Port Forwarding/Firewall Query
I've got the BT 2Wire.com gateway router, and I'm mystified by the setup screen, when I want to add more than one firewall pinhole for a pc on my network, it complains that that pinhole is already assigned to another pc.
But I don't understand that a pinhole in the firewall isn't the same as 'port-forwarding' is it?
I might have multiple pcs behind the router all of which need the same hole in the firewall.
There may be quite a few diffences, they could mean port forwarding.
The BT Business forum is at http://business.forums.bt.com
Its possible someone there may be able to help.
There s a general guide to port forwarding on my website.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
Similar Messages
-
Help needed please (Port forwarding/Firewall Question)
So im hooked up thru my router so if I want to play a game I have to port forward so im told.
Ok, I im at my port forwarding menu and its asking for the following info...some of this info I know and some I have no idea what it means or where I can get it from. Heres the parts im asked to enter that I have no idea what to enter......
Source IP Address:
Destination IP Address
Source Netmask:
Destination Port Map
Where do I find out these things!?...Im a COMPLETE novice when it comes to routers and im so confused.Hello,
Unfortunately, that information is going to have to come from the people who are providing you the online game.
The settings you need are going to depend on what their program requires, and how they communicate with your computer.
All of this is different for each service you are trying to use.
Here are some articles to get you familiarized with the concept though:
http://en.wikipedia.org/wiki/Port_forwarding
http://forums.furthurnet.org/viewtopic.php?p=3821
http://www.boutell.com/newfaq/creating/forwardports.html
http://panasonic.co.jp/pcc/products/en/netwkcam/technic/port_fwrd.html
http://p2p.weblogsinc.com/2005/04/24/how-to-configure-your-router-to-allow-fast- bittorrent-downloads/
While they all discuss doing it with different routers, the principals and ideas are the same.
But, the actual configuration is going to depend on the specific needs of the service you are trying to use (the particular online game).
I hope this helps. -
Cisco 5520 ASA Port Forward to Endian Firewall VPN Question
Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
JoeWrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.
-
RV042 Port forwarding stops working when Firewall is enabled
Hey all,
I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows:
HTTP[TCP/80~80]->10.0.0.6
HTTPS[TCP/443~443]->10.0.0.6
IMAP[TCP/143~143]->10.0.0.5
IMAP SSL[TCP/993~993]->10.0.0.5
SMTP SSL[TCP/587~587]->10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out.
Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Do you know anything I could try?
Best regards,
Theo
EDIT:
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.Hi Theo, if you want to over ride the default state table, you need to first make firewall rules to block all access then make your permission rules.
Such an example would be-
Action Deny
Service All
Source interface WAN
Source IP any
Destination IP any
Save
Action Permit
Service RDP
Source interface WAN
Source IP -xx.xx.xx.xx
Destination IP - xx.xx.xx.xx
Save
As for your concern about the syn flood, it can be a likely cause of your problems. Does the logging facility of the router give any indications?
-Tom
Please mark answered for helpful posts -
Port Forwarding/Router Firewall HELP
I'm trying to use my iSight built in cam with "aMSN" and they give me error messages when I configure. It says I have firewall/port issues to free up or something. Here's what help says to do:
"To do this, open your router web-based configuration (check router manual for details on this). Once you have the web-based configuration open, browse for a setting called "port forwarding" or "port range forwarding" or something similar to that. (This might be found under the advanced features for your router).
Now that you have the port forwarding page open, you will want to set the port forwarding range so that aMSN will be able to accept and send the webcam stream.
Here's an example of how you will set up your port forwarding:
Application: aMSN
Start: 6890
End: 6900
Protocol: Both(TCP & UDP)
IP: xxx.xxx.x.xxx
Enabled: X (Yes/True)
Note: xxx.xxx.x.xxx is the IP of your machine that you are trying to send / receive webcam
If you have a web server open on your port 80, you can try to disable it too, sometimes it helps. "
All I'm asking is how do I get to the port forwarding page to do what they have displayed above? I've tried Apple support topics on the subject and all were irrelevent or only dealt with iChat.
Any ideas? Thank you!Are you using an Airport? If not, what type of router do you have connected? Each manufactor is different, but should provide the information in their manuals.
-
RV042 Firewall & Port Forwarding
I am installing a RV042 on a client SBS network. In the configuration, I notice that there is a place for port forwarding where I guess I could open the ports for smtp, http, https, ...
But there are also access rules in the firewall section which seem to be the same except that you can schedule them.
Question is, do I need to configure both, or if only one of them, which one?
Thanks in advance for the advice.
