VBELN
*" TABLES
*" IDOC_CONTRL STRUCTURE EDIDC
*" IDOC_DATA STRUCTURE EDIDD
*" IDOC_STATUS STRUCTURE BDIDOCSTAT
*" RETURN_VARIABLES STRUCTURE BDWFRETVAR
*" SERIALIZATION_INFO STRUCTURE BDI_SER
*" EDI_TEXT STRUCTURE EDIORDTXT1 OPTIONAL
*" EDI_TEXT_LINES STRUCTURE EDIORDTXT2 OPTIONAL
Do the below configs.
1.Recognise the funcmod as Inbound -BD51
2.Register the Function module in WE57 .
3.we42 Process code .
4. WE20 -PARTNER Profile
I hope it resolves ur Query.
Rgds
Sree M -
SA520: problem when trying to access HTTPS over custom port in a site-to-site vpn
We've set up a site-to-site VPN between our SA520 and our SmoothWall running at our data center. The tunnel is always connected, so that part runs fine
What works fine:
- Client 192.168.11.1 is able to start an RDP session (on it's default port 3389) to server 192.168.3.5
- Client 192.168.11.1 can open a webpage which is hosted on server 192.168.3.5 (hosted on the default HTTP port 80)
What doesn't work:
- Client cannot open web page which is hosted on server 192.168.3.1 at the following url: https://192.168.3.1:441
- or, for that matter, any https service in the 192.168.3.x LAN which runs on a different port
To summarize:
from the 192.168.11.x subnet, accessing services running on default ports (i.e. 80, 3389, 21) in the 192.168.3.x subnet works fine. doing the same for services running on custom ports (i.e. https over port 441) the connection to the webserver times out.
Thanks in advance for any help you may provide.
Glenhi luis,
thank you for your reply. we've checked the smoothwall configuration, but couldn't discover anything which could cause this problem. we even tried replacing the sa520 with a draytek vigor router to set up an lan-to-lan vpn with the smoothwall. with the draytek in place we have no problems accessing the aforementioned servers, so it seems the issue is with the SA520.
what exactly do you mean by creating an ACL from the remote WAN to our LAN? i assumed you meant creating a firewall rule, allowing traffic from the remote device's public ip to our LAN. however, in that case i need to enter an ip address of a device in our LAN, or else i cannot save this rule. as a test i entered the ip address of my machine as the destination address, but am still unable to access the aforementioned servers.
here's how i set up the rule:
from zone: UNSECURE (WAN/optional WAN)
to zone: LAN
service: ANY
action: ALLOW always
schedule: (not set)
source hosts: Single address
from: public ip of one of the aforementioned servers
source NAT settings > external IP address: WAN interface address (cannot change this setting)
source NAT settings >WAN interface: dedicated WAN (cannot change this setting)
destination NAT settings > internal ip address: 192.168.11.123 (ip address of my machine)
enable port forwarding: unchecked
translate port number: empty
external IP address: dedicated WAN -
How to create routed port in Cisco SF-300 Switch
I am trying to create routed ports in SF 300 small business 8 port switch.
I have 3 different LAN say 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24
I have 3 unmanaged linsys switch where I have connected all these computers.
Now what I have to do is to create routed ports in SF300 and route this networks properly.
Can anybody help me on this? Thanks in advance.Dear Shereef,
Thank you for reaching Small Business Support Community.
In Layer 3 system mode, the device can have multiple IP addresses. Each IP address can be assigned to specified ports, LAGs, or VLANs. Operating in Layer 3 mode, the device routes traffic between the directly attached IP subnets configured on the device. In addition, you can manually define default routes.
Configuring the device to work in Layer 3 mode is performed in the Administration >System Settings page.
To define IP addresses on the ports:
IP Configuration > IPv4 Management and Interfaces > IPv4 Interface
To define an IP static route:
Click IP Configuration > IPv4 Management and Interfaces > IPv4 Routes
Just in case you can check on the admin guide, chapter 16 for a more detailed step by step description;
http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/78-19308-01.pdf
I hope you find this information useful and please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so other will know when an answer has been found. -
IPSec Certificate Authentication from Linux Strongswan client to Windows Advanced Firewall (2012)
Hi,
Has anybody had any success in getting a Linux Strongswan client (or Openswan) to connect to a win2012 Advanced Firewall using certificates and IPSec? My Security Connection Rule requires authentication both inbound and outbound. The cert is
installed correctly on the Linux box.
I can get a connection using pre-shared keys, but haven't been able to establish a Quick Mode session when using certs. I've tried (literally) hundreds of different configs without success. Event log shows either 'No Policy Configured' or 'Unknown
Authentication'.
Windows clients can connect correctly with certs. I've deliberately excluded details as the Linux config can be setup in so many different ways, i'd rather start by looking at someone elses config that works (if that actually exists).
