08-29-2010 06:40 AM - edited 03-21-2019 02:56 AM
We have a UC540 in our office and a teleworker site with an SR520 router connected to a DSL modem.
I configured both devices with Cisco Configuration Assistant (CCA), set up the VPN server at the UC540, and VPN access at the SR520. VPN works for roaming clients (notebooks). VPN also works from the teleworker site behind the SR520:
- a Cisco phone works
- Internet access works
- you can ping, aka exchange ICMP packets from the teleworker site to the SR520 router, to the UC540 (internally), and to servers in the office LAN behind the UC540.
- you can also reach servers in the office LAN (via http, ssh).
BUT:
When I try to put data through the VPN, like copying data via scp or viewing large HTML pages, the connection just stalls at the teleworker site. Other connections still work, even to the same server, but each particular connection where data tried to flow is stalled forever.
I noticed that traffic from the teleworker site is coming from the VPN segment defined in the UC540 setup when it reaches the servers in the office LAN.
Any ideas?
From the SR520 configuration:
------------------------------------------------------------------------------------------------------------------------------------
version 12.4
crypto isakmp key XXX hostname XXX.loopback.org
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
connect auto
group EZVPN_GROUP_1 key XXX
mode client
peer XXX.loopback.org
virtual-interface 3
username XXX password XXX
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 101
class-map type inspect match-any Easy_VPN_Remote_VT
match access-group 102
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
pass
class type inspect sdm-cls-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
pass
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-cls-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
pass
class class-default
pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
pass
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
pass
class type inspect dhcp_out_self
pass
class class-default
drop
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit_VT
interface Virtual-Template3 type tunnel
no ip address
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password 7 XXX
ppp pap sent-username XXX password 7 XXX
ppp ipcp dns request accept
ppp ipcp route default
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 92.198.8.228 any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
From the UC540 configuration:
------------------------------------------------------------------------------------------------------------------------------------
version 12.4
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key XXX
dns 192.168.10.25 8.8.8.8
pool SDM_POOL_1
acl 105
save-password
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
client configuration address respond
virtual-template 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
class-map match-all _class_Voice0
match ip dscp ef
class-map match-all _class_Voice1
match ip dscp cs3
class-map match-all L3-to-L2_VoIP-Cntrl
match ip dscp af31
class-map match-all L3-to-L2_VoIP-RTP
match ip dscp ef
class-map match-all SIP
match protocol sip
class-map match-all RTP
match protocol rtp
class-map match-any media
match dscp ef
class-map match-any signaling
match dscp cs3
match dscp af31
!
!
policy-map EthOut
class RTP
policy-map output-L3-to-L2
class L3-to-L2_VoIP-RTP
set cos 5
class L3-to-L2_VoIP-Cntrl
set cos 3
policy-map Voice
class _class_Voice0
set cos 6
class _class_Voice1
set cos 3
policy-map queue
class signaling
bandwidth percent 5
class media
priority percent 50
class class-default
fair-queue
policy-map shape
class class-default
shape average 1024000
service-policy queue
!
bridge irb
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
!
interface Loopback7
ip address 50.50.50.50 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Loopback12
ip address 51.51.51.51 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
bandwidth 1024
ip address XXX 255.255.255.248
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
service-policy output shape
!
interface Virtual-Template4 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface BVI1
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
!
interface BVI100
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
!
!
ip local pool SDM_POOL_1 192.168.10.200 192.168.10.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 92.198.8.225
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.10.25 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.10.25 143 interface FastEthernet0/0 143
ip nat inside source static tcp 192.168.10.25 993 interface FastEthernet0/0 993
ip nat inside source static tcp 192.168.10.25 465 interface FastEthernet0/0 465
ip nat inside source static tcp 192.168.10.25 587 interface FastEthernet0/0 587
ip nat inside source static tcp 192.168.10.25 443 interface FastEthernet0/0 4443
ip nat inside source static tcp 192.168.10.25 8443 interface FastEthernet0/0 8443
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 50.50.50.0 0.0.0.255
access-list 1 permit 51.51.51.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL_INTERNAL
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.10.1
access-list 2 permit 10.1.10.0 0.0.0.3
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 3 remark CCA_SIP_SOURCE_GROUP_ACL_EXTERNAL
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 212.117.222.248
access-list 3 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_9##
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 10.1.10.2 eq non500-isakmp
access-list 101 permit udp any host 10.1.10.2 eq isakmp
access-list 101 permit esp any host 10.1.10.2
access-list 101 permit ahp any host 10.1.10.2
access-list 101 remark Auto generated by SDM for NTP (123) 17.72.255.12
access-list 101 permit udp host 17.72.255.12 eq ntp host 10.1.10.2 eq ntp
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 deny ip 92.198.8.224 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 192.168.10.1 eq non500-isakmp
access-list 102 permit udp any host 192.168.10.1 eq isakmp
access-list 102 permit esp any host 192.168.10.1
access-list 102 permit ahp any host 192.168.10.1
access-list 102 remark Auto generated by SDM for NTP (123) 17.72.255.12
access-list 102 permit udp host 17.72.255.12 eq ntp host 192.168.10.1 eq ntp
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip 92.198.8.224 0.0.0.7 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_9##
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 10.1.1.1 eq non500-isakmp
access-list 103 permit udp any host 10.1.1.1 eq isakmp
access-list 103 permit esp any host 10.1.1.1
access-list 103 permit ahp any host 10.1.1.1
access-list 103 remark Auto generated by SDM for NTP (123) 17.72.255.12
access-list 103 permit udp host 17.72.255.12 eq ntp host 10.1.1.1 eq ntp
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny ip 10.1.10.0 0.0.0.3 any
access-list 103 deny ip 192.168.10.0 0.0.0.255 any
access-list 103 deny ip 92.198.8.224 0.0.0.7 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_33##
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 92.198.8.228 eq non500-isakmp
access-list 104 permit udp any host 92.198.8.228 eq isakmp
access-list 104 permit esp any host 92.198.8.228
access-list 104 permit ahp any host 92.198.8.228
access-list 104 permit tcp any host 92.198.8.228 eq 8443 log
access-list 104 permit tcp any host 92.198.8.228 eq 4443 log
access-list 104 permit tcp any host 92.198.8.228 eq 587 log
access-list 104 permit tcp any host 92.198.8.228 eq 465 log
access-list 104 permit tcp any host 92.198.8.228 eq 993 log
access-list 104 permit tcp any host 92.198.8.228 eq 143 log
access-list 104 permit tcp any host 92.198.8.228 eq smtp log
access-list 104 permit tcp any host 92.198.8.228 eq 443
access-list 104 remark Auto generated by SDM for NTP (123) 17.72.255.12
access-list 104 permit udp host 17.72.255.12 eq ntp host 92.198.8.228 eq ntp
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 permit udp host 213.148.129.10 eq domain any
access-list 104 permit udp host 213.148.130.10 eq domain any
access-list 104 permit icmp any host 92.198.8.228 echo-reply
access-list 104 permit icmp any host 92.198.8.228 time-exceeded
access-list 104 permit icmp any host 92.198.8.228 unreachable
access-list 104 permit udp host 212.117.222.248 eq 5060 any
access-list 104 permit udp host 212.117.222.248 any eq 5060
access-list 104 permit udp host 192.168.10.1 eq 5060 any
access-list 104 permit udp host 192.168.10.1 any eq 5060
access-list 104 permit udp any any range 16384 32767
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.255 any
!
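A sizing check on the values in the posted configs, added here as an example and not part of the original post: it computes how large a full-MSS TCP segment becomes after ESP tunnel-mode encapsulation with the UC540's `esp-3des esp-sha-hmac` transform set and compares that with the SR520's `ip mtu 1492` on Dialer0. The function names are hypothetical; it assumes IPv4 and TCP headers without options, and because the post does not say whether NAT-T (UDP 4500) is in use, both cases are computed.

```python
"""Added example: ESP tunnel-mode packet sizing for the posted SR520/UC540 values."""

# Values taken from the posted configurations.
DIALER_IP_MTU = 1492   # SR520 Dialer0: "ip mtu 1492"
CLAMPED_MSS = 1412     # SR520 Vlan75:  "ip tcp adjust-mss 1412"

# ESP overhead for "esp-3des esp-sha-hmac" in tunnel mode ("tunnel mode ipsec ipv4").
OUTER_IP = 20          # new outer IPv4 header
ESP_HEADER = 8         # SPI + sequence number
IV_3DES = 8            # 3DES-CBC initialisation vector
BLOCK_3DES = 8         # ciphertext is padded to a multiple of the block size
ESP_TRAILER = 2        # pad-length + next-header bytes (encrypted)
ICV_SHA1_96 = 12       # truncated HMAC-SHA-1 integrity value
NAT_T_UDP = 8          # extra UDP header if NAT traversal is negotiated (assumption)

# Assumption: inner IPv4 (20) + TCP (20) headers carry no options.
INNER_HEADERS = 40


def fixed_overhead(nat_t=False):
    """Bytes added around the ciphertext, independent of payload size."""
    return OUTER_IP + ESP_HEADER + IV_3DES + ICV_SHA1_96 + (NAT_T_UDP if nat_t else 0)


def esp_packet_size(inner_len, nat_t=False):
    """Size on the wire of an inner IP packet after ESP tunnel-mode encapsulation."""
    to_encrypt = inner_len + ESP_TRAILER
    padded = -(-to_encrypt // BLOCK_3DES) * BLOCK_3DES  # round up to block size
    return fixed_overhead(nat_t) + padded


def max_inner_packet(link_mtu, nat_t=False):
    """Largest inner IP packet whose encapsulated form still fits link_mtu."""
    ciphertext = (link_mtu - fixed_overhead(nat_t)) // BLOCK_3DES * BLOCK_3DES
    return ciphertext - ESP_TRAILER


def max_mss(link_mtu, nat_t=False):
    """Largest TCP MSS that avoids fragmentation of the encrypted packet."""
    return max_inner_packet(link_mtu, nat_t) - INNER_HEADERS


def report(mss=CLAMPED_MSS, link_mtu=DIALER_IP_MTU):
    """Compare a full-MSS segment against the link MTU, with and without NAT-T."""
    rows = []
    for nat_t in (False, True):
        outer = esp_packet_size(mss + INNER_HEADERS, nat_t)
        rows.append({
            "nat_t": nat_t,
            "outer_size": outer,
            "fits": outer <= link_mtu,
            "max_mss": max_mss(link_mtu, nat_t),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(
            f"NAT-T={row['nat_t']!s:5}  full-MSS packet after ESP: "
            f"{row['outer_size']} bytes  fits in {DIALER_IP_MTU}: {row['fits']}  "
            f"largest safe MSS: {row['max_mss']}"
        )
    # A small packet such as an 84-byte ICMP echo stays far below the MTU.
    print("84-byte ping after ESP:", esp_packet_size(84), "bytes")
```
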