- Cisco Community
- Technology and Support
- Networking
- Routing
- Re: 1841 SSH Access under ZBFW
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2011 03:23 PM - edited 03-04-2019 02:03 PM
Hi,
Im unable to access my newly configured 1841 via SSH or via CCP from the WAN side.
Is there anything I can do from the LAN side in CCP that will assure that this router is able to be managed from the WAN?
TIA
Solved! Go to Solution.
- Labels:
-
Other Routing
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2011 05:58 PM
hi charles,
there are some missing lines for CCP and SSH. kindly temporarily removed your ZBFW while testing this out.
CCP:
username administrator privilege 15 secret
ip http authentication local
SSH:
crypto key generate rsa
ip ssh time-out
ip ssh authentication-retries
int f0/0
no zone-member security out-zone
int f0/1
no zone-member security out-zone
int vl1
no zone-member security in-zone
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 12:10 AM
Hi,
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
This is why you can't access your router with ssh or CCP because you are only permitting DHCP replies to get an ip address but nothing else so to remedy do this:
zone-pair security ccp-zp-out-self source out-zone destination self
no service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
no service-policy type inspect ccp-permit-icmpreply
or modify your policy-map ccp-permit and ccp-permit-icmpreply:
policy-map type inspect ccp-permit
no class type inspect SDM_DHCP_CLIENT_PT
class-type inspect OUT-SELF
pass
class class-default
drop log
class-map type inspect OUT-SELF
match ip access-group name OUT-SELF
ip access-list extended OUT-SELF
permit icmp any any
permit tcp any any eq bootpc
permit tcp any any eq ssh
permit tcp any any eq https
permit tcp any any eq http
zone-pair security ccp-zp-self-out source self destination out-zone
no service-policy type inspect ccp-permit-icmpreply
service-policy type inspect SELF-OUT
policy-map type inspect SELF-OUT
class type inspect SELF-OUT
pass
class class-default
drop log
class-map type inspect SELF-OUT
match ip access-group name SELF-OUT
ip access-list extended SELF-OUT
permit icmp any any
permit tcp any eq ssh any
permit tcp any https any
permit tcp any eq http any
Regards.
Alain.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 07:29 AM
Hi Charles,
Glad to hear your CCP and SSH now works. For the web browsing issue, kindly try re-configuring your static default routes:
ip route 0.0.0.0 0.0.0.0 dhcp 2 track 123
ip route 0.0.0.0 0.0.0.0 ISP-NEXT-HOP 2 track 456
Please remember to rate helpful posts. Thanks!
Sent from Cisco Technical Support iPhone App
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2011 04:40 PM
Hi Charles,
You would need to add the "transport input ssh" command under your VTYs for SSH to work. See useful URL how to setup SSH on your 1841:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Sent from Cisco Technical Support iPhone App
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2011 05:07 PM
Hi John,
Thanks for the reply. I checked my current config and those commands were already part of the VTYs. Im including the full config below, since it is a little complicated by slas and VPN.
BTW I am unable to ping either Fa port from the WAN side, but I can ping them both from the lan side and I have checked that both ports are up/up. Also, web browsing is extremely slow/fails/timesout. Maybe these are all related? I hope so.
Charlie
Here is the full config:
Current configuration : 12092 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname imd1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
.
!
no aaa new-model
clock timezone EST -5
clock summer-time EST recurring
!
crypto pki trustpoint TP-self-signed-3459452820
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3459452820
revocation-check none
rsakeypair TP-self-signed-3459452820
!
!
