Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

Similar Messages

• Cisco Ironport S160 Port forwarding

  Hi,
  We've got a device within the network which needs to send data out to a website on port 5009. We've setup the following to allow the traffic
  - Identity with the interal IP as  member and bypass the proxy (the device can only be configured with the Proxy IP and port, no logins)
  - Added Port 5009 n HTTP Ports to Proxy
  - Added the destination IP n L4 Traffic allow list
  We are still not able to route the traffic.
  We then tried to get the traffic coming in the other way. We've asked the ISP to put in a port forwarding to forward traffic on Port 5019 to the device. This is also not working. We can get to the device on the internal Port without any issues. The question does the IronPort need to be configured to allow the traffic coming in? We dont have any other incoming port forwarded traffic.

  Hello,
  I will need a quick explanation on how your environment is laid out for your Web Content Appliance.
  1. Is your proxy transparent or explicitly proxied? Do you have multiple proxies that you are load balancing?
  2. If it is explicit, do you use a PAC file or is the proxy configured in the network configuration?
  3. If it is transparent, what do you use to redirect traffic? Is it wccp or L4 redirection? What kind of device are you using to redirect traffic? ASA, Catalyst, Nexus, something else?
  4. Is there any third party devices being used between the proxy and the clients or between the proxy and the outside world?
  5. What are your authentication requirements? How are you authenticating them (NTLMSSP, TUI, or Basic)?
  Thank you for answering these questions.
  Christian Rahl
  Customer Support Engineer
  Cisco Web Content Security Appliance
  Cisco Technical Assistance Center RTP

• Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

  I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
  I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
  I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
  Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
  With the port forwarding in place, I tested VPN externally but it didn't connect.
  I've done the following so far to no avail:
  Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
  There are no other pre-existing L2RP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
  There was an L2TP port triggering rule enabled, that I toggled on and off with no change
  Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
  Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced its an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
  My router details:
  Verizon Actiontec
  MI424WR-GEN2
  Revision E
  Firmware 20.21.0.2
  Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.
  Solved!
  Go to Solution.

  normally a vpn on that router, will have a GRE tunneling protocol as well.
  two ways to build the PF rules,
  Manually
  Preconfigured
  I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.

• Port forwarding for clientless SSL VPN access

  Hello,
  I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
  However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
  But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
  Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
  If this doesn't make sense, please let me know and I'll do my best to explain it better.

  Hi Caleb,
  if you mean clientless webvpn port-forwarding lists, then you should be able to get your requirments. even the same port of the same server can be mapped to different ports bound to the loopback IP.
  CLI:
  ciscoasa(config) webvpn
  ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
  ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
  then you apply the port-forwarder list under a group-policy
  Hope this helps
  Mashal
  Mashal Alshboul

• Port forwarding not working for VPN

  Hi there,
  I am at a loss as to what I am doing wrong with regards to setting up a VPN. I admit this is all completely new territory for me, and I am learning as I go along, so may have overlooked something very obvious.
  I have openned up the VPN ports on the router (500, 1701, 4500 - UDP; 1723 - TCP), and can confirm from the logs that they are letting traffic in ok.
  So that leaves the server itself - testing using an open port checking tool confirms all ports I have open in the router firewall, and active and accessible on the server, except the VPN ports and service, are indeed open and accessible.
  The VPN service is running, and I have ensured the services are available within the firewall service for 'all', and all services available for the 192.168.1.xxx range.
  I have indicated that the VPN should use the range - 10.0.0.1 to 200
  The DNS and DHCP services on the server are running. At the domain resgitsrar, I have indicated that the subdomain I am using to access the server and its services via the web should point to the static IP I have from the ISP.
  I should mention that if I use the local IP address of the server, I can connect ok, it is only when I use the static IP that I am unable to connect.
  Every other port opens up successfully - FTP (21), Web (80/443), etc - just not the ones for the VPN, so I assume there is some sort of conflict between or within the the VPN/DHCP/DNS services or with the VPN service itself.
  Any advice and potential solutions would be greatly appreciated, as I have spent quite a bit of time trying to figure this one out by myself.
  Thanks in advance, and I hope to hear from folk soon.
  Chris

  OK - here's how my router is configured:
  NAT (Type = Destination) Public IP address to VPN Server IP address (I had a problem when I didn't have the NAT Type set properly)
  I have a separate public IP address reserved for VPN traffic, but that's not necessary if you set up the order of the rules on your router properly. It's just easier to have a separate IP address.
  These are the ports I have open:
  UDP - 500
  UDP - 1701
  TCP - 1723
  TCP - 3283
  UDP - 3283
  UDP - 4500
  TCP - 5900
  TCP - 5988
  I have these ports open to accomodate remoting in via Apple Remote Desktop.
  However, since Mavericks, I can't use ARD anymore. But I can use Back to My Mac and Screen Sharing (go figure!) to get to my server and then from the server I can use ARD within the network.
  Don't know if that helps or not, but it works for me.

