Cisco 881 Zone Firewall issues

I'm having issues with an 881 that I have configured as a zone-based firewall.
I have allowed HTTP(S) and DNS on the DMZ, but my user is saying he cannot access the internet.
On the corporate side, the user complains that some websites fail, such as LinkedIn.
I have been using CCP to configure the device. What am I doing wrong?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 22210 bytes
! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname -Rt
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
enable password 7
aaa new-model
aaa authentication login local_auth local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3066996233
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3066996233
revocation-check none
rsakeypair TP-self-signed-3066996233
crypto pki certificate chain TP-self-signed-3066996233
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 10.0.2.2
ip dhcp excluded-address 10.0.2.1
ip dhcp pool Trusted
import all
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
domain-name spectra.local
dns-server 10.0.2.2 10.0.1.6
option 150 ip 10.1.1.10 10.1.1.20
ip dhcp pool Guest
import all
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
dns-server 4.2.2.2 4.2.2.3
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.0.2.2
ip name-server 4.2.2.2
login block-for 5 attempts 3 within 2
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
archive
log config
logging enable
username S privilege 15 secret 4
username ed privilege 15 password 7
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any TFTP
match protocol tftp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
match access-group name Any-From-HO
class-map type inspect match-any Skinny
match protocol skinny
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
match class-map Skinny
match access-group name Hostcom-Skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any Pings
match protocol icmp
class-map type inspect match-any Ping-
match class-map Pings
class-map type inspect match-all ccp-cls-ccp-inspect-2
match class-map Ping-
match access-group name Ping-
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-all ccp-cls-ccp-inspect-3
match class-map DNS
match access-group name Any-any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name Any/Any
class-map type inspect match-any https
match protocol https
class-map type inspect match-all ccp-cls-ccp-inspect-4
match class-map https
match access-group name any-any
class-map type inspect match-any UDP
match protocol udp
match protocol tcp
class-map type inspect match-all ccp-cls-ccp-inspect-5
match class-map UDP
match access-group name InsideOut
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Pings
match access-group name RespondtoSomePings
class-map type inspect match-any RemoteMgt
match protocol ssh
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map RemoteMgt
match access-group name Spectra-RemoteMgt
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol dns
match protocol https
class-map type inspect match-any WebBrowsing
match protocol http
match protocol https
class-map type inspect match-any DNS2
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map WebBrowsing
match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map DNS2
match access-group name DMZtoAny
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-2
inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-cls-ccp-inspect-5
pass log
class type inspect TFTP
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-4
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
class type inspect ccp-cls-ccp-inspect-3
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop log
policy-map type inspect ccp-permit-outside-in
class type inspect ccp-cls-ccp-permit-outside-in-2
inspect
class type inspect ccp-cls-ccp-permit-outside-in-1
pass
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-app-nonascii
log
reset
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-2
inspect
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-outside-in
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect ccp-permit-dmzservice
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Y address x.x.x.x
crypto isakmp key o1 address x.x.x.x
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-AES256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime kilobytes 128000
set security-association lifetime seconds 28800
set transform-set ESP-AES256-SHA
match address 102
interface FastEthernet0
description B
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet1
description Docker
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet2
description Phone
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet3
description Guest
switchport access vlan 3
no ip address
spanning-tree portfast
interface FastEthernet4
description External $FW_OUTSIDE$
bandwidth inherit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 104
duplex auto
speed auto
pppoe-client dial-pool-number 1
hold-queue 224 in
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
shutdown
interface Vlan2
description Trusted Network$FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1440
interface Vlan3
description Guest Network$FW_DMZ$
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callout
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip access-list standard SSH-Management
permit x.x.x.x log
permit 10.0.2.0 0.0.0.255 log
permit 10.0.1.0 0.0.0.255 log
ip access-list extended Any-From-HO
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended Any-any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Any/Any
remark CCP_ACL Category=128
permit ip host 10.0.2.0 host 10.0.1.0
ip access-list extended DMZ-Out
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended Hostcom-Skinny
remark CCP_ACL Category=128
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended InsideOut
remark CCP_ACL Category=128
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended Ping-Hostcom
remark CCP_ACL Category=128
permit ip host 10.0.2.2 any
ip access-list extended RespondtoSomePings
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host 37.0.96.2 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended RemoteMgt
remark CCP_ACL Category=128
permit ip host x.x.x.x any
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended any-any
remark CCP_ACL Category=128
permit ip any any
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 23 remark HTTPS Access
access-list 23 permit 10.0.2.1
access-list 23 permit x.x.x.x
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.112.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit udp any any eq bootpc
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP permit 1
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Authorised Access Only
If your not supposed to be here. Close the connection
^C
banner motd ^C
Access Is Restricted To  Personel ONLY^C
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class SSH-Management in
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet ssh
scheduler interval 500
end

Hello Martin,
Please apply the following changes and let us know:
ip access-list extended DMZtoAny
1 permit udp 192.168.112.0 0.0.0.255 any eq 53
no permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZ-Out
1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
2 permit tcp 192.168.112.0 0.0.0.255 any eq 443
no permit ip 192.168.112.0 0.0.0.255 any
Change that, try it, and if it does not work, post the configuration with the changes applied.
Regards,
Remember to rate all of the helpful posts, that is as important as a thanks
Julio
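As an added example (my own script, not part of this thread or of Cisco's tooling), a Python audit that walks each zone-pair to its policy-map, class-maps and named ACLs and reports entries whose source address can never match traffic arriving from the zone-pair's source zone, which is how a mistyped subnet in a DMZ ACL silently blocks everything. The embedded excerpt is a constructed, hypothetical cut-down modelled on the running-config above, with DMZ-Out typed as 192.168.12.0 instead of the DMZ's 192.168.112.0/24; the parser also accepts a raw "sh run" paste like the one in the question.

```python
"""Resolve zone-pair -> policy-map -> class-map -> named ACL in a Cisco IOS ZBF and flag ACEs whose source cannot match the pair's source zone."""
import ipaddress
import re

# Constructed, hypothetical excerpt modelled on this thread's config; DMZ-Out was typed with 192.168.12.0 but the DMZ is 192.168.112.0/24.
SAMPLE_CONFIG = """
interface Vlan3
 ip address 192.168.112.1 255.255.255.0
 zone-member security dmz-zone
ip access-list extended DMZ-Out
 permit tcp 192.168.12.0 0.0.0.255 any eq 80
 permit tcp 192.168.12.0 0.0.0.255 any eq 443
ip access-list extended DMZtoAny
 1 permit udp 192.168.112.0 0.0.0.255 any eq 53
class-map type inspect match-any WebBrowsing
 match protocol http
 match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
 match class-map WebBrowsing
 match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
 match access-group name DMZtoAny
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-cls-ccp-permit-dmzservice-1
  inspect
 class type inspect ccp-cls-ccp-permit-dmzservice-2
  inspect
 class class-default
  drop
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
 service-policy type inspect ccp-permit-dmzservice
"""
BLOCK_START = re.compile(r"^(interface|ip access-list|class-map|policy-map|zone-pair) ")
def parse_blocks(config):
    """Split into (header, body-lines); tolerates a 'sh run' paste that lost its indentation."""
    blocks = []
    for line in (l.strip() for l in config.splitlines()):
        if BLOCK_START.match(line):
            blocks.append((line, []))
        elif line and not line.startswith("!") and blocks:
            blocks[-1][1].append(line)
    return blocks
def parse_source(tokens):
    """Source of an extended ACE (tokens after the protocol) as IPv4Network; None = any/unparseable."""
    try:
        if tokens[0] == "host":
            return ipaddress.IPv4Network(tokens[1] + "/32")
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)  # wildcard -> netmask
        return ipaddress.IPv4Network(f"{tokens[0]}/{mask}", strict=False)
    except (ValueError, IndexError):
        return None  # 'any', or a redacted address such as x.x.x.x
def build_model(config):
    """Index zones (-> interface networks), named extended ACLs, class-maps, policy-maps and zone-pairs."""
    zones, acls, classes, policies, pairs = {}, {}, {}, {}, {}
    for header, body in parse_blocks(config):
        name = header.split()[-1]
        last = lambda pfx: [l.split()[-1] for l in body if l.startswith(pfx)]  # last token of matching lines
        if header.startswith("interface"):
            for zone in last("zone-member security"):
                nets = re.findall(r"^ip address (\S+) (\S+)$", "\n".join(body), re.M)  # 'negotiated' is skipped
                zones.setdefault(zone, []).extend(ipaddress.IPv4Network(f"{a}/{m}", strict=False) for a, m in nets)
        elif header.startswith("ip access-list extended"):
            rows = [(l, l.split()[1:] if l.split()[0].isdigit() else l.split()) for l in body]  # drop seq numbers
            acls[name] = [(l, parse_source(t[2:])) for l, t in rows if t[0] in ("permit", "deny")]
        elif header.startswith("class-map"):  # numbered 'match access-group N' is not resolved here
            classes[name] = (last("match access-group name"), last("match class-map"))
        elif header.startswith("policy-map"):
            cls, policies[name] = None, []
            for l in body:
                m = re.match(r"class (?:type inspect )?(\S+)$", l)
                if m:
                    cls = m[1]
                elif cls and l.split()[0] in ("inspect", "pass", "drop"):
                    policies[name].append((cls, l.split()[0]))
        elif header.startswith("zone-pair"):
            src, dst = re.search(r"source (\S+) destination (\S+)", header).groups()
            pairs[header.split()[2]] = (src, dst, (last("service-policy") or [None])[0])
    return zones, acls, classes, policies, pairs
def class_acls(name, classes, seen=frozenset()):
    """Named ACLs behind a class-map, following nested 'match class-map' references (cycle-safe)."""
    if name not in classes or name in seen:
        return []
    acl_names, children = classes[name]
    return list(acl_names) + [a for c in children for a in class_acls(c, classes, seen | {name})]
def audit(config):
    """Per zone-pair: ACLs that do not exist, and ACE sources outside every network of the source zone."""
    zones, acls, classes, policies, pairs = build_model(config)
    findings = []
    for pair, (src, _dst, policy) in pairs.items():
        for cls, action in policies.get(policy, []):
            for acl in (class_acls(cls, classes) if action != "drop" else []):
                if acl not in acls:
                    findings.append(f"{pair}: class {cls} references missing ACL {acl}")
                for text, net in acls.get(acl, []):
                    if net and not any(net.overlaps(z) for z in zones.get(src, [])):
                        findings.append(f"{pair}: ACL {acl} '{text}' source {net} is outside zone {src}")
    return findings

print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the full running-config from the question, it also reports class-maps that reference an ACL name not defined anywhere, which CCP-generated configs with hand-edited names are prone to.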

Similar Messages

  • P2P Blocking is disabled in cisco 881 W router

    Hi
    We are facing an issue with the communication between wireless clients in the same subnet. These users are not able to ping each other on a Cisco 881 W wireless router.
    But what can we do on this router to disable this P2P blocking?

    Well, I would use a static on the AP, but if you are depending on IOS DHCP to be reliable, then maybe you need to set up a MAC reservation for the AP. It would be after to just set a static on the AP. Since you know your environment will grow, it might be better that you start setting them to static. IOS DHCP isn't 100% reliable, as you have already experienced.
    Sent from Cisco Technical Support iPad App

  • PPTP out & in, Cisco 881

    Hello,
    I've searched a few forums and tried to use some of the suggestions (and that's why the config is so big and probably messed up ;-)
    The network is very simple: (Computers behind NAT + Windows 2008 Server with PPTP -> Cisco 881 -> DSL) and (nearly) everything works perfectly.
    It is not possible to connect from outside to the W2008 PPTP (it stops at "connecting..."); what is even more interesting, you cannot connect from inside to any of the PPTP servers located on the Internet (this stops at "verifying user name & password").
    Please check the configuration, and thanks in advance!
    Greetings,
    Adrian
    config
    ip dhcp excluded-address 192.168.100.1 192.168.100.29
    ip dhcp excluded-address 192.168.100.100 192.168.100.254
    ip dhcp pool Logmar
        import all
        network 192.168.100.0 255.255.255.0
        dns-server 194.204.159.1 192.204.152.34 
        default-router 192.168.100.1 
    ip cef
    no ip bootp server
    ip domain name logmar
    ip name-server 194.204.159.1
    ip name-server 194.204.152.34
    ip port-map user-rserial port tcp 33600 list 3 description rserial
    ip inspect tcp reassembly queue length 1024
    no ipv6 cef
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any SDM_GRE
      match access-group name SDM_GRE
    class-map type inspect match-any VOIP
      match protocol sip-tls
      match protocol sip
      match protocol pptp
      match class-map SDM_GRE
    class-map type inspect imap match-any ccp-app-imap
      match  invalid-command
    class-map type inspect match-any pptp
      match protocol pptp
      match class-map SDM_GRE
    class-map type inspect match-any ccp-cls-protocol-p2p
      match protocol edonkey signature
      match protocol gnutella signature
      match protocol kazaa2 signature
      match protocol fasttrack signature
      match protocol bittorrent signature
    class-map type inspect match-any SDM_TELNET
      match access-group name SDM_TELNET
    class-map type inspect match-any SDM_HTTP
      match access-group name SDM_HTTP
    class-map type inspect match-any SDM_SHELL
      match access-group name SDM_SHELL
    class-map type inspect match-any SDM_SSH
      match access-group name SDM_SSH
    class-map type inspect match-any SDM_HTTPS
      match access-group name SDM_HTTPS
    class-map type inspect match-any sdm-mgmt-cls-0
      match class-map SDM_TELNET
      match class-map SDM_HTTP
      match class-map SDM_SHELL
      match class-map SDM_SSH
      match class-map SDM_HTTPS
    class-map type inspect match-any SDM_AH
      match access-group name SDM_AH
    class-map type inspect match-any CCP-Voice-permit
      match protocol h323
      match protocol skinny
      match protocol sip
    class-map type inspect match-any ccp-cls-insp-traffic
      match protocol cuseeme
      match protocol dns
      match protocol ftp
      match protocol h323
      match protocol https
      match protocol icmp
      match protocol imap
      match protocol pop3
      match protocol netshow
      match protocol shell
      match protocol realmedia
      match protocol rtsp
      match protocol smtp
      match protocol sql-net
      match protocol streamworks
      match protocol tftp
      match protocol vdolive
      match protocol tcp
      match protocol udp
      match class-map SDM_GRE
      match protocol pptp
    class-map type inspect match-all ccp-insp-traffic
      match class-map ccp-cls-insp-traffic
    class-map type inspect match-all sdm-cls--1
      match class-map VOIP
      match access-group name VOIP
    class-map type inspect match-any SDM_IP
      match access-group name SDM_IP
    class-map type inspect match-any SDM_ESP
      match access-group name SDM_ESP
    class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
      match protocol isakmp
      match protocol ipsec-msft
      match class-map SDM_AH
      match class-map SDM_ESP
    class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
      match class-map SDM_EASY_VPN_SERVER_TRAFFIC
    class-map type inspect gnutella match-any ccp-app-gnutella
      match  file-transfer 
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
      match  service any 
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
      match  service any 
    class-map type inspect match-any ccp-cls-icmp-access
      match protocol icmp
      match protocol tcp
      match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
      match protocol ymsgr yahoo-servers
      match protocol msnmsgr msn-servers
      match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
      match  service any 
    class-map type inspect match-all ccp-protocol-pop3
      match protocol pop3
    class-map type inspect match-any pptp-traffic
      match access-group name pptp
      match access-group name SDM_GRE
      match access-group name pptp-out
    class-map type inspect pop3 match-any ccp-app-pop3
      match  invalid-command
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
      match  file-transfer 
    class-map type inspect match-all ccp-protocol-p2p
      match class-map ccp-cls-protocol-p2p
    class-map type inspect msnmsgr match-any ccp-app-msn
      match  service text-chat 
    class-map type inspect ymsgr match-any ccp-app-yahoo
      match  service text-chat 
    class-map type inspect match-all ccp-protocol-im
      match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-invalid-src
      match access-group 100
    class-map type inspect match-all ccp-icmp-access
      match class-map ccp-cls-icmp-access
    class-map type inspect http match-any ccp-app-httpmethods
      match  request method bcopy
      match  request method bdelete
      match  request method bmove
      match  request method bpropfind
      match  request method bproppatch
      match  request method connect
      match  request method copy
      match  request method delete
      match  request method edit
      match  request method getattribute
      match  request method getattributenames
      match  request method getproperties
      match  request method index
      match  request method lock
      match  request method mkcol
      match  request method mkdir
      match  request method move
      match  request method notify
      match  request method options
      match  request method poll
      match  request method propfind
      match  request method proppatch
      match  request method revadd
      match  request method revlabel
      match  request method revlog
      match  request method revnum
      match  request method save
      match  request method search
      match  request method setattribute
      match  request method startrev
      match  request method stoprev
      match  request method subscribe
      match  request method trace
      match  request method unedit
      match  request method unlock
      match  request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
      match  file-transfer 
      match  text-chat 
      match  search-file-name 
    class-map type inspect http match-any ccp-http-blockparam
      match  request port-misuse im
      match  request port-misuse p2p
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
      match  file-transfer 
    class-map type inspect aol match-any ccp-app-aol
      match  service text-chat 
    class-map type inspect match-all ccp-protocol-imap
      match protocol imap
    class-map type inspect edonkey match-any ccp-app-edonkeychat
      match  search-file-name 
      match  text-chat 
    class-map type inspect http match-any ccp-http-allowparam
      match  request port-misuse tunneling
    class-map type inspect fasttrack match-any ccp-app-fasttrack
      match  file-transfer 
    class-map type inspect match-all ccp-protocol-http
      match protocol http
    policy-map type inspect ccp-permit-icmpreply
      class type inspect ccp-icmp-access
       inspect 
      class class-default
       pass
    policy-map type inspect p2p ccp-action-app-p2p
      class type inspect edonkey ccp-app-edonkeychat
       log
       allow
      class type inspect edonkey ccp-app-edonkeydownload
       log
       allow
      class type inspect fasttrack ccp-app-fasttrack
       log
       allow
      class type inspect gnutella ccp-app-gnutella
       log
       allow
      class type inspect kazaa2 ccp-app-kazaa2
       log
       allow
    policy-map type inspect im ccp-action-app-im
      class type inspect aol ccp-app-aol
       log
       allow
      class type inspect msnmsgr ccp-app-msn
       log
       allow
      class type inspect ymsgr ccp-app-yahoo
       log
       allow
      class type inspect aol ccp-app-aol-otherservices
       log
       reset
      class type inspect msnmsgr ccp-app-msn-otherservices
       log
       reset
      class type inspect ymsgr ccp-app-yahoo-otherservices
       log
       reset
    policy-map global-policy
    policy-map type inspect http ccp-action-app-http
      class type inspect http ccp-http-blockparam
       log
       allow
      class type inspect http ccp-app-httpmethods
       log
       allow
      class type inspect http ccp-http-allowparam
       log
       allow
    policy-map type inspect imap ccp-action-imap
      class type inspect imap ccp-app-imap
       log
    policy-map type inspect pop3 ccp-action-pop3
      class type inspect pop3 ccp-app-pop3
       log
    policy-map type inspect ccp-inspect
      class type inspect ccp-invalid-src
       drop log
      class type inspect ccp-protocol-http
       inspect 
       service-policy http ccp-action-app-http
      class type inspect ccp-protocol-imap
       inspect 
       service-policy imap ccp-action-imap
      class type inspect ccp-protocol-pop3
       inspect 
       service-policy pop3 ccp-action-pop3
      class type inspect ccp-protocol-p2p
       inspect 
       service-policy p2p ccp-action-app-p2p
      class type inspect ccp-protocol-im
       inspect 
       service-policy im ccp-action-app-im
      class type inspect ccp-insp-traffic
       inspect 
      class type inspect CCP-Voice-permit
       inspect 
      class type inspect pptp-traffic
       pass
      class type inspect SDM_GRE
       pass
      class class-default
       pass
    policy-map type inspect ccp-permit
      class type inspect SDM_EASY_VPN_SERVER_PT
       pass
      class type inspect pptp-traffic
       pass
      class class-default
       drop
    policy-map type inspect sdm-policy-sdm-cls--1
      class type inspect sdm-cls--1
       pass
      class type inspect pptp-traffic
       pass
      class class-default
       drop
    policy-map type inspect sdm-permit-ip
      class type inspect SDM_IP
       pass
      class type inspect pptp-traffic
       pass
      class class-default
       drop log
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
      service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
      service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
      service-policy type inspect ccp-permit
    zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
      service-policy type inspect sdm-policy-sdm-cls--1
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
      service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
      service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
      service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
      service-policy type inspect sdm-permit-ip
    interface Null0
      no ip unreachables
    interface FastEthernet0
      switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
      description $FW_OUTSIDE$$ETH-WAN$
      ip address 83.0.201.122 255.255.255.248
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip verify unicast reverse-path
      ip flow ingress
      ip nat outside
      ip virtual-reassembly
      zone-member security out-zone
      duplex auto
      speed auto
    interface Vlan1
      description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
      ip address 192.168.100.1 255.255.255.0
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip flow ingress
      ip nat inside
      ip virtual-reassembly
      zone-member security in-zone
      ip tcp adjust-mss 1452
    ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
    ip nat inside source list 4 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
    ip nat inside source list pptp-out interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
    ip access-list extended SDM_AH
      remark CCP_ACL Category=1
      permit ahp any any
    ip access-list extended SDM_ESP
      remark CCP_ACL Category=1
      permit esp any any
    ip access-list extended SDM_GRE
      remark CCP_ACL Category=0
      permit gre any any
    ip access-list extended SDM_HTTP
      remark CCP_ACL Category=0
      permit tcp any any eq www
    ip access-list extended SDM_HTTPS
      remark CCP_ACL Category=0
      permit tcp any any eq 443
    ip access-list extended SDM_IP
      remark CCP_ACL Category=1
      permit ip any any
    ip access-list extended SDM_SHELL
      remark CCP_ACL Category=0
      permit tcp any any eq cmd
    ip access-list extended SDM_SSH
      remark CCP_ACL Category=0
      permit tcp any any eq 22
    ip access-list extended SDM_TELNET
      remark CCP_ACL Category=0
      permit tcp any any eq telnet
    ip access-list extended VOIP
      remark CCP_ACL Category=128
      permit ip any host 192.168.100.100
    ip access-list extended pptp
      remark CCP_ACL Category=1
      permit gre any any
      permit tcp any host 192.168.100.100 eq 1723
      permit ip any host 192.168.100.100
    ip access-list extended pptp-out
      remark CCP_ACL Category=2
      permit tcp any any eq 1723
      permit gre any any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 2 remark Auto generated by SDM Management Access feature
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.100.0 0.0.0.255
    access-list 3 remark CCP_ACL Category=1
    access-list 4 remark CCP_ACL Category=2
    access-list 4 permit 192.168.100.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark CCP_ACL Category=1
    access-list 102 permit ip 192.168.100.0 0.0.0.255 any
    access-list 106 remark CCP_ACL Category=0
    no cdp run

    I've deleted all of the configuration (well, at least the part concerning PPTP access ;-) and written it from scratch...
    Heh, I do not understand WHY configuring Cisco is such a pain while doing the same thing on ALL other routers is easier, far more predictable, and not at all less secure.
    Below is the ACL & policy-map-related part of my config - hope this helps.
    class-map type inspect match-any SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any cpp-cls-inside
    match protocol pptp
    match class-map SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect imap match-any ccp-app-imap
    match  invalid-command
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    match class-map SDM_GRE
    match protocol pptp
    match protocol skinny
    match protocol sip
    match protocol sip-tls
    match access-group name SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect gnutella match-any ccp-app-gnutella
    match  file-transfer
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
    match  service any
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
    match  service any
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect aol match-any ccp-app-aol-otherservices
    match  service any
    class-map type inspect pop3 match-any ccp-app-pop3
    match  invalid-command
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
    match  file-transfer
    class-map type inspect msnmsgr match-any ccp-app-msn
    match  service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
    match  service text-chat
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect http match-any ccp-app-httpmethods
    match  request method bcopy
    match  request method bdelete
    match  request method bmove
    match  request method bpropfind
    match  request method bproppatch
    match  request method connect
    match  request method copy
    match  request method delete
    match  request method edit
    match  request method getattribute
    match  request method getattributenames
    match  request method getproperties
    match  request method index
    match  request method lock
    match  request method mkcol
    match  request method mkdir
    match  request method move
    match  request method notify
    match  request method options
    match  request method poll
    match  request method propfind
    match  request method proppatch
    match  request method revadd
    match  request method revlabel
    match  request method revlog
    match  request method revnum
    match  request method save
    match  request method search
    match  request method setattribute
    match  request method startrev
    match  request method stoprev
    match  request method subscribe
    match  request method trace
    match  request method unedit
    match  request method unlock
    match  request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
    match  file-transfer
    match  text-chat
    match  search-file-name
    class-map type inspect http match-any ccp-http-blockparam
    match  request port-misuse im
    match  request port-misuse p2p
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
    match  file-transfer
    class-map type inspect aol match-any ccp-app-aol
    match  service text-chat
    class-map type inspect edonkey match-any ccp-app-edonkeychat
    match  search-file-name
    match  text-chat
    class-map type inspect http match-any ccp-http-allowparam
    match  request port-misuse tunneling
    class-map type inspect fasttrack match-any ccp-app-fasttrack
    match  file-transfer
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect p2p ccp-action-app-p2p
    class type inspect edonkey ccp-app-edonkeychat
      log
      allow
    class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
    class type inspect fasttrack ccp-app-fasttrack
      log
      allow
    class type inspect gnutella ccp-app-gnutella
      log
      allow
    class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect im ccp-action-app-im
    class type inspect aol ccp-app-aol
      log
      allow
    class type inspect msnmsgr ccp-app-msn
      log
      allow
    class type inspect ymsgr ccp-app-yahoo
      log
      allow
    class type inspect aol ccp-app-aol-otherservices
      log
      reset
    class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
    class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map global-policy
    policy-map type inspect ccp-inspect
    class type inspect SDM_GRE
      pass
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-insp-traffic
      inspect
    class class-default
      pass
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
      log
      allow
    class type inspect http ccp-app-httpmethods
      log
      allow
    class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect ccp-inside
    class type inspect SDM_GRE
      pass
    class type inspect cpp-cls-inside
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class class-default
      drop
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security cp-zp-out-in source out-zone destination in-zone
    service-policy type inspect ccp-inside
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description $FW_OUTSIDE$$ETH-WAN$
    ip address 83.0.201.122 255.255.255.248
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip verify unicast reverse-path
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.100.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
    ip forward-protocol nd
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
    ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=0
    permit gre any any
    ip access-list extended SDM_HTTP
    remark CCP_ACL Category=0
    permit tcp any any eq www
    ip access-list extended SDM_HTTPS
    remark CCP_ACL Category=0
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark CCP_ACL Category=0
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark CCP_ACL Category=0
    permit tcp any any eq 22
    ip access-list extended SDM_TELNET
    remark CCP_ACL Category=0
    permit tcp any any eq telnet
    logging trap debugging
    logging 192.168.100.100
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 1 permit any
    access-list 2 remark Auto generated by SDM Management Access feature
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.100.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark CCP_ACL Category=1
    access-list 102 permit ip 192.168.100.0 0.0.0.255 any
    no cdp run

  • Cisco 881 - Ports won't open

    Hi All,
    I am trying to forward incoming external traffic from the internet on ports 25 and 433 to the internal IP 10.10.10.29, but it's not working. Any ideas what I've done wrong?
    I've replaced some of the config with "x"s.
    Config:
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot-end-marker
    logging buffered 51200
    logging console critical
    enable secret 5 xxxx
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    memory-size iomem 10
    clock timezone PCTime 10 0
    clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-704284261
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-704284261
    revocation-check none
    rsakeypair TP-self-signed-704284261
    crypto pki certificate chain TP-self-signed-704284261
    certificate self-signed 01
    xxx
    quit
    no ip source-route
    ip cef
    no ip bootp server
    ip domain name
    ip name-server 10.10.10.31
    ip port-map user-Intranet port tcp 8080 list 3 description Intranet
    ip port-map user-5610 port tcp 5610 description 5610
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 ldap
    no ipv6 cef
    license udi pid CISCO881-K9 sn FGL164227LM
    username admin privilege 15 secret 5 xx
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group xxx.remote
    key xxx
    dns 10.10.10.1 10.10.10.4
    wins 10.10.10.1 10.10.10.4
    domain xxx.local
    pool SDM_POOL_1
    acl 102
    split-dns xxx.local
    max-users 10
    netmask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear
    crypto dynamic-map SDM_DYNMAP_1 1
    set security-association idle-time 3600
    set transform-set ESP-3DES-MD5
    reverse-route
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    description WAN Interface$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    ip address 125.7.x.x 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect DEFAULT100 in
    ip inspect DEFAULT100 out
    ip virtual-reassembly in
    ip verify unicast reverse-path
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface Vlan1
    description Internal Interface$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.3 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat inside
    ip inspect DEFAULT100 in
    ip inspect DEFAULT100 out
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 10.10.20.100 10.10.20.120
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source static tcp 10.10.10.29 25 interface FastEthernet4 25
    ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
    ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 125.7.x.x
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 10.10.10.51
    access-list 3 remark SDM_ACL Category=1
    access-list 3 permit 10.10.10.5
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit udp host 10.10.10.31 eq domain any
    access-list 100 remark SEP Cloud 1
    access-list 100 permit ip any host 67.134.208.160
    access-list 100 permit udp host 10.10.10.4 eq domain any
    access-list 100 remark MYOB File Confirmation
    access-list 100 permit ip any host 203.34.100.26
    access-list 100 remark Ansarada Dataroom
    access-list 100 permit ip any host 125.7.67.133
    access-list 100 remark ClassSuper
    access-list 100 permit tcp any host 125.7.68.130 eq 443
    access-list 100 remark Mercury Connective
    access-list 100 permit tcp any host 150.207.147.152 eq 2099
    access-list 100 remark AE Tax Lodgement 2
    access-list 100 permit tcp any any eq 7586
    access-list 100 remark AE Tax Lodgement
    access-list 100 permit tcp any any eq 10000
    access-list 100 remark Corporate Compliance
    access-list 100 permit tcp any any eq 5610
    access-list 100 remark GRE
    access-list 100 permit gre any any
    access-list 100 remark PPTP
    access-list 100 permit tcp any any eq 1723
    access-list 100 remark RDP
    access-list 100 permit tcp any any eq 3389
    access-list 100 remark Remote VMs
    access-list 100 permit tcp any eq 3389 10.10.20.0 0.0.0.255
    access-list 100 remark GetBusi to HTTP
    access-list 100 permit tcp host 10.10.10.18 any eq www
    access-list 100 remark GetBusi FILTERING
    access-list 100 permit tcp host 10.10.10.18 any eq 3436
    access-list 100 remark GetBusi NTP
    access-list 100 permit tcp host 10.10.10.18 any eq 123
    access-list 100 remark GetBusi RSYNC
    access-list 100 permit tcp host 10.10.10.18 any eq 873
    access-list 100 remark GetBusi DNS
    access-list 100 permit tcp host 10.10.10.18 any eq domain
    access-list 100 remark GetBusi SSH
    access-list 100 permit tcp host 10.10.10.18 any eq 22
    access-list 100 remark GetBusi FTP
    access-list 100 permit tcp host 10.10.10.18 any eq ftp
    access-list 100 remark GetBusi SSL
    access-list 100 permit tcp host 10.10.10.18 any eq 443
    access-list 100 remark Icarus
    access-list 100 permit ip host 10.10.10.99 any
    access-list 100 remark BlackHawk
    access-list 100 permit ip host 10.10.10.28 any
    access-list 100 remark Bane
    access-list 100 permit ip host 10.10.10.24 any
    access-list 100 remark Buffy
    access-list 100 permit ip host 10.10.10.31 any
    access-list 100 remark Skype TV Cam FTR
    access-list 100 permit ip host 10.10.10.173 any
    access-list 100 remark Pyro
    access-list 100 permit ip host 10.10.10.26 any
    access-list 100 remark TV in FTR
    access-list 100 permit ip host 10.10.10.32 any
    access-list 100 remark Quorra
    access-list 100 permit ip host 10.10.10.29 any
    access-list 100 remark Gambit
    access-list 100 permit ip host 10.10.10.12 any
    access-list 100 remark THOR
    access-list 100 permit ip host 10.10.10.21 any
    access-list 100 remark QBO Remote VM
    access-list 100 permit ip host 10.10.10.47 any
    access-list 100 remark VIZ
    access-list 100 permit ip host 10.10.10.5 any
    access-list 100 remark vCenter
    access-list 100 permit ip host 10.10.10.25 10.10.20.0 0.0.0.255
    access-list 100 remark WISE
    access-list 100 permit ip host 10.10.10.4 any
    access-list 100 remark Email - Lotus Domino
    access-list 100 permit ip host 10.10.10.1 any
    access-list 100 remark TQ's PC1
    access-list 100 permit ip host 10.10.10.124 any
    access-list 100 remark Thrace
    access-list 100 permit ip host 10.10.10.22 any
    access-list 100 remark TQ's PC2
    access-list 100 permit ip host 10.10.10.97 any
    access-list 100 remark TQ's PC2 UDP
    access-list 100 permit udp host 10.10.10.97 any
    access-list 100 deny ip 203.47.157.0 0.0.0.255 any log
    access-list 100 deny ip host 255.255.255.255 any log
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 100 remark Block Port 25
    access-list 100 deny tcp any eq smtp any eq smtp log
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark CCP_ACL Category=1
    access-list 101 remark Auto generated by CCP for NTP (123) 212.12.50.232
    access-list 101 permit udp host 212.12.50.232 eq ntp host 125.7.x.x eq ntp
    access-list 101 permit ahp any host 125.7.x.x
    access-list 101 permit esp any host 125.7.x.x
    access-list 101 permit udp any host 125.7.x.x eq isakmp
    access-list 101 permit udp any host 125.7.x.x eq non500-isakmp
    access-list 101 permit ip host 10.10.20.100 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.101 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.102 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.103 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.104 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.105 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.106 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.107 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.108 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.109 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.110 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.111 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.112 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.113 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.114 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.115 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.116 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.117 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.118 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.119 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.120 10.10.10.0 0.0.0.255
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 deny udp any any eq 603
    access-list 101 deny tcp any any eq 603
    access-list 101 permit tcp any any eq smtp
    access-list 101 remark Secure Inbound HTTPS
    access-list 101 permit tcp any any eq 443
    access-list 101 remark Allow remote ISW access to router
    access-list 101 permit tcp 203.33.128.0 0.0.0.255 any
    access-list 101 remark PPTP access to completekitchensolutions
    access-list 101 permit gre host 202.170.194.141 any
    access-list 101 permit icmp any any administratively-prohibited
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip host 0.0.0.0 any log
    access-list 101 deny ip any any log
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    access-list 102 remark SDM_ACL Category=4
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
    access-list 103 permit ip 10.10.10.0 0.0.0.255 any
    access-list 103 remark SDM_ACL Category=2
    access-list 104 remark SDM_ACL Category=2
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
    access-list 104 permit ip 10.10.10.0 0.0.0.255 any
    access-list 104 remark SDM_ACL Category=2
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    route-map SDM_RMAP_2 permit 1
    match ip address 104
    snmp-server community public RO
    banner login ^CCCCAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000 4000 1000
    scheduler interval 500
    ntp server 212.12.50.232 source FastEthernet4
    end
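    For a port-forward problem like the one above, the first thing to verify is that the static NAT entries and the ACL applied inbound on the WAN interface actually agree, and that check is easy to automate. The script below is an added example, not code from this thread or from Cisco: it walks the interfaces, the `ip nat inside source static tcp` lines and the numbered ACL applied `in` on the NAT-outside interface, evaluates each forwarded port against that ACL with first-match semantics, and separately flags the weak management settings visible in the posted config (`snmp-server community public RO`, `transport input telnet ssh`, `ip http server` alongside `no ip http secure-server`). The config snippet is constructed from the lines of the 881 config above that the check needs, with the poster's masked WAN address kept as "125.7.x.x". Assumptions: only sources of `any` are treated as reachable by an arbitrary Internet client, only `host` and `any` destinations are understood, `eq` is the only port operator handled, and zone-based firewall policies (as in the ZBF config earlier in the thread) are out of scope because there the permission lives in the out-zone to in-zone zone-pair policy rather than in an interface ACL.

```python
"""Check whether static TCP port-forwards in a Cisco IOS config are permitted
by the ACL applied inbound on the WAN interface, and flag weak management
settings. Added example, not from the forum thread; CONFIG is constructed
from the posted 881 config (only the lines this check needs)."""
import re

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ntp": 123, "telnet": 23,
              "ftp": 21, "cmd": 514, "isakmp": 500, "non500-isakmp": 4500}

CONFIG = """\
interface FastEthernet4
 ip address 125.7.x.x 255.255.255.252
 ip access-group 101 in
 ip nat outside
interface Vlan1
 ip address 10.10.10.3 255.255.255.0
 ip access-group 100 in
 ip nat inside
ip http server
no ip http secure-server
ip nat inside source static tcp 10.10.10.29 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
access-list 101 permit udp host 212.12.50.232 eq ntp host 125.7.x.x eq ntp
access-list 101 permit esp any host 125.7.x.x
access-list 101 permit udp any host 125.7.x.x eq isakmp
access-list 101 deny tcp any any eq 603
access-list 101 permit tcp any any eq smtp
access-list 101 remark Secure Inbound HTTPS
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp 203.33.128.0 0.0.0.255 any
access-list 101 deny ip any any log
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""


def parse_interfaces(config):
    """Map interface name -> {'ip', 'acl_in'}; IOS indents sub-commands by one space."""
    intfs, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            intfs[cur] = {"ip": None, "acl_in": None}
        elif cur and line.startswith(" "):
            t = line.split()
            if t[:2] == ["ip", "address"]:
                intfs[cur]["ip"] = t[2]
            elif t[:2] == ["ip", "access-group"] and t[-1] == "in":
                intfs[cur]["acl_in"] = t[2]
        else:
            cur = None
    return intfs


def parse_static_nat(config):
    """Return (inside_ip, inside_port, interface, outside_port) for TCP static NATs."""
    pat = re.compile(r"ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)")
    return [(m[1], int(m[2]), m[3], int(m[4]))
            for m in map(pat.match, config.splitlines()) if m]


def parse_acl(config, number):
    """Return the numbered ACL's entries, in order, as token lists (remarks dropped)."""
    prefix = f"access-list {number} "
    return [l[len(prefix):].split() for l in config.splitlines()
            if l.startswith(prefix) and not l.startswith(prefix + "remark")]


def _port(tok):
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)


def acl_verdict(entries, dst_ip, dst_port):
    """First-match evaluation of a TCP flow from an arbitrary Internet source to
    dst_ip:dst_port. Returns (action, matching entry) or ('deny', 'implicit deny')."""
    for e in entries:
        if len(e) < 3 or e[1] not in ("tcp", "ip") or e[2] != "any":
            continue                      # wrong protocol, or a source a random client can't be
        rest = e[3:]
        if rest[:1] == ["eq"]:            # source-port qualifier: skip it
            rest = rest[2:]
        if rest[:1] == ["host"] and rest[1:2] == [dst_ip]:
            rest = rest[2:]
        elif rest[:1] == ["any"]:
            rest = rest[1:]
        else:
            continue                      # other host / subnet destinations: not this flow
        if e[1] == "tcp" and rest[:1] == ["eq"] and _port(rest[1]) != dst_port:
            continue
        return e[0], " ".join(e)
    return "deny", "implicit deny"


def check_port_forwards(config):
    """For each static TCP NAT, say what the inbound ACL on its WAN interface does."""
    intfs, results = parse_interfaces(config), []
    for _inside_ip, _inside_port, intf, outside_port in parse_static_nat(config):
        wan = intfs.get(intf, {})
        if not wan.get("acl_in"):
            results.append((outside_port, "permit", "no inbound ACL"))
            continue
        action, why = acl_verdict(parse_acl(config, wan["acl_in"]), wan["ip"], outside_port)
        results.append((outside_port, action, why))
    return results


def audit_management(config):
    """Flag management-plane settings a reviewer would call out."""
    findings = []
    if re.search(r"^snmp-server community (public|private) ", config, re.M):
        findings.append("default SNMP community string")
    if re.search(r"^ transport input .*telnet", config, re.M):
        findings.append("telnet enabled on vty lines")
    if re.search(r"^ip http server$", config, re.M) and re.search(r"^no ip http secure-server$", config, re.M):
        findings.append("cleartext HTTP management without HTTPS")
    return findings


if __name__ == "__main__":
    for port, action, why in check_port_forwards(CONFIG):
        print(f"tcp/{port}: {action} by '{why}'")
    for finding in audit_management(CONFIG):
        print("WARN:", finding)
```

    On the posted config the check reports both tcp/25 and tcp/443 as permitted by `permit tcp any any eq smtp` and `permit tcp any any eq 443`, so the inbound ACL on FastEthernet4 is not what is blocking the forwards; the next things to look at on the box are `show ip nat translations` and `show ip nat statistics` after a connection attempt, the hit counters in `show access-lists 101` (the explicit `deny ip any any log` means blocked packets also show up in `show logging`), whether 10.10.10.29 actually uses the router as its default gateway, and the fact that `ip inspect DEFAULT100` is applied in both directions on both interfaces, which is worth simplifying before debugging further. The management findings stand regardless of the NAT problem: a read-only `public` community still discloses the full interface and routing table to anyone who can reach the WAN address, and telnet on the vty lines sends the enable password in the clear.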

    I decided it might be easier to factory restore, set up, enter the NAT settings and set up the firewall using the wizard, but still it is not working.
    Updated config (some info replaced with "xx"):
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 4 xx
    no aaa new-model
    memory-size iomem 10
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-84280098
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-84280098
    revocation-check none
    rsakeypair TP-self-signed-84280098
    crypto pki certificate chain TP-self-signed-84280098
    certificate self-signed 01
    xx
    quit
    ip source-route
    ip cef
    ip name-server 8.8.8.8
    no ipv6 cef
    license udi pid CISCO881-K9 sn FGL164227LM
    username admin privilege 15 secret 4 xx
    class-map type inspect match-all SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any CCP_PPTP
    match class-map SDM_GRE
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all sdm-nat-https-1
    match access-group 102
    match protocol https
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-https-1
    inspect
    class type inspect CCP_PPTP
    pass
    class class-default
    drop log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
    drop log
    class type inspect ccp-protocol-http
    inspect
    class type inspect ccp-insp-traffic
    inspect
    class type inspect ccp-sip-inspect
    inspect
    class type inspect ccp-h323-inspect
    inspect
    class type inspect ccp-h323annexe-inspect
    inspect
    class type inspect ccp-h225ras-inspect
    inspect
    class type inspect ccp-h323nxg-inspect
    inspect
    class type inspect ccp-skinny-inspect
    inspect
    class class-default
    drop
    policy-map type inspect ccp-permit
    class class-default
    drop
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    description $ETH-WAN$$FW_OUTSIDE$
    ip address 125.7.xx.xx 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    interface Vlan1
    description $FW_INSIDE$
    ip address 10.10.10.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 101 interface FastEthernet4 overload
    ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
    ip route 0.0.0.0 0.0.0.0 125.7.xx.xx
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=1
    permit gre any any
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 125.7.xx.xx 0.0.0.3 any
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.10.10.29
    line con 0
    exec-timeout 5 30
    password xx
    login
    line aux 0
    line vty 0 4
    privilege level 15
    password xx
    login local
    transport input telnet ssh
    end

  • Possible firewall issue

    I've installed jboss on a non-global zone and verified the installation using lynx from within the non-global zone.
    I can't see jboss from the global zone, another non-global zone, or a different machine. I can ping back and forth between all zones and other machines as well as ssh into the non-global jboss zone to admin it.
    I tried issuing 'svcadm disable ipfilter' on both the global zone and non-global zone. It worked on the global zone but not the jboss zone (got 'pattern doesn't match any instances' error).
    I tried rebooting the jboss-zone after disabling ipfilter on the global zone and still can't get anything.
    Any ideas?

    OK, just to test I started apache and it works as expected.
    This must be a firewall issue. Does anyone know how to configure / disable it?

  • Cannot install any apps from Creative Cloud in corporate environment. Suspected Firewall issues.

    Hello all. 
    I subscribed successfully and easily to CC on my home PC (iMac) and downloaded a few apps.  All is fine. 
    I wanted to download those same few apps on a remote machine I use several times a week (Win 7).
    After many many attempts of trying to download CC and getting a generic error message, I learned it could be a firewall issue here at this work/office. I found this in Adobe's forums:
    Many organizations use a hardware firewall and proxy server that can prevent software from accessing an FTP server. A hardware solution applies to all computers within the corporate network. Most home networks do not use hardware firewall or proxy technology. 
    Contact your company's IT department to obtain firewall or proxy information.
    Configure your browser with proxy or firewall information.
    Configure your corporate firewall to by-pass the servers. The following servers are accessed:
    ccmdl.adobe.com:80
    swupmf.adobe.com:80
    swupdl.adobe.com:80
    Having nothing to lose, I put in a request and had these addresses/ports opened up in our firewall. That seems to partially fix the problem.
    Now the problem is that the speed and traffic are so terribly slow with CC that nothing installs without failing and giving an error. For example, I am trying to install Photoshop CC and it will take a couple of HOURS to even get to 10% and then it fails. Usually, it doesn't get that far. CC just gives me the generic message:
    "Installation Failed - Learn More."
    Download error.  Press Retry to try again or contact customer support.(-7).
    Our network admins swear that there is nothing wrong with the ports/firewall and yet all this works fine at my home. Can anyone offer any suggestions or advice? My internet connection here is fine. All other sites load and work fine. I simply cannot download any of the CC apps here with any reasonable speed.
    Help!
    PS - The URLs and ports ping just fine.

    Hi RedBirdOBX1,
    I'd recommend checking out the two pdf documents in the
    Adobe Creative Cloud Service Access Documentation for IT section on this page:
    http://www.adobe.com/devnet/creativesuite/enterprisedeployment.html
    Adobe Creative Cloud Network Endpoints
    Adobe Creative Cloud Controlling Service Access
    and if you're still struggling this might be another alternative:
    http://prodesigntools.com/adobe-cc-direct-download-links.html
    Hope that helps,
    -Dave

  • Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

    Hello,
    I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    ip address outside xxx.xxx.xxx.94 255.255.255.224
    ip address inside 192.168.1.1 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

    Hey Craig,
    Based on your commands I think you were using version 6.3 on the PIX and now you must be moving to ASA version 8.2.x.
    On 8.4, use the example below for defining interfaces:
    int eth0/0
    ip add x.x.x.x y.y.y.y
    nameif outside
    no shut
    int eth0/1
    ip add x.x.x.x y.y.y.y
    nameif inside
    no shut
    nat (inside) 1 192.168.1.0 255.255.255.0
    global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
    global (outside) 1 xxx.xxx.xxx.95
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded 
    access-list 100 permit icmp any any unreachable
    static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
    static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
    access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
    route outside 0 0 xxx.xxx.xxx.93
    access-group 100 in interface outside
    You can use two global statements, as the first statement would be used for dynamic NAT and the second as PAT.
    If you're still not able to reach it, paste your entire config and the version that you are using on the ASA.

  • I need help!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do it step by step as I could use all the help I can get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for static route and RDP but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course.
    Also the bolded lines are the modifications I made but that aren't working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work. In your original post you said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

  • TS2709 I have AppleTV and iPad2 running the VJay app to my TV over a private Cisco router with the firewall disabled, but I keep losing the video on my TV after a few minutes. What can I do?

    I have AppleTV and iPad2 running the VJay app to my TV over a private Cisco router with the firewall disabled, but I keep losing the video on my TV after a few minutes. What can I do?

    I also get this problem on my iPad, so probably not related to the AppleTV. On the iPad I restarted Airport Extreme this time, and then the iPad saw my Home Sharing.
    So to recap, restarting the router or Airport Express allowed the iPad and AppleTV to see Home Sharing. Restarting AppleTV also allows AppleTV to see Home Sharing.
    So does anyone have any idea?
    Thanks

  • Can't scan from Lexmark multifunction printer - firewall issue?

    Hi there!
    I got a Lexmark printer/scanner combo which used to work fine on my arch install. However, its mobo died, so now I'm back at another install which refuses to scan. Scanning is done through the browser via a java applet residing on the printer's webserver. The applet does start (so it's not a java issue), but refuses to receive data from the scanner. Within the printer's web interface, it reads
    If using Windows XP, the Windows XP personal firewall must be disabled before using Scan to PC profiles.
    , so I'm assuming it might be a firewall issue. Lexmark's website provides the following advice:
    The following two command lines will open the port 5353 for incoming and outgoing connections:
    iptables -I INPUT -p udp -m udp --sport 5353 -j ACCEPT
    iptables -I OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
    NOTE: These steps will work on most distributions configured with IPTABLES. There is no common command to make these rules persistent.
    As I don't know anything about IP tables, I've simply copied these commands (as root, obviously). Still, I can't scan.
    So, my questions are:
    1. Has anybody else ever come across an issue like this?
    2. I don't even know for sure whether this is a firewall issue. What iptables magic would I need to temporarily disable the firewall to check?
    3. I tried checking my rules by "iptables -L". How can I tell "iptables -L" to specify the ports it is working on (as I did in the commands copied from lexmark's website)?
    Best wishes,
    Rufus

    Hi Bob
    I believe so. We put the install disc into this mac back when we bought it to set up the printer. I'm assuming the scanning drivers were there as well since it's a multifunctional printer/scanner/fax wireless printer.
    We've tried it both ways. If I press the scan button on the printer, it reads can't find computer (or something like that). When we go through the HP icon on my computer screen and choose scan to computer, it does nothing.
    We don't scan that often. So the few times when we ran into this problem, we just did something else (like take a pic from our iPhone and email the pic... kinda stupid but did the trick).
    But I want to have the function of the scanner available.  So that's why I'm here asking...thought others had this issue and had a solution.

  • Windows Firewall issue, inbound rule opened all, still not the same as turning off

    This is Windows Firewall issue on Windows 8.1 Pro. 
    Backup Exec server cannot expand a computer node in selection list. I drill down to Microsoft Windows Network/Domain/Computers, then when I tried to expand a Windows 8.1 Pro computer node, it hangs out. 
    I narrowed this problem to Windows firewall related issue on Windows 8.1 Pro computer. 
    When I turn off Windows Firewall on the Domain profile, Backup Exec Selection expands the computer node of the Windows 8.1 Pro computer. So, I created an inbound rule opening everything to the Backup Exec server as follows, but it's still not the same as turning off
    Windows Firewall specifically on the Windows 8.1 Pro computer:
    Any Local IP address, Any Remote IP address, Any port, Any protocol, All Interface, All Programs and Services, All profiles(Domain, Private, Public)
    And there are no rules blocking any which may override the above rule. 
    Ethernet on Windows 8.1 Pro computer shows profile is linked with Domain, but just to make it work, I selected all profiles.
    Even though I opened everything available in the inbound rule, it's still not the same as turning off Windows Firewall. What am I missing?

    It looks like something related to RPC (UDP 135), but even when the inbound rule is all open, why does it matter? RPC seems to work fine only when the firewall is turned off on the Domain profile.
    Protocol 17 is UDP
    Port: 135
    ===============================
    Event ID 5152
    The Windows Filtering Platform has blocked a packet.
    Application Information:
    Process ID: 0
    Application Name:
    Network Information:
    Direction: Outbound
    Source Address: 192.168.1.120
    Source Port: 0
    Destination Address: 192.168.1.11
    Destination Port: 0
    Protocol: 1
    Filter Information:
    Filter Run-Time ID: 245836
    Layer Name: ICMP Error
    Layer Run-Time ID: 32

    The Windows Filtering Platform has blocked a packet.
    Application Information:
    Process ID: 0
    Application Name:
    Network Information:
    Direction: Inbound
    Source Address: 192.168.1.11
    Source Port: 35341
    Destination Address: 192.168.1.120
    Destination Port: 135
    Protocol: 17
    Filter Information:
    Filter Run-Time ID: 245834
    Layer Name: Transport
    Layer Run-Time ID: 13

  • RMI firewall issue - opening port 1099 is not enough

    Hello,
    We have a distributed java desktop app that uses RMI with callbacks to communicate amongst the clients. It all works really well at our dev site and at 2 trial sites.
    We are about to deploy out to more customer sites - so I have been doing more testing with firewalls etc and discovered some issues. Our customers are small businesses and typically have between 1 and 10 desktop clients that connect to the server via RMI. These customers are "very NOT technical", so we need to give them set-and-forget firewalls etc.
    This is all on a LAN, with RMI using port 1099. On the firewalls (of the various PCs) we open ports 1099 (RMI) and 5432 (for the Postgres DB).
    Also, I was using "CurrPorts" and "SmartSniff" to monitor the traffic at each PC - so I had a reasonable view of proceedings.
    Basically, opening port 1099 on the server is necessary, but it is NOT ENOUGH. The RMI moves off to ports other than 1099, and the server firewall does not allow the connection.
    Procedure ...
    (1) start the "server" app - which starts the RMI registry - the "localhost" desktop app also starts and it works well to both the database and the RMI.
    (2) start another client - it connects to the DB Server, but NOT the RMI server.
    (3) open the server firewall to all traffic for a few seconds - then the client connects successfully.
    From CurrPort logging I could watch the RMI comms progress over those first few minutes ...
    Initially the comms do include port 1099 on the initial call to the server, but thereafter there are always 2 or 3 "channels" open, but not to 1099.
    I notice that the Postgres DB keeps using port 5432 for all of its active channels - so it does not have the same firewall issue.
    After we have opened the firewall for a few seconds - to enable the link - then we can turn the client on and off and the client re-connects without issue - so it would seem to be only an issue with the initial connection.
    I am sure that this is all completely standard and correct RMI behavior.
    QUESTIONS:
    1. Can RMI be "forced" to always use port 1099 for connections, and not move to other ports? (like the database uses 5432)
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Other comments ...
    The firewall lets me open individual ports (say 1099) - BUT I cannot justify opening ALL ports.
    The firewall lets me open all ports to an application, say "C:\Program Files\Java\jre6\bin\java.exe", but that app will occasionally change at a customer's site as they will update their java version and suddenly our app will stop working.
    Any guidance is appreciated.
    Many Thanks,
    -Damian

    1. Can RMI be "forced" to always use port 1099 for connections? Yes. Export all your servers on the same port. See the UnicastRemoteObject constructor that takes an int, or UnicastRemoteObject.exportObject(int). If the RMI Registry is a separate process you can't re-use 1099 for this purpose, but see below.
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour? Yes. Start the RMI Registry in the same JVM as the code, then you only need to use 1099 for everything.
    If you are using server socket factories, make sure they have an equals() method, or use the same instance for all remote objects.
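    The single-port layout the answer describes, as an added example that is not part of the original post or of the poster's application: the registry is created in the same JVM and every remote object, including the client-side callback, is exported on a fixed port, so only that port needs to be open in each PC's firewall. The interfaces, class names and port numbers are assumptions chosen for illustration.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Hypothetical remote interfaces for illustration, not the poster's real API.
interface Callback extends Remote {
    void onEvent(String event) throws RemoteException;
}

interface Service extends Remote {
    void register(Callback cb) throws RemoteException;
    String ping(String msg) throws RemoteException;
}

public class FixedPortRmi {
    // Assumed port numbers: the registry and every exported object share RMI_PORT
    // on the server; each client exports its callback object on CALLBACK_PORT.
    static final int RMI_PORT = 1099;
    static final int CALLBACK_PORT = 1100;

    static class ServiceImpl implements Service {
        public void register(Callback cb) throws RemoteException {
            // The server connects *back* to the client here, so CALLBACK_PORT is the
            // one inbound port the client PC's firewall has to allow.
            cb.onEvent("registered");
        }
        public String ping(String msg) { return "pong: " + msg; }
    }

    static class CallbackImpl implements Callback {
        public void onEvent(String event) { System.out.println("callback: " + event); }
    }

    // Server side: registry and service on the same port, in the same JVM.
    // With the default socket factory RMI reuses one listening socket for both,
    // so TCP 1099 is the only inbound port the server firewall needs.
    static Registry startServer() throws Exception {
        Registry registry = LocateRegistry.createRegistry(RMI_PORT);
        Service stub = (Service) UnicastRemoteObject.exportObject(new ServiceImpl(), RMI_PORT);
        registry.rebind("service", stub);
        return registry;
    }

    // Client side: look up the service on 1099 and export the callback on a fixed
    // port instead of the anonymous port that exportObject(obj, 0) would pick.
    static String runClient(String host) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, RMI_PORT);
        Service service = (Service) registry.lookup("service");
        Callback cb = (Callback) UnicastRemoteObject.exportObject(new CallbackImpl(), CALLBACK_PORT);
        service.register(cb);
        String reply = service.ping("hello");
        UnicastRemoteObject.unexportObject(cb, true);
        return reply;
    }

    public static void main(String[] args) throws Exception {
        startServer();                              // both roles in one process for the demo
        System.out.println(runClient("localhost"));
        System.exit(0);                             // exported objects otherwise keep the JVM alive
    }
}
```

    On a multi-homed client, setting java.rmi.server.hostname to the address the server can reach is still needed for the callback; the fixed port only removes the firewall guesswork.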

  • IOS Zone firewall (ZFW) & changing SSH listening port

    I'll have to check into the details again but I recall there being a way to change the listening port for SSH. Not only do you have to configure SSH itself to listen on a new port but I think there was something about making the inbound interface part of a rotary group or something.
    Anyway, my question is more about how the zone firewall reacts to this. If I have inspect set for SSH (or pass) and yet change the default port for it, does the IOS still know to take the configured action on the protocol? I'll try to test this myself once I have an opportunity but may not be able to for several days, plus if anybody has anything further to add regarding any other implications this port change might have, please share.
    Thanks! 

    Hi Julio,
    You are ever helpful, sir. However, things are not making sense.
    Ok so to take it from the top. So far I have done the following:
    Router(config)#ip ssh port 2340 rotary 1
    Then:
    Router(config)#line vty 0 123 (123 = max # of vty lines, my actual # is different)
    Router(config-line)#rotary 1
    This of course does not make SSH on port 2340 work from the Internet zone to Self as I have not yet modified the firewall nor done the ip port-map command. It does work from the LAN side to Self since that zone-pair is more forgiving, however, it works on both 22 and 2340 which I thought odd since I thought the ip ssh command changes the SSH server listening port.
    I have not yet permanently set the ip port-map command. However I ran it once and then did a sh ip port-map ssh
    This showed system defined ssh port maps for tcp and udp on 22, and then my user defined one for tcp port 2340. Interesting that the system-defined ones are both UDP and TCP - I thought SSH was TCP only.
    According to the IOS command references (for release 15.2), I should not be able to remove the system-defined port map entries as it would give an error. However, I did no ip port-map ssh port tcp 22 and the same for the UDP entry and they disappeared - so now for sh ip port-map ssh I get no results returned. Yet, SSH still works on 22 and 2340.
    Be that as it may, after some further testing I've concluded that with or without use of the ip port-map ssh port tcp 2340 entry, SSH works (from LAN to Self) on either port 22 or 2340. It seems ip port-map has no effect on the SSH server itself (?). Or perhaps PAM is overridden by the ip ssh commands?
    So at that point I decided to stop testing, not doing anything with the firewall yet, until I understand things better. So far, the IOS is very confusing in its behavior.
    Changing the SSH server's listening port via ip ssh command to something other than 22 seems to not actually change anything, it just adds that port in addition to 22.
    Port-application mapping appears to have no effect on the SSH server (I have not tested whether ip ssh overrides PAM or vice versa).
    So far there seems to be no way to actually change port 22 usage - even "deleting" the PAM entry for ssh via 22 has no effect.
    Confusing!

  • Help with cisco 881

    Hello
    I'm having some trouble configuring a cisco 881. I'm building a lab where I connect 2 cisco 881 through the fe4 interface (Wan port), and then connect to each router a PC, at interface fe0 (Lan port). The idea was to establish connection and implementing a static route between the 2 routers.
    As a default the 881 has DHCP enabled on VLAN1 (10.10.10.0/24). So I set the PCs to get IPs automatically. On Router A, I changed the DHCP pool so that I had a different network (11.10.10.0/24). So I have PC1 (11.10.10.2) connected to Router A on interface fa0. Router A connects to Router B through the fe4 interfaces (WAN ports). And PC2 (10.10.10.0/24) connects to Router B on the fa0 interface.
    I assigned an ip address to fe4 on Router A (192.168.10.1/24) and an ip address to fe4 on Router B (192.168.10.2/24).
    At last I configured the static routes on both routers.
    On Router A: ip route 10.10.10.0 255.255.255.0 192.168.10.2
    On Router B: ip route 11.10.10.0 255.255.255.0 192.168.10.1
    With everything configured I tested the connections.
    PC 1 to its gateway: successful
    PC 1 to 192.168.10.2: successful
    PC1 to the gateway of PC2(10.10.10.1/24): successful
    PC 1 to PC 2: failed
    PC 2 to its gateway: successful
    PC 2 to 192.168.10.1: successful
    PC2 to the gateway of PC1(11.10.10.1/24): successful
    PC 1 to PC 2: failed
    Well this is the scenario. I really don't understand the problem. I think I did everything right, but I simply don't get the result. Is there an error with my configuration or is this simply not doable?
    Thanks a lot.

    Have you checked that the firewalls are turned off? If you can ping the far side, that tells me you have a default gateway configured on the workstation and that the far side router has a route back to you. The only thing left would be firewalls need to be turned off on the workstations.
    HTH,
    John
    *** Please rate all useful posts ***

  • Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

    I have a cisco 881 ISR Router with a site-to-site IPsec vpn tunnel to a mikrotik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up, however traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (vlans are required on the L2 ports) and does not pass to the tunnel.
    This is my configuration:
    141Kerioth#sh config
    Using 3763 out of 262136 bytes
    ! Last configuration change at 01:02:41 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    141Kerioth#do wr mem
                  ^
    % Invalid input detected at '^' marker.
    141Kerioth#wr mem
    Building configuration...
    [OK]
    141Kerioth#sh run
    Building configuration...
    Current configuration : 5053 bytes
    ! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-580381394
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-580381394
     revocation-check none
     rsakeypair TP-self-signed-580381394
    crypto pki certificate chain TP-self-signed-580381394
     certificate self-signed 01
            quit
    ip dhcp excluded-address 10.0.16.1
    ip dhcp pool ccp-pool
     import all
     network 10.0.16.0 255.255.255.0
     default-router 10.0.16.1
     dns-server 8.8.8.8
     lease 0 2
    ip domain name kerioth.com
    ip host hostname.domain z.z.z.z
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX180483DD
    username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
    username meadowbrook privilege 0 password 0 $8UBr#Ux
    username meadowbrook autocommand exit
    policy-map type inspect outbound-policy
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 5
    crypto isakmp key 141Township address z.z.z.z
    crypto isakmp keepalive 10
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode tunnel
    crypto map mymap 10 ipsec-isakmp
     set peer z.z.z.z
     set transform-set TS
     match address 115
    interface Loopback0
     no ip address
    interface Tunnel1
     no ip address
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface FastEthernet4
     description $FW_OUTSIDE_WAN$
     ip address 50.y.y.y 255.255.255.240
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map mymap
    interface Vlan1
     description $ETH_LAN$
     ip address 10.0.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 115 interface Vlan1 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip nat inside source route-map nonat interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 50.x.x.x
    access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 110 permit ip 10.0.16.0 0.0.0.255 any
    access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 144 permit icmp host c.c.c.c host 10.0.1.50
    access-list 144 permit icmp host p.p.p.p host 10.0.16.105
    access-list 199 permit ip a.a.a.a 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
     match ip address 100
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     transport preferred ssh
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    cns trusted-server all-agents x.x.x.x
    cns trusted-server all-agents hostname
    cns trusted-server all-agents hostname.domain
    cns id hardware-serial
    cns id hardware-serial event
    cns id hardware-serial image
    cns event hostname.domain 11011
    cns config initial hostname.domain 80
    cns config partial hostname.domain 80
    cns exec 80
    end
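    As an added example (not from the original post and not Cisco's code), here is a small Python check that reads an IOS running-config and flags two patterns visible in the configuration above: the crypto ACL 115 also being used as a NAT source list, and the NAT route-map nonat matching ACL 100, which the config never defines. The sample config is a constructed excerpt of the posted output; the check relies on the IOS order of operations in which inside-to-outside NAT runs before the crypto map is evaluated, so traffic meant for the tunnel is translated first and no longer matches the crypto ACL.

```python
import re

# Constructed excerpt of the IOS config posted above (only the lines the check needs).
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer z.z.z.z
 match address 115
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 199 permit ip a.a.a.a 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
"""

def lint_nat_vs_crypto(config: str) -> list:
    """Return warnings for crypto ACLs reused as NAT lists and NAT route-maps on undefined ACLs."""
    defined, crypto_acls, nat_lists, nat_maps = set(), set(), set(), set()
    rm_acls = {}       # route-map name -> ACLs it matches
    current_rm = None  # route-map block we are currently inside, if any
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):  # a top-level command ends any route-map block
            current_rm = None
        if m := re.match(r"access-list (\S+) ", s):
            defined.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+) ", s):
            nat_lists.add(m.group(1))
        elif m := re.match(r"ip nat inside source route-map (\S+) ", s):
            nat_maps.add(m.group(1))
        elif m := re.match(r"route-map (\S+) ", s):
            current_rm = m.group(1)
            rm_acls.setdefault(current_rm, set())
        elif m := re.match(r"match address (\S+)$", s):      # crypto map sub-command
            crypto_acls.add(m.group(1))
        elif current_rm and (m := re.match(r"match ip address (\S+)$", s)):
            rm_acls[current_rm].add(m.group(1))
    findings = []
    for acl in sorted(crypto_acls & nat_lists):
        findings.append(f"ACL {acl} is both the crypto-map match list and a NAT source list; "
                        "inside-to-outside NAT runs before the crypto map, so the translated "
                        "packets no longer match the crypto ACL")
    for rm in sorted(nat_maps):
        for acl in sorted(rm_acls.get(rm, set()) - defined):
            findings.append(f"route-map {rm} (used for NAT) matches ACL {acl}, which is not defined")
    return findings
```

    Run on the excerpt it returns two warnings; the usual remedy pattern is visible in the config's own ACL 110 (deny the VPN subnet pair, then permit the rest) wired to a NAT route-map, so that tunnel-bound traffic is exempted from translation.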

    Why do you have following command on the PIX?
    crypto map outside_map 40 set transform-set 165.228.x.x
    Also you have this transform set on the PIX:
    crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
    This does not match the transform set on the router:
    crypto ipsec transform-set tritest esp-3des esp-md5-hmac
    Where are you using the access-list/route-map 101?
