Cisco IOS Zone Based Firewall and IPv6

Similar Messages

• Problems with Zone based Firewall and mtr (mytraceroute)

  We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
  http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
  <code>
                                                                                                                     Packets               Pings
  Host                                                                                                            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. Stuttgart-I28-1.belwue.de                                                                                    100.0     8    0.0   0.0   0.0   0.0   0.0
  2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net                                                                        100.0     7    0.0   0.0   0.0   0.0   0.0
  3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net                                                                       100.0     7    0.0   0.0   0.0   0.0   0.0
  4. Karlsruhe1-10GE-4-0-0.belwue.net                                                                             100.0     7    0.0   0.0   0.0   0.0   0.0
  5. Mannheim1-10GE-3-0-0.belwue.net                                                                              100.0     7    0.0   0.0   0.0   0.0   0.0
  6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net                                                                    100.0     7    0.0   0.0   0.0   0.0   0.0
  7. de-cix20.net.google.com                                                                                      100.0     7    0.0   0.0   0.0   0.0   0.0
  8. 72.14.238.230                                                                                                100.0     7    0.0   0.0   0.0   0.0   0.0
  9. 72.14.239.62                                                                                                 100.0     7    0.0   0.0   0.0   0.0   0.0
  10. 209.85.242.187                                                                                               100.0     7    0.0   0.0   0.0   0.0   0.0
  11. ???
  12. ???
  13. ???
  14. bk-in-f94.1e100.net                                                                                           0.0%     7   20.0  20.6  20.0  21.2   0.4
  </code>
  So it seems that the Firewall on my asr1001 is throwing away all packets with ttl-exceeded coming back from hops in between, they have another destination address.
  At the moment I am inspecting all kind of traffic from my network outgoing:
  ip access-list extended 101
  permit ip any any
  class-map type inspect match-all cmap1
  match access-group name 101
  policy-map type inspect pmap1
  class type inspect cmap1
  inspect
  etc... (zones, zone-pair in-out with policies applied)
  So I tried to let pass all icmp-traffic from the outside to my network:
  class-map type inspect match-all cmap_icmp
  match protocol icmp
  policy-map type inspect pmap2
  class type inspect cmap_icmp
  pass
  etc... (zones, zone-pair out-in with policies applied)
  So this has no effect, but I tested and I could figure out, that when I pass all icmp-traffic from my network to the outside, THEN mtr does work.
  BUT then normal ping does not work anymore, because it will not be inspected any more.
  But I want to have a secure Firewall with inspecting echo-replys and working mtr anyway.
  Has anyone the same problem or can even solve this issue?
  Thanks in advance,
  Stefan

  Hi Andrew, thanks for Your answer...
  So I have now:
  class-map type inspect match-any cmap_icmp
  match access-group name icmp_types
  ip access-list extended icmp_types
  permit icmp any any ttl-exceeded
  PMAP IN--> OUT
  (don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
  policy-map type inspect vlan664_pmap_in
  class type inspect vlan664_cmap_in   (this is an extended ACL "permit ip x.x.x.x any")
    inspect
  class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
    pass log
  class class-default
    drop log
  PMAP OUT-->IN
  policy-map type inspect vlan664_pmap_out
  class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
    pass log
  class type inspect vlan664_cmap_out (some open ports for some clients)
    inspect
  class type inspect ipsec_cmap_out (same problem with VPN when inspected)
    pass log
  class class-default
    drop log
  But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with 3rd packet the packetloss comes up:
                                                  Packets               Pings
  Host                                         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. Stuttgart-I28-1.belwue.de                 50.0%     3    0.3   0.3   0.3   0.3   0.0
  2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net     50.0%     3    0.9   0.9   0.9   0.9   0.0
  3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     0.0%     2    2.7   2.7   2.7   2.7   0.0
  4. Karlsruhe1-10GE-4-0-0.belwue.net           0.0%     2    1.5   1.5   1.5   1.5   0.0
  5. Mannheim1-10GE-3-0-0.belwue.net            0.0%     2    2.5   2.5   2.5   2.5   0.0
  6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  0.0%     2    4.1   4.1   4.1   4.1   0.0
  7. de-cix20.net.google.com                    0.0%     2    5.0   5.0   5.0   5.0   0.0
  8. 72.14.238.44                               0.0%     2   39.2  39.2  39.2  39.2   0.0
  9. 72.14.236.68                               0.0%     2    5.4   5.4   5.4   5.4   0.0
  10. 209.85.254.118                             0.0%     2    5.4   5.4   5.4   5.4   0.0
  11. ???
  12. google-public-dns-a.google.com             0.0%     2    5.5   5.3   5.2   5.5   0.2
                                                   Packets               Pings
  Host                                          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. Stuttgart-I28-1.belwue.de                  66.7%     4    0.3   0.3   0.3   0.3   0.0
  2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net      66.7%     4    0.8   0.8   0.8   0.8   0.0
  3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     66.7%     4    2.1   2.1   2.1   2.1   0.0
  4. Karlsruhe1-10GE-4-0-0.belwue.net           66.7%     4    1.5   1.5   1.5   1.5   0.0
  5. Mannheim1-10GE-3-0-0.belwue.net            66.7%     4    2.6   2.6   2.6   2.6   0.0
  6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net  66.7%     4    4.2   4.2   4.2   4.2   0.0
  7. de-cix20.net.google.com                    66.7%     4    5.3   5.3   5.3   5.3   0.0
  8. 72.14.238.44                               66.7%     4   70.3  70.3  70.3  70.3   0.0
  9. 72.14.239.60                               66.7%     4    5.8   5.8   5.8   5.8   0.0
  10. 209.85.254.116                             66.7%     4    5.8   5.8   5.8   5.8   0.0
  11. ???
  12. google-public-dns-a.google.com              0.0%     4    6.3   5.7   5.2   6.3   0.5
  In the sessions on the routers, I see only this entry:
           Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
  Any other suggestions?