• Please Help - Only Some Port Forwards Working

  Hi all,
  I have the most annoying issue with a Cisco 887VA-K9 port forwarding. Some port work while other don’t and I just can’t see why, however I suspect it is a zone based firewall (ZBF) issue.
  Port forwards on the follow ports all work fine:
  External port 8021 to 192.168.4.253 on port 80 works
  External port 8022 to 192.168.4.253 on port 8022 works
  All the rest don’t. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit which is in the DMZ network 192.168.4..0
  Any help would be great appreciated as this sending me mad. Fully running config below.
  Louise ;-)
  Building configuration...
  Current configuration : 36870 bytes
  ! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin
  version 15.1
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname QQQ_ADSL_Gateway
  boot-start-marker
  boot-end-marker
  security authentication failure rate 3 log
  security passwords min-length 6
  logging buffered 64000
  enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
  aaa new-model
  aaa authentication login local_authen local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authorization exec local_author local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa session-id common
  memory-size iomem 10
  clock timezone Magadan 11 0
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-3471381936
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3471381936
  revocation-check none
  rsakeypair TP-self-signed-3471381936
  crypto pki trustpoint test_trustpoint_config_created_for_sdm
  subject-name [email protected]
  revocation-check crl
  crypto pki certificate chain TP-self-signed-3471381936
  certificate self-signed 01
    3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332
    34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133
    38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9
    7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07
    AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD
    6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79
    51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
    551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06
    03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609
    2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8
    9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290
    AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660
    644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A
    3D7107BA AA4E7273 1D43690E C4A5D4
                  quit
  crypto pki certificate chain test_trustpoint_config_created_for_sdm
  no ip source-route
  ip dhcp excluded-address 192.168.0.230 192.168.0.255
  ip dhcp excluded-address 192.168.0.1 192.168.0.200
  ip dhcp pool QQQ_LAN
  import all
  network 192.168.0.0 255.255.255.0
  default-router 192.168.0.254
  dns-server 192.168.0.6 202.1.161.36
  netbios-name-server 192.168.0.6
  domain-name QQQ.Local
  lease 3
  ip cef
  no ip bootp server
  ip domain name QQQ.Local
  ip name-server 192.168.0.6
  ip name-server 202.1.161.37
  ip name-server 202.1.161.36
  ip inspect log drop-pkt
  no ipv6 cef
  parameter-map type inspect global
  log dropped-packets enable
  parameter-map type protocol-info yahoo-servers
  server name scs.msg.yahoo.com
  server name scsa.msg.yahoo.com
  server name scsb.msg.yahoo.com
  server name scsc.msg.yahoo.com
  server name scsd.msg.yahoo.com
  server name cs16.msg.dcn.yahoo.com
  server name cs19.msg.dcn.yahoo.com
  server name cs42.msg.dcn.yahoo.com
  server name cs53.msg.dcn.yahoo.com
  server name cs54.msg.dcn.yahoo.com
  server name ads1.vip.scd.yahoo.com
  server name radio1.launch.vip.dal.yahoo.com
  server name in1.msg.vip.re2.yahoo.com
  server name data1.my.vip.sc5.yahoo.com
  server name address1.pim.vip.mud.yahoo.com
  server name edit.messenger.yahoo.com
  server name messenger.yahoo.com
  server name http.pager.yahoo.com
  server name privacy.yahoo.com
  server name csa.yahoo.com
  server name csb.yahoo.com
  server name csc.yahoo.com
  parameter-map type protocol-info aol-servers
  server name login.oscar.aol.com
  server name toc.oscar.aol.com
  server name oam-d09a.blue.aol.com
  parameter-map type protocol-info msn-servers
  server name messenger.hotmail.com
  server name gateway.messenger.hotmail.com
  server name webmessenger.msn.com
  password encryption aes
  license udi pid CISCO887VA-K9 sn FGL162321CT
  object-group service MAIL-PORTS
  description QQQ User Mail Restrictions
  tcp eq smtp
  tcp eq pop3
  tcp eq 995
  tcp eq 993
  udp lt rip
  udp lt domain
  tcp eq telnet
  udp lt ntp
  udp lt tftp
  tcp eq ftp
  tcp eq domain
  tcp eq 5900
  tcp eq ftp-data
  tcp eq 3389
  tcp eq 20410
  object-group network Network1
  description QQQ Management Network
  192.168.1.0 255.255.255.0
  192.168.4.0 255.255.255.0
  192.168.5.0 255.255.255.0
  192.168.7.0 255.255.255.0
  192.168.8.0 255.255.255.0
  range 192.168.0.200 192.168.0.254
  range 192.168.0.1 192.168.0.25
  object-group network Network2
  description QQQ User Network
  192.168.2.0 255.255.255.0
  192.168.3.0 255.255.255.0
  192.168.6.0 255.255.255.0
  range 192.168.0.26 192.168.0.199
  object-group network QQQ.Local
  description QQQ_Domain
  192.168.0.0 255.255.255.0
  192.168.1.0 255.255.255.0
  192.168.2.0 255.255.255.0
  192.168.3.0 255.255.255.0
  192.168.4.0 255.255.255.0
  192.168.5.0 255.255.255.0
  192.168.6.0 255.255.255.0
  192.168.8.0 255.255.255.0
  192.168.7.0 255.255.255.0
  192.168.10.0 255.255.255.0
  10.1.0.0 255.255.0.0
  object-group network QQQ_Management_Group
  description QQQ I.T. Devices With UnRestricted Access
  range 192.168.0.200 192.168.0.254
  range 192.168.0.1 192.168.0.25
  192.168.1.0 255.255.255.0
  192.168.8.0 255.255.255.0
  192.168.7.0 255.255.255.0
  192.168.5.0 255.255.255.0
  192.168.4.0 255.255.255.0
  10.1.0.0 255.255.0.0
  192.168.10.0 255.255.255.0
  10.8.0.0 255.255.255.0
  192.168.9.0 255.255.255.0
  192.168.100.0 255.255.255.0
  192.168.20.0 255.255.255.0
  192.168.21.0 255.255.255.0
  192.168.22.0 255.255.255.0
  192.168.23.0 255.255.255.0
  object-group network QQQ_User_Group
  description QQQ I.T. Devices WIth Restricted Access
  range 192.168.0.26 192.168.0.199
  192.168.2.0 255.255.255.0
  192.168.3.0 255.255.255.0
  192.168.6.0 255.255.255.0
  object-group service WEB
  description QQQ User Web Restrictions
  tcp eq www
  tcp eq 443
  tcp eq 8080
  tcp eq 1863
  tcp eq 5190
  username cpadmin privilege 15 password 7 1406031A2C172527
  username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU
  controller VDSL 0
  ip tcp synwait-time 10
  no ip ftp passive
