Cisco 1921 - Anti Spoofing?

Similar Messages

• Anti spoof acl and cisco 7606

  Hi all,
  I have strange problem with anti spoof access-list which I would like to set up in cisco 7606 with 7600-PFC3CXL. So I made an access-list which is in [1.] and set up on interface Te1/1 like this [2.], but there are no match in output direction? Why? Well I made a test with [3.] but no matchs in access-list and ICMP was working than I made change [4.] and yeap icmp was not working and I have seen match in input direction good. It looks like that output direction in acl not working so I removed line 1 inc acl [4.] and icmp still not working and acl [3.] started matching icmp in line 1? Why? Can anybody help me? Thanks.
  Karel
  btw.> I tried solve this problem with this links:
  http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html
  http://www.cisco.com/web/about/security/intelligence/acl-logging.html
  [1.]
  Extended IP access list anti_spoof_Te1/1_input
  10 deny ip 10.0.0.0 0.255.255.255 any
  20 deny ip 172.16.0.0 0.15.255.255 any
  30 deny ip 192.168.0.0 0.0.255.255 any
  40 deny ip 127.0.0.0 0.255.255.255 any
  50 deny ip 194.79.52.0 0.0.3.255 any
  60 deny ip 0.0.0.0 0.255.255.255 any
  70 permit ip any OUR CIDR
  80 permit ip any host BGP Neighbor
  90 deny ip any any
  Extended IP access list anti_spoof_Te1/1_output
  10 deny ip any 10.0.0.0 0.255.255.255
  20 deny ip any 172.16.0.0 0.15.255.255
  30 deny ip any 192.168.0.0 0.0.255.255
  40 deny ip any 127.0.0.0 0.255.255.255
  50 deny ip any 0.0.0.0 0.255.255.255
  60 deny ip any OUR CIDR
  70 permit ip host BGP Neighbor any
  80 permit ip OUR CIDR any
  90 deny ip any any
  [2.]
  ip access-group anti_spoof_Te1/1_input in
  ip access-group anti_spoof_Te1/1_output out
  [3.]
  Extended IP access list anti_spoof_Te1/1_output
  1 deny icmp host from OUR CIDR host in INTERNET log-input
  10 deny ip any 10.0.0.0 0.255.255.255
  20 deny ip any 172.16.0.0 0.15.255.255
  30 deny ip any 192.168.0.0 0.0.255.255
  40 deny ip any 127.0.0.0 0.255.255.255
  50 deny ip any 0.0.0.0 0.255.255.255
  60 deny ip any OUR CIDR
  70 permit ip host BGP Neighbor any
  80 permit ip OUR CIDR any
  90 deny ip any any log-input
  [4.]
  Extended IP access list anti_spoof_Te1/1_input
  1 deny icmp host from INTERNET host from OUR CIDR
  10 deny ip 10.0.0.0 0.255.255.255 any
  20 deny ip 172.16.0.0 0.15.255.255 any
  30 deny ip 192.168.0.0 0.0.255.255 any
  40 deny ip 127.0.0.0 0.255.255.255 any
  50 deny ip 194.79.52.0 0.0.3.255 any
  60 deny ip 0.0.0.0 0.255.255.255 any
  70 permit ip any OUR CIDR
  80 permit ip any host BGP Neighbor
  90 deny ip any any

  Following links may help you
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
  http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

• Increasing anti-spoofing rules

  What options are available on the C370's for implementing anti-spoofing controls in order to protect our company from the increasing number of phishing emails using spoofed addresses?  
  We already have an inbound rule to check the mailfrom: field and reject all messages that contain our domains

  Hello Anne,
  I hope that this tech-note may help:
  http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117796-problemsolution-esa-00.html
  This is a technote to assist with tagging possibly spoofed emails.
  You can change the action to another action if you want it to be dropped or actions in some other manner.
  Regards,
  Matthew

• Anti Spoofing

  I have an AIP-SSM-20 module that I am in the process of upgrading the system images and the signatures.
  I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.
  If you have some sample configs that I could look at or even if you can explain to me how to do it through the GUI I would really appreciate it.

