Cisco Zone-based firewall issue/ not receiving return traffic

Hi,
I have created a Cisoc IOS Zone based firewall on my cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
I have two zone pairs: Internal to Outside and Outside to Internal.
In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.

Please share your config. Then we can see what's wrong there.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Similar Messages

Not receiving Return Label in email

Hi Best Buy..
I am inquiring about an issue I have regarding acquiring a return label. I had purchased a TV on bestbuy.com, it had arrived with some Stuck Pixels on the screen and I requested a replacement TV.
This was easy, and while on the phone I was transferred to Post Putchase where the CS rep got me my rteurn label and asked me to stay on the line to confirm it arrived in my email; which it did.
Unfortunately two things happened:
-I came down with a cold and wasn't in the mood to pack it up and return it right aways
-I read the part of the label where UPS says its good for 30 days, but not the part Best Buy added which says it's only 10 days.
Ever since then I have been calling (5 times so far) to get a new label with no luck. Everyone I spoke to on the Elite Plus help line was courteous and helpful and they aren't sure exactly what's wrong.
On my fourth call it was discovered that no one was actually sending me a label but was scheduling UPS to come pick it up without informing me. I was provided with a tracking number and said they would be coming. Later that night I decided to track that number and saw that UPS had already tried 3 times to pick it up and the dates match the first 3 times I called, which leads me to believe Post Purchase was just using this over and over.
On my fifth call I spoke to someone who seemed to understand and I was transferred to speak to Post Purchase personally (this only happened on my very first and most recent call). I was told once again that I would be getting a label in 24-48 hours which I have no again. I also don't understand why it takes so long when the first time I was able tor recieve it while on the phone with Post Purchase.
So thank you for reading all that, and I come to you here to see if you can help or have any insight in getting me a new return label.
I live in the city and have no need for a car, so taking it back to the store isn't the easiest. And even though I am Elite Plus I am closely approaching the Return Due Date and I would hope not to get charged for a second televeision.
Thanks for your time and any help you may provide!!
Solved!
Go to Solution.

Hello ev0,
Thank you for being a loyal Elite Plus customer! I can imagine the disappointment of discovering that your new TV has stuck pixels. I would definitely want to exchange it right away. I'm very sorry to hear of all the troubles you have encountered trying to get a new return label, and that you've had to call numerous times to get this straightened out.
I would be happy to assist you in receiving a new return label if you still have not received it. Using the e-mail you registered on the forum, I was able to locate your information, and will follow up with you once I have more details.
In the meantime, please do not hesitate to let me know if you have any further questions or concerns. I will be in contact as soon as possible.
Sincerely,
Maria|Social Media Specialist | Best Buy® Corporate
Private Message

Cisco IOS Zone Based Firewall and IPv6

Hello,
I am trying to setup IPv6 tunnel to tunnel-broker Hurrican Electrics. IPv6 connection is working OK only if I disable zone security on WAN interface (Fe0 - IPv4 interface).
Which protocols must be alloved to and from router?
IOS version: 15.1.2T1 (Adv.ip services)
Setup:
HE (tunnel-broker) --- Internet (IPv4) ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
Config on router:
IPv4 (self to internet and internet to self)
policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
inspect
class type inspect ICMP-cmap
inspect
class type inspect IPSEC-cmap
pass
class type inspect Protocol41-cmap
pass log
class class-default
drop
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security IPv6tunnel
ipv6 address 2001:47:25:105B::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source FastEthernet0
tunnel mode ipv6ip
tunnel destination xxx.66.80.98
interface FastEthernet0
description WAN interface
ip address xxx.xxx.252.84 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
service-policy type inspect IPv6-out-pmap
zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
service-policy type inspect IPv6-out-pmap
policy-map type inspect IPv6-out-pmap
class type inspect IPv6-internet-class
inspect
class class-default
drop
class-map type inspect match-all IPv6-internet-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
ipv6 route ::/0 Tunnel1
ipv6 unicast-routing
ipv6 cef
parameter-map type inspect v6-param-map
ipv6 routing-header-enforcement loose
sessions maximum 10000

OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
class-map type inspect match-all cm-selftowan-he-out
match access-group name HETunnelOutbound
ip access-list extended HETunnelOutbound
permit 41 any any
permit ip any host 64.62.200.2
permit ip any host 66.220.2.74
permit ip any host 216.66.80.26
Now we see the same error, just on the 'new' first cmap in the pmap:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to Invalid Segment with ip ident 0
Yet as you can see above, we are allowing proto 41 any any.
I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
any ideas?
Thanks,
//TrX
EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
I decided to change the outbound cm-selftowan-he-out action to 'pass'.
I suddently noticed the following log:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session 216.66.80.26:0 :0 on zone-pair wantoself class cm-wantoself-he-in due to Invalid Segment with ip ident 0
Notice this is now inbound having trouble where as before was outbound.
I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
Looking at the original outbound PMAP:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan
inspect
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
cm-selftowan has always been infront of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of proto's).
This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
Hope this helps the OP too
//TrX

Websense web filtering not working with 2911 with zone based firewall

Hi,
Any one ran into this issue
We use websense for guest wifi but i dont see requests hitting websense server
config is below
class-map type inspect match-any test-1
match protocol http
policy-map type inspect Wifi-test
class type inspect test-1
inspect
urlfilter websense-parmap
class class-default
drop
parameter-map type urlfilter websense-parmap
server vendor websense 10.10.1.4
source-interface GigabitEthernet0/2
allow-mode on
cache 100
zone-pair security Wifi-in-out source Wifi destination outside
service-policy type inspect Wifi-test
interface GigabitEthernet0/1
description Internet
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
zone-member security Wifi
interface GigabitEthernet0/2
description LAN
ip address 10.10.4.1 255.255.255.0
zone-member security inside

Hi Stan,
You should be able to adapt this config example to your environment.
Andy-
class-map type inspect match-any http-cm
match protocol http
parameter-map type urlfpolicy websense websense-parm
server <websense server IP>
source-interface <lan interface>
allow-mode on
truncate hostname
class-map type urlfilter websense match-any websense-cm
match server-response any
policy-map type inspect urlfilter websense-pm
parameter type urlfpolicy websense websense-parm
class type urlfilter websense websense-cm
server-specified-action
policy-map type inspect Inside->Internet-pm
description Inside trusted to Internet
class type inspect http-cm
inspect
service-policy urlfilter websense-pm
class type inspect Inside->Internet-cm
inspect
class class-default
drop
zone-pair security Inside->Internet source Inside destination Internet
service-policy type inspect Inside->Internet-pm
! to check status & url block counts
show policy-map type inspect zone-pair Inside->Internet urlfilter

Problems with Zone based Firewall and mtr (mytraceroute)

We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
<code>
                                                                                                                   Packets               Pings
Host                                                                                                            Loss%   Snt   Last   Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de                                                                                    100.0     8    0.0   0.0   0.0   0.0   0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net                                                                        100.0     7    0.0   0.0   0.0   0.0   0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net                                                                       100.0     7    0.0   0.0   0.0   0.0   0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net                                                                             100.0     7    0.0   0.0   0.0   0.0   0.0
5. Mannheim1-10GE-3-0-0.belwue.net                                                                              100.0     7    0.0   0.0   0.0   0.0   0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net                                                                    100.0     7    0.0   0.0   0.0   0.0   0.0
7. de-cix20.net.google.com                                                                                      100.0     7    0.0   0.0   0.0   0.0   0.0
8. 72.14.238.230                                                                                                100.0     7    0.0   0.0   0.0   0.0   0.0
9. 72.14.239.62                                                                                                 100.0     7    0.0   0.0   0.0   0.0   0.0
10. 209.85.242.187                                                                                               100.0     7    0.0   0.0   0.0   0.0   0.0
11. ???
12. ???
13. ???
14. bk-in-f94.1e100.net                                                                                           0.0%     7   20.0 20.6 20.0 21.2   0.4
</code>
So it seems that the Firewall on my asr1001 is throwing away all packets with ttl-exceeded coming back from hops in between, they have another destination address.
At the moment I am inspecting all kind of traffic from my network outgoing:
ip access-list extended 101
permit ip any any
class-map type inspect match-all cmap1
match access-group name 101
policy-map type inspect pmap1
class type inspect cmap1
inspect
etc... (zones, zone-pair in-out with policies applied)
So I tried to let pass all icmp-traffic from the outside to my network:
class-map type inspect match-all cmap_icmp
match protocol icmp
policy-map type inspect pmap2
class type inspect cmap_icmp
pass
etc... (zones, zone-pair out-in with policies applied)
So this has no effect, but I tested and I could figure out, that when I pass all icmp-traffic from my network to the outside, THEN mtr does work.
BUT then normal ping does not work anymore, because it will not be inspected any more.
But I want to have a secure Firewall with inspecting echo-replys and working mtr anyway.
Has anyone the same problem or can even solve this issue?
Thanks in advance,
Stefan

