10-29-2013 05:26 AM - edited 02-21-2020 05:01 AM
I have configured Basic Firewall on my Cisco 2911. I want to open port 80 for a packaging machine IP (192.168.0.28 255.255.252.0) which uses TCP port 80 to connect with the live IP of its server in case of any technical problem, so that support technicians can access this machine. Actually it dials a VPN by using proprietary software built into the machine. They provided me the same software, from which it can check if this software connects or not.
below is the snapshot of software.
10-29-2013 08:47 AM
I suspect it's not that port 80 isn't open but rather that the request it uses to check tcp/80 is not actually HTTP-encoded, and your firewall is inspecting tcp/80 traffic to ensure it's legitimate HTTP and not something else masquerading as web traffic.
If you used CCP, you probably have something like the following lines in your configuration:
class-map type inspect match-all ccp-protocol-http
 match protocol http
policy-map type inspect ccp-inspect
 class type inspect ccp-protocol-http
  inspect
If you tell the policy-map to "pass" vs. "inspect" http that will probably fix it.
10-29-2013 11:13 PM
Thank you for your reply.
Yes, I used CCP for it and I found the same lines in my configuration. Could you please explain how to tell the policy-map to allow/pass HTTP from the command line? I did not find an allow or pass type in class-map or policy-map. Kindly help.
10-30-2013 06:36 AM
The command has to be done from within the right context in the Modular QoS CLI framework. First go into the policy-map and then to the class so that your command prompt shows you are in policy-map class configuration mode ("config-pmap-c"):
#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#policy-map type inspect ccp-inspect
(config-pmap)#class type inspect ccp-protocol-http
(config-pmap-c)#?
Policy-map class configuration commands:
  drop            Drop the packet
  exit            Exit from QoS class action configuration mode
  inspect         Context-based Access Control Engine
  no              Negate or set default values of a command
  pass            Pass the packet
  police          Police
  service-policy  Deep Packet Inspection Engine
CCHS_ADMIN_R_1(config-pmap-c)#
At that point you can negate the "inspect" action and add a "pass" action.
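The following is an added worked example, not configuration from either poster. It carries the "pass" approach through, but narrows it so that only the packaging machine (192.168.0.28, the host named in the question) skips HTTP inspection rather than every tcp/80 flow through the zone pair. The ACL name, the new class-map name, the zone names (in-zone, out-zone), the reverse zone-pair name and its policy-map are all assumed names chosen for the example; substitute the ones CCP generated in your configuration. The `insert-before` keyword is assumed to be available on the router's IOS release; if it is not, recreate the policy-map with the new class listed first.

```cisco
! --- 1. Match only the packaging machine as the source of tcp/80 ---------
! (assumed ACL name; the host address comes from the question)
ip access-list extended PACKAGING-HOST
 permit tcp host 192.168.0.28 any eq 80
!
! --- 2. A match-all class: the flow must hit the ACL AND be port-80 ----
! (assumed class-map name)
class-map type inspect match-all ccp-packaging-http
 match access-group name PACKAGING-HOST
 match protocol http
!
! --- 3. Put the new class ahead of the generic CCP HTTP class ----------
! Classes are evaluated top-down, so the narrow "pass" class must come
! before ccp-protocol-http or the generic "inspect" will still win.
policy-map type inspect ccp-inspect
 class type inspect ccp-packaging-http insert-before ccp-protocol-http
  pass
!
! Everything else on tcp/80 keeps being inspected as real HTTP:
 class type inspect ccp-protocol-http
  inspect
!
! --- 4. "pass" is stateless: allow the return traffic explicitly -------
! "inspect" would have opened the return path automatically; "pass" does
! not, so the reverse zone pair needs a matching pass for replies.
! (assumed ACL, class-map, policy-map and zone-pair names)
ip access-list extended PACKAGING-HOST-RETURN
 permit tcp any eq 80 host 192.168.0.28
!
class-map type inspect match-all ccp-packaging-http-return
 match access-group name PACKAGING-HOST-RETURN
!
policy-map type inspect ccp-inspect-return
 class type inspect ccp-packaging-http-return
  pass
 class class-default
  drop
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect ccp-inspect-return
!
! --- 5. Verify which class the flow is landing in -----------------------
! (run from exec mode, not config mode)
! show policy-map type inspect zone-pair
```

The advantage of this over changing ccp-protocol-http itself to "pass" is that HTTP inspection stays in force for every other host; only the one machine with the non-HTTP tunnel on port 80 bypasses it, and you can still see the pass counters per class in `show policy-map type inspect zone-pair`. If the zone pair in step 4 already exists in your CCP-generated configuration, add the class to its existing policy-map instead of creating a new one.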