  Carlos,
  It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.
  https://supportforums.cisco.com/docs/DOC-11874
  Thank you,
  Blayne Dreier
  Cisco TAC IDS Team
  **Please check out our Podcast**
  TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

• Static NAT entry disappears when using NVI on Cisco 1921 (Multiple versions)

  We have a Cisco 1921 as an IPSec tunnel endpoint where we assign static NAT entries. It is a static one-to-one NAT putting each remote endpoint as a local /24 subnet. We are using NVI and we see some of these static entries disappear when packets are unable to reach the destination. 
  The production router is running 15.0(1r)M16 but we were able to reproduce this same behavior on 15.4(1)T2.
  To reproduce, we add the static NVI entry:
  ip nat source static X.X.X.X 172.30.250.11
  And things look good for a bit:
  ROUTER# sh ip nat nvi trans | i 172.30.250.11
  gre 172.30.250.11:0 X.X.X>X:0 Y.Y.Y.Y:0 Y.Y.Y.Y:0
  --- 172.30.250.11 138.54.32.9 --- ---
  tcp Y.Y.Y.Y:60360 Z.Z.Z.Z:60360 172.30.250.11:22 X.X.X.X:22
  There is a known issue with GRE traffic being dropped at this particular endpoint, so after generating GRE traffic, the entry completely disappears:
  ROUTER# sh run | i 172.30.250.11
  ROUTER#
  ROUTER# sh ip nat nvi trans | i 172.30.250.11
  gre 172.30.250.11:0 X.X.X>X:0 Y.Y.Y.Y:0 Y.Y.Y.Y:0
  icmp Y.Y.Y.Y:59916 Z.Z.Z.Z:59916 172.30.250.11:59916 172.30.250.11:59916
  tcp Y.Y.Y.Y:60360 Z.Z.Z.Z:60360 172.30.250.11:22 X.X.X.X:22
  I can reproduce this by severing the tunnel to any other remote site, and after generating GRE traffic to the downed endpoint, the corresponding static NAT entry will disappear.
  Debugging has not shown anything, and I have found some mentions of similar behavior on older versions. Has anyone seen this? We don't have support access to test all versions, so if it is known to be resolved in a particular one, we would love to know to work towards loading that version.
  Thanks

  Hi Ryan,
  Asa cannot ahve 2 default routes, it can only have one. ASA also doesnt support PBR, so the setup that you are trying to configure would not work on the ASA. Router is the correct option for it.
  Hope that helps.
  Thanks,
  Varun Rao
  Security Team,
  Cisco TAC

• New Cisco 1921 doesn't display running configuration

  Hi All,
  I've recently received this new Cisco 1921 routers with Cisco CP loaded, so it comes up with the annoying change username and password at first access. I've removed all of those files from the flash memory, and rebooted it, and it came up with the proper initial configuration dialog, which is what I wanted.
  But, whenever I configure the router with a set of basic configuration, like interface, routing, and snmp loggings, and hit wr mem, it doesn't display at all when I do "sh run". It's weird cause when I do sh run | sec rip  or any other stuff that I have configured, it shows up , but not in sh run at all.
  What's the deal with the new routers??? Even sh version doesn't show the config-register or memory allocation details. Which is weird!
  xxxxx#sh ver
  Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 20-Mar-12 17:58 by prod_rel_team
  ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
  xxxxxx uptime is 6 minutes
  System returned to ROM by reload at 06:39:25 UTC Mon Apr 29 2013
  System restarted at 06:40:59 UTC Mon Apr 29 2013
  System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
  Last reload type: Normal Reload
  Last reload reason: Reload Command
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  ==================================================================
  xxxxx#sh run
  Building configuration...
  Current configuration : 1930 bytes
  ! Last configuration change at 06:42:46 UTC Mon Apr 29 2013
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname xxxxxx
  boot-start-marker
  boot-end-marker
  logging userinfo
  logging buffered 4096
  no aaa new-model
  no ipv6 cef
  ip source-route
  ip cef
  xxxxxxx #sh run | sec rip
  router rip
  version 2
  network 172.17.0.0
  network 192.168.10.0
  network 192.168.13.0
  no auto-summary
  xxxxxxx#sh license feature
  Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
  ipbasek9                 no           no          no             yes      no
  securityk9               yes          yes         no             no       yes
  datak9                   yes          yes         no             no       yes
  SSL_VPN                  yes          yes         no             no       yes
  ios-ips-update           yes          yes         yes            no       yes
  WAAS_Express             yes          yes         no             no       yes