Hi Andrew, thanks for Your answer...
So I have now:
class-map type inspect match-any cmap_icmp
match access-group name icmp_types
ip access-list extended icmp_types
permit icmp any any ttl-exceeded
PMAP IN--> OUT
(don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
policy-map type inspect vlan664_pmap_in
class type inspect vlan664_cmap_in   (this is an extended ACL "permit ip x.x.x.x any")
inspect
class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
pass log
class class-default
drop log
PMAP OUT-->IN
policy-map type inspect vlan664_pmap_out
class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
pass log
class type inspect vlan664_cmap_out (some open ports for some clients)
inspect
class type inspect ipsec_cmap_out (same problem with VPN when inspected)
pass log
class class-default
drop log
But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with 3rd packet the packetloss comes up:
                                                Packets               Pings
Host                                         Loss%   Snt   Last   Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de                 50.0%     3    0.3   0.3   0.3   0.3   0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net     50.0%     3    0.9   0.9   0.9   0.9   0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     0.0%     2    2.7   2.7   2.7   2.7   0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net           0.0%     2    1.5   1.5   1.5   1.5   0.0
5. Mannheim1-10GE-3-0-0.belwue.net            0.0%     2    2.5   2.5   2.5   2.5   0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 0.0%     2    4.1   4.1   4.1   4.1   0.0
7. de-cix20.net.google.com                    0.0%     2    5.0   5.0   5.0   5.0   0.0
8. 72.14.238.44                               0.0%     2   39.2 39.2 39.2 39.2   0.0
9. 72.14.236.68                               0.0%     2    5.4   5.4   5.4   5.4   0.0
10. 209.85.254.118                             0.0%     2    5.4   5.4   5.4   5.4   0.0
11. ???
12. google-public-dns-a.google.com             0.0%     2    5.5   5.3   5.2   5.5   0.2
                                                 Packets               Pings
Host                                          Loss%   Snt   Last   Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de                  66.7%     4    0.3   0.3   0.3   0.3   0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net      66.7%     4    0.8   0.8   0.8   0.8   0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net     66.7%     4    2.1   2.1   2.1   2.1   0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net           66.7%     4    1.5   1.5   1.5   1.5   0.0
5. Mannheim1-10GE-3-0-0.belwue.net            66.7%     4    2.6   2.6   2.6   2.6   0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 66.7%     4    4.2   4.2   4.2   4.2   0.0
7. de-cix20.net.google.com                    66.7%     4    5.3   5.3   5.3   5.3   0.0
8. 72.14.238.44                               66.7%     4   70.3 70.3 70.3 70.3   0.0
9. 72.14.239.60                               66.7%     4    5.8   5.8   5.8   5.8   0.0
10. 209.85.254.116                             66.7%     4    5.8   5.8   5.8   5.8   0.0
11. ???
12. google-public-dns-a.google.com              0.0%     4    6.3   5.7   5.2   6.3   0.5
In the sessions on the routers, I see only this entry:
         Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
Any other suggestions?

Any other US based BB users not receiving mails as of 12pm this afternoon?

Despite receiving loads of emails to my laptop, nothing seems to have pushed through to my device (from my work or personal emails) since about noon today. Is anyone else seeing the same thing?
What is up?

I stopped receiving emails yesterday and then starting receiving again, but all my emails from a certain point yesterday to back in February are now gone. I tried doing a search on the emails to see if maybe these were just "hidden" somehow, but no luck.

