https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371080#M920080 <HTML><HEAD></HEAD><BODY><P>Thankyou for your reply</P><P>yes I used CCP for it and I found the same lines in my configuration, could you please define how to tell policy-map to allow/pass http from command line? I did not find allow or pass type in class-map, policy-map....kindly help</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/7/6/163675-cmap.PNG" class="jive-image" /></P></BODY></HTML> Wed, 30 Oct 2013 06:13:49 GMT engr.moaz 2013-10-30T06:13:49Z https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371078#M920078 <P>I have configured Basic firewall on my cisco 2911,<STRONG> I want to open port 80 </STRONG>for a packaging machine IP (192.168.0.28 255.255.252.0) which uses tcp port 80 to connect with live ip of its server in case of any technical problem, so that support technicians can access this machine. Actually it dials a VPN by using proprietry software buit in the machine. they provided me same software from which it can check if this software connects or not.</P><P>below is the snapshot of software.</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/1/8/5/163581-snapshot.PNG" alt="snapshot.PNG" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P> Fri, 21 Feb 2020 13:01:43 GMT https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371078#M920078 engr.moaz 2020-02-21T13:01:43Z https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371079#M920079 <HTML><HEAD></HEAD><BODY><P>I suspect it not that port 80 isn't open but rather the request it uses to check tcp/80 is not actually http-encoded and your firewall is inspecting tcp/80 traffic to ensure it's legitimate http and not something else masquerading as web traffic.</P><P></P><P></P><P>If you used CCP, you probably have something like the following lines in your configuration:</P><P></P><P>class-map type inspect match-all ccp-protocol-http</P><P> match protocol http</P><P><SPAN style="font-size: 10pt;">policy-map type inspect ccp-inspect</SPAN></P><P><SPAN style="font-size: 10pt;"> class type inspect ccp-protocol-http</SPAN></P><P>&nbsp; inspect </P><P></P><P>If you tell the policy-map to "pass" vs. "inspect" http that will probably fix it.</P></BODY></HTML> Tue, 29 Oct 2013 15:47:52 GMT https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371079#M920079 Marvin Rhoads 2013-10-29T15:47:52Z https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371080#M920080 <HTML><HEAD></HEAD><BODY><P>Thankyou for your reply</P><P>yes I used CCP for it and I found the same lines in my configuration, could you please define how to tell policy-map to allow/pass http from command line? I did not find allow or pass type in class-map, policy-map....kindly help</P><P></P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/5/7/6/163675-cmap.PNG" class="jive-image" /></P></BODY></HTML> Wed, 30 Oct 2013 06:13:49 GMT https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371080#M920080 engr.moaz 2013-10-30T06:13:49Z https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371081#M920081 <HTML><HEAD></HEAD><BODY><P>The command has to be done from within the right context in the modular QOS CLI framework. First go into the policy-map and then to the class so that your command prompt shows you are in Policy-map class configuration mode ("config-pmap-c"):</P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">#conf t</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">Enter configuration commands, one per line.&nbsp; End with CNTL/Z.</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">(config)#policy-map type inspect ccp-inspect</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">(config-pmap)#class type inspect ccp-protocol-http</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">(config-pmap-c)#?</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">Policy-map class configuration commands:</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; drop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Drop the packet</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; exit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Exit from QoS class action configuration mode</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; inspect&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Context-based Access Control Engine</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; no&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Negate or set default values of a command</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; pass&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Pass the packet</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; police&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Police</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">&nbsp; service-policy&nbsp; Deep Packet Inspection Engine</SPAN></P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">CCHS_ADMIN_R_1(config-pmap-c)#</SPAN></P><P></P><P>At that point you can negate the "inspect" action and add a "pass" action.</P></BODY></HTML> Wed, 30 Oct 2013 13:36:57 GMT https://community.cisco.com/t5/network-security/how-to-open-port-80/m-p/2371081#M920081 Marvin Rhoads 2013-10-30T13:36:57Z