
Can Access Webserver from Internet through Cisco router

orahman99
Level 1

Everything works fine internally, but I have a website on the 10.0.0.52 server with the external IP of 216.140.140.4. When I tried to access it from the Internet it doesn't work. Please, does anyone have any ideas on what might be the issue here? Though if I use the IP 216.140.140.4 I can access the website, even though I suspected it is a DNS issue, so I opened the DNS port 53 for the 10.0.0.1 server; it still didn't work. It is an issue with the router, because as soon as I replace it with the proprietary firewall it works fine.

I also want to point out that below is the configuration from my outside zone to the inside zone, which I configured to allow only ports that I want accessed from outside. Since the website uses the HTTP port, which is opened, and the DNS server 10.0.0.1 needs port 53, I opened it also, but it did not make any difference. I used CCP to configure my inside to outside zone, which is supposed to allow all traffic from inside to outside.

Please would appreciate your advice.

ip name-server 10.0.0.1

Zone security out-zone

zone security in-zone

zone security teleworker

interface gi0/1

Zone-member security out-zone

interface gi0/0

zone-member security in-zone

interface gi0/2

zone-member security teleworker

exit

ip port-map user-RDP port tcp 3389

zone-pair security OUT-IN source out-zone destination in-zone

zone-pair security OUT-TELEWORKER source out-zone destination teleworker

zone-pair security TELEWORKER-OUT source teleworker destination out-zone

ip access-list extended OUTSIDE-TO-INSIDE-WEB

permit tcp any host 10.0.0.23 eq 80

permit tcp any host 10.0.0.59 eq 80

permit tcp any host 10.0.0.61 eq 80

permit tcp any host 10.0.0.228 eq 80

permit tcp any host 10.0.0.16 eq 80

permit tcp any host 10.0.0.30 eq 80

class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS

match protocol http

match access-group name OUTSIDE-TO-INSIDE-WEB

ip access-list extended OUTSIDE-TO-INSIDE-FTP

permit tcp any host 10.0.0.52 eq 20 21

permit tcp any host 10.0.0.23 eq 20 21

permit tcp any host 10.0.0.59 eq 20 21

permit tcp any host 10.0.0.61 eq 20 21

permit tcp any host 10.0.0.228 eq 20 21

class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS

match protocol ftp

match access-group name OUTSIDE-TO-INSIDE-FTP

ip access-list extended OUTSIDE-TO-INSIDE-SMTP

permit tcp any host 10.0.0.52 eq 25

permit tcp any host 10.0.0.23 eq 25

permit tcp any host 10.0.0.59 eq 25

permit tcp any host 10.0.0.61 eq 25

permit tcp any host 10.0.0.228 eq 25

class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS

match protocol smtp

match access-group name OUTSIDE-TO-INSIDE-SMTP

ip access-list extended OUTSIDE-TO-INSIDE-DNS

permit tcp any host 10.0.0.23 eq 53

permit udp any host 10.0.0.23 eq 53

permit tcp any host 10.0.0.59 eq 53

permit udp any host 10.0.0.59 eq 53

permit tcp any host 10.0.0.61 eq 53

permit udp any host 10.0.0.61 eq 53

permit tcp any host 10.0.0.228 eq 53

permit udp any host 10.0.0.228 eq 53

permit tcp any host 10.0.0.1 eq 53

permit udp any host 10.0.0.1 eq 53

class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS

match protocol dns

match access-group name OUTSIDE-TO-INSIDE-DNS

ip access-list extended OUTSIDE-TO-INSIDE-POP

permit tcp any host 10.0.0.52 eq 110

permit tcp any host 10.0.0.23 eq 110

permit tcp any host 10.0.0.59 eq 110

permit tcp any host 10.0.0.61 eq 110

permit tcp any host 10.0.0.228 eq 110

class-map type inspect match-all OUTSIDE-TO-INSIDE-POP-CLASS

match protocol pop

match access-group name OUTSIDE-TO-INSIDE-POP

ip access-list extended OUTSIDE-TO-INSIDE-IMAP

permit tcp any host 10.0.0.52 eq 143

permit tcp any host 10.0.0.23 eq 143

permit tcp any host 10.0.0.59 eq 143

permit tcp any host 10.0.0.61 eq 143

permit tcp any host 10.0.0.228 eq 143

class-map type inspect match-all OUTSIDE-TO-INSIDE-IMAP-CLASS

match protocol imap

match access-group name OUTSIDE-TO-INSIDE-IMAP

ip access-list extended OUTSIDE-TO-INSIDE-HTTPS

permit tcp any host 10.0.0.52 eq 443

permit tcp any host 10.0.0.23 eq 443

permit tcp any host 10.0.0.59 eq 443

permit tcp any host 10.0.0.61 eq 443

permit tcp any host 10.0.0.228 eq 443

class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS

match protocol https

match access-group name OUTSIDE-TO-INSIDE-HTTPS

ip access-list extended OUTSIDE-TO-INSIDE-RDP

permit tcp any host 10.0.0.52 eq 3389

permit tcp any host 10.0.0.23 eq 3389

permit tcp any host 10.0.0.59 eq 3389

permit tcp any host 10.0.0.61 eq 3389

permit tcp any host 10.0.0.228 eq 3389

permit tcp any host 10.0.0.58 eq 3389

permit tcp any host 10.0.0.33 eq 3389

permit tcp any host 10.0.0.25 eq 3389

permit tcp any host 10.0.0.44 eq 3389

permit tcp any host 10.0.0.251 eq 3389

permit tcp any host 10.0.0.21 eq 3389

permit tcp any host 10.0.0.22 eq 3389

permit tcp any host 10.0.0.24 eq 3389

permit tcp any host 10.0.0.30 eq 3389

permit tcp any host 10.0.0.230 eq 3389

class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS

match protocol user-RDP

match access-group name OUTSIDE-TO-INSIDE-RDP

ip access-list extended TELEWORKER-TO-OUTSIDE

permit ip host 10.0.3.254 any

class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS

match access-group name TELEWORKER-TO-OUTSIDE

ip access-list extended OUTSIDE-TO-TELEWORKER

permit ip any host 10.0.3.254

class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS

match access-group name OUTSIDE-TO-TELEWORKER

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-POP-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-IMAP-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS

inspect

policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY

class type inspect TELEWORKER-TO-OUTSIDE-CLASS

inspect

policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY

class type inspect OUTSIDE-TO-TELEWORKER-CLASS

inspect

zone-pair security OUT-IN source out-zone destination in-zone

service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

zone-pair security OUT-TELEWORKER source out-zone destination teleworker

service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY

zone-pair security TELEWORKER-OUT source teleworker destination out-zone

service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY

4 Replies

nefkensp
Level 5

Just out of interest, have you enabled and checked your NAT configuration that a static NAT translation exists for your server?




cadet alain
VIP Alumni

Hi,

So you can access the server from outside by specifying its WAN IP address but not its name?

What DNS server is the outside client using to get the IP from the name? Is it the internal DNS server? If so, have you got a static PAT entry for this server?

Regards.

Alain

Don't forget to rate helpful posts.


The name to IP is resolved using DNS. So the DNS server should provide on the Internet the external IP address.

However, you do need something to provide a static translation from external IP to internal IP (e.g. NAT).

So that the router knows that traffic coming for external IP address a.b.c.d on port 80 should be forwarded to internal IP address 10.1.1.x port 80.

So the firewall works in conjunction with NAT.

See the following configuration example (although it's for two ISPs); the concept is that an internal server is available on the Internet using NAT.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00809454c7.shtml

orahman99
Level 1

Hello,

I have broken down my configuration into three phases

1) NAT

2) Zone Based Firewall (outside to inside)

3) Zone Based Firewall (inside to outside): done using CCP

My NAT is working perfectly fine. I configured the Outside to Inside Zone opening up the relevant ports, and all the right ports are opened. I used CCP to configure the Inside to Outside Zone because I am not sure of all the ports that would need to be opened, and it is pretty straightforward with CCP.

- My internal DNS server is 10.0.0.1 and configured properly because it is currently working with a proprietary firewall.

- From inside to outside everything works fine.

- I can ping my DNS server from my router; I have opened port 53 for my DNS server on ZBF.

- I can ping my website on my 10.0.0.52 webserver from my router using its name, i.e. ping www.aaa.com.

- From the Internet I can access the website from the external IP address (10.0.0.52 - 216.140.140.4), however I can't get it with its name.

- I don't have a NAT entry for my internal DNS server, however I have opened up port 53 for it on Zone Based Firewall.

Now I don't understand how to provide the static translation as I don't need the DNS server to really access the Internet, or am I getting something wrong?

Please would appreciate your help.

Below is my configuration.

1) NAT:


track 1 ip sla 1 reachability

!

track 2 ip sla 2 reachability

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 10.0.0.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip policy route-map PRIVATE-INGRESS

duplex auto

speed auto

no keepalive

!

interface GigabitEthernet0/1

ip address 216.150.150.4 255.255.255.0 secondary

ip address 216.140.140.2 255.255.255.224

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip nat pool PRIMARY-POOL 216.140.140.2 216.140.140.2 prefix-length 27

ip nat pool SECONDARY-POOL 216.150.150.4 216.150.150.4 prefix-length 24

ip nat inside source route-map PRIMARY-NAT pool PRIMARY-POOL overload

ip nat inside source route-map SECONDARY-NAT pool SECONDARY-POOL overload

ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.59 216.140.140.6 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.61 216.140.140.7 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.228 216.140.140.8 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.16 216.140.140.11 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.30 216.140.140.12 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.251 216.140.140.13 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.44 216.140.140.15 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.23 216.140.140.17 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.58 216.140.140.18 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.230 216.140.140.19 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.216 216.140.140.21 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.220 216.140.140.22 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.33 216.140.140.25 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.21 216.140.140.26 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.22 216.140.140.27 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.24 216.140.140.28 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.25 216.140.140.29 route-map STATIC-NAT-PRIMARY

ip nat inside source static 10.0.0.59 216.150.150.5 route-map STATIC-NAT-SECONDARY

ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY

ip nat inside source static 10.0.0.53 216.150.150.7 route-map STATIC-NAT-SECONDARY

ip nat inside source static 10.0.0.16 216.150.150.8 route-map STATIC-NAT-SECONDARY

ip nat inside source static 10.0.0.58 216.150.150.9 route-map STATIC-NAT-SECONDARY

ip nat inside source static 10.0.0.61 216.150.150.11 route-map STATIC-NAT-SECONDARY

ip route 0.0.0.0 0.0.0.0 216.140.140.1 track 1

ip route 0.0.0.0 0.0.0.0 216.150.150.254 10

!

ip access-list standard DYNAMIC-PRIMARY

deny   10.0.0.24

deny   10.0.0.25

deny   10.0.0.30

deny   10.0.0.16

deny   10.0.0.22

deny   10.0.0.23

deny   10.0.0.21

deny   10.0.0.44

deny   10.0.0.33

deny   10.0.0.58

deny   10.0.0.59

deny   10.0.0.61

deny   10.0.0.54

deny   10.0.0.52

deny   10.0.0.53

deny   10.0.0.216

deny   10.0.0.220

deny   10.0.0.230

deny   10.0.0.228

deny   10.0.0.251

permit 10.0.0.0 0.255.255.255

ip access-list standard DYNAMIC-SECONDARY

permit 10.0.0.0 0.255.255.255

ip access-list standard PRIMARY-NEXT-HOP

permit 216.140.140.1

ip access-list standard SECONDARY-NEXT-HOP

permit 216.150.150.254

!

ip sla 1

icmp-echo 216.140.140.1 source-ip 216.140.140.2

threshold 2

timeout 1000

frequency 3

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 216.150.150.254 source-ip 216.150.150.4

threshold 2

timeout 1000

frequency 3

ip sla schedule 2 life forever start-time now

!

!

!

!

route-map STATIC-NAT-PRIMARY permit 10

match ip next-hop PRIMARY-NEXT-HOP

!

route-map STATIC-NAT-PRIMARY deny 20

!

route-map STATIC-NAT-SECONDARY permit 10

match ip next-hop SECONDARY-NEXT-HOP

!

route-map STATIC-NAT-SECONDARY deny 20

!

route-map SECONDARY-NAT permit 10

match ip address DYNAMIC-SECONDARY

match ip next-hop SECONDARY-NEXT-HOP

!

route-map SECONDARY-NAT deny 20

!

route-map PRIVATE-INGRESS permit 10

set ip next-hop verify-availability 216.140.140.1 10 track 1

set ip next-hop verify-availability 216.150.150.254 20 track 2

!

route-map PRIVATE-INGRESS permit 11

!

route-map PRIMARY-NAT permit 10

match ip address DYNAMIC-PRIMARY

match ip next-hop PRIMARY-NEXT-HOP

!

route-map PRIMARY-NAT deny 20

2) OUTSIDE TO INSIDE ZONE (ZBF):

Zone security out-zone

zone security in-zone

zone security teleworker

interface gi0/1

Zone-member security out-zone

interface gi0/0

zone-member security in-zone

interface gi0/2

ip address 10.1.0.254 255.255.255.0

zone-member security teleworker

exit

ip name-server 10.0.0.1

ip port-map user-RDP port tcp 3389

ip port-map user-WEBB port tcp 8080

zone-pair security OUT-IN source out-zone destination in-zone

zone-pair security OUT-TELEWORKER source out-zone destination teleworker

zone-pair security TELEWORKER-OUT source teleworker destination out-zone

ip access-list extended OUTSIDE-TO-INSIDE-WEB

permit tcp any host 10.0.0.23 eq 80

permit tcp any host 10.0.0.59 eq 80

permit tcp any host 10.0.0.61 eq 80

permit tcp any host 10.0.0.228 eq 80

permit tcp any host 10.0.0.16 eq 80

permit tcp any host 10.0.0.30 eq 80

permit tcp any host 10.0.0.52 eq 80

permit tcp any host 10.0.0.55 eq 80

class-map type inspect match-all OUTSIDE-TO-INSIDE-WEB-CLASS

match protocol http

match access-group name OUTSIDE-TO-INSIDE-WEB

ip access-list extended OUTSIDE-TO-INSIDE-FTP

permit tcp any host 10.0.0.52 eq 20 21

permit tcp any host 10.0.0.23 eq 20 21

permit tcp any host 10.0.0.59 eq 20 21

permit tcp any host 10.0.0.61 eq 20 21

permit tcp any host 10.0.0.228 eq 20 21

permit tcp any host 10.0.0.55 eq 20 21

class-map type inspect match-all OUTSIDE-TO-INSIDE-FTP-CLASS

match protocol ftp

match access-group name OUTSIDE-TO-INSIDE-FTP

ip access-list extended OUTSIDE-TO-INSIDE-SMTP

permit tcp any host 10.0.0.52 eq 25

permit tcp any host 10.0.0.23 eq 25

permit tcp any host 10.0.0.59 eq 25

permit tcp any host 10.0.0.61 eq 25

permit tcp any host 10.0.0.228 eq 25

permit tcp any host 10.0.0.55 eq 25

class-map type inspect match-all OUTSIDE-TO-INSIDE-SMTP-CLASS

match protocol smtp

match access-group name OUTSIDE-TO-INSIDE-SMTP

ip access-list extended OUTSIDE-TO-INSIDE-DNS

permit tcp any host 10.0.0.23 eq 53

permit udp any host 10.0.0.23 eq 53

permit tcp any host 10.0.0.59 eq 53

permit udp any host 10.0.0.59 eq 53

permit tcp any host 10.0.0.61 eq 53

permit udp any host 10.0.0.61 eq 53

permit tcp any host 10.0.0.228 eq 53

permit udp any host 10.0.0.228 eq 53

permit tcp any host 10.0.0.52 eq 53

permit udp any host 10.0.0.52 eq 53

permit tcp any host 10.0.0.55 eq 53

permit udp any host 10.0.0.55 eq 53

permit tcp any host 10.0.0.1 eq 53

permit udp any host 10.0.0.1 eq 53

class-map type inspect match-all OUTSIDE-TO-INSIDE-DNS-CLASS

match protocol dns

match access-group name OUTSIDE-TO-INSIDE-DNS

ip access-list extended OUTSIDE-TO-INSIDE-HTTPS

permit tcp any host 10.0.0.52 eq 443

permit tcp any host 10.0.0.23 eq 443

permit tcp any host 10.0.0.59 eq 443

permit tcp any host 10.0.0.61 eq 443

permit tcp any host 10.0.0.228 eq 443

permit tcp any host 10.0.0.55 eq 443

permit tcp any host 10.0.0.53 eq 443

class-map type inspect match-all OUTSIDE-TO-INSIDE-HTTPS-CLASS

match protocol https

match access-group name OUTSIDE-TO-INSIDE-HTTPS

ip access-list extended OUTSIDE-TO-INSIDE-RDP

permit tcp any host 10.0.0.52 eq 3389

permit tcp any host 10.0.0.23 eq 3389

permit tcp any host 10.0.0.59 eq 3389

permit tcp any host 10.0.0.61 eq 3389

permit tcp any host 10.0.0.228 eq 3389

permit tcp any host 10.0.0.58 eq 3389

permit tcp any host 10.0.0.33 eq 3389

permit tcp any host 10.0.0.25 eq 3389

permit tcp any host 10.0.0.44 eq 3389

permit tcp any host 10.0.0.251 eq 3389

permit tcp any host 10.0.0.21 eq 3389

permit tcp any host 10.0.0.22 eq 3389

permit tcp any host 10.0.0.24 eq 3389

permit tcp any host 10.0.0.30 eq 3389

permit tcp any host 10.0.0.230 eq 3389

permit tcp any host 10.0.0.55 eq 3389

permit tcp any host 10.0.0.220 eq 3389

permit tcp any host 10.0.0.25 eq 3389

class-map type inspect match-all OUTSIDE-TO-INSIDE-RDP-CLASS

match protocol user-RDP

match access-group name OUTSIDE-TO-INSIDE-RDP

ip access-list extended OUTSIDE-TO-INSIDE-WEBB

permit tcp any host 10.0.0.23 eq 8080

permit tcp any host 10.0.0.228 eq 8080

class-map type inspect match-all OUTSIDE-TO-INSIDE-WEBB-CLASS

match protocol user-WEBB

match access-group name OUTSIDE-TO-INSIDE-WEBB

ip access-list extended TELEWORKER-TO-OUTSIDE

permit ip host 10.1.0.254 any

class-map type inspect match-all TELEWORKER-TO-OUTSIDE-CLASS

match access-group name TELEWORKER-TO-OUTSIDE

ip access-list extended OUTSIDE-TO-TELEWORKER

permit ip any host 10.1.0.254

class-map type inspect match-all OUTSIDE-TO-TELEWORKER-CLASS

match access-group name OUTSIDE-TO-TELEWORKER

policy-map type inspect OUTSIDE-TO-INSIDE-POLICY

class type inspect OUTSIDE-TO-INSIDE-WEB-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-WEBB-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-FTP-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-SMTP-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-DNS-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-HTTPS-CLASS

inspect

class type inspect OUTSIDE-TO-INSIDE-RDP-CLASS

inspect

policy-map type inspect TELEWORKER-TO-OUTSIDE-POLICY

class type inspect TELEWORKER-TO-OUTSIDE-CLASS

inspect

policy-map type inspect OUTSIDE-TO-TELEWORKER-POLICY

class type inspect OUTSIDE-TO-TELEWORKER-CLASS

inspect

zone-pair security OUT-IN source out-zone destination in-zone

service-policy type inspect OUTSIDE-TO-INSIDE-POLICY

zone-pair security OUT-TELEWORKER source out-zone destination teleworker

service-policy type inspect OUTSIDE-TO-TELEWORKER-POLICY

zone-pair security TELEWORKER-OUT source teleworker destination out-zone

service-policy type inspect TELEWORKER-TO-OUTSIDE-POLICY

3) INSIDE TO OUTSIDE ZONE CONFIGURATION (USING CCP)

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

exit

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

exit

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

exit

class-map type inspect edonkey match-any ccp-app-edonkeychat

match search-file-name

match text-chat

exit

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

exit

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

exit

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

exit

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

exit

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

exit

class-map type inspect match-all ccp-protocol-imap

match protocol imap

exit

class-map type inspect http match-any ccp-http-allowparam

match request port-misuse tunneling

exit

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

exit

class-map type inspect msnmsgr match-any ccp-app-msn

match service text-chat

exit

class-map type inspect aol match-any ccp-app-aol

match service text-chat

exit

class-map type inspect match-all ccp-protocol-http

match protocol http

exit

class-map type inspect http match-any ccp-app-httpmethods

match request method bcopy

match request method bdelete

match request method bmove

match request method bpropfind

match request method bproppatch

match request method connect

match request method copy

match request method delete

match request method edit

match request method getattribute

match request method getattributenames

match request method getproperties

match request method index

match request method lock

match request method mkcol

match request method mkdir

match request method move

match request method notify

match request method options

match request method poll

match request method propfind

match request method proppatch

match request method put

match request method revadd

match request method revlabel

match request method revlog

match request method revnum

match request method save

match request method search

match request method setattribute

match request method startrev

match request method stoprev

match request method subscribe

match request method trace

match request method unedit

match request method unlock

match request method unsubscribe

exit

class-map type inspect http match-any ccp-http-blockparam

match request port-misuse im

match request port-misuse p2p

match req-resp protocol-violation

exit

class-map type inspect pop3 match-any ccp-app-pop3

match invalid-command

exit

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match file-transfer

exit

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match file-transfer

exit

class-map type inspect gnutella match-any ccp-app-gnutella

match file-transfer

exit

class-map type inspect fasttrack match-any ccp-app-fasttrack

match file-transfer

exit

class-map type inspect match-any ccp-sip-inspect

match protocol sip

exit

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match service any

exit

class-map type inspect ymsgr match-any ccp-app-yahoo

match service text-chat

exit

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

exit

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

exit

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

exit

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

exit

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

exit

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

exit

class-map type inspect aol match-any ccp-app-aol-otherservices

match service any

exit

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match service any

exit

class-map type inspect edonkey match-any ccp-app-edonkey

match file-transfer

match text-chat

match search-file-name

exit

class-map type inspect match-any ccp-h323-inspect

match protocol h323

exit

class-map type inspect imap match-any ccp-app-imap

match invalid-command

exit

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

exit

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

  exit

exit

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

  exit

class type inspect msnmsgr ccp-app-msn

  log

  allow

  exit

class type inspect ymsgr ccp-app-yahoo

  log

  allow

  exit

class type inspect aol ccp-app-aol-otherservices

  log

  reset

  exit

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

  exit

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

  exit

exit

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

  exit

class type inspect http ccp-app-httpmethods

  log

  reset

  exit

class type inspect http ccp-http-allowparam

  log

  allow

  exit

exit

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

  exit

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

  exit

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

  exit

class type inspect gnutella ccp-app-gnutella

  log

  allow

  exit

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

  exit

exit

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

  exit

exit

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  no drop

  inspect

  exit

class class-default

  no drop

  pass

  exit

exit

policy-map type inspect ccp-permit

class class-default

exit

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

  exit

class type inspect ccp-protocol-http

  no drop

  inspect

  service-policy http ccp-action-app-http

  exit

class type inspect ccp-protocol-imap

  no drop

  inspect

  service-policy imap ccp-action-imap

  exit

class type inspect ccp-protocol-pop3

  no drop

  inspect

  service-policy pop3 ccp-action-pop3

  exit

class type inspect ccp-protocol-p2p

  no drop

  inspect

  service-policy p2p ccp-action-app-p2p

  exit

class type inspect ccp-protocol-im

  no drop

  inspect

  service-policy im ccp-action-app-im

  exit

class type inspect ccp-insp-traffic

  no drop

  inspect

  exit

class type inspect ccp-sip-inspect

  no drop

  inspect

  exit

class type inspect ccp-h323-inspect

  no drop

  inspect

  exit

class type inspect ccp-h323annexe-inspect

  no drop

  inspect

  exit

class type inspect ccp-h225ras-inspect

  no drop

  inspect

  exit

class type inspect ccp-h323nxg-inspect

  no drop

  inspect

  exit

class type inspect ccp-skinny-inspect

  no drop

  inspect

  exit

exit

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

exit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

exit

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

exit
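Added example, not part of any post in this thread: one reply notes that the firewall works in conjunction with NAT, so a Python sketch like the following can cross-check the static NAT entries against the out-zone to in-zone permit ACLs and list hosts that have one without the other. SAMPLE_CONFIG is a shortened excerpt of the configuration posted above; the function names and the `OUTSIDE-TO-INSIDE-` name filter are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Shortened excerpt of the configuration posted in the thread (not the full config).
SAMPLE_CONFIG = """\
ip nat inside source static 10.0.0.52 216.140.140.4 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.53 216.140.140.5 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.54 216.140.140.16 route-map STATIC-NAT-PRIMARY
ip nat inside source static 10.0.0.52 216.150.150.6 route-map STATIC-NAT-SECONDARY
ip access-list extended OUTSIDE-TO-INSIDE-WEB
permit tcp any host 10.0.0.52 eq 80
permit tcp any host 10.0.0.55 eq 80
ip access-list extended OUTSIDE-TO-INSIDE-DNS
permit tcp any host 10.0.0.1 eq 53
permit udp any host 10.0.0.1 eq 53
permit udp any host 10.0.0.52 eq 53
ip access-list extended OUTSIDE-TO-INSIDE-HTTPS
permit tcp any host 10.0.0.52 eq 443
permit tcp any host 10.0.0.53 eq 443
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^ip nat inside source static {IP} {IP}")
ACL_RE = re.compile(r"^ip access-list extended (\S+)")
PERMIT_RE = re.compile(rf"^permit (tcp|udp) any host {IP} eq (.+)$")


def parse(config, acl_prefix):
    """Return (nat, permits): inside IP -> outside IPs, inside IP -> 'proto/port' strings."""
    nat = defaultdict(set)
    permits = defaultdict(set)
    in_acl = False  # True while inside an ACL whose name starts with acl_prefix
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue  # the paste in the thread is double-spaced
        m = NAT_RE.match(line)
        if m:
            nat[m.group(1)].add(m.group(2))
            in_acl = False
            continue
        m = ACL_RE.match(line)
        if m:
            in_acl = m.group(1).startswith(acl_prefix)
            continue
        m = PERMIT_RE.match(line)
        if m:
            if in_acl:
                for port in m.group(3).split():  # handles "eq 20 21"
                    permits[m.group(2)].add(f"{m.group(1)}/{port}")
        elif not line.startswith(("permit", "deny")):
            in_acl = False  # any other command ends the ACL block
    return nat, permits


def audit(config, acl_prefix="OUTSIDE-TO-INSIDE-"):
    """Compare hosts with a static NAT entry against hosts permitted inbound."""
    nat, permits = parse(config, acl_prefix)
    key = ipaddress.ip_address
    return {
        # Permitted inbound but unreachable from outside: no public address maps to them.
        "permit_without_nat": {h: sorted(permits[h])
                               for h in sorted(set(permits) - set(nat), key=key)},
        # Published through NAT but matched by no inbound permit in these ACLs.
        "nat_without_permit": sorted(set(nat) - set(permits), key=key),
        # Actually exposed: public addresses and the services allowed to them.
        "exposed": {h: {"outside": sorted(nat[h], key=key),
                        "services": sorted(permits[h])}
                    for h in sorted(set(nat) & set(permits), key=key)},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for host, services in report["permit_without_nat"].items():
        print(f"{host}: permitted {', '.join(services)} but has no static NAT entry")
    for host in report["nat_without_permit"]:
        print(f"{host}: static NAT entry but no inbound permit")
    for host, info in report["exposed"].items():
        print(f"{host}: {', '.join(info['outside'])} -> {', '.join(info['services'])}")
```

On this excerpt the report lists 10.0.0.1 with port 53 permitted but no static NAT entry, which matches what the original poster describes for the internal DNS server.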
