Unsolvable OS X firewall issues
Since switching from TWC to Verizon High Speed Internet, I've been unable to download Netflix, play Yahoo Backgammon, send email via Network Solutions server, send or receive email from mobile me account, and connect to a JSTOR server for downloading articles on my iMac, OS X 10.6.6. I suspect that it's a firewall issue, but haven't been able to confirm that with Verizon customer service.
The first time I called about the email, after verifying that we had an internet connection, Verizon said that it must be Network Solutions. I called Network Solutions and found that everything was in order there. I phoned Apple, and found that everything was in order on my machine and software. Navigating the Automated Call Distribution and hold times at each of these places took about 3 hours, which included about 40 minutes of troubleshooting - most of it by Apple. I had to go to work.
On my next day off I called Verizon and asked to have my call escalated to a higher tier Mac support technician, but they said that they didn't have higher tier technicians. We went through a laborious troubleshooting process, and the tech couldn't find the problem within 50 minutes, and I had to leave for an appointment. I couldn't call back that week. Verizon phoned a day or two later and left a message on my answering machine that invited me to call a toll free number if my issue had not been resolved. I called before leaving for work a few days later, got through to a Verizon Mac OS tech, and went through the same laborious troubleshooting process to no avail. I asked to be transferred to a higher level tech, and the tech just put me back in the hold queue. The new service tech wanted to go through the same protocols that I had already been through, which I found unacceptable. As this was my fourth attempt to correct this problem, I asked him to read the notes from previous service techs. The only note he could find said "Unable to connect to the internet."
I believe I'm beyond my 30 day trial, but I desperately want out of my contract with Verizon. Does anyone have any suggestions?
Log into the modem using the following Usernames/Passwords at http://192.168.1.1/
admin/password
admin/password1
admin/admin
admin/admin1
Your Verizon Username and Password
Set the Firewall to Disabled and see if your applications begin working. The Wireless key can be gotten from the Wireless Settings section.
-
Hello all.
I subscribed successfully and easily to CC on my home PC (iMac) and downloaded a few apps. All is fine.
I wanted to download those same few apps on a remote machine I use several times a week (Win 7).
After many many attempts of trying to download CC and getting a generic error message, I learned it could be a firewall issue here at this work/office. I found this in Adobe's forums:
Many organizations use a hardware firewall and proxy server that can prevent software from accessing an FTP server. A hardware solution applies to all computers within the corporate network. Most home networks do not use hardware firewall or proxy technology.
Contact your company's IT department to obtain firewall or proxy information.
Configure your browser with proxy or firewall information.
Configure your corporate firewall to by-pass the servers. The following servers are accessed:
ccmdl.adobe.com:80
swupmf.adobe.com:80
swupdl.adobe.com:80
Having nothing to lose, I put in a request and had these addresses/ports opened up in our firewall. That seems to partially fix the problem.
Now the problem is the speed and traffic is so terribly slow with CC that nothing installs without failing and giving an error. For example, I am trying to install Photoshop CC and it will take a couple of HOURS to even get to 10% and then it fails. Usually, it doesn't get that far. CC just gives me the generic message:
"Installation Failed - Learn More."
Download error. Press Retry to try again or contact customer support.(-7).
Our network admins swear that there is nothing wrong with the ports/firewall and yet all this works fine at my home. Can anyone offer any suggestions or advice? My internet connection here is fine. All other sites load and work fine. I simply cannot download any of the CC apps here with any reasonable speed.
Help!
PS - The URLs and ports ping just fine.
Hi RedBirdOBX1,
I'd recommend checking out the two pdf documents in the
Adobe Creative Cloud Service Access Documentation for IT section on this page:
http://www.adobe.com/devnet/creativesuite/enterprisedeployment.html
Adobe Creative Cloud Network Endpoints
Adobe Creative Cloud Controlling Service Access
and if you're still struggling this might be another alternative:
http://prodesigntools.com/adobe-cc-direct-download-links.html
Hope that helps,
-Dave -
Can't scan from Lexmark multifunction printer - firewall issue?
Hi there!
I got a Lexmark printer/scanner combo which used to work fine on my arch install. However, its mobo died, so now I'm back at another install which refuses to scan. Scanning is done through the browser via a java applet residing on the printer's webserver. The applet does start (so it's not a java issue), but refuses to receive data from the scanner. Within the printer's web interface, it reads "If using Windows XP, the Windows XP personal firewall must be disabled before using Scan to PC profiles.", so I'm assuming it might be a firewall issue. Lexmark's website provides the following advice:
The following two command lines will open the port 5353 for incoming and outgoing connections:
iptables -I INPUT -p udp -m udp --sport 5353 -j ACCEPT
iptables -I OUTPUT -p udp -m udp --dport 5353 -j ACCEPT
NOTE: These steps will work on most distributions configured with IPTABLES. There is no common command to make these rules persistent.
As I don't know anything about IP tables, I've simply copied these commands (as root, obviously). Still, I can't scan.
So, my questions are:
1. Has anybody else ever come across an issue like this?
2. I don't even know for sure whether this is a firewall issue - What iptables magic would I need to temporarily disable the firewall to check?
3. I tried checking my rules by "iptables -L". How can I tell "iptables -L" to specify the ports it is working on (as I did in the commands copied from lexmark's website)?
Best wishes,
Rufus
Hi Bob
I believe so. We put the install disc into this mac back when we bought it to set up the printer. I'm assuming the scanning drivers were there as well since it's a multifunctional printer/scanner/fax wireless printer.
We've tried it both ways. If I press the button scan on the printer, it reads can't find computer (or something like that). When we go thru the HP icon on my computer screen and choose scan to computer, it does nothing.
We don't scan that often. So the few times when we ran into this problem, we just did something else (like take a pic from our iPhone and email the pic...kinda stupid but did the trick).
But I want to have the function of the scanner available. So that's why I'm here asking...thought others had this issue and had a solution. -
Windows Firewall issue, Inbound rule opened all, still not the same as turning off
This is Windows Firewall issue on Windows 8.1 Pro.
Backup Exec server cannot expand a computer node in selection list. I drill down to Microsoft Windows Network/Domain/Computers, then when I tried to expand a Windows 8.1 Pro computer node, it hangs out.
I narrowed this problem to Windows firewall related issue on Windows 8.1 Pro computer.
When I turn off Windows Firewall on Domain profile, Backup Exec Selection expands the computer node of the Windows 8.1 Pro computer. So, I created an inbound rule opening all to Backup Exec server as following, but it's still not the same as turning off Windows firewall specifically on Windows 8.1 Pro computer;
Any Local IP address, Any Remote IP address, Any port, Any protocol, All Interface, All Programs and Services, All profiles(Domain, Private, Public)
And there are no rules blocking any which may override the above rule.
Ethernet on Windows 8.1 Pro computer shows profile is linked with Domain, but just to make it work, I selected all profiles.
Even though I opened all available in inbound rule, it's still not the same as turning off Windows firewall. What am I missing? It looks like something related to RPC (UDP 135), but even when inbound rule is all open, why does it matter? RPC seems to be working fine only when firewall is turned off on domain profile.
Protocol 17 is UDP
Port: 135
===============================
Event ID 5152
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 0
    Application Name:
Network Information:
    Direction: Outbound
    Source Address: 192.168.1.120
    Source Port: 0
    Destination Address: 192.168.1.11
    Destination Port: 0
    Protocol: 1
Filter Information:
    Filter Run-Time ID: 245836
    Layer Name: ICMP Error
    Layer Run-Time ID: 32
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 0
    Application Name:
Network Information:
    Direction: Inbound
    Source Address: 192.168.1.11
    Source Port: 35341
    Destination Address: 192.168.1.120
    Destination Port: 135
    Protocol: 17
Filter Information:
    Filter Run-Time ID: 245834
    Layer Name: Transport
    Layer Run-Time ID: 13
-
RMI firewall issue - opening port 1099 is not enough
Hello,
We have a distributed java desktop app that uses RMI with callbacks to communicate amongst the clients. It all works really well at our dev site and at 2 trial sites.
We are about to deploy out to more customer sites - so I have been doing more testing with firewalls etc and discovered some issues. Our customers are small businesses and typically have between 1 and 10 desktop clients that connect to the server via RMI. These customers are "very NOT technical", so we need to give them set-and-forget firewalls etc.
This is all on a LAN, with RMI using port 1099. On the firewalls (of the various PCs) we open ports 1099 (RMI) and 5432 (for the Postgres DB).
Also, I was using "CurrPorts" and "SmartSniff" to monitor the traffic at each PC - so I had a reasonable view of proceedings.
Basically, opening port 1099 on the server is necessary, but it is NOT ENOUGH. The RMI moves off to ports other than 1099, and the server firewall does not allow the connection.
Procedure ...
(1) start the "server" app - which starts the RMI registry - the "localhost" desktop app also starts and it works well to both the database and the RMI.
(2) start another client - it connects to the DB Server, but NOT the RMI server.
(3) open the server firewall to all traffic for a few seconds - then the client connects successfully.
From CurrPort logging I could watch the RMI comms progress over those first few minutes ...
Initially the comms do include port 1099 on the initial call to the server, but thereafter there are always 2 or 3 "channels" open, but not to 1099.
I notice that the Postgres DB keeps using port 5432 for all of its active channels - so it does not have the same firewall issue.
After we have opened the firewall for a few seconds - to enable the link - then we can turn the client on and off and the client re-connects without issue - so it would seem to be only an issue with the initial connection.
I am sure that this is all completely standard and correct RMI behavior.
QUESTIONS:
1. Can RMI be "forced" to always use port 1099 for connections, and not move to other ports? (like the database uses 5432)
2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
Other comments ...
The firewall lets me open individual ports (say 1099) - BUT I can not justify opening ALL ports.
The firewall lets me open all ports to an application, say "C:\Program Files\Java\jre6\bin\java.exe", but that app will occasionally change at a customer's site as they will update their java version and suddenly our app will stop working.
Any guidance is appreciated.
Many Thanks,
-Damian
1. Can RMI be "forced" to always use port 1099 for connections
Yes. Export all your servers on the same port. See UnicastRemoteObject constructor that takes an int, or UnicastRemoteObject.exportObject(int). If the RMI Registry is a separate process you can't re-use 1099 for this purpose, but see below.
2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
Yes. Start the RMI Registry in the same JVM as the code, then you only need to use 1099 for everything.
If you are using server socket factories, make sure they have an equals() method, or use the same instance for all remote objects.
-
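A sketch of the RMI answer above, as an added example that is not code from the thread or from the poster's application: the registry is created inside the server JVM and the remote object is exported on the same port, so the server firewall only needs an inbound rule for TCP 1099. The StatusService interface, the class names and the "status" binding name are hypothetical.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class SinglePortRmiServer {

    // The single TCP port the server firewall has to allow for RMI.
    static final int RMI_PORT = 1099;

    // Hypothetical remote interface standing in for the application's own.
    public interface StatusService extends Remote {
        String ping(String client) throws RemoteException;
    }

    static class StatusServiceImpl implements StatusService {
        @Override
        public String ping(String client) {
            return "pong to " + client;
        }
    }

    // Strong references, so neither the registry nor the implementation
    // becomes eligible for garbage collection while the server runs.
    private static Registry registry;
    private static StatusServiceImpl service;

    public static void main(String[] args) throws Exception {
        // 1. Start the registry in this JVM instead of a separate rmiregistry
        //    process. Only then can remote objects share its listening port.
        registry = LocateRegistry.createRegistry(RMI_PORT);

        // 2. Export on an explicit port. Port 0 (the default when none is
        //    given) lets RMI pick an anonymous port, which is what a
        //    firewall that only allows 1099 ends up blocking.
        //    No custom socket factories are used here; with custom factories
        //    the sharing only works if they are the same instance or
        //    implement equals(), as the answer notes.
        service = new StatusServiceImpl();
        StatusService stub =
                (StatusService) UnicastRemoteObject.exportObject(service, RMI_PORT);

        // 3. Publish the stub under a name clients can look up.
        registry.rebind("status", stub);

        // On OpenJDK the stub's string form includes its endpoint (host:port),
        // which is a quick way to confirm the object really sits on RMI_PORT.
        System.out.println("exported: " + stub);

        // 4. Self-check through the registry, the way a client would do it.
        Registry clientView = LocateRegistry.getRegistry("localhost", RMI_PORT);
        StatusService remote = (StatusService) clientView.lookup("status");
        System.out.println(remote.ping("self-test"));

        // RMI's listener thread keeps the JVM alive after main() returns.
    }
}
```

Callback objects that clients export use the same call, so the port passed to exportObject on the client is the one the client's firewall has to allow.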
I have Internet access, but don't have an ability to watch videos on our new iPad2. We are in a hotel, could it be their service or firewall issue?
If you are unable to view content that has already been downloaded then your problem is within your device. First shut it down all the way by holding the sleep button at the top until the power off slide appears at the top of your screen. Then slide that and wait while it powers off. Give it a good 30 seconds to do this. Then power it back up. If that doesn't work, you may need to call the AppleCare folks. One other option is to restore it to factory settings and reload it with the updates first and then sync your media to it. You should already have it backed up to iCloud, but if not, do that first then do the restore.
-
I've installed jboss on a non-global zone and verified the installation using lynx from within the non-global zone.
I can't see jboss from the global zone, another non-global zone, or a different machine. I can ping back and forth between all zones and other machines as well as ssh into the non-global jboss zone to admin it.
I tried issuing 'svcadm disable ipfilter' on both the global zone and non-global zone. It worked on the global zone but not the jboss zone (got 'pattern doesn't match any instances' error).
I tried rebooting the jboss-zone after disabling ipfilter on the global zone and still can't get anything.
Any ideas?
OK, just to test I started apache and it works as expected.
This must be a firewall issue. Does anyone know how to configure / disable it? -
Images on our forms do not load. We believe this may be a content-filter/firewall issue, but do not know where form images are served from. Is there a list of domains and/or IP's that should be allowed through our content-filter and firewall for Formscentral to work properly?
Hi,
If you are a personal user and have not set up desktop redirector then you should be set up as BIS.
This line in your post is what took me in that direction:
"Here's the message: The application mobireader has attempted to open a
connection to a location inside the firewall and outside the firewall which is which is not allowed by your IT policy"
IT policies are used in the server based networks to restrict functions of the BB.
Was your phone new when purchased? I'm trying to see if you have an IT policy on the phone.
Make sense?
Thanks,
Bifocals
-
OD firewall issue? maybe
I have 10.4.11 on my Xserve, things seem to be working, but I have never been able to add a client's computer to Open Directory. I get this:
Unable to add server.
An unexpected error of type -14102 (eDSAuthNoAuthServerFound) occorred.
Could that be a firewall issue? or Kerberos issue?
thanks
Hi
Sorry, by Directory Service I meant Open Directory. Tellingly the overview pane says Kerberos is Stopped. Kerberos is the authentication method that the LDAP service will use to authenticate principals. So if it's stopped then there is no KDC and no edu.mit.Kerberos file.
This more than likely could explain the problem you see.
Kerberos not starting is generally down to a poorly configured DNS Service. It could also be an obscure network issue or even an LDAP database problem. Occasionally there is a need to stop Kerberos starting on an Open Directory Master. This would typically be the case if you were integrating Open Directory into Active Directory. Usually - but not always - in that environment there would be no need to configure DNS Services on OSX Server. You would use the Active Directory’s DNS Service.
For Open Directory Services to function correctly the Server needs to have a reverse pointer (PTR) record created. On the server launch terminal and issue this command:
sudo changeip -checkhostname
Post the results, Tony -
Cannot create ODBC connection to Azure - is this a firewall issue?
I am setting up an Access front-end, Azure back-end database. I am setting up the ODBC on one of the client's machines and get SQL state 28000, error 18456, SQL state 01000, error 40608. I am using SQL Native Client 10.0. I have not had issues with this before.
I opened all IPs. Is this a firewall issue on their computer?
Any ideas welcome.
Thanks,
Marcy
Hello Marcy,
Are you getting this error while doing test connection from ODBC datasource (DSN) ?
Please share the actual error message that you are getting so that I can guide you.
On the basis of the error 18456 please check following .
password must be correct.
check if port 1433 is blocked by windows firewall or any firewall on the client machine.
Pass the user name as username@<azure servername>
if you are using just username try to use sql native client 11.0
check if TCP/IP protocol in sql server configuration manager is enabled.
In case you tried all the above option then please share the error message that your client is getting.
Hope this helps.
Mukesh
SQL Azure and Business Intelligence -
Remote app, firewall issue?
I can't connect my iphone with my computer using the Remote app. I've tried all the help I can find, and it is not working. Here is my issue.
When I go to connect the "remote" app with my computer, it says that it can't connect due to either my wifi network or my firewall. I can tell you now that it is my firewall. I'm using the same wifi network for both the computer and the iPhone, I have also checked the IP addresses, they are the same. And it is strictly my computer, both me and my girlfriend have laptops, and it will work on her computer, and not mine (they are both connected on the same wifi network). So next would be to check my firewall settings...In firewall settings the "don't allow exceptions" box is NOT checked. Under the "exceptions" tab, the following boxes are checked: "Bonjour", "iTunes", "Remote Assistance", "File and printer sharing", "Network diagnostics for Windows XP", and "windows messenger".
I'm not understanding what the issue is. My iPhone will show up under devices and allow me to enter the 4-digit code to connect each other, but after that it says that it is my firewall or network. Hope you can help, thanks.
Out of curiosity, I did some logging of my network to see what communication took place between my iPhone and iTunes:
When I turned on my iPhone, there were 2 packets on port 5353 (Bonjour) sent by iPhone, sent to 224.0.0.251 (mDNS).
When I fired up the Remote app, there were 14 more packets on port 5353 sent by iPhone to 224.0.0.251, with a little more info in them. At this point, iTunes on my PC recognized the iPhone and prompted me for the PIN.
When I entered in the PIN, it looks like iTunes opens a connection to the iPhone in order to validate the PIN number, originating the conversation from a port number of its choosing, and using a destination port number that the iPhone advertised in its last Bonjour packet. There were a dozen packets involved in this little handshake, originated by the PC.
Finally, the iPhone initiates a communication to iTunes on the PC, opening a connection to port 3689 on the computer. It looks like this is where the bulk of the "remote" app functions.
All this tells me that if you saw the screen to enter the PIN, then your PC successfully noticed the Bonjour advertisement the iPhone broadcasted on UDP port 5353. But the fact that it ceased to communicate after the PIN was entered tells me that most likely there is a problem with the PC accepting communications on TCP port 3689 (iTunes sharing). I guess it's possible that the firewall is preventing the computer from confirming the PIN with the iPhone, but that's a communication originated by iTunes, and usually firewalls are fairly permissive about what ports apps open going out, just really strict about what ports it accepts communications into. -
XE and Symantec Client Firewall issue
I noticed that there is an issue when the Symantec Client Firewall is enabled on a client's machine. I was trying to access XE and the connection was timing out. Has anyone else had this issue and how do you rectify the problem?
Thank you in advance
You must set your firewall settings so that they allow access to XE.
The default values for the port numbers are:
1521: Oracle database listener
2030: Oracle Services for Microsoft Transaction Server
8080: HTTP port for the XE graphical user interface (APEX)
HTH -
IE HTTP close (reset) - port reuse causing firewall issues
Having an issue with some systems reusing the same TCP port number between sessions, causing the firewall to drop the connection.
Internet Explorer is creating the HTTP socket connection to port 80. An ephemeral port (assigned by Windows) is bound to the local side of the connection. The first connection goes through just fine. The socket is closed/reset. However, the very next connection (hundreds of milliseconds later), is using the same ephemeral port, causing the firewall to discard the connection.
I have tried setting TcpTimedWaitDelay in the registry but that did not help. Since the socket is being reset, it never goes into the TIME_WAIT state.
Any suggestions? This does not happen consistently - on the order of 10s of times per day.
Thanks!
Problem is still occurring. Customer has built a new client system with MS-only software (no virus protection, etc.). Upgraded this system to IE9. Problem is still occurring. Tried disabling NativeXMLHTTP option but no difference.
Here is the ASP VBScript code that causes the error to appear:
function SubmitPost(data,ErrHow)
{
    var d = new Date();
    return SendData('POST','TDMaster.asp?InstID=' + document.getElementById("tdInstance").value + '&UID=' + d.getTime(),data,ErrHow,0);
}

//Returns valid version of MSXML
function GetMSXML()
{
    var progIDs = ['Msxml2.XMLHTTP.6.0','Microsoft.XMLHTTP'];
    for (var i = 0; i < progIDs.length; i++) {
        try {
            var http = new ActiveXObject(progIDs[i]);
            return http;
        }
        catch (ex) {
            // this ProgID is not available, try the next one
        }
    }
    return null;
}

// Function that actually sends the data and returns the response
// Format 0 = XML
// Format 1 = Binary
var http;
var timedOut;
function SendData(method,url,data,ErrHow,Format)
{
    http = GetMSXML();
    var ResultXML;
    var e;
    // third argument false = synchronous request
    http.open(method, url, false);
    http.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    http.setRequestHeader("Content-Length", data.length);
    try {
        http.send(data);
        if(Format == 0) {
            return http.responseText;
        } else {
            return http.responseBody;
        }
    } catch(e) {
        return CreateError(e.number, e, ErrHow);
    }
}
-
Using Motorola SBG900 wireless modem, I can get Apple TV to work when disabling the firewall completely, but not with even the slightest firewall active. Following Apple's instructions here: http://support.apple.com/kb/HT2463?viewlocale=en_US I enabled the firewall ports that Apple TV uses for both inbound and outbound traffic, but still I cannot use Netflix, YouTube, network time etc.
A lot of people seem to have the same issue. Some, using the same modem as me, have gotten things to work by enabling the Apple TV ports, but it's not working for me. What else could I try? Is it OK to leave the firewall turned off on the modem, if on my laptop I enable the firewall in Snow Leopard? Would this be enough to protect my computer?
Are you talking about the firewall on the computer or are you talking about router settings?
Because if you mean the computer firewall, then it has no say when it comes to the ATV accessing online services; then it's 100% up to your router's settings,
and if those are set correctly
I would look for a firmware update for the router -
Cisco 881 Zone Firewall issues
I'm having issues with an 881 that I have configured as a zone based firewall.
I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
On the corporate side the user complains that some websites fail, such as LinkedIn.
I have been using CCP to configure the device. What am I doing wrong?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 22210 bytes
! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname -Rt
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
enable password 7
aaa new-model
aaa authentication login local_auth local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3066996233
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3066996233
revocation-check none
rsakeypair TP-self-signed-3066996233
crypto pki certificate chain TP-self-signed-3066996233
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 10.0.2.2
ip dhcp excluded-address 10.0.2.1
ip dhcp pool Trusted
import all
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
domain-name spectra.local
dns-server 10.0.2.2 10.0.1.6
option 150 ip 10.1.1.10 10.1.1.20
ip dhcp pool Guest
import all
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
dns-server 4.2.2.2 4.2.2.3
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.0.2.2
ip name-server 4.2.2.2
login block-for 5 attempts 3 within 2
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
archive
log config
logging enable
username S privilege 15 secret 4
username ed privilege 15 password 7
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any TFTP
match protocol tftp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
match access-group name Any-From-HO
class-map type inspect match-any Skinny
match protocol skinny
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
match class-map Skinny
match access-group name Hostcom-Skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any Pings
match protocol icmp
class-map type inspect match-any Ping-
match class-map Pings
class-map type inspect match-all ccp-cls-ccp-inspect-2
match class-map Ping-
match access-group name Ping-
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-all ccp-cls-ccp-inspect-3
match class-map DNS
match access-group name Any-any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name Any/Any
class-map type inspect match-any https
match protocol https
class-map type inspect match-all ccp-cls-ccp-inspect-4
match class-map https
match access-group name any-any
class-map type inspect match-any UDP
match protocol udp
match protocol tcp
class-map type inspect match-all ccp-cls-ccp-inspect-5
match class-map UDP
match access-group name InsideOut
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Pings
match access-group name RespondtoSomePings
class-map type inspect match-any RemoteMgt
match protocol ssh
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map RemoteMgt
match access-group name Spectra-RemoteMgt
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol dns
match protocol https
class-map type inspect match-any WebBrowsing
match protocol http
match protocol https
class-map type inspect match-any DNS2
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map WebBrowsing
match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map DNS2
match access-group name DMZtoAny
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-2
inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-cls-ccp-inspect-5
pass log
class type inspect TFTP
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-4
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
class type inspect ccp-cls-ccp-inspect-3
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop log
policy-map type inspect ccp-permit-outside-in
class type inspect ccp-cls-ccp-permit-outside-in-2
inspect
class type inspect ccp-cls-ccp-permit-outside-in-1
pass
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-app-nonascii
log
reset
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-2
inspect
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-outside-in
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect ccp-permit-dmzservice
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Y address x.x.x.x
crypto isakmp key o1 address x.x.x.x
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-AES256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime kilobytes 128000
set security-association lifetime seconds 28800
set transform-set ESP-AES256-SHA
match address 102
interface FastEthernet0
description B
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet1
description Docker
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet2
description Phone
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet3
description Guest
switchport access vlan 3
no ip address
spanning-tree portfast
interface FastEthernet4
description External $FW_OUTSIDE$
bandwidth inherit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 104
duplex auto
speed auto
pppoe-client dial-pool-number 1
hold-queue 224 in
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
shutdown
interface Vlan2
description Trusted Network$FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1440
interface Vlan3
description Guest Network$FW_DMZ$
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callout
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip access-list standard SSH-Management
permit x.x.x.x log
permit 10.0.2.0 0.0.0.255 log
permit 10.0.1.0 0.0.0.255 log
ip access-list extended Any-From-HO
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended Any-any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Any/Any
remark CCP_ACL Category=128
permit ip host 10.0.2.0 host 10.0.1.0
ip access-list extended DMZ-Out
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended Hostcom-Skinny
remark CCP_ACL Category=128
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended InsideOut
remark CCP_ACL Category=128
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended Ping-Hostcom
remark CCP_ACL Category=128
permit ip host 10.0.2.2 any
ip access-list extended RespondtoSomePings
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host 37.0.96.2 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended RemoteMgt
remark CCP_ACL Category=128
permit ip host x.x.x.x any
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended any-any
remark CCP_ACL Category=128
permit ip any any
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 23 remark HTTPS Access
access-list 23 permit 10.0.2.1
access-list 23 permit x.x.x.x
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.112.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit udp any any eq bootpc
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP permit 1
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Authorised Access Only
If your not supposed to be here. Close the connection
^C
banner motd ^C
Access Is Restricted To Personel ONLY^C
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class SSH-Management in
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet ssh
scheduler interval 500
end
Hello Martin,
Please apply the following changes and let us know:
ip access-list extended DMZtoAny
1 permit udp 192.168.112.0 0.0.0.255 any eq 53
no permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZ-Out
1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
2 permit tcp 192.168.112.0 0.0.0.255 any eq 443
no permit ip 192.168.112.0 0.0.0.255 any
Change that and try it; if it does not work, post the configuration with the changes applied.
Regards,
Remember to rate all of the helpful posts; that is as important as a thanks.
Julio
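When ACLs such as DMZ-Out and DMZtoAny are narrowed to specific ports, an entry typed for the wrong source subnet matches nothing, and the class-default drop in ccp-permit-dmzservice then discards the traffic. The script below is an added example, not part of the original posts; the function names and the sample configuration are constructed for illustration, and it lists named extended ACL entries whose source overlaps no subnet configured on an interface.

```python
import ipaddress
import re
# Constructed sample in the style of the posted configuration (not the full config).
SAMPLE_CONFIG = """\
interface Vlan3
 ip address 192.168.112.1 255.255.255.0
ip access-list extended DMZ-Out
 1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
 2 permit tcp 192.168.12.0 0.0.0.255 any eq 443
ip access-list extended DMZtoAny
 1 permit udp 192.168.112.0 0.0.0.255 any eq 53
 permit ip host x.x.x.x any
"""
IFACE_ADDR = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
ACL_HEAD = re.compile(r"^ip access-list extended (\S+)$")
ACE = re.compile(r"^(?:\d+ )?(?:permit|deny) \S+ (any|host \S+|\S+ \S+)")

def source_network(spec):
    """Map an ACE source ('any', 'host A', 'A WILDCARD') to a network; None for 'any'."""
    if spec == "any":
        return None
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # Invert the Cisco wildcard into a netmask; non-contiguous masks raise ValueError.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def unmatched_sources(config):
    """Return (acl, entry) pairs whose source overlaps no configured interface subnet."""
    subnets, entries, acl = [], [], None
    for raw in config.splitlines():
        line = raw.strip()  # also handles configs pasted without indentation
        if m := IFACE_ADDR.match(line):
            subnets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        if m := ACL_HEAD.match(line):
            acl = m[1]
        elif acl and (m := ACE.match(line)):
            try:
                entries.append((acl, line, source_network(m[1])))
            except ValueError:
                pass  # redacted or non-contiguous address: cannot be checked
        elif not line.startswith("remark"):
            acl = None  # any other command ends the ACL block
    return [(name, entry) for name, entry, net in entries
            if net is not None and not any(net.overlaps(s) for s in subnets)]

if __name__ == "__main__":
    print(unmatched_sources(SAMPLE_CONFIG))
```

Sources that are legitimately off-box, such as remote VPN subnets or outside management hosts, are also listed, so the output is a review list rather than a list of errors.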