• Cisco Zone-based firewall issue/ not receiving return traffic

  Hi,
  I have created a Cisoc IOS Zone based firewall on my cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
  I have two zone pairs: Internal to Outside and Outside to Internal.
  In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
  In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
  To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
  Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.

  Please share your config. Then we can see what's wrong there.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Firewall and IPv6, how to block ports?

  I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine, by adjusting the settings in the Firewall configurations in the system preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6. I suspect I going to need a command line tool or a third-party tool, but I am willing to deal with this until Apple sorts this out through a security update (please?).
  The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.

  Hi Andre,
  The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
  What speed is it? 867
  Leopard requirements...
  * Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
  minimum system requirements
  * 512MB of memory
  * DVD drive for installation
  * 9GB of available disk space
  Not sure on IPv6, since the whole purpose seems to be to pinpoint individual computers to the whole world, but IPFW may still work...
  WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features...
  http://www.macupdate.com/info.php/id/23317
  See also...
  http://oreilly.com/pub/a/mac/2005/03/15/firewall.html
  http://tadek.pietraszek.org/blog/2007/05/01/adding-custom-firewall-rules-in-osx/

• Cisco IOS supporting both voice and vpn

  Hi Friends
  i have one 2821 router.Can any one suggesting which ios will support both voice and vpn?

  Questions like this are better/faster answered by checking feature navigator.
  http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
  My suggestion is to run an MD release.
  Also a big dated document:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_tech_note09186a00800fb9d9.shtml
  For old software and hardware you can also check out Figure 1 here:
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_bulletin_c25_506007.html
  M.

• Cisco IOS XE for 5508 and 2504 WLCs

  Hi,
  does anybody know whether new IOS XE introduced for WLC 5760 will be also available for 5508 and 2504 series controllers?
  Thank you.
  Regards
  Karel Navratil

  No it will not be.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• CCP bug with with zone based firewall policies

  Hello guys,
  I'm facing a problem today right after creating some new rules.
  When we are going to "Edit Firewall Policy" the Rule Flow Diagram is showing up. My problem is that i don't see anymore the button which let me disable it !!
  You can see the screenshot.
  So my questions are:
  - Is there a way to disable this diagram ? (maybe with some java configuration)
  - Is there a way to modify this display ?
  I have the same problem on a Win7, Win8, Win2008 & Win2012. Tested with Java 1.6u11 to 1.7
  Thanks for the help.

