topic Cisco 881 Zone Firewall issues in Network Security https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175815#M360008 <HTML><HEAD></HEAD><BODY><P>Hello Martin,</P><P></P><P>Please apply the following changes and let us know:</P><P></P><P>ip access-list extend DMZtoAny</P><P>1 permit udp 192.168.12.0 0.0.0.255 any eq 53</P><P>no permit ip 192.168.112.0 0.0.0.255 any</P><P></P><P></P><P>Ip access-list extended DMZ-Out</P><P>1 permit tcp 192.168.12.0 0.0.0.255 any eq 80</P><P>2 permit tcp 192.168.12.0 0.0.0.255 any eq 443</P><P>no <SPAN style="font-size: 10pt;">permit ip 192.168.112.0 0.0.0.255 any</SPAN></P><P></P><P></P><P>Change that, try and if it does not work post the configuration with the changes applied,</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helfpul posts, that is as important as a thanks</P><P></P><P>Julio</P></BODY></HTML> Tue, 19 Mar 2013 01:55:51 GMT Julio Carvajal 2013-03-19T01:55:51Z Cisco 881 Zone Firewall issues https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175813#M360006 <P>I'm having issues with an 881 that I have configured as a zone based firewall.</P><P></P><P>I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.</P><P></P><P>On the corporate side the user complains that some websites fail, such as Linked in.</P><P></P><P>I have been using CCP to configure the device. What am I doing wrong?</P><P></P><P><SPAN style="font-size: 12pt;"></SPAN></P><P>=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=</P><P>sh run</P><P>Building configuration...</P><P>Current configuration : 22210 bytes</P><P>!</P><P>! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS</P><P>! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis</P><P>! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis</P><P>version 15.1</P><P>no service pad</P><P>service tcp-keepalives-in</P><P>service tcp-keepalives-out</P><P>service timestamps debug datetime msec localtime show-timezone</P><P>service timestamps log datetime msec localtime show-timezone</P><P>service password-encryption</P><P>service sequence-numbers</P><P>!</P><P></P><P>hostname -Rt</P><P></P><P>!</P><P>boot-start-marker</P><P>boot-end-marker</P><P>!</P><P>!</P><P>security authentication failure rate 10 log</P><P>security passwords min-length 6</P><P>logging buffered 51200</P><P>logging console critical</P><P>enable secret 5 </P><P>enable password 7 </P><P>!</P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login local_auth local</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>aaa session-id common</P><P>!</P><P>memory-size iomem 10</P><P>crypto pki token default removal timeout 0</P><P>!</P><P>crypto pki trustpoint TP-self-signed-3066996233</P><P>enrollment selfsigned</P><P>subject-name cn=IOS-Self-Signed-Certificate-3066996233</P><P>revocation-check none</P><P>rsakeypair TP-self-signed-3066996233</P><P>!</P><P>!</P><P>crypto pki certificate chain TP-self-signed-3066996233</P><P>certificate self-signed 01</P><P></P><P>quit</P><P>no ip source-route</P><P>no ip gratuitous-arps</P><P>!</P><P>!</P><P>!</P><P>ip dhcp excluded-address 10.0.2.2</P><P>ip dhcp excluded-address 10.0.2.1</P><P>!</P><P>ip dhcp pool Trusted</P><P>import all</P><P>network 10.0.2.0 255.255.255.0</P><P>default-router 10.0.2.1 </P><P>domain-name spectra.local</P><P>dns-server 10.0.2.2 10.0.1.6 </P><P>option 150 ip 10.1.1.10 10.1.1.20 </P><P>!