CCP bug with with zone based firewall policies

Hello guys,
I'm facing a problem today right after creating some new rules.
When we are going to "Edit Firewall Policy" the Rule Flow Diagram is showing up. My problem is that i don't see anymore the button which let me disable it !!
You can see the screenshot.
So my questions are:
- Is there a way to disable this diagram ? (maybe with some java configuration)
- Is there a way to modify this display ?
I have the same problem on a Win7, Win8, Win2008 & Win2012. Tested with Java 1.6u11 to 1.7
Thanks for the help.

I tried taking the http inspection rules out and had the same problem.
debug messages :
000168: Feb 9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000169: Feb 9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846 due to Out-Of-Order Segment with ip ident 0
000170: Feb 9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25 due to Out-Of-Order Segment with ip ident 0
000171: Feb 9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823 due to Out-Of-Order Segment with ip ident 0
000172: Feb 9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897 due to Out-Of-Order Segment with ip ident 0
000173: Feb 9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25 due to Retransmitted Segment with Invalid Flags with ip ident 0

How to allow website using the domain name in zone based firewall ?

Hi,
I need to give a restricted access to internet by allowing few sites. How will I do it with the url of a particular website. If I put the url in the configuration it resolves to only a single IP. How will I do it for a website like google where there are numerous number of IP addresses.
Regards,
Tony

Hi Bro
Please kindly refer to this URL https://supportforums.cisco.com/docs/DOC-17014
I hope this is what you're looking for :-)
P/S: If you think this comment is helpful, please do rate it nicely :-)

Standard (application-based) firewall with one additional port open?

Lion and Snow Leopard both have application based firewalls. I want to allow access to a Minecraft server on port 25565 but I don't want to allow all of Java. How can I open one port in addition to leaving the standard firewall in place?

Hi
The Zone based firewall uses "inspect" statements, that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the internet and protecting the outside interface of the router, but allowing anyconnect connections would look something like this:
ip access-list standard INSIDE-NETWORK_ACL
permit 192.168.1.0 255.255.255.0
class-map type inspect INSIDE-NETWORK_CMAP
match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
class type inspect INSIDE-NETWORK_CMAP
inspect
policy-map type inspect OUTSIDE-TO-SELF
class type inspect HTTPS_CMAP
pass
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTISDE
service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE-TO-SELF
I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw

Cisco 881 Zone Firewall issues

I'm having issues with an 881 that I have configured as a zone based firewall.
I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
On the corporate side the user complains that some websites fail, such as Linked in.
I have been using CCP to configure the device. What am I doing wrong?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 22210 bytes
! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname -Rt
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
enable password 7
aaa new-model
aaa authentication login local_auth local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3066996233
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3066996233
revocation-check none
rsakeypair TP-self-signed-3066996233
crypto pki certificate chain TP-self-signed-3066996233
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 10.0.2.2
ip dhcp excluded-address 10.0.2.1
ip dhcp pool Trusted
import all
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
domain-name spectra.local
dns-server 10.0.2.2 10.0.1.6
option 150 ip 10.1.1.10 10.1.1.20
ip dhcp pool Guest
import all
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
dns-server 4.2.2.2 4.2.2.3
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.0.2.2
ip name-server 4.2.2.2
login block-for 5 attempts 3 within 2
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
archive
log config
logging enable
username S privilege 15 secret 4
username ed privilege 15 password 7
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any TFTP
match protocol tftp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
match access-group name Any-From-HO
class-map type inspect match-any Skinny
match protocol skinny
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
match class-map Skinny
match access-group name Hostcom-Skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any Pings
match protocol icmp
class-map type inspect match-any Ping-
match class-map Pings
class-map type inspect match-all ccp-cls-ccp-inspect-2
match class-map Ping-
match access-group name Ping-
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-all ccp-cls-ccp-inspect-3
match class-map DNS
match access-group name Any-any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name Any/Any
class-map type inspect match-any https
match protocol https
class-map type inspect match-all ccp-cls-ccp-inspect-4
match class-map https
match access-group name any-any
class-map type inspect match-any UDP
match protocol udp
match protocol tcp
class-map type inspect match-all ccp-cls-ccp-inspect-5
match class-map UDP
match access-group name InsideOut
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Pings
match access-group name RespondtoSomePings
class-map type inspect match-any RemoteMgt
match protocol ssh
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map RemoteMgt
match access-group name Spectra-RemoteMgt
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol dns
match protocol https
class-map type inspect match-any WebBrowsing
match protocol http
match protocol https
class-map type inspect match-any DNS2
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map WebBrowsing
match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map DNS2
match access-group name DMZtoAny
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-2
inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-cls-ccp-inspect-5
pass log
class type inspect TFTP
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-4
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
class type inspect ccp-cls-ccp-inspect-3
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop log
policy-map type inspect ccp-permit-outside-in
class type inspect ccp-cls-ccp-permit-outside-in-2
inspect
class type inspect ccp-cls-ccp-permit-outside-in-1
pass
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-app-nonascii
log
reset
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-2
inspect
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-outside-in
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect ccp-permit-dmzservice
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Y address x.x.x.x
crypto isakmp key o1 address x.x.x.x
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-AES256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime kilobytes 128000
set security-association lifetime seconds 28800
set transform-set ESP-AES256-SHA
match address 102
interface FastEthernet0
description B
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet1
description Docker
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet2
description Phone
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet3
description Guest
switchport access vlan 3
no ip address
spanning-tree portfast
interface FastEthernet4
description External $FW_OUTSIDE$
bandwidth inherit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 104
duplex auto
speed auto
pppoe-client dial-pool-number 1
hold-queue 224 in
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
shutdown
interface Vlan2
description Trusted Network$FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1440
interface Vlan3
description Guest Network$FW_DMZ$
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callout
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip access-list standard SSH-Management
permit x.x.x.x log
permit 10.0.2.0 0.0.0.255 log
permit 10.0.1.0 0.0.0.255 log
ip access-list extended Any-From-HO
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended Any-any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Any/Any
remark CCP_ACL Category=128
permit ip host 10.0.2.0 host 10.0.1.0
ip access-list extended DMZ-Out
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended Hostcom-Skinny
remark CCP_ACL Category=128
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended InsideOut
remark CCP_ACL Category=128
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended Ping-Hostcom
remark CCP_ACL Category=128
permit ip host 10.0.2.2 any
ip access-list extended RespondtoSomePings
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host 37.0.96.2 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended RemoteMgt
remark CCP_ACL Category=128
permit ip host x.x.x.x any
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended any-any
remark CCP_ACL Category=128
permit ip any any
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 23 remark HTTPS Access
access-list 23 permit 10.0.2.1
access-list 23 permit x.x.x.x
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.112.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit udp any any eq bootpc
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP permit 1
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Authorised Access Only
If your not supposed to be here. Close the connection
^C
banner motd ^C
Access Is Restricted To Personel ONLY^C
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class SSH-Management in
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet ssh
scheduler interval 500
end

Hello Martin,
Please apply the following changes and let us know:
ip access-list extend DMZtoAny
1 permit udp 192.168.12.0 0.0.0.255 any eq 53
no permit ip 192.168.112.0 0.0.0.255 any
Ip access-list extended DMZ-Out
1 permit tcp 192.168.12.0 0.0.0.255 any eq 80
2 permit tcp 192.168.12.0 0.0.0.255 any eq 443
no permit ip 192.168.112.0 0.0.0.255 any
Change that, try and if it does not work post the configuration with the changes applied,
Regards,
Remember to rate all of the helfpul posts, that is as important as a thanks
Julio

Canceled but not received yet

i canceled my item is apple airport express with Order Number: W277258486 in march 11 2011. i received email with notification about canceled items, but now, i've not received return yet!!! plz help me!!!

You have posted in a forum for users. Apple is not here and they will not respond to you on this forum.
You should contact Apple Customer Service directly to resolve your issue.
http://store.apple.com/us/help/contact?mco=MTM3NDc0OTU

Cisco 2911 ISR Firewall

Hi everyone,
I would like to inquire on how to deploy Cisco 2911 ISR routers to act as Firewall to protect segments of my network. We have more than 10 units of the said router on our branch and i would like to ask on how i can make it a Firewall, it is running on IOS with sec/k9 license.
Hope that anyone can help me with my problem.
Thank you very much in advance
Best Regards,
Jayson Cruz

Hi Julio,
A good day its me again. My apologies to bother you again. May i ask for your advice regarding the set-up of my IOS Zone-Based Firewall via 2911 routers.
I have 2 2911 beanch routers with bgp peering on a WAN links to reach the branch. On the LAN interface of the said Branch Routers are the LAN segments configured via subinterface command and running HSRP with the other branch router.
How would i implement Zone-Based Firewall with HA without having drops because of asymetric routing. Im sorry since the configuration guide that you have sent me as so many options and configurations that i tend to be confusing on which one is another option and which one is prt of the previous procedure. I hope you could help me with this one as i need to implement it within this week.
Thanks you very much and I'm sorry for bothering you.
Thank you very much!
Jayson
Sent from Cisco Technical Support Android App

CCP - Advanced Firewall Creating Custom Ports Inbound Traffic

Hey folks, i desperatly need some assistance with my ISR 800 series router zone based Firewall.
The router is currently setup and routing traffic to the internet successfully.
I would like to setup a custom inbound port(TCP-3389) accessible from the internet.
Port destination termination will be an internal PC at say 192.168.1.50.
How can i accomplish this using CPP or console.
I have already defined the port to application mapping using CPP. however the firewall is recording the following syslog message:
%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action found in policy-map with ip ident 0
Any assistance is greatly appreciated
If full config is required to assist please let me know.

