Cisco IOS Zone Based Firewall and IPv6
Hello,
I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection works OK only if I disable zone security on the WAN interface (Fe0, the IPv4 interface).
Which protocols must be allowed to and from the router?
IOS version: 15.1.2T1 (Adv.ip services)
Setup:
HE (tunnel-broker) --- Internet (IPv4) ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
Config on router:
IPv4 (self to internet and internet to self)
policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
inspect
class type inspect ICMP-cmap
inspect
class type inspect IPSEC-cmap
pass
class type inspect Protocol41-cmap
pass log
class class-default
drop
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security IPv6tunnel
ipv6 address 2001:47:25:105B::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source FastEthernet0
tunnel mode ipv6ip
tunnel destination xxx.66.80.98
interface FastEthernet0
description WAN interface
ip address xxx.xxx.252.84 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
service-policy type inspect IPv6-out-pmap
zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
service-policy type inspect IPv6-out-pmap
policy-map type inspect IPv6-out-pmap
class type inspect IPv6-internet-class
inspect
class class-default
drop
class-map type inspect match-all IPv6-internet-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
ipv6 route ::/0 Tunnel1
ipv6 unicast-routing
ipv6 cef
parameter-map type inspect v6-param-map
ipv6 routing-header-enforcement loose
sessions maximum 10000
OK, I removed the cmap the packet was getting dropped on, so the current self-to-WAN zone-pair policy map looks like this:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
class-map type inspect match-all cm-selftowan-he-out
match access-group name HETunnelOutbound
ip access-list extended HETunnelOutbound
permit 41 any any
permit ip any host 64.62.200.2
permit ip any host 66.220.2.74
permit ip any host 216.66.80.26
Now we see the same error, just on the 'new' first cmap in the pmap:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to Invalid Segment with ip ident 0
Yet as you can see above, we are allowing proto 41 any any.
I didn't expect any other result really, since the previous cmap had 'permit ip any any', but still: any ideas?
Thanks,
//TrX
EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
I decided to change the outbound cm-selftowan-he-out action to 'pass'.
I suddenly noticed the following log:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session 216.66.80.26:0 :0 on zone-pair wantoself class cm-wantoself-he-in due to Invalid Segment with ip ident 0
Notice this is now inbound having trouble, whereas before it was outbound.
I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
Looking at the original outbound PMAP:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan
inspect
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails, as it seems ip inspect only handles a handful of protocols).
This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
Hope this helps the OP too.
//TrX
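The class-ordering effect TrX describes, modelled in Python as an added example (not code from the thread or from Cisco): a ZBF inspect policy-map is walked top to bottom and the first class whose ACL permits the packet decides. The names, ACL entries and HE addresses are the ones quoted above; the router's own WAN address is a constructed TEST-NET placeholder, the DHCP class is omitted, and the set of protocols that `inspect` can track is an assumption taken from TrX's observation, not a Cisco-documented list.

```python
from dataclasses import dataclass
import ipaddress

# Assumption (from TrX's observation in the thread): stateful "inspect" only
# tracks a handful of L4 protocols. A packet of any other IP protocol that lands
# in an inspect class is logged as an "Unknown-l4 session" and dropped.
# IP protocol 41 (IPv6-in-IPv4, the HE tunnel) is not in this set.
INSPECTABLE_L4 = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", or a numeric IP protocol such as "41"
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    """One 'permit <proto> <src> <dst>' line of an extended ACL."""
    proto: str  # "ip" matches every IP protocol; anything else must match exactly
    src: str    # "any", a host address, or a CIDR prefix
    dst: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return _addr_matches(self.src, pkt.src) and _addr_matches(self.dst, pkt.dst)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class ClassMap:
    """A match-all class whose only criterion is 'match access-group name <acl>'."""
    name: str
    acl: tuple  # AclEntry objects in ACL order; any permit hits, implicit deny

    def matches(self, pkt: Packet) -> bool:
        return any(entry.matches(pkt) for entry in self.acl)


@dataclass(frozen=True)
class PolicyMap:
    name: str
    classes: tuple  # (ClassMap, action) pairs in configured order
    default_action: str = "drop"  # action of 'class class-default'


def evaluate(pmap: PolicyMap, pkt: Packet) -> tuple:
    """Walk the policy-map top to bottom; the first matching class decides.

    Returns (class name, configured action, verdict)."""
    for cmap, action in pmap.classes:
        if not cmap.matches(pkt):
            continue
        if action == "inspect" and pkt.proto not in INSPECTABLE_L4:
            return (cmap.name, action, "dropped: Unknown-l4 session")
        if action in ("inspect", "pass"):
            return (cmap.name, action, "forwarded")
        return (cmap.name, action, "dropped")
    verdict = "forwarded" if pmap.default_action == "pass" else "dropped"
    return ("class-default", pmap.default_action, verdict)


# Classes rebuilt from the thread: the catch-all 'permit ip any any' class and
# the HETunnelOutbound ACL (the DHCP class from the thread is left out here).
CM_SELFTOWAN = ClassMap("cm-selftowan", (AclEntry("ip", "any", "any"),))
CM_HE_OUT = ClassMap("cm-selftowan-he-out", (
    AclEntry("41", "any", "any"),
    AclEntry("ip", "any", "64.62.200.2"),
    AclEntry("ip", "any", "66.220.2.74"),
    AclEntry("ip", "any", "216.66.80.26"),
))

# Order as originally configured: the any/any inspect class sits first.
ORIGINAL = PolicyMap("pm-selftowan", ((CM_SELFTOWAN, "inspect"), (CM_HE_OUT, "pass")))
# Intermediate state from the thread: catch-all removed, but HE class still 'inspect'.
HE_INSPECTED = PolicyMap("pm-selftowan", ((CM_HE_OUT, "inspect"),))
# The specific 'pass' class placed ahead of the catch-all inspect class.
REORDERED = PolicyMap("pm-selftowan", ((CM_HE_OUT, "pass"), (CM_SELFTOWAN, "inspect")))

# Constructed samples: router WAN address is a TEST-NET placeholder; the tunnel
# endpoint is the HE address from the thread's drop message.
PROTO41_TO_HE = Packet("41", "192.0.2.84", "216.66.80.26")
SSH_TO_INTERNET = Packet("tcp", "192.0.2.84", "203.0.113.5")


def trace(pmap: PolicyMap, pkt: Packet) -> str:
    """One-line summary of a single packet's path through a policy-map."""
    cls, action, verdict = evaluate(pmap, pkt)
    return f"{pmap.name}: proto {pkt.proto} {pkt.src}->{pkt.dst} hit {cls} ({action}) -> {verdict}"


if __name__ == "__main__":
    for pmap in (ORIGINAL, HE_INSPECTED, REORDERED):
        print(trace(pmap, PROTO41_TO_HE))
        print(trace(pmap, SSH_TO_INTERNET))
```

The same first-match rule explains the inbound drop on cm-wantoself-he-in: the WAN-to-self policy needs its protocol-41 class ahead of any inspect class and set to pass.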
Similar Messages
Problems with Zone based Firewall and mtr (mytraceroute)
We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
<code>
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 100.0 8 0.0 0.0 0.0 0.0 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
7. de-cix20.net.google.com 100.0 7 0.0 0.0 0.0 0.0 0.0
8. 72.14.238.230 100.0 7 0.0 0.0 0.0 0.0 0.0
9. 72.14.239.62 100.0 7 0.0 0.0 0.0 0.0 0.0
10. 209.85.242.187 100.0 7 0.0 0.0 0.0 0.0 0.0
11. ???
12. ???
13. ???
14. bk-in-f94.1e100.net 0.0% 7 20.0 20.6 20.0 21.2 0.4
</code>
So it seems that the firewall on my ASR1001 is throwing away all packets with ttl-exceeded coming back from the hops in between; they have another destination address.
At the moment I am inspecting all kind of traffic from my network outgoing:
ip access-list extended 101
permit ip any any
class-map type inspect match-all cmap1
match access-group name 101
policy-map type inspect pmap1
class type inspect cmap1
inspect
etc... (zones, zone-pair in-out with policies applied)
So I tried to let pass all icmp-traffic from the outside to my network:
class-map type inspect match-all cmap_icmp
match protocol icmp
policy-map type inspect pmap2
class type inspect cmap_icmp
pass
etc... (zones, zone-pair out-in with policies applied)
This has no effect, but from testing I could figure out that when I pass all ICMP traffic from my network to the outside, THEN mtr does work.
BUT then normal ping does not work anymore, because it will not be inspected any more.
But I want to have a secure firewall, inspecting echo replies, and a working mtr anyway.
Does anyone have the same problem, or can anyone even solve this issue?
Thanks in advance,
Stefan
Hi Andrew, thanks for your answer...
So I have now:
class-map type inspect match-any cmap_icmp
match access-group name icmp_types
ip access-list extended icmp_types
permit icmp any any ttl-exceeded
PMAP IN--> OUT
(don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
policy-map type inspect vlan664_pmap_in
class type inspect vlan664_cmap_in (this is an extended ACL "permit ip x.x.x.x any")
inspect
class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
pass log
class class-default
drop log
PMAP OUT-->IN
policy-map type inspect vlan664_pmap_out
class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
pass log
class type inspect vlan664_cmap_out (some open ports for some clients)
inspect
class type inspect ipsec_cmap_out (same problem with VPN when inspected)
pass log
class class-default
drop log
But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with the 3rd packet the packet loss starts:
<code>
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 50.0% 3 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 50.0% 3 0.9 0.9 0.9 0.9 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 0.0% 2 2.7 2.7 2.7 2.7 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 0.0% 2 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 0.0% 2 2.5 2.5 2.5 2.5 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 0.0% 2 4.1 4.1 4.1 4.1 0.0
7. de-cix20.net.google.com 0.0% 2 5.0 5.0 5.0 5.0 0.0
8. 72.14.238.44 0.0% 2 39.2 39.2 39.2 39.2 0.0
9. 72.14.236.68 0.0% 2 5.4 5.4 5.4 5.4 0.0
10. 209.85.254.118 0.0% 2 5.4 5.4 5.4 5.4 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 2 5.5 5.3 5.2 5.5 0.2

Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 66.7% 4 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 66.7% 4 0.8 0.8 0.8 0.8 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 66.7% 4 2.1 2.1 2.1 2.1 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 66.7% 4 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 66.7% 4 2.6 2.6 2.6 2.6 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 66.7% 4 4.2 4.2 4.2 4.2 0.0
7. de-cix20.net.google.com 66.7% 4 5.3 5.3 5.3 5.3 0.0
8. 72.14.238.44 66.7% 4 70.3 70.3 70.3 70.3 0.0
9. 72.14.239.60 66.7% 4 5.8 5.8 5.8 5.8 0.0
10. 209.85.254.116 66.7% 4 5.8 5.8 5.8 5.8 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 4 6.3 5.7 5.2 6.3 0.5
</code>
In the sessions on the routers, I see only this entry:
Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
Any other suggestions?
Cisco Zone-based firewall issue/ not receiving return traffic
Hi,
I have created a Cisco IOS Zone Based Firewall on my Cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
I have two zone pairs: Internal to Outside and Outside to Internal.
In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
Am I misunderstanding something? Shouldn't the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.
Please share your config. Then we can see what's wrong there.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Firewall and IPv6, how to block ports?
I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine by adjusting the settings in the Firewall configuration in the System Preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6? I suspect I am going to need a command line tool or a third-party tool, but I am willing to deal with this until Apple sorts this out through a security update (please?).
The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
Hi Andre,
The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
What speed is it? 867
Leopard requirements...
* Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
minimum system requirements
* 512MB of memory
* DVD drive for installation
* 9GB of available disk space
Not sure on IPv6, since the whole purpose seems to be to pinpoint individual computers to the whole world, but IPFW may still work...
WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features...
http://www.macupdate.com/info.php/id/23317
See also...
http://oreilly.com/pub/a/mac/2005/03/15/firewall.html
http://tadek.pietraszek.org/blog/2007/05/01/adding-custom-firewall-rules-in-osx/
Cisco IOS supporting both voice and vpn
Hi Friends
I have one 2821 router. Can anyone suggest which IOS will support both voice and VPN?
Questions like this are better/faster answered by checking Feature Navigator.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
My suggestion is to run an MD release.
Also a big, dated document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_tech_note09186a00800fb9d9.shtml
For old software and hardware you can also check out Figure 1 here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_bulletin_c25_506007.html
M.
Cisco IOS XE for 5508 and 2504 WLCs
Hi,
does anybody know whether new IOS XE introduced for WLC 5760 will be also available for 5508 and 2504 series controllers?
Thank you.
Regards
Karel Navratil
No it will not be.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
CCP bug with with zone based firewall policies
Hello guys,
I'm facing a problem today right after creating some new rules.
When we go to "Edit Firewall Policy" the Rule Flow Diagram shows up. My problem is that I don't see the button that lets me disable it anymore!!
You can see the screenshot.
So my questions are:
- Is there a way to disable this diagram ? (maybe with some java configuration)
- Is there a way to modify this display ?
I have the same problem on a Win7, Win8, Win2008 & Win2012. Tested with Java 1.6u11 to 1.7
Thanks for the help.
I tried taking the HTTP inspection rules out and had the same problem.
Debug messages:
000168: Feb 9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000169: Feb 9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0
000170: Feb 9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000171: Feb 9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823 due to Out-Of-Order Segment with ip ident 0
000172: Feb 9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897 due to Out-Of-Order Segment with ip ident 0
000173: Feb 9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0
Websense web filtering not working with 2911 with zone based firewall
Hi,
Has anyone run into this issue?
We use Websense for guest WiFi but I don't see requests hitting the Websense server.
Config is below:
class-map type inspect match-any test-1
match protocol http
policy-map type inspect Wifi-test
class type inspect test-1
inspect
urlfilter websense-parmap
class class-default
drop
parameter-map type urlfilter websense-parmap
server vendor websense 10.10.1.4
source-interface GigabitEthernet0/2
allow-mode on
cache 100
zone-pair security Wifi-in-out source Wifi destination outside
service-policy type inspect Wifi-test
interface GigabitEthernet0/1
description Internet
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
zone-member security Wifi
interface GigabitEthernet0/2
description LAN
ip address 10.10.4.1 255.255.255.0
zone-member security inside
Hi Stan,
You should be able to adapt this config example to your environment.
Andy-
class-map type inspect match-any http-cm
match protocol http
parameter-map type urlfpolicy websense websense-parm
server <websense server IP>
source-interface <lan interface>
allow-mode on
truncate hostname
class-map type urlfilter websense match-any websense-cm
match server-response any
policy-map type inspect urlfilter websense-pm
parameter type urlfpolicy websense websense-parm
class type urlfilter websense websense-cm
server-specified-action
policy-map type inspect Inside->Internet-pm
description Inside trusted to Internet
class type inspect http-cm
inspect
service-policy urlfilter websense-pm
class type inspect Inside->Internet-cm
inspect
class class-default
drop
zone-pair security Inside->Internet source Inside destination Internet
service-policy type inspect Inside->Internet-pm
! to check status & url block counts
show policy-map type inspect zone-pair Inside->Internet urlfilter
How to allow website using the domain name in zone based firewall ?
Hi,
I need to give restricted access to the internet by allowing a few sites. How will I do it with the URL of a particular website? If I put the URL in the configuration it resolves to only a single IP. How will I do it for a website like Google, where there are numerous IP addresses?
Regards,
Tony
Hi Bro
Please kindly refer to this URL https://supportforums.cisco.com/docs/DOC-17014
I hope this is what you're looking for :-)
P/S: If you think this comment is helpful, please do rate it nicely :-)
Standard (application-based) firewall with one additional port open?
Lion and Snow Leopard both have application based firewalls. I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java. How can I open one port in addition to leaving the standard firewall in place?
Hi
The Zone Based Firewall uses "inspect" statements; that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
ip access-list standard INSIDE-NETWORK_ACL
permit 192.168.1.0 0.0.0.255
class-map type inspect INSIDE-NETWORK_CMAP
match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
class type inspect INSIDE-NETWORK_CMAP
inspect
policy-map type inspect OUTSIDE-TO-SELF
class type inspect HTTPS_CMAP
pass
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF
I haven't personally configured Zone Based Firewall with AnyConnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw
Cisco 881 Zone Firewall issues
I'm having issues with an 881 that I have configured as a zone based firewall.
I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
On the corporate side the user complains that some websites fail, such as Linked in.
I have been using CCP to configure the device. What am I doing wrong?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 22210 bytes
! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname -Rt
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
enable password 7
aaa new-model
aaa authentication login local_auth local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3066996233
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3066996233
revocation-check none
rsakeypair TP-self-signed-3066996233
crypto pki certificate chain TP-self-signed-3066996233
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 10.0.2.2
ip dhcp excluded-address 10.0.2.1
ip dhcp pool Trusted
import all
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
domain-name spectra.local
dns-server 10.0.2.2 10.0.1.6
option 150 ip 10.1.1.10 10.1.1.20
ip dhcp pool Guest
import all
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
dns-server 4.2.2.2 4.2.2.3
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.0.2.2
ip name-server 4.2.2.2
login block-for 5 attempts 3 within 2
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
archive
log config
logging enable
username S privilege 15 secret 4
username ed privilege 15 password 7
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any TFTP
match protocol tftp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
match access-group name Any-From-HO
class-map type inspect match-any Skinny
match protocol skinny
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
match class-map Skinny
match access-group name Hostcom-Skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any Pings
match protocol icmp
class-map type inspect match-any Ping-
match class-map Pings
class-map type inspect match-all ccp-cls-ccp-inspect-2
match class-map Ping-
match access-group name Ping-
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-all ccp-cls-ccp-inspect-3
match class-map DNS
match access-group name Any-any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name Any/Any
class-map type inspect match-any https
match protocol https
class-map type inspect match-all ccp-cls-ccp-inspect-4
match class-map https
match access-group name any-any
class-map type inspect match-any UDP
match protocol udp
match protocol tcp
class-map type inspect match-all ccp-cls-ccp-inspect-5
match class-map UDP
match access-group name InsideOut
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Pings
match access-group name RespondtoSomePings
class-map type inspect match-any RemoteMgt
match protocol ssh
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map RemoteMgt
match access-group name Spectra-RemoteMgt
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol dns
match protocol https
class-map type inspect match-any WebBrowsing
match protocol http
match protocol https
class-map type inspect match-any DNS2
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map WebBrowsing
match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map DNS2
match access-group name DMZtoAny
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-2
inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-cls-ccp-inspect-5
pass log
class type inspect TFTP
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-4
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
class type inspect ccp-cls-ccp-inspect-3
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop log
policy-map type inspect ccp-permit-outside-in
class type inspect ccp-cls-ccp-permit-outside-in-2
inspect
class type inspect ccp-cls-ccp-permit-outside-in-1
pass
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-app-nonascii
log
reset
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-2
inspect
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-outside-in
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect ccp-permit-dmzservice
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Y address x.x.x.x
crypto isakmp key o1 address x.x.x.x
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-AES256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime kilobytes 128000
set security-association lifetime seconds 28800
set transform-set ESP-AES256-SHA
match address 102
interface FastEthernet0
description B
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet1
description Docker
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet2
description Phone
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet3
description Guest
switchport access vlan 3
no ip address
spanning-tree portfast
interface FastEthernet4
description External $FW_OUTSIDE$
bandwidth inherit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 104
duplex auto
speed auto
pppoe-client dial-pool-number 1
hold-queue 224 in
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
shutdown
interface Vlan2
description Trusted Network$FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1440
interface Vlan3
description Guest Network$FW_DMZ$
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callout
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip access-list standard SSH-Management
permit x.x.x.x log
permit 10.0.2.0 0.0.0.255 log
permit 10.0.1.0 0.0.0.255 log
ip access-list extended Any-From-HO
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended Any-any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Any/Any
remark CCP_ACL Category=128
permit ip host 10.0.2.0 host 10.0.1.0
ip access-list extended DMZ-Out
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended Hostcom-Skinny
remark CCP_ACL Category=128
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended InsideOut
remark CCP_ACL Category=128
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended Ping-Hostcom
remark CCP_ACL Category=128
permit ip host 10.0.2.2 any
ip access-list extended RespondtoSomePings
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host 37.0.96.2 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended RemoteMgt
remark CCP_ACL Category=128
permit ip host x.x.x.x any
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended any-any
remark CCP_ACL Category=128
permit ip any any
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 23 remark HTTPS Access
access-list 23 permit 10.0.2.1
access-list 23 permit x.x.x.x
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.112.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit udp any any eq bootpc
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP permit 1
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Authorised Access Only
If your not supposed to be here. Close the connection
^C
banner motd ^C
Access Is Restricted To Personel ONLY^C
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class SSH-Management in
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet ssh
scheduler interval 500
end
Hello Martin,
Please apply the following changes and let us know:
ip access-list extended DMZtoAny
1 permit udp 192.168.112.0 0.0.0.255 any eq 53
no permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZ-Out
1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
2 permit tcp 192.168.112.0 0.0.0.255 any eq 443
no permit ip 192.168.112.0 0.0.0.255 any
Change that, try it, and if it does not work post the configuration with the changes applied.
Regards,
Remember to rate all of the helpful posts, that is as important as a thanks
Julio -
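The tightening proposed above can be checked offline before it is pushed to the router. The following is an added example and not part of the thread: a small evaluator for Cisco extended ACL entries (wildcard masks, `host`/`any`, optional `eq` ports, first match wins, implicit deny at the end) that runs constructed sample flows from a guest host against the original DMZ entry and against the tightened DNS/HTTP/HTTPS entries. It assumes the DMZ subnet is 192.168.112.0/24 as configured on the Vlan3 interface, that DMZtoAny and DMZ-Out are the ACLs matched by the two class-maps in policy-map ccp-permit-dmzservice (those class-maps are not shown above), and it models the union of both ACLs because both classes are inspected. The flows and the 203.0.113.10 Internet address are constructed for the example.

```python
"""Evaluate Cisco IOS extended ACL entries against sample flows.

Added example (not from the thread). Assumptions: the DMZ subnet is
192.168.112.0/24 (the Vlan3 address in the posted config); the sample flows
and the 203.0.113.10 Internet host are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A few well-known port names IOS prints in ACLs (extend as needed).
PORT_NAMES = {"www": 80, "domain": 53, "bootpc": 68, "bootps": 67, "cmd": 514, "ssh": 22}


def ip2int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    sport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int
    swild: int                  # Cisco wildcard: 1 bits are "don't care"
    sport: Optional[int]
    dst: int
    dwild: int
    dport: Optional[int]

    @staticmethod
    def _addr_match(addr: int, base: int, wild: int) -> bool:
        # Only the bits where the wildcard is 0 have to be equal; this also
        # handles non-contiguous wildcards such as 0.255.0.255.
        return (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if not self._addr_match(ip2int(f.src), self.src, self.swild):
            return False
        if not self._addr_match(ip2int(f.dst), self.dst, self.dwild):
            return False
        if self.sport is not None and f.sport != self.sport:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Return (base, wildcard, next index) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return ip2int(tokens[i + 1]), 0, i + 2
    return ip2int(tokens[i]), ip2int(tokens[i + 1]), i + 2


def _parse_eq(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' at position i."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0].isdigit():          # drop an optional sequence number
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, swild, i = _parse_addr(tokens, 2)
    sport, i = _parse_eq(tokens, i)  # source port, rarely used
    dst, dwild, i = _parse_addr(tokens, i)
    dport, i = _parse_eq(tokens, i)
    return Ace(action, proto, src, swild, sport, dst, dwild, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.strip() and not l.strip().startswith("remark")]


def permitted(acl: List[Ace], flow: Flow) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


# The DMZ entry as posted, and the union of DMZtoAny + DMZ-Out after the tightening.
BEFORE = parse_acl(["permit ip 192.168.112.0 0.0.0.255 any"])
AFTER = parse_acl([
    "1 permit udp 192.168.112.0 0.0.0.255 any eq 53",
    "1 permit tcp 192.168.112.0 0.0.0.255 any eq 80",
    "2 permit tcp 192.168.112.0 0.0.0.255 any eq 443",
])

# Constructed sample flows from a guest host to an Internet address.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "dns":   Flow("udp", "192.168.112.20", "203.0.113.10", dport=53),
    "https": Flow("tcp", "192.168.112.20", "203.0.113.10", dport=443),
    "ssh":   Flow("tcp", "192.168.112.20", "203.0.113.10", dport=22),
    "icmp":  Flow("icmp", "192.168.112.20", "203.0.113.10"),
}


def compare(flows: Dict[str, Flow]) -> Dict[str, Tuple[bool, bool]]:
    """Map each flow name to (permitted before, permitted after)."""
    return {name: (permitted(BEFORE, f), permitted(AFTER, f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (before, after) in compare(SAMPLE_FLOWS).items():
        print(f"{name:6s} before={before!s:5s} after={after}")
```

Run as a script it prints the before/after verdict for each flow: DNS and HTTPS stay permitted, while SSH and ICMP from the guest VLAN no longer match any class and fall to the policy's class-default drop. This zone-pair only governs dmz-zone to out-zone; there is no zone-pair between dmz-zone and in-zone, so guest traffic toward the trusted 10.0.2.0/24 is dropped by the zone-based firewall regardless of these ACLs. Return traffic for the inspected sessions is allowed by the inspect action itself, which is why no mirror entries are needed.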
Cisco IOS IPS in Cisco 2921/k9 router
Hi All,
I have a Cisco 2921 series router (C2921/K9), a basic box with the IP Base IOS image (SL-29-IPB-K9 IOS). I would like to enable the IOS-level IPS feature on this router now. Based on the Cisco document I have found, I need to purchase an additional subscription license to enable the IPS feature. My query is:
Will it be supported on the basic IP Base IOS or do I need to change the IOS?
If I need to purchase the subscription license, how can I get the part number and cost for it?
Do I need to buy any additional module for this, like the NME-IPS-K9?
Thanks in advance for your quick support
regards
Sunny
Hi Sunny
1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
2. Correct, the modules and appliances run a different kind of software and are much more powerful
3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
I hope this helps, let us know.
regards
Herbert
jacob.samuel wrote:
Dear Herbert,
Thanks a lot for the wonderful post. It clears most of my doubts. Still I kindly need to know a few more points:
1) Can't we enable the IPS feature on a 2921/K9 router (with the Sec license or the 2921Sec/K9 bundle) without a signature subscription license (is it a must? It is for getting signature updates and for support only, right?)
2) I came to know from a distributor pre-sales engineer that the Cisco IOS-level Intrusion Protection is not going to provide the full features of IPS like the NME module or the IPS Appliance. Is that right?
3) If I add the NME-IPS-K9 module to my 2921 router without enabling the Sec license, can I enable the IPS feature on the router? Or is it a must that I buy the Sec license (SL-29-SEC-K9)?
Attaching the datasheet of the NME-IPS-K9 module (page 5, above Table 3), which mentions the following:
Cisco IOS Software Feature Sets and Release
Table 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841, 2800 and 3800 series Integrated Services Routers. Note that IPS NME on the Cisco 2900 and 3900 Integrated Services Routers does not require a Security Feature license.
In that case, if I buy a module I can install it on the 2921/K9 box directly and enable the IPS feature, right? I don't need any license or additional signature subscription here to enable the IPS feature (if I don't need signature updates and support), right?
Thanks a lot for the support.
regards
Sunny -
CISCO ASA 5505 bandwidth Control and split
Dear All,
Below I am giving the infrastructure I would like to build; please help me.
I am using a Cisco ASA 5505 VPN firewall and a 6 Mbps 1:1 dedicated Internet connection.
On the LAN side we have 3 networks: one for Internet users, one for VPN users and one for CCTV.
I would like to split the 6 Mbps bandwidth across these 3 networks, 3 x 2 Mbps, so that
each network uses 2 Mbps of bandwidth. The VPN and CCTV users use theirs until 6:00 pm; after that the bandwidth will be free,
and after 6:00 pm we need to give the VPN and CCTV bandwidth to the Internet users.
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
So please help me with a suitable configuration for my purpose, or tell me which device will support this and what I have to do.
Thanks
Lalu R.S
There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
You can do some crude controls with QoS - the configuration guide chapter on doing that is here. -
Hi, I'm trying to create a Site-to-Site VPN between a Cisco ASA 5505 and a Cisco 3945 router.
I've tried creating the configuration with and without the ASA wizard, but either way it doesn't work.
Please help me find where the issue is.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end
Thanks for helping me again. I really appreciate it.
I don't have any NAT exemptions in the Cisco IOS router. I will change the transform-set soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT exemption is the issue. Can you advise me which exemptions should be in the Cisco IOS router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help. -
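Before touching NAT exemptions it is worth confirming that the two sides of the site-to-site tunnel above can agree on proposals at all. The following is an added example, not code from the thread: it transcribes the ISAKMP policies, transform sets, PFS settings and crypto ACLs from the two posted configs into Python and applies the standard IKEv1 matching rules (phase 1 needs a policy pair with equal encryption, hash, authentication and DH group, lifetimes negotiating down to the shorter; phase 2 needs equal ESP cipher, integrity, mode and PFS group, plus crypto ACLs that mirror each other). Assumptions, also stated in the code: IOS defaults (hash sha, lifetime 86400) fill in what `crypto isakmp policy 1` omits, `set pfs` on the ASA defaults to group 2, `esp-aes` without a key size is AES-128 on both platforms, and PFS is treated as having to match on both sides, which is the conservative reading.

```python
"""Check the two sides of a site-to-site IPsec VPN for proposal compatibility.

Added example, not from the thread. Values are transcribed from the posted IOS
and ASA configs; assumptions: IOS 'crypto isakmp policy' defaults to hash sha
and lifetime 86400, ASA 'set pfs' defaults to group 2, 'esp-aes' is AES-128.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase1:
    name: str
    encryption: str      # "aes-256", "3des", ...
    hash: str            # "sha", "md5"
    auth: str            # "pre-share", "rsa-sig"
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds


@dataclass(frozen=True)
class Phase2:
    name: str
    esp_cipher: str      # "aes-128" for IOS/ASA 'esp-aes'
    esp_integrity: str   # "sha" for esp-sha-hmac
    mode: str            # "tunnel" or "transport"
    pfs_group: Optional[int]


@dataclass
class Peer:
    name: str
    phase1: List[Phase1]
    phase2: List[Phase2]
    crypto_acl: List[Tuple[str, str]]   # (local network, remote network) in CIDR


IOS = Peer(
    "IOS 3945",
    phase1=[Phase1("isakmp policy 1", "aes-256", "sha", "pre-share", 2, 86400)],
    phase2=[Phase2("AES-SET", "aes-128", "sha", "transport", 2)],   # set pfs group2
    crypto_acl=[("192.168.17.0/24", "192.168.83.0/24")],            # access-list 100
)
ASA = Peer(
    "ASA 5505",
    phase1=[Phase1("ikev1 policy 10", "3des", "sha", "pre-share", 2, 86400),
            Phase1("ikev1 policy 20", "aes-256", "sha", "pre-share", 2, 86400)],
    phase2=[Phase2("L2L_SET", "aes-128", "sha", "transport", 2)],   # 'set pfs' = group 2
    crypto_acl=[("192.168.83.0/24", "192.168.17.0/24")],            # outside_cryptomap
)


def compatible_phase1(x: Peer, y: Peer) -> List[Tuple[str, str, int]]:
    """Policy pairs that agree on every negotiated attribute, plus the lifetime they settle on."""
    return [(a.name, b.name, min(a.lifetime, b.lifetime))
            for a in x.phase1 for b in y.phase1
            if (a.encryption, a.hash, a.auth, a.group) == (b.encryption, b.hash, b.auth, b.group)]


def compatible_phase2(x: Peer, y: Peer) -> List[Tuple[str, str]]:
    """Transform-set pairs that agree on cipher, integrity, mode and PFS group."""
    return [(a.name, b.name)
            for a in x.phase2 for b in y.phase2
            if (a.esp_cipher, a.esp_integrity, a.mode, a.pfs_group)
            == (b.esp_cipher, b.esp_integrity, b.mode, b.pfs_group)]


def acls_mirror(x: Peer, y: Peer) -> bool:
    """Every (local, remote) pair on one side must appear as (remote, local) on the other."""
    def nets(pairs):
        return {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pairs}
    return nets(x.crypto_acl) == {(r, l) for l, r in nets(y.crypto_acl)}


def transport_mode_warnings(p: Peer) -> List[str]:
    """Transport mode only protects traffic between the peers themselves (RFC 4301);
    a crypto ACL that covers subnets behind the gateways needs tunnel mode."""
    covers_subnets = any(ipaddress.ip_network(l).num_addresses > 1
                         or ipaddress.ip_network(r).num_addresses > 1
                         for l, r in p.crypto_acl)
    return [f"{p.name}: {ts.name} is transport mode but the crypto ACL covers subnets"
            for ts in p.phase2 if ts.mode == "transport" and covers_subnets]


def check(x: Peer, y: Peer) -> Dict[str, object]:
    """Full compatibility report for one pair of peers."""
    return {
        "phase1": compatible_phase1(x, y),
        "phase2": compatible_phase2(x, y),
        "acl_mirror": acls_mirror(x, y),
        "warnings": transport_mode_warnings(x) + transport_mode_warnings(y),
    }


if __name__ == "__main__":
    for key, value in check(IOS, ASA).items():
        print(f"{key}: {value}")
```

For the posted configs the report shows one usable phase 1 pair (IOS policy 1 with ASA policy 20; policy 10 is 3DES and never matches), one matching phase 2 pair, mirrored crypto ACLs, and a transport-mode warning on both sides: transport mode only protects traffic between the peers themselves, while the crypto ACLs here cover whole subnets, so a LAN-to-LAN tunnel needs tunnel mode in both transform sets. Since `show crypto isakmp sa` on the router is empty, phase 1 has not completed even though the proposals line up; the usual next checks are whether interesting traffic reaches the crypto map at all and whether UDP/500 reaches the peer. On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so without a NAT exemption for 192.168.17.0/24 to 192.168.83.0/24 the traffic would be translated first and never match access-list 100; whether that applies here depends on the NAT statement, which is not in the posted excerpt.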
I am having a difficult time determining why on a 2811 running IOS c2800nm-advsecurityk9-mz.150-1.M2.bin, the router won't accept ipv6 commands. The feature set from what I can discern includes ipv6 support. However, I have received mixed views. Does advsecurity image support ipv6 or do I need adv ip services image?
The philosophical direction of Cisco is to have full IPv4 and IPv6 parity across feature sets. Any IPv4 feature should appear in the same license level of software for IPv6.
That said, some older software and platforms may have been missed.
See
https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition/blog/2011/09/21/ipv6-feature-packaging-in-cisco-routers-and-switches
See if the problem persists with the latest version. If so, I'd treat it as a bug and open a case.