</P><P>ip dhcp pool Guest</P><P>import all</P><P>network 192.168.112.0 255.255.255.0</P><P>default-router 192.168.112.1 </P><P>dns-server 4.2.2.2 4.2.2.3 </P><P>!</P><P>!</P><P>ip cef</P><P>no ip bootp server</P><P>ip domain name yourdomain.com</P><P>ip name-server 10.0.2.2</P><P>ip name-server 4.2.2.2</P><P>login block-for 5 attempts 3 within 2</P><P>no ipv6 cef</P><P>!</P><P>!</P><P>multilink bundle-name authenticated</P><P>vpdn enable</P><P>!</P><P>vpdn-group 1</P><P>!</P><P>parameter-map type inspect global</P><P>log dropped-packets enable</P><P>log summary flows 256 time-interval 30</P><P>parameter-map type regex ccp-regex-nonascii</P><P>pattern [^\x00-\x80]</P><P>parameter-map type protocol-info yahoo-servers</P><P>server name scs.msg.yahoo.com</P><P>server name scsa.msg.yahoo.com</P><P>server name scsb.msg.yahoo.com</P><P>server name scsc.msg.yahoo.com</P><P>server name scsd.msg.yahoo.com</P><P>server name cs16.msg.dcn.yahoo.com</P><P>server name cs19.msg.dcn.yahoo.com</P><P>server name cs42.msg.dcn.yahoo.com</P><P>server name cs53.msg.dcn.yahoo.com</P><P>server name cs54.msg.dcn.yahoo.com</P><P>server name ads1.vip.scd.yahoo.com</P><P>server name radio1.launch.vip.dal.yahoo.com</P><P>server name in1.msg.vip.re2.yahoo.com</P><P>server name data1.my.vip.sc5.yahoo.com</P><P>server name address1.pim.vip.mud.yahoo.com</P><P>server name edit.messenger.yahoo.com</P><P>server name messenger.yahoo.com</P><P>server name http.pager.yahoo.com</P><P>server name privacy.yahoo.com</P><P>server name csa.yahoo.com</P><P>server name csb.yahoo.com</P><P>server name csc.yahoo.com</P><P>parameter-map type protocol-info msn-servers</P><P>server name messenger.hotmail.com</P><P>server name gateway.messenger.hotmail.com</P><P>server name webmessenger.msn.com</P><P>parameter-map type protocol-info aol-servers</P><P>server name login.oscar.aol.com</P><P>server name toc.oscar.aol.com</P><P>server name oam-d09a.blue.aol.com</P><P>license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y</P><P>!</P><P>!</P><P>archive</P><P>log config</P><P>logging enable</P><P></P><P>username S privilege 15 secret 4</P><P></P><P>username ed privilege 15 password 7 </P><P>!</P><P>!</P><P>!</P><P>!</P><P>ip tcp synwait-time 10</P><P>ip tcp path-mtu-discovery</P><P>ip ssh time-out 60</P><P>ip ssh authentication-retries 2</P><P>!</P><P>class-map type inspect match-any SDM_BOOTPC</P><P>match access-group name SDM_BOOTPC</P><P>class-map type inspect imap match-any ccp-app-imap</P><P>match invalid-command</P><P>class-map type inspect match-any ccp-cls-protocol-p2p</P><P>match protocol edonkey signature</P><P>match protocol gnutella signature</P><P>match protocol kazaa2 signature</P><P>match protocol fasttrack signature</P><P>match protocol bittorrent signature</P><P>class-map type inspect match-any SDM_DHCP_CLIENT_PT</P><P>match class-map SDM_BOOTPC</P><P>class-map type inspect match-any SDM_AH</P><P>match access-group name SDM_AH</P><P>class-map type inspect match-any ccp-skinny-inspect</P><P>match protocol skinny</P><P>class-map type inspect http match-any ccp-app-nonascii</P><P>match req-resp header regex ccp-regex-nonascii</P><P>class-map type inspect match-any sdm-cls-bootps</P><P>match protocol bootps</P><P>class-map type inspect match-any TFTP</P><P>match protocol tftp</P><P>class-map type inspect match-any SDM_ESP</P><P>match access-group name SDM_ESP</P><P>class-map type inspect match-any SDM_VPN_TRAFFIC</P><P>match protocol isakmp</P><P>match protocol ipsec-msft</P><P>match