https://community.cisco.com/t5/network-security/tried-to-activate-firewall-in-isr-but-blockes-allowed-services/m-p/1087447#M895032 <HTML><HEAD></HEAD><BODY><P>Configure an Access-list to open the port 3389 and apply the access-list on the interface where you have configured the zone based firewall which will prevent the port from being blocked.</P><P></P></BODY></HTML> Tue, 21 Oct 2008 15:08:58 GMT smahbub 2008-10-21T15:08:58Z https://community.cisco.com/t5/network-security/tried-to-activate-firewall-in-isr-but-blockes-allowed-services/m-p/1087446#M895031 <P>Hi,</P><P></P><P>I need your advice. tried to enable Firewall on the ISR using zone security but whenever i apply it on the interface (in/out)some of the ports like 3389 etc are blocked. Need to know if there is anything i need to configure to accept port 3389. </P><P></P><P>class-map type inspect match-all xxx</P><P> match access-group xxx</P><P></P><P>class-map type inspect match-any inspect-traffic</P><P> match protocol cuseeme</P><P> match protocol dns</P><P> match protocol ftp</P><P> match protocol h323</P><P> match protocol http</P><P> match protocol https</P><P> match protocol icmp</P><P> match protocol imap</P><P> match protocol pop3</P><P> match protocol netshow</P><P> match protocol shell</P><P> match protocol realmedia</P><P> match protocol rtsp</P><P> match protocol smtp extended</P><P> match protocol sql-net</P><P> match protocol streamworks</P><P> match protocol tftp</P><P> match protocol vdolive</P><P> match protocol tcp</P><P> match protocol udp</P><P></P><P>class-map type inspect match-all xxx</P><P> match access-group name xxx</P><P></P><P>class-map type inspect match-all xxx</P><P> match access-group xxx</P><P>class-map type inspect match-any out-self</P><P> match access-group xxx</P><P></P><P>class-map type inspect match-any self-out</P><P> match protocol icmp</P><P> match protocol tcp</P><P> match protocol udp</P><P></P><P>policy-map type inspect in-out</P><P> class type inspect xxx</P><P> pass</P><P> class type inspect inspect-traffic</P><P> inspect</P><P> class class-default</P><P>policy-map type inspect xxx</P><P> class type inspect xxx</P><P> pass</P><P> class class-default</P><P> drop</P><P>policy-map type inspect self-out</P><P> class type inspect self-out</P><P> inspect</P><P> class class-default</P><P> pass</P><P>policy-map type inspect out-self</P><P> class type inspect xxx</P><P> pass</P><P> class type inspect out-self</P><P> inspect</P><P> class class-default</P><P></P><P>zone security out-zone</P><P>zone security in-zone</P><P>zone-pair security self-out source self destination out-zone</P><P> service-policy type inspect self-out</P><P>zone-pair security out-self source out-zone destination self</P><P> service-policy type inspect out-self</P><P>zone-pair security in-out source in-zone destination out-zone</P><P> service-policy type inspect in-out</P><P>zone-pair security vpn-inside source out-zone destination in-zone</P><P> service-policy type inspect vpn-inside</P><P></P> Mon, 11 Mar 2019 13:57:58 GMT https://community.cisco.com/t5/network-security/tried-to-activate-firewall-in-isr-but-blockes-allowed-services/m-p/1087446#M895031 roxasmc 2019-03-11T13:57:58Z https://community.cisco.com/t5/network-security/tried-to-activate-firewall-in-isr-but-blockes-allowed-services/m-p/1087447#M895032 <HTML><HEAD></HEAD><BODY><P>Configure an Access-list to open the port 3389 and apply the access-list on the interface where you have configured the zone based firewall which will prevent the port from being blocked.</P><P></P></BODY></HTML> Tue, 21 Oct 2008 15:08:58 GMT https://community.cisco.com/t5/network-security/tried-to-activate-firewall-in-isr-but-blockes-allowed-services/m-p/1087447#M895032 smahbub 2008-10-21T15:08:58Z