  I tried taking the http inspection rules out and had the same problem.
  debug messages :
  000168: Feb  9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
  000169: Feb  9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846  due to  Out-Of-Order Segment with ip ident 0
  000170: Feb  9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
  000171: Feb  9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823  due to  Out-Of-Order Segment with ip ident 0
  000172: Feb  9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897  due to  Out-Of-Order Segment with ip ident 0
  000173: Feb  9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25  due to  Retransmitted Segment with Invalid Flags with ip ident 0

• Websense web filtering not working with 2911 with zone based firewall

  Hi,
  Any one ran into this issue
  We use websense for guest wifi but i dont see requests hitting websense server
  config is below
  class-map type inspect match-any test-1
   match protocol http
  policy-map type inspect Wifi-test
   class type inspect  test-1
    inspect
  urlfilter websense-parmap
   class class-default
    drop
  parameter-map type urlfilter websense-parmap
   server vendor websense 10.10.1.4
   source-interface GigabitEthernet0/2
   allow-mode on
   cache 100
  zone-pair security Wifi-in-out source Wifi destination outside
  service-policy type inspect Wifi-test
  interface GigabitEthernet0/1
   description Internet
   ip address 192.168.10.1 255.255.255.0
   ip nbar protocol-discovery
   ip nat inside
   ip virtual-reassembly in
   zone-member security Wifi
  interface GigabitEthernet0/2
   description LAN
   ip address 10.10.4.1 255.255.255.0
  zone-member security inside

  Hi Stan,
  You should be able to adapt this config example to your environment.
  Andy-
  class-map type inspect match-any http-cm
   match protocol http
  parameter-map type urlfpolicy websense websense-parm
   server <websense server IP>
   source-interface <lan interface>
   allow-mode on
   truncate hostname
  class-map type urlfilter websense match-any websense-cm
   match server-response any
  policy-map type inspect urlfilter websense-pm
   parameter type urlfpolicy websense websense-parm
   class type urlfilter websense websense-cm
    server-specified-action
  policy-map type inspect Inside->Internet-pm
   description Inside trusted to Internet
   class type inspect http-cm
    inspect
    service-policy urlfilter websense-pm
   class type inspect Inside->Internet-cm
    inspect
   class class-default
    drop
  zone-pair security Inside->Internet source Inside destination Internet
   service-policy type inspect Inside->Internet-pm
  ! to check status & url block counts
  show policy-map type inspect zone-pair Inside->Internet urlfilter

• How to allow website using the domain name in zone based firewall ?

    Hi,            
  I need to give a restricted access to internet by allowing few sites. How will I do it with the url of a particular website. If I put the url in the configuration it resolves to only a single IP. How will I do it for a website like google where there are numerous number of IP addresses.
  Regards,
  Tony

  Hi Bro
  Please kindly refer to this URL https://supportforums.cisco.com/docs/DOC-17014
  I hope this is what you're looking for :-)
  P/S: If you think this comment is helpful, please do rate it nicely :-)

• Standard (application-based) firewall with one additional port open?

  Lion and Snow Leopard both have application based firewalls.  I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java.  How can I open one port in addition to leaving the standard firewall in place?

  Hi
  The Zone based firewall uses "inspect" statements, that's just what it does.
  A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
  ip access-list standard INSIDE-NETWORK_ACL
   permit 192.168.1.0 255.255.255.0
  class-map type inspect INSIDE-NETWORK_CMAP
   match access-group name INSIDE-NETWORK_ACL
  class-map type inspect HTTPS_CMAP
   match protocol https
  policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
   class type inspect INSIDE-NETWORK_CMAP
    inspect
  policy-map type inspect OUTSIDE-TO-SELF
   class type inspect HTTPS_CMAP
    pass
  zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTISDE
   service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
  zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
   service-policy type inspect OUTSIDE-TO-SELF
  I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw

• Cisco 881 Zone Firewall issues

  I'm having issues with an 881 that I have configured as a zone based firewall.
  I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
  On the corporate side the user complains that some websites fail, such as Linked in.
  I have been using CCP to configure the device. What am I doing wrong?
  =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
  sh run
  Building configuration...
  Current configuration : 22210 bytes
  ! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
  ! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
  ! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
  version 15.1
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname -Rt
  boot-start-marker
  boot-end-marker
  security authentication failure rate 10 log
  security passwords min-length 6
  logging buffered 51200
  logging console critical
  enable secret 5
  enable password 7
  aaa new-model
  aaa authentication login local_auth local
  aaa session-id common
  memory-size iomem 10
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-3066996233
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3066996233
  revocation-check none
  rsakeypair TP-self-signed-3066996233
  crypto pki certificate chain TP-self-signed-3066996233
  certificate self-signed 01
  quit
  no ip source-route
  no ip gratuitous-arps
  ip dhcp excluded-address 10.0.2.2
  ip dhcp excluded-address 10.0.2.1
  ip dhcp pool Trusted
  import all
  network 10.0.2.0 255.255.255.0
  default-router 10.0.2.1
  domain-name spectra.local
  dns-server 10.0.2.2 10.0.1.6
  option 150 ip 10.1.1.10 10.1.1.20
  ip dhcp pool Guest
  import all
  network 192.168.112.0 255.255.255.0
  default-router 192.168.112.1
  dns-server 4.2.2.2 4.2.2.3
  ip cef
  no ip bootp server
  ip domain name yourdomain.com
  ip name-server 10.0.2.2
  ip name-server 4.2.2.2
  login block-for 5 attempts 3 within 2
  no ipv6 cef
  multilink bundle-name authenticated
  vpdn enable
  vpdn-group 1
  parameter-map type inspect global
  log dropped-packets enable
  log summary flows 256 time-interval 30
  parameter-map type regex ccp-regex-nonascii
  pattern [^\x00-\x80]
  parameter-map type protocol-info yahoo-servers
  server name scs.msg.yahoo.com
  server name scsa.msg.yahoo.com
  server name scsb.msg.yahoo.com
  server name scsc.msg.yahoo.com
  server name scsd.msg.yahoo.com
  server name cs16.msg.dcn.yahoo.com
  server name cs19.msg.dcn.yahoo.com
  server name cs42.msg.dcn.yahoo.com
  server name cs53.msg.dcn.yahoo.com
  server name cs54.msg.dcn.yahoo.com
  server name ads1.vip.scd.yahoo.com
  server name radio1.launch.vip.dal.yahoo.com
  server name in1.msg.vip.re2.yahoo.com
  server name data1.my.vip.sc5.yahoo.com
  server name address1.pim.vip.mud.yahoo.com
  server name edit.messenger.yahoo.com
  server name messenger.yahoo.com
  server name http.pager.yahoo.com
  server name privacy.yahoo.com
  server name csa.yahoo.com
  server name csb.yahoo.com
  server name csc.yahoo.com
  parameter-map type protocol-info msn-servers
  server name messenger.hotmail.com
  server name gateway.messenger.hotmail.com
  server name webmessenger.msn.com
  parameter-map type protocol-info aol-servers
  server name login.oscar.aol.com
  server name toc.oscar.aol.com
  server name oam-d09a.blue.aol.com
  license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
  archive
  log config
  logging enable
  username S privilege 15 secret 4
  username ed privilege 15 password 7
  ip tcp synwait-time 10
  ip tcp path-mtu-discovery
  ip ssh time-out 60
  ip ssh authentication-retries 2
  class-map type inspect match-any SDM_BOOTPC
  match access-group name SDM_BOOTPC
  class-map type inspect imap match-any ccp-app-imap
  match invalid-command
  class-map type inspect match-any ccp-cls-protocol-p2p
  match protocol edonkey signature
  match protocol gnutella signature
  match protocol kazaa2 signature
  match protocol fasttrack signature
  match protocol bittorrent signature
  class-map type inspect match-any SDM_DHCP_CLIENT_PT
  match class-map SDM_BOOTPC
  class-map type inspect match-any SDM_AH
  match access-group name SDM_AH
  class-map type inspect match-any ccp-skinny-inspect
  match protocol skinny
  class-map type inspect http match-any ccp-app-nonascii
  match req-resp header regex ccp-regex-nonascii
  class-map type inspect match-any sdm-cls-bootps
  match protocol bootps
  class-map type inspect match-any TFTP
  match protocol tftp
  class-map type inspect match-any SDM_ESP
  match access-group name SDM_ESP
  class-map type inspect match-any SDM_VPN_TRAFFIC
  match protocol isakmp
  match protocol ipsec-msft
  match class-map SDM_AH
  match class-map SDM_ESP
  class-map type inspect match-all SDM_VPN_PT
  match access-group 105
  match class-map SDM_VPN_TRAFFIC
  class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