crypto pki certificate chain TP-self-signed-3459452820
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343539 34353238 3230301E 170D3131 31303235 31373334
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353934
35323832 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B908 A2994EE4 6E1B9B7C 8F5CAC45 510C34B2 4FD94E24 AB695477 F5AD259A
BEEEA023 C2804D69 9FB16E84 B68BB2D8 F15591EC 1639F86A 4750CD60 E745FCDA
9D3C5154 A0EAAD5D 8ABEF29A A059FB4E 8238299C D965C45E 922E961D FA6F0CFB
29932B3F C5D3428C FECF43C1 64C5D3D9 1A30BC8D DDC60B7F 525A2A2D 5874B1A7
AF8B0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
551D1104 1A301882 16696D64 31383431 2E696D64 65736967 6E2E6C6F 63616C30
1F060355 1D230418 30168014 ACB35655 A6462310 4AD5A142 4FEE72EE 9F9ED125
301D0603 551D0E04 160414AC B35655A6 4623104A D5A1424F EE72EE9F 9ED12530
0D06092A 864886F7 0D010104 05000381 810044E2 1C68291D D66FC13D 18F57304
9C28CBF2 31F6CEAC B070F129 ACBD82C3 2EFB9C81 159F9B3F C35703CF 469D9EBA
49151D6B 2514804F 6705FC10 E94D04FB 2E1AC867 7706BDB0 56A07D2A 2E376B1A
DE99D8D9 36062A65 AA29E40C FFC1F320 17F87B99 57336941 C99184CC 5952F742
223DBB82 6DA9037B F48FB28F 92C2DE73 2EAA
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name mydomain.local
no ipv6 cef
ntp logging
ntp update-calendar
ntp server 129.6.15.18
ntp server 129.6.15.29
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
!
username administrator
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address zz.zz.zz.zz
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Onshore
set peer zz.zz.zz.zz
set transform-set ESP-3DES-SHA
match address 101
!
archive
log config
hidekeys
!
!
!
track 123 ip sla 1 reachability
!
track 456 ip sla 2 reachability
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.248.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 2 track 123
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 2 track 456
ip route 4.2.2.2 255.255.255.255 FastEthernet0/1
ip route 192.55.83.30 255.255.255.255 FastEthernet0/0
ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map RMFA00 interface FastEthernet0/0 overload
ip nat inside source route-map RMFA01 interface FastEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
ip sla 1
icmp-echo 192.55.83.30
timeout 1500
threshold 10000
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2
timeout 2500
threshold 10000
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 2 life forever start-time now
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 208.64.160.223 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 deny ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=0
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip any 192.168.5.0 0.0.0.255
!
!
!
!
route-map RMFA00 permit 10
match ip address 101
match interface FastEthernet0/0
!
route-map RMFA01 permit 10
match ip address 101
match interface FastEthernet0/1
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
control-plane
!
!
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-25-2011 05:58 PM
hi charles,
there are some missing lines for CCP and SSH. kindly temporarily removed your ZBFW while testing this out.
CCP:
username administrator privilege 15 secret
ip http authentication local
SSH:
crypto key generate rsa
ip ssh time-out
ip ssh authentication-retries
int f0/0
no zone-member security out-zone
int f0/1
no zone-member security out-zone
int vl1
no zone-member security in-zone
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 12:10 AM
Hi,
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
This is why you can't access your router with ssh or CCP because you are only permitting DHCP replies to get an ip address but nothing else so to remedy do this:
zone-pair security ccp-zp-out-self source out-zone destination self
no service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
no service-policy type inspect ccp-permit-icmpreply
or modify your policy-map ccp-permit and ccp-permit-icmpreply:
policy-map type inspect ccp-permit
no class type inspect SDM_DHCP_CLIENT_PT
class-type inspect OUT-SELF
pass
class class-default
drop log
class-map type inspect OUT-SELF
match ip access-group name OUT-SELF
ip access-list extended OUT-SELF
permit icmp any any
permit tcp any any eq bootpc
permit tcp any any eq ssh
permit tcp any any eq https
permit tcp any any eq http
zone-pair security ccp-zp-self-out source self destination out-zone
no service-policy type inspect ccp-permit-icmpreply
service-policy type inspect SELF-OUT
policy-map type inspect SELF-OUT
class type inspect SELF-OUT
pass
class class-default
drop log
class-map type inspect SELF-OUT
match ip access-group name SELF-OUT
ip access-list extended SELF-OUT
permit icmp any any
permit tcp any eq ssh any
permit tcp any https any
permit tcp any eq http any
Regards.
Alain.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 06:45 AM
Thanks for the replies. I think this has solved the immediate problem. I made the changes offered by John and by Alain. Then I re-enabled the ZBFW on the external and internal interfaces and I am now able to access (via ssh and ccp) the router from remote.
I am still having some issues with web browsing. Often requests time-out. Here is an updated config. Does anyone see any reasons why Im having this issue?