Thanks
MickHi,
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thanks for your understanding and support.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Create Contact Type in Create Customer contact screen of collections mgt
Hi All,
Can anyone please let me know if its possible to create a new contact type ( Currently we have four default types (Outbound call / Inbound Call / Visit to Customer / Visit from Customer) in the FSCM collections management, in the create customer contact screen.
If its possible to create a new contact type, please let me know where to do that.
Thanks in advance.
Thanks
KrishnaYou can add new contact types in the customizing table UDMV_CCT_TYPE.
With this you would be able to select the contact types you have
defined.
Please note that you can create entries in this table only with the
customer namespace i.e. prefix 'Z' to the contact type that you choose.
e.g. if you want to create a new entry in contact type say 'TEST' then
the entry in the customizing table should be as below:
Contact type | Name of contact type
Z03 | TEST
Another point to note here would be that for each entry that you create
in this table, the system displays 2 entries (1 for Inbound and 1 for
Outbound) in the contact type dropdown on the customer contact screen in the collection management system. This is as per the standard design
and it cant overridden.
Thanks
Krishna -
Create Custom data_domain in Oracle E-Business Suite Extensions for Oracle Endeca
Hi all
I integrated EBS with Oracle Endeca information discovery with the help of the following document Installing Oracle E-Business Suite Extensions for Oracle Endeca, Release 12.2 V4 (Doc ID 1574273.1).
I am little aware to create custom data loading using endeca integrator.
I need to know is there any possibility to create custom data_domain using Integrator in Oracle E-Business Suite Extensions for Oracle Endeca.
Using the webs ervices data domains are created in the Endeca server.
Below mentioned port numbers are displayed in the doc.
7001 Oracle Endeca WL Managed Server
7002 Oracle Endeca WL Domain Admin Server
7004 Oracle Endeca Studio UI WL Managed Server
7005 Oracle Endeca Integrator WL Domain Admin Server
7006 Oracle Endeca Integrator Server UI WL Managed Server
7011-8011 Oracle Endeca Server Internal Data Domains
webservices url will be like http://hostname:port/endeca-server/ws/admin Like.
I need to know the port number for this url. Kindle help me regarding this webservices
Kindly suggest me ASAP.
Thanks in advance.Hi,
While checking the load data its showing error in clover url.
We got error like this.
Graph 'sandbox://Common/graph/FullLoad.grf' failed!
And we followed the document for this issue Endeca graphs failing (Doc ID 1549013.1)
Please help me to fix this issue.
Regards
Kumar -
How to create custom infotype for training and event management
hai freinds can any one tell me how to create custom infotype for training and event managment with following fields
PS No PA0000-> PERNR
Name - PA0001 -> ENAME
IS PS.No. PA0001-> PS no. of Immediate Superior
IS name PA0001 -> ENAME
thanx in advance
afzalHi,
Your question is not clear for me. Since it is a TEM infotype, it could be a PD infotype.
If you wish to create a PD infotype, use transaction PPCI to create the infotype.
But before that you need to create a structure HRInnnn (where nnnn is the infotype number) with all the fields relevant for the infotype.
If you wish to create a PA infotype, use transaction PM01 to create the infotype.
But before that you may be required to create a strcuture PSnnnn (where nnnn is the infotype number) with all the fields relevant for the infotype.
Regards,
Srini -
"SYNTAX_ERROR" while creating customer Master T-code-"FD01
Dear All,
Getting an error "SYNTAX_ERROR" while creating customer Master T-code-"FD01". The error as follwoes
Short text :Syntax error in program "CMD_EI_API_CHECK==============CP ".
What happened? : Error in the ABAP Application Program
The current ABAP program "SAPLCMD_BTE_OUTBOUND" had to be terminated because it
has
come across a statement that unfortunately cannot be executed.
The following syntax error occurred in program
"CMD_EI_API_CHECK==============CP " in include
"CMD_EI_API_CHECK==============CM04T " in
line 82:
""LS_KNVP_NEW_PARTIAL-PERNR" and "<LS_KNVP_NEW>-PERNR" are not mutually"
" convertible in a Unicode program. ."
The include has been created and last changed by:
Created by: "SAP "
Last changed by: "SAP "
Error in the ABAP Application Program
The current ABAP program "SAPLCMD_BTE_OUTBOUND" had to be terminated because it
has
come across a statement that unfortunately cannot be executed.
Error analysis :The following syntax error was found in the program
CMD_EI_API_CHECK==============CP :
""LS_KNVP_NEW_PARTIAL-PERNR" and "<LS_KNVP_NEW>-PERNR" are not mutually"
" convertible in a Unicode program. ."
Information on where terminated :Termination occurred in the ABAP program "SAPLCMD_BTE_OUTBOUND" - in
"CMD_CUSTOMER_BTE_1321_IMPL".