Bob Showalter, Packer InternationalBob,
You only need to configure port forwarding, unless you want to specify a source and destination that the packet is allowed or denied; then you would use both.
hope this helps,
Jasbryan -
Port Forwarding Cisco firewall
Hi,
In Cisco Firewall 2900 seires
trying to use port forwarding
but not communication please help me.
Reg
Manoj.: Saved
: Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
name 10.10.70.X.40 FinalPdf
name 201.256.x.x Youfinalip
interface Ethernet0/0
nameif YOUB
security-level 0
ip address 201.256.x.x.254.82 255.255.255.248
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.70.X.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq 14147
object-group service any tcp-udp
port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
group-object ftp
port-object eq ftp-data
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list YOUB_mpc extended permit ip any any
access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging device-id hostname
logging debug-trace
logging ftp-bufferwrap
logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
logging class auth trap emergencies asdm emergencies
mtu YOUB 1500
mtu SIFY 1500
mtu inside 1500
mtu WAN 1500
mtu management 1500
ip verify reverse-path interface YOUB
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm location Testpdf 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (YOUB) 1 interface
global (SIFY) 1 interface
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
access-group YOUB_access_in in interface YOUB
access-group inside_access_in in interface inside
route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 100 reachability
telnet timeout 5
ssh scopy enable
ssh 10.10.70.X.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map YOUB-class
match access-list YOUB_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description ftp
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
ips inline fail-open
policy-map YOUB-policy
class YOUB-class
ips inline fail-open sensor vs0
service-policy global_policy global
service-policy YOUB-policy interface YOUB
smtp-server 10.10.70.X.18
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
: end -
Manual port-forwarding to Time Capsule behind firewall (NVG589)
A happy new year to all. I'm writing seeking help with my computer setup in a well-connected home. In short, here is what I want to do: I want to get access to my latest-gen Time Capsule (wireless AC) from outside my house, so that I can read or write files on the 2TB HD on my time capsule, using the Back to My Mac feature in the Time Capsule (with my Apple ID). I have no interest in sharing screens or anything else, just in the data on the drive.
Now, my current setup, which otherwise works like a charm.
ATT Uverse's Motorola NVG589 is the incoming modem/gateway/firewall for my entire house (using their 'Power' service, the fastest): it is possible via various tricks and hacks to put the NVG589 into 'near-bridge mode' or to root the modem via and exploit and through it into full bridge mode (which the Motorola NVG589 is capable of, but ATT does not expose that functionality [imagine the tech calls!]). I'm resisting the temptation to do so, because I don't want to the run the risk of messing up service to our house, and a call to ATT tech support. If it ain't broke, don't fix it.
The Motorola NVG589 has its DHCP service on and doles out IP addresses to everything else in the network (thankfully it also has a hidden mDNS system, too, allowing me Bonjour functionality inside my whole house). The Time Capsule, however, has a static-IP that I've assigned, and I also have a DHCP reservation for the Time Capsule in the NVG589's DHCP table.
One crucial thing is that the Motorola NVG589 does not expose UPnP or NAT-PMP to the user, which means that I'll have to do the work manually to allow externally-originating traffic to pass through the Motorola NVG589 to the Time Capsule.
Apple's latest Time Capsule 2TB unit, in bridge mode, so that its IP address is the one given it by the Motorola NVG589 (192.168.1.x, not the usual 10.0.0.x that the TC would give out were it the router). No double-NAT, in other words. The Time Capsule is solely a wireless access point and a passive shared disk (and my target for Time Machine on my Mac).
Nothing else on my home network needs to be accessed from the outside world, no gaming, no servers, no Back to My Mac for any individual Mac computer (we have four).
So what I'm looking for is help knowing what holes to poke into the NVG589's firewall to direct to my time capsule. I've searched through many docs here on Apple's support site, and the number of potential ports I could open is dizzying. Security concerns require that I open the necessary ports, and no more.
I'd be grateful for any help.LaPastenague,
I connected one of devices that I was trying to reach directly to the U-Verse modem and the port forwarding doesnt work anymore. This must be somthing in the way I reconfigured the U-Verse modem to work with my new TC, becuase it used to work jsut fine.
I have a U-Verse modem model number 3801HGV. I have a new TC with a 3TB HD but I don't know the specifcs of what generation is it. It is new and dual band WiFi... that is why I am trying to use it as a wireless access point behind my At&T modem/router.
