WISM Blocking UDP traffic

Similar Messages

• ASA 5505 NAT rules blocking inside traffic

  Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
  Embarq :          Network                                      xxx.xxx.180.104
  Gateway:                                                             xxx.xxx.180.105
  Subnet Mask:                                                     255.255.255.248
  Our Static IP's:                                                    xxx.xxx.180.106 to xxx.xxx.180.110
  Cisco Pix for VPN tunnels :                              xxx.xxx.180.107  outside IP
      used for DataBase Servers :                        100.1.0.2  Inside IP/ Gateway 2
  Cisco ASA 5505:                                               xxx.xxx.180.106  outside IP
      all other traffic :                                              100.1.0.1  Inside IP/ Gateway 1
  Inside Network:                                                 100.1.0.0/24
  Application Server:                                          100.1.0.115 uses Gateway 1
  BackUp AppSrvr:                                             100.1.0.116 uses Gateway 1
  DataBase Server:                                            100.1.0.113 uses Gateway 2
  BackUp DBSrvr:                                               100.1.0.114 uses Gateway 2
  Cobox/Receiver:                                               100.1.0.140
  BackUp Cobox:                                                 100.1.0.150
  Workstation 1:                                                   100.1.0.112
  Workstation 2:                                                   100.1.0.111
  Network Speaker1,2,3,4:                                 100.1.0.125 to 100.1.0.128
  Future Workstations:                                        100.1.0.0/24
  1.           Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
  2.           All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
  3.           All Workstations/Network Speakers need to be able to communicate with all four servers, and   the Cobox/Receiver.
  4.          The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login  securely and edit their account info.
  5.          The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule  created NAT'ing them to xxx.xxx.180.109.
        A.          The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside    IP address.
        B.          The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
  6.          The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
        A.          The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
        B.           The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
  7.          Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
  8.         
  : Saved
  ASA Version 8.2(5)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 100.1.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address xxx.xxx.180.106 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  protocol-object udp
  protocol-object tcp
  object-group protocol DM_INLINE_PROTOCOL_4
  protocol-object icmp
  protocol-object udp
  object-group protocol DM_INLINE_PROTOCOL_5
  protocol-object icmp
  protocol-object udp
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
  access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
  access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
  access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
  access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
  access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
  access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
  access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any outside
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
  nat (inside) 0 access-list inside_nat0_outbound
  static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
  static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
  static (inside,outside) xxx.xxx.180.109  access-list inside_nat_static_1
  static (outside,inside) 100.1.0.115  access-list outside_nat_static_1
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 100.1.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 100.1.0.5-100.1.0.15 inside
  dhcpd dns 71.0.1.211 67.235.59.242 interface inside
  dhcpd auto_config outside interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
  : end
  no asdm history enable

  OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
  In the meantime I will Close and Rate this post for now so others can get this info also.
  If we have any further issues after the upgrade, then I will open a new post.
  Thanks again. We new it was something simple. Not sure how we overlooked that, but hey we're getting somewhere now.

• ASA5505 - Blocking internal traffic between 2 servers

  Hi guys/ladies
  I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
  10.50.15.4 > fileserver
  10.50.15.5 > domain controller (exchange)
  10.50.15.6 > terminal server
  10.50.15.7 > terminal server
  Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
  2
  Oct 27 2012
  14:51:05
  106007
  10.50.15.6
  55978
  DNS
  Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
  What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
  Any idea why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
  Any help you can give would be great as this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

  Result of the command: "show cap asp | include 10.50.15.6"
    15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163
    16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
    17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
    25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
    27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
    28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138:  udp 237
    29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138:  udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
    30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
    38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
    41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
    43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule

• BT is blocking specific traffic - Connection probl...