  match access-group name Any-From-HO
  class-map type inspect match-any Skinny
  match protocol skinny
  class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
  match class-map Skinny
  match access-group name Hostcom-Skinny
  class-map type inspect match-any ccp-h323nxg-inspect
  match protocol h323-nxg
  class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  class-map type inspect match-any ccp-cls-protocol-im
  match protocol ymsgr yahoo-servers
  match protocol msnmsgr msn-servers
  match protocol aol aol-servers
  class-map type inspect match-any Pings
  match protocol icmp
  class-map type inspect match-any Ping-
  match class-map Pings
  class-map type inspect match-all ccp-cls-ccp-inspect-2
  match class-map Ping-
  match access-group name Ping-
  class-map type inspect match-any DNS
  match protocol dns
  class-map type inspect match-all ccp-cls-ccp-inspect-3
  match class-map DNS
  match access-group name Any-any
  class-map type inspect match-all ccp-protocol-pop3
  match protocol pop3
  class-map type inspect match-any ccp-h225ras-inspect
  match protocol h225ras
  class-map type inspect match-all ccp-cls-ccp-inspect-1
  match access-group name Any/Any
  class-map type inspect match-any https
  match protocol https
  class-map type inspect match-all ccp-cls-ccp-inspect-4
  match class-map https
  match access-group name any-any
  class-map type inspect match-any UDP
  match protocol udp
  match protocol tcp
  class-map type inspect match-all ccp-cls-ccp-inspect-5
  match class-map UDP
  match access-group name InsideOut
  class-map type inspect match-any ccp-h323annexe-inspect
  match protocol h323-annexe
  class-map type inspect match-any SDM_SSH
  match access-group name SDM_SSH
  class-map type inspect pop3 match-any ccp-app-pop3
  match invalid-command
  class-map type inspect match-any SDM_HTTPS
  match access-group name SDM_HTTPS
  class-map type inspect match-all ccp-protocol-p2p
  match class-map ccp-cls-protocol-p2p
  class-map type inspect match-all ccp-cls-ccp-permit-2
  match class-map Pings
  match access-group name RespondtoSomePings
  class-map type inspect match-any RemoteMgt
  match protocol ssh
  match protocol https
  class-map type inspect match-all ccp-cls-ccp-permit-1
  match class-map RemoteMgt
  match access-group name Spectra-RemoteMgt
  class-map type inspect match-any SDM_SHELL
  match access-group name SDM_SHELL
  class-map type inspect match-any ccp-h323-inspect
  match protocol h323
  class-map type inspect match-all ccp-protocol-im
  match class-map ccp-cls-protocol-im
  class-map type inspect match-all ccp-icmp-access
  class-map type inspect match-all ccp-invalid-src
  match access-group 103
  class-map type inspect http match-any ccp-app-httpmethods
  match request method bcopy
  match request method bdelete
  match request method bmove
  match request method bpropfind
  match request method bproppatch
  match request method connect
  match request method copy
  match request method delete
  match request method edit
  match request method getattribute
  match request method getattributenames
  match request method getproperties
  match request method index
  match request method lock
  match request method mkcol
  match request method mkdir
  match request method move
  match request method notify
  match request method options
  match request method poll
  match request method post
  match request method propfind
  match request method proppatch
  match request method put
  match request method revadd
  match request method revlabel
  match request method revlog
  match request method revnum
  match request method save
  match request method search
  match request method setattribute
  match request method startrev
  match request method stoprev
  match request method subscribe
  match request method trace
  match request method unedit
  match request method unlock
  match request method unsubscribe
  class-map type inspect match-any ccp-dmz-protocols
  match protocol http
  match protocol dns
  match protocol https
  class-map type inspect match-any WebBrowsing
  match protocol http
  match protocol https
  class-map type inspect match-any DNS2
  match protocol dns
  class-map type inspect match-any ccp-sip-inspect
  match protocol sip
  class-map type inspect http match-any ccp-http-blockparam
  match request port-misuse im
  match request port-misuse p2p
  match request port-misuse tunneling
  match req-resp protocol-violation
  class-map type inspect match-all ccp-protocol-imap
  match protocol imap
  class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
  match class-map WebBrowsing
  match access-group name DMZ-Out
  class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
  match class-map DNS2
  match access-group name DMZtoAny
  class-map type inspect match-all ccp-protocol-smtp
  match protocol smtp
