Zone Based FW on 800's.
This has become very confusing for me....
881 - supports Zone FW's with Advanced IP Feature set
871 - Same
861 - ??
851 - Does not support Zone FW - but allows me to enter the commands.
For the 881 the image name is "universal" and you are required to install the AIS licenese. But for the 871 the image names are similar to others - i.e. advIPservices or AdvSecurity...
I didn't figure any of this our until I bought a pair of 851's and then found out I could not do Zone FW's.
To top all of this off the Software Advisor indicated that I could not do Zone FW's with an 881 - which I know is untrue as I am doing it right now.....
Once I can find the Cisco documentation explaining all of this I will be OK, but finding it is the part I am having trouble with.
Can anyone point me to a resource that explains this new and complex licensing model?
Thanks,
Similar Messages
-
Traditional ACL vs Zone Based FW
I have a 3845 ISR that I have been managing for a couple years that has a traditional ACL based config. We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco. Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with traditional ACL config that I am more comforatable with?
If there was the option to use a Zone based FW or just straight access lists then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zoned based FW will also inspect traffic and block any traffic with malicous code for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
The choice is based on your comfort level, but both are viable options...
BR,
Cary
Sent from Cisco Technical Support iPad App -
Nearest time zones based on user time zone
Hi,
In my application, user accesses the applet in the browser and based on the user time zone I need to display the list of available server which are near to his time zone.
Please provide me some hints on how to sort the time zones based on the time zone offset.
Thanks
AravindHi,
In my application, user accesses the applet in the browser and based on the user time zone I need to display the list of available server which are near to his time zone.
Please provide me some hints on how to sort the time zones based on the time zone offset.
Thanks
Aravind -
Look-up java time zone based on location?
I have a test app where I can assign a java timezone and return time info - However, I don't see a way to look-up a java time zone based on location (combination of city/province/state/country).
Is this possible?Has any one found a way to lookup a timezone based on a city/region in the world? So one could be able to type any city and state/province and country combination and get the corresponding timezone for that region. Is there a place where one can buy this data?
Thank you -
CSS Zone based DNS solution question
I have a css at the main site configured as a stand alone unit at the moment.
I have the advanced feature set and want to use our second CSS for a dynamic failover sceanario in the DR site.
At the moment in the event of Internet access interruption of the Main site, the DR site is configured to advertise the main site Internet subnet out it's edge router to BGP.
The DR edge router receives updates from the Main site edge router through everything end to end and distributes this into BGP.
The DR PIX has static mappings to the main site servers.
But this is only if the link drops and everything else is up.
If the site gets wiped out, there is no failover plan.
I am thinking this will be a problem if I set up the Zone Based DNS scenario.
I have the CSS devices, is this a huge problem to work around?
Any thoughts?Anyone? Gilles, any words of advice?
I found this in the documentation for acl's, it states...
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_ name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command. -
CSS Zone based DNS for Site Redundancy?
I am in the process of changing from rules based dns to zone based dns. I had used the document below to provide redundancy between 2 sites.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml
The is an acl in the document which says
"If the primary site is up, then this ACL will tell requests landing on this site to prefer the Primary site.
clause 10 permit any any destination content owner_backup/WWW-backup prefer hacked_redirectt
clause 99 permit any any destination any
apply circuit-(VLAN1)
apply dns
Once I implemented a dns-server zone, this acl no longer has an effect. The requests are round robbining unless I set the dns-server zone to preferlocal. Unfortunately this does not solve my problem, if the main site is up both css's should prefer the main site.
How is this same thing accomplished with zone based dns, or is it even possible? Thanks.Anyone? Gilles, any words of advice?
I found this in the documentation for acl's, it states...
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_ name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command. -
Cisco Zone-based firewall issue/ not receiving return traffic
Hi,
I have created a Cisoc IOS Zone based firewall on my cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
I have two zone pairs: Internal to Outside and Outside to Internal.
In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.Please share your config. Then we can see what's wrong there.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Introduction:
There is a date’s type field in the database. When using the field in the report, clients want to convert the field’s values based on own Time Zone to show the date field.
Workaround:
Currently, Reporting Services doesn’t provide the function that can get the Time Zone of a client machine. To work around the issue, you need to add a custom code in the report to convert Time Zone and create a parameter through which the client users can
select his/her Time Zone, and then pass the parameter value to the custom function. Please see the details as follows:
1. Click the Report, select Report Properties and add the custom code as the screenshot shown:
Custom code:
Shared Function FromUTC (ByVal d As Date, ByVal tz As String) As Date
Return (TimeZoneInfo.ConvertTimeBySystemTimeZoneId(d, TimeZoneInfo.Utc.Id, tz))
End Function
2. Create a parameter named TimeZone (you can name the parameter according to your requirement), select Available value and click Specify values.
