PPTP out & in, Cisco 881

Hello,
I've searched a few forums and tried to use some of the suggestions (and that's why the config is so big and probably messed up ;-)
The network is very simple: (Computers behind NAT + Windows 2008 Server with PPTP -> Cisco 881 -> DSL) and (nearly) everything works perfectly.
It is not possible to connect from outside to the W2008 PPTP server (it stops at "connecting..."); what is even more interesting, you cannot connect from inside to any of the PPTP servers located on the Internet (this stops at "verifying user name & password").
Please check the configuration, and thanks in advance!
Greetings,
Adrian
config
ip dhcp excluded-address 192.168.100.1 192.168.100.29
ip dhcp excluded-address 192.168.100.100 192.168.100.254
ip dhcp pool Logmar
    import all
    network 192.168.100.0 255.255.255.0
    dns-server 194.204.159.1 192.204.152.34 
    default-router 192.168.100.1 
ip cef
no ip bootp server
ip domain name logmar
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip port-map user-rserial port tcp 33600 list 3 description rserial
ip inspect tcp reassembly queue length 1024
no ipv6 cef
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_GRE
  match access-group name SDM_GRE
class-map type inspect match-any VOIP
  match protocol sip-tls
  match protocol sip
  match protocol pptp
  match class-map SDM_GRE
class-map type inspect imap match-any ccp-app-imap
  match  invalid-command
class-map type inspect match-any pptp
  match protocol pptp
  match class-map SDM_GRE
class-map type inspect match-any ccp-cls-protocol-p2p
  match protocol edonkey signature
  match protocol gnutella signature
  match protocol kazaa2 signature
  match protocol fasttrack signature
  match protocol bittorrent signature
class-map type inspect match-any SDM_TELNET
  match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
  match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
  match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
  match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
  match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
  match class-map SDM_TELNET
  match class-map SDM_HTTP
  match class-map SDM_SHELL
  match class-map SDM_SSH
  match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
  match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
  match protocol h323
  match protocol skinny
  match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
  match protocol cuseeme
  match protocol dns
  match protocol ftp
  match protocol h323
  match protocol https
  match protocol icmp
  match protocol imap
  match protocol pop3
  match protocol netshow
  match protocol shell
  match protocol realmedia
  match protocol rtsp
  match protocol smtp
  match protocol sql-net
  match protocol streamworks
  match protocol tftp
  match protocol vdolive
  match protocol tcp
  match protocol udp
  match class-map SDM_GRE
  match protocol pptp
class-map type inspect match-all ccp-insp-traffic
  match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--1
  match class-map VOIP
  match access-group name VOIP
class-map type inspect match-any SDM_IP
  match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
  match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
  match protocol isakmp
  match protocol ipsec-msft
  match class-map SDM_AH
  match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
  match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect gnutella match-any ccp-app-gnutella
  match  file-transfer 
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
  match  service any 
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
  match  service any 
class-map type inspect match-any ccp-cls-icmp-access
  match protocol icmp
  match protocol tcp
  match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
  match protocol ymsgr yahoo-servers
  match protocol msnmsgr msn-servers
  match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
  match  service any 
class-map type inspect match-all ccp-protocol-pop3
  match protocol pop3
class-map type inspect match-any pptp-traffic
  match access-group name pptp
  match access-group name SDM_GRE
  match access-group name pptp-out
class-map type inspect pop3 match-any ccp-app-pop3
  match  invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
  match  file-transfer 
class-map type inspect match-all ccp-protocol-p2p
  match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
  match  service text-chat 
class-map type inspect ymsgr match-any ccp-app-yahoo
  match  service text-chat 
class-map type inspect match-all ccp-protocol-im
  match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-invalid-src
  match access-group 100
class-map type inspect match-all ccp-icmp-access
  match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
  match  request method bcopy
  match  request method bdelete
  match  request method bmove
  match  request method bpropfind
  match  request method bproppatch
  match  request method connect
  match  request method copy
  match  request method delete
  match  request method edit
  match  request method getattribute
  match  request method getattributenames
  match  request method getproperties
  match  request method index
  match  request method lock
  match  request method mkcol
  match  request method mkdir
  match  request method move
  match  request method notify
  match  request method options
  match  request method poll
  match  request method propfind
  match  request method proppatch
  match  request method revadd
  match  request method revlabel
  match  request method revlog
  match  request method revnum
  match  request method save
  match  request method search
  match  request method setattribute
  match  request method startrev
  match  request method stoprev
  match  request method subscribe
  match  request method trace
  match  request method unedit
  match  request method unlock
  match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
  match  file-transfer 
  match  text-chat 
  match  search-file-name 
class-map type inspect http match-any ccp-http-blockparam
  match  request port-misuse im
  match  request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
  match  file-transfer 
class-map type inspect aol match-any ccp-app-aol
  match  service text-chat 
class-map type inspect match-all ccp-protocol-imap
  match protocol imap
class-map type inspect edonkey match-any ccp-app-edonkeychat
  match  search-file-name 
  match  text-chat 
class-map type inspect http match-any ccp-http-allowparam
  match  request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
  match  file-transfer 
class-map type inspect match-all ccp-protocol-http
  match protocol http
policy-map type inspect ccp-permit-icmpreply
  class type inspect ccp-icmp-access
   inspect 
  class class-default
   pass
policy-map type inspect p2p ccp-action-app-p2p
  class type inspect edonkey ccp-app-edonkeychat
   log
   allow
  class type inspect edonkey ccp-app-edonkeydownload
   log
   allow
  class type inspect fasttrack ccp-app-fasttrack
   log
   allow
  class type inspect gnutella ccp-app-gnutella
   log
   allow
  class type inspect kazaa2 ccp-app-kazaa2
   log
   allow
policy-map type inspect im ccp-action-app-im
  class type inspect aol ccp-app-aol
   log
   allow
  class type inspect msnmsgr ccp-app-msn
   log
   allow
  class type inspect ymsgr ccp-app-yahoo
   log
   allow
  class type inspect aol ccp-app-aol-otherservices
   log
   reset
  class type inspect msnmsgr ccp-app-msn-otherservices
   log
   reset
  class type inspect ymsgr ccp-app-yahoo-otherservices
   log
   reset
policy-map global-policy
policy-map type inspect http ccp-action-app-http
  class type inspect http ccp-http-blockparam
   log
   allow
  class type inspect http ccp-app-httpmethods
   log
   allow
  class type inspect http ccp-http-allowparam
   log
   allow
policy-map type inspect imap ccp-action-imap
  class type inspect imap ccp-app-imap
   log
policy-map type inspect pop3 ccp-action-pop3
  class type inspect pop3 ccp-app-pop3
   log
policy-map type inspect ccp-inspect
  class type inspect ccp-invalid-src
   drop log
  class type inspect ccp-protocol-http
   inspect 
   service-policy http ccp-action-app-http
  class type inspect ccp-protocol-imap
   inspect 
   service-policy imap ccp-action-imap
  class type inspect ccp-protocol-pop3
   inspect 
   service-policy pop3 ccp-action-pop3
  class type inspect ccp-protocol-p2p
   inspect 
   service-policy p2p ccp-action-app-p2p
  class type inspect ccp-protocol-im
   inspect 
   service-policy im ccp-action-app-im
  class type inspect ccp-insp-traffic
   inspect 
  class type inspect CCP-Voice-permit
   inspect 
  class type inspect pptp-traffic
   pass
  class type inspect SDM_GRE
   pass
  class class-default
   pass
policy-map type inspect ccp-permit
  class type inspect SDM_EASY_VPN_SERVER_PT
   pass
  class type inspect pptp-traffic
   pass
  class class-default
   drop
policy-map type inspect sdm-policy-sdm-cls--1
  class type inspect sdm-cls--1
   pass
  class type inspect pptp-traffic
   pass
  class class-default
   drop
policy-map type inspect sdm-permit-ip
  class type inspect SDM_IP
   pass
  class type inspect pptp-traffic
   pass
  class class-default
   drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
  service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
  service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
  service-policy type inspect ccp-permit
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
  service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
  service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
  service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
  service-policy type inspect sdm-permit-ip
interface Null0
  no ip unreachables
interface FastEthernet0
  switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
  description $FW_OUTSIDE$$ETH-WAN$
  ip address 83.0.201.122 255.255.255.248
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip verify unicast reverse-path
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  zone-member security out-zone
  duplex auto
  speed auto
interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
  ip address 192.168.100.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat inside
  ip virtual-reassembly
  zone-member security in-zone
  ip tcp adjust-mss 1452
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 4 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip nat inside source list pptp-out interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
ip access-list extended SDM_AH
  remark CCP_ACL Category=1
  permit ahp any any
ip access-list extended SDM_ESP
  remark CCP_ACL Category=1
  permit esp any any
ip access-list extended SDM_GRE
  remark CCP_ACL Category=0
  permit gre any any
ip access-list extended SDM_HTTP
  remark CCP_ACL Category=0
  permit tcp any any eq www
ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=0
  permit tcp any any eq 443
ip access-list extended SDM_IP
  remark CCP_ACL Category=1
  permit ip any any
ip access-list extended SDM_SHELL
  remark CCP_ACL Category=0
  permit tcp any any eq cmd
ip access-list extended SDM_SSH
  remark CCP_ACL Category=0
  permit tcp any any eq 22
ip access-list extended SDM_TELNET
  remark CCP_ACL Category=0
  permit tcp any any eq telnet
ip access-list extended VOIP
  remark CCP_ACL Category=128
  permit ip any host 192.168.100.100
ip access-list extended pptp
  remark CCP_ACL Category=1
  permit gre any any
  permit tcp any host 192.168.100.100 eq 1723
  permit ip any host 192.168.100.100
ip access-list extended pptp-out
  remark CCP_ACL Category=2
  permit tcp any any eq 1723
  permit gre any any
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 3 remark CCP_ACL Category=1
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=0
no cdp run

I've deleted all (well, at least the part concerning PPTP access ;-) of the configuration and written it from scratch...
Heh, I do not understand WHY configuring Cisco is such a pain while doing the same thing on ALL other routers is easier, far more predictable, and not at all less secure.
Below is the ACL & policy-map-related part of my config - hope this helps.
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any cpp-cls-inside
match protocol pptp
match class-map SDM_GRE
match access-group name SDM_GRE
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match class-map SDM_GRE
match protocol pptp
match protocol skinny
match protocol sip
match protocol sip-tls
match access-group name SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map global-policy
policy-map type inspect ccp-inspect
class type inspect SDM_GRE
  pass
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-insp-traffic
  inspect
class class-default
  pass
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  allow
class type inspect http ccp-app-httpmethods
  log
  allow
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect ccp-inside
class type inspect SDM_GRE
  pass
class type inspect cpp-cls-inside
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security cp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-inside
interface Null0
no ip unreachables
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 83.0.201.122 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_3 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool logmar 192.168.100.1 192.168.100.254 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
ip route 0.0.0.0 0.0.0.0 83.0.201.121 permanent
ip access-list extended SDM_GRE
remark CCP_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
logging trap debugging
logging 192.168.100.100
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit any
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
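
Editor's note, added to this thread and not part of Adrian's posts: both configurations above are trying to get the same two things right, and they are the two things worth checking mechanically. PPTP is two flows: a TCP/1723 control connection and GRE (IP protocol 47) carrying the tunnel data. The IOS zone-based firewall keeps no state for GRE, so GRE has to be matched by an ACL and given the "pass" action in both zone-pairs ("pass" is one-directional). Separately, "ip nat inside source static tcp ... 1723" translates only that TCP port; GRE has no port, so inbound GRE aimed at the WAN address reaches the server only through a one-to-one static translation (no protocol/port). The Python script below is an added example (not code from the post or from Cisco) that reads a trimmed, constructed copy of the first config and reports, per direction and per leg, whether the firewall policy lets the leg through and whether NAT maps it. Assumptions: zone names in-zone/out-zone and server 192.168.100.100 as in the post; "match protocol pptp" is credited with the control channel only; match-all class-maps are treated like match-any; only the keywords present in the sample are parsed.

```python
"""Static check of an IOS zone-based firewall + NAT config for a PPTP server.
PPTP needs TCP/1723 (control) and GRE, IP protocol 47 (tunnel data); ZBF keeps
no state for GRE, so GRE must be passed both ways, and NAT must map both legs."""
import re
# Constructed sample, trimmed from the first config in the post: GRE is passed
# both ways, but NAT maps only TCP/1723 to the server (no one-to-one static).
SAMPLE_CONFIG = """\
ip access-list extended SDM_GRE
 permit gre any any
ip access-list extended pptp
 permit tcp any host 192.168.100.100 eq 1723
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any pptp-traffic
 match access-group name pptp
 match class-map SDM_GRE
policy-map type inspect ccp-inspect
 class type inspect pptp-traffic
  pass
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect pptp-traffic
  pass
 class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--1
ip nat inside source static tcp 192.168.100.100 1723 interface FastEthernet4 1723
"""

ALLOWED = {"tcp/1723": {"pass", "inspect"}, "gre": {"pass"}}  # inspect keeps no GRE state

def parse(text):
    """Split the config into ACLs, class-maps, policy-maps, zone-pairs and NAT lines."""
    acls, cmaps, pmaps, zpairs, nat = {}, {}, {}, {}, []
    heads = [(r"ip access-list extended (\S+)", acls),
             (r"class-map type inspect match-\w+ (\S+)", cmaps),
             (r"policy-map type inspect (\S+)", pmaps),
             (r"zone-pair security \S+ source (\S+) destination (\S+)", zpairs)]
    cur = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        head = next(((m, t) for p, t in heads if (m := re.match(p, line))), None)
        if line.startswith("ip nat inside source"):
            nat.append(line)
            cur = None
        elif head:  # a block opener: key is the name, or (src, dst) for a zone-pair
            cur = head[1].setdefault(head[0][1] if len(head[0].groups()) == 1 else head[0].groups(), [])
        elif cur is not None:  # sub-command of the block opened last
            cur.append(line)
    return acls, cmaps, pmaps, zpairs, nat

def legs_of_acl(entries, server):
    """PPTP legs an extended ACL permits to `server` (or to any host)."""
    ok = [t for t in (e.split() for e in entries) if t[0] == "permit" and ("host" not in t or server in t)]
    gre = any(t[1] in ("gre", "ip") for t in ok)
    tcp = any(t[1] == "ip" or (t[1] == "tcp" and "1723" in t) for t in ok)
    return {leg for leg, hit in (("gre", gre), ("tcp/1723", tcp)) if hit}

def legs_of_class(name, cmaps, acls, server, seen=()):
    """Legs a class-map covers, following named ACLs and nested class-maps (match-all treated as match-any)."""
    legs = set()
    for tok in (m.split() for m in cmaps.get(name, []) if name not in seen):
        if tok[1] == "protocol" and tok[2] in ("pptp", "tcp"):
            legs.add("tcp/1723")  # control channel only; GRE needs an ACL match
        elif tok[1] == "access-group":
            legs |= legs_of_acl(acls.get(tok[-1], []), server)
        elif tok[1] == "class-map":
            legs |= legs_of_class(tok[2], cmaps, acls, server, seen + (name,))
    return legs

def policy_decisions(entries, cmaps, acls, server):
    """First matching class wins: map each PPTP leg to the action it receives."""
    decided, pending = {}, None
    for tok in (e.split() for e in entries):
        if tok[0] == "class":
            pending = set(ALLOWED) if tok[1] == "class-default" else legs_of_class(tok[-1], cmaps, acls, server)
        elif pending is not None and tok[0] in ("pass", "inspect", "drop"):
            for leg in pending:
                decided.setdefault(leg, tok[0])
            pending = None
    return decided

def check_pptp(config, server, inside="in-zone", outside="out-zone"):
    """Per direction and per leg: does the firewall let it through, and does NAT map it?"""
    acls, cmaps, pmaps, zpairs, nat = parse(config)
    report = {}
    for src, dst in ((outside, inside), (inside, outside)):
        pm = next((e.split()[-1] for e in zpairs.get((src, dst), []) if e.startswith("service-policy")), "")
        decided = policy_decisions(pmaps.get(pm, []), cmaps, acls, server)
        for leg in ALLOWED:
            report[f"{src}->{dst} {leg}"] = decided.get(leg, "drop") in ALLOWED[leg]
    # A port-specific static maps one TCP port; GRE needs a one-to-one static (no port).
    statics = [n.split() for n in nat if "static" in n and server in n]
    full = any("tcp" not in s and "udp" not in s for s in statics)
    report["nat tcp/1723"] = full or any("tcp" in s and "1723" in s for s in statics)
    report["nat gre"] = full
    return report
```

On the constructed sample, check_pptp(SAMPLE_CONFIG, "192.168.100.100") reports every firewall leg as allowed in both directions and "nat gre" as False; replacing the port-specific static with a one-to-one entry ("ip nat inside source static 192.168.100.100 <WAN address>") turns that True. To use it on a real router, paste the text of "show running-config" in place of the sample; it ignores everything it does not understand.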

Similar Messages

  • Cisco 881 ISR IPSec VPN Tunnel does not pass traffic from the vlan.

    I have a Cisco 881 ISR router with a site-to-site IPsec VPN tunnel to a MikroTik device on the other end (I inherited this from my client). The tunnel is constructed properly and is up; however, traffic does not pass or get routed to the FA4 interface. I see in my packet captures that it hits the vlan1 interface (VLANs are required on the L2 ports) and does not pass to the tunnel.
    This is my configuration:
    141Kerioth#sh run
    Building configuration...
    Current configuration : 5053 bytes
    ! Last configuration change at 01:38:06 UTC Mon May 26 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 141Kerioth
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-580381394
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-580381394
     revocation-check none
     rsakeypair TP-self-signed-580381394
    crypto pki certificate chain TP-self-signed-580381394
     certificate self-signed 01
      30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 35383033 38313339 34301E17 0D313430 35323231 38323333
      365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3538 30333831
      33393430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
      B001A012 2CA6970C 0648798B 2A786704 84F2D989 83974B19 9B4287F2 4503D2C9
      173F23C4 FF34D160 202A7565 4A1CE08B 60B3ADAE 6E19EE6E 9CD39E72 71F9650E
      930F22FE C4441F9C 2D7DD420 71F75DFC 3CCAC94E BA304685 E0E62658 A3E8D01C
      D01D7D6A 5AF0B0E6 3CF6AF3A B7E51F83 9BF6D38E 65254E1F 71369718 ADADD691
      02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
      23041830 168014D6 24878F12 1FFADF2F 537A438E 6DD7FB6B D79E4130 1D060355
      1D0E0416 0414D624 878F121F FADF2F53 7A438E6D D7FB6BD7 9E41300D 06092A86
      4886F70D 01010505 00038181 00771667 FCA66002 8AB9E5FB F210012F C50B586F
      9A9640BB 45B4CEFD 030A38C0 E610AAC8 B41EF3C4 E55810F9 B2C727CF C1DEFCF1
      0846E7BC 1D95420E 5DADB5F8 EFE7EB37 B5433B80 4FF787D4 B1F2A527 06F065A4
      00522E97 A9D2335C E83C4AE1 E68D7A41 9D0046A7 ADCC282B 7527F84D E71CC567
      14EF37EA 15E57AD0 3C5D01F3 EF
            quit
    ip dhcp excluded-address 10.0.16.1
    ip dhcp pool ccp-pool
     import all
     network 10.0.16.0 255.255.255.0
     default-router 10.0.16.1
     dns-server 8.8.8.8
     lease 0 2
    ip domain name kerioth.com
    ip host hostname.domain z.z.z.z
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FTX180483DD
    username admin privilege 15 secret 4 CmmfIy.RPySmo4Q2gEIZ2jlr3J.bTBAszoe5Bry0z4c
    username meadowbrook privilege 0 password 0 $8UBr#Ux
    username meadowbrook autocommand exit
    policy-map type inspect outbound-policy
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 5
    crypto isakmp key 141Township address z.z.z.z
    crypto isakmp keepalive 10
    crypto ipsec transform-set TS esp-3des esp-sha-hmac
     mode tunnel
    crypto map mymap 10 ipsec-isakmp
     set peer z.z.z.z
     set transform-set TS
     match address 115
    interface Loopback0
     no ip address
    interface Tunnel1
     no ip address
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface FastEthernet4
     description $FW_OUTSIDE_WAN$
     ip address 50.y.y.y 255.255.255.240
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     crypto map mymap
    interface Vlan1
     description $ETH_LAN$
     ip address 10.0.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 115 interface Vlan1 overload
    ip nat inside source list 199 interface FastEthernet4 overload
    ip nat inside source route-map nonat interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 50.x.x.x
    access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 110 permit ip 10.0.16.0 0.0.0.255 any
    access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 144 permit icmp host c.c.c.c host 10.0.1.50
    access-list 144 permit icmp host p.p.p.p host 10.0.16.105
    access-list 199 permit ip a.a.a.a 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
     match ip address 100
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 1 in
     exec-timeout 30 0
     privilege level 15
     transport preferred ssh
     transport input ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    cns trusted-server all-agents x.x.x.x
    cns trusted-server all-agents hostname
    cns trusted-server all-agents hostname.domain
    cns id hardware-serial
    cns id hardware-serial event
    cns id hardware-serial image
    cns event hostname.domain 11011
    cns config initial hostname.domain 80
    cns config partial hostname.domain 80
    cns exec 80
    end

    Why do you have following command on the PIX?
    crypto map outside_map 40 set transform-set 165.228.x.x
    Also you have this transform set on the PIX:
    crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
    This does not match the transform set on the router:
    crypto ipsec transform-set tritest esp-3des esp-md5-hmac
    Where are you using the access-list/route-map 101?
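
Editor's note, added here and not part of either post above: on IOS, inside-to-outside NAT is applied before the crypto map is consulted, so any NAT list that permits the tunnel's traffic translates it first, after which it no longer matches the crypto ACL and leaves in the clear. The usual pattern is a NAT route-map whose ACL denies the VPN flows before permitting the rest, which is the shape of ACL 110 in the posted config. The Python script below is an added example (not Cisco tooling and not from the poster) that parses a constructed config modelled on the posted one and reports three things: NAT lists whose first matching entry for a crypto-ACL flow is a permit, NAT route-maps that reference an ACL that is never defined, and ACLs defined but referenced by neither NAT nor the crypto map. Assumptions: the masked peer and network are replaced by documentation addresses 192.0.2.1 and 198.51.100.0/24; only "ip" ACL entries in the any / host / address-wildcard forms are parsed; first-match is evaluated per crypto-ACL entry rather than per packet, which is an approximation.

```python
"""Audit an IOS site-to-site IPsec config for the NAT-before-crypto clash.
Inside-to-outside NAT runs before the crypto map is consulted, so VPN traffic
that a NAT list permits is translated first, no longer matches the crypto ACL,
and leaves in the clear.  The NAT list (or the ACL behind a NAT route-map)
must deny the VPN flows before its permit entries."""

# Constructed sample modelled on the posted config (peer and the masked network
# replaced with documentation addresses): ACL 115 is both the crypto match list
# and a NAT list, the NAT route-map names an ACL that is never defined, and the
# NAT-exempt list 110 is defined but referenced nowhere.
SAMPLE_CONFIG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 115
ip nat inside source list 115 interface Vlan1 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.16.0 0.0.0.255 any
access-list 115 permit ip 10.0.16.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 199 permit ip 198.51.100.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
"""

def ip2int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def addr_spec(tok):
    """Consume one ACL address spec (any | host A | A WILDCARD) -> (addr, wildcard, rest)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return ip2int(tok[1]), 0, tok[2:]
    return ip2int(tok[0]), ip2int(tok[1]), tok[2:]

def overlaps(a, wa, b, wb):
    """Two wildcard-masked ranges intersect iff they agree on every bit fixed in both."""
    fixed = ~(wa | wb) & 0xFFFFFFFF
    return (a & fixed) == (b & fixed)

def parse(text):
    """Numbered IP ACLs, crypto-map ACLs, NAT lists, NAT route-maps, route-map ACLs."""
    acls, crypto, nat_lists, nat_rmaps, rmaps = {}, [], [], [], {}
    cur_rmap = None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] == "ip":
            src, ws, rest = addr_spec(tok[4:])
            dst, wd, _ = addr_spec(rest)
            acls.setdefault(tok[1], []).append((tok[2], src, ws, dst, wd))
        elif tok[:2] == ["match", "address"]:  # inside a crypto map entry
            crypto.append(tok[2])
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(tok[5])
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_rmaps.append(tok[5])
        elif tok[0] == "route-map":
            cur_rmap = tok[1]
        elif tok[:3] == ["match", "ip", "address"] and cur_rmap:
            rmaps.setdefault(cur_rmap, []).append(tok[3])
    return acls, crypto, nat_lists, nat_rmaps, rmaps

def nat_verdict(entries, flow):
    """First NAT-ACL entry overlapping the crypto flow decides; implicit deny = not translated."""
    _, s, ws, d, wd = flow
    for action, a, wa, b, wb in entries:
        if overlaps(s, ws, a, wa) and overlaps(d, wd, b, wb):
            return action
    return "deny"

def audit(config):
    """Findings list; empty when NAT exemption and references are consistent."""
    acls, crypto, nat_lists, nat_rmaps, rmaps = parse(config)
    findings, nat_acls = [], list(nat_lists)
    for rm in nat_rmaps:
        for ref in rmaps.get(rm, []):
            if ref in acls:
                nat_acls.append(ref)
            else:
                findings.append(f"route-map {rm} references undefined ACL {ref}")
    for cacl in crypto:
        for flow in (f for f in acls.get(cacl, []) if f[0] == "permit"):
            for nacl in nat_acls:
                if nat_verdict(acls.get(nacl, []), flow) == "permit":
                    findings.append(f"NAT list {nacl} translates crypto ACL {cacl} traffic before encryption")
    for n in sorted(set(acls) - set(crypto) - set(nat_acls)):
        findings.append(f"ACL {n} is defined but not referenced by NAT or crypto")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed sample the audit returns three findings: the route-map points at an undefined ACL, NAT list 115 translates the crypto ACL's traffic, and ACL 110 is unused. Removing the "list 115" NAT statement and pointing the route-map at ACL 110 makes the findings list empty, which is the state a working NAT exemption should be in.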

  • Need help with cisco 881 configuration.

    Hi, I have a Cisco 881 wireless router and I need to configure it as a switch. I have a DHCP server in the network at 192.168.12.254, and I need the Cisco Wi-Fi and LAN clients to get IP addresses from the existing DHCP server.
    I connected a wire from the network (with the DHCP server) to FastEthernet0, created a VLAN interface (192.168.12.10 255.255.255.0) and assigned the VLAN on the other FastEthernet interfaces, so LAN clients get IP addresses from my DHCP server without problems, but how do I do the same for Wi-Fi clients?

    Follow this support doc, because you need to trunk the AP to the router and specify the VLAN the wireless clients will be on.
    https://supportforums.cisco.com/docs/DOC-16145
    Here is a doc that guides you through multiple vlans/subnets on access points:
    https://supportforums.cisco.com/docs/DOC-14496
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Cisco 881 max throughput

    Hi, I need to provide a router to connect Internet circuit and run IPsec to MPLS network. Circuit is 10Mbps.
    What is the max a Cisco 881 can handle if running IPsec?
    Also, if you are aware of any branch router (1941) which allows connection to future 4G LTE please let me know.

    The attachment notes 25 Mbps for an 800 series, but that would be unidirectional and w/o IPSec.

  • P2P Blocking is disabled in cisco 881 W router

    Hi
    We are facing an issue with the communication between wireless clients in the same subnet. These users are not able to ping each other on the Cisco 881W wireless router.
    But what can we do on this router to disable this P2P blocking?

    Well, I would use a static on the AP, but if you are depending on IOS DHCP to be reliable, then maybe you need to set up a MAC reservation for the AP. It would be easier to just set a static on the AP. Since you know your environment will grow, it might be better that you start setting them to static. IOS DHCP isn't 100% reliable, as you have already experienced.
    Sent from Cisco Technical Support iPad App

  • Help with cisco 881

    Hello
    I'm having some trouble configuring a Cisco 881. I'm building a lab where I connect two Cisco 881s through the fe4 interface (WAN port), and then connect a PC to each router at interface fe0 (LAN port). The idea was to establish a connection and implement a static route between the two routers.
    By default the 881 has DHCP enabled on VLAN1 (10.10.10.0/24). So I set the PCs to get IPs automatically. On Router A, I changed the DHCP pool so that I had a different network (11.10.10.0/24). So I have PC1 (11.10.10.2) connected to Router A on interface fa0. Router A connects to Router B through the fe4 interfaces (WAN ports). And PC2 (10.10.10.0/24) connects to Router B on the fa0 interface.
    I assigned an ip address to fe4 on Router A (192.168.10.1/24) and an ip address to fe4 on Router B (192.168.10.2/24).
    At last I configured the static routes on both routers.
    On Router A: ip route 10.10.10.0 255.255.255.0 192.168.10.2
    On Router B: ip route 11.10.10.0 255.255.255.0 192.168.10.1
    With everything configured I tested the connections.
    PC 1 to its gateway: successful
    PC 1 to 192.168.10.2: successful
    PC1 to the gateway of PC2(10.10.10.1/24): successful
    PC 1 to PC 2: failed
    PC 2 to its gateway: successful
    PC 2 to 192.168.10.1: successful
    PC2 to the gateway of PC1(11.10.10.1/24): successful
    PC 1 to PC 2: failed
    Well this is the scenario. I really don't understand the problem. I think I did everything right, but I simply don't get the result. Is there an error with my configuration or is this simply not doable?
    Thanks a lot.

    Have you checked that the firewalls are turned off? If you can ping the far side, that tells me you have a default gateway configured on the workstation and that the far side router has a route back to you. The only thing left would be that the firewalls on the workstations need to be turned off.
    HTH,
    John
    *** Please rate all useful posts ***

  • Cisco 881 password

    Hi All,
    I set up an enable password as well as a telnet password on a Cisco 881-K9,
    with the same password: kadd2013
    no username configured
    When I saved the config, I was unable to log in again using the same password I configured.

    Did it just ask for a password? Could you have gotten whitespace in the password? Try to enter the password with a space after it. Either that or a typo. Did you have caps lock enabled?
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • L2TPv3 on Cisco 881

    Hi,
    I am configuring static L2TPv3 on a Cisco 881. According to the feature navigator it is supported and I can configure it without any problem. The L2TPv3 session seems to be UP but apparently there is no data I can send across this L2TPv3 tunnel.
    Can anyone give a suggestion?
    thanks in advance.

    Please post on WAN, Routing and Switching community.
    Shelley.

  • Cisco 881 Zone Firewall issues

    I'm having issues with an 881 that I have configured as a zone based firewall.
    I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
    On the corporate side the user complains that some websites fail, such as Linked in.
    I have been using CCP to configure the device. What am I doing wrong?
    PuTTY log 2013.03.15 11:49:00
    sh run
    Building configuration...
    Current configuration : 22210 bytes
    ! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
    ! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
    ! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname -Rt
    boot-start-marker
    boot-end-marker
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5
    enable password 7
    aaa new-model
    aaa authentication login local_auth local
    aaa session-id common
    memory-size iomem 10
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3066996233
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3066996233
    revocation-check none
    rsakeypair TP-self-signed-3066996233
    crypto pki certificate chain TP-self-signed-3066996233
    certificate self-signed 01
    quit
    no ip source-route
    no ip gratuitous-arps
    ip dhcp excluded-address 10.0.2.2
    ip dhcp excluded-address 10.0.2.1
    ip dhcp pool Trusted
    import all
    network 10.0.2.0 255.255.255.0
    default-router 10.0.2.1
    domain-name spectra.local
    dns-server 10.0.2.2 10.0.1.6
    option 150 ip 10.1.1.10 10.1.1.20
    ip dhcp pool Guest
    import all
    network 192.168.112.0 255.255.255.0
    default-router 192.168.112.1
    dns-server 4.2.2.2 4.2.2.3
    ip cef
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 10.0.2.2
    ip name-server 4.2.2.2
    login block-for 5 attempts 3 within 2
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
    parameter-map type inspect global
    log dropped-packets enable
    log summary flows 256 time-interval 30
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
    archive
    log config
    logging enable
    username S privilege 15 secret 4
    username ed privilege 15 password 7
    ip tcp synwait-time 10
    ip tcp path-mtu-discovery
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect imap match-any ccp-app-imap
    match invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect http match-any ccp-app-nonascii
    match req-resp header regex ccp-regex-nonascii
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any TFTP
    match protocol tftp
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
    match access-group 105
    match class-map SDM_VPN_TRAFFIC
    class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
    match access-group name Any-From-HO
    class-map type inspect match-any Skinny
    match protocol skinny
    class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
    match class-map Skinny
    match access-group name Hostcom-Skinny
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect match-any Pings
    match protocol icmp
    class-map type inspect match-any Ping-
    match class-map Pings
    class-map type inspect match-all ccp-cls-ccp-inspect-2
    match class-map Ping-
    match access-group name Ping-
    class-map type inspect match-any DNS
    match protocol dns
    class-map type inspect match-all ccp-cls-ccp-inspect-3
    match class-map DNS
    match access-group name Any-any
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-all ccp-cls-ccp-inspect-1
    match access-group name Any/Any
    class-map type inspect match-any https
    match protocol https
    class-map type inspect match-all ccp-cls-ccp-inspect-4
    match class-map https
    match access-group name any-any
    class-map type inspect match-any UDP
    match protocol udp
    match protocol tcp
    class-map type inspect match-all ccp-cls-ccp-inspect-5
    match class-map UDP
    match access-group name InsideOut
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect pop3 match-any ccp-app-pop3
    match invalid-command
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all ccp-cls-ccp-permit-2
    match class-map Pings
    match access-group name RespondtoSomePings
    class-map type inspect match-any RemoteMgt
    match protocol ssh
    match protocol https
    class-map type inspect match-all ccp-cls-ccp-permit-1
    match class-map RemoteMgt
    match access-group name Spectra-RemoteMgt
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 103
    class-map type inspect http match-any ccp-app-httpmethods
    match request method bcopy
    match request method bdelete
    match request method bmove
    match request method bpropfind
    match request method bproppatch
    match request method connect
    match request method copy
    match request method delete
    match request method edit
    match request method getattribute
    match request method getattributenames
    match request method getproperties
    match request method index
    match request method lock
    match request method mkcol
    match request method mkdir
    match request method move
    match request method notify
    match request method options
    match request method poll
    match request method post
    match request method propfind
    match request method proppatch
    match request method put
    match request method revadd
    match request method revlabel
    match request method revlog
    match request method revnum
    match request method save
    match request method search
    match request method setattribute
    match request method startrev
    match request method stoprev
    match request method subscribe
    match request method trace
    match request method unedit
    match request method unlock
    match request method unsubscribe
    class-map type inspect match-any ccp-dmz-protocols
    match protocol http
    match protocol dns
    match protocol https
    class-map type inspect match-any WebBrowsing
    match protocol http
    match protocol https
    class-map type inspect match-any DNS2
    match protocol dns
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
    match request port-misuse im
    match request port-misuse p2p
    match request port-misuse tunneling
    match req-resp protocol-violation
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
    match class-map WebBrowsing
    match access-group name DMZ-Out
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
    match class-map DNS2
    match access-group name DMZtoAny
    class-map type inspect match-all ccp-protocol-smtp
    match protocol smtp
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
    pass
    class type inspect ccp-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
    log
    reset
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
    log
    reset
    policy-map type inspect ccp-inspect
    class type inspect ccp-cls-ccp-inspect-2
    inspect
    class type inspect ccp-cls-ccp-inspect-1
    inspect
    class type inspect ccp-cls-ccp-inspect-5
    pass log
    class type inspect TFTP
    inspect
    class type inspect ccp-invalid-src
    drop log
    class type inspect ccp-cls-ccp-inspect-4
    inspect
    class type inspect ccp-protocol-http
    inspect
    class type inspect ccp-protocol-smtp
    inspect
    class type inspect ccp-cls-ccp-inspect-3
    inspect
    class type inspect ccp-protocol-imap
    inspect
    service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
    inspect
    service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
    drop log
    class type inspect ccp-protocol-im
    drop log
    class type inspect ccp-sip-inspect
    inspect
    class type inspect ccp-h323-inspect
    inspect
    class type inspect ccp-h323annexe-inspect
    inspect
    class type inspect ccp-h225ras-inspect
    inspect
    class type inspect ccp-h323nxg-inspect
    inspect
    class type inspect ccp-skinny-inspect
    inspect
    class class-default
    drop log
    policy-map type inspect ccp-permit-outside-in
    class type inspect ccp-cls-ccp-permit-outside-in-2
    inspect
    class type inspect ccp-cls-ccp-permit-outside-in-1
    pass
    class class-default
    drop log
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
    log
    reset
    class type inspect http ccp-app-httpmethods
    log
    reset
    class type inspect http ccp-app-nonascii
    log
    reset
    policy-map type inspect ccp-permit
    class type inspect SDM_VPN_PT
    pass
    class type inspect ccp-cls-ccp-permit-2
    inspect
    class type inspect ccp-cls-ccp-permit-1
    pass
    class type inspect SDM_DHCP_CLIENT_PT
    pass
    class class-default
    drop log
    policy-map type inspect ccp-permit-dmzservice
    class type inspect ccp-cls-ccp-permit-dmzservice-1
    inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-2
    inspect
    class class-default
    drop
    zone security in-zone
    zone security out-zone
    zone security dmz-zone
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-out-in source out-zone destination in-zone
    service-policy type inspect ccp-permit-outside-in
    zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
    service-policy type inspect ccp-permit-dmzservice
    crypto isakmp policy 2
    encr aes 256
    authentication pre-share
    group 5
    lifetime 28800
    crypto isakmp key Y address x.x.x.x
    crypto isakmp key o1 address x.x.x.x
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to x.x.x.x
    set peer x.x.x.x
    set transform-set ESP-AES256-SHA
    match address 100
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to x.x.x.x
    set peer x.x.x.x
    set security-association lifetime kilobytes 128000
    set security-association lifetime seconds 28800
    set transform-set ESP-AES256-SHA
    match address 102
    interface FastEthernet0
    description B
    switchport access vlan 2
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    description Docker
    switchport access vlan 2
    no ip address
    spanning-tree portfast
    interface FastEthernet2
    description Phone
    switchport access vlan 2
    no ip address
    spanning-tree portfast
    interface FastEthernet3
    description Guest
    switchport access vlan 3
    no ip address
    spanning-tree portfast
    interface FastEthernet4
    description External $FW_OUTSIDE$
    bandwidth inherit
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    ip verify unicast source reachable-via rx allow-default 104
    duplex auto
    speed auto
    pppoe-client dial-pool-number 1
    hold-queue 224 in
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip tcp adjust-mss 1452
    shutdown
    interface Vlan2
    description Trusted Network$FW_INSIDE$
    ip address 10.0.2.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    ip tcp adjust-mss 1440
    interface Vlan3
    description Guest Network$FW_DMZ$
    ip address 192.168.112.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security dmz-zone
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip directed-broadcast
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    ip verify unicast reverse-path
    encapsulation ppp
    load-interval 30
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callout
    ppp chap hostname
    ppp chap password 7
    ppp pap sent-username password 7
    no cdp enable
    interface Dialer1
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip directed-broadcast
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    ip verify unicast reverse-path
    zone-member security out-zone
    encapsulation ppp
    load-interval 30
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7
    ppp pap sent-username password 7
    ppp ipcp route default
    ppp ipcp address accept
    no cdp enable
    crypto map SDM_CMAP_1
    ip forward-protocol nd
    no ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip access-list standard SSH-Management
    permit x.x.x.x log
    permit 10.0.2.0 0.0.0.255 log
    permit 10.0.1.0 0.0.0.255 log
    ip access-list extended Any-From-HO
    remark CCP_ACL Category=128
    permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    ip access-list extended Any-any
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended Any/Any
    remark CCP_ACL Category=128
    permit ip host 10.0.2.0 host 10.0.1.0
    ip access-list extended DMZ-Out
    remark CCP_ACL Category=128
    permit ip 192.168.112.0 0.0.0.255 any
    ip access-list extended DMZtoAny
    remark CCP_ACL Category=128
    permit ip 192.168.112.0 0.0.0.255 any
    ip access-list extended Hostcom-Skinny
    remark CCP_ACL Category=128
    permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    ip access-list extended InsideOut
    remark CCP_ACL Category=128
    permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    ip access-list extended Ping-Hostcom
    remark CCP_ACL Category=128
    permit ip host 10.0.2.2 any
    ip access-list extended RespondtoSomePings
    remark CCP_ACL Category=128
    permit ip 10.0.1.0 0.0.0.255 any
    permit ip host x.x.x.x any
    permit ip host 37.0.96.2 any
    ip access-list extended SDM_AH
    remark CCP_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    ip access-list extended SDM_ESP
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended SDM_HTTPS
    remark CCP_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark CCP_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark CCP_ACL Category=1
    permit tcp any any eq 22
    ip access-list extended RemoteMgt
    remark CCP_ACL Category=128
    permit ip host x.x.x.x any
    permit ip 10.0.1.0 0.0.0.255 any
    ip access-list extended any-any
    remark CCP_ACL Category=128
    permit ip any any
    logging trap debugging
    logging facility local2
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.0.2.0 0.0.0.255
    access-list 1 permit 192.168.112.0 0.0.0.255
    access-list 23 remark HTTPS Access
    access-list 23 permit 10.0.2.1
    access-list 23 permit x.x.x.x
    access-list 23 permit 10.0.2.0 0.0.0.255
    access-list 23 permit 10.0.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 permit ip 192.168.112.0 0.0.0.255 any
    access-list 101 permit ip 10.0.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 103 remark CCP_ACL Category=128
    access-list 103 permit ip host 255.255.255.255 any
    access-list 103 permit ip 127.0.0.0 0.255.255.255 any
    access-list 104 permit udp any any eq bootpc
    access-list 105 remark CCP_ACL Category=128
    access-list 105 permit ip host x.x.x.x any
    access-list 105 permit ip host x.x.x.x any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP permit 1
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^C
    Authorised Access Only
    If your not supposed to be here. Close the connection
    ^C
    banner motd ^C
    Access Is Restricted To  Personel ONLY^C
    line con 0
    exec-timeout 5 0
    login authentication local_auth
    transport output telnet
    line aux 0
    exec-timeout 15 0
    login authentication local_auth
    transport output telnet
    line vty 0 4
    access-class SSH-Management in
    privilege level 15
    logging synchronous
    login authentication local_auth
    transport input telnet ssh
    scheduler interval 500
    end

    Hello Martin,
    Please apply the following changes and let us know:
    ip access-list extended DMZtoAny
    1 permit udp 192.168.112.0 0.0.0.255 any eq 53
    no permit ip 192.168.112.0 0.0.0.255 any
    ip access-list extended DMZ-Out
    1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
    2 permit tcp 192.168.112.0 0.0.0.255 any eq 443
    no permit ip 192.168.112.0 0.0.0.255 any
    Change that, try it, and if it does not work, post the configuration with the changes applied.
    Regards,
    Remember to rate all of the helpful posts, that is as important as a thanks
    Julio
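    Added here as a way to check an ACL change like the one above before applying it (example code, not from the thread or from Cisco): a small evaluator for IOS extended-ACL entries with wildcard masks, run against the DMZtoAny entry from the posted config, tightened entries in the shape the reply proposes, and constructed flows from a host in the 192.168.112.0/24 guest subnet. It also shows the caveat that an entry whose network is mistyped (192.168.12.0 instead of 192.168.112.0, constructed here) silently matches nothing and falls through to the implicit deny.

```python
"""Evaluator for Cisco IOS extended-ACL entries (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS prints instead of numbers (only the ones needed here).
PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25, "ftp": 21, "bootpc": 68, "cmd": 514}


@dataclass(frozen=True)
class Flow:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dport: Optional[int]        # None when the entry has no "eq <port>"
    text: str                   # normalized entry, for reporting which line matched


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _parse_target(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask) at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Return an Ace for a permit/deny entry; None for remarks, headers and blank lines."""
    tokens = line.split()
    if tokens and tokens[0].isdigit():          # optional leading sequence number
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    src_net, src_wild, i = _parse_target(tokens, 2)
    dst_net, dst_wild, i = _parse_target(tokens, i)
    dport = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return Ace(tokens[0], tokens[1], src_net, src_wild, dst_net, dst_wild, dport, " ".join(tokens))


def _covers(addr: int, net: int, wild: int) -> bool:
    # Wildcard mask: a 1 bit means "don't care"; every 0 bit must equal the network bit.
    return (addr ^ net) & (~wild & 0xFFFFFFFF) == 0


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not _covers(_addr(flow.src), ace.src_net, ace.src_wild):
        return False
    if not _covers(_addr(flow.dst), ace.dst_net, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl_text: str, flow: Flow) -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_text.splitlines():
        ace = parse_ace(line.strip())
        if ace is not None and ace_matches(ace, flow):
            return ace.action, ace.text
    return "deny", None


# DMZtoAny as it appears in the posted running config (the DMZ is 192.168.112.0/24 on Vlan3).
ORIGINAL_DMZTOANY = """
 remark CCP_ACL Category=128
 permit ip 192.168.112.0 0.0.0.255 any
"""
# Tightened entries in the shape the reply proposes: DNS only in DMZtoAny, web only in DMZ-Out.
TIGHT_DMZTOANY = " 1 permit udp 192.168.112.0 0.0.0.255 any eq 53\n"
TIGHT_DMZ_OUT = (" 1 permit tcp 192.168.112.0 0.0.0.255 any eq 80\n"
                 " 2 permit tcp 192.168.112.0 0.0.0.255 any eq 443\n")
# Constructed caveat: the same entry with the network mistyped (12 instead of 112).
MISTYPED_DMZTOANY = " 1 permit udp 192.168.12.0 0.0.0.255 any eq 53\n"

# Constructed flows from a guest host. 4.2.2.2 is the Guest pool's DNS server in the config;
# 203.0.113.10 is a documentation address standing in for any Internet web server.
DNS_FROM_DMZ = Flow("udp", "192.168.112.50", "4.2.2.2", 53)
HTTPS_FROM_DMZ = Flow("tcp", "192.168.112.50", "203.0.113.10", 443)
SMTP_FROM_DMZ = Flow("tcp", "192.168.112.50", "203.0.113.10", 25)
```

    Against the original entry every flow is permitted, while the tightened entries permit only DNS from DMZtoAny and HTTP/HTTPS from DMZ-Out; the mistyped entry denies even the DNS flow.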

  • Cisco 881 - Ports won't open

    Hi All,
    I am trying to forward incoming external traffic from the internet on ports 25 and 433 to internal IP 10.10.10.29, but it's not working, any ideas what I've done wrong?
    I've replaced some of the config with "x"'s
    Config:
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot-end-marker
    logging buffered 51200
    logging console critical
    enable secret 5 xxxx
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    memory-size iomem 10
    clock timezone PCTime 10 0
    clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-704284261
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-704284261
    revocation-check none
    rsakeypair TP-self-signed-704284261
    crypto pki certificate chain TP-self-signed-704284261
    certificate self-signed 01
    xxx
    quit
    no ip source-route
    ip cef
    no ip bootp server
    ip domain name
    ip name-server 10.10.10.31
    ip port-map user-Intranet port tcp 8080 list 3 description Intranet
    ip port-map user-5610 port tcp 5610 description 5610
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 ldap
    no ipv6 cef
    license udi pid CISCO881-K9 sn FGL164227LM
    username admin privilege 15 secret 5 xx
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp client configuration group xxx.remote
    key xxx
    dns 10.10.10.1 10.10.10.4
    wins 10.10.10.1 10.10.10.4
    domain xxx.local
    pool SDM_POOL_1
    acl 102
    split-dns xxx.local
    max-users 10
    netmask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear
    crypto dynamic-map SDM_DYNMAP_1 1
    set security-association idle-time 3600
    set transform-set ESP-3DES-MD5
    reverse-route
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    description WAN Interface$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    ip address 125.7.x.x 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect DEFAULT100 in
    ip inspect DEFAULT100 out
    ip virtual-reassembly in
    ip verify unicast reverse-path
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface Vlan1
    description Internal Interface$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.3 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat inside
    ip inspect DEFAULT100 in
    ip inspect DEFAULT100 out
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 10.10.20.100 10.10.20.120
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source static tcp 10.10.10.29 25 interface FastEthernet4 25
    ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
    ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 125.7.x.x
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 10.10.10.51
    access-list 3 remark SDM_ACL Category=1
    access-list 3 permit 10.10.10.5
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit udp host 10.10.10.31 eq domain any
    access-list 100 remark SEP Cloud 1
    access-list 100 permit ip any host 67.134.208.160
    access-list 100 permit udp host 10.10.10.4 eq domain any
    access-list 100 remark MYOB File Confirmation
    access-list 100 permit ip any host 203.34.100.26
    access-list 100 remark Ansarada Dataroom
    access-list 100 permit ip any host 125.7.67.133
    access-list 100 remark ClassSuper
    access-list 100 permit tcp any host 125.7.68.130 eq 443
    access-list 100 remark Mercury Connective
    access-list 100 permit tcp any host 150.207.147.152 eq 2099
    access-list 100 remark AE Tax Lodgement 2
    access-list 100 permit tcp any any eq 7586
    access-list 100 remark AE Tax Lodgement
    access-list 100 permit tcp any any eq 10000
    access-list 100 remark Corporate Compliance
    access-list 100 permit tcp any any eq 5610
    access-list 100 remark GRE
    access-list 100 permit gre any any
    access-list 100 remark PPTP
    access-list 100 permit tcp any any eq 1723
    access-list 100 remark RDP
    access-list 100 permit tcp any any eq 3389
    access-list 100 remark Remote VMs
    access-list 100 permit tcp any eq 3389 10.10.20.0 0.0.0.255
    access-list 100 remark GetBusi to HTTP
    access-list 100 permit tcp host 10.10.10.18 any eq www
    access-list 100 remark GetBusi FILTERING
    access-list 100 permit tcp host 10.10.10.18 any eq 3436
    access-list 100 remark GetBusi NTP
    access-list 100 permit tcp host 10.10.10.18 any eq 123
    access-list 100 remark GetBusi RSYNC
    access-list 100 permit tcp host 10.10.10.18 any eq 873
    access-list 100 remark GetBusi DNS
    access-list 100 permit tcp host 10.10.10.18 any eq domain
    access-list 100 remark GetBusi SSH
    access-list 100 permit tcp host 10.10.10.18 any eq 22
    access-list 100 remark GetBusi FTP
    access-list 100 permit tcp host 10.10.10.18 any eq ftp
    access-list 100 remark GetBusi SSL
    access-list 100 permit tcp host 10.10.10.18 any eq 443
    access-list 100 remark Icarus
    access-list 100 permit ip host 10.10.10.99 any
    access-list 100 remark BlackHawk
    access-list 100 permit ip host 10.10.10.28 any
    access-list 100 remark Bane
    access-list 100 permit ip host 10.10.10.24 any
    access-list 100 remark Buffy
    access-list 100 permit ip host 10.10.10.31 any
    access-list 100 remark Skype TV Cam FTR
    access-list 100 permit ip host 10.10.10.173 any
    access-list 100 remark Pyro
    access-list 100 permit ip host 10.10.10.26 any
    access-list 100 remark TV in FTR
    access-list 100 permit ip host 10.10.10.32 any
    access-list 100 remark Quorra
    access-list 100 permit ip host 10.10.10.29 any
    access-list 100 remark Gambit
    access-list 100 permit ip host 10.10.10.12 any
    access-list 100 remark THOR
    access-list 100 permit ip host 10.10.10.21 any
    access-list 100 remark QBO Remote VM
    access-list 100 permit ip host 10.10.10.47 any
    access-list 100 remark VIZ
    access-list 100 permit ip host 10.10.10.5 any
    access-list 100 remark vCenter
    access-list 100 permit ip host 10.10.10.25 10.10.20.0 0.0.0.255
    access-list 100 remark WISE
    access-list 100 permit ip host 10.10.10.4 any
    access-list 100 remark Email - Lotus Domino
    access-list 100 permit ip host 10.10.10.1 any
    access-list 100 remark TQ's PC1
    access-list 100 permit ip host 10.10.10.124 any
    access-list 100 remark Thrace
    access-list 100 permit ip host 10.10.10.22 any
    access-list 100 remark TQ's PC2
    access-list 100 permit ip host 10.10.10.97 any
    access-list 100 remark TQ's PC2 UDP
    access-list 100 permit udp host 10.10.10.97 any
    access-list 100 deny ip 203.47.157.0 0.0.0.255 any log
    access-list 100 deny ip host 255.255.255.255 any log
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 100 remark Block Port 25
    access-list 100 deny tcp any eq smtp any eq smtp log
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark CCP_ACL Category=1
    access-list 101 remark Auto generated by CCP for NTP (123) 212.12.50.232
    access-list 101 permit udp host 212.12.50.232 eq ntp host 125.7.x.x eq ntp
    access-list 101 permit ahp any host 125.7.x.x
    access-list 101 permit esp any host 125.7.x.x
    access-list 101 permit udp any host 125.7.x.x eq isakmp
    access-list 101 permit udp any host 125.7.x.x eq non500-isakmp
    access-list 101 permit ip host 10.10.20.100 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.101 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.102 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.103 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.104 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.105 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.106 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.107 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.108 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.109 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.110 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.111 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.112 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.113 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.114 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.115 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.116 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.117 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.118 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.119 10.10.10.0 0.0.0.255
    access-list 101 permit ip host 10.10.20.120 10.10.10.0 0.0.0.255
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 deny udp any any eq 603
    access-list 101 deny tcp any any eq 603
    access-list 101 permit tcp any any eq smtp
    access-list 101 remark Secure Inbound HTTPS
    access-list 101 permit tcp any any eq 443
    access-list 101 remark Allow remote ISW access to router
    access-list 101 permit tcp 203.33.128.0 0.0.0.255 any
    access-list 101 remark PPTP access to completekitchensolutions
    access-list 101 permit gre host 202.170.194.141 any
    access-list 101 permit icmp any any administratively-prohibited
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 101 deny ip host 255.255.255.255 any log
    access-list 101 deny ip host 0.0.0.0 any log
    access-list 101 deny ip any any log
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    access-list 102 remark SDM_ACL Category=4
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
    access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
    access-list 103 permit ip 10.10.10.0 0.0.0.255 any
    access-list 103 remark SDM_ACL Category=2
    access-list 104 remark SDM_ACL Category=2
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
    access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
    access-list 104 permit ip 10.10.10.0 0.0.0.255 any
    access-list 104 remark SDM_ACL Category=2
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    route-map SDM_RMAP_2 permit 1
    match ip address 104
    snmp-server community public RO
    banner login ^CCCCAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000 4000 1000
    scheduler interval 500
    ntp server 212.12.50.232 source FastEthernet4
    end

    I decided it might be easier to factory restore, set up, enter the NAT setting and set up the firewall using the wizard, but still it is not working.
    Updated config: (some info replaced with "xx")
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 4 xx
    no aaa new-model
    memory-size iomem 10
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-84280098
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-84280098
    revocation-check none
    rsakeypair TP-self-signed-84280098
    crypto pki certificate chain TP-self-signed-84280098
    certificate self-signed 01
    xx
    quit
    ip source-route
    ip cef
    ip name-server 8.8.8.8
    no ipv6 cef
    license udi pid CISCO881-K9 sn FGL164227LM
    username admin privilege 15 secret 4
    xx
    class-map type inspect match-all SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any CCP_PPTP
    match class-map SDM_GRE
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all sdm-nat-https-1
    match access-group 102
    match protocol https
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-https-1
    inspect
    class type inspect CCP_PPTP
    pass
    class class-default
    drop log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
    drop log
    class type inspect ccp-protocol-http
    inspect
    class type inspect ccp-insp-traffic
    inspect
    class type inspect ccp-sip-inspect
    inspect
    class type inspect ccp-h323-inspect
    inspect
    class type inspect ccp-h323annexe-inspect
    inspect
    class type inspect ccp-h225ras-inspect
    inspect
    class type inspect ccp-h323nxg-inspect
    inspect
    class type inspect ccp-skinny-inspect
    inspect
    class class-default
    drop
    policy-map type inspect ccp-permit
    class class-default
    drop
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    description $ETH-WAN$$FW_OUTSIDE$
    ip address 125.7.xx.xx 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    interface Vlan1
    description $FW_INSIDE$
    ip address 10.10.10.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 101 interface FastEthernet4 overload
    ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
    ip route 0.0.0.0 0.0.0.0 125.7.xx.xx
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=1
    permit gre any any
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 125.7.xx.xx 0.0.0.3 any
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.10.10.29
    line con 0
    exec-timeout 5 30
    password xx
    login
    line aux 0
    line vty 0 4
    privilege level 15
    password xx
    login local
    transport input telnet ssh
    end

  • PPTP VPDN and Cisco Client errors

    Hello there, I have configured a Cisco 1841 router as a VPN server for Microsoft PPTP client access. When connecting from outside my local LAN it hangs at verifying username and password, then gives me error 619, "remote computer did not respond so port was closed". I am, however, able to connect on my local LAN. I also have Cisco's VPN client configured on the router, which works fine and is able to receive emails in Microsoft Outlook but cannot send any emails. The emails just sit in the outbox till I connect to my local LAN. Anyone who has experienced a similar problem? I have tried all the configs in the forum and the problem still persists. Any solutions?? Thanks

    Try these links:
    http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
    http://www.cisco.com/en/US/tech/tk827/tk369/tech_configuration_examples_list.html

  • Any script to let me find out which Cisco switches have an RSA key of less than 800 bits?

    Hi,
    Imagine I have 500 Cisco switches (2950, 3750, 4507), IOS 12.3, but some may have a different IOS level.
    I know that some of these switches got 'cry key gen rsa' key size = 512.
    I need to have key size = 800 bits.
    We do not have CiscoWorks in place. Someone in my organization tells me that I would need all these switches at 800 bits, otherwise CiscoWorks can't log in to them. Does that make sense? I am not sure if I understand that correctly.
    Question:
    If it is true that CiscoWorks can't access such switches and let me change that setting automatically, do you know of any script which I could run against a list of IP addresses to query the switches and find out where the RSA key is 800 bits? If it is not 800 bits, I would like to log a message so that I could go manually to the switch to re-execute 'cry key gen rsa' with 800 bits instead.

    IOS 12.3 doesn't run on any of these switches.
    LMS can log in to switches with an RSA modulus of 512 bits. It will just use SSHv1 instead of v2. I do not know of any pre-built scripts to change the modulus size; however, it would be relatively trivial to do with expect. You could deploy one command to avoid the interactivity:
    crypto key generate rsa gen mod 800
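    An added example (not posted in this thread) of the check the question asks for: it reads ssh-keyscan output and flags switches whose RSA host key, which on IOS is the key made by 'crypto key generate rsa', has a modulus below 800 bits, without logging in to any switch. The host names and the sample key line are constructed; only the ssh-keyscan call touches the network.

```python
"""Audit RSA host-key sizes of Cisco IOS devices from ssh-keyscan output.

On IOS the key pair created with 'crypto key generate rsa' is also the
SSH server host key, so its modulus size can be read off the host key
that ssh-keyscan collects, with no login to the switch.
"""
import base64
import struct
import subprocess
import sys
from typing import Dict, List, Optional, Tuple


def _read_field(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Return (field_bytes, next_offset) for one SSH 'string' field."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(b64_key: str) -> int:
    """Modulus bit length of a base64 'ssh-rsa' public key blob.

    Wire format (RFC 4253): string "ssh-rsa", mpint e, mpint n.
    """
    blob = base64.b64decode(b64_key)
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa key: {key_type!r}")
    _e, off = _read_field(blob, off)
    n, _ = _read_field(blob, off)
    return int.from_bytes(n, "big").bit_length()


def parse_keyscan_line(line: str) -> Optional[Tuple[str, int]]:
    """Parse one 'host ssh-rsa AAAA...' line; (host, bits), or None if not RSA."""
    parts = line.strip().split()
    if len(parts) < 3 or parts[0].startswith("#") or parts[1] != "ssh-rsa":
        return None
    return parts[0], rsa_modulus_bits(parts[2])


def audit(expected_hosts: List[str], keyscan_output: str,
          minimum_bits: int = 800) -> Dict[str, Optional[int]]:
    """Hosts needing attention: modulus bits when below the minimum,
    None when the host returned no ssh-rsa key at all (check it by hand)."""
    seen: Dict[str, int] = {}
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed:
            seen[parsed[0]] = parsed[1]
    flagged: Dict[str, Optional[int]] = {}
    for host in expected_hosts:
        bits = seen.get(host)
        if bits is None or bits < minimum_bits:
            flagged[host] = bits
    return flagged


def keyscan(hosts: List[str], timeout: int = 5) -> str:
    """Collect RSA host keys with ssh-keyscan (network; not used by tests)."""
    cmd = ["ssh-keyscan", "-t", "rsa", "-T", str(timeout)] + hosts
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def make_keyscan_line(host: str, modulus_bits: int) -> str:
    """Constructed sample line with a dummy modulus of the requested size.

    The modulus is not a real RSA key; it only exercises the parser.
    """
    def mpint(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    n = (1 << (modulus_bits - 1)) | 1            # exactly modulus_bits long
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    # usage: python rsa_audit.py <switch-ip> [<switch-ip> ...]
    hosts = sys.argv[1:] or ["sw-demo"]          # placeholder host name
    output = keyscan(hosts) if len(sys.argv) > 1 else make_keyscan_line("sw-demo", 512)
    for host, bits in audit(hosts, output).items():
        status = f"RSA modulus {bits} bits" if bits else "no ssh-rsa key returned"
        print(f"{host}: {status}; regenerate with 'crypto key generate rsa' (modulus >= 800)")
```

    A switch still limited to SSHv1 (which is what a 512-bit key forces, as the reply above notes) may return nothing to a current ssh-keyscan, so the None entries are exactly the hosts to visit by hand.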

  • Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

    Hi
    Was anyone successful in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/R2 RRAS server? I am using an 881 router and the layout is something like this:
    Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
    The tunnel goes from the 881 to the Windows server (not from the client...).
    Thanks
    Roland

    Hi Federico
    Thanks for your help! Much appreciated.
    In my case this should be transparent to the client - I would like not to initiate the connection from the client.
    Does that make sense? I am considering L2TP because Windows 2008 R2 doesn't support IPsec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPsec connection).
    Regards
    Roland

  • Inter-VLAN routing on Cisco 881 router?

    Hello, I have configured my 881 to perform inter-VLAN routing, i.e. I am using ports 0-2 as tagged switch ports (with PCs plugged in and addressed on their relevant subnets) and port 3 as a trunk feeding into port 4 in a router-on-a-stick configuration.
    For some reason I am unable to ping between subnets. It seems the trunk is failing?
    Could someone please take a look and help me out. It must be something basic. This is driving me crazy.
    P.S. I have entered 'switchport trunk encapsulation dot1q' on port 3 (the trunk); however, it is not showing up.
    Thank you kindly for any help.
    Building configuration...
    Current configuration : 1564 bytes
    ! Last configuration change at 22:45:55 UTC Wed Apr 29 2015
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    memory-size iomem 10
    ip flow-cache timeout active 1
    ip cef
    no ipv6 cef
    license udi pid CISCO881-K9 sn FGL171824DY
    interface FastEthernet0
     switchport access vlan 10
     no ip address
    interface FastEthernet1
     switchport access vlan 10
     no ip address
    interface FastEthernet2
     switchport access vlan 2
     no ip address
    interface FastEthernet3
     switchport trunk native vlan 15
     switchport mode trunk
     no ip address
     spanning-tree portfast
    interface FastEthernet4
     no ip address
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
    interface FastEthernet4.1
     encapsulation dot1Q 15 native
     ip address 192.168.15.1 255.255.255.0
    interface FastEthernet4.2
     encapsulation dot1Q 2
     ip address 192.168.2.1 255.255.255.0
    interface FastEthernet4.10
     encapsulation dot1Q 10
     ip address XXX.XXX.XXX.XXX 255.255.255.252  <== altered to block public ip address details
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
    ip default-gateway XXX.XXX.XXX.XXX <== altered to block public ip address details
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip flow-export source FastEthernet4
    ip flow-export version 5 origin-as
    ip flow-export destination 192.168.247.232 9996
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX <== altered to block public ip address details
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     login
     transport input all
    end

    Are you able to provide a diagram please? Having trouble understanding what you are trying to do.

  • I am unable to browse the internet from my Cisco 881 router; the configuration is below. Could anyone help me in this regard?

    HOME#sho run
    Building configuration...
    Current configuration : 5657 bytes
    ! Last configuration change at 10:51:11 UTC Fri May 17 2013 by admin
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname HOME
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 $1$bgx9$VrtQW3Wg182VyYhKAHLbN.
    no aaa new-model
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-1190003239
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1190003239
    revocation-check none
    rsakeypair TP-self-signed-1190003239
    crypto pki certificate chain TP-self-signed-1190003239
    certificate self-signed 01
    quit
    ip source-route
    ip routing protocol purge interface
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
       import all
       network 10.10.10.0 255.255.255.248
       default-router 10.10.10.1
       domain-name www.google.com
       dns-server 192.168.1.1
       lease 0 2
    ip cef
    ip domain name www.yahoo.com
    ip name-server 84.235.6.55
    ip name-server 84.235.57.230
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO881-SEC-K9 sn FCZ1516933C
    username admin privilege 15 password 0 cisco
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    ip address dhcp
    ip access-group 101 in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    interface Vlan2
    no ip address
    ip nat inside
    ip virtual-reassembly
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 101 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 101 permit ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    banner motd ^Cuthorized ^C
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    password cisco
    logging synchronous
    login local
    transport input telnet ssh
    scheduler max-task-time 5000
    end

    HOME#ping 4.2.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    HOME#sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0              unassigned      YES unset  down                  down
    FastEthernet1              unassigned      YES unset  down                  down
    FastEthernet2              unassigned      YES unset  down                  down
    FastEthernet3              unassigned      YES unset  down                  down
    FastEthernet4              192.168.1.120   YES DHCP   up                    up 
    NVI0                       10.10.10.1      YES unset  up                    up 
    Vlan1                      10.10.10.1      YES NVRAM  down                  down
    Vlan2                      unassigned      YES NVRAM  down                  down
    HOME#
    Fast Ethernet is connected to my internet connection.