  Same stuff, but I do have another router that's working fine when I do a sh run.
  Problematic router:
  xxxxxx#sh hardware
  Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 20-Mar-12 17:58 by prod_rel_team
  ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
  xxxxx uptime is 1 hour, 35 minutes
  System returned to ROM by reload at 06:39:25 UTC Mon Apr 29 2013
  System restarted at 06:40:59 UTC Mon Apr 29 2013
  System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
  Last reload type: Normal Reload
  Last reload reason: Reload Command
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  Working router:
  yyyyyyy#sh ver
  Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 20-Mar-12 17:58 by prod_rel_team
  ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
  yyyyyyy uptime is 1 week, 3 days, 10 hours, 19 minutes
  System returned to ROM by power-on
  System restarted at 06:19:19 est Fri Apr 19 2013
  System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
  Last reload type: Normal Reload
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
  Processor board ID FGLxxxxxx
  2 Gigabit Ethernet interfaces
  1 terminal line
  DRAM configuration is 64 bits wide with parity disabled.
  255K bytes of non-volatile configuration memory.
  249840K bytes of USB Flash usbflash0 (Read/Write)
  License Info:
  License UDI:
  Device#   PID                   SN
  *0        CISCO1921/K9          FGLxxxxxx    
  Technology Package License Information for Module:'c1900'
  Technology    Technology-package           Technology-package
                Current       Type           Next reboot 
  ipbase        ipbasek9      Permanent      ipbasek9
  security      None          None           None
  data          None          None           None
  Configuration register is 0x2102

• Cisco 1921 Dual ADSL Load Balancing/Failover?

  Hello,
  We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
  I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
  I had a look at ppp multilink but I am unsure our ISP (BT) support this?
  This is my current config which I think only one ADSL line is being used. Some input would be appreciated
  Robbie
  ! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
  version 15.0
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname xxxxxx
  boot-start-marker
  boot-end-marker
  no logging buffered
  enable secret 5 xxxxx
  enable password xxxx
  no aaa new-model
  no ipv6 cef
  ip source-route
  ip cef
  ip name-server 194.74.65.68
  ip name-server 194.72.0.114
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-xxxxxx
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
  revocation-check none
  rsakeypair TP-self-signed-xxxxx!
  crypto pki certificate chain TP-self-signed-xxxxxx
  certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
  license udi pid CISCO1921/K9 xxxxx
  username admin privilege 15 secret 5 xxxxxxxxxx/
  interface GigabitEthernet0/0
  description lan$ETH-LAN$
  ip address 10.0.8.1 255.255.248.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  no ip address
  shutdown
  duplex auto
  speed auto
  interface ATM0/0/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no atm ilmi-keepalive
  dsl operating-mode adsl2
  interface ATM0/0/0.1 point-to-point
  description $ES_WAN$$FW_OUTSIDE$
  ip flow ingress
  pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface ATM0/1/0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no atm ilmi-keepalive
  dsl operating-mode adsl2
  interface ATM0/1/0.1 point-to-point
  description $ES_WAN$$FW_OUTSIDE$
  ip flow ingress
  pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface Dialer0
  mtu 1483
  ip address negotiated
  ip access-group spalding in
  ip access-group spalding out
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname xxxxx
  ppp chap password 0 xxxxx
  ppp multilink
  ppp multilink links minimum 2
  ppp multilink fragment disable
  ppp timeout multilink link add 2
  no cdp enable
  interface Dialer1
  mtu 1483
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap callin
  ppp chap hostname xxxxx
  ppp chap password 0 xxxxx
  ppp link reorders
  ppp multilink
  ppp multilink links minimum 2
  ppp multilink fragment disable
  ppp timeout multilink link add 2
  no cdp enable
  ip forward-protocol nd
  no ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer0 overload
  ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
  ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 remark INSIDE_IF=GigabitEthernet0/0
  access-list 1 permit 10.0.0.0 0.254.255.255
  dialer-list 1 protocol ip permit
  control-plane
  line con 0
  line aux 0
  line vty 0 4
  privilege level 15
  login local
  transport input telnet ssh
  line vty 5 15
  privilege level 15
  login local
  transport input telnet ssh
  scheduler allocate 20000 1000
  end