The main program was "SAPMF02D ".
In the source code you have the termination point in line 330
of the (Include) program "LCMD_BTE_OUTBOUNDU01".
Please help us on this,
Thanks in Advance,
Kumar.KDear Kumar,
please kindly apply the SAP note 1511101.
I hope this helps.
Mauri -
Need help in creating custom reports
hello,
I am using EM 10.2.0.2 on windows 32-bit.
All EM components are installed on a single machine.
Have installed AGENT 10.1.0.5 for managing targets which are on LINUX 2.1
Please help me in getting the solution for the following queries:
(a)I need to create a custom report regarding the CAPACITY MANAGEMENT .
(b)I have some UDM defined but I am not able to use these UDM while creating custom report.
(c)Also is there any possibility that we can use views other than REPOSITORY VIEWS. What I meant was : instead of using REPOSITORY VIEWS can we use the tables of the target instances.
Thanks in advance.Same post
Need help on repository views for creating custom capacity planning reports -
How Tou2026 Create Custom Application in E-Commerce 7.0?
Hi all,
We want to set up SAP E-Commerce for ERP 7.0. For SAP E-Commerce for ERP 5.0 the following configuration guide is available:
How Tou2026 Create Custom Application in E-Commerce 5.0
What about SAP E-Commerce for ERP 7.0? Is this guideline also valid for 7.0?
If not, where can I find the corresponding configuration guideline for SAP E-Commerce for ERP 7.0 (on the SAP Service Marketplace?)?
Thanks in advance.
Regards,
AVHello Av,
Please see the Development and extension guide @
http://service.sap.com/crm-inst
=> Release 7.0
=> Operate
Regards
Mark -
Create Customer at POS and upload to different company code
Hi Experts
Client Requirement is like this
Two company codes are here e.g. company code BP01 and BP02
BP01 has one store
BP02 has three store
Now Customer is create at POS Server at any store .
here we can create customer with respect to any one company code
Same customer want to buy goods from both company code and can get rewards points
question
so cutomer has to extend in other company code and has to update to each POS SERVER which located in each store
how to handle this scenarion
regardsHi Hanumant,
Assuming if customer, buys some item from CCode BP02 regularly, then you can create the customer on the POS application (like SAP POS..), and append the POS Customer master (re-use any text field) with information of other company code where the customer wishes to deal with).
The customer master will be passed using inbound idoc, on to the IS Retail Server in the HO.
Now at HO level a the customer can be extended for multiple company code ..in this case BP01 manually or by an automated program, which will monitor the specific field (coming from the new customer master idoc from POS) , if it detects contents, it reads the same and extend the customer as per mentioned ccode.
So next time onwards , using outbound doc , customer master can be updated to all locations for that customer. Similarly the loyality point, can be accumulated based on the purchases made per Ccode.
Regards,
Anirban Roy -
Ageing analysis for advances received from customer
Hello All,
Please can anyone provide inputs on whether there are any standard reports in SAP that can provide ageing analysis of advances received from customer (posted using special GL indicators).
Thnx in advance.
Regards,
SudeepHi,
In Report S_ALR_87012168 you get which are due and which are not due (you can see per Special GL Indicator wise also)
If you think this will not suffice your requirement (like you would like to see 1-30 days, 31-60 days and so on)
I would suggest
You create a form in FDI4 - refer FDI5 and FDI6 for standard forms (you can even write own formulas)
Assign the form to report in FDI1 - refer FDI2 and FDI3 for standard reports.
Hope this will help you.
Regards,
Ravi
Maybe you are looking for
-
How to increas the width of the Table in OBIEE Report
Hi , I am creating a OBIEE report, the report has table and 30 column in it. When I am viewing the report in an excel file , its appearing good but the width of the table is so small if I am viewing the same in internet explorer/PDF .I dont know how
-
We have one computer and two apple id's- how do I sync two phones to the same computer?
My family has one laptop computer but we have two different iPhones and itunes accounts. I want to be able to plug my iPhone into the computer and sync pictures and music with my account. My husband has his own iTunes account and he needs to be abl
-
Hi all, I've activated standard BI content queries. Have loaded master data, transaction data & hierarchies. The problem is while executing the queries in BEx, wherever the F4 for hierarchies is coming, the Long description is field is blank. only th
-
Album photo/video widget not supported by Other launchers?
Hi, I seemed to notice that the album photo/video widget is not supported by other launchers(e.g. I use Nova Launcher). Walkman widget recently was supported and I can add the widget even I use other launcher(this was not possible before in JB 4.1.2)
-
Dear All, When I am sending a Purchase Order using EDI the IDoc is not capturing the details of the Forwarding Agent whose Partner Function is "CR" that I entered while creating a PO. Could some one give me a solution for it. Thanks in advance. - Lax