  I started having this problem about two weeks ago, after multiple phonecalls to BT and a couple of emails nothing has been done, so hopefully someone on the forum can help.
  The problem is the BT server that my hub connects to runs software to block specific traffic, I assume this is handy for restricted torrents or illegal downloads. But what it's blocking is a game called EVE Online, I used to play this game without a single problem until about two weeks ago. I logged in one day and the lag was unbearable, mainly due to the fact BT is blocking around 90% of packets that are sent to me. As I said, I used to be able to play no problem, but now I can't even go on for 2 minutes before I get kicked.
  I've confirmed with the EVE support team that BT is causing the problem, EVE uses UDP and it only requires a packet loss of 5 consecutive packets before the game disconnects you. This may not seem like a lot, but due to the nature of it, any more than 5 packets can cause major problems in the game, so they just disconnect you. A friend of mine also had this problem, but to a lesser extent, but it did span accross multiple games, he has since then switched to another broadband provider which I will not name, and hasn't had the issue since. In EVE, recently BT have been known to block traffic, I'm not the first to ask EVE support for assistance on the matter, so they weren't strangers to the problem.
  I've ran a program called Ping Plotter to the EVE server, for those of you unaware Ping Plotter is a useful tool to (as the name suggests) Plot the latency (ping) of your connection to the server. PP also records packet loss and the exact route the client is using to connect to the server. The results average about 90% packet loss, Below are the results of PP.
  500 trace count, 1 second per trace.
  Packet loss is highlighted in RED
  BT IP's are highlighted in BLUE
  EVE IP's are highlighted in GREEN
  Target Name: srv200-g.ccp.cc
  IP: 87.237.38.200
  Date/Time: 21/01/2014 2:41:46 AM to 21/01/2014 2:50:12 AM
  Hop Sent Error    PL%  Min Max Avg  Host Name / [IP]
   1   500      0      0.0      1   34    2  BThomehub.home [192.168.1.254]  PC TO HUB 
   2   500    423    84.6    9   57   21  esr19.edinburgh8.broadband.bt.net [213.1.130.142] HUB TO BT
   3   500    474    94.8   10  149  26  [213.1.130.125]
   4   500    480    96.0   18   66   29  [213.1.69.74]
   5   500    481    96.2   19   63   31  [31.55.165.77]
   6   500    476    95.2   19   71   35  [31.55.165.107]
   7    14     11     78.6    18   53   29  acc1-10GigE-4-1-3.mr.21cn-ipp.bt.net [109.159.250.114]
   8   133    126    94.7   29   62   47  core2-te0-13-0-14.ilford.ukcore.bt.net [109.159.250.46]
   9   262    238    90.8   27   69   47  peer3-te0-1-0-7.telehouse.ukcore.bt.net [109.159.254.251]
  10  500    443    88.6   25    74   40  ccpgames.com [195.66.226.23]
  11  500    465    93.0   25    69   42  te-d2-e2.ccp.cc [87.237.37.246]
  12  500    422    84.4   25    77   38  srv200-g.ccp.cc [87.237.38.200]
  As you can see, that is completely unacceptable. The connection between my PC to my HUB is perfect, from the HUB to BT is where things go pearshaped.
  Onto another note, the three times I've phoned, I've spoken to someone reading from a card. What I mean by that is they haven't got a clue what they're speaking about. They are denying there is a problem because 'ping google' works fine. the first time I was redirected to the tech support, but then found out I wasn't paying for the service so I couldn't use it. The second time the advisor hung up on me when I requested to speak to her supervisor, and the third I hung up because the advisor claimed BT broadband isn't designed to support online gaming, and he said a 90% packet loss is to be expected when online gaming, alright then.
  Any help whatsoever on this issue is greatly appreciated, If I've missed anything out just ask for it and i'll post it
  Thanks.

  What home hub model do you have and have you tried rebooting it? Lots of UDP traffic can be difficult for some routers to handle due to inbuilt firewall, an older router or possibly a router thats starting to have problems might cause issues(Dust blocking airflow slowing the processor down) like this due to load on the processor of the router(These things normally have very slow processors). Have you tried running extended ping tests ? I'd try ping -n 1000 www.google.co.uk and ping -n 1000 www.bbc.co.uk additionally try using ping -l 750 -n 1000 www.google.co.uk and ping -l 750 -n 1000 www.bbc.co.uk , What package are you on are you sure you're not on a package with traffic shaping? If the devices BT use to shape traffic dont understand what eve is it might assume its P2P related and throttle it? A glasnost test should help there. But the package you are on should be Totally unlimited rather than just unlimited and was introduced from sometime around Feb last year I believe. If you are on an older contract you are probably being traffic shaped. Additionally its best to concentrate on Packet loss to servers rather than to routers. Backbone routers are often setup to depriorize icmp traffic directed to their own addresses except from servers used to manage them, concentrating on packet loss to intermediate devices is often a red herring.
  There are various utilities out there that can test a tcp or UDP in a similar sort of way to ping, however the remote servers if they are protected by firewalls and IDP systems might detect that as an anomoly and block it as a possible attack.

