Cisco 5550 blocking inbound unsolicited echo-replies

I would like to block non-stateful unsolicited echo-replies from entering inbound to my Cisco 5550 firewall. I received the following advice to configure:
policy-map global_policy
class inspection_default
   inspect icmp
   inspect icmp error
My follow-on question is: if I add "inspect icmp", does this still permit stateful ICMP echo request/echo replies while blocking non-stateful echo-replies from the outside?
Also, what does configuring "inspect icmp error" do?
Thanks in advance

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1735986
https://supportforums.cisco.com/thread/2069501
Michael
Please rate all helpful posts

Similar Messages

  • Block Inbound Calls

    Most of us are probably aware of the limited ability, via H323 gateways and translation rules, to block inbound calls from the PSTN.
    Two questions:
    1.) Is there another method I may not be aware of?
    2.) I was reading about External Call Control Profiles this morning and it seems like a logical fit.  Anyone experimented with this?
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/8_0_1/ccmfeat/fsextcallctrl.html

    Here is a great doc from CCO that outlines Voice Translation Profiles and has examples of
    various situations. Letting the GW handle it seems most straightforward to me if it's an H323 GW.
    Why make CUCM have to even deal with it?
    Has an example for blocking ext
    http://www.cisco.com/en/US/customer/tech/tk652/tk90/technologies_configuration_example09186a00803f818a.shtml
    HTH, if it does not answer what you're after, please give me some more details on what you want to accomplish and I will see if I can help
    George

  • How to access a domain server which is targeted by Group Policy set to block Inbound and Outbound connections

    Hi,
    I have a practice lab with two physical 2012 R2 servers, one of them is a Hyper-V host and one of its VMs is a domain controller. I was doing some exercises with firewall rule deployment through Group Policy, so I created an outbound rule to block port 80 which
    was targeted to Domain Computers. Now my other physical server has inbound and outbound connections set to block and the domain controller cannot be contacted to update policy (with the rule removed). At least that is my understanding. Maybe I messed up something
    with the profiles too, because port 80 would not have blocked all outbound traffic, or?
    I am new to IT so my understanding is still poor.
    Best
    Robert

    Hi Robert,
    If we block inbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
    If we block outbound connections, all connections that do not have firewall rules that explicitly allow the connection will be blocked.
    If we block outbound TCP port 80, it will mean all websites will be unreachable, for TCP port 80 is for HTTP.
    Regarding Windows firewall security settings, the following article can be referred to for more information.
    Windows Firewall with Advanced Security Properties Page
    http://technet.microsoft.com/en-us/library/cc753002.aspx
    Best regards,
    Frank Shen

  • Blocked inbound queue RETRY status

    Hi everybody
    Sometimes I get this alert in CCMS -> Transactional RFC and Queued RFC -> Inbound Queues -> Int. Server Outbound Messages (XBQ0*) -> Blocked queues:
       Blocked inbound queue XBQ0$PE_W.... status RETRY...........
    I cannot get at the issue because it happened when nobody was monitoring the XI system. I want to see what happened at that time but I do not know how to do it. When I look at the inbound queues in SMQ2, it is empty. Could somebody tell me how to get the issue into a trace or log file?
    The system works fine normally but this happens sometimes.
    Thanks in advance.

    Hi Gerardo Mondragon,
    This issue is not very strange: when some queue has a very heavy load, messages are queued for the time being, an exception is thrown and a CCMS alert is generated. After some time, when the queue gets processed, you will not find any error for those messages.
    If you find the RETRY status in SMQ2, right-click in the last column and execute the LUW;
    it will get processed and the queues will be fine.
    Then in RZ20 you can complete the alert.
    thanks
    Sandeep Shrama
    PS; if helpful reward points

  • Blocking Inbound Numbers

    What is the best way to block inbound numbers on CCM 4.1(3)SR1? For example, we have this one particular number that is probably a computer-generated number that keeps calling. When we pick up, no one is there.
    Where can this be filtered? Thanks!

    If your PSTN provider can block it there are some advantages. First, you don't have to do it; second, even though you can, it does tie up a channel coming into your gateway for the time it takes to reach CallManager and reject it. If it is a computer-generated call, it could be making several at a time and could result in a sort of DoS on the gateway. Other than that, you could route it to a non-existent phone or, I think, use a route filter. I would also set up reporting on it to verify the block is working.
    Terry

  • Blocking unsolicited echo-reply from the outside of firewall

    What is the easiest way to stop unsolicited ICMP echo-reply packets coming from the outside of a Cisco ASA 5500 firewall?

    Hi,
    The firewall should not allow any ICMP Echo replies through the firewall if it hasn't seen an Echo for that same reply.
    Instead of allowing inbound ICMP from the WAN with an ACL you should configure ICMP inspection.
    In a very default ASA configuration they would be added in the following way:
    policy-map global_policy
    class inspection_default
      inspect icmp
      inspect icmp error
    Hope this helps
    - Jouni
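    To make concrete what this reply and the question at the top of the page are describing, here is an added, simplified model of stateful ICMP inspection written for this page. It is not Cisco's code and does not reproduce ASA internals; the packet representation, the session key (inside host, outside host, identifier, sequence), the one-reply-per-request rule, the treatment of ICMP errors without "inspect icmp error", and the addresses (documentation ranges 192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24) are all the author's assumptions. In the model, "inspect icmp" means an outbound echo request opens a session and exactly one matching echo reply is let back in, while an echo reply with no session is dropped; "inspect icmp error" means an ICMP error (destination unreachable, time exceeded) from an intermediate hop is admitted only if the original packet quoted inside it belongs to an open session, which is what lets traceroute-style responses through.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ERROR_TYPES = {DEST_UNREACHABLE, TIME_EXCEEDED}


@dataclass(frozen=True)
class Icmp:
    """Minimal ICMP packet model (assumed layout for this example, not a wire format)."""
    src: str
    dst: str
    type: int
    ident: int = 0                  # echo identifier
    seq: int = 0                    # echo sequence number
    inner: Optional["Icmp"] = None  # original packet quoted inside an ICMP error


Key = Tuple[str, str, int, int]     # (inside host, outside host, ident, seq)


class IcmpInspector:
    """Toy stateful ICMP inspector: one session per echo request/reply pair."""

    def __init__(self, inspect_error: bool = False) -> None:
        self.inspect_error = inspect_error   # models 'inspect icmp error' being configured
        self.sessions: Set[Key] = set()      # open echo sessions (model of the ASA conn table)

    def outbound(self, pkt: Icmp) -> bool:
        """Inside -> outside. An echo request opens a session and is forwarded."""
        if pkt.type == ECHO_REQUEST:
            self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True
        return False  # the model only tracks echo in the outbound direction

    def inbound(self, pkt: Icmp) -> bool:
        """Outside -> inside. Return True if the packet is permitted through."""
        if pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.sessions:
                self.sessions.discard(key)  # exactly one reply per request, then the session closes
                return True
            return False  # unsolicited (or replayed) echo reply: dropped
        if pkt.type in ERROR_TYPES:
            # Assumption of this model: without 'inspect icmp error' the error message is not
            # matched to any session and is dropped; with it, the quoted original packet
            # must belong to an open session.
            if not self.inspect_error or pkt.inner is None:
                return False
            i = pkt.inner
            return (i.src, i.dst, i.ident, i.seq) in self.sessions
        return False


def run_demo(inspect_error: bool) -> List[Tuple[str, bool]]:
    """Replay a constructed packet trace; return (description, permitted) pairs in order."""
    inside, target, hop = "192.0.2.10", "203.0.113.9", "198.51.100.1"  # constructed addresses
    fw = IcmpInspector(inspect_error=inspect_error)
    req = Icmp(inside, target, ECHO_REQUEST, ident=0x1234, seq=1)
    rep = Icmp(target, inside, ECHO_REPLY, ident=0x1234, seq=1)
    ttl_exp = Icmp(hop, inside, TIME_EXCEEDED, inner=req)   # traceroute-style error quoting our request
    bogus = Icmp(hop, inside, TIME_EXCEEDED,
                 inner=Icmp(inside, target, ECHO_REQUEST, ident=0x9999, seq=7))  # quotes a request never sent
    return [
        ("unsolicited echo reply before any request", fw.inbound(rep)),
        ("echo request outbound", fw.outbound(req)),
        ("time exceeded from a hop, quoting our request", fw.inbound(ttl_exp)),
        ("time exceeded quoting a request we never sent", fw.inbound(bogus)),
        ("matching echo reply", fw.inbound(rep)),
        ("replayed duplicate echo reply", fw.inbound(rep)),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"inspect icmp error = {flag}")
        for what, ok in run_demo(flag):
            print(f"  {'PERMIT' if ok else 'DROP  '}  {what}")
```

    Running it shows the two behaviours the thread asks about: the stray echo reply at the start is dropped in both configurations, the reply to our own request passes once, and only with the error inspection flag set does the time-exceeded message quoting our request get through. Note that an echo reply carrying the right addresses but a different identifier/sequence is still dropped, which is why the model keys sessions on all four values rather than on addresses alone.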

  • Blocking Inbound File Attachments

    Hi,
    Currently, we are upgrading our email firewall from Borderware to Cisco C160 Ironport.  I have loaded the config file and am now in the process of setting up/configuring policies, content filter.  I want to block certain inbound attachments such as .exe's, .bat, etc.
    I go to the following:
    Mail Policies
    Incoming Content Filter
    Choose Add filter and provide filter name (optional)
    Choose Add Condition
    Attachment File Info
    File Type is
    Here is where I choose certain file types to block or allow through depending on the filter I am creating.
    Do I have to create a new condition for each file type I want blocked, or can I choose multiple file extensions somehow?
    Any help is greatly appreciated.

    You can block file attachments by file extension such as .exe, .ppt etc. with the knowledge that someone could change an exe file to .xex and it would be accepted. The other option is to block by file type, which looks at the binary signature of the file and determines if it matches. There are pre-configured categories of file types like Executable, Graphics etc. You can select the category or you could pick the individual file. Selecting Executable would block every file deemed an executable under the category and would defeat the renaming of the file.
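    The difference the reply above draws between an extension denylist and file-type (signature) detection is easy to see in code. The following is an added example written for this page, not IronPort's filter logic: the extension list, the handful of magic numbers, the PE header walk (the "MZ" DOS header, the e_lfanew offset at 0x3c, and the "PE\0\0" signature it points to) and the sample bytes are the author's own constructions. It shows the same executable passing the extension check once renamed to .xex while still being caught by the signature check, and the reverse failure mode as well: a batch file is plain text with no binary signature, so type detection alone lets it through.

```python
import os
import struct
from typing import Dict

# Extension denylist in the spirit of the filter discussed above (assumed list for this example).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}


def extension_blocked(filename: str) -> bool:
    """Extension-only check: trivially evaded by renaming the attachment."""
    return os.path.splitext(filename.lower())[1] in BLOCKED_EXTENSIONS


def category_of(data: bytes) -> str:
    """Classify content by its leading bytes (well-known magic numbers)."""
    if data[:2] == b"MZ":
        # DOS header. A PE image stores the offset of its "PE\0\0" signature at 0x3c.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:4] in (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # Mach-O 32/64-bit, little-endian
                    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf"):  # Mach-O 32/64-bit, big-endian
        return "mach-o-executable"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:2] == b"PK":
        return "zip-container"   # also Office OOXML, JAR, APK: a container, not a verdict
    return "unknown"


def signature_blocked(data: bytes) -> bool:
    """File-type check: keyed on content, so renaming does not help the sender."""
    return category_of(data).endswith("executable")


def verdict(filename: str, data: bytes) -> Dict[str, bool]:
    """Both checks side by side for one attachment."""
    return {"by_extension": extension_blocked(filename),
            "by_signature": signature_blocked(data)}


def minimal_pe() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature.
    Not a runnable program, just enough header to exercise the check."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew = 0x40, right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


BAT_SAMPLE = b"@echo off\r\ndel /q *.*\r\n"           # constructed script: text, no magic number
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8        # constructed image header


if __name__ == "__main__":
    for name, blob in [("payload.exe", minimal_pe()), ("payload.xex", minimal_pe()),
                       ("cleanup.bat", BAT_SAMPLE), ("notes.txt", BAT_SAMPLE),
                       ("logo.png", PNG_SAMPLE)]:
        print(f"{name:12s} {category_of(blob):16s} {verdict(name, blob)}")
```

    The practical conclusion is the one the reply hints at: use the file-type category for binaries, because the sender controls the name but not the header, and keep an extension (or content) rule for script formats such as .bat, .cmd, .vbs and .js that have no binary signature to match. A real engine also looks past the first bytes (this example stops at the PE signature) and inspects inside containers, which here are only labelled, not opened.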

  • Blocking inbound call in CM with MGCP Voice gateways

    I'm sure someone has posted on this: We have MGCP voicegateways and CM 4.02aSR2b. How can I setup CM to block a specific inbound call? If the gateways were H323 then no problem, but with MGCP we are stumped. Any suggestions? Thx!

    It cannot be done with MGCP. It can be done with H.323 using reject translation rules on the GW.
    With MGCP your only option is to route all calls via Unity or IPCC first where logic can be build to block calls.
    HTH, please rate posts!
    Chris

  • Cisco 5510 blocking all websites except a few

    Hello:
    I see many post about how to block a single website, but I want to do the opposite. I would like to block all website except for a handful of them. Does anyone have any example configs?

    Hi,
    Yes you should be able to:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    Of course, you will need to create some sort of regex that will deny all the websites such as *.com, but first, of course, permit the websites you want.
    Another option will be using FQDN ACLs (only supported on version 8.4.2 and higher). Here is the example.
    https://supportforums.cisco.com/docs/DOC-17014
    Cheers,
    Mike

  • Cisco FWSM 'deny inbound' error in ASDM

    Hello
    We have an explicit rule allowing inbound traffic, however it recently stopped working. The rule is still in place but we get a Deny message in the logs and the traffic does not pass. Would NAT have an affect on this? Someone changed the NAT from Static to Dynamic recently and I'm wondering if that might have broken something. Please let me know what further info you need.
    Thanks
    Amy

    NAT could very well be the issue here if it has been changed.
    You could check by running a packet tracer on the ASA from any public IP (4.2.2.2 for example) to the public IP of the server you are trying to reach. Make sure that the source port is a random high port (I normally use 12345) and make sure you specify the server port which is being used to access the server (for example, port 80 for webservers).
    packet-tracer input outside tcp 4.2.2.2 12345 <public IP of server> <port> detail
    Please remember to select a correct answer and rate helpful posts

  • Cisco ISE Block URL Access

    Hello, Everyone
    Is there a way to deny access to a URL in Cisco Identity Services Management? I want to deny all users HTTP access to the default portal
    "https://<ip_of_ise>:8433/guestportal/Login.action".
    This URL is redirecting the users to the DefaultGuestPortal.
    Thank you For help.

    For this question, according to my understanding, to do this task we usually use an Authorization policy to restrict access by using a downloadable ACL (or even by VLAN). We have "webtype" ACLs (hostname(config)# access-list acl_company webtype deny url http://*.company.com), but I guess these types of ACL are not supported on switches; they are for the 5500 ASA. So this is not possible using ISE, but IronPort can be used for the same and the customer's requirement can be met. Please follow the link below; it may be of help.
    https://supportforums.cisco.com/thread/2149968

  • *blocking inbound telephone number

    I have tried *60 and 3, but am unable to connect to the call blocking service.  Is it available in Florida?  Any suggestions to how I can block a harassing phone caller.  I have their number.

    You are definitely wrong about this. IOBI still exists and still can be purchased. In fact, when I signed up for the free service "Verizon Call Assistant" a week ago, I received a letter from Verizon indicating that the free service had been added, and I received a second letter indicating that IOBI service had been added to my account for $7.95 a month. I had to phone to get this unwanted IOBI service off my account. VCA seems to provide a subset of the features of IOBI, which still exists as a separate not-for-free account. By the way, Verizon personnel seem to be very confused by all of this. I had to call tech support because a glitch in my voice mail service prevented VCA from working. When I called, the tech support person had never heard of VCA, and had to go talk to her friends to get another tech support phone number for me to call, and that tech support person referred my call to yet another tech support person who finally fixed my problem.

  • Cisco ASA5520 Blocks email to/from Cell Phones

    Hi,
      I have recently installed a Meraki (now Cisco) wireless access solution for my company. I have configured 2 SSIDs, one for wireless access to our LAN and the other for guest access to the Internet only. These appear to work quite well; however, some users are complaining that the email clients on their cell phones do not work when using this wireless system. Web mail apps work fine, however.
    Internet Access is via our Cisco ASA5520 and I strongly suspect this is the culprit. I have opened all ports associated with cell phones but still it does not work. Has anyone seen this kind of thing before?
    Pete

    Hello Peter,
    In order to determine if the problem is related to the FW you will need to take captures of the traffic when a client attempts to send email
    Here is the link about how to use captures on the asa
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
    With that we will be able to determine if the packets are getting stuck somewhere else or if this is an ASA problem.
    Cheers,
    Julio Carvajal Segura

  • RV180 ALG blocks inbound sip messages

    Hi,
    I have a sip gateway connect to the LAN side of RV180 router which has ALG enabled.  I have no problem to make and receive calls but sometime I see the router does not forward the 'Bye' message from the VOIP service provider to the sip gateway.
    Attached a wireshark capture on both WAN and LAN of RV180.
         sip gateway ip: 192.168.30.100
         RV180 WAN ip: 206.108.192.53
         VOIP provider ip: 66.237.65.67 and 65.175.129.133
    In the capture frame 4292, a 'Bye' message reaches the WAN of RV180 but it never forward the 'Bye' to the sip gateway with internal ip
    All settings in RV180 are default with only ALG enabled.
    I tried to setup Access Rule or Port Forward but none seems to work.  Not sure if they are over-ruled by ALG?
    With ALG enabled, is it possible to have individual Access Rules? If there are conflicts between ALG and an Access Rule, which has higher priority?

    Topic bump, as the behaviour has begun occurring again.
    My ISA550w has once again begun silently filtering inbound SIP UDP OPTIONS messages, which are used by my trunk provider to verify that my VOIP switch is alive and responding.
    As stated above, ACL rules explicitly permit the forwarding of this traffic to my VOIP switch, which resides behind the firewall.
    From time to time, and apparently for no reason at all, the firewall begins silently dropping this traffic.  No hits are recorded in the firewall logs despite the fact that logging of this traffic is turned on.
    Previously, disabling all security services appeared to deal with this.  In addition, all "attack protection" options have been turned off.
    I can see that the UDP traffic from my SIP provider is hitting the firewall and getting dropped, as it pops up in packet captures run on the WAN1 interface.  When the ISA550w is displaying this behaviour, the traffic is not forwarded to the VOIP switch.
    The only "fix," such as it is, for this product is to reset the configuration to factory defaults and then restore the set config from XML backup.
    In addition, occasionally the SSL VPN for our remote phones dies, producing timeouts on connect.  The box again needs to be reset -- albeit without uploading the config -- to fix this.
    Whatever it is, it's a bug, the type of which does not present itself on "real" IOS devices.  Once those are configured properly, they stay configured properly.
    If anyone can recommend a "real" IOS box with the same feature set as this piece of junk, I would appreciate it.  I'd also happily buy a firewall product from any competitor so long as it presents a compatible SSL VPN server capable of being accessed by the SPA525G2 phone.
    Ugh.

  • Is it possible to completely block any unsolicited attempts by BING and its insidious hidden registry additions.

    Certain addons in the Mozilla addon library, including a number of youtube download assistants have attempted to install BING and have consequently prevented Firefox from restarting/starting. My only solution was a system restore. I will not be installing any further addons until developers find a way to COMPLETELY prevent any unwanted registry changes. I would ask that all users complain to youtube as it seems that they all attach themselves to youtube entries within the registry..

    They may not be professional but they're definitely seasoned, they do this every weekend in the same location, and the phones seem to end up at the same location as well. Local police won't do anything since apparently a Find my iPhone report isn't accurate enough to properly figure out which house it's in
    Ok so the next question is, let's say I get the sim card disabled, so they won't be able to make calls from my phone. Will FMI still work even if the sim card can't connect to 3G or the internet? Wi fi is not disabled so that might still work to locate it...?