  Hi,
  Can anyone help me with this config?  not very reliable.
  Building configuration...
  Current configuration : 17349 bytes
  ! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
  version 15.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname Router
  boot-start-marker
  boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 51200
  logging console critical
  enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
  aaa new-model
  aaa authentication login local_authen local
  aaa authorization exec local_author local
  aaa session-id common
  no ip source-route
  ip port-map user-protocol--8 port udp 3392
  ip port-map user-protocol--9 port tcp 3397
  ip port-map user-protocol--2 port udp 3391
  ip port-map user-protocol--3 port tcp 14000
  ip port-map user-protocol--1 port tcp 3391
  ip port-map user-protocol--6 port udp 3394
  ip port-map user-protocol--7 port tcp 3392
  ip port-map user-protocol--4 port udp 14100
  ip port-map user-protocol--5 port tcp 3394
  ip port-map user-protocol--10 port udp 3397
  ip dhcp excluded-address 192.168.1.1 192.168.1.49
  ip dhcp excluded-address 192.168.10.1 192.168.10.49
  ip dhcp pool DHCP_POOL1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 139.130.4.4 203.50.2.71
   default-router 192.168.1.1
   lease infinite
  ip dhcp pool ccp-pool1
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 139.130.4.4 203.50.2.71
   default-router 192.168.10.1
   lease infinite
  no ip bootp server
  ip host SHAWN-PC 192.168.1.10
  ip host DIAG 192.168.1.5
  ip host MSERV 192.168.1.13
  ip name-server 139.130.4.4
  ip name-server 203.50.2.71
  ip cef
  ip cef load-sharing algorithm include-ports source destination
  no ipv6 cef
  multilink bundle-name authenticated
  cts logging verbose
  crypto pki trustpoint TP-self-signed-1982477479
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-1982477479
   revocation-check none
   rsakeypair TP-self-signed-1982477479
  license udi pid 
  license boot module c2900 technology-package securityk9
  license boot module c2900 technology-package datak9
  redundancy
  controller VDSL 0/0/0
   operating mode adsl2+
  controller VDSL 0/1/0
   operating mode adsl2+
  no cdp run
  track timer interface 5
  track 1 interface Dialer0 ip routing
   delay down 15 up 10
  track 2 interface Dialer1 ip routing
   delay down 15 up 10
  ip tcp synwait-time 10
  ip ssh time-out 60
  ip ssh authentication-retries 2
  class-map type inspect match-all sdm-nat-user-protocol--7-1
   match access-group 104
   match protocol user-protocol--7
   match access-group 102
  class-map type inspect match-all sdm-nat-user-protocol--4-2
   match access-group 101
   match protocol user-protocol--4
  class-map type inspect match-all sdm-nat-user-protocol--6-1
   match access-group 103
   match protocol user-protocol--6
  class-map type inspect match-all sdm-nat-user-protocol--5-1
   match access-group 103
   match protocol user-protocol--5
  class-map type inspect match-all sdm-nat-user-protocol--4-1
   match access-group 102
   match protocol user-protocol--4
  class-map type inspect match-all sdm-nat-user-protocol--7-2
   match access-group 101
   match protocol user-protocol--7
  class-map type inspect match-all sdm-nat-user-protocol--3-1
   match access-group 102
   match protocol user-protocol--3
  class-map type inspect match-all sdm-nat-user-protocol--2-1
   match access-group 101
   match protocol user-protocol--2
  class-map type inspect match-all sdm-nat-user-protocol--1-2
   match access-group 102
   match protocol user-protocol--1
  class-map type inspect match-all sdm-nat-user-protocol--1-1
   match access-group 101
   match protocol user-protocol--1
  class-map type inspect match-all sdm-nat-user-protocol--2-2
   match access-group 102
   match protocol user-protocol--2
  class-map type inspect match-all sdm-nat-user-protocol--3-2
   match access-group 101
   match protocol user-protocol--3
  class-map type inspect match-all sdm-nat-user-protocol--8-2
   match access-group 101
   match protocol user-protocol--8
  class-map type inspect match-all sdm-nat-user-protocol--9-2
   match access-group 104
   match protocol user-protocol--9
  class-map type inspect match-any ccp-skinny-inspect
   match protocol skinny
  class-map type inspect match-all sdm-nat-user-protocol--9-1
   match access-group 101
   match protocol user-protocol--9
   match access-group 104
  class-map type inspect match-all sdm-nat-user-protocol--8-1
   match access-group 104
   match protocol user-protocol--8
   match access-group 102
  class-map type inspect match-any ccp-h323nxg-inspect
   match protocol h323-nxg
  class-map type inspect match-any ccp-cls-icmp-access
   match protocol icmp
   match protocol tcp
   match protocol udp
  class-map type inspect match-all sdm-nat-user-protocol--10-2
   match access-group 104
   match protocol user-protocol--10
  class-map type inspect match-all sdm-nat-user-protocol--10-1
   match access-group 101
   match protocol user-protocol--10
   match access-group 104