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
  match access-group 118
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
  match access-group 121
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
  match access-group 120
  class-map type inspect imap match-any ccp-app-imap
  match  invalid-command
  class-map type inspect match-any ccp-cls-protocol-p2p
  match protocol edonkey signature
  match protocol gnutella signature
  match protocol kazaa2 signature
  match protocol fasttrack signature
  match protocol bittorrent signature
  class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
  match access-group 122
  class-map type inspect match-all SDM_GRE
  match access-group name SDM_GRE
  class-map type inspect match-any CCP_PPTP
  match class-map SDM_GRE
  class-map type inspect match-any SDM_AH
  match access-group name SDM_AH
  class-map type inspect match-any ccp-skinny-inspect
  match protocol skinny
  class-map type inspect match-any SDM_ESP
  match access-group name SDM_ESP
  class-map type inspect match-any SDM_VPN_TRAFFIC
  match protocol isakmp
  match protocol ipsec-msft
  match class-map SDM_AH
  match class-map SDM_ESP
  class-map type inspect match-all SDM_VPN_PT
  match access-group 117
  match class-map SDM_VPN_TRAFFIC
  class-map type inspect match-any ccp-cls-insp-traffic
  match protocol pptp
  match protocol dns
  match protocol ftp
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
  class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
  class-map type inspect match-any SDM_IP
  match access-group name SDM_IP
  class-map type inspect gnutella match-any ccp-app-gnutella
  match  file-transfer
  class-map type inspect match-any SDM_HTTP
  match access-group name SDM_HTTP
  class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
  match protocol isakmp
  match protocol ipsec-msft
  match class-map SDM_AH
  match class-map SDM_ESP
  class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
  match class-map SDM_EASY_VPN_SERVER_TRAFFIC
  class-map type inspect match-all sdm-cls-http
  match access-group name dmz-traffic
  match protocol http
  class-map type inspect match-any Telnet
  match protocol telnet
  class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
  match  service any
  class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
  match  service any
  class-map type inspect match-any ccp-h323nxg-inspect
  match protocol h323-nxg
  class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
  class-map type inspect match-any ccp-cls-protocol-im
  match protocol ymsgr yahoo-servers
  match protocol msnmsgr msn-servers
  match protocol aol aol-servers
  class-map type inspect aol match-any ccp-app-aol-otherservices
  match  service any
  class-map type inspect match-all ccp-protocol-pop3
  match protocol pop3
  class-map type inspect match-any ccp-h225ras-inspect
  match protocol h225ras
  class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
  match access-group name FIREWALL_EXCEPTIONS_ACL
  class-map type inspect match-any ccp-h323annexe-inspect
  match protocol h323-annexe
  class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
  match access-group 102
  match access-group 103
  match access-group 104
  match access-group 105
  match access-group 106
  match access-group 107
  match access-group 108
  match access-group 109
  match access-group 110
  match access-group 111
  match access-group 112
  match access-group 113
  match access-group 114
  match access-group 115
  class-map type inspect match-any SIP
  match protocol sip
  class-map type inspect pop3 match-any ccp-app-pop3
  class-map type inspect match-any SDM_HTTPS
  match access-group name SDM_HTTPS
  class-map type inspect sip match-any ccp-cls-sip-pv-2
  match  protocol-violation
  class-map type inspect kazaa2 match-any ccp-app-kazaa2
  match  file-transfer
  class-map type inspect match-all ccp-protocol-p2p
  match class-map ccp-cls-protocol-p2p
  class-map type inspect match-all ccp-cls-ccp-permit-1
  match access-group name ETS1
  class-map type inspect match-any ccp-h323-inspect
  match protocol h323
  class-map type inspect msnmsgr match-any ccp-app-msn
  match  service text-chat
  class-map type inspect ymsgr match-any ccp-app-yahoo
  match  service text-chat
  class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
  match access-group name ETS
  class-map type inspect match-all ccp-protocol-im
  match class-map ccp-cls-protocol-im
  class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
  match class-map Telnet
  match access-group name Telnet
  class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
  class-map type inspect match-all ccp-invalid-src
  match access-group 100
  class-map type inspect http match-any ccp-app-httpmethods
  match  request method bcopy
  match  request method bdelete
  match  request method bmove
  match  request method bpropfind
  match  request method bproppatch
  match  request method connect
  match  request method copy
  match  request method delete
  match  request method edit
  match  request method getattribute
  match  request method getattributenames
  match  request method getproperties
  match  request method index
  match  request method lock
  match  request method mkcol
  match  request method mkdir
  match  request method move
  match  request method notify
  match  request method options
  match  request method poll
  match  request method propfind
  match  request method proppatch
  match  request method put
  match  request method revadd
  match  request method revlabel
  match  request method revlog
  match  request method revnum
  match  request method save
  match  request method search
  match  request method setattribute
  match  request method startrev
  match  request method stoprev
  match  request method subscribe
  match  request method trace
  match  request method unedit
  match  request method unlock
  match  request method unsubscribe
  class-map type inspect match-any ccp-dmz-protocols
  match user-group qqq
  match protocol icmp
  match protocol http
  class-map type inspect edonkey match-any ccp-app-edonkey
  match  file-transfer
  match  text-chat
  match  search-file-name
  class-map type inspect match-any ccp-sip-inspect
  match protocol sip
  class-map type inspect match-all sdm-cls-sip
  match access-group name dmz-traffic
  match protocol sip
  class-map type inspect match-all ccp-dmz-traffic
  match access-group name dmz-traffic
  match class-map ccp-dmz-protocols
  class-map type inspect http match-any ccp-http-blockparam
  match  request port-misuse im
  match  request port-misuse p2p
  class-map type inspect edonkey match-any ccp-app-edonkeydownload
