Inbound Traffic Blocked
I am running VPN Client Version 5.0.00.0340. I have internal and external NICs on the server. Once I have the tunnel established (inside internal NIC) I seem to be dropping the inbound packets between the external and internal NICs. Any suggestions?
Well no - not really. The VPN client will establish the connection to the remote end using the local routing table it has. From that point onwards - that is the terminating IP address of the VPN session. From the machine itself it should be assigned an IP address from the remote VPN server - this IP address will be used to receive and send encrypted traffic from the central end.
If you have an internal NIC in the server you also have the VPN client on....do you want to send traffic from your LAN through the VPN client to the remote end? If so - the external & internal NICs must be on the same IP subnet, as the remote VPN client cannot be used as a pass-through device between 2 different subnets....unless you perform NAT on the device with the VPN client.....if you are doing that - you may as well just buy a firewall or router!
HTH.
Similar Messages
RV110W Blocks all inbound traffic
I have a RV110W that's been in service since Dec 2012. Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly. Anybody seen this before?
Hi David,
Please call the Small Business Support Center and speak with an engineer. The phone numbers for the support center is located here: https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Regards,
Cindy Toy
Cisco Small Business Community Manager
for Cisco Small Business Products
www.cisco.com/go/smallbizsupport
twitter: CiscoSBsupport
Inbound traffic alert (ESET) - Application: System
I have a MacBook Pro (Retina, 15-inch, Mid 2014) running OS X Yosemite 10.10.2
I have installed ESET Cyber Security Pro a while ago, and an inbound traffic alert just popped up. "A remote computer is attempting to communicate with an application running on this computer. Do you wish to allow this communication?"
The application involved is "System", local port is TCP 8770. The remote computer is fe80::4c8d:97ff:feb4:5d8d, remote port is 56398.
I am still new to Mac, and therefore I'm not sure if I should allow or block. I thought that it might be system updates, but not too sure about that so I'd rather wait for an answer before proceeding.
Port 8770 is used for the Digital Photo Access Protocol, which in the case of a Mac means sharing of photos. I'm not sure exactly how this port is used in Yosemite, but you can bet this is just another Mac or iOS device on your local network querying your Mac to see if it is sharing any photos. It is very unlikely that you have a network configuration that would even allow a truly "remote" computer to connect to yours over the internet.
ESET is wasting your time here. Uninstall it, and see my Mac Malware Guide for more information about protecting yourself from malware.
(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)
Nexus1000v local SPAN can't capture inbound traffic
hi all,
I just configured local SPAN on nexus1000v (version 1.3d).
local SPAN source and destination is on same VEM.
my config is like below:
monitor session 3
source interface Vethernet13 both
destination interface Vethernet170
destination interface Vethernet36
no shut
SPAN session is up.
But we can't see any inbound traffic to the source VM.
(10.16.185.4,5,6 is the IPs of SPAN source)
[root@davidzhangRHEL ~]# tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:46:07.644551 IP 10.16.185.3.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=10.16.185.1
11:46:07.654771 IP 10.16.185.2.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=active group=1 addr=10.16.185.1
11:46:07.961735 IP 10.16.185.6.https > 10.16.184.196.50254: S 3897896960:3897896960(0) ack 1838046824 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 74329579 2654766205>
11:46:07.962955 IP 10.16.185.6.https > 10.16.184.196.50254: R 1:1(0) ack 2 win 0
11:46:10.644950 IP 10.16.185.3.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=10.16.185.1
11:46:10.657615 IP 10.16.185.2.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=active group=1 addr=10.16.185.1
11:46:11.081231 IP 10.16.185.5.https > 10.16.184.197.58538: S 1850399261:1850399261(0) ack 3055844595 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 74329891 2654662655>
11:46:11.081970 IP 10.16.185.5.https > 10.16.184.197.58538: R 1:1(0) ack 2 win 0
11:46:11.957381 IP 10.16.185.5.https > 10.16.184.196.42161: S 1862096740:1862096740(0) ack 970410175 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 74329978 2654770202>
11:46:11.958705 IP 10.16.185.5.https > 10.16.184.196.42161: R 1:1(0) ack 2 win 0
11:46:12.089401 IP 10.16.185.6.https > 10.16.184.197.45604: S 2733719434:2733719434(0) ack 3290215780 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 74329992 2654663683>
11:46:12.090735 IP 10.16.185.6.https > 10.16.184.197.45604: R 1:1(0) ack 2 win 0
11:46:12.956018 IP 10.16.185.6.https > 10.16.184.196.50302: S 2275642708:2275642708(0) ack 3286673454 win 8192 <mss 1460,nop,wscale 8,sackOK,timestamp 74330078 2654771200>
11:46:12.956838 IP 10.16.185.6.https > 10.16.184.196.50302: R 1:1(0) ack 2 win 0
11:46:13.552716 IP 10.16.185.4.61913 > 10.2.222.111.5723: P 3867141198:3867142223(1025) ack 4146771556 win 508
11:46:13.645770 IP 10.16.185.3.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=10.16.185.1
11:46:13.654427 IP 10.16.185.2.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=active group=1 addr=10.16.185.1
11:46:13.817143 IP 10.16.185.4.61913 > 10.2.222.111.5723: . ack 180 win 508
1000v# module vem 12 execute vemcmd show span
VEM SOURCE IP NOT CONFIGURED.
HW SSN ID DST LTL/IP ERSPAN ID HDR VER
0 68 local
1000v# show monitor internal errors
1) Event:E_DEBUG, length:96, at 163774 usecs after Thu Sep 22 15:12:17 2011
[102] eth_span_phy_if_init_runtime_info(1051): im_get_ifindex_span_mode_list returned 0x40e30005
2) Event:E_DEBUG, length:96, at 684704 usecs after Thu Sep 22 15:12:04 2011
[102] eth_span_phy_if_init_runtime_info(1051): im_get_ifindex_span_mode_list returned 0x40e30005
Anybody, any suggestion? Your help is highly appreciated.
Hi Michael,
Thanks. You are correct. We are able to see outbound traffic from SPAN source but not inbound traffic to SPAN source.
Note: I have done vmotion for the SPAN source and SPAN destination virtual machines.
Please see the below output which you requested.
1000v# show monitor session 1
session 1
type : local
state : up
source intf :
rx : Veth13
tx : Veth13
both : Veth13
source VLANs :
rx :
tx :
both :
filter VLANs : filter not specified
destination ports : Veth170 Veth36
1000v#
show monitor internal info session 1
Session 1 info:
FSM state: SESSION_STATE_OPER_ACTIVE
State reason: 0
*** ADMIN DATA ***
Session state: NO SHUT
Ingress sources
phy if: Veth13
port ch:
vlans:
Egress sources
phy if: Veth13
port ch:
vlans:
Destinations:
Veth170, Veth36
PSS source list:
Veth13
PSS destination list:
Veth170, Veth36
*** RUNTIME DATA ***
hw_ssn_id: 0
destination index: 0x4fa3 (multicast di)
oper rx: Veth13
oper tx: Veth13
oper dest: Veth170, Veth36
oper dest for di: Veth170, Veth36
programmed rx: Veth13
programmed tx: Veth13
programmed dest: Veth170, Veth36
programmed dest for di: Veth170, Veth36
programmed filter rx:1500
programmed filter tx:
Lock Info: resource [Session ID(0x1)]
type[0] p_gwrap[(nil)]
FREE @ 97236 usecs after Sun Sep 25 12:14:25 2011
type[1] p_gwrap[(nil)]
FREE @ 580143 usecs after Tue Sep 27 01:53:06 2011
type[2] p_gwrap[(nil)]
FREE @ 520203 usecs after Sun Sep 25 12:48:23 2011
0x1
Use lock event history for more details
1000v# terminal length 0
1000v# show monitor internal info interface vethernet 13
Interface info:
if_index: 1c0000c0
source for ssn 1, src_dir 3
state: up
layer: 2
mode: access
Access vlan: 1500
Interface is not in switchport monitor mode
No Entries in SDB for if_index 0x1c0000c0
1000v# show monitor internal info interface vethernet 36
Interface info:
if_index: 1c000230
destination for ssn 1
state: up
layer: 2
mode: access
Access vlan: 1500
Interface is not in switchport monitor mode
The port is MISCONFIGURED, being not span destination but used as such
No Entries in SDB for if_index 0x1c000230
1000v# show monitor internal info interface vethernet 170
Interface info:
if_index: 1c000a90
destination for ssn 1
state: up
layer: 2
mode: access
Access vlan: 1500
Interface is not in switchport monitor mode
The port is MISCONFIGURED, being not span destination but used as such
No Entries in SDB for if_index 0x1c000a90
1000v# show interface virtual | egrep "(13|36|170)"
Veth13 Net Adapter 1 VM451 11 esx905
Veth36 Net Adapter 4 VM510 11 esx905
Veth113 Net Adapter 2 VM808 12 esx902
Veth130 Net Adapter 1 VMSDE449 12 esx902
Veth131 Net Adapter 3 VM809 10 esx904
Veth132 Net Adapter 2 VMSDE449 12 esx902
Veth134 Net Adapter 2 VM510 11 esx905
Veth135 Net Adapter 2 VM511 8 esx901
Veth136 Net Adapter 2 VM465 9 esx903
Veth137 Net Adapter 1 VM472 11 esx905
Veth138 Net Adapter 3 VM470 10 esx904
Veth139 Net Adapter 3 VM472 11 esx905
Veth151 Net Adapter 1 VMSDE436 11 esx905
Veth152 Net Adapter 2 VMSDE436 11 esx905
Veth170 Net Adapter 2 RHEL5 11 esx905
1000v# module vem 11 execute vemcmd show port
LTL IfIndex Vlan Bndl SG_ID Pinned_SGID Type Admin State CBL Mode Name
8 0 3969 0 32 32 VIRT UP UP 4 Access
9 0 3969 0 32 32 VIRT UP UP 4 Access
10 0 1513 0 32 7 VIRT UP UP 4 Access
11 0 3968 0 32 32 VIRT UP UP 4 Access
12 0 1514 0 32 8 VIRT UP UP 4 Access
13 0 1 0 32 32 VIRT UP UP 0 Access
14 0 3971 0 32 32 VIRT UP UP 4 Access
15 0 3971 0 32 32 VIRT UP UP 4 Access
16 1a0a0000 1600 T 307 0 32 PHYS UP UP 4 Trunk vmnic0
18 1a0a0200 616 T 306 2 32 PHYS UP UP 4 Trunk vmnic2
19 1a0a0300 1 T 305 3 32 PHYS UP UP 1 Trunk vmnic3
20 1a0a0400 1 T 305 4 32 PHYS UP UP 1 Trunk vmnic4
21 1a0a0500 1600 T 307 5 32 PHYS UP UP 4 Trunk vmnic5
23 1a0a0700 1 T 304 7 32 PHYS UP UP 1 Trunk vmnic7
24 1a0a0800 1 T 304 8 32 PHYS UP UP 1 Trunk vmnic8
25 1a0a0900 616 T 306 9 32 PHYS UP UP 4 Trunk vmnic9
48 1b0a0000 1500 0 32 3 VIRT UP UP 4 Access VM510 ethernet3
49 1b0a0010 620 0 32 9 VIRT UP UP 4 Access VM510 ethernet2
pvlan isolated 616 620
50 1b0a0020 1500 0 32 4 VIRT UP UP 4 Access VM510 ethernet1
51 1b0a0030 1620 0 32 0 VIRT UP UP 4 Access VM480 ethernet2
pvlan isolated 1600 1620
52 1b0a0040 620 0 32 2 VIRT UP UP 4 Access VM480 ethernet1
pvlan isolated 616 620
53 1b0a0050 1502 0 32 3 VIRT UP UP 4 Access VM480 ethernet0
54 1b0a0060 1509 0 32 4 VIRT UP UP 4 Access fiserv-f5 ethernet2
55 1b0a0070 620 0 32 9 VIRT UP UP 4 Access fiserv-f5 ethernet1
pvlan isolated 616 620
56 1b0a0080 1512 0 32 7 VIRT UP UP 4 Access fiserv-f5.eth0
57 1b0a0090 1620 0 32 5 VIRT UP UP 4 Access VM459 ethernet2
pvlan isolated 1600 1620
58 1b0a00a0 620 0 32 2 VIRT UP UP 4 Access VM459 ethernet1
pvlan isolated 616 620
59 1b0a00b0 1501 0 32 3 VIRT UP UP 4 Access VM459 ethernet0
60 1b0a00c0 620 0 32 2 VIRT UP UP 4 Access VM476 ethernet2
pvlan isolated 616 620
61 1b0a00d0 1501 0 32 4 VIRT UP UP 4 Access VM476 ethernet1
62 1b0a00e0 1620 0 32 0 VIRT UP UP 4 Access VM476 ethernet0
pvlan isolated 1600 1620
63 1b0a00f0 620 0 32 2 VIRT UP UP 4 Access VM451 ethernet3
pvlan isolated 616 620
64 1b0a0100 1620 0 32 5 VIRT UP UP 4 Access VM451 ethernet2
pvlan isolated 1600 1620
65 1b0a0110 1500 0 32 3 VIRT UP UP 4 Access VM451 ethernet0
66 1b0a0120 1620 0 32 0 VIRT UP UP 4 Access VMSDE440 ethernet1
pvlan isolated 1600 1620
67 1b0a0130 1508 0 32 4 VIRT UP UP 4 Access VMSDE440 ethernet0
68 1b0a0140 1509 0 32 3 VIRT UP UP 4 Access VM501 ethernet0
72 1b0a0180 1620 0 32 0 VIRT UP UP 4 Access VMSDE436 ethernet1
pvlan isolated 1600 1620
73 1b0a0190 1508 0 32 3 VIRT UP UP 4 Access VMSDE436 ethernet0
74 1b0a01a0 620 0 32 2 VIRT UP UP 4 Access VM477 ethernet3
pvlan isolated 616 620
75 1b0a01b0 1620 0 32 5 VIRT UP UP 4 Access VM477 ethernet1
pvlan isolated 1600 1620
76 1b0a01c0 1501 0 32 3 VIRT UP UP 4 Access VM477 ethernet0
77 1b0a01d0 1620 0 32 0 VIRT UP UP 4 Access VMSDE434 ethernet1
pvlan isolated 1600 1620
78 1b0a01e0 1508 0 32 4 VIRT UP UP 4 Access VMSDE434 ethernet0
79 1b0a01f0 1620 0 32 5 VIRT UP UP 4 Access VM454 ethernet3
pvlan isolated 1600 1620
80 1b0a0200 620 0 32 9 VIRT UP UP 4 Access VM454 ethernet2
pvlan isolated 616 620
81 1b0a0210 1501 0 32 4 VIRT UP UP 4 Access VM454 ethernet0
82 1b0a0220 1620 0 32 0 VIRT UP UP 4 Access VM815 ethernet1
pvlan isolated 1600 1620
83 1b0a0230 1507 0 32 3 VIRT UP UP 4 Access VM815 ethernet0
87 1b0a0270 1620 0 32 0 VIRT UP UP 4 Access VMSDE405 ethernet1
pvlan isolated 1600 1620
88 1b0a0280 1509 0 32 3 VIRT UP UP 4 Access VMSDE405 ethernet0
89 1b0a0290 1620 0 32 5 VIRT UP UP 4 Access VMSDE424 ethernet1
pvlan isolated 1600 1620
90 1b0a02a0 1509 0 32 3 VIRT UP UP 4 Access VMSDE424 ethernet0
91 1b0a02b0 620 0 32 9 VIRT UP UP 4 Access VM472 ethernet2
pvlan isolated 616 620
92 1b0a02c0 1620 0 32 0 VIRT UP UP 4 Access VM472 ethernet1
pvlan isolated 1600 1620
93 1b0a02d0 1500 0 32 4 VIRT UP UP 4 Access VM472 ethernet0
94 1b0a02e0 1508 0 32 4 VIRT UP UP 4 Access VMSDE431 ethernet1
95 1b0a02f0 1620 0 32 5 VIRT UP UP 4 Access VMSDE431 ethernet0
pvlan isolated 1600 1620
96 1b0a0300 1620 0 32 0 VIRT UP UP 4 Access VM496 ethernet2
pvlan isolated 1600 1620
97 1b0a0310 1501 0 32 3 VIRT UP UP 4 Access VM496 ethernet1
98 1b0a0320 1500 0 32 4 VIRT UP UP 4 Access VM496 ethernet0
99 1b0a0330 1620 0 32 5 VIRT UP UP 4 Access VM510 ethernet0
pvlan isolated 1600 1620
100 1b0a0340 1500 0 32 4 VIRT UP UP 4 Access RHEL5 ethernet1
101 1b0a0350 1512 0 32 8 VIRT UP UP 4 Access RHEL5.eth0
102 1b0a0360 1620 0 32 0 VIRT UP UP 4 Access VM452 ethernet3
pvlan isolated 1600 1620
103 1b0a0370 620 0 32 2 VIRT UP UP 4 Access VM452 ethernet2
pvlan isolated 616 620
104 1b0a0380 1500 0 32 3 VIRT UP UP 4 Access VM452 ethernet0
304 16000028 1 T 0 32 32 VIRT UP UP 1 Trunk
305 16000029 1 T 0 32 32 VIRT UP UP 1 Trunk
306 1600002a 616 T 0 32 32 VIRT UP UP 4 Trunk
307 1600002b 1600 T 0 32 32 VIRT UP UP 4 Trunk
1000v# module vem 11 execute vemcmd show span
VEM SOURCE IP NOT CONFIGURED.
HW SSN ID DST LTL/IP ERSPAN ID HDR VER
0 4408 local
1000v#
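The poster reads the capture by eye and concludes that only traffic sent by the SPAN source shows up. The script below is an added example (not from the post or from Cisco) that makes that check mechanical: it parses tcpdump one-line summaries, counts packets leaving and arriving at the SPAN source addresses, and reports which leg of a `both` session is actually delivering. The sample lines are a constructed subset copied from the capture above; the source addresses 10.16.185.4/5/6 are the ones the poster gave.

```python
import re
from collections import Counter
from typing import Iterable

# Constructed sample: a handful of lines copied from the tcpdump output in the
# post above, plus one non-packet line to show that noise is not miscounted.
SAMPLE_CAPTURE = """\
11:46:07.644551 IP 10.16.185.3.hsrp > 224.0.0.2.hsrp: HSRPv0-hello 20: state=standby group=1 addr=10.16.185.1
11:46:07.961735 IP 10.16.185.6.https > 10.16.184.196.50254: S 3897896960:3897896960(0) ack 1838046824 win 8192
11:46:07.962955 IP 10.16.185.6.https > 10.16.184.196.50254: R 1:1(0) ack 2 win 0
11:46:11.081231 IP 10.16.185.5.https > 10.16.184.197.58538: S 1850399261:1850399261(0) ack 3055844595 win 8192
11:46:13.552716 IP 10.16.185.4.61913 > 10.2.222.111.5723: P 3867141198:3867142223(1025) ack 4146771556 win 508
11:46:13.817143 IP 10.16.185.4.61913 > 10.2.222.111.5723: . ack 180 win 508
tcpdump: WARNING: eth1: no IPv4 address assigned
"""

# Addresses of the SPAN source VM (Veth13), as given in the post.
SPAN_SOURCES = {"10.16.185.4", "10.16.185.5", "10.16.185.6"}

# "<timestamp> IP <src>.<port> > <dst>.<port>: ..." is the only line shape parsed.
_IP_LINE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+):")


def _host(endpoint: str) -> str:
    """Drop the trailing '.port' / '.service' that tcpdump appends to an address."""
    return endpoint.rsplit(".", 1)[0]


def span_direction_counts(lines: Iterable[str], sources) -> Counter:
    """Count packets leaving (tx) and arriving at (rx) the SPAN source addresses.

    Lines that are not IPv4 packet summaries (warnings, ARP, IPv6) are counted
    under 'skipped' so a capture full of noise is not mistaken for a good one.
    """
    counts = Counter(tx=0, rx=0, other=0, skipped=0)
    for line in lines:
        m = _IP_LINE.match(line)
        if not m:
            counts["skipped"] += 1
            continue
        src, dst = _host(m["src"]), _host(m["dst"])
        if src in sources:
            counts["tx"] += 1
        elif dst in sources:
            counts["rx"] += 1
        else:
            counts["other"] += 1  # e.g. the HSRP hellos from the two gateways
    return counts


def diagnose(counts: Counter) -> str:
    """Say which legs of a 'both'-direction SPAN session are actually delivering."""
    tx, rx = counts["tx"], counts["rx"]
    if tx and rx:
        return "both"
    if tx:
        return "tx-only"  # the symptom in the post: outbound mirrored, inbound missing
    if rx:
        return "rx-only"
    return "none"


if __name__ == "__main__":
    c = span_direction_counts(SAMPLE_CAPTURE.splitlines(), SPAN_SOURCES)
    print(dict(c), "->", diagnose(c))
```

Run it against a longer capture (`tcpdump -nn -i eth1 | python3 span_check.py` with the script reading stdin instead of the constant) while generating traffic in both directions to the source VM; a `tx-only` verdict with a non-zero `rx` expectation points at the receive leg of the session rather than at the VM or the sniffer.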
Inbound Queue blocked: Parallel and alternative sequences are not supported
Hi,
Just now, I checked the Inbound Queue in SCM system through SMQ2 and found which was blocked by error message "Parallel and alternative sequences are not supported". Could you please tell me what does it mean? How to fix it?
Thanks,
Quanyin Su
Hi Quanyin Su,
Parallel and Alternative sequences are used in routing.
I believe you are trying to CIF PPM/PDS from ECC to APO and you are getting this queue stuck at inbound of APO.
Both the alternative and parallel sequences are supported in APO.
Alternative sequence is used as alternative modes in APO.
I can think of this as a master data issue.
At least one of your work center used in either of the sequences is not available in APO or is not APO relevant.
Could you please check your master data such as all the work centers used and make sure your parallel and alternative sequences are consistent.
Once you made sure that master is available in ECC, you can CIF it to APO by using CURTO_CREATE transaction in ECC.
Please see below link for Routing and its usage in APO:
http://help.sap.com/saphelp_apo/helpdata/en/99/ed3a981d0f11d5b3fc0050dadf0791/content.htm
You also need to activate a BADI in order to send alternative sequences to APO.
Below thread has all the details regarding this.
Re: /SAPAPO/CURTO 103 : Mode .. is not assigned to an activity
Regards,
Abhay Kapase
Edited by: AbhayKapase on Aug 5, 2011 2:24 PM
Inbound Queue blocked - SAP TM
Hi guys,
We are facing an issue regarding CIF. Seems like Inbound Queue in TM got blocked, original error was because number ranges for locations (what I think we already solved) but since queue is blocked we can not send fresh data.
I've tried checking SMQ2 from TM side, and SMQ1 from ECC side, both are empty. Any idea how to unlock queue even if no records are displayed in SMQ1 (ECC) / SMQ2 (TM).
Many thanks in advance!
Martin,
Incoming RTP traffic blocked by SPA112 ATA: UDP port unreachable
Hi folks,
I'm using a Cisco SPA112 ATA behind a NAT, where port 5060,5061 and 16384-16482 are forwarded. Registration to the SIP proxy also works fine. However, I'm struggling with audio issues, meaning that the RTP session is not setup properly.
When investigating this issue at the packet-level, I found that the ATA itself is blocking traffic:
21:00:21.857655 IP 192.168.x.y > 82.197.a.b: ICMP 192.168.x.y udp port 16452 unreachable, length 208
The blocked port number depends per session, but is always between 16384 and 16482.
Actually, the issue sounds very much like in [1]. However, the proposed solution (disabling CDP) is not of any help to me, since it's disabled on my ATA by default. Any clue what could be the reason for this behaviour? Your help is greatly appreciated.
[1] https://supportforums.cisco.com/discussion/11470321/spa-962-intermittently-no-audio-rtp-port-closedunreachable
Hi,
You can try this packet Tracer:-
packet-tracer input outside udp <external source IP on the internet> 45657 <outside interface IP> 43139 detailed
For the captures , you just need to verify that the ASA device is passing the traffic through as this is UDP traffic , we would not be able to find much.
For more information on captures:-
https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios
Let me know if you have any further queries.
Thanks and Regards,
Vibhor Amrodia
Howto allow all inbound traffic on 678?
I have a 501 behind a 678 (CBOS 2.4.6) The 678 does not allow inbound connection by default. How can I config the 678 to simply terminate the ADSL and allow all traffic both in and out, so that I can let the 501 do all the access control?
Try:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/products_user_guide_book09186a008007ce34.html
http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/prod_release_note09186a00800eac45.html
QOS for inbound traffic on 3560
Just to clarify what I'm asking.... I would like to make the congestion happen on our end and not on the ISP's equipment that I have no control over traffic shaping etc... I can't limit the bandwidth on the aggregate port that the metro e connects to (3750) because it would limit it for all locations and not just one. I think my only option is to limit the bandwidth on the switch at the location in question but I guess it would have to be on the ingress side, but then will it still drop packets according to dscp priority during congestion?
I have a little problem I hope you guys can help me with. We have a location that has a metro e hand off from our ISP. The same metro e also serves other locations and the aggregate point is at our main office which goes to a Cisco 3750 stack. The location in question has a single Cisco 3560 switch. We need to apply QOS for both inbound and outbound traffic to this location. I can tag the traffic to and from there but how do I make it so that the 3560 (or 3750) gets saturated and not the ISP connection for incoming traffic (so we decide what packets get dropped)? srr-queue bandwidth limit can't be used on the metro e port on the 3750 because this would limit all locations and not just the one. Should I put another small switch and put it in front of the 3560? This way I could use srr-queue and apply QOS to the egress queue. I hope this...
This topic first appeared in the Spiceworks Community
I've allowed one private IP address to a specific machine on the tunnel ACL. My problem is whenever there is no activity from the client side -- the PIX will block the traffic.
To enable the traffic I need to ping the client IP from the specific machine.
Any idea what's wrong?
Your question is vague. If I understand, the symptom is that if you are not doing anything, when your allowed machine tries to communicate, it cannot at first but if you ping, it will work after...
If that is the case, then you are observing normal behavior in that the tunnel will go down after a period of time. To bring it back up, you simply have to send it interesting traffic..
The ping works but any traffic destined for that remote side (that's allowed of course) should bring it up.
Chris
CCP - Advanced Firewall Creating Custom Ports Inbound Traffic
Hey folks, I desperately need some assistance with my ISR 800 series router zone based firewall.
The router is currently setup and routing traffic to the internet successfully.
I would like to setup a custom inbound port(TCP-3389) accessible from the internet.
Port destination termination will be an internal PC at say 192.168.1.50.
How can I accomplish this using CCP or console?
I have already defined the port to application mapping using CCP. However the firewall is recording the following syslog message:
%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action found in policy-map with ip ident 0
Any assistance is greatly appreciated
If full config is required to assist please let me know.
Thanks for your response.
Pardon my ignorance! How can I export this info from the CCP interface to share? In lieu of that procedure, I have provided the full config below.
Building configuration...
Current configuration : 22564 bytes
! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881W-SSHS-R1
boot-start-marker
boot system flash:c880data-universalk9-mz.153-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8192 warnings
enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk
enable password 7 09485B1F180B03175A
aaa new-model
aaa authentication login sslvpn local
aaa session-id common
memory-size iomem 10
clock timezone EST -5 0
clock summer-time UTC recurring
service-module wlan-ap 0 bootimage autonomous
crypto pki server 881-sshs-r1ca
database archive pem password 7 121D1001130518017B
issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON
lifetime certificate 1095
lifetime ca-certificate 1825
crypto pki trustpoint sshs-trustpoint
enrollment selfsigned
serial-number
subject-name CN=sshs-certificate
revocation-check crl
rsakeypair sshs-rsa-keys
crypto pki trustpoint 881-sshs-r1ca
revocation-check crl
rsakeypair 881-sshs-r1ca
crypto pki certificate chain sshs-trustpoint
certificate self-signed 01
308201DC 30820186 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
4C311930 17060355 04031310 73736873 2D636572 74696669 63617465 312F3012
06035504 05130B46 54583133 32353830 34593019 06092A86 4886F70D 01090216
0C383831 572D5353 48532D52 31301E17 0D313330 34313332 31323334 315A170D
32303031 30313030 30303030 5A304C31 19301706 03550403 13107373 68732D63
65727469 66696361 7465312F 30120603 55040513 0B465458 31333235 38303459
30190609 2A864886 F70D0109 02160C38 3831572D 53534853 2D523130 5C300D06
092A8648 86F70D01 01010500 034B0030 48024100 C14B55D9 4B2D4124 D711B49E
BBCA3A9D 4EE59818 3922DF07 8D7A3901 BE32D2C5 108FD57C BEA8BEAE F1CFEDF3
6D8EF395 DD4D6880 846C9995 EB25B50A DC8E2CC7 02030100 01A35330 51300F06
03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801494 EBC22041
8AEC4A0C E3D4399D AD736724 1241E730 1D060355 1D0E0416 041494EB C220418A
EC4A0CE3 D4399DAD 73672412 41E7300D 06092A86 4886F70D 01010505 00034100
BCB0E36C 74CB592B C7404CA2 3028AE4A EEBC2FF9 2195BD68 E9BC5D76 00F1C26F
50837DEC 99E79BF5 E5C6C634 BE507705 83F6004B 1B4971E6 EAFBBB0D B3677087
quit
crypto pki certificate chain 881-sshs-r1ca
certificate ca 01
30820299 30820202 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
60310B30 09060355 04081302 4F4E310B 30090603 55040613 02434131 15301306
03550403 130C3838 31772D73 7368732D 72313115 30130603 55040B13 0C737368
73207375 70706F72 74311630 14060355 040A130D 73736820 736F6C75 74696F6E
73301E17 0D313330 34313931 37313331 315A170D 31383034 31383137 31333131
5A306031 0B300906 03550408 13024F4E 310B3009 06035504 06130243 41311530
13060355 0403130C 38383177 2D737368 732D7231 31153013 06035504 0B130C73
73687320 73757070 6F727431 16301406 0355040A 130D7373 6820736F 6C757469
6F6E7330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BA7150D7 E4D5E06B 522A03C4 DBE95F4B C74A4BF5 D715814A 16B1D685 4873C6EB
2ACF8A35 4E4B5234 90B0DE07 738D705E 70C4CEDE D10271CD 658B3939 788859C7
B1730801 22DD5840 9EC1FC50 0AD4D2DF C5281E5F 891550B3 873B6305 02287605
80274704 700D7512 4D780096 E21A2DEE 18F76109 F1D6189B 56561E12 52E5A74B
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 168014CD 462ED740 1B5B89EC
8510BAB3 E91629AE 6C14F030 1D060355 1D0E0416 0414CD46 2ED7401B 5B89EC85
10BAB3E9 1629AE6C 14F0300D 06092A86 4886F70D 01010405 00038181 000EE548
B5692815 E61D2086 E7B53CD4 0C077D9D 479F8F6A 9276356D FD18FBD7 FDFCE15A
0224A686 F2154525 6F56CCD8 555E47EA 80C5223F A999260D 53E5AC53 A6AE6149
2B28EC50 67AA35E7 3B32011B E82D0888 5D3EDCC3 28720D49 DC01ADBB 1B2B44AF
CFD12481 7F1D9720 4A66D59A 8A3B7BB8 287F064C 41D788DD 0552FD91 F8
quit
no ip source-route
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
ip dhcp excluded-address 192.168.10.1 192.168.10.200
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.30.1 192.168.30.200
ip dhcp pool SSHS-LAN
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN20
import all
network 192.168.20.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.20.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN30
import all
network 192.168.30.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.30.1
domain-name sshs.local
lease 2
no ip bootp server
ip domain name sshs.local
ip host 881W-SSHS-R1 192.168.10.1
ip name-server 208.122.23.22
ip name-server 208.122.23.23
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y
license boot module c880-data level advipservices
username sshs privilege 15 password 7 050F131920425A0C48
username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map match-any AutoQoS-Voice-Fa4
match protocol rtp audio
class-map type inspect match-all CCP_SSLVPN
match access-group 199
class-map match-any AutoQoS-Scavenger-Fa4
match protocol bittorrent
match protocol edonkey
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any remote-app
match protocol Other
class-map type inspect match-all SDM_RIP_PT
match protocol router
class-map type inspect match-any bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any bootpc_bootps
match protocol bootpc
match protocol bootps
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 102
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
match class-map bootps
match access-group name boops-DHCP
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map bootpc_bootps
match access-group name DHCP-Request
class-map type inspect match-any SDM_CA_SERVER
match class-map SDM_HTTPS
match class-map SDM_HTTP
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map uremote-app
match access-group name remote-app
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
class type inspect msnmsgr ccp-app-msn-otherservices
log
class type inspect ymsgr ccp-app-yahoo-otherservices
log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
pass log
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map AutoQoS-Policy-Fa4
class AutoQoS-Voice-Fa4
priority percent 1
set dscp ef
class AutoQoS-Scavenger-Fa4
bandwidth remaining percent 1
set dscp cs1
class class-default
fair-queue
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
class type inspect http ccp-app-httpmethods
log
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_CA_SERVER
inspect
class type inspect ccp-cls-ccp-permit-1
pass log
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_RIP_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-cls-ccp-permit-icmpreply-1
pass log
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
interface Null0
no ip unreachables
interface FastEthernet0
description LAN
switchport mode trunk
no ip address
interface FastEthernet1
description Not in Use
no ip address
interface FastEthernet2
description Trunk to 861W-SSHS-R1
switchport mode trunk
no ip address
auto discovery qos
interface FastEthernet3
description VoIP
switchport access vlan 30
no ip address
service-policy output AutoQoS-Policy-UnTrust
interface FastEthernet4
description WAN$ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname xxx.xxxx.org
ip address dhcp client-id FastEthernet4
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
auto qos
service-policy output AutoQoS-Policy-Fa4
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description SSHS Default LAN$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Vlan30
description $FW_INSIDE$
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description PPPoA Dialer for Int ATM0$FW_INSIDE$
ip address negotiated
ip access-group aclInternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname SSHS-CHAP
ppp chap password 7 045F1E100E2F584B
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
router rip
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
ip local pool sslvpn-pool 192.168.10.190 192.168.10.199
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended DHCP-Request
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any log
ip access-list extended SDM_HTTP
remark CCP_ACL Category=1
permit tcp any any eq www log
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22 log
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended remote-app
remark CCP_ACL Category=128
permit ip any host 192.168.10.50
ip access-list extended boops-DHCP
remark CCP_ACL Category=128
permit ip any any
logging host 192.168.10.50
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.50
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
control-plane
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue
^C
banner motd ^C This router is designated as the primary router in the SSHS LAN ^C
line con 0
password 7 06021A374D401D1C54
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 06021A374D401D1C54
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 130102040A02102F7A
length 0
transport input telnet ssh
transport output telnet ssh
scheduler interval 500
ntp master
ntp update-calendar
ntp server nist1-ny.ustiming.org prefer
webvpn gateway sshs-WebVPN-Gateway
ip interface FastEthernet4 port 443
ssl encryption rc4-md5
ssl trustpoint sshs-trustpoint
inservice
webvpn context sshs-WebVPN
secondary-color white
title-color #669999
text-color black
acl "ssl-acl"
permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
aaa authentication list sslvpn
gateway sshs-WebVPN-Gateway
max-users 4
ssl authenticate verify all
url-list "rewrite"
inservice
policy group sshs-webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpnpool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
default-group-policy sshs-webvpnpolicy
end
-
Inbound ports blocked now?
I have a few inbound ports open on my router (SSH, SIP, etc) and now for whatever reason I can no longer connect to my services. It appears Verizon is blocking ports. Can anyone confirm this and know how I can have these ports working again. Thanks.
Solved!
Working just fine here. Are you sure that your public DHCP address did change and you're trying to connect to the old address? My public IP hops around a couple of times a month.
-
How do I NAT inbound traffic from a site to site VPN?
OK, This is confusing me....
I have an ASA5520 and need to set up multiple VPN's to some vendor sites. All these vendors are using 192.168.1.0 networks. All have public IP's and very little knowledge so are unable to NAT from their end.
The idea is to create some /28 blocks of IP's (172.29.0.0/28) and manage this on our end.
How do I get this to work?
Thanks in advance....
Brent
example: (all IP's are fictional)
tunnel1
VPN
My side "outside" 10.10.10.10
Their side "outside" 20.20.20.20
Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.0/28
tunnel2
VPN
My side "outside" 10.10.10.10
Their side "outside" 30.30.30.30
Networks
My side "inside" 172.30.30.0
Their side "inside" 192.168.1.0 NAT'ed to 172.29.0.16/28
tunnel3
VPN
My side "outside" 10.10.10.10
Their side "outside" 40.40.40.40
Network (single address)
My side "inside" 172.30.30.1 255.255.255.255
Their side "inside" 192.168.1.1 255.255.255.255 NAT'ed to 172.29.0.33 255.255.255.255
Hi bbanderson,
It can handle multiple VPN NATs.
All you've got to do is make multiple instances of the same crypto-map
like crypto-map crypto-map-name 1 peer-ip
" " 1 transform-set ....etc, etc.
crypto-map crypto-map-name 2
" " 2 transform-set ....etc, etc.
for the different peers 10.10.10.10, 20.20.20.20, etc, and match the ip address to each access-list there under each map instance.
crypto map Outside_map0 3 match address -this can be taken as an example.
HTH
Cheers
Arun -
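Brent's scenario above, worked through as an added ASA configuration example (this is not Arun's config and not from the thread): the first two tunnels on ASA 8.3+ twice-NAT syntax. Each vendor's real 192.168.1.0/28 is mapped to its own /28 out of 172.29.0.0 exactly as Brent planned. One point the thread does not spell out: the ASA evaluates crypto ACLs after NAT, so both ACLs would otherwise name the same real destination 192.168.1.0/28 and the lowest crypto map sequence number would always win. The example therefore also presents our 172.30.30.0/24 to each vendor under a distinct mapped source (172.31.1.0/24 and 172.31.2.0/24, constructed values), which keeps the two crypto ACLs unique. Object names, the mapped source networks, the transform set and the pre-shared-key placeholders are assumptions; the peer addresses are Brent's fictional ones.

```cisco
! Added example, not from the thread: ASA 8.3+ twice NAT plus two crypto map entries.
! 172.31.1.0/24 and 172.31.2.0/24 are constructed per-vendor mapped sources.
object network MY-INSIDE
 subnet 172.30.30.0 255.255.255.0
object network MY-INSIDE-TO-V1
 subnet 172.31.1.0 255.255.255.0
object network MY-INSIDE-TO-V2
 subnet 172.31.2.0 255.255.255.0
object network V1-REAL
 subnet 192.168.1.0 255.255.255.240
object network V1-MAPPED
 subnet 172.29.0.0 255.255.255.240
object network V2-REAL
 subnet 192.168.1.0 255.255.255.240
object network V2-MAPPED
 subnet 172.29.0.16 255.255.255.240
!
! Twice NAT: an inside host sending to 172.29.0.x has the destination rewritten to the
! vendor's real 192.168.1.x and its own source rewritten to the per-vendor mapped block.
! Static twice NAT is bidirectional, so the vendor's inbound packets are untranslated too.
nat (inside,outside) source static MY-INSIDE MY-INSIDE-TO-V1 destination static V1-MAPPED V1-REAL
nat (inside,outside) source static MY-INSIDE MY-INSIDE-TO-V2 destination static V2-MAPPED V2-REAL
!
! Crypto ACLs see post-NAT addresses; the distinct mapped sources stop them overlapping.
access-list VPN-V1 extended permit ip 172.31.1.0 255.255.255.0 192.168.1.0 255.255.255.240
access-list VPN-V2 extended permit ip 172.31.2.0 255.255.255.0 192.168.1.0 255.255.255.240
!
! One crypto map, one sequence number per peer (the multiple instances Arun describes).
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map0 1 match address VPN-V1
crypto map Outside_map0 1 set peer 20.20.20.20
crypto map Outside_map0 1 set ikev1 transform-set ESP-AES256-SHA
crypto map Outside_map0 2 match address VPN-V2
crypto map Outside_map0 2 set peer 30.30.30.30
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES256-SHA
crypto map Outside_map0 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
 ikev1 pre-shared-key <VENDOR1-PSK-PLACEHOLDER>
tunnel-group 30.30.30.30 type ipsec-l2l
tunnel-group 30.30.30.30 ipsec-attributes
 ikev1 pre-shared-key <VENDOR2-PSK-PLACEHOLDER>
```

With this in place an inside host reaches vendor 1's 192.168.1.5 as 172.29.0.5 and vendor 2's 192.168.1.5 as 172.29.0.21. The vendors' own crypto ACLs must then name 172.31.1.0/24 (vendor 1) or 172.31.2.0/24 (vendor 2) as our network, since that is what their ASA or router sees inside the tunnel. `show nat` confirms the translations are being hit and `show crypto ipsec sa` shows which peer's SA the traffic is encrypted under.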
Does a Cisco router support a "tcp reset" message when traffic is blocked by an access list?
Hi,
I'm trying to find out: if I block a destination with an access list on a Cisco router, can I send a "tcp-reset" to that connection instead of dropping it?
I believe it is supported on the ASA appliance, but I'm not sure if it is supported on Cisco routers.
I'm trying to migrate from a Linux router to a Cisco router and apply the same config; one of the challenging tasks is that I have
"reject-with=tcp-reset"
and I'm wondering if I can do it on a Cisco router.
Waiting for your response,
regards
One of the things that keeps me engaged with these forums is that they challenge me and give me opportunities to learn new things. My initial reaction to your question about IPS on an IOS router was to say that this is not supported. But I did some research and found that apparently IPS functionality is now supported on some (but not all) Cisco IOS routers. See this link for additional detail:
http://www.cisco.com/c/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/product_data_sheet0900aecd803137cf.html
HTH
Rick -
Traffic-export capturing only inbound traffic
Hi
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.
I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?
Thanks
Colin
Hi Colin,
Please see below
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cfg/configuration/12-4/sec-ip-traff-export.html
Step 8
outgoing {access-list{standard | extended | named} | sample one-in-every packet-number}
Example: Router(config-rite)# outgoing sample one-in-every 50
(Optional) Configures filtering for outgoing export traffic.
Note
If you issue this command, you must also issue the bidirectional command, which enables outgoing traffic to be exported. However, only routed traffic (such as passthrough traffic) is exported; that is, traffic that originates from the network device is not exported.
An option might be to plug in to a cisco switch and SPAN the port to an interface with a sniffer on it like wireshark?
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic4
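As an added example, not from Colin's router or the thread, here is a Router IP Traffic Export (RITE) profile of the kind the quoted Step 8 describes, written for a 2811 and exporting both directions of one client's SMPP session to a capture host on a second LAN port. The interface names, the client address 192.0.2.10, the capture host's MAC address and the assumption that the client uses SMPP's registered TCP port 2775 are all constructed for this example. The limitation the quoted note states still applies: `bidirectional` exports the outgoing half of routed (transit) traffic only, so replies the router itself generates for a service running on the router will not appear in the capture.

```cisco
! Added example, not from the thread: RITE profile for one SMPP client's transit traffic.
! Both directions of TCP 2775 to or from the client 192.0.2.10 (constructed address).
ip access-list extended SMPP-CLIENT
 permit tcp host 192.0.2.10 any eq 2775
 permit tcp any eq 2775 host 192.0.2.10
!
! Export out of FastEthernet0/1 towards the capture host (constructed MAC address).
! "bidirectional" is required for the outgoing filter to take effect at all.
ip traffic-export profile SMPP-CAPTURE
 interface FastEthernet0/1
 bidirectional
 mac-address 0011.2233.4455
 incoming access-list SMPP-CLIENT
 outgoing access-list SMPP-CLIENT
!
! Apply the profile on the interface where the client's packets enter the router.
interface FastEthernet0/0
 ip traffic-export apply SMPP-CAPTURE
```

`show ip traffic-export` shows the profile, the interface it is applied to and the exported packet counters. If the outgoing counter stays at zero while the client's connection is clearly active, that is the router-originated traffic case from the quoted note, and the SPAN approach suggested above is the way to see it.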