Cisco 877 NTP and DDNS problems

ehsampsonc
Level 1

Hi All,

I currently have two issues, both of which are related to router generated traffic.

My understanding is that CBAC should not have a problem with this as long as the "router-traffic" keyword is used?

First problem is NTP won't synchronise and the second is that DDNS won't update.

Can someone spot any issues with my config?

Cheers

Chris

NTP:


#############################

Alpha#
000113: .Apr 29 18:05:16.817 PCTime: %SYS-5-CONFIG_I: Configured from console by sampsonc on vty0 (10.130.2.5)
Alpha#
000114: .Apr 29 18:05:27.352 PCTime: NTP message sent to 192.231.203.132, from interface 'Dialer0' (118.209.84.13).
000115: .Apr 29 18:05:27.380 PCTime: NTP message received from 192.231.203.132 on interface 'Dialer0' (118.209.84.13).
000116: .Apr 29 18:05:27.380 PCTime: NTP Core(DEBUG): ntp_receive: message received
000117: .Apr 29 18:05:27.384 PCTime: NTP Core(DEBUG): ntp_receive: peer is 0x833C8E80, next action is 1.
000118: .Apr 29 18:05:27.384 PCTime: NTP Core(DEBUG): receive: packet given to process_packet
000119: .Apr 29 18:05:27.384 PCTime: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
000120: .Apr 29 18:05:27.384 PCTime: NTP Core(INFO): peer 192.231.203.132 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014)
Alpha#

Alpha#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 249.9433 Hz, actual freq is 249.9436 Hz, precision is 2**16
reference time is D163AEA2.7CAA03C2 (19:15:14.486 PCTime Thu Apr 28 2011)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 1.18 msec, peer dispersion is 0.00 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000001218 s/s
system poll interval is 64, last update was 80882 sec ago.

Alpha#show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
~192.231.203.132 .USER.          16  79859   1024     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Alpha#

#############################

DDNS:

#############################

Alpha(config-if)#no shut

000088: .Apr 29 17:45:22.868 PCTime: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di0
000089: .Apr 29 17:45:22.868 PCTime: DYNUPD: SWIF comingup 'Dialer0'
000090: .Apr 29 17:45:22.880 PCTime: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
000091: .Apr 29 17:45:22.880 PCTime: DYNUPD: SWIF goingdown 'Virtual-Access2'
000092: .Apr 29 17:45:23.865 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
000093: .Apr 29 17:45:24.861 PCTime: %LINK-3-UPDOWN: Interface Dialer0, changed state to up
000094: .Apr 29 17:45:24.861 PCTime: DYNUPD: SWIF comingup 'Dialer0'
000095: .Apr 29 17:45:45.101 PCTime: %DIALER-6-BIND: Interface Vi2 bound to profile Di0
000096: .Apr 29 17:45:45.105 PCTime: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
000097: .Apr 29 17:45:46.242 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
000098: .Apr 29 17:45:46.242 PCTime: DYNUPD: SWIF comingup 'Virtual-Access2'
000099: .Apr 29 17:45:48.754 PCTime: DYNDNSUPD: Adding DNS mapping for xxxxxxx.dyndns-ip.com <=> 1xx.2xx.84.xx
000100: .Apr 29 17:45:48.754 PCTime: HTTPDNS: Update add called for xxxxxxx.dyndns-ip.com <=> 1xx.2xx.84.xx
000101: .Apr 29 17:45:48.754 PCTime: HTTPDNSUPD: Session ID = 0x6
000102: .Apr 29 17:45:48.754 PCTime: HTTPDNSUPD: URL = 'http://xxxxxx:xxxxxx@members.dyndns.org/nic/update?hostname=xxxxxxxxx.dyndns-ip.com&myip=xxxxxxxxx'
000103: .Apr 29 17:45:48.754 PCTime: HTTPDNSUPD: Sending request
000104: .Apr 29 17:46:04.318 PCTime: HTTPDNSUPD: Call returned Response time out, update of xxxxxxx.dyndns-ip.com <=> 1xx.2xx.84.xx failed
000105: .Apr 29 17:46:04.318 PCTime: DYNDNSUPD: Another update completed (outstanding=0, total=0)
000106: .Apr 29 17:46:04.318 PCTime: HTTPDNSUPD: Clearing all session 6 info


Alpha#sh ip ddns update
Dynamic DNS Update on Dialer0:
  Update Method Name            Update Destination
  DDNS_UPDATE_METHOD            not available
Alpha#

#############################


Here is my entire config, I know it's probably not needed but I wanted to add it for completeness.

#############################

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Alpha
!
boot-start-marker
boot system flash
boot-end-marker
!
logging message-counter syslog
logging buffered 50000
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!


dot11 syslog
!
dot11 ssid xxxxxxxxxxx
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii xxxxxxxxxxxxxxxxx
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.130.2.1 10.130.2.15
!
ip dhcp pool Home
   import all
   network 10.130.2.0 255.255.255.0
   default-router 10.130.2.1
   dns-server 192.231.203.132 192.231.203.3
!
!
ip cef
no ip bootp server
ip domain name home.local
ip host r1 10.130.2.2
ip name-server 203.10.110.101
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp router-traffic
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp router-traffic timeout 300
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip ddns update method DDNS_UPDATE_METHOD
HTTP
  add http://xxxxx:xxxx@members.dyndns.org/nic/update?hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!
ip dhcp-server 10.130.2.1
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp mode transparent
username sampsonc privilege 15 secret 5 xxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxx
key xxxxxxxxxxxx
dns 203.10.110.101
domain home.local
pool vpnpool
acl vpn-splitacl
crypto isakmp profile sdm-ike-profile-1
   match identity group xxxxxxxx
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set vpn-transset esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set vpn-transset
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
  hidekeys
!
!
ip tcp window-size 750000
ip tcp synwait-time 40
ip ssh version 2
!
bridge irb
!
!
interface Loopback1
description SSL VPN Website Address
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Loopback2
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
shutdown
no dot11 qos mode
no dot11 extension aironet
!
encryption mode ciphers aes-ccm
!
ssid xxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
station-role root
world-mode dot11d country AU both
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip virtual-reassembly
bridge-group 1
!
interface Dialer0
description ADSL2+ Internet
mtu 1492
ip ddns update hostname xxxxxxxxxxx.dyndns-ip.com
ip ddns update DDNS_UPDATE_METHOD
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect Firewall out
ip virtual-reassembly max-reassemblies 32
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxx
!
interface BVI1
description Internal Network
ip address 10.130.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool vpnpool 10.1.1.1 10.1.1.5
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 150.101.212.45
ip route 0.0.0.0 0.0.0.0 150.101.212.44
ip route 192.168.168.0 255.255.255.0 10.130.2.250
ip route 192.168.240.0 255.255.255.0 10.130.2.250
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4443
!
ip flow-export source BVI1
ip flow-export version 5
ip flow-export destination 10.130.2.5 2048
!
ip pim rp-address 10.130.2.1
ip nat inside source list 102 interface Dialer0 overload
ip nat inside source static tcp 10.130.2.15 13501 interface Dialer0 13501
ip nat inside source static tcp 10.130.2.5 13500 interface Dialer0 13500
ip nat inside source static tcp 10.10.10.1 10443 interface Dialer0 10443
ip nat inside source static tcp 10.130.2.250 443 interface Dialer0 443
!
ip access-list extended vpn-splitacl
permit ip 10.130.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
logging trap debugging
logging 10.130.2.5
access-list 1 permit 10.1.1.1
access-list 1 remark SSH Access
access-list 1 permit 10.130.2.0 0.0.0.255
access-list 101 remark ALLOW GAMES PORTS
access-list 101 permit tcp any any range 28960 29000
access-list 101 permit udp any any range 28960 29000
access-list 101 permit udp any any range 27000 27020
access-list 101 permit tcp any any range 27021 27050
access-list 101 remark ALLOW IPSEC RULE
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 remark ALLOW APACHE2 WEB SERVER ****DENIED****
access-list 101 deny   tcp any host 10.130.2.15 eq www
access-list 101 remark ALLOW SSLVPN
access-list 101 permit tcp any any eq 10443
access-list 101 permit tcp any any eq 443
access-list 101 remark ALLOW DYNDNS
access-list 101 permit tcp host 204.13.248.112 eq www any log
access-list 101 remark ALLOW PORT
access-list 101 permit tcp any any eq 13500
access-list 101 permit tcp any any eq 13501
access-list 101 permit udp any any eq ntp
access-list 101 permit udp host 203.10.110.101 eq domain any
access-list 101 remark DENY FIREWALL RULES
access-list 101 deny   icmp any any echo-reply
access-list 101 deny   icmp any any time-exceeded
access-list 101 deny   icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   tcp any any
access-list 101 deny   udp any any
access-list 101 deny   ip any any
access-list 102 remark DENY IPSEC TRAFFIC FROM NAT
access-list 102 deny   ip 10.130.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 remark ALLOW NAT ACCESS-LIST
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 permit ip any any


!
!
snmp-server community xxxxxxxxx RO
snmp-server ifindex persist
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp source Dialer0
ntp server 192.231.203.132 prefer
!
webvpn gateway MyGateway
ip address 10.10.10.1 port 10443
ssl trustpoint TP-self-signed-3585849034
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.5.0217-k9.pkg sequence 1
!
webvpn context SecureMeContext
title "SSL VPN"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
!
url-list "WebServers"
   heading "Cacti"
   url-text "Cacti" url-value "http://10.130.2.15/cacti"
!
login-message "Cisco SSL VPN Service"
!
port-forward "Port-Forwarding"
   local-port 222 remote-server "10.130.2.1" remote-port 22 description "Alpha"
   local-port 223 remote-server "10.130.2.15" remote-port 22 description "Ubuntu"
   local-port 224 remote-server "10.130.2.5" remote-port 3389 description "Bravo RDP"
!
policy group MyDefaultPolicy
   url-list "WebServers"
   port-forward "Port-Forwarding"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-enabled
   svc address-pool "sslvpnpool"
   svc keep-client-installed
   svc split include 10.130.2.0 255.255.255.0
   svc dns-server primary 203.10.110.101
default-group-policy MyDefaultPolicy
aaa authentication list default
gateway MyGateway domain home
max-users 2
inservice
!
end

#############################
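
An added example (not part of the original post, and not Cisco code): a small Python check that reads `ip inspect name` lines like those in the configuration above and reports which router-originated services the CBAC rule inspects, based on the `router-traffic` keyword. The function names and the service-to-transport table are assumptions of this example; the sample lines are copied from the post.

```python
import re

# Constructed sample: lines copied from the configuration posted above.
SAMPLE_CONFIG = """\
ip inspect name Firewall dns
ip inspect name Firewall icmp router-traffic
ip inspect name Firewall tcp router-traffic timeout 300
ip inspect name Firewall udp
interface Dialer0
 ip access-group 101 in
 ip inspect Firewall out
"""

# Transport used by each router-originated service (assumption of this example).
ROUTER_SERVICES = {"NTP client": "udp", "DDNS HTTP update": "tcp", "router ping": "icmp"}

NAME_RE = re.compile(r"^ip inspect name (\S+) (\S+)(.*)$")
APPLY_RE = re.compile(r"^ip inspect (?!name\s)(\S+) (in|out)$")


def parse_inspect_rules(config):
    """Return {rule: {protocol: True if 'router-traffic' is set}}."""
    rules = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            rule, proto, rest = m.groups()
            rules.setdefault(rule, {})[proto] = "router-traffic" in rest.split()
    return rules


def applied_on(config):
    """Return {interface: [(rule, direction), ...]} for applied inspection rules."""
    applied, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        m = APPLY_RE.match(line.strip())
        if m and current:
            applied.setdefault(current, []).append(m.groups())
    return applied


def router_traffic_coverage(config, rule):
    """Map each router-originated service to whether CBAC inspects it."""
    protos = parse_inspect_rules(config).get(rule, {})
    return {svc: protos.get(p, False) for svc, p in ROUTER_SERVICES.items()}


if __name__ == "__main__":
    for iface, rules in applied_on(SAMPLE_CONFIG).items():
        for rule, direction in rules:
            print(iface, rule, direction, router_traffic_coverage(SAMPLE_CONFIG, rule))
```

Coverage here only says whether CBAC would build return-path state for the router's own sessions; static permits in the inbound ACL, such as the `permit udp any any eq ntp` entry in access-list 101, are evaluated separately.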

1 Reply 1

BUMP

I know this was posted a long time ago but there was no answer yet, I have the same problem here too.

This config works with Cable Modem WAN connection but when I switch to ADSL ATM WAN it doesn't work anymore...

I use Dialer 1 interface and MLPPP with two ADSL1 WICs.

Any Ideas?

Thanks,

A