• UDP traffic analyzed in L4 traffic monitor?

  Dear all,
  I just wonder if anyone knows whether UDP traffic is analyzed by the WSA's L4 traffic monitor?
  It just tells "all ports" in the settings and reports also only reflect port numbers but no details like
  which protocol (tcp/udp).
  Anyone?
  Best,
  Hascha

  UDP ports will not be blocked.
  The L4TM will use the T1 interface to detect traffic to destinations that are on its blacklist.  Once detected, the the data interface on the WSA will send a packet with the TCP reset flag to the client to prevent a TCP connection.
  I have not tested this so someone correct me if I am wrong.  I am answering this based on my understanding of the L4TM feature, and how it works.  Since UDP is connectionless, there is no connection for it to kill.
  Now this makes me wonder about the Monitor feature though.  But I am almost certain it will not block if the action is set to block.
  I'll check this out when I'm in the office and will get back to you.
  -Vance

• ACLs on Dot11Radio interface blocks ALL traffic

  On an AP1220 w/IOS 12.2(11)JA1, all traffic is blocked when an ACL is applied on either the RF interface or the FastE interface, even explicitly permitted traffic. Also, using the "log" command after an ACL line fails to log anything. Below is the ACL I want to apply to the Dot11Radio 0 interface. It blocks ALL traffic:
  access-list 100 permit udp any any eq bootpc log
  access-list 100 permit tcp any host 10.0.0.1 eq 1723 log
  access-list 100 permit gre any host 10.0.0.1 log
  access-list 100 deny ip any any log
  Here is a test ACL that blocked ALL traffic, as well:
  access-list 101 permit udp any any log
  access-list 101 permit tcp any any log
  access-list 101 permit icmp any any log
  access-list 101 permit ip any any log
  Both ACLs blocked all traffic and failed to log a single event. If the ACL is removed, everything works. HELP!

  It's a known bug CSCec28612 - AP1200 access-list doesnt work on radio int with a log keyword

• Routing non-TCP/UDP traffic while using FWLB on CSS 11503s

  Hello all,
  I've been tasked to setup up FWLB with CSS 11503's as shown below. The issue is that intranet workstations use VPN client software when connecting to certain sites through the Internet and other times they use http or https (for connection to different sites). Because no flow is setup for ipsec and ECMP uses per packet routing for non TCP/UDP traffic, I'm concerned that load balancing through the firewalls will occur on a per packet basis. If that is true, stateful inspection in the firewalls will block asymmetrical traffic flows.
  Is my understanding correct? And, if so, is there a way to configure the CSS units to deal with this?
  Thanks in advance.
  (sorry for the dots in the drawing but the spaces kept getting deleted)
  .| Internet |
  ..........|
  .| CSS-outside |
  .............|
  ........|...............|
  .| FW1 |.....| FW2 |
  .......|................|
  ............|
  .| CSS-inside |
  ............|
  .| Intranet |

  for non-flowy traffic like IPSEC, we use a hash algorithm to decide where to send the traffic.
  So, it's not per packet loadbalancing.
  The same source/destination ip/port will always go to the same firewall.
  Gilles.

• Cisco RV042 Firewall Blocking LAN Traffic

  Hello Everyone,
  I currently have an RV042G with a downstream SG-300 connected to one of the LAN interfaces.  Connected to the SG-300 are a couple servers running ESXi.  Intervlan routing is working fine on the current setup; however, I only able to connect to my ESXi hosts on a separate VLAN for approximately a minute before the connection is dropped.  I have concluded that the firewall seems to be culprit in blocking my traffic.  If I turn the firewall off, everything acts as expected.  There is a default "ANY/ANY" rule for LAN traffic enabled and I have added a couple extras allowing all traffic for IP ranges, but I still seem to be losing my connections.  To make matters more confusing, I can see ACCESS_RULE events in the firewall logs permitting the traffic (or so I'm interpretting).
  Regardless, here's how my rules currently stand below.  I put another ANY/ANY rule in because the default didn't seem to be working -- I immediately was able to ping other hosts on different VLANs after adding the rule.  I was under the assumption allowing all traffic from any source to any destination would make the LAN pretty accessible.  I would appreciate any guidance or resources on this topic to set up some quick firewall rules to get things up and running.  Thanks in advance.
  Priority
  Enable
  Action
  Service
  Source
  Interface
  Source
  Destination
  Time
  Day
  Delete
  123
  Allow
  All Traffic [1]
  LAN
  10.10.21.1 ~ 10.10.21.31
  10.10.10.10 ~ 10.10.10.10
  Always
  123
  Allow
  All Traffic [1]
  LAN
  10.10.10.10 ~ 10.10.10.10
  10.10.21.1 ~ 10.10.21.31
  Always
  123
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Allow
  All Traffic [1]
  LAN
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN1
  Any
  Any
  Always
  Deny
  All Traffic [1]
  WAN2
  Any
  Any
  Always

  I guess I should clarify, the SG-300 is running in Layer 3 mode, and the VLANs are defined on it; however, the static routes are defined on the RV042.  Maybe there's a more efficient way of doing this? 
  Below is a scrubbed copy of my switch configuration. 
  config-file-header
  SWITCH01
  v1.3.5.58 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode router
  vlan database
  vlan 2
  exit
  no bonjour enable
  hostname SWITCH01
  no logging console
  ip ssh server
  ip ssh password-auth
  clock timezone CEST +1
  interface vlan 1
  ip address 10.10.10.2 255.255.255.0
  no ip address dhcp
  interface vlan 2
  name VIRTUAL-MANAGEMENT
  ip address 10.10.21.1 255.255.255.224
  interface gigabitethernet1
  description ESXI01:VMNIC0:MGMT
  switchport trunk allowed vlan add 2
  interface gigabitethernet20
  description UPLINK
  exit
  ip route 0.0.0.0 /0 10.10.10.1 metric 15
  The routes I have defined is:
  Destination IP
  Subnet Mask
  Default Gateway
  Hop Count
  Interface
  10.10.21.0
  255.255.255.224
  10.10.10.2
  1
  eth0
  10.10.10.0
  255.255.255.0
  0
  eth0
  255.255.252.0
  0
  eth1
  239.0.0.0
  255.0.0.0
  0
  eth0
  default
  0.0.0.0
  40
  eth1
  Just to reiterate the problem, I am able to connect to hosts on VLAN 2 from my computer on VLAN 1, but I am disconnected a minute or so later.  When the firewall is disabled, I have no issues with connecting to the host across VLANs and maintaining that connection.  Maybe I have a misconfiguration somewhere that is causing some issues?  I appreciate the help. 

• WRT54GC v2.0 - UDP Traffic issue

  Hi, i've bought last week the wireless router WRT54GC v2.0 and it works good for normal navigation, port forwarding, wireless signal, ecc...
  I've only a problem, a big problem, it can't handle high UDP traffic, this issue can be experienced, e.g. with Kad network of eMule. I can connect to Kad and i'm not firewalled, but if i try to search something, the search results are always empty or almost empty. If i made the same search connecting with my ISP router it works fine.
  I tried with both wireless and wired connection from WRT54GC and the result is the same, so it's not a wireless problem. I tried to disable firewall, playing with settings, using DMZ o port triggering. The result was the same. I've updated the firmware to version 1.01.0 too.
  Is there a solution for this problem??
  Sorry for my english
  Message Edited by RedKite on 08-31-2008 02:39 AM

  I am not sure about the workwround ... however you can try filtering the UDP packets that are incoming .....

• Doesn't Managed Server's sip channel support udp traffic by default ?