Current configuration : 12733 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname imd1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
enable secret 5 ***********
!
no aaa new-model
clock timezone EST -5
clock summer-time EST recurring
!
crypto pki trustpoint TP-self-signed-3459452820
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3459452820
revocation-check none
rsakeypair TP-self-signed-3459452820
!
!
crypto pki certificate chain TP-self-signed-3459452820
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343539 34353238 3230301E 170D3131 31303235 31373334
35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34353934
35323832 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B908 A2994EE4 6E1B9B7C 8F5CAC45 510C34B2 4FD94E24 AB695477 F5AD259A
BEEEA023 C2804D69 9FB16E84 B68BB2D8 F15591EC 1639F86A 4750CD60 E745FCDA
9D3C5154 A0EAAD5D 8ABEF29A A059FB4E 8238299C D965C45E 922E961D FA6F0CFB
29932B3F C5D3428C FECF43C1 64C5D3D9 1A30BC8D DDC60B7F 525A2A2D 5874B1A7
AF8B0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
551D1104 1A301882 16696D64 31383431 2E696D64 65736967 6E2E6C6F 63616C30
1F060355 1D230418 30168014 ACB35655 A6462310 4AD5A142 4FEE72EE 9F9ED125
301D0603 551D0E04 160414AC B35655A6 4623104A D5A1424F EE72EE9F 9ED12530
0D06092A 864886F7 0D010104 05000381 810044E2 1C68291D D66FC13D 18F57304
9C28CBF2 31F6CEAC B070F129 ACBD82C3 2EFB9C81 159F9B3F C35703CF 469D9EBA
49151D6B 2514804F 6705FC10 E94D04FB 2E1AC867 7706BDB0 56A07D2A 2E376B1A
DE99D8D9 36062A65 AA29E40C FFC1F320 17F87B99 57336941 C99184CC 5952F742
223DBB82 6DA9037B F48FB28F 92C2DE73 2EAA
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name mydomain.local
no ipv6 cef
ntp logging
ntp update-calendar
ntp server 129.6.15.18
ntp server 129.6.15.29
!
multilink bundle-name authenticated
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
!
!
username admin privilege 15 secret 5 ********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address zz.zz.zz.zz
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.64.160.223
set peer zz.zz.zz.zz
set transform-set ESP-3DES-SHA
match address 101
!
archive
log config
hidekeys
!
!
ip ssh time-out 30
ip ssh authentication-retries 5
!
track 123 ip sla 1 reachability
!
track 456 ip sla 2 reachability
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all SELF-OUT
match access-group name SELF-OUT
class-map type inspect match-all OUT-SELF
match access-group name OUT-SELF
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect OUT-SELF
pass
class class-default
drop log
policy-map type inspect SELF-OUT
class type inspect SELF-OUT
pass
class class-default
drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect SELF-OUT
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address xx.xx.xx.xx 255.255.248.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 2 track 123
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 2 track 456
ip route 4.2.2.2 255.255.255.255 FastEthernet0/1
ip route 192.55.83.30 255.255.255.255 FastEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map RMFA00 interface FastEthernet0/0 overload
ip nat inside source route-map RMFA01 interface FastEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended OUT-SELF
permit icmp any any
permit udp any any eq bootpc
permit tcp any any eq 22
permit tcp any any eq 443
permit tcp any any eq www
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SELF-OUT
permit icmp any any
permit tcp any eq 22 any
permit tcp any eq 443 any
permit tcp any eq www any
!
ip sla 1
icmp-echo 192.55.83.30
timeout 1500
threshold 10000
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2
timeout 2500
threshold 10000
frequency 4
history hours-of-statistics-kept 6
history distributions-of-statistics-kept 5
history statistics-distribution-interval 10
history buckets-kept 25
history enhanced interval 900 buckets 100
ip sla schedule 2 life forever start-time now
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host zz.zz.zz.zz any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 deny ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=0
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip any 192.168.5.0 0.0.0.255
!
!
!
!
route-map RMFA00 permit 10
match ip address 101
match interface FastEthernet0/0
!
route-map RMFA01 permit 10
match ip address 101
match interface FastEthernet0/1
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
control-plane
!
!
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 07:45 AM
Hi,
Are these request timeouts random?
