Cisco :: CISCO Advanced Firewall On 2911 Router Using CCP?
Dec 29, 2012
Guys, I am using a Cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers, Gi0/2 which will connect to another server, and Gi0/1 is my outside interface connecting through a switch to two ISPs. I have web servers and terminal servers/file servers with the 10.0.0.0 network address connected through my Gi0/0 interface. Now I want to implement a Cisco Advanced Firewall for security on my router using CCP. I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 0, 23, 25, 20, 21, 53, 110, 3389, and to access the SIP server on Gi0/2. My issue is: can I just create two DMZs for both interfaces Gi0/0 and Gi0/2 without creating an inside zone, with Gi0/1 as the outside zone, as my internal traffic is mostly server based and the users connect remotely through the terminal server to access resources using RDP? Secondly, how do I open the relevant ports? I have checked a lot and all I have seen is just the basic process of using the wizard; I have no idea how to go about this issue.
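As an added example (not taken from the post, and not CCP's own output), this is the kind of zone-based firewall CLI the CCP wizard ends up generating for the design described above: two DMZ zones and an outside zone with no inside zone, and the listed ports opened through a stateful inspect policy. The zone, class-map, ACL and policy names are chosen here, and the 10.0.0.0 server network is assumed to be a /8.

```cisco
! Zones are arbitrary names; an "inside" zone is not required.
zone security OUTSIDE
zone security DMZ-SERVERS
zone security DMZ-SIP
!
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/0
 zone-member security DMZ-SERVERS
interface GigabitEthernet0/2
 zone-member security DMZ-SIP
!
! Ports from the post; port 0 is not a usable service port and is left out.
! Assumption: the server network is 10.0.0.0/8 (wildcard 0.255.255.255).
ip access-list extended ACL_OUT_TO_SERVERS
 permit tcp any 10.0.0.0 0.255.255.255 range 20 21
 permit tcp any 10.0.0.0 0.255.255.255 eq 23
 permit tcp any 10.0.0.0 0.255.255.255 eq 25
 permit tcp any 10.0.0.0 0.255.255.255 eq 53
 permit udp any 10.0.0.0 0.255.255.255 eq 53
 permit tcp any 10.0.0.0 0.255.255.255 eq 110
 permit tcp any 10.0.0.0 0.255.255.255 eq 3389
!
class-map type inspect match-all CM_OUT_TO_SERVERS
 match access-group name ACL_OUT_TO_SERVERS
class-map type inspect match-any CM_OUT_TO_SIP
 match protocol sip
!
! "inspect" is stateful: replies to these sessions return without a
! reverse zone-pair. Anything not matched is dropped and logged.
policy-map type inspect PM_OUT_TO_SERVERS
 class type inspect CM_OUT_TO_SERVERS
  inspect
 class class-default
  drop log
policy-map type inspect PM_OUT_TO_SIP
 class type inspect CM_OUT_TO_SIP
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-SERVERS source OUTSIDE destination DMZ-SERVERS
 service-policy type inspect PM_OUT_TO_SERVERS
zone-pair security OUT-TO-SIP source OUTSIDE destination DMZ-SIP
 service-policy type inspect PM_OUT_TO_SIP
! DMZ-SERVERS <-> DMZ-SIP and DMZ -> OUTSIDE have no zone-pair, so that
! traffic is denied; add pairs if the servers must initiate outbound.
```

Traffic between two zones with no zone-pair is dropped by default, which is why the two DMZs stay isolated from each other until a pair is explicitly added.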
I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP NAT Enable commands. This is now working for me fine. However, since utilising IP NAT Enable, my zone firewall now denies return TCP/UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems to detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private/inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface.
I have a SRP547W that I have configured the following way:
LAN 192.168.15.1/24 VLAN1
LAN 10.10.10.1/24 VLAN10
LAN 10.10.2.1/24 VLAN100
PPPOE ADSL
Software DMZ going to 10.10.10.x and another to 10.10.2.x - this is working OK
I now want to use the Advanced Firewall features to block all ports except those that I need as the software DMZ forwards everything. When I try to create the rules I get "the values are invalid" message no matter what I try.
I want to create explicit allow rules, followed by a deny all rule for each of the IP addresses used for the software DMZ
Have I got the Subnet Mask correct for the Destination IP? Or should it be 255.255.255.0? It doesn't make a difference either way.
Policy Details
Name: Value
Source IP Address: 0.0.0.0
Source Subnet Mask: 0.0.0.0
Destination IP Address: 10.10.10.x
Destination Subnet Mask: 255.255.255.254
Protocol: Any
Source Port: Any
Destination Port: 443
Action: Permit
Schedule: Everyday
Times: 24 Hours
I recently inherited a Cisco 2911 that appears to have had firewall rules imported into Externally Defined Rules. ACLs are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Level Inspection (firewalled) rules. There are two areas in the router, under the ACL area and under Security. What is the difference between these two firewall areas? Are both areas providing packet level inspection? Can I build firewall rules (within the Security area) to replace the ACLs?
I can't access the advanced user interface web page through the IP address 192.168.2.1. It's a Belkin N router that worked for the first few days but now we can't access the Internet wirelessly if we shut the laptop down and reboot. Belkin talked me through every possible way to connect to the AUI but no joy. Even tried using Firefox, which worked once but we then lost connection again. Getting frustrated now. May take the router back to the shop as it's only ten days old.
A few months ago I purchased an e2500 Cisco Linksys router to use in my home. This past Christmas, my family got about 4 new wifi devices which they added to the network bringing the total number of devices on my home network to 10. I wanted to know if there are any advanced settings in Cisco Connect that I can tweak to make my wifi speeds faster because right now I'm getting about 55 Mbps on most of my devices. I was also wondering what the typical range of the e2500 router was and if the e4200 offers a large improvement.
Manually type http://192.168.1.1/Wireless_Advanced.asp and the Advanced Wireless Settings tab appears! (I found this info in dd-wrt forum). A lot more settings to play with here, including transmission power for both 5GHz and 2.4GHz.
I just installed a new E4200V2. After completing the software install, everything appears to be working fine, except that I can't get to the advanced setup page, either through the Cisco Connect software or from the web page utility. Either way, the advanced settings web page never finishes loading. I am using the correct login information for the web page utility. It accepts the username "admin" and password, but never loads. The browser just sits there. The browser status bar says "waiting for http://192.168.1.1".
I recently bought an RTP300 and it's on the 3.1.24 firmware version. I have been looking everywhere and I have not found any answer to my problem. It doesn't seem that you can change the PPPoE settings (VPI, VCI, encapsulation or PPP authentication) anywhere. Should I return it? If I apply the 5.01.04 firmware, could I change those settings?
I've got a WPA wireless network set up that utilizes a total of 4 WRT54GL routers as access points (on channels 1, 6, and 11 [the two APs furthest from each other both utilize 11]). Each AP generally supports about 5 clients at a time (though sometimes as high as 10). Generally, everything is working, but the clients furthest from the access points occasionally lose their connections, and some users have reported periods when they are completely unable to obtain an IP. I am virtually certain that this is based on poor signal strength resulting from distance from the APs and/or RF interference from other APs in the building. I have done everything possible to improve signal strength by router placement, optimizing channel usage based upon RF surveys, and upgrading to high-gain omnis.
This leaves nothing to do apart from tweaking the advanced wireless settings to marginally improve problems related to weak signal and/or RF interference, so I've been reading everything I can find on these boards and elsewhere about changing Fragmentation Threshold, RTS threshold, and beacon interval. However, I'm left with the following questions.
1) There seems to be disagreement about Fragmentation threshold and RTS threshold settings. Some (including the Linksys Technical Troubleshooting Wizard) recommend that both be set to 2304. I have also seen people insist that Fragmentation be set to 2306 and RTS to 2304. A few recommend 2306 for both thresholds, and some advise 2306 for Fragmentation and 2307 for RTS (though by my limited understanding, it simply disables RTS when the value is higher than the fragmentation threshold value). Which of these settings is best? And more importantly, WHY is it the best? Generally, I understand what the settings do, but I am reluctant to change them when there doesn't seem to be a consensus about exactly what they should be.
2) With respect to beacon interval, I've seen both 75ms and 50ms recommended to replace the default of 100ms. For a network of my size (4 APs, averaging 5 users each), will increasing the number of beacons (and hence the RF traffic even when the network is idle) pose a problem? Also, I'm a little less clear as to how this would improve connectivity.
Since these settings will affect all users, I want to make sure that I'm using settings that will be beneficial on the whole. The last thing I want to do is inadvertently make things worse, since I can't test things directly from the standpoint of each user.
I used to use 2 routers, one for me and my dad, another for my brother and sister. We decided to get rid of the other router and make our Cisco E2000 our main router, but everything in the router settings got removed so we had to set it up again. I remember reading an advanced settings guide on making my wireless speed go from 13.5 Mbps to 216 Mbps, but I forgot what the settings were in advanced settings.
We have some Cisco 2911s on which we are configuring 2 VPNs (the second is for redundancy). We are pretty confident on the failover VPN setup using SLA monitoring.
One thing we are stuck on is that the redundant VPN will be set up over a 3G connection provided by Verizon. Verizon issues a private IP (192.168.100.X); the far end device terminating the VPN has a public IP of 183.172.22.XX. What kind of NAT translation do I need to make this work? Also, does Cisco have any good configuration examples for VPN failover setups for Cisco 2911s?
I am using the E2500 v1.0 on the TWC network (Road Runner) with a Vista laptop upgraded to Windows 7. After a few months the router started losing connection. I tried connecting my laptop directly to the TWC modem and the connection is fine, while if I connect to the E2500 v1.0, through wired or wireless connections, I see that the connection is going back and forth. I tried resetting the modem and the router and upgrading the wireless router firmware, but nothing worked.
I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug.
I'm using a 2911 as our public Internet edge router. I have 2 public subnet blocks from Sprint, and we are in the process of migrating. What I need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Source Address 220.127.116.11 ==> Destination 18.104.22.168 (nat this to 22.214.171.124) inbound.
So if someone from the internet tries to hit 126.96.36.199 we want to NAT that to 188.8.131.52, both of which sit on our public space.
[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
              |
              |
            [DMZ]
Whenever I access a website running in "server A" (only HTTP traffic) everything works fine. The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".
A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed. I did another test from the LAN and the captured traffic is attached. I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.
I have a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic in the opposite direction and a few essential kinds of traffic generated externally (such as Outlook Web Access and e-mail exchange). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.
policy-map type inspect FWPol_Out-In
 class type inspect CCP_PPTP
  pass
 class type inspect FCMAP_In-Email
  pass
 class type inspect FCMAP_In-OutlookWebAccess
  inspect
%FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default)
Would the immediate gateway ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic wasn't generated internally, as all InZone>OutZone traffic is inspected.
I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1(3)T3 with the security license option and a 30 day demo Trend subscription. Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
Everything seems great so far, except I would like to have a more 'fancy' or custom blocked page where a user can have a couple of links to either go to the Trend Micro reporting page [URL] or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
I know I can use the 'parameter-map type urlf policy trend' section to do a tiny bit of customization of the text that appears on the default blocked page, and there is an option for it to go to a simple redirect instead ('block-page redirect-url'), but how do I do more with either the built-in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features?
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?
I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synced anymore (the control link is the same as the data link). Now when the link comes back up, the preemption works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:
redundancy
 application redundancy
  group 1
   control <interface> protocol 1
only one control interface is allowed. Other manufacturers with similar functionality provide for the possibility of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?
I'm having an issue when configuring a Cisco ACS 5.2 appliance 1121 to integrate Windows 2000 Active Directory as an External Users Database. I'm using an account with administrator privileges on AD (can create computer objects). The ACS registers itself successfully to the domain but it doesn't retrieve the AD groups, even when I change the search base and filter. This link says that ACS supports AD over Windows 2003, 2008 and 2008R2 but it doesn't say that it does not support Windows 2000. [URL]
LMS 3.2.1, what is the correct baseline template syntax to accomplish the requirement 2:
• Check if the router is running H323: You can do it looking for the command "h323-gateway voip interface". If that command is found on a router then it is an H323 voice gateway
• Configure the global command: voice class h323 1
I got an ISE 3315 with an IP-Plus license on it. Now I need to install a Wireless Advanced license, but I got an error when trying. I've read that the wireless license doesn't need the IP-Base one, but I can't remove it?
I am trying to set up a Minecraft server but I am having trouble port forwarding. I port forwarded a Linksys WRT160v3 router but still nobody could connect. So I read online that I might have to also port forward something sitting next to my router. (I don't know what it is, I think it's a modem or something.) It is an Efficient Siemens SpeedStream 5100. It says to type 192.168.0.1 in my web browser for advanced setup but when I did it took me to a search engine.