class-map SDM_AH</P><P>match class-map SDM_ESP</P><P>class-map type inspect match-all SDM_VPN_PT</P><P>match access-group 105</P><P>match class-map SDM_VPN_TRAFFIC</P><P>class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1</P><P>match access-group name Any-From-HO</P><P>class-map type inspect match-any Skinny</P><P>match protocol skinny</P><P>class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2</P><P>match class-map Skinny</P><P>match access-group name Hostcom-Skinny</P><P>class-map type inspect match-any ccp-h323nxg-inspect</P><P>match protocol h323-nxg</P><P>class-map type inspect match-any ccp-cls-icmp-access</P><P>match protocol icmp</P><P>class-map type inspect match-any ccp-cls-protocol-im</P><P>match protocol ymsgr yahoo-servers</P><P>match protocol msnmsgr msn-servers</P><P>match protocol aol aol-servers</P><P>class-map type inspect match-any Pings</P><P>match protocol icmp</P><P></P><P>class-map type inspect match-any Ping-</P><P></P><P>match class-map Pings</P><P>class-map type inspect match-all ccp-cls-ccp-inspect-2</P><P></P><P>match class-map Ping-</P><P>match access-group name Ping-</P><P></P><P>class-map type inspect match-any DNS</P><P>match protocol dns</P><P>class-map type inspect match-all ccp-cls-ccp-inspect-3</P><P>match class-map DNS</P><P>match access-group name Any-any</P><P>class-map type inspect match-all ccp-protocol-pop3</P><P>match protocol pop3</P><P>class-map type inspect match-any ccp-h225ras-inspect</P><P>match protocol h225ras</P><P>class-map type inspect match-all ccp-cls-ccp-inspect-1</P><P>match access-group name Any/Any</P><P>class-map type inspect match-any https</P><P>match protocol https</P><P>class-map type inspect match-all ccp-cls-ccp-inspect-4</P><P>match class-map https</P><P>match access-group name any-any</P><P>class-map type inspect match-any UDP</P><P>match protocol udp</P><P>match protocol tcp</P><P>class-map type inspect match-all ccp-cls-ccp-inspect-5</P><P>match class-map UDP</P><P>match access-group name InsideOut</P><P>class-map type inspect match-any ccp-h323annexe-inspect</P><P>match protocol h323-annexe</P><P>class-map type inspect match-any SDM_SSH</P><P>match access-group name SDM_SSH</P><P>class-map type inspect pop3 match-any ccp-app-pop3</P><P>match invalid-command</P><P>class-map type inspect match-any SDM_HTTPS</P><P>match access-group name SDM_HTTPS</P><P>class-map type inspect match-all ccp-protocol-p2p</P><P>match class-map ccp-cls-protocol-p2p</P><P>class-map type inspect match-all ccp-cls-ccp-permit-2</P><P>match class-map Pings</P><P>match access-group name RespondtoSomePings</P><P>class-map type inspect match-any RemoteMgt</P><P>match protocol ssh</P><P>match protocol https</P><P>class-map type inspect match-all ccp-cls-ccp-permit-1</P><P>match class-map RemoteMgt</P><P>match access-group name Spectra-RemoteMgt</P><P>class-map type inspect match-any SDM_SHELL</P><P>match access-group name SDM_SHELL</P><P>class-map type inspect match-any ccp-h323-inspect</P><P>match protocol h323</P><P>class-map type inspect match-all ccp-protocol-im</P><P>match class-map ccp-cls-protocol-im</P><P>class-map type inspect match-all ccp-icmp-access</P><P>class-map type inspect match-all ccp-invalid-src</P><P>match access-group 103</P><P>class-map type inspect http match-any ccp-app-httpmethods</P><P>match request method bcopy</P><P>match request method bdelete</P><P>match request method bmove</P><P>match request