As far as the details go, I will explain. The port forwarding worked before I added the TC, so I'm sure I just dont have them working together yet. The devices that I want to reach from my iPhone and iPad are a Foscam 8910W IP camera, and a Neptune Apex aquarium controller. Both devices have static IPs and configured with ports 8080, and 8090 respectivly. The IP camera is connected to the TC wirelessly and the Apex is a little different...it is connected to a Sonos (wireless music media) bridge via a ethernet patch cable. The Sonos bridge is connected to the Sonos wireless network (assume it is a dedicated frequency) which originates at another Bridge that is physically connected to the TC with a ethernet cable. Sounds weird, but it works as that is one of the features the the Sonos has is to offer. I think it is similar to a wirless gaming adapter in that sense.
As far as port fowarding goes, I configured within the U-Verse router to open up the two IP ports 192.168.X.X:8080 for the Apex and 192.168.Y.Y:8090 for the Foscam in the Firewall section called "Applications, pinholes and DMZ". I would use my cellphone when away from home by putting my public IP along with the correct port number to get access to the assocated device (ex.99.56.289.34:8080). The phone was on a cellular signal and not tethered to the wireless network. My public IP always stays the same so I don't have to worry about that variable.
Again, all this used to work, but now when I added the TC I cant access it externally. Any suggestions to get this to work would be apprected.
Best Regards -
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
endHi,
I didnt see anything marked with red in the above? (Atleast when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
ASA 5505 how to create a port forwarding rule
ASA 5505 IOS ver 9.2.3
I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
I tried these commands but they didn't work:
object network NAS
host 192.168.2.8
nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
conf t
int vlan 2
access-group NASFTP-in permit tcp any object NAS eq 1545
I really appreciate the help everyone.try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60 and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"
object network obj-10.10.50.60-1
host 10.10.50.60
nat (inside,outside) static interface service tcp 80 80
object network INSIDE
nat (inside,outside) dynamic interface
object network WWW-SERVER
nat (inside,outside) static interface service tcp 80 80
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
access-group Outside_access_in in interface Outside -
Trying to Port Forward Airport Extreme 802.11ac using Airpot Utility 6.3.2
Hello kind experts. I am finally getting around to replacing my old BEFSR81 Cisco Router with an old Time Capsule attached with the Airport Extreme 802.11ac. The BEFSR81 also had 8 ports, so I have 8 hardwired locations throughout the house. I have a couple of IP cameras for which it was easy to port forward on the Cisco (just click on the port range forwarding tab, type the start/end ranges (which are identical) and the assigned IP address). Everything has been working well for years. Here's what I wish to do with the new setup: Cable Modem -> Airport Extreme -> Dumb gigaport switch with the hardwires connected to it.
When I go to Airport Utility (6.3.2) -> Network Tab -> Port Settings -> "+", the following comes up:
Firewall Entry Type (Defaulted to IPv4 Port Mapping)
Description (5 pull down choices)
Public UDP Ports : _________
Public TCP Ports: __________
Private IP Address (I take it that is where I enter the IP address for each camera, e.g. 192.168.1.xxx)?
Private UDP Ports: __________
Private TCP Ports: __________
I am obviously not a technophile, especially when it comes to networking, but was able to create my old setup.
Any advice on whether or not my configuration is appropriate and what exactly I need to put in the port fields would be greatly appreciated!
Thanks in advance!To successfully access an IP camera on the local network from the Internet, the following basics need to be taken care of:
Install the camera(s) and verify that you can access them from the local network.
Configure port mapping/forwarding on your router. Typically, IP cameras require at least two ports: 1) A web port for administering the camera; Usually TCP port 80, and 2) A streaming port to broadcast the camera video feed; Usually UDP port 9000. Note: You should check with your camera's documentation for the exact ports required.
If the camera is attached to a computer, you will need to configure the computer's firewall to open the same ports as in step 2 above.
Verify that your modem is in bridge mode, i.e., if the modem provides NAT & DHCP services, turn them off.
Test your network. Use CheckIP to determine your router's current WAN-side (public) IP address. Then, from a remote location (not from a computer on the local network), use the DynDNS Open Port Tool to verify that the required ports are open. Success is an "Open" response from the Tool.
Check out the following AirPort User tip for configuring port mapping on an AirPort base station. -
SRP547W, How to use multiple WAN IPs for port forwarding?
Hi folks,
We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
What we're trying to acheive is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...
Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
a.b.c.208 Network Address (/29 subnet)
a.b.c.209 ISP Gateway
a.b.c.210 IP1
a.b.c.211 IP2
a.b.c.212 IP3
a.b.c.213 IP4
a.b.c.214 IP5
a.b.c.215 Broadcast Address
On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
VLAN ID: 4088 (Uneditable)
Connection Type: Static IP
Internet IP Address: a.b.c.210
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
VLAN ID: 4000 (Chosen arbitrarily)
Connection Type: Static IP
Internet IP Address: a.b.c.211
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
When we try to do so however we get:
Fail!