Can you post sh ip route and sh arp output .
Alain.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 08:04 AM
Here is the output from those commands:
imd1841#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 4.2.2.2 154 001d.4570.46e2 ARPA FastEthernet0/1
Internet 23.48.92.176 122 001d.4570.46e2 ARPA FastEthernet0/0
Internet 24.62.176.1 0 001d.4570.46e2 ARPA FastEthernet0/0
Internet 24.62.177.211 0 000f.b580.0c07 ARPA FastEthernet0/0
Internet 24.62.183.157 - 0018.1846.57f2 ARPA FastEthernet0/0
Internet 38.114.159.1 121 001d.4570.46e2 ARPA FastEthernet0/1
Internet 38.114.159.3 121 001d.4570.46e2 ARPA FastEthernet0/1
Internet 38.114.159.45 121 001d.4570.46e2 ARPA FastEthernet0/0
Internet 38.114.159.62 122 001d.4570.46e2 ARPA FastEthernet0/0
Internet 38.114.159.63 121 001d.4570.46e2 ARPA FastEthernet0/0
Internet 64.4.18.90 2 001d.4570.46e2 ARPA FastEthernet0/0
Internet 64.94.107.23 121 001d.4570.46e2 ARPA FastEthernet0/1
Internet 64.94.107.38 121 001d.4570.46e2 ARPA FastEthernet0/1
Internet 66.30.32.45 - 0018.1846.57f3 ARPA FastEthernet0/1
Internet 66.151.183.41 124 001d.4570.46e2 ARPA FastEthernet0/0
Internet 66.235.138.59 120 001d.4570.46e2 ARPA FastEthernet0/0
Internet 68.87.71.230 153 001d.4570.46e2 ARPA FastEthernet0/1
Internet 69.63.181.63 100 001d.4570.46e2 ARPA FastEthernet0/0
Internet 69.64.158.164 124 001d.4570.46e2 ARPA FastEthernet0/0
Internet 70.37.128.171 98 001d.4570.46e2 ARPA FastEthernet0/1
Internet 70.37.129.172 97 001d.4570.46e2 ARPA FastEthernet0/0
Internet 72.163.5.80 100 001d.4570.46e2 ARPA FastEthernet0/0
Protocol Address Age (min) Hardware Addr Type Interface
Internet 74.125.113.99 0 Incomplete ARPA
Internet 74.125.113.103 0 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.113.105 0 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.113.106 1 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.115.120 141 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.96 105 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.97 83 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.98 153 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.102 83 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.103 141 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.105 83 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.106 82 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.108 83 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.109 123 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.161 85 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.163 153 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.172 153 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.195 0 Incomplete ARPA
Internet 74.125.226.198 0 Incomplete ARPA
Internet 74.125.226.202 0 001d.4570.46e2 ARPA FastEthernet0/0
Internet 74.125.226.228 153 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.229 153 001d.4570.46e2 ARPA FastEthernet0/0
Protocol Address Age (min) Hardware Addr Type Interface
Internet 74.125.226.231 139 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.236 153 001d.4570.46e2 ARPA FastEthernet0/1
Internet 74.125.226.237 84 001d.4570.46e2 ARPA FastEthernet0/1
Internet 75.98.38.78 123 001d.4570.46e2 ARPA FastEthernet0/0
Internet 129.6.15.28 153 001d.4570.46e2 ARPA FastEthernet0/1
Internet 138.108.6.20 120 001d.4570.46e2 ARPA FastEthernet0/1
Internet 173.37.144.208 88 001d.4570.46e2 ARPA FastEthernet0/1
Internet 184.25.109.122 99 001d.4570.46e2 ARPA FastEthernet0/1
Internet 184.25.109.137 121 001d.4570.46e2 ARPA FastEthernet0/1
Internet 192.55.83.30 154 001d.4570.46e2 ARPA FastEthernet0/0
Internet 192.168.5.1 - 0018.1846.57f2 ARPA Vlan1
Internet 192.168.5.219 0 0021.70ab.d01d ARPA Vlan1
Internet 198.133.219.10 98 001d.4570.46e2 ARPA FastEthernet0/1
Internet 206.72.115.12 99 001d.4570.46e2 ARPA FastEthernet0/0
Internet 207.223.0.140 113 001d.4570.46e2 ARPA FastEthernet0/1
Internet 208.64.160.223 153 001d.4570.46e2 ARPA FastEthernet0/0
Internet 209.85.227.120 83 001d.4570.46e2 ARPA FastEthernet0/0
imd1841#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
68.0.0.0/32 is subnetted, 1 subnets
S 68.87.71.8 [254/0] via 24.62.176.1, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
S 4.2.2.2 is directly connected, FastEthernet0/1
66.0.0.0/21 is subnetted, 1 subnets
C 66.30.32.0 is directly connected, FastEthernet0/1
24.0.0.0/21 is subnetted, 1 subnets
C 24.62.176.0 is directly connected, FastEthernet0/0
C 192.168.5.0/24 is directly connected, Vlan1
192.55.83.0/32 is subnetted, 1 subnets
S 192.55.83.30 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, FastEthernet0/0
is directly connected, FastEthernet0/1
Any Ideas?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-02-2011 01:36 PM
Hi Alain,
I have another issue with this 1841 config.