Label
Value
China Standard Time
China Standard Time
Central European Time Zone Central European Time Zone
India Time Zone
India Time Zone
United States of America Time zones United States of America Time zones
3. Call the custom code and type the expression to convert the Time Zone as follows:
=Code.FromUTC(Fields!UTCDateFromDatabase.Value,Parameters!TimeZone.Value)
Note: If you use the expression “=Code.FromUTC(Fields!UTCDateFromDatabase.Value,TimeZone.CurrentTimeZone.StandardName)”, it cannot achieve the goal because TimeZone.CurrentTimeZone.StandardName gets the TimeZone of Report Server side rather than Client side.
More information:
TimeZone Class
http://msdn.microsoft.com/en-us/library/system.timezone(v=vs.110).aspx
Applies to
Microsoft SQL Server 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2012Hello,
Please read the answer provided by Kalman on the following thread:
http://social.technet.microsoft.com/Forums/es-ES/446df85a-7ad8-4891-8748-478a26350c5c/how-to-compare-tables-in-two-different-servers-while-one-of-the-server-name-has-a-?forum=transactsql
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com -
Websense web filtering not working with 2911 with zone based firewall
Hi,
Any one ran into this issue
We use websense for guest wifi but i dont see requests hitting websense server
config is below
class-map type inspect match-any test-1
match protocol http
policy-map type inspect Wifi-test
class type inspect test-1
inspect
urlfilter websense-parmap
class class-default
drop
parameter-map type urlfilter websense-parmap
server vendor websense 10.10.1.4
source-interface GigabitEthernet0/2
allow-mode on
cache 100
zone-pair security Wifi-in-out source Wifi destination outside
service-policy type inspect Wifi-test
interface GigabitEthernet0/1
description Internet
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
zone-member security Wifi
interface GigabitEthernet0/2
description LAN
ip address 10.10.4.1 255.255.255.0
zone-member security insideHi Stan,
You should be able to adapt this config example to your environment.
Andy-
class-map type inspect match-any http-cm
match protocol http
parameter-map type urlfpolicy websense websense-parm
server <websense server IP>
source-interface <lan interface>
allow-mode on
truncate hostname
class-map type urlfilter websense match-any websense-cm
match server-response any
policy-map type inspect urlfilter websense-pm
parameter type urlfpolicy websense websense-parm
class type urlfilter websense websense-cm
server-specified-action
policy-map type inspect Inside->Internet-pm
description Inside trusted to Internet
class type inspect http-cm
inspect
service-policy urlfilter websense-pm
class type inspect Inside->Internet-cm
inspect
class class-default
drop
zone-pair security Inside->Internet source Inside destination Internet
service-policy type inspect Inside->Internet-pm
! to check status & url block counts
show policy-map type inspect zone-pair Inside->Internet urlfilter -
Problems with Zone based Firewall and mtr (mytraceroute)
We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
<code>
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 100.0 8 0.0 0.0 0.0 0.0 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
7. de-cix20.net.google.com 100.0 7 0.0 0.0 0.0 0.0 0.0
8. 72.14.238.230 100.0 7 0.0 0.0 0.0 0.0 0.0
9. 72.14.239.62 100.0 7 0.0 0.0 0.0 0.0 0.0
10. 209.85.242.187 100.0 7 0.0 0.0 0.0 0.0 0.0
11. ???
12. ???
13. ???
14. bk-in-f94.1e100.net 0.0% 7 20.0 20.6 20.0 21.2 0.4
</code>
So it seems that the Firewall on my asr1001 is throwing away all packets with ttl-exceeded coming back from hops in between, they have another destination address.
At the moment I am inspecting all kind of traffic from my network outgoing:
ip access-list extended 101
permit ip any any
class-map type inspect match-all cmap1
match access-group name 101
policy-map type inspect pmap1
class type inspect cmap1
inspect
etc... (zones, zone-pair in-out with policies applied)
So I tried to let pass all icmp-traffic from the outside to my network:
class-map type inspect match-all cmap_icmp
match protocol icmp
policy-map type inspect pmap2
class type inspect cmap_icmp
pass
etc... (zones, zone-pair out-in with policies applied)
So this has no effect, but I tested and I could figure out, that when I pass all icmp-traffic from my network to the outside, THEN mtr does work.
BUT then normal ping does not work anymore, because it will not be inspected any more.
But I want to have a secure Firewall with inspecting echo-replys and working mtr anyway.