  match  file-transfer
  class-map type inspect match-all ccp-protocol-imap
  match protocol imap
  class-map type inspect aol match-any ccp-app-aol
  match  service text-chat
  class-map type inspect edonkey match-any ccp-app-edonkeychat
  match  search-file-name
  match  text-chat
  class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
  match class-map SIP
  match access-group name SIP
  class-map type inspect fasttrack match-any ccp-app-fasttrack
  match  file-transfer
  class-map type inspect http match-any ccp-http-allowparam
  match  request port-misuse tunneling
  class-map type inspect match-all ccp-protocol-http
  match protocol http
  policy-map type inspect ccp-permit-icmpreply
  class type inspect ccp-icmp-access
    inspect
  class class-default
    pass
  policy-map type inspect p2p ccp-action-app-p2p
  class type inspect edonkey ccp-app-edonkeychat
    log
    allow
  class type inspect edonkey ccp-app-edonkeydownload
    log
    allow
  class type inspect fasttrack ccp-app-fasttrack
    log
    allow
  class type inspect gnutella ccp-app-gnutella
    log
    allow
  class type inspect kazaa2 ccp-app-kazaa2
    log
    allow
  policy-map type inspect PF_OUT_TO_IN
  class type inspect FIREWALL_EXCEPTIONS_CLASS
    pass
  policy-map type inspect PF_IN_TO_OUT
  class type inspect FIREWALL_EXCEPTIONS_CLASS
    pass
  policy-map type inspect im ccp-action-app-im
  class type inspect aol ccp-app-aol
    log
    allow
  class type inspect msnmsgr ccp-app-msn
    log
    allow
  class type inspect ymsgr ccp-app-yahoo
    log
    allow
  class type inspect aol ccp-app-aol-otherservices
    log
    reset
  class type inspect msnmsgr ccp-app-msn-otherservices
    log
    reset
  class type inspect ymsgr ccp-app-yahoo-otherservices
    log
    reset
  policy-map type inspect http ccp-action-app-http
  class type inspect http ccp-http-blockparam
    log
    reset
  class type inspect http ccp-app-httpmethods
    log
    reset
  class type inspect http ccp-http-allowparam
    log
    allow
  policy-map type inspect imap ccp-action-imap
  class type inspect imap ccp-app-imap
    log
  policy-map type inspect pop3 ccp-action-pop3
  class type inspect pop3 ccp-app-pop3
    log
  policy-map type inspect ccp-inspect
  class type inspect ccp-protocol-http
    inspect
    service-policy http ccp-action-app-http
  class type inspect ccp-protocol-imap
    inspect
    service-policy imap ccp-action-imap
  class type inspect ccp-protocol-pop3
    inspect
    service-policy pop3 ccp-action-pop3
  class type inspect ccp-protocol-p2p
    inspect
    service-policy p2p ccp-action-app-p2p
  class type inspect ccp-protocol-im
    inspect
    service-policy im ccp-action-app-im
  class type inspect ccp-insp-traffic
    inspect
  class type inspect ccp-sip-inspect
    inspect
  class type inspect ccp-h323-inspect
    inspect
  class type inspect ccp-h323annexe-inspect
    inspect
  class type inspect ccp-h225ras-inspect
    inspect
  class type inspect ccp-h323nxg-inspect
    inspect
  class type inspect ccp-skinny-inspect
    inspect
  class type inspect ccp-invalid-src
    drop log
  class class-default
    drop
  policy-map type inspect ccp-permit
  class type inspect SDM_VPN_PT
    pass
  class type inspect ccp-cls-ccp-permit-1
    pass
  class type inspect SDM_EASY_VPN_SERVER_PT
    pass
  class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
    inspect
  class class-default
    drop
  policy-map type inspect sip ccp-app-sip-2
  class type inspect sip ccp-cls-sip-pv-2
    allow
  policy-map type inspect ccp-permit-dmzservice
  class type inspect ccp-cls-ccp-permit-dmzservice-1
    pass
  class type inspect ccp-dmz-traffic
    inspect
  class type inspect sdm-cls-http
    inspect
    service-policy http ccp-action-app-http
  class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-3
    pass
  class class-default
    pass
  policy-map type inspect ccp-pol-outToIn
  class type inspect ccp-cls-ccp-pol-outToIn-1
    pass
  class type inspect ccp-cls-ccp-pol-outToIn-2
    pass
  class type inspect CCP_PPTP
    pass
  class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-3
    pass
  class type inspect sdm-cls-VPNOutsideToInside-4
    inspect
  class class-default
    drop log
  policy-map type inspect sdm-permit-ip
  class type inspect SDM_IP
    pass
  class type inspect sdm-cls-VPNOutsideToInside-2
    inspect
  class type inspect sdm-cls-VPNOutsideToInside-3
    pass
  class type inspect sdm-cls-VPNOutsideToInside-4
    inspect
  class class-default
    drop log
  zone security dmz-zone
  zone security in-zone
  zone security out-zone
  zone security ezvpn-zone
  zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
  service-policy type inspect ccp-permit-dmzservice
  zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
  zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
  zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
  service-policy type inspect ccp-pol-outToIn
  zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
  service-policy type inspect ccp-permit-dmzservice
  zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
  zone-pair security dmz-to-in source dmz-zone destination in-zone
  service-policy type inspect ccp-permit-icmpreply
  zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
  crypto ctcp port 10000 1723 6299
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 2
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219
  crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0
  crypto isakmp client configuration group QQQ
  key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB
  dns 192.168.0.6 202.1.161.36
  wins 192.168.0.6
  domain QQQ.Local
  pool SDM_POOL_1
  include-local-lan
  max-users 20
  max-logins 1
  netmask 255.255.255.0
  banner ^CCWelcome to QQQ VPN!!!!1                 ^C
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group QQQ
     client authentication list ciscocp_vpn_xauth_ml_1
     isakmp authorization list ciscocp_vpn_group_ml_1
     client configuration address initiate
     client configuration address respond
     keepalive 10 retry 2
     virtual-template 1
  crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set security-association idle-time 43200
  set transform-set ESP_AES_SHA
  set isakmp-profile ciscocp-ike-profile-1
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to220.245.109.219
  set peer 220.245.109.219
  set transform-set ESP-3DES-SHA
  match address 119
  interface Loopback0
  description QQQ_VPN
  ip address 192.168.9.254 255.255.255.0
  interface Null0
  no ip unreachables
  interface Ethernet0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  shutdown
