Cisco IOS Firewall keeps stopping mobile apps

DOUGLAS DRURY
Level 1

Hi all

The other day I set up a firewall on my Cisco 1841 router. It all seems to work fine except for a few small problems: 2 wireless devices, an iPhone and an Android tablet, are having some problems with 1 or 2 apps.

iPhone 6.0.1

Facebook app and the App store will not load

Android tablet ICS

BBC iPlayer and Google Play app store won't load or play content.

Both devices with their issue were working fine until the new firewall was installed. I've tried opening ports and adding ACLs but nothing seems to work. I've included my startup config if anyone is able to shed some light on this. All other PCs, laptops, smartphones and iPads work fine.

Building configuration...

Current configuration : 5551 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Vauxhall_Cross
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ZIm.$daY/Jq7JsIZrjcyYSyxiK0
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
ip port-map user-iPlayer port tcp 1947
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW appleqtc
ip domain name idrury.local
ip name-server 192.168.99.1
ip name-server 8.8.8.8
ip name-server 212.69.36.3
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4132939895
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4132939895
revocation-check none
rsakeypair TP-self-signed-4132939895
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4132939895
certificate self-signed 01


quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
username drury secret 5 $1$Egaq$sjGRXhPMNduHUkuMXaXjC/
archive
log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 192.168.99.2 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip inspect CCP_LOW out
speed 100
full-duplex
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
speed 100
full-duplex
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
router rip
network 192.168.2.0
network 192.168.99.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.99.1
!
!
ip http server
ip http secure-server
!
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 remark Auto generated by CCP for NTP (123) 130.88.203.12
access-list 100 permit udp host 130.88.203.12 eq ntp host 192.168.2.1 eq ntp
access-list 100 deny   ip 192.168.99.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark SSH
access-list 101 permit tcp any host 192.168.99.2 eq 22
access-list 101 permit udp host 212.69.36.3 eq domain host 192.168.99.2
access-list 101 permit udp host 8.8.8.8 eq domain host 192.168.99.2
access-list 101 permit udp host 192.168.99.1 eq domain host 192.168.99.2
access-list 101 remark Auto generated by CCP for NTP (123) 130.88.203.12
access-list 101 permit udp host 130.88.203.12 eq ntp host 192.168.99.2 eq ntp
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.99.2 echo-reply
access-list 101 permit icmp any host 192.168.99.2 time-exceeded
access-list 101 permit icmp any host 192.168.99.2 unreachable
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 130.88.203.12 source FastEthernet0/0
end

3 Replies

DOUGLAS DRURY
Level 1

Is anybody able to hint at what the problem could be? Any suggestions are much appreciated.

Sent from Cisco Technical Support iPad App

ju_mobile
Level 1

Morning Douglas,

If you remove the access-lists from the interface one at a time, when does it work? I would hazard a guess that the outside interface ACL may be your issue; to trace which ports are in use, use an ACL and a packet debug on the router.

I've assumed that it's all iPhones and Androids, or is this one iPhone/Android of many?

Best regards

Julian

Sent from Cisco Technical Support iPhone App
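Julian's suggestion comes down to finding which return packets hit the last line of the posted ACL 101 when no inspect session covers them. The following is an added example, not from the thread and not a Cisco tool: a small first-match evaluator for IOS extended ACL syntax, run over an excerpt of the posted ACL 101 against constructed packets (203.0.113.10 and 198.51.100.7 are constructed outside addresses, 192.168.2.50 a constructed inside host).

```python
import ipaddress
# Added example (not from the thread or any Cisco tool): a first-match evaluator
# for IOS numbered extended ACL syntax, run over an excerpt of the poster's inbound
# ACL 101 (FastEthernet0/0) to show what it permits with no CBAC session open.
PORT_NAMES = {"domain": 53, "ntp": 123, "rip": 520}
ACL_101 = """
access-list 101 permit tcp any host 192.168.99.2 eq 22
access-list 101 permit udp host 8.8.8.8 eq domain host 192.168.99.2
access-list 101 permit udp host 192.168.99.1 eq domain host 192.168.99.2
access-list 101 deny   ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.99.2 echo-reply
access-list 101 permit udp any any eq rip
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip any any log
"""
def _take_addr(tok):
    """Consume 'any', 'host A' or 'A wildcard'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]  # IOS wildcard == hostmask

def _take_port(tok):
    """Consume an optional 'eq <port|name>'; return (port or None, remaining tokens)."""
    return (int(PORT_NAMES.get(tok[1], tok[1])), tok[2:]) if tok[:1] == ["eq"] else (None, tok)

def parse_acl(text):
    """Parse access-list lines into ordered entries; remark lines are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        src, rest = _take_addr(tok[4:])
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        extra = [t for t in rest if t != "log"]  # leftover keyword, e.g. an ICMP type
        acl.append((tok[2], tok[3], src, sport, dst, dport,
                    extra[0] if extra else None, " ".join(tok)))
    return acl

def lookup(acl, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """Evaluate one packet top-down; returns (action, matching entry or implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, sp, dn, dp, it, line in acl:
        if (p in ("ip", proto) and s in sn and d in dn and sp in (None, sport)
                and dp in (None, dport) and it in (None, icmp_type)):
            return action, line
    return "deny", "implicit deny"
```

Run against the constructed packets, it shows that the explicit DNS and ICMP permits only cover replies addressed to the router itself (192.168.99.2); a reply from the same server to a host in 192.168.2.0/24 falls through to "deny ip any any log" and is only let through while CBAC has a matching session open for it.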

Hi Julian

Thanks for responding

It's just one iPhone and one Android in particular of many. I'll try your ACL suggestion when I get home.

Thanks

Douglas