  class-map type inspect match-any ccp-h225ras-inspect
   match protocol h225ras
  class-map type inspect match-any ccp-h323annexe-inspect
   match protocol h323-annexe
  class-map type inspect match-any ccp-cls-insp-traffic
   match protocol pptp
   match protocol dns
   match protocol ftp
   match protocol https
   match protocol icmp
   match protocol imap
   match protocol pop3
   match protocol netshow
   match protocol shell
   match protocol realmedia
   match protocol rtsp
   match protocol smtp
   match protocol sql-net
   match protocol streamworks
   match protocol tftp
   match protocol vdolive
   match protocol tcp
   match protocol udp
  class-map type inspect match-all SDM_GRE
   match access-group name SDM_GRE
  class-map type inspect match-any ccp-h323-inspect
   match protocol h323
  class-map type inspect match-all ccp-invalid-src
   match access-group 100
  class-map type inspect match-any ccp-sip-inspect
   match protocol sip
  class-map type inspect match-all ccp-protocol-http
   match protocol http
  class-map type inspect match-any CCP_PPTP
   match class-map SDM_GRE
  class-map type inspect match-all ccp-insp-traffic
   match class-map ccp-cls-insp-traffic
  class-map type inspect match-all ccp-icmp-access
   match class-map ccp-cls-icmp-access
  policy-map type inspect ccp-inspect
   class type inspect ccp-invalid-src
    drop log
   class type inspect ccp-protocol-http
    inspect
   class type inspect ccp-insp-traffic
    inspect
   class type inspect ccp-sip-inspect
    inspect
   class type inspect ccp-h323-inspect
    inspect
   class type inspect ccp-h323annexe-inspect
    inspect
   class type inspect ccp-h225ras-inspect
    inspect
   class type inspect ccp-h323nxg-inspect
    inspect
   class type inspect ccp-skinny-inspect
    inspect
   class class-default
    drop
  policy-map type inspect sdm-pol-NATOutsideToInside-1
   class type inspect sdm-nat-user-protocol--1-1
    inspect
   class type inspect sdm-nat-user-protocol--2-1
    inspect
   class type inspect sdm-nat-user-protocol--3-1
    inspect
   class type inspect sdm-nat-user-protocol--4-1
    inspect
   class type inspect sdm-nat-user-protocol--5-1
    inspect
   class type inspect sdm-nat-user-protocol--6-1
    inspect
   class type inspect sdm-nat-user-protocol--7-1
    inspect
   class type inspect sdm-nat-user-protocol--8-1
    inspect
   class type inspect sdm-nat-user-protocol--9-1
    inspect
   class type inspect sdm-nat-user-protocol--10-1
    inspect
   class type inspect CCP_PPTP
    pass
   class type inspect sdm-nat-user-protocol--7-2
    inspect
   class type inspect sdm-nat-user-protocol--8-2
    inspect
   class type inspect sdm-nat-user-protocol--1-2
    inspect
   class type inspect sdm-nat-user-protocol--2-2
    inspect
   class type inspect sdm-nat-user-protocol--9-2
    inspect
   class type inspect sdm-nat-user-protocol--10-2
    inspect
   class type inspect sdm-nat-user-protocol--3-2
    inspect
   class type inspect sdm-nat-user-protocol--4-2
    inspect
   class class-default
    drop log
  policy-map type inspect ccp-permit
   class class-default
    drop
  policy-map type inspect ccp-permit-icmpreply
   class type inspect ccp-icmp-access
    inspect
   class class-default
    pass
  zone security in-zone
  zone security out-zone
  zone-pair security ccp-zp-self-out source self destination out-zone
   service-policy type inspect ccp-permit-icmpreply
  zone-pair security ccp-zp-in-out source in-zone destination out-zone
   service-policy type inspect ccp-inspect
  zone-pair security ccp-zp-out-self source out-zone destination self
   service-policy type inspect ccp-permit
  zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
   service-policy type inspect sdm-pol-NATOutsideToInside-1
  interface Null0
   no ip unreachables
  interface Embedded-Service-Engine0/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
  interface GigabitEthernet0/0
   description $ETH-LAN$
   ip address 192.168.10.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   duplex auto
   speed auto
   no mop enabled
  interface GigabitEthernet0/1
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
   duplex auto
   speed auto
   no mop enabled
  interface ATM0/0/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   no atm ilmi-keepalive
  interface ATM0/0/0.1 point-to-point
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  interface ATM0/0/0.2 point-to-point
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
  interface Ethernet0/0/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
   no mop enabled
  interface ATM0/1/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   no atm ilmi-keepalive
  interface ATM0/1/0.1 point-to-point
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 2
  interface Ethernet0/1/0
   no ip address
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip flow ingress
   shutdown
   no mop enabled
  interface GigabitEthernet0/3/0
   no ip address
  interface GigabitEthernet0/3/1
   no ip address
  interface GigabitEthernet0/3/2
   no ip address