  class-map type inspect match-all ccp-protocol-http
  match protocol http
  policy-map type inspect ccp-permit-icmpreply
  class type inspect sdm-cls-bootps
  pass
  class type inspect ccp-icmp-access
  inspect
  class class-default
  pass
  policy-map type inspect imap ccp-action-imap
  class type inspect imap ccp-app-imap
  log
  reset
  policy-map type inspect pop3 ccp-action-pop3
  class type inspect pop3 ccp-app-pop3
  log
  reset
  policy-map type inspect ccp-inspect
  class type inspect ccp-cls-ccp-inspect-2
  inspect
  class type inspect ccp-cls-ccp-inspect-1
  inspect
  class type inspect ccp-cls-ccp-inspect-5
  pass log
  class type inspect TFTP
  inspect
  class type inspect ccp-invalid-src
  drop log
  class type inspect ccp-cls-ccp-inspect-4
  inspect
  class type inspect ccp-protocol-http
  inspect
  class type inspect ccp-protocol-smtp
  inspect
  class type inspect ccp-cls-ccp-inspect-3
  inspect
  class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
  class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
  class type inspect ccp-protocol-p2p
  drop log
  class type inspect ccp-protocol-im
  drop log
  class type inspect ccp-sip-inspect
  inspect
  class type inspect ccp-h323-inspect
  inspect
  class type inspect ccp-h323annexe-inspect
  inspect
  class type inspect ccp-h225ras-inspect
  inspect
  class type inspect ccp-h323nxg-inspect
  inspect
  class type inspect ccp-skinny-inspect
  inspect
  class class-default
  drop log
  policy-map type inspect ccp-permit-outside-in
  class type inspect ccp-cls-ccp-permit-outside-in-2
  inspect
  class type inspect ccp-cls-ccp-permit-outside-in-1
  pass
  class class-default
  drop log
  policy-map type inspect http ccp-action-app-http
  class type inspect http ccp-http-blockparam
  log
  reset
  class type inspect http ccp-app-httpmethods
  log
  reset
  class type inspect http ccp-app-nonascii
  log
  reset
  policy-map type inspect ccp-permit
  class type inspect SDM_VPN_PT
  pass
  class type inspect ccp-cls-ccp-permit-2
  inspect
  class type inspect ccp-cls-ccp-permit-1
  pass
  class type inspect SDM_DHCP_CLIENT_PT
  pass
  class class-default
  drop log
  policy-map type inspect ccp-permit-dmzservice
  class type inspect ccp-cls-ccp-permit-dmzservice-1
  inspect
  class type inspect ccp-cls-ccp-permit-dmzservice-2
  inspect
  class class-default
  drop
  zone security in-zone
  zone security out-zone
  zone security dmz-zone
  zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
  zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
  zone-pair security ccp-zp-out-in source out-zone destination in-zone
  service-policy type inspect ccp-permit-outside-in
  zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
  service-policy type inspect ccp-permit-dmzservice
  crypto isakmp policy 2
  encr aes 256
  authentication pre-share
  group 5
  lifetime 28800
  crypto isakmp key Y address x.x.x.x
  crypto isakmp key o1 address x.x.x.x
  crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to x.x.x.x
  set peer x.x.x.x
  set transform-set ESP-AES256-SHA
  match address 100
  crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to x.x.x.x
  set peer x.x.x.x
  set security-association lifetime kilobytes 128000
  set security-association lifetime seconds 28800
  set transform-set ESP-AES256-SHA
  match address 102
  interface FastEthernet0
  description B
  switchport access vlan 2
  no ip address
  spanning-tree portfast
  interface FastEthernet1
  description Docker
  switchport access vlan 2
  no ip address
  spanning-tree portfast
  interface FastEthernet2
  description Phone
  switchport access vlan 2
  no ip address
  spanning-tree portfast
  interface FastEthernet3
  description Guest
  switchport access vlan 3
  no ip address
  spanning-tree portfast
  interface FastEthernet4
  description External $FW_OUTSIDE$
  bandwidth inherit
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  ip verify unicast source reachable-via rx allow-default 104
  duplex auto
  speed auto
  pppoe-client dial-pool-number 1
  hold-queue 224 in
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  no ip address
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip tcp adjust-mss 1452
  shutdown
  interface Vlan2
  description Trusted Network$FW_INSIDE$
  ip address 10.0.2.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1440
  interface Vlan3
  description Guest Network$FW_DMZ$
  ip address 192.168.112.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly in
  zone-member security dmz-zone
  interface Dialer0
  ip address negotiated
  no ip redirects
  no ip unreachables
  ip directed-broadcast
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  ip verify unicast reverse-path
  encapsulation ppp
  load-interval 30
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callout
  ppp chap hostname