Has anyone the same problem or can even solve this issue?
Thanks in advance,
StefanHi Andrew, thanks for Your answer...
So I have now:
class-map type inspect match-any cmap_icmp
match access-group name icmp_types
ip access-list extended icmp_types
permit icmp any any ttl-exceeded
PMAP IN--> OUT
(don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
policy-map type inspect vlan664_pmap_in
class type inspect vlan664_cmap_in (this is an extended ACL "permit ip x.x.x.x any")
inspect
class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
pass log
class class-default
drop log
PMAP OUT-->IN
policy-map type inspect vlan664_pmap_out
class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
pass log
class type inspect vlan664_cmap_out (some open ports for some clients)
inspect
class type inspect ipsec_cmap_out (same problem with VPN when inspected)
pass log
class class-default
drop log
But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with 3rd packet the packetloss comes up:
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 50.0% 3 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 50.0% 3 0.9 0.9 0.9 0.9 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 0.0% 2 2.7 2.7 2.7 2.7 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 0.0% 2 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 0.0% 2 2.5 2.5 2.5 2.5 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 0.0% 2 4.1 4.1 4.1 4.1 0.0
7. de-cix20.net.google.com 0.0% 2 5.0 5.0 5.0 5.0 0.0
8. 72.14.238.44 0.0% 2 39.2 39.2 39.2 39.2 0.0
9. 72.14.236.68 0.0% 2 5.4 5.4 5.4 5.4 0.0
10. 209.85.254.118 0.0% 2 5.4 5.4 5.4 5.4 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 2 5.5 5.3 5.2 5.5 0.2
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 66.7% 4 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 66.7% 4 0.8 0.8 0.8 0.8 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 66.7% 4 2.1 2.1 2.1 2.1 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 66.7% 4 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 66.7% 4 2.6 2.6 2.6 2.6 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 66.7% 4 4.2 4.2 4.2 4.2 0.0
7. de-cix20.net.google.com 66.7% 4 5.3 5.3 5.3 5.3 0.0
8. 72.14.238.44 66.7% 4 70.3 70.3 70.3 70.3 0.0
9. 72.14.239.60 66.7% 4 5.8 5.8 5.8 5.8 0.0
10. 209.85.254.116 66.7% 4 5.8 5.8 5.8 5.8 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 4 6.3 5.7 5.2 6.3 0.5
In the sessions on the routers, I see only this entry:
Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
Any other suggestions? -
Problem in Zone Based FW Config
Could anyone see why the below config is making http downloads/streaming hang. Cant watch any streaming as it hangs in various parts but also downloading MS service packs, it will sometimes not start at all or get a few percent then cut off.
Downloading off newsgroups though is not an issue.
It is deffo router in some way. Tried a bog standard one and no issues. Seems to be since I adjusted the FW config through the CCP wizard and might of selected the medium security option.
Any ideas please?
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-PolicyThis is the current running config:
HOME_RTR#sho term len 0
HOME_RTR#show run
Building configuration...
Current configuration : 8216 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname
logging message-counter syslog
enable secret 5
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2045468537
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2045468537
revocation-check none
rsakeypair TP-self-signed-2045468537
crypto pki certificate chain TP-self-signed
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip dhcp pool PRIVATE
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool WORK
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
ip dhcp pool SERVER
host 192.168.10.200 255.255.255.0
client-identifier 0100.248c.3fdb.a9
client-name SERVER
ip dhcp pool XBOX
host 192.168.10.210 255.255.255.0
client-identifier 0100.25ae.eae4.88
client-name XBOX
ip cef
ip domain name home.local
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
shutdown
interface FastEthernet2
shutdown
interface FastEthernet3
shutdown
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
interface Dialer0
description ADSL Dialup
ip address negotiated
no ip redirects
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp address accept
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip access-list extended XBOX-Live
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
snmp-server community public RO
control-plane
banner login ^CHOME
^C
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
scheduler max-task-time 5000
end
HOME_RTR#exit -
Cisco IOS Zone Based Firewall and IPv6
Hello,
I am trying to setup IPv6 tunnel to tunnel-broker Hurrican Electrics. IPv6 connection is working OK only if I disable zone security on WAN interface (Fe0 - IPv4 interface).
Which protocols must be alloved to and from router?