method bpropfind</P><P>match request method bproppatch</P><P>match request method connect</P><P>match request method copy</P><P>match request method delete</P><P>match request method edit</P><P>match request method getattribute</P><P>match request method getattributenames</P><P>match request method getproperties</P><P>match request method index</P><P>match request method lock</P><P>match request method mkcol</P><P>match request method mkdir</P><P>match request method move</P><P>match request method notify</P><P>match request method options</P><P>match request method poll</P><P>match request method post</P><P>match request method propfind</P><P>match request method proppatch</P><P>match request method put</P><P>match request method revadd</P><P>match request method revlabel</P><P>match request method revlog</P><P>match request method revnum</P><P>match request method save</P><P>match request method search</P><P>match request method setattribute</P><P>match request method startrev</P><P>match request method stoprev</P><P>match request method subscribe</P><P>match request method trace</P><P>match request method unedit</P><P>match request method unlock</P><P>match request method unsubscribe</P><P>class-map type inspect match-any ccp-dmz-protocols</P><P>match protocol http</P><P>match protocol dns</P><P>match protocol https</P><P>class-map type inspect match-any WebBrowsing</P><P>match protocol http</P><P>match protocol https</P><P>class-map type inspect match-any DNS2</P><P>match protocol dns</P><P>class-map type inspect match-any ccp-sip-inspect</P><P>match protocol sip</P><P>class-map type inspect http match-any ccp-http-blockparam</P><P>match request port-misuse im</P><P>match request port-misuse p2p</P><P>match request port-misuse tunneling</P><P>match req-resp protocol-violation</P><P>class-map type inspect match-all ccp-protocol-imap</P><P>match protocol imap</P><P>class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1</P><P>match class-map WebBrowsing</P><P>match access-group name DMZ-Out</P><P>class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2</P><P>match class-map DNS2</P><P>match access-group name DMZtoAny</P><P>class-map type inspect match-all ccp-protocol-smtp</P><P>match protocol smtp</P><P>class-map type inspect match-all ccp-protocol-http</P><P>match protocol http</P><P>!</P><P>!</P><P>policy-map type inspect ccp-permit-icmpreply</P><P>class type inspect sdm-cls-bootps</P><P>pass</P><P>class type inspect ccp-icmp-access</P><P>inspect </P><P>class class-default</P><P>pass</P><P>policy-map type inspect imap ccp-action-imap</P><P>class type inspect imap ccp-app-imap</P><P>log</P><P>reset</P><P>policy-map type inspect pop3 ccp-action-pop3</P><P>class type inspect pop3 ccp-app-pop3</P><P>log</P><P>reset</P><P>policy-map type inspect ccp-inspect</P><P>class type inspect ccp-cls-ccp-inspect-2</P><P>inspect </P><P>class type inspect ccp-cls-ccp-inspect-1</P><P>inspect </P><P>class type inspect ccp-cls-ccp-inspect-5</P><P>pass log</P><P>class type inspect TFTP</P><P>inspect </P><P>class type inspect ccp-invalid-src</P><P>drop log</P><P>class type inspect ccp-cls-ccp-inspect-4</P><P>inspect </P><P>class type inspect ccp-protocol-http</P><P>inspect </P><P>class type inspect ccp-protocol-smtp</P><P>inspect </P><P>class type inspect ccp-cls-ccp-inspect-3</P><P>inspect </P><P>class type inspect ccp-protocol-imap</P><P>inspect </P><P>service-policy imap ccp-action-imap</P><P>class