Cisco SRP 541W Advanced Firewall

Hi,
I have a problem with setting up the advanced firewall on this router... The access list looks like this:
Priority 1 - Enable_HTTPS
Priority 2 - Enable_SMTP
Priority 3 - Enable_PPTP
Priority 4 - Disable ALL
The Enable_HTTPS rule looks like this:
IN interface: All WAN
Out Interface: ALL LAN
Source: 0.0.0.0/0.0.0.0
Destination: 0.0.0.0/0.0.0.0
TCP - Source/destination Port: 25
Action: Permit
The problem is that when I enable the "Disable ALL" rule, nothing passes the firewall through these 3 rules for enabling protocols.
What could I be missing?
Thanks,
Ivan

Similar Messages

  • SRP 541W VERY slow throughput

    Hi!
    I have had my SRP 541w for just over a year, BUGGER! So it is out of warranty now. Bought it in September 2012. It has been working like a charm since then. A couple of days ago my network speed suddenly dropped to about 10 Mbit/s. That is true of all connections: LAN-to-LAN, WAN-to-LAN and LAN-to-WAN. All my equipment is 1 Gb/s. I have upgraded the firmware to 1.2.6, set the speed of the LAN ports to 1000 FULL, rebooted, and tried with only one computer attached and nothing else connected, WAN disconnected and throughput measured between LAN ports; nothing seems to make any difference. Did a factory reset, still no change.
    I would really appreciate help on this! I really hope it has not stopped working properly. Not a good advertisement for CISCO in that case: one month over warranty and suddenly BANG.
    Any ideas?
    Regards,
    Sven Gustavsson

    Got my hands on a multi adapter and plugged that in as well. No change, power light flashes and extremely slow throughput.
    If it is of any use, the power light flashes 3 times, then a few seconds delay, then flashes 3 times, then a few seconds delay, and repeat. This does seem like an error code of some kind that we have no documentation for. Maybe it's time for someone from Cisco to enlighten us as to the nature of the power light flashing?

  • Cisco SRP 527W Restricting Bandwidth on one SSID

    Hi, We have a Cisco SRP 527W. I have set up two SSIDs, one for our office use and one for our customers to check emails and surf the net. At the moment we are finding that some customers are streaming content and using too much bandwidth. I have set up the second SSID as a guest, though I can't work out how to limit bandwidth or if this is possible. I can find my way around settings and follow instructions, though I do not have a strong grasp of the terminology/jargon, thus I would greatly appreciate any instructions/advice and, if relevant, referrals to paid support contractors who can help me implement this (remotely) if too difficult. Thanks very much!

    Thanks for the reply Paolo, unfortunately I do not have access to the U model of that router to test with, however I can provide details from the router that is operating successfully on the line at present, as well as posting information from the dsldiag page when we go back out and retest.
    The line settings that are successfully in use at present with the other vendor's router are as follows:
    VC MUX Encapsulation
    VPI 0
    VCI 38
    Protocol PPPoA
    ADSL2+ G.992.5
    SNR Margin 9
    Loop Attenuation 17
    Many Thanks

  • Issue when I upload CSV file for insert contact list on Cisco Attendant Console Advanced

    Hi Friends,
    I get the error "Provided file is not valid CSV File" when I upload a CSV file to the Cisco Attendant Console Advanced system. I'm not sure what is wrong with my CSV. My purpose is to insert a contact list into the system, and I created the CSV based on the documentation.
    If anyone has an idea how to solve this issue, please kindly help me.
    Thanks

    You are right, whenever a Cisco device boots, the IOS file gets loaded into DRAM.
    But in this process, some temporary files are also generated which get saved in the flash/Disk; that's the only reason you got these error messages. It's not recommended at all to have less space in the Flash than what is recommended on Cisco.com. I would say please remove some files from Disk and have a minimum of 256 MB flash, otherwise your router may drop into rommon mode at the time of the next reload.
    Well, it's good to upgrade the bootstrap image too. Currently you are running 15.X IOS code; I would say run the 15.X bootstrap image on the box.
    You may download the bootstrap image for 7206VRX NPEG2 from the link below:-
    http://software.cisco.com/download/release.html?mdfid=282188585&flowid=1380&softwareid=280805685&release=15.2.4S4&relind=AVAILABLE&rellifecycle=ED&reltype=latest
    If you want to know the procedure of the upgrade, click the link mentioned below:-
    http://www.cisco.com/en/US/docs/ios/12_2/configfun/command/reference/frf010.html#wp1017654
    -Amant

  • IPSec Certificate Authentication from Linux Strongswan client to Windows Advanced Firewall (2012)

    Hi,
    Has anybody had any success in getting a Linux Strongswan client (or Openswan) to connect to a win2012 Advanced Firewall using certificates and IPSec? My Security Connection Rule requires authentication both inbound and outbound. The cert is installed correctly on the Linux box.
    I can get a connection using pre-shared keys, but haven't been able to establish a Quick Mode session when using certs. I've tried (literally) hundreds of different configs without success. The event log shows either 'No Policy Configured' or 'Unknown Authentication'.
    Windows clients can connect correctly with certs. I've deliberately excluded details as the Linux config can be set up in so many different ways; I'd rather start by looking at someone else's config that works (if that actually exists).
    Thanks
    Mick

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.
    We are trying to better understand customer views on the social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Advanced Firewall-Automatically allow signed software...

    For some reason I have an app I use often set up as "Automatically Allow Signed Software To Receive Incoming Connections" in the Advanced Firewall settings of System Preferences. Yet every time I use this software, it always asks me if I want to allow incoming connections. It never did this pre-10.6. Any ideas? Thanks in advance.

    Sounds like a codesign issue. From the terminal, type:
    codesign -vvv /Applications/iTunes.app/
    You should see:
    /Applications/iTunes.app/: valid on disk
    /Applications/iTunes.app/: satisfies its Designated Requirement
    But if you see:
    /Applications/iTunes.app/: a sealed resource is missing or invalid
    [lists resources]
    You can either delete the offending resources (risky) or try redownloading and reinstalling the latest iTunes.dmg from Apple. Try the reinstall first.

  • ADvANCED FIREWALL FEATURES

    If a router I am looking at says:
    ADvANCED FIREWALL FEATURES
    Network Address Translation (NAT)
    Does this mean it supports loopback?
    http://www.dlink.com/uk/en/home-solutio ... en_uk.ashx

    What you are looking for is "NAT Loopback", most routers support this, apart from the home hub 3, which the makers have decided presents a security threat.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • No Ping-Answer in Site-To-Site-Connection between Cisco 876 and CheckPoint-Firewall

    Hello!
    We are trying to establish a site-to-site IPsec connection between a Cisco 876 (local site) and a CheckPoint firewall (remote site). The Cisco 876 is not directly connected to the internet, but is behind a DSL router with port forwarding, forwarding ports 500 and 4500. The running config of the Cisco 876 is appended to this discussion thread. Unfortunately I get no output when debugging the connection with the commands "debug crypto isakmp" and "debug crypto ipsec".
    From the Checkpoint firewall's point of view the connection seems to be established, but there is no ping answer.
    The server on the local site that should be reached from the network behind the Checkpoint firewall has a routing entry "route -P add [inside ip-net remote] 255.255.255.0 [inside ip local]" (see also the appended running config for the naming of IP addresses).
    Establishing a Cisco VPN-Client connection to the same Cisco 876 router works fine.
    Any help would be very much appreciated!
    Jakob J. Blaette

    Hi Jakob,
    Adding my two cents here.
    You always need to confirm that the following ports and protocol are opened:
    1- UDP port 500 --> ISAKMP
    2- UDP port 4500 --> NAT-T
    3- Protocol 50 ---> ESP
    A LAN-to-LAN tunnel will never establish a session over TCP, but it could use NAT-T (if behind NAT). Remember that a one-to-one translation is not port forwarding; a LAN-to-LAN tunnel does not work well unless you have a one-to-one translation for the NATted device, which I think, in your case, is the router.
    HTH.
    Portu.
    Please rate any helpful posts and mark this post as answered.

  • Cisco 867w and Advanced IP Services

    Can anybody tell me if the Cisco 867w ISR router has an IOS with the Advanced IP Services? I need to use this router with Amazon VPC and BGP is required, where the Universal IOS does not accommodate BGP.
    Any help is very much appreciated.

    Rose,
    Thank you for the reply. I am a little confused by your response, as the Cisco website contradicts your advice about BGP on the Advanced IP Services IOS for the 880 & 870 routers:
    http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78_459542_ps380_Products_Data_Sheet.html (Table 7)
    And also on the 870 Series
    http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/product_data_sheet0900aecd8028a976.html (Table 5)
    Are you talking from experience on these devices, and have you tried to get BGP working on them? It is important I get the right device as I am trying to connect to the Amazon VPC system and these routers have been recommended.
    Regards,
    Craig Pickering.

  • Cisco IOS Zone Based Firewall and IPv6

    Hello,
    I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection is working OK only if I disable zone security on the WAN interface (Fe0 - IPv4 interface).
    Which protocols must be allowed to and from the router?
    IOS version: 15.1.2T1 (Adv.ip services)
    Setup:
    HE (tunnel-broker)  --- Internet (IPv4)  ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
    Config on router:
    IPv4 (self to internet and internet to self)
    policy-map type inspect Outside2Router-pmap
    class type inspect SSHaccess-cmap
      inspect
    class type inspect ICMP-cmap
      inspect
    class type inspect IPSEC-cmap
      pass
    class type inspect Protocol41-cmap
      pass log
    class class-default
      drop
    interface Tunnel1
    description Hurricane Electric IPv6 Tunnel Broker
    no ip address
    zone-member security IPv6tunnel
    ipv6 address 2001:47:25:105B::2/64
    ipv6 enable
    ipv6 mtu 1300
    tunnel source FastEthernet0
    tunnel mode ipv6ip
    tunnel destination xxx.66.80.98
    interface FastEthernet0
    description WAN interface
    ip address xxx.xxx.252.84 255.255.0.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    zone-member security WAN
    duplex auto
    speed auto
    zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
    service-policy type inspect IPv6-out-pmap
    zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
    service-policy type inspect IPv6-out-pmap
    policy-map type inspect IPv6-out-pmap
    class type inspect IPv6-internet-class
      inspect
    class class-default
      drop
    class-map type inspect match-all IPv6-internet-class
    match protocol tcp
    match protocol udp
    match protocol icmp
    match protocol ftp
    ipv6 route ::/0 Tunnel1
    ipv6 unicast-routing
    ipv6 cef
    parameter-map type inspect v6-param-map
    ipv6 routing-header-enforcement loose
    sessions maximum 10000

    OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
    policy-map type inspect pm-selftowan
    class type inspect cm-selftowan-he-out
      inspect
    class type inspect cm-dhcpwan
      pass
    class class-default
      drop
    class-map type inspect match-all cm-selftowan-he-out
    match access-group name HETunnelOutbound
    ip access-list extended HETunnelOutbound
    permit 41 any any
    permit ip any host 64.62.200.2
    permit ip any host 66.220.2.74
    permit ip any host 216.66.80.26
    Now we see the same error, just on the 'new' first cmap in the pmap:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to  Invalid Segment with ip ident 0
    Yet as you can see above, we are allowing proto 41 any any.
    I didn't expect any other result really, since the previous cmap had 'permit ip any any', but still, any ideas?
    Thanks,
    //TrX
    EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
    I decided to change the outbound cm-selftowan-he-out action to 'pass'.
    I suddenly noticed the following log:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session  216.66.80.26:0 :0 on zone-pair wantoself class  cm-wantoself-he-in due to  Invalid Segment with ip ident 0
    Notice this is now inbound having trouble, whereas before it was outbound.
    I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
    Looking at the original outbound PMAP:
    policy-map type inspect pm-selftowan
    class type inspect cm-selftowan
      inspect
    class type inspect cm-selftowan-he-out
      inspect
    class type inspect cm-dhcpwan
      pass
    class class-default
      drop
    cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails, as it seems ip inspect only handles a handful of protocols).
    This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
    Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
    Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
    Hope this helps the OP too
    //TrX
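The two threads above describe the same mechanism from different angles: an ordered policy where the first matching entry decides, so an entry that never matches (the SRP access list at the top of the page, whose posted Enable_HTTPS rule fixes both source and destination port to 25) or an entry that matches too much (the 'ip any any' class ahead of the protocol-41 class in the ZBF thread) sends traffic somewhere else than intended. The following is an added illustration, not SRP or IOS code; it assumes top-down first-match evaluation on both devices and simplifies 'inspect' to the thread's observation that it only understands a handful of protocols. The destination-port-only variant of the HTTPS rule and the `Packet`/`Rule` names are constructed for the example.

```python
"""First-match policy evaluation, an added illustration (not SRP or IOS code).

Assumption (labelled): both devices walk their entries top-down and the first
match wins.  Two situations from the threads are modelled:
  * SRP 541W access list: the posted Enable_HTTPS rule constrains BOTH source
    and destination port to 25, so an ordinary client connection (ephemeral
    source port) never matches it and falls through to "Disable ALL".
  * IOS zone-based firewall: a catch-all class ahead of the protocol-41 class
    grabs the tunnel packets and inspects them, so the later 'pass' class is
    never reached.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplification of the thread's remark that "ip inspect only handles a handful
# of protocols": anything outside this set cannot be inspected and is dropped.
INSPECTABLE = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or an IP protocol number such as "41"
    src_port: Optional[int] = None  # None for protocols without L4 ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # permit / deny (SRP) or inspect / pass / drop (ZBF)
    proto: Optional[str] = None     # None = any protocol
    src_port: Optional[int] = None  # None = any source port
    dst_port: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (name of the first matching rule, effective action)."""
    for rule in rules:
        if rule.matches(pkt):
            action = rule.action
            # 'inspect' on a protocol the engine does not understand ends in a
            # drop, which is what the %FW-6-DROP_PKT lines in the thread showed.
            if action == "inspect" and pkt.proto not in INSPECTABLE:
                action = "drop"
            return rule.name, action
    return "<none>", "no-match"


# --- SRP 541W access list as posted (only the HTTPS entry was shown) ----------
SRP_AS_POSTED = [
    Rule("Enable_HTTPS", "permit", proto="tcp", src_port=25, dst_port=25),
    Rule("Disable ALL", "deny"),
]
# Constructed variant that matches the destination port only: HTTPS servers
# listen on 443 and clients connect from an ephemeral source port.
SRP_DEST_PORT_ONLY = [
    Rule("Enable_HTTPS", "permit", proto="tcp", dst_port=443),
    Rule("Disable ALL", "deny"),
]
# Constructed sample: a browser on a WAN host connecting to a LAN web server.
HTTPS_CLIENT = Packet("tcp", src_port=51234, dst_port=443)

# --- IOS ZBF self->WAN policy-map from the IPv6 tunnel thread -----------------
# (cm-dhcpwan is omitted because its class-map is not shown in the thread.)
ZBF_ORIGINAL = [
    Rule("cm-selftowan", "inspect"),                  # match ip any any
    Rule("cm-selftowan-he-out", "pass", proto="41"),  # permit 41 any any
    Rule("class-default", "drop"),
]
# Same classes with the protocol-41 class placed ahead of the catch-all.
ZBF_REORDERED = [ZBF_ORIGINAL[1], ZBF_ORIGINAL[0], ZBF_ORIGINAL[2]]
TUNNEL_PKT = Packet("41")  # 6in4 tunnel packet: IP protocol 41, no L4 ports


if __name__ == "__main__":
    print("SRP as posted     :", evaluate(SRP_AS_POSTED, HTTPS_CLIENT))
    print("SRP dst-port only :", evaluate(SRP_DEST_PORT_ONLY, HTTPS_CLIENT))
    print("ZBF original      :", evaluate(ZBF_ORIGINAL, TUNNEL_PKT))
    print("ZBF reordered     :", evaluate(ZBF_REORDERED, TUNNEL_PKT))
```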

  • Cisco SRP 540 Series Router custom Dynamic DNS

    Hello,
    I'm wondering if there is a possibility to get my homepage provider's custom dynamic DNS service working on my Cisco SRP541W Router as I'd not like to be forced to sign up for either DynDNS or TZO which are available through the web frontend.

    Hi there,
    Sorry for the delay in replying to this.  Must have missed it the first time around.
    Anyway, I'm afraid the only DDNS providers supported natively by the SRP500 platform  are DynDNS and TZO.  Having said that, many if not most DDNS providers either have or support the use of a client running on a device behind the router, so that might be a workaround for you.  There are a few open sourced generic clients out there that are pretty versatile as well.
    Cheers,
    Dave.

  • CCP - Advanced Firewall Creating Custom Ports Inbound Traffic

    Hey folks, I desperately need some assistance with my ISR 800 series router zone-based firewall.
    The router is currently setup and routing traffic to the internet successfully.
    I would like to setup a custom inbound port(TCP-3389) accessible from the internet.
    Port destination termination will be an internal PC at say 192.168.1.50.
    How can I accomplish this using CCP or the console?
    I have already defined the port-to-application mapping using CCP. However, the firewall is recording the following syslog message:
    %FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389  on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action  found in policy-map with ip ident 0
    Any assistance is greatly appreciated
    If full config is required  to assist please let me know.
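Three %FW-6-DROP_PKT lines appear on this page (two in the IPv6 tunnel thread, one in the post above), and in each case the useful evidence is in the fields: which zone-pair and class dropped the packet, why, and what L4 protocol IOS saw. The following parser is an added example (not a Cisco tool) that pulls those fields out of the quoted lines and runs two checks: grouping drops per class and reason, and looking up the dropped protocol/port in a port-map table built from the "ip port-map user-remote-app-tcp port tcp 3389" entry in the config posted below. It assumes the message layout seen in the three quoted lines, including an empty source host when the router itself originated the packet.

```python
"""Parser for the %FW-6-DROP_PKT syslog lines quoted on this page.

Added illustration, not Cisco code.  Assumed layout (from the quoted lines):
  Dropping <proto> session <src>:<sport> <dst>:<dport> on zone-pair <zp>
  class <class> due to <reason> with ip ident <n>
The source host is empty when the router itself originated the packet.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session\s+"
    r"(?P<src>\S*):(?P<sport>\d+)\s+(?P<dst>\S*):(?P<dport>\d+)\s+"
    r"on zone-pair (?P<zp>\S+) class\s+(?P<cls>\S+) due to\s+"
    r"(?P<reason>.+?) with ip ident (?P<ident>\d+)"
)


@dataclass(frozen=True)
class DropEvent:
    timestamp: str      # "" when the line carried no timestamp
    proto: str          # "tcp", "udp", "icmp", "Unknown-l4", ...
    src: str            # "" when the packet was router-originated
    sport: int
    dst: str
    dport: int
    zone_pair: str
    class_name: str
    reason: str
    ident: int


def parse_drop(line: str) -> Optional[DropEvent]:
    """Parse one syslog line; return None if it is not a DROP_PKT message."""
    m = DROP_RE.search(line)
    if not m:
        return None
    timestamp = line[:m.start()].strip(" *:")  # whatever precedes the mnemonic
    return DropEvent(
        timestamp=timestamp,
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        zone_pair=m["zp"],
        class_name=m["cls"],
        reason=" ".join(m["reason"].split()),  # collapse IOS's doubled spaces
        ident=int(m["ident"]),
    )


def parse_log(text: str) -> List[DropEvent]:
    return [e for e in (parse_drop(ln) for ln in text.splitlines()) if e]


def drops_by_class(events: List[DropEvent]) -> Counter:
    """Count drops per (zone-pair, class, reason): shows which class eats the traffic."""
    return Counter((e.zone_pair, e.class_name, e.reason) for e in events)


def unknown_l4(events: List[DropEvent]) -> List[DropEvent]:
    """Drops where IOS could not identify the L4 protocol, the tell-tale of a
    non-TCP/UDP/ICMP packet (protocol 41 in the tunnel thread) hitting an
    'inspect' class."""
    return [e for e in events if e.proto == "Unknown-l4"]


PortMap = Dict[Tuple[str, int], str]  # (protocol, port) -> application name


def port_map_match(event: DropEvent, port_map: PortMap) -> Optional[str]:
    """Name of the port-map application covering this drop's proto/port, if any."""
    return port_map.get((event.proto, event.dport))


# Constructed sample: the three drop lines quoted on this page, verbatim.
SAMPLE_LOG = """\
*Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to  Invalid Segment with ip ident 0
*Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session  216.66.80.26:0 :0 on zone-pair wantoself class  cm-wantoself-he-in due to  Invalid Segment with ip ident 0
%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389  on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action  found in policy-map with ip ident 0
"""
# Port-map table built from the posted config line
# "ip port-map user-remote-app-tcp port tcp 3389".
CCP_PORT_MAP: PortMap = {("tcp", 3389): "user-remote-app-tcp"}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in drops_by_class(events).items():
        print(n, key)
    print("Unknown-l4 drops:", len(unknown_l4(events)))
    for e in events:
        print(e.proto, e.dst, e.dport, "-> port-map:", port_map_match(e, CCP_PORT_MAP))
```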

    Thanks for your response.
    Pardon my ignorance! How can I export this info from the CCP interface to share? In lieu of that procedure, I have provided the full config below.
    Building configuration...
    Current configuration : 22564 bytes
    ! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs
    ! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
    ! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
    version 15.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname 881W-SSHS-R1
    boot-start-marker
    boot system flash:c880data-universalk9-mz.153-1.T.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 8192 warnings
    enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk
    enable password 7 09485B1F180B03175A
    aaa new-model
    aaa authentication login sslvpn local
    aaa session-id common
    memory-size iomem 10
    clock timezone EST -5 0
    clock summer-time UTC recurring
    service-module wlan-ap 0 bootimage autonomous
    crypto pki server 881-sshs-r1ca
    database archive pem password 7 121D1001130518017B
    issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON
    lifetime certificate 1095
    lifetime ca-certificate 1825
    crypto pki trustpoint sshs-trustpoint
    enrollment selfsigned
    serial-number
    subject-name CN=sshs-certificate
    revocation-check crl
    rsakeypair sshs-rsa-keys
    crypto pki trustpoint 881-sshs-r1ca
    revocation-check crl
    rsakeypair 881-sshs-r1ca
    crypto pki certificate chain sshs-trustpoint
    certificate self-signed 01
          quit
    crypto pki certificate chain 881-sshs-r1ca
    certificate ca 01
          quit
    no ip source-route
    ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
    ip dhcp excluded-address 192.168.10.1 192.168.10.200
    ip dhcp excluded-address 192.168.20.1 192.168.20.200
    ip dhcp excluded-address 192.168.30.1 192.168.30.200
    ip dhcp pool SSHS-LAN
    import all
    network 192.168.10.0 255.255.255.0
    dns-server 192.168.10.1
    default-router 192.168.10.1
    domain-name sshs.local
    lease 2
    ip dhcp pool VLAN20
    import all
    network 192.168.20.0 255.255.255.0
    dns-server 192.168.10.1
    default-router 192.168.20.1
    domain-name sshs.local
    lease 2
    ip dhcp pool VLAN30
    import all
    network 192.168.30.0 255.255.255.0
    dns-server 192.168.10.1
    default-router 192.168.30.1
    domain-name sshs.local
    lease 2
    no ip bootp server
    ip domain name sshs.local
    ip host 881W-SSHS-R1 192.168.10.1
    ip name-server 208.122.23.22
    ip name-server 208.122.23.23
    ip cef
    no ipv6 cef
    ipv6 multicast rpf use-bgp
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    multilink bundle-name authenticated
    license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y
    license boot module c880-data level advipservices
    username sshs privilege 15 password 7 050F131920425A0C48
    username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc
    ip tcp synwait-time 10
    no ip ftp passive
    class-map type inspect imap match-any ccp-app-imap
    match invalid-command
    class-map match-any AutoQoS-Voice-Fa4
    match protocol rtp audio
    class-map type inspect match-all CCP_SSLVPN
    match access-group 199
    class-map match-any AutoQoS-Scavenger-Fa4
    match protocol bittorrent
    match protocol edonkey
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any remote-app
    match protocol Other
    class-map type inspect match-all SDM_RIP_PT
    match protocol router
    class-map type inspect match-any bootps
    match protocol bootps
    class-map type inspect match-any SDM_WEBVPN
    match access-group name SDM_WEBVPN
    class-map type inspect match-any SDM_HTTP
    match access-group name SDM_HTTP
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
    match service any
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
    match service any
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
    match service any
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map match-any AutoQoS-VoIP-Remark
    match ip dscp ef
    match ip dscp cs3
    match ip dscp af31
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect pop3 match-any ccp-app-pop3
    match invalid-command
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-any bootpc_bootps
    match protocol bootpc
    match protocol bootps
    class-map type inspect match-all SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
    match service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
    match service text-chat
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect http match-any ccp-app-httpmethods
    match request method bcopy
    match request method bdelete
    match request method bmove
    match request method bpropfind
    match request method bproppatch
    match request method connect
    match request method copy
    match request method delete
    match request method edit
    match request method getattribute
    match request method getattributenames
    match request method getproperties
    match request method index
    match request method lock
    match request method mkcol
    match request method mkdir
    match request method move
    match request method notify
    match request method options
    match request method poll
    match request method propfind
    match request method proppatch
    match request method put
    match request method revadd
    match request method revlabel
    match request method revlog
    match request method revnum
    match request method save
    match request method search
    match request method setattribute
    match request method startrev
    match request method stoprev
    match request method subscribe
    match request method trace
    match request method unedit
    match request method unlock
    match request method unsubscribe
    class-map match-any AutoQoS-VoIP-Control-UnTrust
    match access-group name AutoQoS-VoIP-Control
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
    match request port-misuse im
    match request port-misuse p2p
    match req-resp protocol-violation
    class-map type inspect aol match-any ccp-app-aol
    match service text-chat
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map match-any AutoQoS-VoIP-RTP-UnTrust
    match protocol rtp audio
    match access-group name AutoQoS-VoIP-RTCP
    class-map type inspect http match-any ccp-http-allowparam
    match request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    class-map type inspect match-any sdm-cls-access
    match class-map SDM_HTTPS
    match class-map SDM_SSH
    match class-map SDM_SHELL
    class-map type inspect match-any CCP_PPTP
    match class-map SDM_GRE
    class-map type inspect match-all SDM_WEBVPN_TRAFFIC
    match class-map SDM_WEBVPN
    match access-group 102
    class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
    match class-map bootps
    match access-group name boops-DHCP
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-cls-ccp-permit-1
    match class-map bootpc_bootps
    match access-group name DHCP-Request
    class-map type inspect match-any SDM_CA_SERVER
    match class-map SDM_HTTPS
    match class-map SDM_HTTP
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
    match class-map uremote-app
    match access-group name remote-app
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all sdm-access
    match class-map sdm-cls-access
    match access-group 101
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect im ccp-action-app-im
    class type inspect aol ccp-app-aol
      log
      allow
    class type inspect msnmsgr ccp-app-msn
      log
      allow
    class type inspect ymsgr ccp-app-yahoo
      log
      allow
    class type inspect aol ccp-app-aol-otherservices
      log
    class type inspect msnmsgr ccp-app-msn-otherservices
      log
    class type inspect ymsgr ccp-app-yahoo-otherservices
      log
    policy-map type inspect ccp-pol-outToIn
    class type inspect CCP_PPTP
      pass
    class type inspect ccp-cls-ccp-pol-outToIn-1
      pass log
    class class-default
      drop log
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
    policy-map AutoQoS-Policy-Fa4
    class AutoQoS-Voice-Fa4
      priority percent 1
      set dscp ef
    class AutoQoS-Scavenger-Fa4
      bandwidth remaining percent 1
      set dscp cs1
    class class-default
      fair-queue
    policy-map AutoQoS-Policy-UnTrust
    class AutoQoS-VoIP-RTP-UnTrust
      priority percent 70
      set dscp ef
    class AutoQoS-VoIP-Control-UnTrust
      bandwidth percent 5
      set dscp af31
    class AutoQoS-VoIP-Remark
      set dscp default
    class class-default
      fair-queue
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
      log
    class type inspect http ccp-app-httpmethods
      log
    class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
    class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
      pass
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_CA_SERVER
      inspect
    class type inspect ccp-cls-ccp-permit-1
      pass log
    class type inspect SDM_WEBVPN_TRAFFIC
      inspect
    class type inspect sdm-access
      inspect
    class type inspect SDM_RIP_PT
      pass
    class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-cls-ccp-permit-icmpreply-1
      pass log
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    zone security out-zone
    zone security in-zone
    zone security sslvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
    service-policy type inspect ccp-pol-outToIn
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
    service-policy type inspect ccp-sslvpn-pol
    csdb tcp synwait-time 30
    csdb tcp idle-time 3600
    csdb tcp finwait-time 5
    csdb tcp reassembly max-memory 1024
    csdb tcp reassembly max-queue-length 16
    csdb udp idle-time 30
    csdb icmp idle-time 10
    csdb session max-session 65535
    interface Null0
    no ip unreachables
    interface FastEthernet0
    description LAN
    switchport mode trunk
    no ip address
    interface FastEthernet1
    description Not in Use
    no ip address
    interface FastEthernet2
    description Trunk to 861W-SSHS-R1
    switchport mode trunk
    no ip address
    auto discovery qos
    interface FastEthernet3
    description VoIP
    switchport access vlan 30
    no ip address
    service-policy output AutoQoS-Policy-UnTrust
    interface FastEthernet4
    description WAN$ETH-WAN$$FW_OUTSIDE$
    ip ddns update hostname xxx.xxxx.org
    ip address dhcp client-id FastEthernet4
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    auto qos
    service-policy output AutoQoS-Policy-Fa4
    interface Virtual-Template1
    ip unnumbered Vlan1
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    zone-member security sslvpn-zone
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    description SSHS Default LAN$FW_INSIDE$
    ip address 192.168.10.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    interface Vlan20
    description $FW_INSIDE$
    ip address 192.168.20.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    zone-member security in-zone
    interface Vlan30
    description $FW_INSIDE$
    ip address 192.168.30.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    interface Dialer0
    description PPPoA Dialer for Int ATM0$FW_INSIDE$
    ip address negotiated
    ip access-group aclInternetInbound in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    zone-member security in-zone
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname SSHS-CHAP
    ppp chap password 7 045F1E100E2F584B
    ppp ipcp dns request accept
    ppp ipcp route default
    ppp ipcp address accept
    router rip
    network 192.168.10.0
    network 192.168.20.0
    network 192.168.30.0
    ip local pool sslvpn-pool 192.168.10.190 192.168.10.199
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
    ip access-list extended AutoQoS-VoIP-Control
    permit tcp any any eq 1720
    permit tcp any any range 11000 11999
    permit udp any any eq 2427
    permit tcp any any eq 2428
    permit tcp any any range 2000 2002
    permit udp any any eq 1719
    permit udp any any eq 5060
    ip access-list extended AutoQoS-VoIP-RTCP
    permit udp any any range 16384 32767
    ip access-list extended DHCP-Request
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=1
    permit gre any any log
    ip access-list extended SDM_HTTP
    remark CCP_ACL Category=1
    permit tcp any any eq www log
    ip access-list extended SDM_HTTPS
    remark CCP_ACL Category=1
    permit tcp any any eq 443 log
    ip access-list extended SDM_SHELL
    remark CCP_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark CCP_ACL Category=1
    permit tcp any any eq 22 log
    ip access-list extended SDM_WEBVPN
    remark CCP_ACL Category=1
    permit tcp any any eq 443 log
    ip access-list extended remote-app
    remark CCP_ACL Category=128
    permit ip any host 192.168.10.50
    ip access-list extended boops-DHCP
    remark CCP_ACL Category=128
    permit ip any any
    logging host 192.168.10.50
    access-list 1 permit 0.0.0.0 255.255.255.0
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.10.50
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 199 permit ip any any
    control-plane
    rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
    banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue
    ^C
    banner motd ^C This router is designated as the primary router in the SSHS LAN ^C
    line con 0
    password 7 06021A374D401D1C54
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    password 7 06021A374D401D1C54
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    privilege level 15
    password 7 130102040A02102F7A
    length 0
    transport input telnet ssh
    transport output telnet ssh
    scheduler interval 500
    ntp master
    ntp update-calendar
    ntp server nist1-ny.ustiming.org prefer
    webvpn gateway sshs-WebVPN-Gateway
    ip interface FastEthernet4 port 443
    ssl encryption rc4-md5
    ssl trustpoint sshs-trustpoint
    inservice
    webvpn context sshs-WebVPN
    secondary-color white
    title-color #669999
    text-color black
    acl "ssl-acl"
       permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    aaa authentication list sslvpn
    gateway sshs-WebVPN-Gateway
    max-users 4
    ssl authenticate verify all
    url-list "rewrite"
    inservice
    policy group sshs-webvpnpolicy
       functions svc-enabled
       filter tunnel ssl-acl
       svc address-pool "webvpnpool" netmask 255.255.255.0
       svc rekey method new-tunnel
       svc split include 192.168.0.0 255.255.255.0
    default-group-policy sshs-webvpnpolicy
    end
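As an added example (not from the poster's config or any Cisco tool), a small Python audit for a zone-based firewall config like the one above: it parses the zone-pair bindings and the class actions of each layer-4 inspect policy-map and reports what every zone-pair does with traffic that no class matched, since a `class class-default` set to `pass` means unmatched traffic on that pair crosses uninspected. The excerpt it runs on is constructed from the posted config, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted running-config (not the full config).
SAMPLE = """\
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
"""

def parse_zbf(text):
    """Map each layer-4 inspect policy to {class: action} and each zone-pair to its binding."""
    policies, pairs = defaultdict(dict), {}
    policy = cls = pair = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"policy-map type inspect (\S+)$", line):  # skips L7 maps ("inspect http X")
            policy, cls, pair = m.group(1), None, None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pair, policy = m.group(1), None
            pairs[pair] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif policy and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cls = m.group(1)
            policies[policy].setdefault(cls, "")
        elif policy and cls and re.match(r"(inspect|pass|drop)\b", line):
            policies[policy][cls] = line  # keep the whole action, e.g. "pass log"
        elif pair and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[pair]["policy"] = m.group(1)
        elif line.startswith(("interface ", "policy-map ")):  # any other block ends the current one
            policy = pair = None
    return policies, pairs

def audit(text):
    """For each zone-pair: bound policy, direction, and the fate of traffic no class matched."""
    policies, pairs = parse_zbf(text)
    report = {}
    for name, p in pairs.items():
        classes = policies.get(p["policy"])  # None: binding refers to an undefined policy-map
        default = "MISSING POLICY" if classes is None else classes.get("class-default", "drop")
        report[name] = {"policy": p["policy"], "path": f"{p['src']}->{p['dst']}",
                        "default": default, "open": default.startswith("pass")}  # implicit default: drop
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against a full `show running-config` the same way; any pair reported with `"open": True` is one where the implicit drop has been replaced by an allow-all.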

  • STS Tunnel in between Cisco ASA and Meraki Firewall

    Hello Experts,
    We are in the process of configuring a syslog server placed at a remote site, and a STS tunnel is established to send the Meraki syslogs over the tunnel, which is working fine. The local LANs of both sites can communicate with each other without issue, but we are facing an issue wherein, when the traffic leaves the Meraki firewall, it uses the Meraki WAN interface IP, and in syslog that is used as the source, which unfortunately can't be added to the encryption list on the Meraki firewall as there is no option available to get the WAN IP added to the encryption list. Can somebody please advise on how to solve this issue? I also searched for an option to get the source IP changed from the WAN to the inside interface IP, which is still not possible on a Meraki firewall.

    I am not very familiar with Meraki, but I did come across this document... hope it will help you out.
    https://kb.meraki.com/knowledge_base/syslog-server-overview-and-configuration
    Please remember to select a correct answer and rate helpful posts

  • AGPM 4.0 SP2 Editors cannot open "Windows Firewall with Advanced Security" area of a GPO

    When attempting to Edit a checked-out GPO in AGPM, & navigating to "Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP://CN...." Editors get:
    "There was an error opening the Windows Firewall with Advanced Security snap-in
    An error occurred while trying to open the policy.
    Error: The system cannot find the path specified
    Code 0x3"
    This happens with GPOs that existed prior to the AGPM install where the GPO was "controlled", and with new Controlled GPOs created within AGPM.  A workaround is to grant the user Full Control within AGPM (and have them re-launch Group Policy Management MMC via Shift right-click "Run as different user"), but this circumvents the Change Control we are attempting to use AGPM for.  Any ideas of how to fix this, or how to file a bug report?
    Also, changes made to Incoming Firewall rules do not show up in the AGPM Settings or Differences reports.  I'd imagine this is related to the known issue described on the Release Notes page here:
    http://technet.microsoft.com/en-us/library/dn458958.aspx

    Hi Fabian - Thanks for the response.  I checked & the AGPM Server is on a subnet that was not mapping to any AD Site.  Based on its subnet/location, it actually should be in the same Site as the PDCe.  I added a new Subnet definition to AD & waited until "nltest /dsgetsite" was reporting the correct Site on the AGPM Server.  Now, with just the Editor role, I can access the Advanced Firewall area of a checked-out GPO from my AGPM Client, which is correctly in a different AD Site.
    I think this might have solved it.
    Should this requirement be added to AGPM documentation?  "AGPM Server must be installed on a server that is in the same AD Site as the DC holding the PDCe role."
    Thanks for the tip!

  • Help with cisco 837 VPN firewall configuration

    Hi guys,
    I attempted to configure remote access VPN using a Cisco 837. IPsec and firewall features were added already. However, the VPN client keeps saying "remote peer no longer responding".
    Upon removing the firewall and ACLs, the VPN client works. Therefore, I believe these two parts went wrong. Could you please take a look at my config below and see what is going on. On the other hand, when I issue the same config to a Cisco 827, it does not work. My question is whether Cisco 827 IOS 12.1(3) supports IPsec.
    Any help would be highly appreciated.

    This document demonstrates how to configure a connection between a router and the Cisco VPN Client 4.x using Remote Authentication Dial-In User Service (RADIUS) for user authentication. Cisco IOS Software Releases 12.2(8)T and later support connections from Cisco VPN Client 3.x. The VPN Clients 3.x and 4.x use Diffie Hellman (DH) group 2 policy. The isakmp policy # group 2 command enables the VPN Clients to connect.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml
