ZBF woes

Hi, I'm having some difficulty in understanding the behaviour of zone-based firewalls on an 887VA router. I do not understand the implications of including the self zone in a zone-pair. It seems that if you include the self zone in a pair with any other zone, the self zone becomes restrictive between all zones, whether paired or not. For example, if I include the self zone in a pair with the OUTSIDE zone, pinging the router from a host in the INSIDE zone no longer works...
Secondly, we operate a DMVPN (this is a spoke router), and the tunnel will successfully establish with the following traffic configured to PASS:
TCP 4500
TCP 500
ESP
GRE
However, traffic through the tunnel will fail (including RIP).
If, however, I modify the firewall policy to permit all traffic to and from the SELF and OUTSIDE zones, tunnel traffic seems to work successfully between the SELF and VPN zones and the VPN and internal zones.
However, given that all traffic destined for the tunnel would be encapsulated in a GRE header and GRE is permitted between the SELF and OUTSIDE zones, I cannot see what other ports would need opening?
I've included some config below; any help would be greatly appreciated.
Access Lists
Extended IP access list OUTSIDE>INSIDE
    10 permit ip any any
Extended IP access list OUTSIDE>SELF
(if this entry is included, tunnel traffic works: permit ip object-group DMVPNIPGROUP object-group SELF (818 matches))
    10 permit gre object-group DMVPNIPGROUP object-group SELF
    20 permit tcp object-group DMVPNIPGROUP object-group SELF eq 4500
    30 permit tcp host HO host SELF eq 22 (18589 matches)
    40 permit tcp object-group DMVPNIPGROUP object-group SELF eq 500
    50 permit esp object-group DMVPNIPGROUP object-group SELF (424 matches)
    70 deny ip any any (7570 matches)
Extended IP access list SELF>OUTSIDE
(if this entry is included, tunnel traffic works: 8 permit ip object-group SELF object-group DMVPNIPGROUP (1013 matches))
    10 permit gre object-group SELF any
    20 permit tcp object-group SELF any eq 4500
    30 permit tcp object-group SELF eq 22 host HO (12899 matches)
    40 permit tcp object-group SELF any eq 500
    50 permit esp object-group SELF any
Extended IP access list SELF>OUTSIDE_Insp
    10 permit tcp any any eq domain
    20 permit udp any any eq domain (86 matches)
Extended IP access list SELF>VPN
    10 permit ip any any (31 matches)
Extended IP access list SSH_Allow
    20 permit tcp network_obj HO any eq 22 log (22 matches)
    70 permit tcp LocalSubnet any eq 22
    80 deny ip any any log (8 matches)
Extended IP access list VPN>INSIDE
    10 permit ip any any (568 matches)
Extended IP access list VPN>SELF
    10 permit ip any any (15 matches)
Zone: self
  Description: System defined zone
Zone: OUTSIDE
  Member Interfaces:
    Dialer1
Zone: INSIDE
  Member Interfaces:
    Vlan1
Zone: VPN
  Member Interfaces:
    Tunnel0
Zone-pair              : OUTSIDE>SELF
Source Zone            : OUTSIDE
Destination Zone       : self
Service-policy inspect : PM-OUTSIDE>SELF
  Class-map : CM-OUTSIDE>SELF(match-any)
  Action : pass log
  Class-map : class-default(match-any)
  Action : drop log
Zone-pair              : INSIDE>OUTSIDE
Source Zone            : INSIDE
Destination Zone       : OUTSIDE
Service-policy inspect : PM-INSIDE>OUTSIDE
  Class-map : CM-INSIDE>OUTSIDE(match-any)
  Action : inspect
   Service Policy: http PM-DPI_HTTP_OUT
  Class-map : CM-INSIDE>OUTSIDE2(match-any)
  Action : inspect
  Class-map : class-default(match-any)
  Action : drop log
Zone-pair              : SELF>OUTSIDE
Source Zone            : self
Destination Zone       : OUTSIDE
Service-policy inspect : PM-SELF>OUTSIDE
  Class-map : CM-SELF>OUTSIDE(match-any)
  Action : pass log
  Class-map : CM-SELF>OUTSIDE_Insp(match-any)
  Action : inspect
  Class-map : class-default(match-any)
  Action : drop log
Zone-pair              : VPN>INSIDE
Source Zone            : VPN
Destination Zone       : INSIDE
Service-policy inspect : PM-VPN>INSIDE
  Class-map : CM-VPN>INSIDE(match-any)
  Action : pass log
  Class-map : class-default(match-any)
  Action : drop log
Zone-pair              : INSIDE>VPN
Source Zone            : INSIDE
Destination Zone       : VPN
Service-policy inspect : PM-INSIDE>VPN
  Class-map : CM-INSIDE>VPN(match-any)
  Action : pass log
  Class-map : class-default(match-any)
  Action : drop log
Zone-pair              : SELF>VPN
Source Zone            : self
Destination Zone       : VPN
Service-policy inspect : PM-SELF>VPN
  Class-map : CM-SELF>VPN(match-any)
  Action : pass log
  Class-map : class-default(match-any)
  Action : drop log
Zone-pair              : VPN>SELF
Source Zone            : VPN
Destination Zone       : self
Service-policy inspect : PM-VPN>SELF
  Class-map : CM-VPN>SELF(match-any)
  Action : pass log
  Class-map : class-default(match-any)
  Action : drop log
 Class Map type inspect match-any CM-SELF>OUTSIDE_Insp (id 33)
   Match access-group name SELF>OUTSIDE_Insp
 Class Map type inspect match-any CM-VPN>INSIDE (id 29)
   Match access-group name VPN>INSIDE
 Class Map type inspect match-any CM-INSIDE>VPN (id 30)
   Match access-group name INSIDE>VPN
 Class Map type inspect match-any CM-SELF>VPN (id 47)
   Match access-group name SELF>VPN
 Class Map type inspect match-any CM-VPN>SELF (id 48)
   Match access-group name VPN>SELF
 Class Map type inspect match-any CM-OUTSIDE>SELF (id 4)
   Match access-group name OUTSIDE>SELF
 Class Map type inspect match-any CM-OUTSIDE>INSIDE (id 5)
   Match access-group name OUTSIDE>INSIDE
 Class Map type inspect match-any CM-INSIDE>OUTSIDE (id 6)
   Match protocol http
 Class Map type inspect match-any CM-SELF>OUTSIDE (id 7)
   Match access-group name SELF>OUTSIDE
 Class Map type inspect match-any CM-INSIDE>OUTSIDE2 (id 10)
   Match protocol https
   Match protocol smtp

Hi
Sounds like you are having some problems :)
It would be easier to see what has been done if you posted your running-config instead of show commands; they are harder to follow than the running-config.
And it's UDP ports 500 and 4500 you want to open, not TCP.
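As an added illustration (not code from the thread), this Python sketch models the posted OUTSIDE>SELF access list together with the policy-map's class-default drop, then checks the hub-originated DMVPN flows against it as posted and with the reply's UDP correction applied. The object-group members, hub address and Dialer1 address are constructed placeholders, since the post does not show them.

```python
"""Toy evaluator for the IOS extended ACL entries quoted in the question.
Not an IOS implementation: it understands only the entry shapes on the page
(permit/deny, a protocol keyword, any/host/object-group endpoints, an optional
'eq <port>' after either endpoint) plus the ZBF rule that a flow matched by no
'permit' entry falls into class-default, which the posted policy-map drops."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder members; the post does not reveal the real groups.
OBJECT_GROUPS = {
    "DMVPNIPGROUP": ["198.51.100.10/32", "198.51.100.11/32"],  # hub addresses
    "SELF": ["203.0.113.5/32"],                                 # Dialer1 address
}
PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500}

@dataclass(frozen=True)
class Flow:
    proto: str                    # "tcp", "udp", "esp", "gre", "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def _take_endpoint(tokens, i):
    # Consume 'any', 'host <ip>' or 'object-group <name>' starting at tokens[i].
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] in ("host", "object-group"):
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    raise ValueError(f"unsupported endpoint: {tokens[i]}")

def _take_port(tokens, i):
    # Consume an optional 'eq <port>' (numeric or a name from PORT_NAMES).
    if i < len(tokens) and tokens[i] == "eq":
        t = tokens[i + 1]
        return (int(t) if t.isdigit() else PORT_NAMES[t]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    """Parse one ACE as printed by 'show access-lists' (hit counter included)."""
    tokens = line.split("(")[0].split()       # drop the '(N matches)' hit counter
    if tokens[0].isdigit():
        tokens = tokens[1:]                   # drop the sequence number
    action, proto = tokens[0], tokens[1]
    src, i = _take_endpoint(tokens, 2)
    sport, i = _take_port(tokens, i)
    dst, i = _take_endpoint(tokens, i)
    dport, _ = _take_port(tokens, i)
    return Entry(action, proto, src, sport, dst, dport)

def _endpoint_matches(token: str, addr: str) -> bool:
    if token == "any":
        return True
    kind, _, value = token.partition(" ")
    ip = ipaddress.ip_address(addr)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(n) for n in OBJECT_GROUPS[value])

def entry_matches(e: Entry, f: Flow) -> bool:
    return (e.proto in ("ip", f.proto)
            and _endpoint_matches(e.src, f.src) and _endpoint_matches(e.dst, f.dst)
            and (e.sport is None or e.sport == f.sport)
            and (e.dport is None or e.dport == f.dport))

def zbf_verdict(acl_lines, flow: Flow) -> str:
    """First matching ACE decides; a 'deny' hit or no hit means class-default, i.e. drop."""
    for line in acl_lines:
        e = parse_entry(line)
        if entry_matches(e, flow):
            return "pass" if e.action == "permit" else "drop"
    return "drop"

# The OUTSIDE>SELF list as posted (TCP for IKE and NAT-T) and with the reply's fix.
POSTED_OUTSIDE_TO_SELF = [
    "10 permit gre object-group DMVPNIPGROUP object-group SELF",
    "20 permit tcp object-group DMVPNIPGROUP object-group SELF eq 4500",
    "40 permit tcp object-group DMVPNIPGROUP object-group SELF eq 500",
    "50 permit esp object-group DMVPNIPGROUP object-group SELF (424 matches)",
    "70 deny ip any any (7570 matches)",
]
CORRECTED_OUTSIDE_TO_SELF = [line.replace("permit tcp", "permit udp")
                             for line in POSTED_OUTSIDE_TO_SELF]
HUB, SPOKE = "198.51.100.10", "203.0.113.5"    # constructed hub and Dialer1 addresses

def dmvpn_inbound(acl_lines) -> dict:
    """Verdicts for the hub-originated flows a spoke must accept into its self zone."""
    return {
        "ike udp/500": zbf_verdict(acl_lines, Flow("udp", HUB, SPOKE, dport=500)),
        "nat-t udp/4500": zbf_verdict(acl_lines, Flow("udp", HUB, SPOKE, dport=4500)),
        "esp": zbf_verdict(acl_lines, Flow("esp", HUB, SPOKE)),
        "gre": zbf_verdict(acl_lines, Flow("gre", HUB, SPOKE)),
    }
```

With the posted list only ESP and GRE reach the self zone; IKE and NAT-T fall into class-default until the two entries are rewritten as UDP.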

Similar Messages

  • Continual Mac woes (no question, just a rant)

    It's Tuesday, and I am having terrible problems with my Mac. But then, why should Tuesday be different from any other day of the week.
    Here is a typical day for me. The computer appears to be working OK. I need to watch a DVD for my work. I turn on DVD Player, and put one in. The machine can't read the disc. It clicks and whirls, but the icon does not show up on the desktop. Meanwhile, so distressed is the machine that it freaks out. What was up until now a fluidly operating machine suddenly reverts back to its old ways (i.e., its ways of two days ago). The hold-ups and spinning pinwheels begin to eat up hours of my work day. (Remember the old days when computers made life easier?) The machine becomes sticky, gummy. Oh, I can move the cursor and it seems to work for a second but then gets stuck in the dock, which explodes in icons and then freezes for five minutes. Yes. Five minutes.
    Would love to use Force Quit, but the cursor is spinning, and nothing is responding. Funny about that old Mac. You can't force quit Force Quit. I guess I need to leave it open all the time.
    Of course, FQ usually works on Safari. I have never just "quit" Safari. It always requires Force Quit, otherwise I can't turn off my computer. It stalls shut down.
    Now I have a DVD trapped in there and can't get it out. [But I just got an answer from another posting.]
    In the old Macs, there used to be a pin hole you could stick a needle into ... can't find one on my flat-panel iMac.
    I bought my Apple flat-panel iMac in August of 2002. Yes, I know that that is a long time to have a computer, but I am not rich nor attached to a corporation that can splurge on computers. The first weekend I had the machine, I had three kernel panics.
    Among the other problems I have documented are the following: the dock hiding itself unbidden and other features checking and unchecking themselves (Aug 2002); bus errors connected with OS 9 (Sept); some problems that inspired the tech person (Eric) to talk me through deleting my user i.d., resulting in the loss of two months' worth of e-mail (Thursday, 12 September); Preview problems (September); a bizarre box with an unmovable and undeletable red stop sign in it that no tech person or other Mac user I know had ever heard of (Monday 30 September); printing problems; computer won't shut down, numerous disconnection errors, which turned out to be caused by an OS X update (beginning December, 2002, or later); kernel panics (Feb); computer won't shut down (March); Faxstexx problems, program won't allow me to set it up, finally just deleted the software (April); keys like "V" freeze and repeat endlessly (May 21); DVD Player freezes (May); Safari and Mail begin quitting unexpectedly (May); cursor begins to blink and fade out, plus odd sounds come out of the speakers, a constant error beeping (Sept 9); DVD Player problems (Oct 4).
    I called AppleCare while I had it about once a week (the total between August 2002 and the time it ran out was about 155 calls). Naturally, some of these calls are motivated by user error. On the other hand, many of the issues I have called about were unprecedented as far as the Tech person was concerned, such as the blinking mouse, the red stop sign, and the DVD Player woes.
    Things improved with Panther, but in Tiger many of the same old issues have returned.
    I have been having so many problems with my Mac that I once wrote a letter to the company asking when do I qualify for a new replacement machine. I never received an answer, but I felt better for about a day. Then I turned on my Mac again.

    The spinning ball of death, as we used to call it, is often caused by a lack of RAM. It is hard to be sure as I am not working on your machine, but sometimes things can be improved with additional RAM; it makes it seem like a whole new computer.
    A lot of your problems sound like stuff that can be fixed easily enough, although frustrating things happen here and there with updates. It sounds like you are in fairly good spirits with it all. I would suggest just researching a bit more into maintenance you can do to help maintain the computer and educate yourself a bit more (sounds like you already have learned quite a bit along the way), and you will find a lot of these issues take you a few seconds to rid yourself of. I would start by making sure you are repairing permissions regularly and running the most up-to-date software. If a lot of problems persist, try creating a second user that is a "test" user to see if the problem is replicated on that user (don't delete your other one, but if you do find the problem is not on the other user, you might have a corrupt user; however, you don't have to lose all your emails, there are plenty of ways to back it up and import it in, or even just bring the entire Mail folder from your library over to the new user). Another thing you can do if you find a lot of system problems is archive and install the OS. It takes a bit of time, but doing it overnight shouldn't be an issue, and you won't lose any of your stuff.

  • ICal woes - any help please

    Hi everyone, I am having some major iCal woes that I hope someone has the answer to.
    Ok this is how I handle my workflow. I have numerous calendars such as "call", "viewing", "meeting", "work misc", "personal" etc. All colour coded and I use the month view as standard.
    Under SL I would double click the day I add an event go through the boxes (name, location, time, etc) click save and job done.
    Now under Lion when I double click a day I get an event box but only the header. So I have to type the header hit return then double click on the event again to get the box up so I can assign the event the right time and calendar to use. This is taking twice as long as it did before under SL and is a pain when you have a client on the phone. Am I missing something here? Why is it now so hard? - and I have tried that quick entry business but it doesn't work for me, I simply want the whole calendar entry box when I double click in month view.
    Next problem is all new events go in as an all-day event. Again, another click I didn't need to do in SL. Then when I untick all-day and enter a time, LionCal doesn't set the end time 1 hour later anymore; it sets it hours later for me, sometimes into the next day, so I have to click into the date box and type the end date, again a massive slow-down in my workflow.
    Finally, and most annoyingly, in month view I cannot for the life of me get a 12-hour clock with AM/PM. I checked my international page in sys prefs and all is OK, but LionCal is not playing ball.
    Any help would be appreciated as I love iCal and run my life with it over MobileMe.

    If you want to Commit changes at every record level in a Multi-Record Block, you may have to write the following triggers at the block level :-
    1) Key-Down
    2) Key-Up
    3) You will also have to handle Mouse Events
    i.e. When-Mouse-Click etc.
    In each of these triggers, issue a commit statement :-
    i.e.
    Trigger Name :- KEY-DOWN [ Defined at Block Level ]
    Trigger Code
    Commit_Form;
    Next_Record;
    The Commit_Form statement will display a message for the user to COMMIT transaction to the DB.
    Shailender

  • Airport express "G" - My woes and some thoughts. . .

    I got the AirPort about this time last year. It worked great and I loved it. In December 2007 I moved to an apartment. I got the local cable co's internet, ran it to my AX and all was well. 6 weeks ago, due to our wonderful economy, I had the cable shut off as I talked to one of my neighbors who has wireless internet running unprotected (no password). I asked him if I could leech for a bit till I got things sorted. He said cool and all was... hmm. So in my AirPort menu I select his network and my internet works, sometimes drops then comes right back, but no biggie. I reset my AX to just do AirTunes and join his network; it restarted and voila, AirTunes. Problem is that in the last month I get a lot more drop-outs, and if I go more than 2 days without streaming my AX disappears and I have to do a hard reset to get it to show up in the utility. The light is green but nothing... sometimes the amber light blinks and it never comes online at all... grrrrrr.
    Could all my newfound AX woes be due to the fact I am adding it to his network? I had no issues at all when I created my own one with my internet and AirTunes...
    Anyone?
    EDIT: let me ask this then... when I am streaming music from my MBP to the AX, am I doing it directly or am I using his network? If I am sending music from my MBP to the AX via his network then that would basically answer all my questions; if the MBP goes direct then I have no clue...
    Edits as I am brainstorming.

    EDIT: let me ask this then... when I am streaming music from my MBP to the AX, am I doing it directly or am I using his network?
    It goes from your MacBook Pro to his wireless base station... then from his base station to the AX. So it depends on the performance of his base station and network.

  • Hp Warranty Woes & Hard Drive Heartache

    HP – Warranties Woes & Hard Drive Headaches.
    Dear Internet Community (I.C)
    I need your help.
    I would like to know if I’m being unreasonable in my expectations or is Hewlett Packard (HP) not living up to its both moral & legal obligations as a good corporate citizen & what it alleges to be – a Customer Focused Global Computer Services company.
    Apologies if this is a little long winded but in the interests of fairness I need to put as many HP comments in as possible – to give you a clear picture.
    So bear with me, you will not be disappointed & there are a couple of questions you might like to answer & feedback to the appropriate parties.
    Keep in mind at all times we are talking about approximately a $200 (NZD) fix – less than the lost profit on one lost sale for an HP PC ( you might think twice about HP products after reading this).
    There are two parts to this problem :
    Part 1 :
    I purchased an HP TouchSmart a few years ago. I registered the product & warranty with them & over the years have received numerous emails stating "buy this, upgrade now".
    But I don't recall ever receiving a "WARNING – Critical Failure Issue (CFI) apply attached patch immediately" email while under warranty. Why is this relevant?
    - Seagate makes Hard Drives – in this case a Barracuda 7200.11
    - HP buys said HDs from Seagate
    - Seagate finds a problem with firmware in HDs & advises HP & supplies a fix
    - HP knows which Customers have these HDs, because you know what goes into your machines – right? See below
    - HP FAILS to send email to Customers with the fix (a simple email with attachment would solve the problem) or issue a recall.
    - HP even offers previously to fix the problem FOC & puts the fix on its Website - but only if the Customer knows somehow of the problem.
    - Should the Customer intuitively & telepathically know of problems in HP Products in advance before it fails, because of course HP is not telling their Customers.
    Problem or Outcome: My HD has bricked itself & will not operate as I never received notice of the firmware fix at any time either in or out of warranty.
    Paul Boshoff - GM - Personal Systems Group - HP NZ (PB-GMPSG) says:
    "It would be very difficult, if not impossible, for any computer vendor to proactively notify its customers of component-level updates"
    "Failures of the kind you've experienced are usually related to a specific batch of serial numbers and often those component serial numbers aren't available when the user is registering that particular computer."
    Now let me know if you think I’m wrong, but it sounds like HP does not know what goes into its machines or at the very minimum does not keep track of this.
    HP, a Global Computer Services company cannot possibly be expected to track what goes into its machines. HP apparently does not record or match the serial number of the HD with the machine it goes into.
    If Ford & Toyota can track & record what tyres go on which make & model of their cars, which are in the millions each year, & can recall cars dating back 8-10 years just in case of a manufacturer's component malfunction, why can't HP link & record the HD details?
    I can just hear it now “I’m sorry we don’t know which engine we put in your car”.
    And let’s be real clear here – we are not talking about some small screw at the back of a PC – Along with the CPU & the RAM, the Hard Drive is pretty much up there in the top 3 of important components of any computer.
    I.C – Do you feel:
    - That fills you with confidence in HP products & services?
    - Should HP be required to tell its customers of CFIs with its products – particularly while under warranty?
    - Has HP tried to limit their liability & cost by directly NOT telling Customers of CFIs while under warranty?
    Part 2 :
    When your HD bricks itself – apparently all is not lost – some very clever person has found a solution so you can get the HD going long enough to apply the firmware fix & then your HD is as good as new – Here is the link that spells it out with pics: http://www.overclock.net/t/457286/seagate-bricked-firmware-drive-fix-with-pics
    You’ll see the relevance of this shortly.
    After much messing about I received the following email from PB- GMPSG : “I have escalated your issue and have just received the go-ahead to repair your unit at our cost. We will be utilizing our own, authorized service provider to re-install the original hard-drive and to run the software fix on that unit.” (This guy most likely earns a six figure salary & isn’t able to sign off $200 fix).
    NOTE : it does not limit or restrict what type of fixes will be used & also at this time HP was aware of both the Seagate fix & above fix.
    I delivered the PC & bricked HD into the HP Authorised Repair Centre (ARC) as requested –their ticket instructions read “do firmware update…HP to incur costs. NO COST to customer”.
    Obviously it’s not rocket science but you need the HD going before you can apply any firmware fix including this one – HP knew that to get the HD going they would need a special fix to enable them to apply the Seagate fix.
    After all this is not an isolated case & I did point out to HP that they would need the fix I supplied (or something similar HP approved or designed if that made them more comfortable) prior to their offer of fixing the HD.
    HP said their ARCs had all the right software for fixing their machines. In addition I have been told on several occasions the ARCs are the bee's knees, the cat's pajamas, the whiz kids of the PC service world: "The first port of call for the repair centre agent is to download all the latest service advisory notices and updates. This is a very fundamental part of the repair process and one that we spend a great deal of time emphasizing with our authorised repair centres." Keep this in mind.
    A week later I received a call from Peter Gasporaratos, HP CS Melbourne (poor guy – caught in the middle) & he stated "there is nothing else we can do for you". When I asked if they had applied the fix he said "it's not our responsibility... it's not part of our guidelines... the ARC does not practice unauthorised methods... & this ARC will not go down this path".
    Ironically the day before, Barry from the ARC said “we can attempt it, but we will charge you too”. So HP’s own ARC will do it, but there will be a cost – but hang on a minute, didn’t PB- GMPSG say “to repair your unit at our cost. We will be utilizing our own, authorized service provider to re-install the original hard-drive and to run the software fix on that unit” & HP CS put on the instructions “HP to incur costs. NO COST to customer”.
    I.C – Do you feel:
    - HP have said they will fix it at NO COST to me, regardless of what the fix entails?
    - Should HP honour this commitment?
    - Would you do business with a company that says one thing & does another & does not honour its commitment?
    - Given that the bricking fault did not need to happen if HP had been proactive in letting their customers know of the firmware issue, & this is not an isolated case, shouldn't they then be responsible for finding or developing a fix for getting the HD going long enough to apply the firmware fix if they are not going to use other recognised fixes?
    Abstract
    So that’s it – what do you think I.C. ?
    Would you want HP computers & servers controlling the Traffic Lights, Air Traffic Control, Patient records & Medications at Hospitals knowing that HP will not tell these organisations that there is CFI with their products & they could suddenly lose everything. All dead while they try to find a back up computer with all the data – god forbid if President Obama’s “football” is powered by an HP – Nuclear War before we know it.
    But seriously – I would love your feedback – Am I being unreasonable in asking them to honour their commitment for a $200 fix ?
    And of course HP being a Customer Focused Global Computer Services company, would welcome your feedback.
    Here are a couple of the players contact details who would love to hear from you :
    - Keith Watson – CEO – HP NZ - I initially contacted him & he thanked me for bringing it to his attention, then nothing.
    Email : [email protected]
    - Paul Boshoff - GM - Personal Systems Group - HP NZ – well of course you now know who he is – he would love feedback.
    Email : [email protected]
    - Jessica Rangi – She's the spokesperson/PR/Marketing for HP NZ & has just helped launch HP's new PC range in NZ – She would love your feedback as it might impact on her marketing & she is quoted as having helped out in warranty situations before & has worked at HP head office.
    Email : [email protected]
    - Meg Whitman - President and Chief Executive Officer of HP Global
    Email : [email protected]
    They would all like to hear from you :)
    I.C
    :) Thanks for being patient & reading through to the end – now it's up to you
    :( buy HP Products & Services or not.
    :( Do HP deserve your hard-earned money if you now believe they aren't going to tell you about problems with their Products & Services?
    Be kind to one another & take care.
    Regards
    Smithie
    P.S - I sent this blog to HP for fact & quote checking prior to uploading (I gave them over a week to reply) – the silence was deafening from HP.

    When requesting assistance, please provide the complete model name and product number of the HP computer in question. HP/Compaq makes thousands of models of computers. Without this information it may be difficult or impossible to assist you in resolving your issue.
    The above requested information can be found on the bottom of your computer or inside the battery compartment. Please do not include your serial number. Please enter the model/product information into HP's Online Consumer Support page and post it here for our review.
    I doubt the hard drive would be covered by buying an extended warranty after the fact. There is also no reason to buy a new hard drive from HP. Almost any 2.5" hard drive on the market will work in your computer. You will need your personal HP Recovery Disc set to return the computer to a factory-like state. If you didn't create these discs, you will need to order a set.
    If you have any further questions, please don't hesitate to ask.
    Please click the white KUDOS star to show your appreciation
    Frank
    {------------ Please click the "White Kudos" Thumbs Up to say THANKS for helping.
    Please click the "Accept As Solution" on my post, if my assistance has solved your issue. ------------V
    This is a user supported forum. I am a volunteer and I don't work for HP.
    HP 15t-j100 (on loan from HP)
    HP 13 Split x2 (on loan from HP)
    HP Slate8 Pro (on loan from HP)
    HP a1632x - Windows 7, 4GB RAM, AMD Radeon HD 6450
    HP p6130y - Windows 7, 8GB RAM, AMD Radeon HD 6450
    HP p6320y - Windows 7, 8GB RAM, NVIDIA GT 240
    HP p7-1026 - Windows 7, 6GB RAM, AMD Radeon HD 6450
    HP p6787c - Windows 7, 8GB RAM, NVIDIA GT 240

  • ZBF Class-map and different way of doing them

    Hi people, just thought I would ask a question on how to set up a ZBF (question at the end of the example configs).
    I have been playing with this for a while now and would like to get advice on what is the recommended way of doing multiple matches.
    OK, we all know the basic:
    class-map type inspect match-any ZBF_CM_ICMP
    match protocol icmp
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_ICMP
      inspect
    and the ZP doesn't need to be shown; this is a simple map using NBAR, fair enough.
    Then we could do multiple matches:
    class-map type inspect match-any ZBF_CM_STD_DMZ_PORTS
    match protocol icmp
    match protocol http
    match protocol dns
    match protocol https
    policy-map type inspect ZBF_PM_DMZ->EXTERNAL
    class type inspect ZBF_CM_STD_DMZ_PORTS
      inspect
    OK, still easy to understand, but now comes the bit that is a little more complex: non-NBAR matches.
    ip access-list extended AL_RDP_PORT
    permit tcp any any eq 3389
    class-map type inspect match-all ZBF_CM_RDP
    match access-group name AL_RDP_PORT
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_RDP
      inspect
    This config is now using an access list because NBAR doesn't have the protocol in it, then maps the AL to the CM, then the CM to the PM. The next example is what I set up to get more non-NBAR ports, and only for one host:
    ip access-list extended AL_HOST_IP_IN
    permit ip any host 11.11.11.11
    ip access-list extended AL_ISATAP
    permit 41 any any
    ip access-list extended AL_TEREDO
    permit udp any any eq 3544
    class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
    description Nested Class Map
    match access-group name AL_ISATAP
    match access-group name AL_TEREDO
    match protocol https
    class-map type inspect match-all ZBF_CM_APP_IN
    match access-group name AL_HOST_IP_IN
    match class-map ZBF_CM_DirectAccess_Protocols
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_APP_IN
      inspect (or pass, with a rule for the other direction)
    This is what I set up and it works, not for this example but for the rule flow. I then was having issues with DMVPN and ZBF (turned out to be an IOS bug annoying me), but I used Cisco CP to set up the ZBF automatically for the DMVPN, and its ZBF rules were the same procedure as below.
    ip access-list extended AL_HOST_IP_IN
    permit ip any host 11.11.11.11
    ip access-list extended AL_ISATAP
    permit 41 any any
    ip access-list extended AL_TEREDO
    permit udp any any eq 3544
    class-map type inspect match-any CM_ISATAP
    match access-group name AL_ISATAP
    class-map type inspect match-any CM_TEREDO
    match access-group name AL_TEREDO
    class-map type inspect match-any ZBF_CM_DirectAccess_Protocols
    description Nested Class Map
    match class-map CM_ISATAP
    match class-map CM_TEREDO
    match protocol https
    class-map type inspect match-all ZBF_CM_APP_IN
    match access-group name AL_HOST_IP_IN
    match class-map ZBF_CM_DirectAccess_Protocols
    policy-map type inspect ZBF_PM_EXTERNAL->DMZ
    class type inspect ZBF_CM_APP_IN
      inspect
    So what Cisco CP did was make yet another level of nesting: rather than the match-all class map having the match access-group command, it made a CM with the access list, and then the main class map had only other match class-map commands in it.
    QUESTION:
    Why did Cisco CP do the extra nesting?
    Both ways worked, but I would like to know why Cisco CP did the same thing with the other layer of CM. Did it do this for best practice, or does this make changes later easier? I can't understand what the advantage is of doing it this way, but if there is a valid reason then great, I'm just trying to understand.
    thanks
    regards
    A very sore headed
    Dave
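    An added example (not from the thread) that models the two class-map layouts in the post as Python predicates: it shows that the outer match-all class combined with the nested match-any class gives the same verdicts whether the inner class lists the ACLs directly or goes through one class-map per ACL, and what the same four matches would do in a single match-all class with no nesting. NBAR classification and the sample flows are constructed stand-ins.

```python
"""Evaluates the class-map layouts from the post against sample flows.
Not IOS code: each ACL is reduced to its single ACE as a predicate, and
NBAR classification is replaced by a label carried on the flow."""
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Flow:
    proto: str                    # IP protocol keyword or number, e.g. "udp", "41"
    dst: str
    dport: Optional[int] = None
    nbar: Optional[str] = None    # what 'match protocol' (NBAR) would classify this as

Match = Callable[[Flow], bool]

# The three access lists from the post, each a single ACE.
def al_host_ip_in(f: Flow) -> bool:   # permit ip any host 11.11.11.11
    return f.dst == "11.11.11.11"
def al_isatap(f: Flow) -> bool:       # permit 41 any any
    return f.proto == "41"
def al_teredo(f: Flow) -> bool:       # permit udp any any eq 3544
    return f.proto == "udp" and f.dport == 3544

@dataclass
class ClassMap:
    name: str
    mode: str                     # "match-any" (OR of the lines) or "match-all" (AND)
    matches: List[Match]
    def evaluate(self, f: Flow) -> bool:
        results = [m(f) for m in self.matches]
        return any(results) if self.mode == "match-any" else all(results)

def protocol(name: str) -> Match:     # match protocol <name>
    return lambda f: f.nbar == name
def class_map(cm: ClassMap) -> Match: # match class-map <name>
    return cm.evaluate

# Layout 1 (hand-written): ACLs matched directly inside the nested match-any class.
DA_FLAT = ClassMap("ZBF_CM_DirectAccess_Protocols", "match-any",
                   [al_isatap, al_teredo, protocol("https")])
APP_IN_FLAT = ClassMap("ZBF_CM_APP_IN", "match-all",
                       [al_host_ip_in, class_map(DA_FLAT)])

# Layout 2 (as Cisco CP generated it): one match-any class per ACL, then nested.
CM_ISATAP = ClassMap("CM_ISATAP", "match-any", [al_isatap])
CM_TEREDO = ClassMap("CM_TEREDO", "match-any", [al_teredo])
DA_NESTED = ClassMap("ZBF_CM_DirectAccess_Protocols", "match-any",
                     [class_map(CM_ISATAP), class_map(CM_TEREDO), protocol("https")])
APP_IN_NESTED = ClassMap("ZBF_CM_APP_IN", "match-all",
                         [al_host_ip_in, class_map(DA_NESTED)])

# The same four matches in one match-all class, with no nesting at all.
APP_IN_UNNESTED = ClassMap("ZBF_CM_APP_IN_unnested", "match-all",
                           [al_host_ip_in, al_isatap, al_teredo, protocol("https")])

SAMPLE_FLOWS = {                      # constructed test traffic
    "teredo to the DA host": Flow("udp", "11.11.11.11", 3544),
    "isatap to the DA host": Flow("41", "11.11.11.11"),
    "https to the DA host": Flow("tcp", "11.11.11.11", 443, nbar="https"),
    "https to another host": Flow("tcp", "11.11.11.12", 443, nbar="https"),
    "ssh to the DA host": Flow("tcp", "11.11.11.11", 22, nbar="ssh"),
}

def compare_layouts() -> dict:
    """{description: (flat, nested, unnested)} class-match verdicts per sample flow."""
    return {d: (APP_IN_FLAT.evaluate(f), APP_IN_NESTED.evaluate(f),
                APP_IN_UNNESTED.evaluate(f))
            for d, f in SAMPLE_FLOWS.items()}
```

    The unnested column never matches, because match-all needs every line to be true and no single flow is both ISATAP and Teredo; the nesting is what turns the protocol list into an OR inside the host AND, and the extra per-ACL layer does not change any verdict.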

    When people say "use as few classes as possible", it's usually related not to optimizing heap usage, but to jar size.
    But it's true that some smart use of OOP can save a lot of memory during runtime (and even jar size in some cases). Using an interface in my GUI library helps make the architecture a lot simpler and more compact, to the point that even if all the GUI widgets are being used (so the "just loading the code you need at the moment" argument is moot) memory use is still smaller because I need a lot fewer hacks to glue everything together.
    It is still worth noting that often memory fragmentation is the true cause of running-out-of-memory errors, and in this case loading many small classes will achieve exactly the opposite.
    shmoove

  • Intel mini RAM woes...

    OK, I'm pretty savvy when it comes to most things computer related, but maybe I'm missing something on this one. I bought my Intel mini with the stock 512MB of RAM and decided I wanted to upgrade to 2GB. The price of RAM is fairly steep right now, so I decided I would do this one stick at a time. I purchased my 1GB stick to get me going from Crucial (due to their reputation). I used their memory advisor to make sure I was ordering the correct memory for my machine and verified the memory matched what I ordered before it was installed. I installed the 1GB stick with one of the original 256MB sticks, thinking I would maximize what I had available until I was able to purchase my second stick. After doing so I had nothing but problems. I kept getting spontaneous shutdowns, and when booting up it would reboot itself sometimes 2 or 3 times before I could finally get to the desktop. So, I'm stumped. I've gone through and double-checked that the memory was seated right, ran TechTool Pro 4, ran the Apple hardware test, reset my PRAM, reset my SMC and even took out my 256MB stick to see if having an unmatched pair could be the issue. Everything looked fine and all tests passed. According to Crucial's website it is not "necessary" to have a pair of sticks in the mini to run properly. It even says I should be able to run different speeds and chip capacities. I was still getting the same result with just the 1GB Crucial stick by itself. I have since put my 2 original 256MB sticks back in and all seems to be well. I know there is a possibility that I got a bad stick of RAM, but I definitely have my doubts based on Crucial's reputation. I know how to handle computer components, so I also highly doubt that I damaged the RAM. Is there something I'm missing? Do I need to have a matching pair of sticks (size and speed)? I'm racking my brain on this one; hopefully someone will be able to shed some light on my dilemma.

    Okay, new problem... I'm starting to think now that maybe my RAM woes were not RAM woes at all. I'm beginning to think that perhaps I have a failing hard drive. Right away after purchasing my Mac mini I took the original 80GB hdd out and replaced it with a brand new 120GB 5400rpm Seagate hdd. I started having these random shutdown problems and then yesterday, after having my new 2GB of RAM installed for about a week or so (and working flawlessly), I got the screen that tells me that I need to hold down the power button to restart my computer. I do so and it goes to this terminal type screen and runs through all kinds of command lines. I restarted and the desktop came back up so I did a couple of software updates (1 Airport update, 1 Security update). After that finishes the mini restarts and it hangs at the grey screen w/the apple. So, I shut the computer down and restarted and this time it gets to the 'OS X starting up' screen and hangs when the status bar reaches the end. So, I shut it down and restart yet again. It goes on and on like this and finally ends up getting to the desktop after roughly 6 restarts. I quickly back up everything on my computer and try a few more restarts to see the progression of the problem and try to troubleshoot. At one point I heard the hard drive click 2 times. After another round of numerous restarts I get back to the desktop and by this time a lot of my programs were getting the beachball when opened and would never function (i.e. Disk Utility, System Profiler & Safari). I put my Mac mini OS X install disc in and restarted to wipe everything out and see if my OS got messed up somewhere along the way and was causing my problems. As soon as it boots from the disc I got an error box informing me that it cannot install the OS but allows me to access Disk Utility. I erased and did a 1X pass zero out. I restarted my machine and yet again it hung at the grey screen with the apple. I restarted a couple more times and now it just tells me it cannot install the OS and shuts itself down within a few seconds of this message.
    So, this is where I'm at now... Can anyone else confirm that this sounds hard drive related vs. RAM related? The only variable that has changed recently has been the RAM and I refuse to believe that I got bad RAM twice in a row from a company as reputable as Crucial.
    Help me AndyO, you're my only hope! (yes, that was a nerdy Star Wars reference)

  • Can a zbf be used as an application proxy

    By that I mean, can it accept an incoming connection, then turn around and forward that connection off to an internal host, making it appear that the connection request came from the ZBF itself?  If so, can someone point me to a config example?
    Thanks,
    -Mathew Rouch

    Hi Tiberiu,
    I think SAP Web Dispatcher will fill most of your requirements:
    http://help.sap.com/saphelp_nw04/helpdata/en/42/5cfd3b0e59774ee10000000a114084/frameset.htm
    Hope this helps!
    Juan
    Please reward with points if helpful

  • Top Margin Woes: Setting the "Before" Margin for Every Page in a Section

    Hi,
    I've scoured the forums to no avail on this one. I am trying to create a document where the text in Section 1 appears 1 inch from the top of each page and 2 inches from the top of each page in Section 2. Should be pretty straightforward, right? Please tell me it is! I'm using Pages '09 (version 4.0.5).
    Right now, the document margin is set to 1 inch from the Top, so Section 1 is fine. For Section 2, when setting the Before margins after a Layout Break (in the Layout Inspector under the Layout tab), only the first page of that section gets a Before margin of 2 inches. Every page after that in Section 2 is still 1 inch from the top.
    Suggested Workaround Attempted
    I tried the "Move Object to Section Master" workaround, but the menu item "Format > Advanced > Move Object to Section Master" is disabled when performed on an "inline" object, which is what is required to force the text down from the top of each page in Section 2. Turning it into a "floating" object enables the "Move Object to Section Master" menu item, but since it is floating, the text for that section is not pushed down; the rectangle is just displayed in the background of each page in Section 2.
    Any ideas on how to solve my Top margin woes would be much appreciated!

    Hello
    To push text down in the text body the clean way, which means setting space after, requires that we already have a paragraph, which means a chunk of text ended by a paragraph break.
    It's exactly what I do.
    Most of the time we don't put a paragraph break at the end of a header, so it's not a paragraph and so we can't define the space-after value.
    My tip just gives it the status of a paragraph, allowing me to define space after the clean way. The dirty way was to insert several returns to adjust the height, which I carefully rejected.
    It's exactly what we discovered some months ago:
    we can't set space before (above) at the top of a page because there is no paragraph before (above) it in the page.
    As far as I know, the "Use Previous Headers and Footers" setting must always be set correctly. I'm remembering a thread which became huge because the OP couldn't understand that he had to define these properties correctly to get correct results with his captured pages.
    I wish to add that at this time we don't know exactly what the OP wants to achieve.
    Maybe he wants to move down the top of the print area and the header.
    You can't do that with your tip.
    With mine, I just insert a paragraph break at the beginning of the header.
    Yvan KOENIG (VALLAURIS, France) vendredi 8 juillet 2011 17:50:30
    iMac 21”5, i7, 2.8 GHz, 4 Gbytes, 1 Tbytes, mac OS X 10.6.8
    Please : Search for questions similar to your own before submitting them to the community
    To be the AW6 successor, iWork MUST integrate a TRUE DB, not a list organizer !

  • TOC Page-size woes...

    Using InDesign's (CS4) TOC generator, it generates the TOC with the proper page numbers for the book's sections, but the page size seems to be wrong. I'm using 1/2 letter size for the page, but the TOC generated appears to have been formatted for a full letter page... it looks like this...
    If the pipe symbols below represent the page boundaries, the dots preceding the page numbers "wrap" to the next line... I know that it's formatting the page for a full letter size, because when I print it out, everything is aligned perfectly on a sheet of 8-1/2" x 11" paper:
    | Chapter 1....................................|
    |.................... 25                          |
    | Chapter 2....................................|
    |.................... 76                          |
    Anyone out there have any idea why it's doing this ?... I created the TOC document page with a size of 1/2-letter, but the TOC generator doesn't seem to be recognizing this. Any help is greatly appreciated.
    regards,
    Terry

    THANK-YOU, Gabriel!... that worked!
    regards,
    Terry
    Date: Sat, 7 Nov 2009 11:44:39 -0700
    Subject: TOC Page-size woes...
    It appears that you need to adjust the tab settings in the paragraph style that is being applied to the TOC entries. Make sure that only one Right-justified tab is set at the end of the text frame. If a tab extends beyond the edge of the text frame, the text will be forced to "wrap" to a new line. Sometimes it helps to clear all the tabs and then start over if multiple and unneeded tabs have been set.

  • ZBF review and Issues on 871W

    Hello, I am working with an 871W and I am trying to switch from ip inspect to zone-based firewall.  Below are the class-maps, policy-map, zone-pairs, zones, and ACLs.  The issue I am having is that once I deploy the ZBF, I cannot get an IP via DHCP.  Please review and suggest any improvements or fixes needed?
    class-map type inspect match-any Egress-Filter
     match access-group name egress-filter
    class-map type inspect match-any Guest_Protocols
     match protocol http
     match protocol https
     match protocol dns
    class-map type inspect match-any Ingress-Filter
     match access-group name ingress-filter
    class-map type inspect match-any All_Protocols
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-all DHCP-Allow
     match access-group name dhcp-allow
    policy-map type inspect Self_to_Internet
     class type inspect Egress-Filter
      inspect
     class class-default
      drop log
    policy-map type inspect Internet_to_Self
     class type inspect Ingress-Filter
      inspect
     class class-default
      drop log
    policy-map type inspect Trusted_To_Self
     class type inspect All_Protocols
      inspect
     class type inspect DHCP-Allow
      pass
     class class-default
      drop log
    policy-map type inspect Guest_to_Internet
     class type inspect Guest_Protocols
      inspect
     class class-default
      drop log
    policy-map type inspect Internet_to_Guest
     class type inspect Ingress-Filter
      inspect
     class class-default
      drop log
    policy-map type inspect Trusted_to_Self
     class type inspect All_Protocols
      inspect
     class type inspect DHCP-Allow
      pass
     class class-default
      drop log
    policy-map type inspect Self_to_Trusted
     class type inspect All_Protocols
      inspect
     class type inspect DHCP-Allow
      pass
     class class-default
      drop log
    policy-map type inspect Trusted_to_Internet
     class type inspect All_Protocols
      inspect
     class class-default
      drop log
    policy-map type inspect Internet_to_Trusted
     class type inspect Ingress-Filter
      inspect
     class class-default
      drop log
    policy-map type inspect Guest_to_Self
     class type inspect All_Protocols
      inspect
     class type inspect DHCP-Allow
      pass
     class class-default
      drop log
    policy-map type inspect Self_to_Guest
     class type inspect All_Protocols
      inspect
     class type inspect DHCP-Allow
      pass
     class class-default
      drop log
    zone-pair security Trusted->Internet source Trusted destination Internet
     service-policy type inspect Trusted_to_Internet
    zone-pair security Guest->Internet source Guest destination Internet
     service-policy type inspect Guest_to_Internet
    zone-pair security Internet->Trusted source Internet destination Trusted
     service-policy type inspect Internet_to_Trusted
    zone-pair security Internet->Guest source Internet destination Guest
     service-policy type inspect Internet_to_Guest
    zone-pair security Self->Internet source self destination Internet
     service-policy type inspect Self_to_Internet
    zone-pair security Internet->Self source Internet destination self
     service-policy type inspect Internet_to_Self
    zone-pair security Self->Trusted source self destination Trusted
     service-policy type inspect Self_to_Trusted
    zone-pair security Trusted->Self source Trusted destination self
     service-policy type inspect Trusted_to_Self
    zone-pair security Self->Guest source self destination Guest
     service-policy type inspect Self_to_Guest
    zone-pair security Guest->Self source Guest destination self
     service-policy type inspect Guest_to_Self
    zone security Trusted
    zone security Guest
    zone security Internet
    ip access-list extended NAT
     deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
     permit ip any any
    ip access-list extended dhcp-allow
     permit udp any eq bootps any
     permit udp any any eq bootpc
     permit udp any any eq bootps
     permit udp any eq bootpc any
    ip access-list extended egress-filter
     permit ip <REMOVED> 0.0.0.2 any
     remark ----- Junk Traffic -----
     deny   ip any host <REMOVED>
     deny   ip any host <REMOVED>
     deny   ip host <REMOVED> any
     deny   ip host <REMOVED> any
     remark ----- Bogons Filter -----
     deny   ip 0.0.0.0 0.255.255.255 any
     deny   ip 10.0.0.0 0.255.255.255 any
     deny   ip 127.0.0.0 0.255.255.255 any
     deny   ip 169.254.0.0 0.0.255.255 any
     deny   ip 172.16.0.0 0.15.255.255 any
     deny   ip 192.0.0.0 0.0.0.255 any
     deny   ip 192.0.2.0 0.0.0.255 any
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 198.18.0.0 0.1.255.255 any
     deny   ip 198.51.100.0 0.0.0.255 any
     deny   ip 203.0.113.0 0.0.0.255 any
     deny   ip 224.0.0.0 31.255.255.255 any
     deny   ip any any
    ip access-list extended ingress-filter
     remark ----- Allow access from work
     permit ip <REMOVED> 0.0.0.127 any
     permit ip <REMOVED> 0.0.0.31 any
     permit ip <REMOVED> 0.0.0.255 any
     permit esp any host <REMOVED>
     permit gre any host <REMOVED>
     permit udp any host <REMOVED> eq isakmp
     remark ----- To get IP form COX -----
     permit udp any eq bootps any eq bootpc
     deny   icmp any any
     deny   udp any any eq echo
     deny   udp any eq echo any
     deny   tcp any any fragments
     deny   udp any any fragments
     deny   ip any any fragments
     deny   ip any any option any-options
     deny   ip any any ttl lt 4
     deny   ip any host <REMOVED>
     deny   ip any host <REMOVED>
     deny   udp any any range 33400 34400
     remark ----- Bogons Filter -----
     deny   ip 0.0.0.0 0.255.255.255 any
     deny   ip 10.0.0.0 0.255.255.255 any
     deny   ip 127.0.0.0 0.255.255.255 any
     deny   ip 169.254.0.0 0.0.255.255 any
     deny   ip 172.16.0.0 0.15.255.255 any
     deny   ip 192.0.0.0 0.0.0.255 any
     deny   ip 192.0.2.0 0.0.0.255 any
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 198.18.0.0 0.1.255.255 any
     deny   ip 198.51.100.0 0.0.0.255 any
     deny   ip 203.0.113.0 0.0.0.255 any
     deny   ip 224.0.0.0 31.255.255.255 any
     remark ----- Internal networks -----
     deny   ip <REMOVED> 0.0.0.3 any
     deny   ip any any

    Running Config
    ! Last configuration change at 05:24:59 AZT Sun Feb 19 2012 by asucrews
    ! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
    version 12.4
    configuration mode exclusive auto expire 600
    parser cache
    no service log backtrace
    no service config
    no service exec-callback
    service nagle
    service slave-log
    no service slave-coredump
    no service pad to-xot
    no service pad from-xot
    no service pad cmns
    no service pad
    no service telnet-zeroidle
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    no service exec-wait
    service linenumber
    no service internal
    no service scripting
    no service compress-config
    service prompt config
    no service old-slip-prompts
    service pt-vty-logging
    no service disable-ip-fast-frag
    service sequence-numbers
    hostname rtwan
    boot-start-marker
    boot-end-marker
    logging exception 4096
    logging count
    no logging message-counter log
    no logging message-counter debug
    logging message-counter syslog
    no logging snmp-authfail
    no logging userinfo
    logging buginf
    logging queue-limit 100
    logging queue-limit esm 0
    logging queue-limit trap 100
    logging buffered 65536
    no logging persistent
    logging rate-limit 512 except critical
    logging console guaranteed
    logging console critical
    logging monitor debugging
    logging on
    enable secret 5
    enable password 7
    aaa new-model
    aaa group server radius rad_eap
    server auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa accounting network acct_methods
    action-type start-stop
    group rad_acct
    aaa session-id common
    memory-size iomem 10
    clock timezone AZT -7
    clock save interval 8
    errdisable detect cause all
    errdisable recovery interval 300
    dot11 syslog
    dot11 activity-timeout unknown default 60
    dot11 activity-timeout client default 60
    dot11 activity-timeout repeater default 60
    dot11 activity-timeout workgroup-bridge default 60
    dot11 activity-timeout bridge default 60
    dot11 ssid guestonpg
    vlan 2
    authentication open
    authentication key-management wpa optional
    guest-mode
    wpa-psk ascii 7
    dot11 ssid playground
    vlan 1
    authentication open
    authentication key-management wpa optional
    wpa-psk ascii 7
    dot11 aaa csid default
    no ip source-route
    no ip gratuitous-arps
    ip icmp redirect subnet
    ip spd queue threshold minimum 73 maximum 74
    ip options drop
    ip dhcp bootp ignore
    ip dhcp excluded-address 192.168.16.33 192.168.16.40
    ip dhcp excluded-address 192.168.16.1 192.168.16.7
    ip dhcp pool vlan1pool
       import all
       network 192.168.16.0 255.255.255.224
       default-router 192.168.16.1
       domain-name jeremycrews.home
       lease 4
    ip dhcp pool vlan2pool
       import all
       network 192.168.16.32 255.255.255.224
       default-router 192.168.16.33
       domain-name guest.jeremycrews.home
       lease 0 6
    ip cef
    ip inspect name firewall tcp router-traffic
    ip inspect name firewall udp router-traffic
    ip inspect name firewall icmp router-traffic
    no ip bootp server
    no ip domain lookup
    ip domain name jeremycrews.home
    ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
    ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
    ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
    ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
    ip host ooma.jeremycrews.home 192.168.16.5
    ip host xbox.jeremycrews.home 192.168.16.6
    ip host wii.jeremycrews.home 192.168.16.7
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip accounting-threshold 100
    ip accounting-list 192.168.16.0 0.0.0.31
    ip accounting-list 192.168.16.32 0.0.0.31
    ip accounting-transits 25
    ip igmp snooping vlan 1
    ip igmp snooping vlan 1 mrouter learn pim-dvmrp
    ip igmp snooping vlan 2
    ip igmp snooping vlan 2 mrouter learn pim-dvmrp
    ip igmp snooping
    login block-for 120 attempts 5 within 60
    login delay 5
    login on-failure log
    parameter-map type inspect log
    audit-trail on
    dot1x system-auth-control
    memory free low-watermark processor 65536
    memory free low-watermark IO 16384
    file prompt alert
    emm clear 1b5b324a1b5b303b30480d
    vtp file flash:vlan.dat
    vtp mode server
    vtp version 1
    username privilege 15 password 7
    username privilege 15 password 7
    no crypto isakmp diagnose error
    archive
    log config
      no record rc
      logging enable
      no logging persistent reload
      no logging persistent
      logging size 255
      notify syslog contenttype plaintext
      no notify syslog contenttype xml
      hidekeys
    path tftp://192.168.16.12/rtwan-config
    maximum 10
    no rollback filter adaptive
    rollback retry timeout 0
    write-memory
    time-period 10080
    scripting tcl low-memory 28965007
    scripting tcl trustpoint untrusted terminate
    no scripting tcl secure-mode
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh break-string ~break
    ip ssh logging events
    ip ssh version 2
    ip ssh dh min size 1024
    class-map type inspect match-any Egress-Filter
    match access-group name egress-filter
    class-map type inspect match-any Guest_Protocols
    match protocol http
    match protocol https
    match protocol dns
    match protocol bootpc
    match protocol bootps
    class-map type inspect match-any Ingress-Filter
    match access-group name ingress-filter
    class-map type inspect match-any All_Protocols
    match protocol tcp
    match protocol udp
    match protocol icmp
    class-map type inspect match-all DHCP-Allow
    match access-group name dhcp-allow
    policy-map type inspect Self_to_Internet
    class type inspect Egress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Self
    class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Self_To_Self
    class class-default
      drop log
    policy-map type inspect Trusted_To_Self
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Guest_to_Internet
    class type inspect Guest_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Guest
    class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Trusted_to_Self
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Self_to_Trusted
    class type inspect All_Protocols
      inspect
    class type inspect DHCP-Allow
      pass
    class class-default
      drop log
    policy-map type inspect Trusted_to_Internet
    class type inspect All_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Internet_to_Trusted
    class type inspect Ingress-Filter
      inspect
    class class-default
      drop log
    policy-map type inspect Guest_to_Self
    class type inspect All_Protocols
      inspect
    class class-default
      drop log
    policy-map type inspect Self_to_Guest
    class type inspect All_Protocols
      inspect
    class class-default
      drop log
    zone security Trusted
    zone security Guest
    zone security Internet
    zone-pair security Trusted->Internet source Trusted destination Internet
    service-policy type inspect Trusted_to_Internet
    zone-pair security Guest->Internet source Guest destination Internet
    service-policy type inspect Guest_to_Internet
    zone-pair security Internet->Trusted source Internet destination Trusted
    service-policy type inspect Internet_to_Trusted
    zone-pair security Internet->Guest source Internet destination Guest
    service-policy type inspect Internet_to_Guest
    zone-pair security Self->Internet source self destination Internet
    service-policy type inspect Self_to_Internet
    zone-pair security Internet->Self source Internet destination self
    service-policy type inspect Internet_to_Self
    zone-pair security Self->Trusted source self destination Trusted
    service-policy type inspect Self_to_Trusted
    zone-pair security Trusted->Self source Trusted destination self
    service-policy type inspect Trusted_to_Self
    zone-pair security Self->Guest source self destination Guest
    service-policy type inspect Self_to_Guest
    zone-pair security Guest->Self source Guest destination self
    service-policy type inspect Guest_to_Self
    bridge irb
    interface Loopback0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    snmp trap link-status
    interface Null0
    no ip unreachables
    interface FastEthernet0
    description To switch
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode trunk
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    snmp trap link-status
    ip igmp snooping tcn flood
    interface FastEthernet1
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode trunk
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    shutdown
    snmp trap link-status
    spanning-tree portfast
    ip igmp snooping tcn flood
    interface FastEthernet2
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode access
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    shutdown
    snmp trap link-status
    spanning-tree portfast
    ip igmp snooping tcn flood
    interface FastEthernet3
    description Ooma Hub 192.168.16.5
    switchport access vlan 1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1-4094
    switchport mode access
    switchport voice vlan none
    switchport priority extend none
    switchport priority default 0
    shutdown
    snmp trap link-status
    spanning-tree portfast
    ip igmp snooping tcn flood
    interface FastEthernet4
    description Cox Internet Connection
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    ip flow ingress
    ip flow egress
    ip nat outside
    no ip virtual-reassembly
    duplex auto
    speed auto
    snmp trap link-status
    no cdp enable
    zone-member security Internet
    interface Dot11Radio0
    description Radio b/g
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    beacon period 100
    beacon dtim-period 2
    dot11 extension aironet
    encryption vlan 1 mode ciphers aes-ccm tkip wep128
    encryption vlan 2 mode ciphers aes-ccm tkip wep128
    broadcast-key vlan 1 change 3600 membership-termination
    broadcast-key vlan 2 change 3600 membership-termination
    ssid guestonpg
    ssid playground
    countermeasure tkip hold-time 60
    short-slot-time
    speed ofdm join
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    packet retries 64
    preamble-short
    channel least-congested
    fragment-threshold 2346
    station-role root
    rts threshold 2312
    rts retries 64
    antenna receive diversity
    antenna transmit diversity
    payload-encapsulation rfc1042
    snmp trap link-status
    interface Dot11Radio0.1
    description Home WLAN
    encapsulation dot1Q 1 native
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no snmp trap link-status
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.2
    description Guest WLAN
    encapsulation dot1Q 2
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no snmp trap link-status
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Vlan1
    description Home LAN
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    autostate
    snmp trap link-status
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan2
    description Guest LAN
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    autostate
    snmp trap link-status
    bridge-group 2
    bridge-group 2 spanning-disabled
    interface BVI1
    description Home Bridge LAN to WLAN
    ip address 192.168.16.1 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    snmp trap link-status
    zone-member security Trusted
    interface BVI2
    description Guest Bridge LAN to WLAN
    ip address 192.168.16.33 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly
    snmp trap link-status
    zone-member security Guest
    ip classless
    ip forward-protocol nd
    no ip http server
    ip http port 80
    ip http authentication enable
    no ip http secure-server
    ip http secure-port 443
    ip http secure-active-session-modules all
    ip http max-connections 5
    ip http timeout-policy idle 180 life 180 requests 1
    ip http active-session-modules all
    ip http digest algorithm md5
    ip http client cache memory pool 100
    ip http client cache memory file 2
    ip http client cache ager interval 5
    ip http client connection timeout 10
    ip http client connection retry 1
    ip http client connection idle timeout 30
    ip http client response timeout 30
    ip http path
    ip flow-top-talkers
    top 10
    sort-by bytes
    ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53
    ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074
    ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074
    ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80
    ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88
    ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53
    ip nat inside source list NAT interface FastEthernet4 overload
    ip access-list extended NAT
    deny   ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
    permit ip any any
    ip access-list extended dhcp-allow
    permit udp any eq bootps any
    permit udp any any eq bootpc
    permit udp any any eq bootps
    permit udp any eq bootpc any
    ip access-list extended egress-filter
    permit ip 0.0.0.2 any
    remark ----- Junk Traffic -----
    deny   ip any host
    deny   ip any host
    deny   ip host any
    deny   ip host any
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip any any
    ip access-list extended ingress-filter
    remark ----- Allow access from work
    permit ip 0.0.0.127 any
    permit ip 0.0.0.31 any
    permit ip 0.0.0.255 any
    permit esp any host
    permit gre any host
    permit udp any host eq isakmp
    remark ----- To get IP form COX -----
    permit udp any eq bootps any eq bootpc
    deny   icmp any any
    deny   udp any any eq echo
    deny   udp any eq echo any
    deny   tcp any any fragments
    deny   udp any any fragments
    deny   ip any any fragments
    deny   ip any any option any-options
    deny   ip any any ttl lt 4
    deny   ip any host
    deny   ip any host
    deny   udp any any range 33400 34400
    remark ----- Bogons Filter -----
    deny   ip 0.0.0.0 0.255.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.254.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 192.0.0.0 0.0.0.255 any
    deny   ip 192.0.2.0 0.0.0.255 any
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 198.18.0.0 0.1.255.255 any
    deny   ip 198.51.100.0 0.0.0.255 any
    deny   ip 203.0.113.0 0.0.0.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    remark ----- Internal networks -----
    deny   ip 0.0.0.2 any
    deny   ip any any
    no ip sla logging traps
    ip sla 1
    icmp-echo 8.8.4.4 source-interface FastEthernet4
    frequency 120
    history hours-of-statistics-kept 1
    history filter failures
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 8.8.8.8 source-interface FastEthernet4
    frequency 30
    history hours-of-statistics-kept 1
    history filter failures
    ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive 5 action-type trapAndTrigger
    ip sla reaction-trigger 1 2
    logging history size 1
    logging history warnings
    logging trap informational
    logging delimiter tcp
    logging facility local7
    no logging source-interface
    access-list 1 permit 192.168.16.0 0.0.0.63
    access-list 20 permit 127.127.1.1
    access-list 20 permit 192.43.244.18
    access-list 20 permit 204.235.61.9
    access-list 20 permit 173.201.38.85
    access-list 20 permit 216.229.4.69
    access-list 20 permit 152.2.21.1
    access-list 20 permit 130.126.24.24
    access-list 21 permit 192.168.16.0 0.0.0.63
    access-list 22 permit 192.168.16.0 0.0.0.63
    mac-address-table aging-time 300
    cdp run
    snmp-server engineID local
    snmp-server view *ilmi system included
    snmp-server view *ilmi atmForumUni included
    snmp-server view v1default iso included
    snmp-server view v1default internet.6.3.15 excluded
    snmp-server view v1default internet.6.3.16 excluded
    snmp-server view v1default internet.6.3.18 excluded
    snmp-server view v1default ciscoMgmt.394 excluded
    snmp-server view v1default ciscoMgmt.395 excluded
    snmp-server view v1default ciscoMgmt.399 excluded
    snmp-server view v1default ciscoMgmt.400 excluded
    snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F ieee802dot11 included
    snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F internet included
    snmp-server community 1682CrewsSNMP v1default RW 22
    snmp-server priority normal
    no snmp-server trap link ietf
    snmp-server trap authentication vrf
    snmp-server trap authentication acl-failure
    snmp-server trap authentication unknown-content
    snmp-server packetsize 1500
    snmp-server queue-limit notification-host 10
    snmp-server chassis-id FHK111016LX
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps tty
    snmp-server enable traps pw vc
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps adslline
    snmp-server enable traps flash insertion removal
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps entity
    snmp-server enable traps fru-ctrl
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps cpu threshold
    snmp-server enable traps syslog
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps ipsla
    snmp-server host 192.168.16.10 traps version 1 udp-port 162
    snmp-server inform retries 3 timeout 15 pending 25
    snmp mib nhrp
    snmp mib notification-log globalsize 500
    snmp mib notification-log globalageout 15
    snmp mib community-map  ILMI engineid
    snmp mib community-map  engineid
    radius-server local
    no authentication mac
    eapfast authority id
    eapfast authority info
    eapfast server-key primary 7
    eapfast server-key secondary 7
    nas key 7
    group users
      vlan 1
      ssid playground
      block count 5 time 60
      reauthentication time 3600
    group guest
      vlan 2
      ssid guestonpg
      block count 3 time 60
      reauthentication time 3600
    user nthash 7 group users
    user nthash 7 group guest
    radius-server attribute 32 include-in-access-req format %h
    radius-server host auth-port 1645 acct-port 1646 key 7
    radius-server vsa send accounting
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    bridge 3 protocol ieee
    bridge 3 route ip
    alias exec h help
    alias exec lo logout
    alias exec p ping
    alias exec r resume
    alias exec s show
    alias exec u undebug
    alias exec un undebug
    alias exec w where
    default-value exec-character-bits 7
    default-value special-character-bits 7
    default-value data-character-bits 8
    line con 0
    password 7
    logging synchronous
    no modem enable
    transport output ssh
    line aux 0
    password 7
    logging synchronous
    transport output ssh
    line vty 0 4
    password 7
    logging synchronous
    transport preferred ssh
    transport input all
    transport output ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    process cpu threshold type total rising 80 interval 10 falling 40 interval 10
    ntp authentication-key 1 md5 7
    ntp authenticate
    ntp trusted-key 1
    ntp source FastEthernet4
    ntp access-group peer 20
    ntp access-group serve-only 21
    ntp master 1
    ntp server 152.2.21.1 maxpoll 4
    ntp server 204.235.61.9 maxpoll 4
    ntp server 130.126.24.24
    ntp server 216.229.4.69 maxpoll 4
    ntp server 173.201.38.85 maxpoll 4
    cns id hostname
    cns id hostname event
    cns id hostname image
    cns image retry 60
    netconf max-sessions 4
    netconf lock-time 10
    netconf max-message 0
    event manager scheduler script thread class default number 1
    event manager scheduler applet thread class default number 32
    event manager history size events 10
    event manager history size traps 10
    end

  • All my DVD burner woes are gone!

    I wanted to pass along my good news - I have surmounted my SuperDrive woes, and I am a happy camper.
To make a long story short, my G5 2x2GHz of mid-2003 vintage developed a distaste for burning DVDs via the SuperDrive. I replaced it with a new Pioneer "DVR-112D-BK" and it rocks!
    I read several posts regarding the fine folks at Other World Computing (macsales.com). This is not a paid endorsement, but wow! For around $40, I got the new drive that burned 10 DVD-Rs back to back at 18X right outta the gate! I am simply purring. This is on the heels of fussin' & cussin' at my old SuperDrive.
    My advice - don't mess with an old drive! Replace it!
    Just for a little further bragging on my new drive - I just burned to a Fuji DVD-R at 16X. Even in its healthy days, the SuperDrive would not burn to that media!

    Hi! OWC is a great place to buy Mac stuff as you have discovered and they are always helpful and good prices too! That's why many of us recommend them. Tom

  • Ip virtual-reassembly and ZBF

    Hello,
I am wondering whether it is necessary to enable ip virtual-reassembly on the internet-facing interface of a VPN router (DMVPN spoke) if I don't have any NAT configured on it. I run ZBF and have only a policy that allows VPN traffic for the DMVPN spoke, DHCP, and management via SSH from one specific host only. I am reluctant to enable it and need an expert's comment.
    Here is my configuration below; so far all works fine:
    interface FastEthernet4
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    zone-member security outside
    ip tcp adjust-mss 1360
    duplex auto
    speed auto
    no cdp enable
    end
    ip access-list extended ISAKMP_IPSEC_DHCP_in
    permit udp any any eq bootpc
    permit esp host <PUBLIC IP OF DMVPN HUB> any
    permit udp host <PUBLIC IP OF DMVPN HUB> eq isakmp any eq isakmp
    permit udp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp any eq non500-isakmp
    ip access-list extended ISAKMP_IPSEC_DHCP_out
    permit udp any any eq bootps
    permit esp any host <PUBLIC IP OF DMVPN HUB>
    permit udp any eq isakmp host <PUBLIC IP OF DMVPN HUB> eq isakmp
    permit udp any eq non500-isakmp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp
    ip access-list extended SSHaccess
    permit tcp host <MGMT HOST> any eq 22
    permit tcp host <MGMT HOST> any eq 22
    class-map type inspect match-all IPSEC-DHCP-IN-cmap
    match access-group name ISAKMP_IPSEC_DHCP_in
    class-map type inspect match-all SSHaccess-cmap
    match access-group name SSHaccess
    policy-map type inspect Outside-Router-pmap
    class type inspect SSHaccess-cmap
      inspect
    class type inspect IPSEC-DHCP-IN-cmap
      pass
    class class-default
      drop log
    class-map type inspect match-all IPSEC-DHCP-OUT-cmap
    match access-group name ISAKMP_IPSEC_DHCP_out
    policy-map type inspect Router-Outside-pmap
    class type inspect IPSEC-DHCP-OUT-cmap
      pass
    class class-default
      drop log
    policy-map type inspect Inside-Outside-pmap
    class class-default
      drop log
    policy-map type inspect Outside-Inside-pmap
    class class-default
      drop log
    policy-map type inspect Outside-Outside-pmap
    class class-default
      drop log
    zone-pair security outside-to-router source outside destination self
    service-policy type inspect Outside-Router-pmap
    zone-pair security router-to-outside source self destination outside
    service-policy type inspect Router-Outside-pmap
    zone-pair security inside-to-outside source inside destination outside
    service-policy type inspect Inside-Outside-pmap
    zone-pair security outside-to-inside source outside destination inside
    service-policy type inspect Outside-Inside-pmap
    zone-pair security outside-to-outside source outside destination outside
    service-policy type inspect Outside-Outside-pmap

    Hello Ruterford,
As Marcin said, it is not related to that.
    Now let's talk about the usage of that feature:
    It would basically let you configure the router to react to fragmentation attacks, where you determine how many fragments a packet can have, the maximum number of IP packets that can be using the reassembly feature at the same time, and the time you have to reassemble an IP packet.
    So based on how the network behaves and the traffic you receive, you can make a decision about whether to enable it or not.
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Zbf ha configuration

    Hey!
Are there any better examples with diagrams of how to configure ZBF HA than these:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-15-2mt-book.pdf
I just need a simple configuration where the two routers' LAN interfaces are in HA state and the WAN interfaces are in default zones without HA.

    I cannot say which one it will be since I do not have a final plan yet. The initial request shows that 2 WLC's are active while one is in standby. I do not believe this is a supported configuration based on this link.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01110100.html#concept_6C8DB7891E764C869E5FC11349120C20
Let's say, though, that this is going to be set up in the old fashion, Primary/Secondary/Tertiary; is there some detailed documentation on this? HA SSO seems like the way to go, but I am going off the info I have gotten so far.

  • ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4

I have a dual-stacked router for both IPv4 and IPv6. IPv4 traffic should pass the ZBF untouched, because there is another rock-solid IPv4 firewall on the egress side of the inside interface. Is there a way that a class map like this could function on IPv6 traffic only?:
    class-map type inspect match-any fullproto
     description Permitted Traffic to internet
     match protocol http
     match protocol https
     match protocol dns
     match protocol imaps
     match protocol icmp
     match protocol ftp
     match protocol ntp
     match protocol rtsp
     match protocol realmedia
     match protocol netshow
     match protocol appleqtc
     match protocol streamworks
     match protocol vdolive
     match protocol ssh
     match protocol user-rdp
So far there is only a CBAC solution in place for IPv6.
    Here are my interfaces:
    interface FastEthernet0/0
     description *** Inside IPV6 ***
     no ip address
     speed auto
     full-duplex
     ipv6 address FE80::1 link-local
     ipv6 address ????:????:????:10::1/64
     ipv6 nd other-config-flag
     ipv6 dhcp relay destination ?:?:?:10::12
     ipv6 traffic-filter inne6-inn in
     no cdp enable
     no mop enabled
    interface FastEthernet0/0.4
     description *** Inside IPV4 ***
     encapsulation dot1Q 4
     ip address 82.?.?.129 255.255.255.248
     no cdp enable
    interface FastEthernet0/1
     description *** Outside ***
     ip address 82.?.?.42 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     speed auto
     full-duplex
     ipv6 address FE80::2 link-local
     ipv6 address ?:599::2/126
     ipv6 enable
     ipv6 nd prefix default no-advertise
     ipv6 nd prefix ?:599::/126 no-advertise
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
     ipv6 nd router-preference High
     ipv6 inspect ipv6-cbac out
     ipv6 traffic-filter ut-inn6 in
     no cdp enable
     no mop enabled
    Please advise.
    Regards,
    Henning

    I didn't test it, but what about the following:
Configure a new class-map where you match on an IPv6 access-list "any to any".
    Configure a third class map of type "match-all" where you match on your "fullproto" class-map and also the above IPv6 class-map. For this class map you configure your inspections.
    For IPv4 traffic you configure a class with a "pass" action in both directions.
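    An added worked example of the nested class-map approach sketched in the reply above; it is written for this thread and is not taken from any poster's configuration. It reuses Henning's existing "fullproto" class and assumes an IOS 15.x release with IPv6 ZBF support; the ACL, class-map, policy-map and zone names (V6-ANY, V6-ONLY, V6-FULLPROTO, V4-ANY, V4-ONLY, inside, outside) are made up here.

```cisco
! Added example (not from the thread): inspect only IPv6 with ZBF and let
! IPv4 through untouched, as the reply above describes.
!
! 1. An IPv6 "any to any" ACL and a class-map that matches only on it.
ipv6 access-list V6-ANY
 permit ipv6 any any
class-map type inspect match-all V6-ONLY
 match access-group name V6-ANY
!
! 2. A match-all class that is true only for IPv6 flows that ALSO hit one of
!    the protocols in the existing match-any "fullproto" class. Nesting the
!    two class-maps is what ANDs the address-family test with the protocol list.
class-map type inspect match-all V6-FULLPROTO
 match class-map V6-ONLY
 match class-map fullproto
!
! 3. An IPv4 "any to any" class so IPv4 can be handed to the other firewall.
ip access-list extended V4-ANY
 permit ip any any
class-map type inspect match-all V4-ONLY
 match access-group name V4-ANY
!
! Inside -> outside: IPv4 passes statelessly (no session is created), IPv6 is
! inspected, everything else is dropped and logged.
policy-map type inspect INSIDE-OUTSIDE-pmap
 class type inspect V4-ONLY
  pass
 class type inspect V6-FULLPROTO
  inspect
 class class-default
  drop log
!
! Outside -> inside: IPv4 must pass here as well, because "pass" keeps no
! state and the IPv4 return traffic would otherwise die on class-default.
policy-map type inspect OUTSIDE-INSIDE-pmap
 class type inspect V4-ONLY
  pass
 class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security in-out source inside destination outside
 service-policy type inspect INSIDE-OUTSIDE-pmap
zone-pair security out-in source outside destination inside
 service-policy type inspect OUTSIDE-INSIDE-pmap
```

    Which of the protocols listed in "fullproto" can actually be inspected as IPv6 depends on the IOS release's IPv6 ZBF support, so verify with `show policy-map type inspect zone-pair` that IPv6 sessions are being created after applying this.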