type inspect ccp-protocol-pop3</P><P>inspect </P><P>service-policy pop3 ccp-action-pop3</P><P>class type inspect ccp-protocol-p2p</P><P>drop log</P><P>class type inspect ccp-protocol-im</P><P>drop log</P><P>class type inspect ccp-sip-inspect</P><P>inspect </P><P>class type inspect ccp-h323-inspect</P><P>inspect </P><P>class type inspect ccp-h323annexe-inspect</P><P>inspect </P><P>class type inspect ccp-h225ras-inspect</P><P>inspect </P><P>class type inspect ccp-h323nxg-inspect</P><P>inspect </P><P>class type inspect ccp-skinny-inspect</P><P>inspect </P><P>class class-default</P><P>drop log</P><P>policy-map type inspect ccp-permit-outside-in</P><P>class type inspect ccp-cls-ccp-permit-outside-in-2</P><P>inspect </P><P>class type inspect ccp-cls-ccp-permit-outside-in-1</P><P>pass</P><P>class class-default</P><P>drop log</P><P>policy-map type inspect http ccp-action-app-http</P><P>class type inspect http ccp-http-blockparam</P><P>log</P><P>reset</P><P>class type inspect http ccp-app-httpmethods</P><P>log</P><P>reset</P><P>class type inspect http ccp-app-nonascii</P><P>log</P><P>reset</P><P>policy-map type inspect ccp-permit</P><P>class type inspect SDM_VPN_PT</P><P>pass</P><P>class type inspect ccp-cls-ccp-permit-2</P><P>inspect </P><P>class type inspect ccp-cls-ccp-permit-1</P><P>pass</P><P>class type inspect SDM_DHCP_CLIENT_PT</P><P>pass</P><P>class class-default</P><P>drop log</P><P>policy-map type inspect ccp-permit-dmzservice</P><P>class type inspect ccp-cls-ccp-permit-dmzservice-1</P><P>inspect </P><P>class type inspect ccp-cls-ccp-permit-dmzservice-2</P><P>inspect </P><P>class class-default</P><P>drop</P><P>!</P><P>zone security in-zone</P><P>zone security out-zone</P><P>zone security dmz-zone</P><P>zone-pair security ccp-zp-in-out source in-zone destination out-zone</P><P>service-policy type inspect ccp-inspect</P><P>zone-pair security ccp-zp-out-self source out-zone destination self</P><P>service-policy type inspect ccp-permit</P><P>zone-pair security ccp-zp-out-in source out-zone destination in-zone</P><P>service-policy type inspect ccp-permit-outside-in</P><P>zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone</P><P>service-policy type inspect ccp-permit-dmzservice</P><P>! </P><P>!</P><P>crypto isakmp policy 2</P><P>encr aes 256</P><P>authentication pre-share</P><P>group 5</P><P>lifetime 28800</P><P>crypto isakmp key Y address x.x.x.x</P><P>crypto isakmp key o1 address x.x.x.x</P><P>!</P><P>!</P><P>crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac </P><P>!</P><P>crypto map SDM_CMAP_1 1 ipsec-isakmp </P><P>description Tunnel to x.x.x.x</P><P>set peer x.x.x.x</P><P>set transform-set ESP-AES256-SHA </P><P>match address 100</P><P>crypto map SDM_CMAP_1 2 ipsec-isakmp </P><P>description Tunnel to x.x.x.x</P><P>set peer x.x.x.x</P><P>set security-association lifetime kilobytes 128000</P><P>set security-association lifetime seconds 28800</P><P>set transform-set ESP-AES256-SHA </P><P>match address 102</P><P>!</P><P>!</P><P>!</P><P>!</P><P>!</P><P>interface FastEthernet0</P><P></P><P>description B</P><P></P><P>switchport access vlan 2</P><P>no ip address</P><P>spanning-tree portfast</P><P>!</P><P>interface FastEthernet1</P><P>description Docker</P><P>switchport access vlan 2</P><P>no ip address</P><P>spanning-tree portfast</P><P>!</P><P>interface FastEthernet2</P><P>description Phone</P><P>switchport access vlan 2</P><P>no ip address</P><P>spanning-tree portfast</P><P>!