Thanks for your response.
Pardon my ignorance! how can i export this info from the CCP interface to share? In lue of that procedure, i have provided the full config below.
Building configuration...
Current configuration : 22564 bytes
! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881W-SSHS-R1
boot-start-marker
boot system flash:c880data-universalk9-mz.153-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8192 warnings
enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk
enable password 7 09485B1F180B03175A
aaa new-model
aaa authentication login sslvpn local
aaa session-id common
memory-size iomem 10
clock timezone EST -5 0
clock summer-time UTC recurring
service-module wlan-ap 0 bootimage autonomous
crypto pki server 881-sshs-r1ca
database archive pem password 7 121D1001130518017B
issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON
lifetime certificate 1095
lifetime ca-certificate 1825
crypto pki trustpoint sshs-trustpoint
enrollment selfsigned
serial-number
subject-name CN=sshs-certificate
revocation-check crl
rsakeypair sshs-rsa-keys
crypto pki trustpoint 881-sshs-r1ca
revocation-check crl
rsakeypair 881-sshs-r1ca
crypto pki certificate chain sshs-trustpoint
certificate self-signed 01
308201DC 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
4C311930 17060355 04031310 73736873 2D636572 74696669 63617465 312F3012
06035504 05130B46 54583133 32353830 34593019 06092A86 4886F70D 01090216
0C383831 572D5353 48532D52 31301E17 0D313330 34313332 31323334 315A170D
32303031 30313030 30303030 5A304C31 19301706 03550403 13107373 68732D63
65727469 66696361 7465312F 30120603 55040513 0B465458 31333235 38303459
30190609 2A864886 F70D0109 02160C38 3831572D 53534853 2D523130 5C300D06
092A8648 86F70D01 01010500 034B0030 48024100 C14B55D9 4B2D4124 D711B49E
BBCA3A9D 4EE59818 3922DF07 8D7A3901 BE32D2C5 108FD57C BEA8BEAE F1CFEDF3
6D8EF395 DD4D6880 846C9995 EB25B50A DC8E2CC7 02030100 01A35330 51300F06
03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801494 EBC22041
8AEC4A0C E3D4399D AD736724 1241E730 1D060355 1D0E0416 041494EB C220418A
EC4A0CE3 D4399DAD 73672412 41E7300D 06092A86 4886F70D 01010505 00034100
BCB0E36C 74CB592B C7404CA2 3028AE4A EEBC2FF9 2195BD68 E9BC5D76 00F1C26F
50837DEC 99E79BF5 E5C6C634 BE507705 83F6004B 1B4971E6 EAFBBB0D B3677087
      quit
crypto pki certificate chain 881-sshs-r1ca
certificate ca 01
30820299 30820202 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
60310B30 09060355 04081302 4F4E310B 30090603 55040613 02434131 15301306
03550403 130C3838 31772D73 7368732D 72313115 30130603 55040B13 0C737368
73207375 70706F72 74311630 14060355 040A130D 73736820 736F6C75 74696F6E
73301E17 0D313330 34313931 37313331 315A170D 31383034 31383137 31333131
5A306031 0B300906 03550408 13024F4E 310B3009 06035504 06130243 41311530
13060355 0403130C 38383177 2D737368 732D7231 31153013 06035504 0B130C73
73687320 73757070 6F727431 16301406 0355040A 130D7373 6820736F 6C757469
6F6E7330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BA7150D7 E4D5E06B 522A03C4 DBE95F4B C74A4BF5 D715814A 16B1D685 4873C6EB
2ACF8A35 4E4B5234 90B0DE07 738D705E 70C4CEDE D10271CD 658B3939 788859C7
B1730801 22DD5840 9EC1FC50 0AD4D2DF C5281E5F 891550B3 873B6305 02287605
80274704 700D7512 4D780096 E21A2DEE 18F76109 F1D6189B 56561E12 52E5A74B
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 168014CD 462ED740 1B5B89EC
8510BAB3 E91629AE 6C14F030 1D060355 1D0E0416 0414CD46 2ED7401B 5B89EC85
10BAB3E9 1629AE6C 14F0300D 06092A86 4886F70D 01010405 00038181 000EE548
B5692815 E61D2086 E7B53CD4 0C077D9D 479F8F6A 9276356D FD18FBD7 FDFCE15A
0224A686 F2154525 6F56CCD8 555E47EA 80C5223F A999260D 53E5AC53 A6AE6149
2B28EC50 67AA35E7 3B32011B E82D0888 5D3EDCC3 28720D49 DC01ADBB 1B2B44AF
CFD12481 7F1D9720 4A66D59A 8A3B7BB8 287F064C 41D788DD 0552FD91 F8
      quit
no ip source-route
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
ip dhcp excluded-address 192.168.10.1 192.168.10.200
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.30.1 192.168.30.200
ip dhcp pool SSHS-LAN
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN20
import all
network 192.168.20.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.20.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN30
import all
network 192.168.30.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.30.1
domain-name sshs.local
lease 2
no ip bootp server
ip domain name sshs.local
ip host 881W-SSHS-R1 192.168.10.1
ip name-server 208.122.23.22
ip name-server 208.122.23.23
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y
license boot module c880-data level advipservices
username sshs privilege 15 password 7 050F131920425A0C48
username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map match-any AutoQoS-Voice-Fa4
match protocol rtp audio
class-map type inspect match-all CCP_SSLVPN
match access-group 199
class-map match-any AutoQoS-Scavenger-Fa4
match protocol bittorrent
match protocol edonkey
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any remote-app
match protocol Other
class-map type inspect match-all SDM_RIP_PT
match protocol router
class-map type inspect match-any bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any bootpc_bootps
match protocol bootpc
match protocol bootps
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 102
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
match class-map bootps
match access-group name boops-DHCP
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map bootpc_bootps
match access-group name DHCP-Request
class-map type inspect match-any SDM_CA_SERVER
match class-map SDM_HTTPS
match class-map SDM_HTTP
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map uremote-app
match access-group name remote-app
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
class type inspect msnmsgr ccp-app-msn-otherservices
log
class type inspect ymsgr ccp-app-yahoo-otherservices
log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
pass log
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map AutoQoS-Policy-Fa4
class AutoQoS-Voice-Fa4
priority percent 1
set dscp ef
class AutoQoS-Scavenger-Fa4
bandwidth remaining percent 1
set dscp cs1
class class-default
fair-queue
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
class type inspect http ccp-app-httpmethods
log
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_CA_SERVER
inspect
class type inspect ccp-cls-ccp-permit-1
pass log
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_RIP_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-cls-ccp-permit-icmpreply-1
pass log
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
interface Null0
no ip unreachables
interface FastEthernet0
description LAN
switchport mode trunk
no ip address
interface FastEthernet1
description Not in Use
no ip address
interface FastEthernet2
description Trunk to 861W-SSHS-R1
switchport mode trunk
no ip address
auto discovery qos
interface FastEthernet3
description VoIP
switchport access vlan 30
no ip address
service-policy output AutoQoS-Policy-UnTrust
interface FastEthernet4
description WAN$ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname xxx.xxxx.org
ip address dhcp client-id FastEthernet4
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
auto qos
service-policy output AutoQoS-Policy-Fa4
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description SSHS Default LAN$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Vlan30
description $FW_INSIDE$
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description PPPoA Dialer for Int ATM0$FW_INSIDE$
ip address negotiated
ip access-group aclInternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname SSHS-CHAP
ppp chap password 7 045F1E100E2F584B
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
router rip
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
ip local pool sslvpn-pool 192.168.10.190 192.168.10.199
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended DHCP-Request
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any log
ip access-list extended SDM_HTTP
remark CCP_ACL Category=1
permit tcp any any eq www log
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22 log
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended remote-app
remark CCP_ACL Category=128
permit ip any host 192.168.10.50
ip access-list extended boops-DHCP
remark CCP_ACL Category=128
permit ip any any
logging host 192.168.10.50
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.50
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
control-plane
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue
^C
banner motd ^C This router is designated as the primary router in the SSHS LAN ^C
line con 0
password 7 06021A374D401D1C54
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 06021A374D401D1C54
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 130102040A02102F7A
length 0
transport input telnet ssh
transport output telnet ssh
scheduler interval 500
ntp master
ntp update-calendar
ntp server nist1-ny.ustiming.org prefer
webvpn gateway sshs-WebVPN-Gateway
ip interface FastEthernet4 port 443
ssl encryption rc4-md5
ssl trustpoint sshs-trustpoint
inservice
webvpn context sshs-WebVPN
secondary-color white
title-color #669999
text-color black
acl "ssl-acl"
   permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
aaa authentication list sslvpn
gateway sshs-WebVPN-Gateway
max-users 4
ssl authenticate verify all
url-list "rewrite"
inservice
policy group sshs-webvpnpolicy
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpnpool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.0.0 255.255.255.0
default-group-policy sshs-webvpnpolicy
end