Conflict with Ether_WAN2 interface address type
I should mention at this point that we're running on firmware version 1.02.01 (023).
Any suggestions on how we can proceed?
Is there a CLI or other method of configuration that might work if the web interface won't?
Thanks,
Tim.OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
VLAN ID: 4088 (Uneditable)
Connection Type: Static IP
Internet IP Address: a.b.c.210
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
We'd now like to expose a server function on IP2, let's say LAN details for this server are:
VLAN: 3000
VLAN IP Range: 192.168.1.1/24
Server IP: 192.168.1.10
Server Port: 80
So first we turn on Software DMZ:
Status: Enabled
Public IP: a.b.c.211
Private IP: 192.168.1.10
WAN Interface: Ether_WAN2
My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
In Interface (WAN): All
Out Interface (LAN): VLAN.3000
Source IP: 0.0.0.0
Source Subnet: 0.0.0.0
Destination IP: 192.168.1.10
Destination Subnet: 255.255.255.255
Protocol: TCP
Source Port: Any
Destination Port: Single:80
Action: Permit
Schedule: Everyday
Times: 24 Hours
Still no dice. What am I missing?
Cheers,
Tim. -
Please Help - Only Some Port Forwards Working
Hi all,
I have the most annoying issue with a Cisco 887VA-K9 port forwarding. Some port work while other don’t and I just can’t see why, however I suspect it is a zone based firewall (ZBF) issue.
Port forwards on the follow ports all work fine:
External port 8021 to 192.168.4.253 on port 80 works
External port 8022 to 192.168.4.253 on port 8022 works
All the rest don’t. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit which is in the DMZ network 192.168.4..0
Any help would be great appreciated as this sending me mad. Fully running config below.
Louise ;-)
Building configuration...
Current configuration : 36870 bytes
! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname QQQ_ADSL_Gateway
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000
enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Magadan 11 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3471381936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3471381936
revocation-check none
rsakeypair TP-self-signed-3471381936
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-3471381936
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133
38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9
7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07
AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD
6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79
51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06
03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609
2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8
9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290
AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660
644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A
3D7107BA AA4E7273 1D43690E C4A5D4
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip dhcp excluded-address 192.168.0.230 192.168.0.255
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp pool QQQ_LAN
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.6 202.1.161.36
netbios-name-server 192.168.0.6
domain-name QQQ.Local
lease 3
ip cef
no ip bootp server
ip domain name QQQ.Local
ip name-server 192.168.0.6
ip name-server 202.1.161.37
ip name-server 202.1.161.36
ip inspect log drop-pkt
no ipv6 cef
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
password encryption aes
license udi pid CISCO887VA-K9 sn FGL162321CT
object-group service MAIL-PORTS
description QQQ User Mail Restrictions
tcp eq smtp
tcp eq pop3
tcp eq 995
tcp eq 993
udp lt rip
udp lt domain
tcp eq telnet
udp lt ntp
udp lt tftp
tcp eq ftp
tcp eq domain
tcp eq 5900
tcp eq ftp-data
tcp eq 3389
tcp eq 20410
object-group network Network1
description QQQ Management Network
192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.8.0 255.255.255.0
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
object-group network Network2
description QQQ User Network
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
range 192.168.0.26 192.168.0.199
object-group network QQQ.Local
description QQQ_Domain
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.6.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.10.0 255.255.255.0
10.1.0.0 255.255.0.0
object-group network QQQ_Management_Group
description QQQ I.T. Devices With UnRestricted Access
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
192.168.1.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.4.0 255.255.255.0
10.1.0.0 255.255.0.0
192.168.10.0 255.255.255.0
10.8.0.0 255.255.255.0
192.168.9.0 255.255.255.0
192.168.100.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.21.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.23.0 255.255.255.0
object-group network QQQ_User_Group
description QQQ I.T. Devices WIth Restricted Access
range 192.168.0.26 192.168.0.199
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
object-group service WEB
description QQQ User Web Restrictions
tcp eq www
tcp eq 443
tcp eq 8080
tcp eq 1863
tcp eq 5190
username cpadmin privilege 15 password 7 1406031A2C172527
username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU
controller VDSL 0
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 121
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 120
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 122
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 117
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-cls-http
match access-group name dmz-traffic
match protocol http
class-map type inspect match-any Telnet
match protocol telnet
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 102
match access-group 103
match access-group 104
match access-group 105
match access-group 106
match access-group 107
match access-group 108
match access-group 109
match access-group 110
match access-group 111
match access-group 112
match access-group 113
match access-group 114
match access-group 115