</P><P>interface FastEthernet3</P><P>description Guest</P><P>switchport access vlan 3</P><P>no ip address</P><P>spanning-tree portfast</P><P>!</P><P>interface FastEthernet4</P><P>description External $FW_OUTSIDE$</P><P>bandwidth inherit</P><P>no ip address</P><P>no ip redirects</P><P>no ip unreachables</P><P>no ip proxy-arp</P><P>ip flow ingress</P><P>ip nat outside</P><P>ip virtual-reassembly in</P><P>ip verify unicast source reachable-via rx allow-default 104</P><P>duplex auto</P><P>speed auto</P><P>pppoe-client dial-pool-number 1</P><P>hold-queue 224 in</P><P>!</P><P>interface Vlan1</P><P>description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$</P><P>no ip address</P><P>no ip redirects</P><P>no ip unreachables</P><P>no ip proxy-arp</P><P>ip flow ingress</P><P>ip tcp adjust-mss 1452</P><P>shutdown</P><P>!</P><P>interface Vlan2</P><P>description Trusted Network$FW_INSIDE$</P><P>ip address 10.0.2.1 255.255.255.0</P><P>no ip redirects</P><P>no ip unreachables</P><P>no ip proxy-arp</P><P>ip flow ingress</P><P>ip nat inside</P><P>ip virtual-reassembly in</P><P>zone-member security in-zone</P><P>ip tcp adjust-mss 1440</P><P>!</P><P>interface Vlan3</P><P>description Guest Network$FW_DMZ$</P><P>ip address 192.168.112.1 255.255.255.0</P><P>no ip redirects</P><P>no ip unreachables</P><P>no ip proxy-arp</P><P>ip flow ingress</P><P>ip nat inside</P><P>ip virtual-reassembly in</P><P>zone-member security dmz-zone</P><P>!</P><P>interface Dialer0</P><P>ip address negotiated</P><P>no ip redirects</P><P>no ip unreachables</P><P>ip directed-broadcast</P><P>no ip proxy-arp</P><P>ip flow ingress</P><P>ip nat outside</P><P>ip virtual-reassembly in</P><P>ip verify unicast reverse-path</P><P>encapsulation ppp</P><P>load-interval 30</P><P>dialer pool 1</P><P>dialer-group 1</P><P>ppp authentication chap pap callout</P><P>ppp chap hostname </P><P>ppp chap password 7 </P><P>ppp pap sent-username password 7 </P><P>no cdp enable</P><P>!</P><P>interface Dialer1</P><P>ip address negotiated</P><P>no ip redirects</P><P>no ip unreachables</P><P>ip directed-broadcast</P><P>no ip proxy-arp</P><P>ip flow ingress</P><P>ip nat outside</P><P>ip virtual-reassembly in</P><P>ip verify unicast reverse-path</P><P>zone-member security out-zone</P><P>encapsulation ppp</P><P>load-interval 30</P><P>dialer pool 1</P><P>dialer-group 1</P><P>ppp authentication chap pap callin</P><P>ppp chap hostname </P><P>ppp chap password 7 </P><P>ppp pap sent-username password 7 </P><P>ppp ipcp route default</P><P>ppp ipcp address accept</P><P>no cdp enable</P><P>crypto map SDM_CMAP_1</P><P>!</P><P>ip forward-protocol nd</P><P>no ip http server</P><P>ip http access-class 23</P><P>ip http authentication local</P><P>ip http secure-server</P><P>ip http timeout-policy idle 60 life 86400 requests 10000</P><P>!</P><P>!</P><P>ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload</P><P>!</P><P>ip access-list standard SSH-Management</P><P>permit x.x.x.x log</P><P>permit 10.0.2.0 0.0.0.255 log</P><P>permit 10.0.1.0 0.0.0.255 log</P><P>!