  Hi All,
  I am new to the WebLogic Server. I have tried to set up a Managed Server via an AdminConsole of BEA WebLogic 9.2.
  My configurations in config.xml are as shown below. In the AdminConsole, I could startup the Managed Server successfully. However, when I generated a SIP message (to the listening port of Managed Server, which is 5068) using sipp, the Managed Server could not receive the sip message.
  When, I used "netstat -a" to check listening ports. It showed that the Managed Server (Server-5) listened on tcp port 5068 but NOT on udp port 5068. And, since my sipp generated a sip message to udp port 5068, the Managed Server could not obtain the sip message.
  I read the online document and it states that when a channel is created for a server, it will automatically support both tcp and udp traffic. Therefore, from my understanding, the Managed Server should automatically listen on both udp and tcp port when it starts up. In fact, I have checked that my Admin Server listens on both udp port and tcp port (in this case, port 5060).
  I doubt that I may miss something in the configuration of the Managed Server. I woud be appreciated if someone could enlighten me up.
  Kind Regards,
  Kirati
  <server>
  <name>Server-5</name>
  <machine>Machine-0</machine>
  <listen-port>7007</listen-port>
  <web-server>
  <web-server-log>
  <number-of-files-limited>false</number-of-files-limited>
  </web-server-log>
  </web-server>
  <listen-address>10.252.8.241</listen-address>
  <network-access-point>
  <name>Channel-8</name>
  <protocol>sip</protocol>
  <listen-address>10.252.8.241</listen-address>
  <public-address>10.252.8.241</public-address>
  <listen-port>5068</listen-port>
  <public-port>5068</public-port>
  <http-enabled-for-this-protocol>false</http-enabled-for-this-protocol>
  <tunneling-enabled>false</tunneling-enabled>
  <outbound-enabled>true</outbound-enabled>
  <enabled>true</enabled>
  <two-way-ssl-enabled>false</two-way-ssl-enabled>
  <client-certificate-enforced>false</client-certificate-enforced>
  </network-access-point>
  </server>
  Edited by: user10871458 on Jan 30, 2009 1:17 AM

  I have found an answer to my question.
  I simply forgot to load a sip-container service to my new created server..

• Outside-PAT all UDP traffic, but exclude DNS

  8.4(3)
  I need to outside PAT all incoming UDP (SIP/RTP) traffic from outside to an internal IP. The following command makes it work:
  nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
  But it breaks DNS resolution from inside. If I add the above command and try to nslookup from inside to an outside DNS server
  64.90.175.90, DNS times out. If I remove the above nat command, it works again. It seems like even though DNS UDP originates from inside which should create a statefull connection, ASA still messes with return DNS responses.
  I then tried to create an "exclusion" for that IP with the following:
  object-group network nat-exclusions
  network-object host 64.90.175.90
  nat (outside,inside) source static nat-exclusions nat-exclusions
  but it's not working.
  I also tried:
  nat (outside,inside) source static nat-exclusions nat-exclusions unidirectional
  Also not working.
  Any suggestions? How can outside-PAT all UDP traffic excluding DNS.

  TAC was able to help. I needed this:
  object network exclusions
  host 64.90.175.90
  nat (inside,outside) source dynamic any interface destination static exclusions exclusions
  nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp

• ASA5505 blocking return traffic

  Our network has slowed to a crawl and upon investigation it looks as if the ASA5505 is blocking returning traffic. The syslog is full of these from legitimate sites:
  2013-08-30 16:58:01 local4.critical 192.168.1.254  Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK  on interface outside\n
  2013-08-30 16:58:03 local4.critical 192.168.1.254  Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK  on interface outside\n
  I'm not really sure where to go next so any help would be appreciated.
  2013-08-30 16:58:01 local4.critical 192.168.1.254  Aug 30 2013 16:53:38: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/46099 flags PSH ACK  on interface outside\n
  2013-08-30 16:58:03 local4.critical 192.168.1.254  Aug 30 2013 16:53:40: %ASA-2-106001: Inbound TCP connection denied from 207.131.246.15/80 to aaa.bbb.ccc.xxx/31820 flags ACK  on interface outside\n
  We are also using Websense. I have a 'filter except' exception for the above examples (207.131.246.15) for both http and https. I have also reduced MTU to 1472 on the outside just to test. I also upgraded from 256 to 512 memory thinking maybe it was being stressed.
  It seems to work for a while and then out of nowhere shuts everyone down from wherever they are browsing and then about 20 seconds to a minute later it starts up again.
  I'm not really sure where to go next.
  I have attached (what I hope is) a scrubbed config.
  Thank you.

  I looked for asymmetric routing. We have one other router attached to the internet but that just does VPN to a datacenter and has a specific route set up on the gateway for it. Nothing else should be getting to it other than the single IP address routed to it.
  It seems to be affecting any ip address that needs a persistant connection. As an example I had to download Chrome to a PC this morning and it kept losing connection about 50% through the download. So from my experiments what I can tell is that it makes the first connection no problem, but quickly dies after that and a new connection has to be made. Also when this happens the IP address being accessed shows up in the "SYN Attack" list in ADSM. I have attached an image of the issue. The number one item on the list is a website we use all day long.