I am unable to bring up the Zone Based Firewall since applying some of the changes you suggested in your original post. When I turn debugs on I am able to see that firewall is dropping some packets during the ISAKMP phase of bringing up the tunnel:
Here is what I am seeing in the debugs:
.Nov 2 16:15:34.283 EST: ISAKMP:(0): beginning Main Mode exchange
.Nov 2 16:15:34.283 EST: ISAKMP:(0): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
.Nov 2 16:15:34.283 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Nov 2 16:15:34.283 EST: %FW-6-DROP_PKT: Dropping Other session yy.yy.yy.yy:500 xx.xx.xx.xx:500 on zone-pair ccp-zp-self-out class class-default due to DROP action found in policy-map with ip ident 0
.Nov 2 16:15:44.282 EST: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.Nov 2 16:15:44.282 EST: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.Nov 2 16:15:44.282 EST: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.Nov 2 16:15:44.282 EST: ISAKMP:(0): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
.Nov 2 16:15:44.282 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Nov 2 16:15:54.282 EST: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.Nov 2 16:15:54.282 EST: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
.Nov 2 16:15:54.282 EST: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.Nov 2 16:15:54.282 EST: ISAKMP:(0): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
.Nov 2 16:15:54.282 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Nov 2 16:16:03.105 EST: %FW-6-LOG_SUMMARY: 5 packets were dropped from yy.yy.yy.yy:500 => xx.xx.xx.xx:500 (target:class)-(ccp-zp-self-out:class-default)
Here are the relevant zone/policy/class statements:
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect SELF-OUT
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect OUT-SELF
pass
class class-default
drop log
policy-map type inspect SELF-OUT
class type inspect SELF-OUT
pass
class class-default
drop log
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all SELF-OUT
match access-group name SELF-OUT
class-map type inspect match-all OUT-SELF
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host xx.xx.xx.xx any
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match access-group name OUT-SELF
ip access-list extended OUT-SELF
permit icmp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 22
permit udp any any eq bootpc
ip access-list extended SELF-OUT
permit icmp any any
permit tcp any eq 22 any
permit tcp any eq www any
permit tcp any eq 443 any
The Debug error seems to point to the self-out class-default DROP action? What would I need to add in order to allow the VPN tunnel to come up?
TIA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 07:29 AM
Hi Charles,
Glad to hear your CCP and SSH now works. For the web browsing issue, kindly try re-configuring your static default routes:
ip route 0.0.0.0 0.0.0.0 dhcp 2 track 123
ip route 0.0.0.0 0.0.0.0 ISP-NEXT-HOP 2 track 456
Please remember to rate helpful posts. Thanks!
Sent from Cisco Technical Support iPhone App
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-26-2011 08:07 AM
Hi,
Not sure what you are referrring to in each of these statements:
1. 'dhcp' This is currently FastEthernet0/0 in the current config. To what would dhcp refer?
2. 'ISP-NEXT-HOP' This is currently FastEthernet0/1 in the current config. Likewise to what should this refer?
TIA
I think I figured this out. For both of these items I placed the default gateway address assigned by the isp. Now things are moving a lot faster.
Thanks!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