</P><P>ip access-list extended Any-From-HO</P><P>remark CCP_ACL Category=128</P><P>permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255</P><P>permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255</P><P>ip access-list extended Any-any</P><P>remark CCP_ACL Category=128</P><P>permit ip any any</P><P>ip access-list extended Any/Any</P><P>remark CCP_ACL Category=128</P><P>permit ip host 10.0.2.0 host 10.0.1.0</P><P>ip access-list extended DMZ-Out</P><P>remark CCP_ACL Category=128</P><P>permit ip 192.168.112.0 0.0.0.255 any</P><P>ip access-list extended DMZtoAny</P><P>remark CCP_ACL Category=128</P><P>permit ip 192.168.112.0 0.0.0.255 any</P><P>ip access-list extended Hostcom-Skinny</P><P>remark CCP_ACL Category=128</P><P>permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255</P><P>ip access-list extended InsideOut</P><P>remark CCP_ACL Category=128</P><P>permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255</P><P>ip access-list extended Ping-Hostcom</P><P>remark CCP_ACL Category=128</P><P>permit ip host 10.0.2.2 any</P><P>ip access-list extended RespondtoSomePings</P><P>remark CCP_ACL Category=128</P><P>permit ip 10.0.1.0 0.0.0.255 any</P><P>permit ip host x.x.x.x any</P><P>permit ip host 37.0.96.2 any</P><P>ip access-list extended SDM_AH</P><P>remark CCP_ACL Category=1</P><P>permit ahp any any</P><P>ip access-list extended SDM_BOOTPC</P><P>remark CCP_ACL Category=0</P><P>permit udp any any eq bootpc</P><P>ip access-list extended SDM_ESP</P><P>remark CCP_ACL Category=1</P><P>permit esp any any</P><P>ip access-list extended SDM_HTTPS</P><P>remark CCP_ACL Category=1</P><P>permit tcp any any eq 443</P><P>ip access-list extended SDM_SHELL</P><P>remark CCP_ACL Category=1</P><P>permit tcp any any eq cmd</P><P>ip access-list extended SDM_SSH</P><P>remark CCP_ACL Category=1</P><P>permit tcp any any eq 22</P><P></P><P>ip access-list extended RemoteMgt</P><P></P><P>remark CCP_ACL Category=128</P><P>permit ip host x.x.x.x any</P><P>permit ip 10.0.1.0 0.0.0.255 any</P><P>ip access-list extended any-any</P><P>remark CCP_ACL Category=128</P><P>permit ip any any</P><P>!</P><P>logging trap debugging</P><P>logging facility local2</P><P>access-list 1 remark CCP_ACL Category=2</P><P>access-list 1 permit 10.0.2.0 0.0.0.255</P><P>access-list 1 permit 192.168.112.0 0.0.0.255</P><P>access-list 23 remark HTTPS Access</P><P>access-list 23 permit 10.0.2.1</P><P>access-list 23 permit x.x.x.x</P><P>access-list 23 permit 10.0.2.0 0.0.0.255</P><P>access-list 23 permit 10.0.1.0 0.0.0.255</P><P>access-list 100 remark CCP_ACL Category=4</P><P>access-list 100 remark IPSec Rule</P><P>access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255</P><P>access-list 101 remark CCP_ACL Category=2</P><P>access-list 101 remark IPSec Rule</P><P>access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255</P><P>access-list 101 remark IPSec Rule</P><P>access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255</P><P>access-list 101 permit ip 192.168.112.0 0.0.0.255 any</P><P>access-list 101 permit ip 10.0.2.0 0.0.0.255 any</P><P>access-list 102 remark CCP_ACL Category=4</P><P>access-list 102 remark IPSec Rule</P><P>access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255</P><P>access-list 103 remark CCP_ACL Category=128</P><P>access-list 103 permit ip host 255.255.255.255 any</P><P>access-list 103 permit ip 127.0.0.0 0.255.255.255 any</P><P>access-list 104 permit udp any any eq bootpc</P><P>access-list 105 remark CCP_ACL Category=128</P><P>access-list 105 permit ip host x.x.x.x any</P><P>access-list 105 permit ip host x.x.x.x any</P><P>dialer-list 1 protocol ip permit</P><P>no cdp run</P><P>!</P><P>!</P><P>!</P><P>!</P><P>route-map SDM_RMAP permit 1</P><P>!</P><P>route-map SDM_RMAP_1 permit 1</P><P>match ip address 101</P><P>!</P><P>!</P><P>!</P><P>!</P><P>control-plane</P><P>!