  no fair-queue
  interface ATM0
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  description Telekom_ADSL
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  zone-member security out-zone
  pvc 8/35
    pppoe-client dial-pool-number 1
  interface FastEthernet0
  description QQQ_LAN-VLAN_1
  switchport access vlan 1
  no ip address
  interface FastEthernet1
  description QQQ_LAN-VLAN_1
  no ip address
  interface FastEthernet2
  description QQQ_WAN-VLAN_2
  switchport access vlan 2
  no ip address
  interface FastEthernet3
  description QQQ_DMZ-IP_PBX-VLAN_3
  switchport access vlan 3
  no ip address
  interface Virtual-Template1 type tunnel
  description QQQ_Easy_VPN
  ip unnumbered Loopback0
  ip nat inside
  ip virtual-reassembly in
  zone-member security ezvpn-zone
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  description QQQ_LAN-VLAN1$FW_INSIDE$
  ip address 192.168.0.254 255.255.255.0
  ip access-group QQQ_ACL in
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1412
  interface Vlan2
  description QQQ_WAN-VLAN2$FW_INSIDE$
  ip address 192.168.5.254 255.255.255.0
  ip access-group QQQ_ACL in
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1412
  interface Vlan3
  description QQQ_IP-PBX_WAN-VLAN3
  ip address 192.168.4.254 255.255.255.0
  ip mask-reply
  ip nat inside
  ip virtual-reassembly in
  zone-member security dmz-zone
  interface Vlan4
  description VLAN4 - 192.168.20.xxx (Spare)
  ip address 192.168.20.253 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  interface Dialer0
  description ATM Dialer
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  zone-member security out-zone
  no cdp enable
  interface Dialer2
  description $FW_OUTSIDE$
  ip address negotiated
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip mtu 1452
  ip nbar protocol-discovery
  ip flow ingress
  ip flow egress
  ip nat outside
  ip virtual-reassembly in
  zone-member security out-zone
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname xxxxxxxxxxxxxxxxxxx
  ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
  ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx
  no cdp enable
  crypto map SDM_CMAP_1
  router rip
  version 2
  redistribute static
  passive-interface ATM0
  passive-interface ATM0.1
  passive-interface Dialer0
  passive-interface Dialer2
  passive-interface Ethernet0
  passive-interface Loopback0
  network 10.0.0.0
  network 192.168.0.0
  network 192.168.1.0
  network 192.168.2.0
  network 192.168.3.0
  network 192.168.4.0
  network 192.168.5.0
  network 192.168.6.0
  network 192.168.7.0
  network 192.168.8.0
  network 192.168.10.0
  network 192.168.100.0
  ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200
  ip forward-protocol nd
  ip http server
  ip http access-class 5
  ip http authentication local
  ip http secure-server
  ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0
  ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060
  ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208
  ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209
  ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200
  ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218
  ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219
  ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210
  ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278
  ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279
  ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270
  ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288
  ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289
  ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280
  ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723
  ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389
  ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390
  ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022
  ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021
  ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023
  ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443
  ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
  ip default-network 192.168.0.0
  ip default-network 192.168.4.0
  ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
  ip route 10.1.0.0 255.255.0.0 Vlan2 permanent
  ip route 10.8.0.0 255.255.255.0 Vlan2 permanent
  ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
  ip route 192.168.4.0 255.255.255.0 Vlan3 permanent
  ip route 192.168.5.0 255.255.255.0 Vlan2 permanent
  ip route 192.168.100.0 255.255.255.0 Dialer2 permanent
  ip access-list extended ACCESS_FROM_INSIDE
  permit ip object-group QQQ_Management_Group any
  permit tcp object-group QQQ_User_Group any eq smtp pop3
  permit tcp object-group QQQ_User_Group any eq 993 995
  permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3
  permit tcp 192.168.0.0 0.0.0.255 any eq 993 995
  permit ip 192.168.1.0 0.0.0.255 any
  permit ip 192.168.4.0 0.0.0.255 any
  permit ip 192.168.5.0 0.0.0.255 any
  permit ip 192.168.7.0 0.0.0.255 any
  permit ip 192.168.8.0 0.0.0.255 any
  permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain
  permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
  permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
  permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
  permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control
  permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control
  permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control
  ip access-list extended ETS
  remark CCP_ACL Category=128
  permit ip host 203.219.237.252 any
  ip access-list extended ETS1
  remark CCP_ACL Category=128
  permit ip host 203.219.237.252 any
  ip access-list extended FIREWALL_EXCEPTIONS_ACL
  permit tcp any host 192.168.0.100 eq 25565
  permit tcp any eq 25565 host 192.168.0.100
  ip access-list extended QQQ_ACL
  permit ip any host 192.168.4.253
  permit udp any any eq bootps bootpc
  permit ip any 192.168.4.0 0.0.0.255
  permit ip host 203.219.237.252 any
  remark QQQ Internet Control List
  remark CCP_ACL Category=17
  remark Auto generated by CCP for NTP (123) 203.12.160.2
  permit udp host 203.12.160.2 eq ntp any eq ntp
  remark AD Services
  permit udp host 192.168.0.6 eq domain any
  remark Unrestricted Access
  permit ip object-group QQQ_Management_Group any
  remark Restricted Users
  permit object-group MAIL-PORTS object-group QQQ_User_Group any
  permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control
  permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control
  permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control
  permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control
  remark ICMP Full Access
  permit icmp object-group QQQ_User_Group any
  permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
  ip access-list extended QQQ_NAT
  remark CCP_ACL Category=18
  remark IPSec Rule
  deny   ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
  permit ip any any
  ip access-list extended SDM_AH
  remark CCP_ACL Category=1
  permit ahp any any
  ip access-list extended SDM_ESP
  remark CCP_ACL Category=1
  permit esp any any
  ip access-list extended SDM_GRE
  remark CCP_ACL Category=1
  permit gre any any
  ip access-list extended SDM_HTTP
  remark CCP_ACL Category=0
  permit tcp any any eq telnet
  ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=0
  permit tcp any any eq 443
  ip access-list extended SDM_IP
  remark CCP_ACL Category=1
  permit ip any any
  ip access-list extended SIP
  remark CCP_ACL Category=128
  permit ip any 192.168.4.0 0.0.0.255
  ip access-list extended Telnet
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended dmz-traffic
  remark CCP_ACL Category=1
  permit ip any 192.168.4.0 0.0.0.255
  access-list 1 remark CCP_ACL Category=2
  access-list 1 remark QQQ_DMZ
  access-list 1 permit 192.168.4.0 0.0.0.255
  access-list 2 remark CCP_ACL Category=2
  access-list 2 remark QQQ_LAN
  access-list 2 permit 192.168.0.0 0.0.0.255
  access-list 3 remark QQQ Insid NAT
  access-list 3 remark CCP_ACL Category=2
  access-list 3 permit 192.168.0.0 0.0.0.255
  access-list 3 permit 192.168.1.0 0.0.0.255
  access-list 3 permit 192.168.2.0 0.0.0.255
  access-list 3 permit 192.168.3.0 0.0.0.255
  access-list 3 permit 192.168.4.0 0.0.0.255
  access-list 3 permit 192.168.5.0 0.0.0.255
  access-list 3 permit 192.168.6.0 0.0.0.255
  access-list 3 permit 192.168.7.0 0.0.0.255
  access-list 3 permit 192.168.8.0 0.0.0.255
  access-list 3 permit 192.168.9.0 0.0.0.255
  access-list 3 permit 192.168.10.0 0.0.0.255
  access-list 4 remark QQQ_NAT
  access-list 4 remark CCP_ACL Category=2
  access-list 4 permit 10.1.0.0 0.0.255.255
  access-list 4 permit 10.8.0.0 0.0.0.255
  access-list 4 permit 192.168.0.0 0.0.0.255
  access-list 4 permit 192.168.1.0 0.0.0.255
  access-list 4 permit 192.168.2.0 0.0.0.255
  access-list 4 permit 192.168.3.0 0.0.0.255
  access-list 4 permit 192.168.4.0 0.0.0.255
  access-list 4 permit 192.168.5.0 0.0.0.255
  access-list 4 permit 192.168.6.0 0.0.0.255
  access-list 4 permit 192.168.7.0 0.0.0.255
  access-list 4 permit 192.168.8.0 0.0.0.255
  access-list 4 permit 192.168.9.0 0.0.0.255
  access-list 4 permit 192.168.10.0 0.0.0.255
  access-list 5 remark HTTP Access-class list
  access-list 5 remark CCP_ACL Category=1
  access-list 5 permit 192.168.4.0 0.0.0.255
  access-list 5 permit 192.168.0.0 0.0.0.255
  access-list 5 deny   any
  access-list 100 remark CCP_ACL Category=128
  access-list 100 permit ip 192.168.4.0 0.0.0.255 any
  access-list 100 permit ip 127.0.0.0 0.255.255.255 any
  access-list 100 permit ip host 255.255.255.255 any
  access-list 101 remark QQQ_Extended_ACL
  access-list 101 remark CCP_ACL Category=1
  access-list 101 permit tcp any host 192.168.0.254 eq 10000
  access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp
  access-list 101 permit udp any host 192.168.0.254 eq isakmp
  access-list 101 permit esp any host 192.168.0.254
  access-list 101 permit ahp any host 192.168.0.254
  access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
  access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
  access-list 101 permit udp host 192.168.0.6 eq domain any
  access-list 101 remark NTP (123) 203.12.160.2
  access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
  access-list 101 remark QQQ_ANY_Any
  access-list 101 permit ip object-group QQQ.Local any
  access-list 101 remark QQQ_DMZ
  access-list 101 permit ip any 192.168.4.0 0.0.0.255
  access-list 101 remark QQQ_GRE
  access-list 101 permit gre any any
  access-list 101 remark QQQ_Ping
  access-list 101 permit icmp any any
  access-list 102 remark CCP_ACL Category=1
  access-list 102 permit tcp any any eq 10000
  access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
  access-list 103 remark CCP_ACL Category=1
  access-list 103 permit tcp any any eq 10000
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
  access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
  access-list 103 permit tcp any eq telnet host 192.168.0.254
  access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
  access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
  access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
  access-list 104 remark CCP_ACL Category=1
  access-list 104 permit tcp any any eq 10000
  access-list 105 remark CCP_ACL Category=1
  access-list 105 permit tcp any any eq 10000
  access-list 106 remark CCP_ACL Category=1
  access-list 106 permit tcp any any eq 10000
  access-list 107 remark CCP_ACL Category=1
  access-list 107 permit tcp any any eq 10000
  access-list 108 remark CCP_ACL Category=1
  access-list 108 permit tcp any any eq 10000
  access-list 109 remark CCP_ACL Category=1
  access-list 109 permit tcp any any eq 10000
  access-list 110 remark CCP_ACL Category=1
  access-list 110 permit tcp any any eq 10000
  access-list 111 remark CCP_ACL Category=1
  access-list 111 permit tcp any any eq 10000
  access-list 112 remark CCP_ACL Category=1
  access-list 112 permit tcp any any eq 10000
  access-list 113 remark CCP_ACL Category=1
  access-list 113 permit tcp any any eq 10000
  access-list 114 remark CCP_ACL Category=1
  access-list 114 permit tcp any any eq 10000
  access-list 115 remark CCP_ACL Category=1
  access-list 115 permit tcp any any eq 10000
  access-list 116 remark CCP_ACL Category=4
  access-list 116 remark IPSec Rule
  access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
  access-list 117 remark CCP_ACL Category=128
  access-list 117 permit ip any any
  access-list 117 permit ip host 220.245.109.219 any
  access-list 118 remark CCP_ACL Category=0
  access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
  access-list 119 remark CCP_ACL Category=4
  access-list 119 remark IPSec Rule
  access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
  access-list 120 remark CCP_ACL Category=0
  access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
  access-list 121 remark CCP_ACL Category=0
  access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
  access-list 122 remark CCP_ACL Category=0
  access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
  dialer-list 1 protocol ip permit
  route-map SDM_RMAP_1 permit 1
  match ip address QQQ_NAT
  banner login ^CCWelcome to QQQ ADSL Gateway

