"permit tcp any any established" and IOS Firewall

Guys, I need some clarification here. I have already asked a couple of TAC guys, but they either did not know the answer right away or they wanted to send me to another team who might answer it...
I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
ip inspect name IOS_Firewall tcp
ip inspect name IOS_Firewall udp
ip inspect name IOS_Firewall icmp
interface FastEthernet4
ip address dhcp
ip access-group 161 in
ip nat outside
ip inspect IOS_Firewall out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map mymap
access-list 161 permit udp any any eq ntp
access-list 161 permit udp any any eq bootpc
access-list 161 permit tcp any any established
access-list 161 permit icmp any any
access-list 161 permit esp any any
access-list 161 permit gre any any
access-list 161 permit udp any any eq isakmp
access-list 161 permit udp any any eq non500-isakmp
access-list 161 permit udp any eq non500-isakmp any
access-list 161 permit udp any eq isakmp any
access-list 161 permit udp any eq domain any
access-list 161 permit tcp any any eq telnet
access-list 161 permit tcp any any eq 1723
access-list 161 permit tcp any any eq 4500
access-list 161 permit tcp any any eq 5000
access-list 161 permit tcp any any eq 5500
access-list 161 deny   ip any any log
My question is: is the statement "access-list 161 permit tcp any any established" required, since I already have the IOS Firewall feature turned on?
Thank you

No, you do not need it with CBAC's TCP inspection enabled.
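As an added example (not code from the thread), the following Python model parses the ACEs of ACL 161 as written in the question and runs two inbound TCP segments through them, once with the "established" line present and once relying on CBAC's session table alone: it shows why the line is redundant once inspection admits return traffic, and that without inspection it would admit any unsolicited segment that merely carries an ACK flag. The addresses, the session model and the "cbac session" reason string are constructed assumptions, not IOS behaviour quoted from the page.

```python
"""Added example (not from the thread): the stateless 'established' keyword versus
CBAC-style stateful inspection on the inbound WAN ACL from the question."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# IOS port keywords used by ACL 161 in the question.
PORT_NAMES = {"ntp": 123, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500,
              "domain": 53, "telnet": 23}

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "esp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]         # None means "any"
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    established: bool
    text: str

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        for want, have in ((self.src, p.src), (self.sport, p.sport),
                           (self.dst, p.dst), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        # 'established' keeps no state: any segment with ACK or RST set matches.
        return not self.established or bool(p.flags & {"ACK", "RST"})

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO any [eq P] any [eq P] [established] [log]'
    (the 'any' address form is the only one ACL 161 uses)."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(line)
    action, proto, i = toks[2], toks[3], 4
    ends: list = []            # filled as [src, sport, dst, dport]
    for _ in range(2):         # source endpoint, then destination endpoint
        if toks[i] != "any":
            raise ValueError(f"unsupported address form in: {line}")
        ends.append(None)
        i += 1
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            ends.append(PORT_NAMES[name] if name in PORT_NAMES else int(name))
            i += 2
        else:
            ends.append(None)
    return Ace(action, proto, *ends, "established" in toks[i:], line)

class Cbac:
    """CBAC model: outbound flows create sessions; inbound is admitted only as their exact reverse."""
    def __init__(self) -> None:
        self.sessions: set = set()

    def outbound(self, p: Packet) -> None:
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def allows_return(self, p: Packet) -> bool:
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions

def evaluate(acl: List[Ace], cbac: Cbac, p: Packet) -> Tuple[str, str]:
    """Inbound decision: CBAC's dynamic entries are checked ahead of the static ACEs."""
    if cbac.allows_return(p):
        return "permit", "cbac session"
    for ace in acl:
        if ace.matches(p):
            return ace.action, ace.text
    return "deny", "implicit deny"

# Representative subset of ACL 161 from the question, in its original order.
ACL_161 = """\
access-list 161 permit udp any any eq ntp
access-list 161 permit tcp any any established
access-list 161 permit esp any any
access-list 161 permit udp any eq domain any
access-list 161 permit tcp any any eq telnet
access-list 161 deny ip any any log"""

def compare(with_established: bool) -> Dict[str, Tuple[str, str]]:
    """Run a genuine reply and an unsolicited ACK-only segment through the ACL, inspection on."""
    acl = [parse_ace(l) for l in ACL_161.splitlines()
           if with_established or "established" not in l]
    cbac, wan = Cbac(), "198.51.100.2"    # constructed NAT outside address
    # An inside user opens HTTPS to 203.0.113.10 (constructed); CBAC records it.
    cbac.outbound(Packet("tcp", wan, 51000, "203.0.113.10", 443, frozenset({"SYN"})))
    reply = Packet("tcp", "203.0.113.10", 443, wan, 51000, frozenset({"SYN", "ACK"}))
    stray = Packet("tcp", "203.0.113.99", 40000, wan, 445, frozenset({"ACK"}))
    return {"reply": evaluate(acl, cbac, reply), "stray": evaluate(acl, cbac, stray)}
```

In both runs the genuine reply is admitted by the session entry before any static ACE is consulted; only the stray ACK-only segment changes outcome, from a permit by the "established" line to the final "deny ip any any log".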

Similar Messages

  • Strange issue with 3.6.3 VPN Client and IOS firewall

    I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
    Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
    Router is running 12.2(13)T.
    Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
    You Cisco gurus have any thoughts?
    Thanks,
    Jamey
    Config below:
    jamey#wr t
    Building configuration...
    Current configuration : 3947 bytes
    ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
    ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname "jamey"
    no logging buffered
    no logging console
    username XXXX password 7 XXXXX
    clock timezone GMT 0
    aaa new-model
    aaa authentication login tac local
    aaa session-id common
    ip subnet-zero
    no ip domain lookup
    ip inspect name myfw ftp
    ip inspect name myfw realaudio
    ip inspect name myfw smtp
    ip inspect name myfw streamworks
    ip inspect name myfw vdolive
    ip inspect name myfw tftp
    ip inspect name myfw rcmd
    ip inspect name myfw tcp
    ip inspect name myfw udp
    ip inspect name firewall http java-list 3
    ip audit notify log
    ip audit po max-events 100
    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group XXXX
    key XXXXXXX
    dns x.x.x.x
    domain xxx.com
    pool ipsec-pool
    acl 191
    crypto ipsec security-association lifetime kilobytes 536870911
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set foxset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set foxset
    crypto map clientmap client authentication list tac
    crypto map clientmap isakmp authorization list XXXXX
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback10
    description just for test purposes
    ip address 172.16.45.1 255.255.255.0
    interface Ethernet0/0
    description "Internet"
    ip address x.x.x.x 255.255.255.224
    ip access-group 103 in
    ip inspect myfw out
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map clientmap
    interface Ethernet0/1
    description "LAN"
    ip address 192.168.45.89 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    half-duplex
    ip local pool ipsec-pool 192.168.100.1 192.168.100.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    no logging trap
    access-list 3 permit any
    access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
    access-list 103 permit icmp any any log
    access-list 103 permit udp any eq isakmp any log
    access-list 103 permit esp any any log
    access-list 103 permit ahp any any log
    access-list 103 permit udp any any eq non500-isakmp log
    access-list 103 permit tcp any any eq 1723 log
    access-list 103 permit udp any any eq 1723 log
    access-list 103 deny tcp any any log
    access-list 103 deny udp any any log
    access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    radius-server authorization permit missing Service-Type
    call rsvp-sync
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password XXXXXX
    line vty 5 15
    end
    Some debugging info:
    At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned the IP 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing; 192.168.45.67 is a host on the internal network).
    .Jan 22 01:27:38.284: ICMP type=8, code=0
    .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:38.288: ICMP type=0, code=0
    .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len
    40, access denied
    .Jan 22 01:27:38.637: UDP src=2301, dst=2301
    .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len
    40, rcvd 2
    .Jan 22 01:27:38.641: UDP src=2301, dst=2301
    .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
    rcvd 4
    .Jan 22 01:27:38.765: ICMP type=8, code=0
    .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
    len 60, sending
    .Jan 22 01:27:38.765: ICMP type=0, code=0
    .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
    et0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:39.286: ICMP type=8, code=0
    .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:39.290: ICMP type=0, code=0
    .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60,
    rcvd 4
    .Jan 22 01:27:39.767: ICMP type=8, code=0
    .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0),
    len 60, sending
    .Jan 22 01:27:39.767: ICMP type=0, code=0
    .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethern
    et0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:40.287: ICMP type=8, code=0
    .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethern
    et0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:40.291: ICMP type=0, code=0
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193
    .52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193
    .52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
    here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet")
    from a host on the internal side (LAN) (192.168.45.1)
    .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0),
    g=2.2.2.2, len 44, forward
    .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128
    SYN
    .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    here is where my VPN connection breaks
    .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check
    .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethern
    et0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity
    check

    OK, I found the bug ID for this:
    CSCdz46552
    the workaround says to configure an ACL on the dynamic ACL.
    I don't understand what that means.
    I found this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
    and they talk about it, but I'm having a hard time decoding what this means:
    "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

  • Interworking between WCCP and IOS firewall on ISR and ASR routers?

    I ran into a problem last year when running WAAS WCCP and IOS firewall IP inspection on the same 3945 router. They couldn't function at the same time. Cisco indicated that router IOS firewall and WCCP were compatible only when IOS zone-based policy configuration was used. Back then I was using IOS 15.1(1)T1 on the 3945 router and WAAS was version 4.2.3.
    I now have some sites with 2921, 3945, and ASR1002 routers that need both IOS firewall and WCCP for WAAS. Now, with newer IOS releases, does the IOS firewall still have to be zone-based policy configuration? Because classic IOS firewall is easier to configure for WAAS, just the "ip inspection waas enable" command, I'd prefer the easier configuration.
    What about ASR1002 router IOS firewall with WCCP? I have never implemented that before. I was trying to find some deployment examples or configuration guides from Cisco, but was not able to.
    Thanks for any help.
    Gary

    I'm assuming you placed service group 61 and 62 on the router LAN, WAN inbound directions. Did you apply inspection to LAN to WAN direction or WAN to LAN direction?
    Did you also use WCCP and IOS firewall on ASR routers?
    Thanks a lot

  • NME-NAM with Cisco Prime 5.1.2 and IOS Firewall

    Hello,
    I have installed and configured the Cisco NME-NAM with Prime 5.1.2 and have access to the NAM via a web browser. It is not picking up any data even though I have configured the following:
    internal data source
    network site 10.10.16.0/20
    All reports show "No data for selected time interval"
    I am running IOS 15.1 on a 2811 with IOS firewall enabled.
    Do I need to create a FW rule to allow traffic to be monitored by the NME-NAM?
    Thank you,
    Matthew

    Hi rajeeshp,
    Currently I am not allowed to upgrade it because of internal procedures involved in upgrading a specific piece of software (obtaining permissions from various departments). Is it free to upgrade from 1.2 to 1.3, or is there a specific charge for that?
    Predrag Petrovic

  • 3945 Router Issue between WAAS Module and IOS Firewall

    I have a new 3945 router with a SM-SRE-900 module for WAAS. The 3945 also has IP inspection configured. When IP inspection and WCCP redirection were running at the same time, user connections to the data center were all lost. With just IP inspection or WCCP redirection, but not both, user connections were good.
    I'm feeling the problem is that IP inspection is not WAAS aware. I tried "ip inpsect waas enable", but the command was not available. The 3945 router, SM-SRE module, and the IOS code are all the newest versions. So I was wondering if anyone has seen similar issues and has experience enabling WAAS through IP inspection on those new products.
    Here is the configuration info:
    3945 G2 ISR: IOS 15.1(1)T1;
    SM-SRE-900: WAAS 4.2.3 build7;
    3945 LAN interface: ip inspection in and ip wccp 61 redirect in
    3945 WAN interface: ip wccp 62 redirect in
    3945 SM 1/0 interface: internal connection to SM-SRE module
    Between 3945 and SM-SRE module: WCCP GRE redirection and IP Forwarding return.
    If you are aware of any 15.1(1)T1 bugs that may be related, please let me know too.
    Thanks for any help.

    Hi,
       This is in general for IOS / ISR. On CCO we have a very good document for ZBFW and WAAS integration, see below:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1118498
    If you still need to run CBAC, then the recommended solution in my first post should work for you.
    If the router is in the middle of a TCP optimization path, then depending upon the optimization product you need to configure the firewall feature like any other firewall. For Cisco WAAS we have "ip inspect WAAS enable".
    Hope this has answered your question. Thanks.
    Ahsan Khan

  • Securemote and IOS firewall/CBAC/NAT

    Does anyone have experience of SecuRemote R56 working fine behind an IOS router with CBAC running?
    We have a strange situation where I can see all necessary traffic for the SecuRemote client on the firewall:
    UDP/500
    UDP/2746
    UDP/259
    When it starts acting up I see many UDP/259 NAT sessions to various servers in the cluster. The Checkpoint administrator says it looks like the SA can't be renegotiated.
    I tried changing the UDP timeout and NAT. I went as far as adding another CBAC inbound (outside) and an any rule from the FW-1 server?
    This apparently works fine when the Cisco box is removed from the equation. IOS is ver 12.4 running adv IP services.
    I'm at a total loss with this; sometimes it works, then just stops working - maybe when the SA can negotiate?

    Load balancing is used among servers in a cluster to optimize the performance of the system. A session is a set of interactions between an end user and BBSM Hotspot. The session starts when BBSM Hotspot serves the start page. At this point, the session is inactive, which means that the user does not have access to the Internet. The session becomes active when BBSM Hotspot authorizes the user to access the Internet according to the access policy and accounting policy that are specified by the page set.

  • Permit udp any any to allow ping ?!

    Dear Community,
    I am having problems understanding how ACLs work through VPN. I have the following:
    HQ is behind ASA 5510, site address is 192.168.1.0 /24
    Remote site is behind Cisco 887 router, site addressing is 192.168.10.0 /24
    IPSec VPN is set up and working between the two sites.
    Now I have applied the following ACL inbound on the public interface of the branch router:
    Extended IP access list 102
        10 permit tcp any any eq 22 (1321 matches)
    This obviously blocks ICMP (ping 192.168.1.1 source 192.168.10.1).
    But what I am not understanding is that the only command that will allow ICMP (on ACL 102) is:
    permit udp any any
    Substituting udp with icmp or ip does not allow pings.
    Could you please give me some guidance?

    It's not a supported method, but the views you create are stored on the LMS server as xml files (as shown below on soft appliance) in /opt/CSCOpx/campus/etc/users/. The xml files are mostly a listing of the node IDs with their map coordinates.
    You could copy them manually into the other users' directories on the server and they should see the same thing you have labored to create for their viewing pleasure.
    I have brought this up with Cisco as a nice-to-have supported feature in the past, but it never went anywhere.
    [SecLab-LMS/root-ade admin]# pwd
    /opt/CSCOpx/campus/etc/users/admin
    [SecLab-LMS/root-ade admin]# ls -al
    total 28
    drwxr-x--- 2 casuser casusers 4096 Dec 16  2012 .
    drwxr-x--- 4 casuser casusers 4096 Feb  8  2013 ..
    -rw-r----- 1 casuser casusers 7345 Aug 29 13:23 Layer~2~View.xml
    -rw-r----- 1 casuser casusers 1807 Nov  8  2012 SwitchCloud-1.xml
    -rw-r----- 1 casuser casusers 1540 Feb 27  2013 Unconnected~Device~View.xml
    -rw-r----- 1 casuser casusers  351 Sep 25 15:59 user.preferences
    [SecLab-LMS/root-ade admin]#

  • Very slow internet behind IOS Firewall

    Hi,
    This is my first post in the community, so Hello everyone!
    Just a (hopefully) quick question,
    I am using a Cisco 887VA-M-K9 router to connect to my ISP via VDSL.
    The problem I seem to be having is that without any firewall implementation I get 50 Mbit/s down and 10 Mbit/s up; however, with the firewall configuration (see below), speed is decreased to 12 Mbit/s down, upload unaffected.
    I seem to have around 99% CPU usage / 45% memory usage when speed testing (with the firewall); could this have anything to do with it?
    Many thanks!
    CiscoGateway>en
    CiscoGateway#sh running
    Building configuration...
    Current configuration : 13754 bytes
    ! Last configuration change at 01:09:45 UTC Wed Oct 22 2014 by $$rtcisco73&&
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname CiscoGateway
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3236947830
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3236947830
     revocation-check none
     rsakeypair TP-self-signed-3236947830
    crypto pki certificate chain TP-self-signed-3236947830
     certificate self-signed 01
            quit
    ip dhcp excluded-address 192.168.1.1 192.168.1.79
    ip dhcp pool Pool0
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 192.168.1.1
     lease 7
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    no ipv6 cef
    parameter-map type protocol-info yahoo-servers
     server name scs.msg.yahoo.com
     server name scsa.msg.yahoo.com
     server name scsb.msg.yahoo.com
     server name scsc.msg.yahoo.com
     server name scsd.msg.yahoo.com
     server name cs16.msg.dcn.yahoo.com
     server name cs19.msg.dcn.yahoo.com
     server name cs42.msg.dcn.yahoo.com
     server name cs53.msg.dcn.yahoo.com
     server name cs54.msg.dcn.yahoo.com
     server name ads1.vip.scd.yahoo.com
     server name radio1.launch.vip.dal.yahoo.com
     server name in1.msg.vip.re2.yahoo.com
     server name data1.my.vip.sc5.yahoo.com
     server name address1.pim.vip.mud.yahoo.com
     server name edit.messenger.yahoo.com
     server name messenger.yahoo.com
     server name http.pager.yahoo.com
     server name privacy.yahoo.com
     server name csa.yahoo.com
     server name csb.yahoo.com
     server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
     server name messenger.hotmail.com
     server name gateway.messenger.hotmail.com
     server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
     server name login.oscar.aol.com
     server name toc.oscar.aol.com
     server name oam-d09a.blue.aol.com
    license udi pid CISCO887VA-M-K9 sn FCZ1753C0LJ
    controller VDSL 0
    ip ssh version 2
    class-map type inspect imap match-any ccp-app-imap
     match invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
     match protocol edonkey signature
     match protocol gnutella signature
     match protocol kazaa2 signature
     match protocol fasttrack signature
     match protocol bittorrent signature
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect gnutella match-any ccp-app-gnutella
     match file-transfer
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
     match service any
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
     match service any
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
     match protocol ymsgr yahoo-servers
     match protocol msnmsgr msn-servers
     match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
     match service any
    class-map type inspect match-all ccp-protocol-pop3
     match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-any SDM_SSH
     match access-group name SDM_SSH
    class-map type inspect pop3 match-any ccp-app-pop3
     match invalid-command
    class-map type inspect match-any SDM_HTTPS
     match access-group name SDM_HTTPS
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
     match file-transfer
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any SDM_SHELL
     match access-group name SDM_SHELL
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
     match service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
     match service text-chat
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect http match-any ccp-app-httpmethods
     match request method bcopy
     match request method bdelete
     match request method bmove
     match request method bpropfind
     match request method bproppatch
     match request method connect
     match request method copy
     match request method delete
     match request method edit
     match request method getattribute
     match request method getattributenames
     match request method getproperties
     match request method index
     match request method lock
     match request method mkcol
     match request method mkdir
     match request method move
     match request method notify
     match request method options
     match request method poll
     match request method propfind
     match request method proppatch
     match request method put
     match request method revadd
     match request method revlabel
     match request method revlog
     match request method revnum
     match request method save
     match request method search
     match request method setattribute
     match request method startrev
     match request method stoprev
     match request method subscribe
     match request method trace
     match request method unedit
     match request method unlock
     match request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
     match file-transfer
     match text-chat
     match search-file-name
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
     match request port-misuse im
     match request port-misuse p2p
     match req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
     match file-transfer
    class-map type inspect match-all ccp-protocol-imap
     match protocol imap
    class-map type inspect aol match-any ccp-app-aol
     match service text-chat
    class-map type inspect edonkey match-any ccp-app-edonkeychat
     match search-file-name
     match text-chat
    class-map type inspect fasttrack match-any ccp-app-fasttrack
     match file-transfer
    class-map type inspect http match-any ccp-http-allowparam
     match request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any sdm-cls-access
     match class-map SDM_HTTPS
     match class-map SDM_SSH
     match class-map SDM_SHELL
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-protocol-p2p
     match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all ccp-protocol-im
     match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all sdm-access
     match class-map sdm-cls-access
     match access-group 101
    policy-map type inspect pop3 ccp-action-pop3
     class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect p2p ccp-action-app-p2p
     class type inspect edonkey ccp-app-edonkeychat
      log
      allow
     class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
     class type inspect fasttrack ccp-app-fasttrack
      log
      allow
     class type inspect gnutella ccp-app-gnutella
      log
      allow
     class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect im ccp-action-app-im
     class type inspect aol ccp-app-aol
      log
      allow
     class type inspect msnmsgr ccp-app-msn
      log
      allow
     class type inspect ymsgr ccp-app-yahoo
      log
      allow
     class type inspect aol ccp-app-aol-otherservices
      log
      reset
     class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
     class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map type inspect ccp-pol-outToIn
     class t
     class class-default
      drop log
    policy-map type inspect http ccp-action-app-http
     class type inspect http ccp-http-blockparam
      log
      reset
     class type inspect http ccp-app-httpmethods
      log
      reset
     class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
     class type inspect imap ccp-app-imap
      log
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
     class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
     class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
     class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
     class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit
     class type inspect sdm-access
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
     service-policy type inspect ccp-pol-outToIn
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    interface Ethernet0
     no ip address
    interface Ethernet0.101
     encapsulation dot1Q 101
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Vlan1
     description LocalAN$FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer1
     description BT Infinity Dialer Interface$FW_OUTSIDE$
     mtu 1492
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     ppp authentication pap chap ms-chap callin
     ppp chap hostname [email protected]
     ppp chap password 0 0
     ppp ipcp address accept
     no cdp enable
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip access-list extended NAT
     permit ip 192.168.1.0 0.0.0.255 any
     remark Access list for NAT
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
    ip access-list extended SDM_HTTPS
     remark CCP_ACL Category=1
     permit tcp any any eq 443
    ip access-list extended SDM_SHELL
     remark CCP_ACL Category=1
     permit tcp any any eq cmd
    ip access-list extended SDM_SSH
     remark CCP_ACL Category=1
     permit tcp any any eq 22
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip any any
    line con 0
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     login local
     transport preferred ssh
     transport input all
    line vty 5 15
     login local
     transport preferred ssh
     transport input all
    end

    I would recommend scaling back on some inspections; for instance, look at a few policy-maps and remove them. Of course, copy them to a text file so you can add them back, but I would play with this by removing things I don't "need".
    For instance, what do we "trust" and what do we "untrust"? Are we saying anything from inside (trust) should be inspected based on a particular policy-map once it goes outside (untrust)? What is outside, though? i.e. Internet, MPLS?
    For sure the Internet will always be an untrusted security zone, but MPLS would certainly be trusted as it's your private WAN service.
    Again, play with it by removing some items, testing performance, and leaving what you "need" and nothing more.
    Did you create this via CCP by chance?
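    A trimmed three-zone layout of the kind the reply describes, as an added example that is not the poster's configuration or the reply's own: Vlan1 stays the inside zone, Dialer1 the Internet zone, and a hypothetical Serial0/0 carries the private MPLS WAN. The class-map, policy-map and zone names below, and the Serial0/0 interface, are assumptions chosen for illustration.

```cisco
! Added example, not from the original post. Interface Serial0/0 and the
! class/policy/zone names below are assumptions for illustration.
class-map type inspect match-any CM-INSIDE-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Inside -> Internet: stateful inspection of the basics only. Everything
! else is dropped (and logged) by class-default; add a per-protocol class
! back only when a service actually needs it.
policy-map type inspect PM-INSIDE-TO-INTERNET
 class type inspect CM-INSIDE-TO-INTERNET
  inspect
 class class-default
  drop log
!
! Inside <-> MPLS: private WAN, treated as trusted. "pass" forwards the
! packet without creating session state, so it has to be applied on a
! zone-pair in each direction.
policy-map type inspect PM-TRUSTED
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone security mpls-zone
!
zone-pair security zp-in-out source in-zone destination out-zone
 service-policy type inspect PM-INSIDE-TO-INTERNET
zone-pair security zp-in-mpls source in-zone destination mpls-zone
 service-policy type inspect PM-TRUSTED
zone-pair security zp-mpls-in source mpls-zone destination in-zone
 service-policy type inspect PM-TRUSTED
!
! Deliberately no zone-pair from out-zone to in-zone: unsolicited traffic
! from the Internet hits the default inter-zone drop, while return traffic
! for sessions inspected on zp-in-out is matched by the session table.
!
interface Vlan1
 zone-member security in-zone
interface Dialer1
 zone-member security out-zone
interface Serial0/0
 zone-member security mpls-zone
```

    Check the result with `show policy-map type inspect zone-pair sessions` before and after removing a class: a class that never shows a session for a week is a candidate to leave out.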

  • IOS-XR and IOS MSDP Peer --- One way SA exchange

    Hi.
    I am running MSDP peering between IOS 7200 and IOS-XR.
    I noticed there's one way SA exchange only.
    When IOS-XR router sends SAs, I can receive it in 7200.
    But when 7200 sends SA, it does not reflect in IOS-XR.
    Need help the soonest, guys...
    thanks in advance.

    The router did not seem to like it when I tried to log the ACL:
    MyRouter(config)#ip access-list extended SDM_IP
    MyRouter(config-ext-nacl)# remark CCP_ACL Category=1
    MyRouter(config-ext-nacl)# permit icmp any any log
    class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
    MyRouter(config-ext-nacl)# permit udp any any log
    class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
    MyRouter(config-ext-nacl)# permit tcp any any log
    class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
    MyRouter(config-ext-nacl)# permit ip any any log
    class-map SDM_IP : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map SDM_IP will not work properly
    So I let it go through and it did not appear to hit the ACL either:
    MyRouter#sho ip access-list | b SDM_IP
    Extended IP access list SDM_IP
        10 permit icmp any any log
        20 permit udp any any log
        30 permit tcp any any log
        40 permit ip any any log
    I have since taken the logging off, since it didn't seem to have an effect.
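    The warning in the post is the router saying that an ACL referenced by a `class-map type inspect` cannot carry the `log` keyword. Logging in the zone-based firewall belongs to the policy-map action and the inspect parameter-map instead. The following is an added example, not the poster's configuration: SDM_IP is the ACL from the post; the parameter-map, class-map and policy-map names are assumptions.

```cisco
! Added example, not from the original post. PM-AUDIT, CM-SDM-IP and
! PM-LOG-EXAMPLE are assumed names for illustration.
!
! The ACL only classifies; no 'log' keyword here.
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
! Session open/close messages for inspected traffic come from the
! parameter-map's audit trail rather than from the ACL.
parameter-map type inspect PM-AUDIT
 audit-trail on
!
class-map type inspect match-all CM-SDM-IP
 match access-group name SDM_IP
!
policy-map type inspect PM-LOG-EXAMPLE
 class type inspect CM-SDM-IP
  inspect PM-AUDIT
 class class-default
  drop log
```

    Apply PM-LOG-EXAMPLE with `service-policy type inspect` on the zone-pair that should produce the records; `drop log` on class-default is what records the traffic that an ACL `log` would have shown being denied.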

  • My iPhone 4 with iOS 6 is making me start to hate Apple. Any App and at any time I open and I can not view it or move for more than 2 minutes, they close themselves. During connections, it also gives this problem and the signal disappears after a few seco

    My iPhone 4 with iOS 6 is making me start to hate Apple. Any app, at any time I open it, I cannot view it or move around for more than 2 minutes before it closes itself. During calls it also gives this problem: the signal disappears and comes back after a few seconds, but often the person on the other end has hung up... I can't stand it anymore, can someone suggest something?
    Besides these problems, there is the battery, which was bad and got worse; it is not lasting more than 10 hours, even without using the phone.
    Sometimes it even seems that the problem was solved, but my joy did not last long; after I celebrate, all the problems return. It is incredible...
    Thanks.
    Sorry for my bad English.

    Try a reset: hold the home/sleep buttons until the Apple logo appears.
    If that does not improve things, try a restore:
    http://support.apple.com/kb/HT4137
    For your information
    We are NOT Apple here we are all users helping other users
    so emotion is ignored

  • How do I create an app from my Adobe pdf forms to use on any mobile device as well as windows and ios?

    How do I create an app from my Adobe pdf forms to use on any mobile device as well as windows and ios? I have all the apps in Creative Cloud by the way.

    If you already purchased it with the same Apple ID, then you will not be re-charged.

  • I can't seem to be able to download apps with IOS 8. I have been able to with other IOS 7 and IOS 6. Any suggestions?

    I can't seem to be able to download (or update) any apps on iOS 8.0, and I have been able to download apps on iOS 7 and iOS 6. I have 5.2 GB of available space on my iPad (4th generation) and I have only used 7.1 GB on my 16GB iPad. I have a full two bars of Internet. Again, I have been able to download things with two bars in the past using iOS 7 and iOS 6. Any suggestions would be helpful. =3    Sorry for the incorrect spelling.

    You might try just waiting. There are millions of people activating their iPhones today and people still trying to get iOS8, so the servers are swamped. I'd give it a couple of days and if it still doesn't work then try some troubleshooting.

  • I can't get Apple TV mirroring to work from any of my iOS devices (Ipad2, iPhone 5 and iPad air).

    I can't get mirroring to work from any of my iOS devices (iPad 2, iPhone 5 and iPad Air). I click on AirPlay and select mirroring, but nothing appears on the TV screen and the connection with the Apple TV drops off after 5 seconds. Any ideas why?

    Try the following steps, check whether things are working after each step where appropriate, before trying the next.
        1.    Check AirPlay is turned on on the Apple TV (turn it off and on if it already is)
        2.    Check that both devices are on the same network (Settings > Wifi, on the mobile device and Settings > General > Network, on the Apple TV).
        3.    Restart the Apple TV (Settings > General > Restart).
        4.    Restart the Apple TV by removing ALL the cables for 30 seconds.
        5.    Restart your router. (Also try removing its power cord for at least 30 seconds.)
        6.    Restart your mobile device.

  • TS4062 I have 3 Dell laptops at home and I am unable to connect my iPad 1 to any of them using the USB cable.  If I connect the iPad to any Apple computer, it works perfectly.  I have installed the latest versions of iTunes and iOS, but still no luck. Opt

    I have 3 Dell laptops at home and I am unable to connect my iPad 1 to any of them using the USB cable.  If I connect the iPad to any Apple computer using the same USB cable, it works perfectly.  I have installed the latest versions of iTunes and iOS, but still no luck. Apple Store Geniuses helped me determine that it wasn't my iPad causing the problem, but were less helpful when it came to dealing with non-Apple devices.
    Options?

    Does the OS see the iPad at all? In other words does it show up in either the My Computer or Device Manager?
    I've had problems in the past where I had to modify the registry to get my son's iPod to sync with a particular HP laptop.
    If it doesn't show up at all, have you tried using an external hub (with or without power)?

  • HT5934 Any problems in IOS 7 and if I add IOS 7.2 do I get everything?

    Any problems in IOS 7 and if I add IOS 7.2 do I get everything?

    Upgrading to iOS 7 will provide everything that your device supports. Not all devices support all features. Check these forums for posts on problems.