  interface GigabitEthernet0/3/3
   no ip address
  interface GigabitEthernet0/3/4
   no ip address
  interface GigabitEthernet0/3/5
   no ip address
  interface GigabitEthernet0/3/6
   no ip address
  interface GigabitEthernet0/3/7
   no ip address
  interface Vlan1
   description $FW_INSIDE$
   ip address 192.168.1.1 255.255.255.0
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nbar protocol-discovery
   ip flow ingress
   ip nat inside
   ip virtual-reassembly in
   zone-member security in-zone
  interface Dialer0
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nbar protocol-discovery
   ip flow ingress
   ip nat outside
   ip virtual-reassembly in
   zone-member security out-zone
   encapsulation ppp
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname [email protected]
   ppp chap password 7 1444405858557A
   ppp pap sent-username [email protected] password 7 135645415F5D54
   ppp multilink
  interface Dialer1
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nbar protocol-discovery
   ip flow ingress
   ip nat outside
   ip virtual-reassembly in
   zone-member security out-zone
   encapsulation ppp
   dialer pool 2
   dialer-group 2
   ppp authentication chap pap callin
   ppp chap hostname [email protected]
   ppp chap password 7 01475E540E5D55
   ppp pap sent-username [email protected] password 7 055F5E5F741A1D
   ppp multilink
  router eigrp as#
  router eigrp 10
   network 192.168.1.1 0.0.0.0
  router rip
   version 2
   network 192.168.1.0
   no auto-summary
  ip forward-protocol nd
  ip http server
  ip http access-class 3
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
  ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
  ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
  ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
  ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
  ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
  ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
  ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
  ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
  ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
  ip nat inside source route-map ADSL0 interface Dialer0 overload
  ip nat inside source route-map ADSL1 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
  ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
  ip access-list extended NAT
   remark CCP_ACL Category=18
   permit ip 192.0.0.0 0.255.255.255 any
  ip access-list extended SDM_GRE
   remark CCP_ACL Category=1
   permit gre any any
   remark CCP_ACL Category=1
  ip access-list extended STATIC-NAT-SERVICES
   permit ip host 192.168.1.35 any
   permit ip host 192.168.1.5 any
   permit ip host 192.168.1.10 any
   permit ip host 192.168.1.17 any
  dialer-list 1 protocol ip permit
  dialer-list 2 protocol ip permit
  route-map ADSL0 permit 10
   match ip address NAT
   match interface Dialer0
  route-map ADSL1 permit 10
   match ip address NAT
   match interface Dialer1
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.1.0 0.0.0.255
  access-list 2 remark HTTP Access-class list
  access-list 2 remark CCP_ACL Category=1
  access-list 2 permit 192.168.1.0 0.0.0.255
  access-list 2 deny   any
  access-list 2 remark HTTP Access-class list
  access-list 2 remark CCP_ACL Category=1
  access-list 3 remark HTTP Access-class list
  access-list 3 remark CCP_ACL Category=1
  access-list 3 permit 192.168.1.0 0.0.0.255
  access-list 3 deny   any
  access-list 10 remark INSIDE_IF=NAT
  access-list 10 remark CCP_ACL Category=2
  access-list 10 permit 192.168.1.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=128
  access-list 100 permit ip host 255.255.255.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip 139.130.227.0 0.0.0.255 any
  access-list 100 permit ip 203.45.106.0 0.0.0.255 any
  access-list 101 remark CCP_ACL Category=0
  access-list 101 permit ip any host 192.168.1.10
  access-list 101 remark CCP_ACL Category=0
  access-list 101 permit ip any host 192.168.1.35
  access-list 101 permit tcp any any eq www
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip any host 192.168.1.35
  access-list 102 remark CCP_ACL Category=0
  access-list 102 permit ip any host 192.168.1.10
  access-list 103 remark CCP_ACL Category=0
  access-list 103 permit ip any host 192.168.1.5
  access-list 104 remark CCP_ACL Category=0
  access-list 104 permit ip any host 192.168.1.17
  control-plane
  banner login ^CCE-Rescue Systems^C
  line con 0
   login authentication local_authen
   transport output telnet
  line aux 0
   login authentication local_authen
   transport output telnet
  line 2
   no activation-character
   no exec
   transport preferred none
   transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
   stopbits 1
  line vty 0 4
   authorization exec local_author
   login authentication local_authen
   transport input telnet ssh
  line vty 5 15
   authorization exec local_author
   login authentication local_authen
   transport input telnet ssh
  scheduler allocate 20000 1000
  end
  Thanks
  Shawn