  ppp chap password 7
  ppp pap sent-username password 7
  no cdp enable
  interface Dialer1
  ip address negotiated
  no ip redirects
  no ip unreachables
  ip directed-broadcast
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  ip verify unicast reverse-path
  zone-member security out-zone
  encapsulation ppp
  load-interval 30
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname
  ppp chap password 7
  ppp pap sent-username password 7
  ppp ipcp route default
  ppp ipcp address accept
  no cdp enable
  crypto map SDM_CMAP_1
  ip forward-protocol nd
  no ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
  ip access-list standard SSH-Management
  permit x.x.x.x log
  permit 10.0.2.0 0.0.0.255 log
  permit 10.0.1.0 0.0.0.255 log
  ip access-list extended Any-From-HO
  remark CCP_ACL Category=128
  permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
  permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
  ip access-list extended Any-any
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended Any/Any
  remark CCP_ACL Category=128
  permit ip host 10.0.2.0 host 10.0.1.0
  ip access-list extended DMZ-Out
  remark CCP_ACL Category=128
  permit ip 192.168.112.0 0.0.0.255 any
  ip access-list extended DMZtoAny
  remark CCP_ACL Category=128
  permit ip 192.168.112.0 0.0.0.255 any
  ip access-list extended Hostcom-Skinny
  remark CCP_ACL Category=128
  permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
  ip access-list extended InsideOut
  remark CCP_ACL Category=128
  permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
  ip access-list extended Ping-Hostcom
  remark CCP_ACL Category=128
  permit ip host 10.0.2.2 any
  ip access-list extended RespondtoSomePings
  remark CCP_ACL Category=128
  permit ip 10.0.1.0 0.0.0.255 any
  permit ip host x.x.x.x any
  permit ip host 37.0.96.2 any
  ip access-list extended SDM_AH
  remark CCP_ACL Category=1
  permit ahp any any
  ip access-list extended SDM_BOOTPC
  remark CCP_ACL Category=0
  permit udp any any eq bootpc
  ip access-list extended SDM_ESP
  remark CCP_ACL Category=1
  permit esp any any
  ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=1
  permit tcp any any eq 443
  ip access-list extended SDM_SHELL
  remark CCP_ACL Category=1
  permit tcp any any eq cmd
  ip access-list extended SDM_SSH
  remark CCP_ACL Category=1
  permit tcp any any eq 22
  ip access-list extended RemoteMgt
  remark CCP_ACL Category=128
  permit ip host x.x.x.x any
  permit ip 10.0.1.0 0.0.0.255 any
  ip access-list extended any-any
  remark CCP_ACL Category=128
  permit ip any any
  logging trap debugging
  logging facility local2
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 10.0.2.0 0.0.0.255
  access-list 1 permit 192.168.112.0 0.0.0.255
  access-list 23 remark HTTPS Access
  access-list 23 permit 10.0.2.1
  access-list 23 permit x.x.x.x
  access-list 23 permit 10.0.2.0 0.0.0.255
  access-list 23 permit 10.0.1.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
  access-list 101 remark IPSec Rule
  access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
  access-list 101 permit ip 192.168.112.0 0.0.0.255 any
  access-list 101 permit ip 10.0.2.0 0.0.0.255 any
  access-list 102 remark CCP_ACL Category=4
  access-list 102 remark IPSec Rule
  access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
  access-list 103 remark CCP_ACL Category=128
  access-list 103 permit ip host 255.255.255.255 any
  access-list 103 permit ip 127.0.0.0 0.255.255.255 any
  access-list 104 permit udp any any eq bootpc
  access-list 105 remark CCP_ACL Category=128
  access-list 105 permit ip host x.x.x.x any
  access-list 105 permit ip host x.x.x.x any
  dialer-list 1 protocol ip permit
  no cdp run
  route-map SDM_RMAP permit 1
  route-map SDM_RMAP_1 permit 1
  match ip address 101
  control-plane
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for one-time use. If you have
  already used the username "cisco" to login to the router and your IOS image
  supports the "one-time" user option, then this username has already expired.
  You will not be able to login to the router with this username after you exit
  this session.
  It is strongly suggested that you create a new username with a privilege level
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you
  want to use.
  ^C
  banner login ^C
  Authorised Access Only
  If your not supposed to be here. Close the connection
  ^C
  banner motd ^C
  Access Is Restricted To  Personel ONLY^C
  line con 0
  exec-timeout 5 0
  login authentication local_auth
  transport output telnet
  line aux 0
  exec-timeout 15 0
  login authentication local_auth
  transport output telnet
  line vty 0 4
  access-class SSH-Management in
  privilege level 15
  logging synchronous
  login authentication local_auth
  transport input telnet ssh
  scheduler interval 500
  end