IOS version: 15.1.2T1 (Adv.ip services)
Setup:
HE (tunnel-broker) --- Internet (IPv4) ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
Config on router:
IPv4 (self to internet and internet to self)
policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
inspect
class type inspect ICMP-cmap
inspect
class type inspect IPSEC-cmap
pass
class type inspect Protocol41-cmap
pass log
class class-default
drop
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security IPv6tunnel
ipv6 address 2001:47:25:105B::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source FastEthernet0
tunnel mode ipv6ip
tunnel destination xxx.66.80.98
interface FastEthernet0
description WAN interface
ip address xxx.xxx.252.84 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
service-policy type inspect IPv6-out-pmap
zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
service-policy type inspect IPv6-out-pmap
policy-map type inspect IPv6-out-pmap
class type inspect IPv6-internet-class
inspect
class class-default
drop
class-map type inspect match-all IPv6-internet-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
ipv6 route ::/0 Tunnel1
ipv6 unicast-routing
ipv6 cef
parameter-map type inspect v6-param-map
ipv6 routing-header-enforcement loose
sessions maximum 10000OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
class-map type inspect match-all cm-selftowan-he-out
match access-group name HETunnelOutbound
ip access-list extended HETunnelOutbound
permit 41 any any
permit ip any host 64.62.200.2
permit ip any host 66.220.2.74
permit ip any host 216.66.80.26
Now we see the same error, just on the 'new' first cmap in the pmap:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to Invalid Segment with ip ident 0
Yet as you can see above, we are allowing proto 41 any any.
I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
any ideas?
Thanks,
//TrX
EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
I decided to change the outbound cm-selftowan-he-out action to 'pass'.
I suddently noticed the following log:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session 216.66.80.26:0 :0 on zone-pair wantoself class cm-wantoself-he-in due to Invalid Segment with ip ident 0
Notice this is now inbound having trouble where as before was outbound.
I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
Looking at the original outbound PMAP:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan
inspect
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
cm-selftowan has always been infront of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of proto's).
This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
Hope this helps the OP too
//TrX -
GSLB Zone-Based DNS Payment Gw - Config Active-Active: Not Failing Over
Hello All:
Currently having a bit of a problem, have exhausted all resources and brain power dwindling.
Brief:
Two geographically diverse sites. Different AS's, different front ends. Migrated from one site with two CSS 11506's to two sites with one 11506 each.
Flow of connection is as follows:
Client --> FW Public Destination NAT --> CSS Private content VIP/destination NAT --> server/service --> CSS Source VIP/NAT --> FW Public Source NAT --> client.
Using Load Balancers as DNS servers, authoritative for zones due to the requirement for second level Domain DNS load balancing (i.e xxxx.com, AND FQDNs http://www.xxxx.com). Thus, CSS is configured to respond as authoritative for xxxx.com, http://www.xxxx.com, postxx.xxxx.com, tmx.xxxx.com, etc..., but of course cannot do MX records, so is also configured with dns-forwarders which consequently were the original DNS servers for the domains. Those DNS servers have had their zone files changed to reflect that the new DNS servers are in fact the CSS'. Domain records (i.e. NS records in the zone file), and the records at the registrar (i.e. tucows, which I believe resells .com, .net and .org for netsol) have been changed to reflect the same. That part of the equation has already been tested and is true to DNS Workings. The reason for the forwarders is of course for things such as non load balanced Domain Names, as well as MX records, etc...
Due to design, which unfortunately cannot be changed, dns-record configuration uses kal-ap, example:
dns-record a http://www.xxxx.com 0 111.222.333.444 multiple kal-ap 10.xx.1.xx 254 sticky-enabled weightedrr 10
So, to explain so we're absolutely clear:
- 111.222.333.444 is the public address returned to the client.
- multiple is configured so we return both site addresses for redundancy (unless I'm misunderstanding that configuration option)
- kal-ap and the 10.xx.1.xx address because due to the configuration we have no other way of knowing the content rule/service is down and to stop advertising the address for said server/rule
- sticky-enabled because we don't want to lose a payment and have it go through twice or something crazy like that
- weighterr 10 (and on the other side weightedrr 1) because we want to keep most of the traffic on the site that is closer to where the bulk of the clients are
So, now, the problem becomes, that the clients (i.e. something like an interac machine, RFID tags...) need to be able to fail over almost instantly to either of the sites should one lose connectivity and/or servers/services. However, this does not happen. The CSS changes it's advertisement, and this has been confirmed by running "nslookups/digs" directly against the CSSs... however, the client does not recognize this and ends up returning a "DNS Error/Page not found".
Thinking this may have something to do with the "sticky-enabled" and/or the fact that DNS doesn't necessarily react very well to a TTL of "0".
Any thoughts... comments... suggestions... experiences???
Much appreciated in advance for any responses!!!
