11-27-2012 02:09 AM - edited 03-11-2019 05:28 PM
Hi all
The other day I set up a firewall on my Cisco 1841 router; it all seems to work fine except for a few small problems. 2 wireless devices, an iPhone and an Android tablet, are having some problems with 1 or 2 apps.
iPhone 6.0.1
Facebook app and the App store will not load
Android tablet ICS
BBC iPlayer and Google Play app store won't load or play content.
Both devices with their issue were working fine until the new firewall was installed. I've tried opening ports and adding ACLs, but nothing seems to work. I've included my start-up config if anyone is able to shed some light on this. All other PCs, laptops, smartphones and iPads work fine.
Building configuration...
Current configuration : 5551 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Vauxhall_Cross
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ZIm.$daY/Jq7JsIZrjcyYSyxiK0
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
ip port-map user-iPlayer port tcp 1947
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW vdolive
ip inspect name CCP_LOW appleqtc
ip domain name idrury.local
ip name-server 192.168.99.1
ip name-server 8.8.8.8
ip name-server 212.69.36.3
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4132939895
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4132939895
revocation-check none
rsakeypair TP-self-signed-4132939895
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4132939895
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313332 39333938 3935301E 170D3132 31313234 31313137
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31333239
33393839 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C6EA DF3C371A 659BC5D1 E2A7B3F2 2693FB25 EBADF417 555236DB 20C240E1
DE224E66 4F30415A 3DD3563F 5A60FF5C C3131B0E BC8B86B1 FA1FE1DE 99529F90
513364C9 51B6F697 631B5EAE 43C4AD67 13F49CCA B50D18D0 73940511 34996859
D11B754A D067CA3C 6E1B7B50 8CC2D9F2 D4102475 16116A46 95A71D23 39D15496
D7230203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B566175 7868616C 6C5F4372 6F73732E 69647275 72792E6C
6F63616C 301F0603 551D2304 18301680 14666F8A D0FBBD97 C59C65DD 5310BEF8
01632114 95301D06 03551D0E 04160414 666F8AD0 FBBD97C5 9C65DD53 10BEF801
63211495 300D0609 2A864886 F70D0101 04050003 81810044 01B2B240 D2C9A9C4
62032BD9 1CF71ED2 5CCC34A0 EC133E8B AD5742C4 4D9BA45D D872E294 3A11A624
F4561708 A6BF66FD 4B71BAF0 4F0F681E 883F22A0 C57ABA3F E399B9F6 DCB289B9
D79E4F1A CB62292F 472D5518 DB7E18BB 48E361AC 04278463 D7D5AE61 1C4522C2
977C812B 5BC7CB24 52C1D253 1FE03BF1 6BE4F9B4 1380CF
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
username drury secret 5 $1$Egaq$sjGRXhPMNduHUkuMXaXjC/
archive
log config
hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 192.168.99.2 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip inspect CCP_LOW out
speed 100
full-duplex
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
speed 100
full-duplex
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
router rip
network 192.168.2.0
network 192.168.99.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.99.1
!
!
ip http server
ip http secure-server
!
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 remark Auto generated by CCP for NTP (123) 130.88.203.12
access-list 100 permit udp host 130.88.203.12 eq ntp host 192.168.2.1 eq ntp
access-list 100 deny ip 192.168.99.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark SSH
access-list 101 permit tcp any host 192.168.99.2 eq 22
access-list 101 permit udp host 212.69.36.3 eq domain host 192.168.99.2
access-list 101 permit udp host 8.8.8.8 eq domain host 192.168.99.2
access-list 101 permit udp host 192.168.99.1 eq domain host 192.168.99.2
access-list 101 remark Auto generated by CCP for NTP (123) 130.88.203.12
access-list 101 permit udp host 130.88.203.12 eq ntp host 192.168.99.2 eq ntp
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.99.2 echo-reply
access-list 101 permit icmp any host 192.168.99.2 time-exceeded
access-list 101 permit icmp any host 192.168.99.2 unreachable
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 130.88.203.12 source FastEthernet0/0
end
11-27-2012 11:16 PM
Is anybody able to hint at what the problem could be? Any suggestions are much appreciated.
Sent from Cisco Technical Support iPad App
11-28-2012 12:56 AM
Morning Douglas,
If you remove the access-lists from the interface one at a time, when does it work? I would hazard a guess that the outside interface ACL may be your issue, and to trace which ports are in use, use an ACL and a packet debug on the router.
I've assumed that it's all iPhones and Androids, or is this one iPhone/Android of many?
Best regards
Julian
Sent from Cisco Technical Support iPhone App
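Julian's advice is to find out which flows the outside ACL is dropping. The following Python script is an added example, not code from the thread or from Cisco: it parses ACL 101 exactly as it appears in the posted config and evaluates sample packets (constructed addresses such as 203.0.113.10) against it with IOS first-match semantics and the implicit deny at the end, so you can see which line drops a flow and whether that line logs before touching the router. It models only the static ACL; it does not model the dynamic openings that `ip inspect CCP_LOW out` adds for return traffic of inspected sessions. The function and sample names (`parse_acl`, `evaluate`, `check_samples`) are mine, not IOS features.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the non-remark lines of ACL 101 copied from the config posted above.
ACL_101 = """
access-list 101 permit tcp any host 192.168.99.2 eq 22
access-list 101 permit udp host 212.69.36.3 eq domain host 192.168.99.2
access-list 101 permit udp host 8.8.8.8 eq domain host 192.168.99.2
access-list 101 permit udp host 192.168.99.1 eq domain host 192.168.99.2
access-list 101 permit udp host 130.88.203.12 eq ntp host 192.168.99.2 eq ntp
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.99.2 echo-reply
access-list 101 permit icmp any host 192.168.99.2 time-exceeded
access-list 101 permit icmp any host 192.168.99.2 unreachable
access-list 101 permit udp any any eq rip
access-list 101 permit ip any host 224.0.0.9
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""

# IOS port and ICMP-type keywords used in the posted ACL (plus a few common ones).
PORT_NAMES = {"domain": 53, "ntp": 123, "rip": 520, "ssh": 22, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}


@dataclass
class Rule:
    action: str
    proto: str
    src_net: int
    src_mask: int  # match mask, i.e. the inverse of the IOS wildcard
    sport: Optional[int]
    dst_net: int
    dst_mask: int
    dport: Optional[int]
    icmp_type: Optional[int]
    log: bool
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, mask, next_i)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = (~wild) & 0xFFFFFFFF
    return net & mask, mask, i + 2


def _port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str, number: int) -> List[Rule]:
    """Turn the numbered extended-ACL lines for `number` into Rule objects, in order."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or int(t[1]) != number or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src_net, src_mask, i = _addr(t, 4)
        sport, i = _port(t, i) if proto in ("tcp", "udp") else (None, i)
        dst_net, dst_mask, i = _addr(t, i)
        dport, i = _port(t, i) if proto in ("tcp", "udp") else (None, i)
        icmp_type = None
        if proto == "icmp" and i < len(t) and t[i] in ICMP_TYPES:
            icmp_type = ICMP_TYPES[t[i]]
            i += 1
        log = "log" in t[i:]  # trailing 'log' keyword marks lines that generate syslog hits
        rules.append(Rule(action, proto, src_net, src_mask, sport,
                          dst_net, dst_mask, dport, icmp_type, log, line.strip()))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First match wins, as on IOS; no match means the implicit 'deny ip any any'."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if (s & r.src_mask) != r.src_net or (d & r.dst_mask) != r.dst_net:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, r
    return "deny", None


def check_samples():
    """Run constructed flows through ACL 101; returns name -> (action, logged)."""
    rules = parse_acl(ACL_101, 101)
    samples = {
        "ssh_to_router": Packet("tcp", "203.0.113.10", "192.168.99.2", 40000, 22),
        "dns_reply_from_google": Packet("udp", "8.8.8.8", "192.168.99.2", 53, 50123),
        "unsolicited_tcp_to_inside_host": Packet("tcp", "203.0.113.10", "192.168.2.20", 443, 51000),
        "spoofed_rfc1918_source": Packet("udp", "10.1.1.1", "192.168.99.2", 53, 53),
        "icmp_echo_request": Packet("icmp", "203.0.113.10", "192.168.99.2", icmp_type=8),
        "icmp_echo_reply": Packet("icmp", "203.0.113.10", "192.168.99.2", icmp_type=0),
    }
    results = {}
    for name, pkt in samples.items():
        action, rule = evaluate(rules, pkt)
        results[name] = (action, rule.log if rule else False)
        print(f"{name:32s} {action:6s} <- {rule.text if rule else 'implicit deny'}")
    return results


if __name__ == "__main__":
    check_samples()
```

The "unsolicited_tcp_to_inside_host" flow is the interesting one for this thread: anything the CBAC inspection did not open a hole for ends up on the final `deny ip any any log` line, which is why the router's log buffer (or a packet debug, as Julian suggests) is the quickest place to see which destination ports the two misbehaving apps are actually using.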
11-28-2012 01:51 AM
Hi Julian
Thanks for responding
It's just one iPhone and one Android in particular of many. I'll try your ACL suggestion when I get home.
Thanks
Douglas