• Updating Marantz firmware via CISCO 1921 Router

  I have a CISCO 1921 Router running IOS Version 15.0(1r)M15.  There are two Marantz 7701 pre/pro processors on the LAN side of this router.  Marantz makes firmware updates available through the internet.  All other network services seem to run without any issues on the 7701 except firmware updates.  We can stream Pandora audio, various internet radio stations, and receive notification of firmware updates available just fine.  However, if we try to actually update the firmware, the Marantz 7701 connects to the update server, then hangs trying to do the update and has to time out before I can try to do the update again. There is something in the way that Marantz uploads the firmware update that is getting blocked by the CISCO 1921.
  If we put an HP ProCurve switch between the CISCO 1921 and the FIOS ONT and assign a routable IP address to the Marantz, the firmware update works just fine.  If we attach the Marantz to an Apple Airport Express that is NATted/routed to a COMCAST cable modem connection the firmware update works just fine.
   This is a long shot, but does anyone happen to  have a Marantz 7701 attached to a CISCO router that successfully allows the Marantz firmware updates on the LAN side?  If so, did you have to change any of the "default" IOS settings so the update takes place?
  I tried to get some info from Marantz on how they do the firmware update, but the folks that answer the phone didn't have access to any protocol or handshake information.
  Thanks for any insight or help on this.

  I have a CISCO 1921 Router running IOS Version 15.0(1r)M15.  There are two Marantz 7701 pre/pro processors on the LAN side of this router.  Marantz makes firmware updates available through the internet.  All other network services seem to run without any issues on the 7701 except firmware updates.  We can stream Pandora audio, various internet radio stations, and receive notification of firmware updates available just fine.  However, if we try to actually update the firmware, the Marantz 7701 connects to the update server, then hangs trying to do the update and has to time out before I can try to do the update again. There is something in the way that Marantz uploads the firmware update that is getting blocked by the CISCO 1921.
  If we put an HP ProCurve switch between the CISCO 1921 and the FIOS ONT and assign a routable IP address to the Marantz, the firmware update works just fine.  If we attach the Marantz to an Apple Airport Express that is NATted/routed to a COMCAST cable modem connection the firmware update works just fine.
   This is a long shot, but does anyone happen to  have a Marantz 7701 attached to a CISCO router that successfully allows the Marantz firmware updates on the LAN side?  If so, did you have to change any of the "default" IOS settings so the update takes place?
  I tried to get some info from Marantz on how they do the firmware update, but the folks that answer the phone didn't have access to any protocol or handshake information.
  Thanks for any insight or help on this.

• How to create anti-spoof rules with exception

  Hello all,
  I'm a beginner with Ironport and I need to create rules for specific cases.
  I manage many mail domains and I want to create an anti-spoof rule with message filter. Easy to do with a dictionnary containing all my mail domains.
  But I have some mail addresses with external applications that need to be send with my mail domains.
  For example, I receive acknowledge mails sent with [email protected] address and example.com is an domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external [email protected] mail will be dropped.
  For example I tried this rule with no success :
  Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)){
  drop();
  I tried this rule too :
  Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from !="^[email protected]$") OR (mail-from !="^[email protected]$") OR (mail-from !="@ack.mydomain.com$")){
  drop();
  Have you got any tips or advice to answer my funny case ?

  Hello,
  We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)
  Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
  insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
  The one drawback is that we need to maintain the Dictionary "dict_internaldomains". If we forget to add a new domain to this list it will never be detected as spam.
  A good new message filter functionality would be to be able to do a "mail-from-rat-match" which would allow you to use the RAT tables(s) as dictionary.
  We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D
  Good luck,
  Steven

• Cisco 1921/k9

  hi,
  i have cisco 1921/k9 and EHWIC-4EGS-P but PoE is is not coming up. i want to connect my APs to this.
  Please share how to enable PoE.

  You need to have the correct power supply on your 1921.  If you don't have the PoE power supply, your PoE ports will not come up.  See table 5 and then look at what power supply you have.
  http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data_sheet_c78-612808.html
  -Scott

• Cisco 1921 - Visio template needed

  Can anyone send me a template for a Cisco 1921 router?  (only the 1941 is on the Cisco download site).\
  Would prefer a 2-D version . . .
  You can email it direct to me [email protected]
  thks,    - Bill H

  Hello Bill,
  Please click here for Visio Stencils
  HTH
  Regards,
  Ashish Shirkar
  Technical Community Manager-NI

• Anti-spoofing rule

  I am trying to create a antispoofing rule using message filter feature.
  It is like
  if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }
  But the rough part is to be able to whitelist certain hosts, e.g., our partners.
  For example:
  AND ( header("Received") != "whitelist1|whitelist2...." )
  Is there a better way to do this? My concern is that this will get very long and error prone over time.
  Thanks,
  Jack

  What if you add all your partner ip addresses/domains to a sendergroup called 'partner_whitelist'.
  Next, you can modify your existing filter to bypass spoofing checks from partner domains:
  if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
  { apply anti-spoofing rules here; }

• Uplink between Stacked Dell 8132 and Cisco 1921 HSRP pair.