  It turns out the problem had nothing to do with wires or splitters.  The Verizon tech was at my house yesterday and the ONT was failing.  He replaced part of the ONT and it fixed the problem (finally!).  At least I was able to watch the Celtics game last night.
  I have a Tellabs ONT.  Not sure the model but it's older like the ones in this thread.
  http://www.dslreports.com/forum/r19982000-Mounting-board-for-612-ONT

• ASA 5520 site-to-site VPN question

  Hello,
  We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
  The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
  After doing some research, I came across the this command;
  sysopt connection permit-vpn
  I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
  Thanks,
  John

  What are your configs and network diagrams at each location?  What are you doing for DNS?  I can help quicker with that info.  Also, here are some basic site to site VPN examples if it helps.
  hostname cisco
  domain-name cisco.com
  enable password XXXXXXXX encrypted
  passwd XXXXXXXXXXX encrypted
  names
  dns-guard
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address XXX.XXX.XXX.XXX 255.255.255.248
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.0.0.2 255.255.255.0
  interface Ethernet0/2
  nameif backup
  security-level 0
  no ip address
  interface Ethernet0/3
  nameif outsidetwo
  security-level 0
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  dns server-group DefaultDNS
  domain-name cisco.com
  same-security-traffic permit intra-interface
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
  access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
  access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
  access-list split standard permit 10.0.0.0 255.255.255.0
  access-list split standard permit 10.90.238.0 255.255.255.0
  pager lines 24
  logging enable
  logging buffer-size 1048576
  logging buffered errors
  logging trap notifications
  logging asdm informational
  logging class vpn buffered debugging
  mtu outside 1500
  mtu inside 1500
  mtu backup 1500
  mtu outsidetwo 1500
  mtu management 1500
  ip local pool vpnpool 10.0.10.100-10.0.10.200
  ip audit name Inbound-Attack attack action alarm drop
  ip audit name Inbound-Info info action alarm
  ip audit interface outside Inbound-Info
  ip audit interface outside Inbound-Attack
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inbound in interface outside
  route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 192.168.1.0 255.255.255.0 management
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set myset esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map dynmap 10 set transform-set myset
  crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
  crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address XXX
  crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 1 set transform-set myset
  crypto map outside_map 1 set security-association lifetime seconds 28800
  crypto map outside_map 1 set security-association lifetime kilobytes 4608000
  crypto map outside_map 2 match address XXX2
  crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 2 set transform-set myset
  crypto map outside_map 2 set security-association lifetime seconds 28800
  crypto map outside_map 2 set security-association lifetime kilobytes 4608000
  crypto map outside_map 3 match address XXX3
  crypto map outside_map 3 set pfs
  crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
  crypto map outside_map 3 set transform-set myset
  crypto map outside_map 3 set security-association lifetime seconds 28800
  crypto map outside_map 3 set security-association lifetime kilobytes 4608000
  crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
  crypto map outside_map interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 60
  console timeout 0
  management-access inside
  dhcpd address 192.168.1.2-192.168.1.254 management
  dhcpd enable management
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy XXXgroup internal
  group-policy XXXgroup attributes
  dns-server value XXX.XXX.XXX.XXX
  vpn-idle-timeout 30
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split
  default-domain value domain.local
  username XXX24 password XXXX encrypted privilege 15
  username admin password XXXX encrypted
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXXgroup type remote-access
  tunnel-group XXXgroup general-attributes
  address-pool vpnpool
  default-group-policy rccgroup
  tunnel-group XXXgroup ipsec-attributes
  pre-shared-key XXXXXXXXXX
  isakmp ikev1-user-authentication none
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
  tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
  pre-shared-key XXXXXXXXXX
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns migrated_dns_map_1
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily

• Quantum Gateway Port Forwarding issues

  This post can be removed.... the port forwarding worked once I set it up under "Advanced Settings -> Network Settings ->Port Forwarding" instead of "Firewall -> Port Forwarding"
  Hello,
  I am having an issue setting up port forwarding.  I have made several attempts to make port forward TCP 8096, but it continues not to work.  I had it working with no problems at my with my old router before we moved so I know it's not an issue with my computer firewall or antivirus and MediaBrowser is working fine on the local network. Is anyone else experiencing Port Forwarding issues?  Also when will DMZ be enabled on this gateway?
  Any help would be apprciated. I'm trying to setup MediaBrowser so I can schedule recordings when i'm not at home.
  Thanks!
  Armyb77
  This post can be removed

  See kayster contribution here.
  SYNOLOGY DS214 - Remote access via BT Home Hub
  There are some useful help pages here, for BT Broadband customers only, on my personal website.
  BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

• RV110W port forwarding

  Hello,
  I have new RV110W with firmware 1.1.0.9, which is set to gateway operating mode and I have problem with port forwarding on LAN. I have web server in LAN with services on different ports and static public IP on WAN port and set port forwarding on RV110W firewall in port range forwarding. From Internet everything works fine, but when I try connect to server with public IP,that I have set on WAN port, from LAN, it´s not work. Please can you tell me whether it is a standard feature or I have some errors in configuration or it´s firmware bug? Thanks for your answers.

  Hi Petr
  this feature is called NAT Redirection (possibility to access local resource from local (same) network by external IP address) and is usually disabled by default for security reasons. You can find pretty good explanation here:
  http://www.dslreports.com/forum/remark,10449610
  Try to add new rule to router´s Firewall // Access Rules.
  Regards,
  Abudef

• Cisco ASA 5512, IP NVR port forwarding

  Hi,
  i have Cisco 5512 ASA with version 8.6(1)2. i have one IP NVR for ip cameras.
  please help me how to configure port forwarding in cisco asa in CLI?
  I have static IP on ASA 94.56.178. 222 and NVR IP 10.192.192.100
  thank you so much.