class-map type inspect match-any SIP
match protocol sip
class-map type inspect pop3 match-any ccp-app-pop3
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect sip match-any ccp-cls-sip-pv-2
match protocol-violation
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-1
match access-group name ETS1
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match access-group name ETS
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map Telnet
match access-group name Telnet
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match user-group qqq
match protocol icmp
match protocol http
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-cls-sip
match access-group name dmz-traffic
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SIP
match access-group name SIP
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect PF_OUT_TO_IN
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect PF_IN_TO_OUT
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-invalid-src
drop log
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect sip ccp-app-sip-2
class type inspect sip ccp-cls-sip-pv-2
allow
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-cls-http
inspect
service-policy http ccp-action-app-http
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class class-default
pass
policy-map type inspect ccp-pol-outToIn
class type inspect ccp-cls-ccp-pol-outToIn-1
pass
class type inspect ccp-cls-ccp-pol-outToIn-2
pass
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security dmz-to-in source dmz-zone destination in-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
crypto ctcp port 10000 1723 6299
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219
crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group QQQ
key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB
dns 192.168.0.6 202.1.161.36
wins 192.168.0.6
domain QQQ.Local
pool SDM_POOL_1
include-local-lan
max-users 20
max-logins 1
netmask 255.255.255.0
banner ^CCWelcome to QQQ VPN!!!!1 ^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group QQQ
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address initiate
client configuration address respond
keepalive 10 retry 2
virtual-template 1
crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP_AES_SHA
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to220.245.109.219
set peer 220.245.109.219
set transform-set ESP-3DES-SHA
match address 119
interface Loopback0
description QQQ_VPN
ip address 192.168.9.254 255.255.255.0
interface Null0
no ip unreachables
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no fair-queue
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description Telekom_ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
description QQQ_LAN-VLAN_1
switchport access vlan 1
no ip address
interface FastEthernet1
description QQQ_LAN-VLAN_1
no ip address
interface FastEthernet2
description QQQ_WAN-VLAN_2
switchport access vlan 2
no ip address
interface FastEthernet3
description QQQ_DMZ-IP_PBX-VLAN_3
switchport access vlan 3
no ip address
interface Virtual-Template1 type tunnel
description QQQ_Easy_VPN
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description QQQ_LAN-VLAN1$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan2
description QQQ_WAN-VLAN2$FW_INSIDE$
ip address 192.168.5.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan3
description QQQ_IP-PBX_WAN-VLAN3
ip address 192.168.4.254 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Vlan4
description VLAN4 - 192.168.20.xxx (Spare)
ip address 192.168.20.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description ATM Dialer
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
no cdp enable
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
router rip
version 2
redistribute static
passive-interface ATM0
passive-interface ATM0.1
passive-interface Dialer0
passive-interface Dialer2
passive-interface Ethernet0
passive-interface Loopback0
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
network 192.168.6.0
network 192.168.7.0
network 192.168.8.0
network 192.168.10.0
network 192.168.100.0
ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200
ip forward-protocol nd
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0
ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060
ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208
ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209
ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200
ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218
ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219
ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210
ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278
ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279
ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270
ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288
ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289
ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280
ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723
ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389
ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390
ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022
ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021
ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023
ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
ip default-network 192.168.0.0
ip default-network 192.168.4.0
ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
ip route 10.1.0.0 255.255.0.0 Vlan2 permanent
ip route 10.8.0.0 255.255.255.0 Vlan2 permanent
ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
ip route 192.168.4.0 255.255.255.0 Vlan3 permanent
ip route 192.168.5.0 255.255.255.0 Vlan2 permanent
ip route 192.168.100.0 255.255.255.0 Dialer2 permanent
ip access-list extended ACCESS_FROM_INSIDE
permit ip object-group QQQ_Management_Group any
permit tcp object-group QQQ_User_Group any eq smtp pop3
permit tcp object-group QQQ_User_Group any eq 993 995
permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3