Cisco ASA not returning traffic when wccp peering with Bluecoat.

Experts,
My setup has a Cisco ASA where we are doing wccp with a Bluecoat SG box. The traffic gets redirected to the Bluecoat due to the wccp settings so it's just transparent to the end users. Theye do not have to do any manual proxy settings in their IE.
We however notice that somehow the ASA does not return these connection back to the requesting hosts and somehere the connection table breaks. The message we see on the ASA that state table is somehow not being maintained. Any idea where this connection must be breaking?
Regards,
Nikhil Kulkarni.

Nikhil,
Let me give you a little bit of backgrounf in regards to WCCP that can help you. As you stated the ASA will do transparent redirection, so the client doesn't have to configure anything on the PC.
The traffic will get to the ASA (port 80/443 or any configured port) and then the ASA will establish a GRE tunnel with WCCP server and will redirect the traffic. After the Bluecoat receives the traffic it will "spoof" the IP address of the requested web page (the WCCP server needs to have direct comunication with the client PC without passing through the ASA). I have seen some issues where the ASA and the WCCP server are unable to establish the GRE tunnel becuase the ASA uses the highest IP address as the router ID and uses this IP address to establish the tunnel. The WCCP keepalives (Here I am, I see you) are sent using the IP address of the closest IP address to the WCCP server.
At this point you may turn on the WCCP debugs and run some "show WCCP" commands.
I hope it helps
Luis Silva

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out. I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

Hey Craig,
Based on your commands I think you were using 6.3 version on PIX and now you must be moving to ASA ver 8.2.x.
On 8.4 for interface defining use below mentioned example :
int eth0/0
ip add x.x.x.x y.y.y.y
nameif outside
no shut
int eth0/1
ip add x.x.x.x y.y.y.y
nameif inside
no shut
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
If you're still not able to reach.Paste your entire config and version that you are using on ASA.

Cisco Zone-based firewall issue/ not receiving return traffic

Similar Messages

Maybe you are looking for