  Hello Martin,
  Please apply the following changes and let us know:
  ip access-list extend DMZtoAny
  1 permit udp 192.168.12.0 0.0.0.255 any eq 53
  no permit ip 192.168.112.0 0.0.0.255 any
  Ip access-list extended DMZ-Out
  1 permit tcp 192.168.12.0 0.0.0.255 any eq 80
  2 permit tcp 192.168.12.0 0.0.0.255 any eq 443
  no permit ip 192.168.112.0 0.0.0.255 any
  Change that, try and if it does not work post the configuration with the changes applied,
  Regards,
  Remember to rate all of the helfpul posts, that is as important as a thanks
  Julio

• Cisco IOS IPS in Cisco 2921/k9 router

  Hi All,
  I have a router of Cisco 2921 series (C2921/K9) basic box with IP BAse IOS image (SL-29-IPB-K9 IOS). I would like to enable IOS Level IPS feature on this Router now. Based on the Cisco Document i have found i need to purchase an additonal subscripton license to enale the IPS feature. My querry is-
  Will it support on the Basic IP Base IOS or do i need to change the IOS?
  If i need to purchase the Subscription Licesne, how can i get the part number and cost for the same?
  Do i need to buy any addtional module for this like (NME-IPS-K9) ?
  Thanks in advance for your quick support
  regards
  Sunny

  Hi Sunny
  1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
  2. Correct, the modules and appliances run a different kind of software and are much more powerful
  3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
  I hope this helps, let us know.
  regards
  Herbert
  jacob.samuel wrote:Dear Herbert,Thanks alot for the wonderful post. It clear most of my doubts. Still i kindly need to know few more points-1)  Cant we enable IPS Feature on 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without signature subscription license (is it a must? it is for getting updates of signatures and for support only, right?)2)  I came to know from a distributor pre-sales engineer that the Cisco IOS Level Intrusion Protection is not going to provide the full feature of IPS like NME module or IPS Applinace. Is that right?3)  If i add NME-IPS-K9 Module to my 2921 Router, without enabling Sec License, can i enable IPS feature on the Router. Or is it a must that i need to buy Sec License (SL-29-SEC-K9)?Attaching the Datasheet of NME-IPS-K9 module (Page num 5 above Table 3) mentione as follows-Cisco IOS Software Feature Sets and ReleaseTable 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841,
  2800 and 3800 series Integrated Services Routers Note that, IPS NME on the Cisco 2900 and 3900 Integrated
  Services Routers does not require a Security Feature license.
  In that case if i buy a module i can install it on the 2921K9 box directly and can enable the IPS feature right? I dont need any License and additonal signature subscription here to enable the IPS feature (if i dont need signature updates and support) right?
  thanks alot for the support.
  regards
  Sunny

• CISCO ASA 5505 bandwidth Controll and split

  Dear All,
  Below am giving the infrastructure which i like to do please help me.
  I Am Using Cisco ASA 5505 VPN Firewall and 6Mbps 1:1 dedicated internet connection.
  in Lan Side we have 3 networks one for Internet Users one For VPN Users One for CCTV
  i would like to split the 6Mbps bandwidth for these network 3 networks 3x2 each
  each network use 2Mbps bandwidth. The VPN and CCTV Users use up to 6:00 pm after that the bandwidth will be free
  after the 6:00 pm we need to use the the VPN and CCTV line bandwidth to the internet Users.
  Cisco Adaptive Security Appliance Software Version 7.2(4)
  Device Manager Version 5.2(4)
  Compiled on Sun 06-Apr-08 13:39 by builders
  System image file is "disk0:/asa724-k8.bin"
  so please help me with suitable configuration for my purpose./please tell me which device will support for this/what is have to do for this.  
  Thanks 
  Lalu R.S

  There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
  You can do some crude controls with QoS - the configuration guide chapter on doing that is here.

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• IPV6 Support in Cisco IOS

  I am having a difficult time determining why on a 2811 running IOS c2800nm-advsecurityk9-mz.150-1.M2.bin,  the router won't accept ipv6 commands.  The feature set from what I can discern includes ipv6 support. However, I have received mixed views.  Does advsecurity image support ipv6 or do I need adv ip services image?               

  The philosophical direction of Cisco is to have full IPv4 and IPv6  parity across feature sets.  Any IPv4 feature should appear in the same  license level of software for IPv6.
  That said, some older software and platforms may have been missed.
  See
  https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition/blog/2011/09/21/ipv6-feature-packaging-in-cisco-routers-and-switches
  See if the problem persists with the latest version.  If so, I'd treat it as a bug and open a case.