permit tcp 192.168.0.0 0.0.0.255 any eq 993 995
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control
ip access-list extended ETS
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended ETS1
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit tcp any host 192.168.0.100 eq 25565
permit tcp any eq 25565 host 192.168.0.100
ip access-list extended QQQ_ACL
permit ip any host 192.168.4.253
permit udp any any eq bootps bootpc
permit ip any 192.168.4.0 0.0.0.255
permit ip host 203.219.237.252 any
remark QQQ Internet Control List
remark CCP_ACL Category=17
remark Auto generated by CCP for NTP (123) 203.12.160.2
permit udp host 203.12.160.2 eq ntp any eq ntp
remark AD Services
permit udp host 192.168.0.6 eq domain any
remark Unrestricted Access
permit ip object-group QQQ_Management_Group any
remark Restricted Users
permit object-group MAIL-PORTS object-group QQQ_User_Group any
permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control
remark ICMP Full Access
permit icmp object-group QQQ_User_Group any
permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
ip access-list extended QQQ_NAT
remark CCP_ACL Category=18
remark IPSec Rule
deny ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SIP
remark CCP_ACL Category=128
permit ip any 192.168.4.0 0.0.0.255
ip access-list extended Telnet
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any 192.168.4.0 0.0.0.255
access-list 1 remark CCP_ACL Category=2
access-list 1 remark QQQ_DMZ
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 remark QQQ_LAN
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark QQQ Insid NAT
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 3 permit 192.168.6.0 0.0.0.255
access-list 3 permit 192.168.7.0 0.0.0.255
access-list 3 permit 192.168.8.0 0.0.0.255
access-list 3 permit 192.168.9.0 0.0.0.255
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark QQQ_NAT
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 4 permit 10.8.0.0 0.0.0.255
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.2.0 0.0.0.255
access-list 4 permit 192.168.3.0 0.0.0.255
access-list 4 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 4 permit 192.168.6.0 0.0.0.255
access-list 4 permit 192.168.7.0 0.0.0.255
access-list 4 permit 192.168.8.0 0.0.0.255
access-list 4 permit 192.168.9.0 0.0.0.255
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 5 remark HTTP Access-class list
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 192.168.4.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 101 remark QQQ_Extended_ACL
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any host 192.168.0.254 eq 10000
access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp
access-list 101 permit udp any host 192.168.0.254 eq isakmp
access-list 101 permit esp any host 192.168.0.254
access-list 101 permit ahp any host 192.168.0.254
access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
access-list 101 permit udp host 192.168.0.6 eq domain any
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
access-list 101 remark QQQ_ANY_Any
access-list 101 permit ip object-group QQQ.Local any
access-list 101 remark QQQ_DMZ
access-list 101 permit ip any 192.168.4.0 0.0.0.255
access-list 101 remark QQQ_GRE
access-list 101 permit gre any any
access-list 101 remark QQQ_Ping
access-list 101 permit icmp any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit tcp any eq telnet host 192.168.0.254
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp any any eq 10000
access-list 107 remark CCP_ACL Category=1
access-list 107 permit tcp any any eq 10000
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp any any eq 10000
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp any any eq 10000
access-list 110 remark CCP_ACL Category=1
access-list 110 permit tcp any any eq 10000
access-list 111 remark CCP_ACL Category=1
access-list 111 permit tcp any any eq 10000
access-list 112 remark CCP_ACL Category=1
access-list 112 permit tcp any any eq 10000
access-list 113 remark CCP_ACL Category=1
access-list 113 permit tcp any any eq 10000
access-list 114 remark CCP_ACL Category=1
access-list 114 permit tcp any any eq 10000
access-list 115 remark CCP_ACL Category=1
access-list 115 permit tcp any any eq 10000
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 117 remark CCP_ACL Category=128
access-list 117 permit ip any any
access-list 117 permit ip host 220.245.109.219 any
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 remark CCP_ACL Category=0
access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address QQQ_NAT
banner login ^CCWelcome to QQQ ADSL GatewayIt turns out the problem had nothing to do with wires or splitters. The Verizon tech was at my house yesterday and the ONT was failing. He replaced part of the ONT and it fixed the problem (finally!). At least I was able to watch the Celtics game last night.
I have a Tellabs ONT. Not sure the model but it's older like the ones in this thread.
http://www.dslreports.com/forum/r19982000-Mounting-board-for-612-ONT -
Can anyone tell me how to port forward and setup an XBOX 360 using my Time Capsule??
Xbox 360
When playing the game online, the minimum speed of your network should be 128kbps. The ideal network speed for playing the game online is 768kbps. If you are having a problems with lag check the following:
Network Troubleshooting:
Disable any firewall or security features on your router.
Set port forwarding on your router to the IP address of your Xbox 360. This game uses port 3074 (UDP/TCP). Additionally Xbox LIVE requires ports 80, 53 TCP and 88, 53 UDP.
Place your Xbox 360 into the DMZ of your router.
Disconnect your router and try the game. If it works regularly at this point something about your router may not be completely compatible with the specific needs of this game. Check with your router manufacturer and Microsoft's Xbox Live Connection Issues page for additional steps that may need to be done to resolve the issue you are having. You can also verify that you have an Xbox Live compatible router.