</P><P>banner exec ^C</P><P>% Password expiration warning.</P><P>-----------------------------------------------------------------------</P><P></P><P>Cisco Configuration Professional (Cisco CP) is installed on this device </P><P>and it provides the default username "cisco" for one-time use. If you have </P><P>already used the username "cisco" to login to the router and your IOS image </P><P>supports the "one-time" user option, then this username has already expired. </P><P>You will not be able to login to the router with this username after you exit </P><P>this session.</P><P></P><P>It is strongly suggested that you create a new username with a privilege level </P><P>of 15 using the following command.</P><P></P><P>username &lt;myuser&gt; privilege 15 secret 0 &lt;mypassword&gt;</P><P></P><P>Replace &lt;myuser&gt; and &lt;mypassword&gt; with the username and password you </P><P>want to use.</P><P></P><P>-----------------------------------------------------------------------</P><P>^C</P><P>banner login ^C</P><P>-----------------------------------------------------------------------</P><P>Authorised Access Only</P><P>If your not supposed to be here. Close the connection</P><P>-----------------------------------------------------------------------</P><P>^C</P><P>banner motd ^C </P><P>-----------------------------------</P><P>-----------------------------------</P><P></P><P>Access Is Restricted To&nbsp; Personel ONLY^C</P><P></P><P>!</P><P>line con 0</P><P>exec-timeout 5 0</P><P>login authentication local_auth</P><P>transport output telnet</P><P>line aux 0</P><P>exec-timeout 15 0</P><P>login authentication local_auth</P><P>transport output telnet</P><P>line vty 0 4</P><P>access-class SSH-Management in</P><P>privilege level 15</P><P>logging synchronous</P><P>login authentication local_auth</P><P>transport input telnet ssh</P><P>!</P><P>scheduler interval 500</P><P>end</P><P></P> Tue, 12 Mar 2019 01:15:19 GMT https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175813#M360006 martinbuffleo 2019-03-12T01:15:19Z Cisco 881 Zone Firewall issues https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175814#M360007 <HTML><HEAD></HEAD><BODY><P>Apply the "<STRONG><EM>ip inspect log drop</EM>-pkt</STRONG>" command, run tests and check the logs.</P></BODY></HTML> Mon, 18 Mar 2013 19:57:48 GMT https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175814#M360007 jocamare 2013-03-18T19:57:48Z Cisco 881 Zone Firewall issues https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175815#M360008 <HTML><HEAD></HEAD><BODY><P>Hello Martin,</P><P></P><P>Please apply the following changes and let us know:</P><P></P><P>ip access-list extend DMZtoAny</P><P>1 permit udp 192.168.12.0 0.0.0.255 any eq 53</P><P>no permit ip 192.168.112.0 0.0.0.255 any</P><P></P><P></P><P>Ip access-list extended DMZ-Out</P><P>1 permit tcp 192.168.12.0 0.0.0.255 any eq 80</P><P>2 permit tcp 192.168.12.0 0.0.0.255 any eq 443</P><P>no <SPAN style="font-size: 10pt;">permit ip 192.168.112.0 0.0.0.255 any</SPAN></P><P></P><P></P><P>Change that, try and if it does not work post the configuration with the changes applied,</P><P></P><P>Regards,</P><P></P><P>Remember to rate all of the helfpul posts, that is as important as a thanks</P><P></P><P>Julio</P></BODY></HTML> Tue, 19 Mar 2013 01:55:51 GMT https://community.cisco.com/t5/network-security/cisco-881-zone-firewall-issues/m-p/2175815#M360008 Julio Carvajal 2013-03-19T01:55:51Z