• Blocking international traffic to BC site

  Does anyone know how to block international traffic to a BC website? We recieive a flood of traffic for international countries that drastically distort our analytic reports. Thanks for any help....

  I understand the usability issue. It sucks to not have the information right when you log in. Sorry.
  It is normal to get visits from international countries though. Sometimes I get a lot of visits from specific countries like you did from Ukraine. This usually happens in our case when companies or bots are trying to post their links in our blog.
  Take advantage of the captcha from BC if you don't use it yet in your forms. I found extremely helpful lowering the number of spam that I was getting in both my blog posts and contact request tickets.
  These are some other links it might help you....
  To exclude certain IP Adresses in BC
  With Google Analytics these links may help you...
  DATA FILTERS FOR VIEWS - Filter on geography
  https://support.google.com/analytics/answer/1034773?hl=en&ref_topic=1034830
  These are all the filters you can apply
  https://support.google.com/analytics/answer/1034380?hl=en&ref_topic=1034830
  Hope it helps.
  PJ

• WRT54G blocking INTERNAL traffic ?

  Hello everybody!
  I own a WRT 54 G v3.1 Firmware Version: v4.30.5.
  Everything works fine except Age of Empires 2 Lan Games. I tried a direct connection between 2 PCs with a crossover cable and the game worked, but when we want to play via our router, we can't find hosted games. We don't want to play on the Internet, only on LAN. Is there any setting that is blocking internal Traffic ? Whats also strange: I tried DXdiag, as AOE2 uses DirectPlay, and DXdiag could establish a connection even when both PCs were connected via the router. Any ideas ? Thanks in advance.

  If you have a software firewall installed connected a computer to a different router does make a difference. Those software firewalls remember the firewall settings based on where they are connected. A different router is a different location and thus has different firewall settings. Thus, you have to disable the firewall completely, maybe have to deinstall it completely (ZA is a good candidate for that) to verify whether or not it is related to the computer configuration.
  Also, how do you connect between those computers for the game? Do they automatically detect each other? Do you have to enter IP addresses? Or how does it work?
  Technically the LAN side of the router is a simple switch. It does not do any filtering there. It may be slightly different if a connection is wireless. It can be completely different if a router runs a 3rd party firmware.

• Howto block p2p traffic of clients connected to the same ssid on different wlc

  Hi all,
  I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?
  Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):
  ===
  Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
  A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
  ===
  Does anybody know what's the best practise to prevent this inter wlc client traffic? I already read about using acls on the wlc dynamic interfaces, or private vlans on the l2 switch vlans where the dynamic interfaces are connected to. Is it allowed to completely isolate the wlc from each other on these dynamic interfaces with acls or private vlans or do the wlc need to see each other on this interfaces (e.g. heart beat)?
  Many thanks in advance,
  Thorsten

  Hi Sasha,Thorsten
  The bug is Junked and I believe which is what you are running into with your tests:
  CSCtr60787    WLC P2P Blocking Set to Forward-UpStream Doesn't Work.
  Bugtoolkit : http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
  To answer your original query :
  ACL is only solution to block client communication on same ssid between 2 wlcs. 5508 works better with ACLs then 44xx platform.
  ARP requests will be forwarded to upstream router just like any other traffic. WLC won't proxy arp for clients on same vlan.
  Gateway arp's I believe should be handled by WLC . ( Don't quote me on this but I am pretty sure it is ) ..If it was not, then how would client know about gw ?
  Multicast traffic is not applicable for p2p.
  Your ACL can be as simple as this for the scenario :
  WLC 1 - clientvlan = 10
  WLC 2 - clientvlan = 10
  and you want to restrict users from wlc1-wlc1, wlc1-wlc2, wlc2-wlc2 for same vlan10.
  Basically in that case the ACL should look like on both WLCs :
  1. Permit statement to talk to gateway.
  2. Deny to subnet.
  3. Permit all.
  4. If DHCP/DNS other services are on same subnet then you would need to add a permit
  statement before the deny.
  5. Attach the ACL to SSID or dymanic interface.
  Thanks..Salil
  CSCtr60787    WLC P2P Blocking Set to Forward-UpStream Doesn't Work.