If you are having issues connecting while multiple Xbox 360 consoles are connected on the same network, try forwarding port 3074 (UDP/TCP) for one Xbox 360 and setting the other as DMZ. There is a chance that this may not resolve you issue, if it doesn’t then you may want to consider getting an additional public IP address by contacting your Internet Service Provider and assigning it to one of these two consoles.
NOTE: If setting port forwarding or DMZ helps your connection issue, you may want to assign your Xbox 360 a static IP address within your home network. This can help to ensure that the configurations you made do not need to be done again. You can visit PortForward's Static IP Guide for a detailed guide on how to do this.
NOTE: Many broadband internet modems are coming with routing capabilities built in. Please contact your internet service provider to determine if your internet modem has an integrated router. If it does, they should be able to assist you with the steps above for setting up your router.
Once you have verified that your network setup is not the cause of the issue, try the following:
Try connecting to a different server. Some servers may have other players connected to them that you do not have an optimal connection with. In most games this is accomplished by backing out to the main menu and then selecting multiplayer again. From there you can try connecting to another online game.
Run the Xbox Network Self Test to see how strong your NAT is currently set to. Once the test is completed you will be notified if there is an issue with your connection. If you select "More Info" you will be given information about your NAT type and some steps to resolve any issues with your connection.
Moderate and Strict NAT types may have issues connecting to online matches. You may get the error "Notice - The game session is no longer available." If you do then enabling UPnP, forwarding port 3074, or placing your Xbox in your router's DMZ may resolve this issue. Please consult your router documentation for instructions on how to do this.ouman88 wrote:
Whoa....this just went way over my head.... I already have 6.1 installed for my Airport Utility.
Read again what I wrote.. 6.1 is the problem.. or part of it.
You need to install the earlier 5.6 version which I have given you explicit instructions to do.
I have done something now and can not connect the XBOX at all now....unless you can provide me step by step directions I may have to call Apple Support.
This will happen over and over.. just press reset and start again.. you need to learn how to do the setup and using 5.6 utility will help you.. as will using ethernet from the computer to the TC.. trying to fix things over wireless is like sitting on a tree branch you are sawing off. As soon as you update you will fall to the ground.
I am not that sure that Apple Support will have any idea.
Do a google search .. you will find most people struggle with this.. Microsoft made the xbox to use upnp with vista specs.. if you use a router without upnp, ie any apple router.. you will have issues.
Have a go at bypassing the problem.. I have no idea if this will work.. I do not use a TC as the main router because much of my network including xbox and ps3 is just a pain.. I use a modem router with upnp. And bridge the TC.. that is the setup I would recommend.
Try this.. once you have installed 5.6 utility.
Get the IP of the XBox and click enable default host.. and put the IP address in there.. this is called DMZ.. all unassigned packets are forwarded to this ip address.. it is like a port forwarding for all ports.
See if it helps.. If it does you will need to lock the xbox address so it doesn't change.. we can get to that.
Tell me what kind of broadband you have and what modem router first.. none of this will work if you have double NAT. -
I will Paypal you $100 if you can resolve this Port Forward problem
Believe me when I tell you, If you are the person who fixes this problem, I will GLADLY Paypal you $100.
This is so unbelievable. Short story is, after 12 hours of paid support through Support RIX, 6 hours with TWC support, and 4 different modems there isn't a single person in these groups that can get ports forwarded on my Linksys E4200 router.
I am running a fresh copy of windows 7 with all updates and no anti virus installed. I purchased a Motorola ARRIS SURFboard modem 200 series DOCSIS 3.0 so I have no double router issues. Before I was using the TWC moden/routers in bridge mode.
I have no problem setting a static IP or configuring port forwarding. It doesn't matter if I have windows firewall on or off. I can't get an outside port checking website that can verify an open port.
I am trying to play Battlefield 4 using the port forwarding request they provide.
If I run a local port check program on my computer it will confirm the ports open. Ok, Fair enough. They tell me the outside port checking utilities will say the port is closed unless I am running the program that uses these open ports.
SO I run the game and check and it always says port closed. One of the ports I want to open is 80. It has to be open to get internet anyway but it still shows closed using the online port checking websites.
I connected the computer to the modem. No router. I keep getting ports closed or filtered when I check through 6 different port checking sites. Leads me to think their is some kind of block in the ethernet card software.
Its a Realtek PCIe GBE Family controller with a driver date of 8/26/2014. Latest one I could find.
I think its an ethernet card filter. Just my thoughts. Here is the current adapter card settings.