  ASA#
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   94.56.178.222   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
          hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=OUTSIDE, output_ifc=any
  Result:
  input-interface: OUTSIDE
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  please advise 

• Port Forwarding for Cisco ASA 5505 VPN

  This is the Network
  Linksys E2500 ---> Cisco ASA 5505 ---> Server
  I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
  Thank You

  For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
  Command to enable NAT-T on ASA:
  crypto isakmp nat-traversal 30

• Port Forwarding Cisco firewall

  Hi,
  In Cisco Firewall 2900 seires
  trying to use port forwarding
  but not communication please help me.
  Reg
  Manoj.

  : Saved
  : Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
  name 10.10.70.X.40 FinalPdf
  name 201.256.x.x Youfinalip
  interface Ethernet0/0
  nameif YOUB
  security-level 0
  ip address 201.256.x.x.254.82 255.255.255.248
  interface Ethernet0/2
  nameif inside
  security-level 100
  ip address 10.10.70.X.1 255.255.255.0
  interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
  ftp mode passive
  object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
  object-group service ftp tcp
  port-object eq ftp
  port-object eq ftp-data
  port-object eq 14147
  object-group service any tcp-udp
  port-object range 1 65535
  object-group service DM_INLINE_TCP_1 tcp
  group-object ftp
  port-object eq ftp-data
  access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
  access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
  access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
  access-list inside_access_in extended deny object-group TCPUDP any any eq domain
  access-list inside_access_in extended permit ip any any
  access-list YOUB_mpc extended permit ip any any
  access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
  access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
  pager lines 24
  logging enable
  logging emblem
  logging asdm-buffer-size 512
  logging buffered debugging
  logging trap debugging
  logging history debugging
  logging asdm debugging
  logging device-id hostname
  logging debug-trace
  logging ftp-bufferwrap
  logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
  logging class auth trap emergencies asdm emergencies
  mtu YOUB 1500
  mtu SIFY 1500
  mtu inside 1500
  mtu WAN 1500
  mtu management 1500
  ip verify reverse-path interface YOUB
  ip verify reverse-path interface inside
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-645.bin
  asdm location Testpdf 255.255.255.255 inside
  asdm history enable
  arp timeout 14400
  global (YOUB) 1 interface
  global (SIFY) 1 interface
  nat (inside) 0 access-list EXEMPT
  nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
  static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
  access-group YOUB_access_in in interface YOUB
  access-group inside_access_in in interface inside
  route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
  route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
  route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
  route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication http console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 management
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 100
  type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
  num-packets 3
  frequency 10
  sla monitor schedule 100 life forever start-time now
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  track 1 rtr 100 reachability
  telnet timeout 5
  ssh scopy enable
  ssh 10.10.70.X.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted
  class-map YOUB-class
  match access-list YOUB_mpc
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  description ftp
  class inspection_default
    inspect dns preset_dns_map
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect ftp
  class class-default
    ips inline fail-open
  policy-map YOUB-policy
  class YOUB-class
    ips inline fail-open sensor vs0
  service-policy global_policy global
  service-policy YOUB-policy interface YOUB
  smtp-server 10.10.70.X.18
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
  : end

• ASA 5505 how to create a port forwarding rule

  ASA 5505 IOS ver 9.2.3
  I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
  I tried these commands but they didn't work:
  object network NAS
  host 192.168.2.8
  nat (inside,outside) static interface service tcp 21 1545
  access-list NASFTP-in permit tcp any object NAS eq 1545
  conf t
  int vlan 2
  access-group NASFTP-in permit tcp any object NAS eq 1545
  I really appreciate the help everyone.

  try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60  and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"
  object network obj-10.10.50.60-1
  host 10.10.50.60
  nat (inside,outside) static interface service tcp 80 80
  object network INSIDE
  nat (inside,outside) dynamic interface
  object network WWW-SERVER
  nat (inside,outside) static interface service tcp 80 80
  access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
  access-group Outside_access_in in interface Outside

• Help: Port forward in Cisco SOHO 97

  Hi there!
  I have a Cisco SOHO 97.
  The IP is: 10.0.0.1/24
  Gw: 0.0.0.0
  *Default route via DIALER1
  I also have a RV042 configured as VPN Server (PPTP and IPSec).
  The IP is: 10.0.0.2/24
  I need help to configure the router to I be able to connect to VPN server from OUTSIDE-WORLD.
  I imagine I need Port forwarding from Cisco SOHO to RV042.
  I hope for possibles answers!
  Thanks!

  Sorry i found the issue.
  The problem was that, i wanted to redirect port 443 (https) to an private address.
  But by default port 443 is reserved to access ASA via https for management.
  I just reserved another port 888 for https management access and now i can redirect port 443 normaly as i wanted.
  Using this command: http server enable 888
  Germain

• HELP!! Cisco RV180 Port Forwarding

  Someone please advise as to this is the first time I've tried to setup port forwarding using the Cisco RV180 Router. I have a Cisco RV180 Router, a Ruckus 7055 access point and a power distribution unit. I'd like to be able to access the router remotely and also the devices behind the router (the ruckus access point and the power distribution unit). I'm assuming that I'll need to assign the Cisco RV180 router a static IP address and I'm assuing that this static address should be assigned to the WAN port? I'd also like to configure port forwarding so that I can access the ruckus and the PDU remotely also. I've tried assigning a static IP address to the WAN port of the RV180 but I cannot ping this device remotely. Anyone have any advice on accessing the RV180 remotely? I've populated all of the correct fields for the WAN settings (ip, gateway, subnet, etc.) , and my static ip address is valid.Thank you in advance.

  Hello sirflex,
  As you have mentioned you need to configure a static nat for the devices which you have done when you configure a port forwarding.
  Have you configured access rules under firewall>access Rules. Add the access rules for the ping and the Http and Https services.
  Can you capture the packets at the WAN port while you are pinging the WAN port and the firmware version on the device.
  Which mode are you running the device gateway or router. You can check it under Netwroking>Routing>Routing Mode.
  Thanks,
  Prithvi
  Please mark answered and rate for helpful posts.