Advisor

Re: Open a port on Cisco 1811

Hi,

So at least you did get a logging message telling you the packet was dropped?

How are you connected to the device? If it is with telnet, then issue the terminal monitor command, together with logging buffered 6 and logging monitor 6.

Post the output of the log message.

Regards.

Alain.

Don't forget to rate helpful posts.
Beginner

Open a port on Cisco 1811

Here is the terminal monitor log:

000719: *Sep 15 14:03:24.926 PCTime: %FW-6-DROP_PKT: Dropping tcp session 70.xxx.xxx.xxx:1382 72.xxx.xxx.xxx:443 due to RST inside current window with ip ident 0

000720: *Sep 15 14:05:28.594 PCTime: %FW-6-DROP_PKT: Dropping tcp session 58.xxx.xxx.xxx:12200 70.xxx.xxx.xxx:2479 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0

000721: *Sep 15 14:05:52.066 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 58.xxx.xxx.xxx:12200 => 70.xxx.xxx.xxx:2479 (target:class)-(ccp-zp-out-self:class-default)

000722: *Sep 15 14:05:52.066 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 58.xxx.xxx.xxx:12200 => 70.xxx.xxx.xxx:3246 (target:class)-(ccp-zp-out-self:class-default)

000723: *Sep 15 14:06:36.002 PCTime: %FW-6-DROP_PKT: Dropping tcp session 142.xxx.xxx.xxx:20088 10.11.101.10:5950 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0

000724: *Sep 15 14:06:52.066 PCTime: %FW-6-LOG_SUMMARY: 3 packets were dropped from 142.xxx.xxx.xxx:20088 => 10.11.101.10:5950 (target:class)-(sdm-zp-VPNOutsideToInside-1:class-default)

000725: *Sep 15 14:07:19.834 PCTime: %FW-6-DROP_PKT: Dropping tcp session 88.xxx.xxx.xxx:21171 70.xxx.xxx.xxx:3389 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0

000726: *Sep 15 14:07:52.066 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 88.xxx.xxx.xxx:21171 => 70.xxx.xxx.xxx:3389 (target:class)-(ccp-zp-out-self:class-default)

Advisor

Open a port on Cisco 1811

Hi,

OK, now we know why my config is not working:

LOG_SUMMARY: 3 packets were dropped from 142.xxx.xxx.xxx:20088 => 10.11.101.10:5950 (target:class)-(sdm-zp-VPNOutsideToInside-1:class-default)

The traffic is matched by class-default in the service-policy for the VPN created by SDM.

But in your latest config I don't see this:

zone-pair security VNC_OUT_IN source out-zone destination in-zone
 service-policy type inspect VNC_POLICY

Can you add it and try again?

Alain.

Don't forget to rate helpful posts.
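Alain's reading of the log above is mechanical enough to script: the zone-pair and class named in the %FW-6-LOG_SUMMARY line tell you which policy-map the new class has to go into. The following is an added example, not code from the thread. It parses %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY lines, sums policy drops per zone-pair, class and destination, and separates out the drops that come from TCP state tracking (the messages with no zone-pair, such as "RST inside current window"), which no policy-map change will fix. The sample lines are constructed in the thread's format, with the masked octets replaced by RFC 5737 documentation addresses.

```python
"""Triage Cisco IOS zone-based firewall drop messages (%FW-6-DROP_PKT / %FW-6-LOG_SUMMARY).

Added example, not code from the thread. It answers the question the thread asks of the
log: which zone-pair and class dropped the flow, so the right policy-map gets the new
class. The sample lines are constructed to match the thread's format, with the masked
octets replaced by RFC 5737 documentation addresses."""
import re
from collections import defaultdict

# Per-packet drop. The zone-pair/class part is absent when the stateful TCP checks drop a
# packet (e.g. 'RST inside current window'), so it is optional here.
DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))? due to (?P<reason>.+?)"
    r"(?: with ip ident \d+)?$")
# Periodic summary of policy drops for one flow, with the (zone-pair:class) that dropped it.
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")

def parse_line(line):
    """Return a dict for a recognised firewall message, or None for anything else."""
    m = DROP_PKT.search(line)
    if m:
        return {"kind": "DROP_PKT", "count": 1, **m.groupdict()}
    m = LOG_SUMMARY.search(line)
    if m:
        d = m.groupdict()
        return {"kind": "LOG_SUMMARY", "proto": None, "reason": "policy drop", **d, "count": int(d["count"])}
    return None

def policy_drops(log_text):
    """Packets dropped by a policy-map DROP action, summed per (zone-pair, class, dst, dport).
    Only LOG_SUMMARY lines are counted: they aggregate the same packets the DROP_PKT lines
    report one by one, so counting both would double count."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "LOG_SUMMARY":
            totals[(rec["zp"], rec["cls"], rec["dst"], int(rec["dport"]))] += rec["count"]
    return dict(totals)

def state_drops(log_text):
    """DROP_PKT lines with no zone-pair: dropped by TCP state tracking, not by a policy,
    so adding a class to a policy-map will not change them."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["kind"] == "DROP_PKT" and r["zp"] is None]

def report(log_text):
    """Human-readable lines: which zone-pair/class needs a class added for which flow."""
    out = [f"{zp} / {cls}: {count} pkt(s) to {dst}:{dport}"
           for (zp, cls, dst, dport), count in sorted(policy_drops(log_text).items(), key=lambda kv: -kv[1])]
    out += [f"state check: {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} ({r['reason']})"
            for r in state_drops(log_text)]
    return out

# Constructed sample in the thread's format (masked octets replaced with documentation addresses;
# 203.0.113.10 stands for the router's own outside address, i.e. the 'self' zone).
SAMPLE_LOG = """\
000719: *Sep 15 14:03:24.926 PCTime: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.10:1382 198.51.100.20:443 due to RST inside current window with ip ident 0
000720: *Sep 15 14:05:28.594 PCTime: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.50:12200 203.0.113.10:2479 on zone-pair ccp-zp-out-self class class-default due to DROP action found in policy-map with ip ident 0
000721: *Sep 15 14:05:52.066 PCTime: %FW-6-LOG_SUMMARY: 1 packet were dropped from 192.0.2.50:12200 => 203.0.113.10:2479 (target:class)-(ccp-zp-out-self:class-default)
000723: *Sep 15 14:06:36.002 PCTime: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.77:20088 10.11.101.10:5950 on zone-pair sdm-zp-VPNOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0
000724: *Sep 15 14:06:52.066 PCTime: %FW-6-LOG_SUMMARY: 3 packets were dropped from 198.51.100.77:20088 => 10.11.101.10:5950 (target:class)-(sdm-zp-VPNOutsideToInside-1:class-default)
000726: *Sep 15 14:07:52.066 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 203.0.113.99:21171 => 203.0.113.10:3389 (target:class)-(ccp-zp-out-self:class-default)
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The first report line for the sample is the sdm-zp-VPNOutsideToInside-1 / class-default drop of three packets to 10.11.101.10:5950, which is exactly the policy-map Alain edits in the accepted answer; the ccp-zp-out-self drops are unsolicited connections to the router itself (ports 2479 and 3389) and are the firewall doing its job.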
Beginner

Open a port on Cisco 1811

When I type in zone-pair security VNC_OUT_IN source out-zone destination in-zone I get this. I don't know if it is an error or just a warning perhaps:

% Already zone-pair sdm-zp-VPNOutsideToInside-1 exists for the specified source and destination zones

and when I type in service-policy type inspect VNC_POLICY I get:

% Invalid input detected at '^' marker. The ^ is at the - in service-policy.

Advisor

Open a port on Cisco 1811

Hi,

OK, so we'll have to modify the existing policy.

I'll post the config when I get to work in about an hour.

Regards.

Alain.

Don't forget to rate helpful posts.
Advisor

Open a port on Cisco 1811

Hi,

OK, let's try this:

ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950

class-map type inspect match-all VNC_CLASS
 match access-group name VNC

! VNC_POLICY is not needed: the class goes into the policy-map SDM already attached to the zone-pair
no policy-map type inspect VNC_POLICY

policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect VNC_CLASS
  inspect
 class class-default
  drop

! existing pair, re-applied so the modified policy is attached
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1

Regards.

Alain.

Don't forget to rate helpful posts.
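To see why the first attempt was refused and why the accepted answer works, here is an added example (not code from the thread) that models how IOS zone-based firewall decides a flow's fate: find the zone-pair for the source and destination zones, walk the classes of its inspect policy-map in order, match each class-map's access-groups, and fall through to class-default. It evaluates the VNC flow to 10.11.101.10:5950 against a constructed BEFORE config (SDM's policy reduced to what the posted log shows it doing, since the thread never shows the SDM class's ACL) and the same config plus Alain's VNC_CLASS, and it flags the duplicate out-zone to in-zone pair that produced the "% Already zone-pair ... exists" message. The client address 198.51.100.7 is constructed; only named extended ACLs with any/host/wildcard addresses and class-maps built from match access-group are handled.

```python
"""Model of IOS zone-based firewall matching: zone-pair -> policy-map -> class-map -> ACL.
Added example, not code from the thread; the configs below are constructed from its lines."""
import ipaddress

def _net(t):
    """Consume 'any' | 'host A' | 'A wildcard' from token list t; return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    plen = 32 - int(ipaddress.ip_address(t[1])).bit_length()   # contiguous wildcard -> prefix length
    return ipaddress.ip_network(f"{t[0]}/{plen}", strict=False), t[2:]

def _ace(t):
    """'permit|deny <proto> <src> <dst> [eq <dst-port>]' -> dict (source ports not modelled)."""
    src, rest = _net(t[2:])
    dst, rest = _net(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"permit": t[0] == "permit", "proto": t[1], "src": src, "dst": dst, "dport": dport}

def parse_config(text):
    """Collect named extended ACLs, inspect class-maps, inspect policy-maps and zone-pairs."""
    cfg = {"acl": {}, "cls": {}, "pmap": {}, "zp": {}}
    sect = name = cls = None                    # current section, its name, current policy-map class
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            sect, name = "acl", t[3]
        elif t[:3] == ["class-map", "type", "inspect"]:
            sect, name = "cls", t[4]
            cfg["cls"][name] = {"mode": t[3], "acls": []}
        elif t[:3] == ["policy-map", "type", "inspect"]:
            sect, name, cls = "pmap", t[3], None
            cfg["pmap"].setdefault(name, {})          # class -> action, in configured order
        elif t[:2] == ["zone-pair", "security"]:
            sect, name = "zp", t[2]
            cfg["zp"][name] = {"src": t[4], "dst": t[6], "pmap": None}
        elif sect == "acl" and t[0] in ("permit", "deny"):
            cfg["acl"].setdefault(name, []).append(_ace(t))
        elif sect == "cls" and t[:2] == ["match", "access-group"]:
            cfg["cls"][name]["acls"].append(t[-1])    # 'name X' or a number
        elif sect == "pmap" and t[0] == "class":       # 'class type inspect X' / 'class class-default'
            cls = t[-1]
            cfg["pmap"][name].setdefault(cls, None)
        elif sect == "pmap" and cls and t[0] in ("inspect", "pass", "drop"):
            cfg["pmap"][name][cls] = t[0]
        elif sect == "zp" and t[:3] == ["service-policy", "type", "inspect"]:
            cfg["zp"][name]["pmap"] = t[3]
    return cfg

def acl_permits(cfg, name, proto, src, dst, dport):
    """First-match ACL walk; falling off the end is the implicit deny."""
    hit = next((a for a in cfg["acl"].get(name, []) if a["proto"] in ("ip", proto)
                and src in a["src"] and dst in a["dst"] and a["dport"] in (None, dport)), None)
    return bool(hit and hit["permit"])

def evaluate(cfg, src_zone, dst_zone, proto, src_ip, dst_ip, dport):
    """Return (zone-pair, class, action) as the firewall would decide for one flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    zp = next((n for n, z in cfg["zp"].items() if (z["src"], z["dst"]) == (src_zone, dst_zone)), None)
    if zp is None:
        return None, None, "drop"                # no zone-pair between two zones: traffic is dropped
    classes = cfg["pmap"].get(cfg["zp"][zp]["pmap"], {})
    for c, action in classes.items():            # class-default has no class-map and is tried last
        cm = cfg["cls"].get(c)
        hits = [acl_permits(cfg, a, proto, src, dst, dport) for a in cm["acls"]] if cm else []
        if hits and (all(hits) if cm["mode"] == "match-all" else any(hits)):
            return zp, c, action or "drop"       # a class with no action configured drops
    return zp, "class-default", classes.get("class-default") or "drop"

def duplicate_zone_pairs(cfg):
    """IOS keeps one zone-pair per (source, destination) and refuses a second with
    '% Already zone-pair ... exists for the specified source and destination zones'."""
    by_key = {}
    for n, z in cfg["zp"].items():
        by_key.setdefault((z["src"], z["dst"]), []).append(n)
    return [names for names in by_key.values() if len(names) > 1]

# Constructed from the thread: SDM's out-zone -> in-zone policy as the posted log shows it
# behaving (everything lands in class-default), Alain's fix, and the first attempt IOS refused.
BEFORE = """
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class class-default
  drop
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
"""
FIX = """
ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect VNC_CLASS
  inspect
"""
REJECTED = "zone-pair security VNC_OUT_IN source out-zone destination in-zone\n"
VNC_FLOW = ("out-zone", "in-zone", "tcp", "198.51.100.7", "10.11.101.10", 5950)   # constructed client

def demo():
    """Verdict before and after the fix, plus the duplicate zone-pair the CLI complained about."""
    return (evaluate(parse_config(BEFORE), *VNC_FLOW),
            evaluate(parse_config(BEFORE + FIX), *VNC_FLOW),
            duplicate_zone_pairs(parse_config(BEFORE + REJECTED)))
```

demo() returns ('sdm-zp-VPNOutsideToInside-1', 'class-default', 'drop') for the flow before the fix and ('sdm-zp-VPNOutsideToInside-1', 'VNC_CLASS', 'inspect') after it, and lists sdm-zp-VPNOutsideToInside-1 and VNC_OUT_IN as the colliding pair. Two points the model makes visible: a port that is not in the VNC ACL (5951, or UDP 5950) still falls into class-default and is dropped, so the opening is as narrow as the ACL; and there is no zone-pair from in-zone to out-zone in these fragments, so that direction is dropped outright, which is the default for any pair of zones without a zone-pair. On the router itself, show policy-map type inspect zone-pair shows the same per-class hit counts.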


Beginner

Open a port on Cisco 1811

That worked. Thank you so much for your help.

Beginner

Re: Open a port on Cisco 1811

Hi Alain,

I have a similar situation to the user you helped here, the key difference being that this router is an 1841 rather than an 1811. Nonetheless, I think they are pretty similar.

I have applied the changes you outlined in your post, but I am still not able to connect with VNC. Could you have a look at the config and let me know what you think I am missing?

The only difference I noted is that the port I have VNC listening on is 5900, not 5950.

Much appreciated.

C.

Config below:

Current configuration : 12763 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname imd1841
!
boot-start-marker
boot-end-marker
!
...

!
no aaa new-model
clock timezone EST -5
clock summer-time EST recurring
!
...

!
!
...

ip source-route
!
!
!
!
ip cef
ip domain name imdesign.local
no ipv6 cef
ntp update-calendar
ntp server 129.6.15.28
ntp server 129.6.15.29
!
multilink bundle-name authenticated
!
!
!
...

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address x.x.x.x
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 103
!
archive
log config
  hidekeys
!
!
ip ssh time-out 30
ip ssh authentication-retries 5
!
track 123 ip sla 1 reachability
delay down 12
!
track 456 ip sla 2 reachability
delay down 12
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 107
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all out-in
match access-group 111
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all VNC_CLASS
match access-group name VNC
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all SELF-OUT
match access-group name SELF-OUT
class-map type inspect match-all OUT-SELF
match access-group name OUT-SELF
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
class type inspect out-in
  inspect
class type inspect VNC_CLASS
  inspect
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class type inspect out-in
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect OUT-SELF
  pass
class class-default
  drop log
policy-map type inspect SELF-OUT
class type inspect SELF-OUT
  pass
class type inspect ccp-icmp-access
class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect SELF-OUT
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.62.176.1 track 123
ip route 0.0.0.0 0.0.0.0 24.61.144.1 2 track 456
ip route 4.2.2.2 255.255.255.255 FastEthernet0/1
ip route 192.55.83.30 255.255.255.255 FastEthernet0/0
ip route 192.168.5.0 255.255.255.0 192.168.5.2
ip route 192.168.10.0 255.255.255.0 192.168.5.2
ip route 192.168.15.0 255.255.255.0 192.168.5.2
ip route 192.168.25.0 255.255.255.0 192.168.5.2
ip route 192.168.35.0 255.255.255.0 192.168.5.2
ip route 192.168.45.0 255.255.255.0 192.168.5.2
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.10.10 5900 interface FastEthernet0/0 5900
ip nat inside source route-map FA00 interface FastEthernet0/0 overload
ip nat inside source route-map FA01 interface FastEthernet0/1 overload
!
ip access-list extended OUT-SELF
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 22
permit udp any any eq bootpc
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SELF-OUT
permit icmp any any
permit tcp any eq 22 any
permit tcp any eq www any
permit tcp any eq 443 any
ip access-list extended VNC
permit tcp any host 192.168.10.10 eq 5900
!
ip sla 1
icmp-echo 192.55.83.30
timeout 1500
threshold 10000
tag IMDFa00
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2
timeout 2500
threshold 10000
tag IMDFa01
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 2 life forever start-time now
logging 192.168.5.17
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=16
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=18
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 deny   ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 208.64.160.223 any
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 107 permit tcp any host 192.168.10.10 eq 5900
!
!
!
!
route-map FA01 permit 10
match ip address 101
match interface FastEthernet0/1
!
route-map FA00 permit 10
match ip address 101
match interface FastEthernet0/0
!
!
!
control-plane
!
!
...

end

Enthusiast

Re: Open a port on Cisco 1811

Charles, that's because the SDM is crazy... You don't even have the VPN zone assigned anywhere, even though the SDM creates one...

But here is what you should do (you should be able to copy and paste it when you have changed the IP address):

ip access-list extended VNC_ACL
 ! 192.168.10.10:5900 is the VNC host from the config above; change it for a different host
 permit tcp any host 192.168.10.10 eq 5900

class-map type inspect match-all VNC_CLASS-MAP
 match access-group name VNC_ACL

policy-map type inspect OUTSIDE-TO-INSIDE_POLICY-MAP
 class type inspect VNC_CLASS-MAP
  inspect

! The config above already has sdm-zp-VPNOutsideToInside-1 for out-zone -> in-zone; IOS allows only
! one zone-pair per source/destination pair, so this line is refused until that pair is removed
zone-pair security OUTSIDE-TO-INSIDE_ZONE-PAIR source out-zone destination in-zone
 service-policy type inspect OUTSIDE-TO-INSIDE_POLICY-MAP