Oh... should probably add:
nslookups to some DNS servers consistently - ALWAYS the same ones - take 3 lookups before getting a reply. Other DNS servers are instant....
Cheers,
Ben Shellrude
Sr. Network Analyst
MTS AllStream IncHi Ben,
if I got your posting right the CSSes are doing their job and do advertise the correct IP for a DNS-query right?
If some of your clients are having a problem this might be related to DNS-caching. Some clients are caching the DNS-response and do not do a refresh until they fail or this timeout is gone.
Even worse if the request fails you sometimes have to reset the clients DNS-demon so that they are requesting IP-addresses from scratch. I had this issue with some Unixboxes. If I remeber it corretly you can configure the DNS behaviour for unix boxes and can forbidd them to cache DNS responsed.
Kind Regards,
joerg -
Can't getting layer 7 app filtering in ZONE based policy FW
Hi all,
I am trying to get layer 7 application protocol to work in a simple test setup, I need to get this working to filter roommate traffric . Simple configuration with two interface(inside and outside). With layer application configured, everything works fine, but when applied layer 7 it does not block the web site i want... URL filter and parameter map don't work either...
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
parameter-map type urlfilter URL-FILTER
audit-trail on
parameter-map type regex humoron
pattern [Hh][Uu][Mm][Oo][Rr][Oo][Nn][.][Cc][Oo][Mm]
parameter-map type regex LAPOSTE1
pattern LAPOSTE.NET
class-map type inspect match-any EXPRESSION
match access-group 105
match protocol tcp
match protocol udp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-any HTTP
match access-group 105
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect http match-any HUMORON
match request body regex humoron
match request header regex humoron
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match request port-misuse any
match request arg regex humoron
match request uri regex humoron
match response status-line regex humoron
match req-resp header regex humoron
match req-resp protocol-violation
class-map type inspect http match-any LAPOSTE
match request body regex LAPOSTE1
match request header regex LAPOSTE1
match request port-misuse p2p
match request port-misuse tunneling
match request arg regex LAPOSTE1
match request uri regex LAPOSTE1
match response body regex LAPOSTE1
match response body java-applet
match response status-line regex LAPOSTE1
match req-resp protocol-violation
policy-map type inspect HTTP_POL
class type inspect HTTP
inspect
class type inspect EXPRESSION
inspect
class class-default
drop
policy-map type inspect http Adult_site
class type inspect http HUMORON
log
reset
policy-map type access-control out2inside_policy
zone security INSIDE_ZONE
description inside interface f0/2
zone security OUTSIDE_ZONE
description outside interface f0/0
zone-pair security outside2inside source OUTSIDE_ZONE destination INSIDE_ZONE
zone-pair security INSIDE2OUTSIDE source INSIDE_ZONE destination OUTSIDE_ZONE
description web traffic
service-policy type inspect HTTP_POL
IOS_VPN#sh policy-map type inspect
Policy Map type inspect HTTP_POL
Class HTTP
Inspect
Class EXPRESSION
Drop
Class class-default
Pass
Thanks,Any ideas??
Thanks,
Eddy -
Get time Zone based on Country code
Hi All,
I am looking for getting the time and date of a particular country based on country code in XI. For ex. if IN comes in payload then get IST (Date and time). Can we do that in UDF?
Thanks & Regards,
Venu V> I am looking for getting the time and date of a particular country based on country code in XI.
How should that work? Have you thought about Russia? USA?
Check java class Calendar and TimeZone:
http://java.sun.com/j2se/1.5.0/docs/api/java/util/Calendar.html
http://java.sun.com/j2se/1.5.0/docs/api/java/util/TimeZone.html
Maybe you are looking for
-
New-Asset Report - awesome, but can't get it to run?
Howdy - I am trying to run the awesome new-asset report that Zachary Loeber shared with the technet community. The script is here: http://gallery.technet.microsoft.com/Excel-and-HTML-Asset-0ffbf569 However I can't get it to run against 1 server or m
-
HT1947 Having trouble syncing iPad to Apple TV
I am trying to sync my tv to my iPad . Not sure what I'm doing.
-
Flash MX2004..flashlight or spotlight effect with extra effect
HI..I'm trying to make a flashlight effect that automatically (not mouse controlled) goes over the text and image (all on the image) and then have the flashlight beam fade then open completely to the 900x400 image and stay visible... Appreciate your
-
Can elements11 work with raw images from a Sony DSC-RX100 camera?
-
I am having trouble with the IMAQ vis on the myRIO. When I compile my VI, I get an error message that asks me to check to make sure the software is installed on the myRIO. I have checked, and it is. A screenshot of MAX, the error message, and my bloc