Advanced settings on Ethernet card
Auto Disable Gigabit/ Disabled
Flow Control/ RX & TX Enabled
Green Ethernet/ Enabled
Interrupt Moderation/ Enabled
IPv4 Checksum Offload/ RX & TX Enabled
Jumbo Frame/ Disabled
Large send Offload v2 (IPv4)/ Enabled
Large Send Offload v2 (IPv6)/ Enabled
Network address/ You can check the box for Value and add one. Currently its checked to Not present
Priority & VLAN/ Enabled
Receive buffers/ 512
Receive Side Scaling/ Enabled
Shutdown Wake-on-Lan Enabled
Speed and duplex/ Auto Negotiation
TCP Checksum Offload (IPv4)/ RX & TX Enabled
''''''''''''''''''''''''''''''''''''''(IPv6)/ RX & TX Enabled
Transmit buffers/ 128
UDP Checksum Offload (IPv4) RX & TX Enabled
'''''''''''''''''''''''''''''''''''''''(IPv6) RX & TX Enabled
Wake on Magic Packet/ Enabled
Wake on Pattern match/ Enabled
WOL & Shutdown Link Speed/ 10 Mbps First
I used a port tester downloaded from PCWinTech.com v3.0.0. It says the ports are open. When I close port 80 it says port 80 is closed. My problem is nothing outside my network can confirm an open port. It always states port closed.
The game I am playing is Battlefield-4. I have played all of the campigns without any problem but once online it crashes. The BF-4 community says I need to open 5 single ports and 5 port ranges. This is what I am trying to do.
We have tried an ARRIS router modem, a Ubee router modem (both in bridge mode) and are now using a motorola modem. All with the same problem. We checked the ports during game play and they all say closed.
I will post pictures of my current router settings.What model router do you have?
What Firmware version is currently loaded?
What region are you located?
What is your current model ISP modem your using now?
What ISP Modem service link speeds UP and Down do you have?
Check cable between Modem and Router, swap out to be sure. Link>http://en.wikipedia.org/wiki/CAT6 is recommended.
Check ISP MTU requirements, Cable is usually 1500, DSL is around 1492 down to 1472. Call the ISP and ask.
http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=88e63d78588142e6bb68e22d7faf2046_Configuring_the_M...
Router and Wired Configurations
Setup DHCP reserved IP addresses for all devices ON the router. This ensures each devices gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting and maintain consistency for applications that need to connect as well as mapped drives.
Ensure devices are set to auto obtain an IP address.
If http://en.wikipedia.org/wiki/Ipv6 is an option on the router, select Local Connection Only.
If you set up port forwarding, disable uPnP and test.
When you check for port status, you have to be actively using the port before you scan check as you may get a false negative if your not using the port. If your using the port then check the status, you should get an accurate result.
I would try using Port Range Triggering instead of PF and set up the port as follows for your PC that your gaming with:
0 thru 65535. A bit less hassle to set up then all those different port rules.
PC 3rd Party Security Software Configurations
Turn off all anti virus and firewall programs on PC while testing. 3rd party firewalls are not generally needed when using routers as they are effective on blocking malicious inbound traffic.
Turn off all devices accept for one wired LAN PC while testing.
Disable any downloading client software managers, i.e. Torrents or similar.
Maybe you are looking for
-
SSO and Portal down after upgrade from AS 10.1.2.0.2 to 10.1.2.3
SSO and Portal is down after upgrade from AS 10.1.2.0.2 to 10.1.2.3. All others are running fine. Any similiar experience and solution? Thanks. Andy
-
ActiveX Bridge does not work in 1.4.2_04?
I tried my JavaBean with jre 1.4.2_04. Java Plugin started up at CreateObject("XXX.Bean.1") and popped up an error statement. Here is the stack trace: java.lang.UnsatisfiedLinkError: getBrowserProxySettings at sun.plugin.net.proxy.WIExplorerProx
-
Unusable 'Other' blocking up my iphone after update
I have just updated my operating system to version5, but now I am unable to sync with my iphone from iTunes, or use any apps or store any music on my iphone. I also have 11.5GB of unusable 'other' stuff in storage and cannot get access to it..... HE
-
CA certificate in high availability SCOM 2012
Hello, Do i need to insert a CA certificate to my second SCOM server (the same MG - high availability)? Thanks TechNet
-
Hello, I want to search for two strings "+error" and "+denied" at .txt files in one Folder. If one line exist in such file, it should Export this line into an new txt file. How can I do that? Thanks Horst MOSS 2007 Farm; MOSS 2010 Farm; TFS 2010; TF