  Hello,
  I have three Dell 8132 switches stacked and we plan on connecting them to an HSRP pair of Cisco 1921 routers. What would be the best way to uplink these stacked switches to the 1921 pair? 
  I was thinking of creating vlan trunk from 2 of the 3 Dell switches, one trunk going to each router and enable HSRP on these trunks for the vlans I need to route. Would that be a good approach?
  Attached is a basic network of what it would look like. Please suggest if this is a good way to accomplish this or if there is a more better and efficient way to do it?
  Thanks

  Just to clarify I wasn't suggesting that you move all the routing to the Dell switches. If the routers are already doing some routing for you then you could simply connect the Dell switches with L3 uplinks.
  But yes if you feel more comfortable using Cisco then use the routers.
  I have never used an integrated switch module to be honest, I just used L3 switches and routers separately.
  I suspect it would work as long as there was a backplane connection between the switch module and the router itself so you could route directly from the switch module to the router.
  Can't say for sure whether there is or not as like I say I have never used them.
  Which to use really comes down to how much bandwidth you need between vlans which only you know really. If you think using one interface and splitting it up may cause problems then you could look at a switch module.
  Although it does seem a bit redundant purchasing a switch module when you have L3 switches already :-)
  But I do understand what you mean about being a Cisco shop.
  Jon

• Cisco 1921 no username password commad

  Hi,
  I  ahve countered an issue today. I was working on 1921 which is used as  test router in ISP. I have loaded a router with test config with  username & password in running config. After a while i have removed  the username & password with no username---password---- command,  then i logged out of router. But now its not allowing me to login as its  asking username & password while its not taking any  username/password not even cisco/cisco, admin/administrator.
  Is  this a behaviour of 1921 as i have not copied the runn to start but i  disconneced from secure putty session when router was in running config  mode. Kindly help.
  Regards,
  Vishal

  You have the router configured to use the local user database, but you have removed all the accounts. Doing that will not disable the configuration for using the local database. What you are experiencing is "normal". Menaing that the router is configured for authentication but there are no valid accounts. Like Reza stated, reboot the router and you'll get the startup config. If the config was saved, you'll have to do a password recovery on it.

• Cisco 1921/1841 as a terminal server

  Hi,
  we need a terminal server.
  I researched a little bit on cisco.com and found out that there are several options, and because of that I am not sure what to buy.
  I write down the routers, card models and cables and you guys try to explain what the differences are.
  - 1921 ISR2
  - HWIC-8A  8-Port Async HWIC     x2
  - CAB-OCTAL-ASYNC  8 Lead Octal Cable (68 pin to 8 Male RJ-45s)    x2
  - 1841 ISR
  - HWIC-8A  8-Port Async HWIC     x2
  - CAB-HD8-ASYNC   High Density 8-port EIA-232 Async Cable            x2      
  I found this card too:
  HWIC-8A/S-232    8-Port Async/Sync Serial HWIC, EIA-232  
  and this one costs double the price of the HWIC-8A  8-Port Async HWIC but I am not sure if this is for a terminal server.
  Is this option enough to manage 16 devices vie the console?
  - 1921 ISR2
  - HWIC-8A  8-Port Async HWIC     x2
  - CAB-OCTAL-ASYNC  8 Lead Octal Cable (68 pin to 8 Male RJ-45s)    x2

  Hi,
  This is my first post and I just stumbled upon your question.
  The CAB-OCTAL-ASYNC has a 60-pin connector that will not work with HWIC-8A or HWIC-16A. 
  The HWIC-8A is compatible with (amongst others) your 1841 ISR and 1921 ISR2.
  The CAB-HD8-ASYNC will work with HWIC-8A (and if you have them HWIC-16A). Each CAB-HD8-ASYNC can support up to 8 serial interfaces. So to answer your questioh about the a workable hardware list, one options is as follows:
  - 1921 ISR2
  - HWIC-8A  8-Port Async HWIC     x2
  - CAB-HD8-ASYNC    x2
  Hope this helps.