Cisco Firewall :: 7204 VXR - ZBFW Passing SCTP
Feb 16, 2012
I have a 7204VXR NPE-400 running c7200-adventerprisek9-mz.124-24.T3.bin at the moment. This device is being used as a firewall between zones in a service provider network.
My issue is we have a lab device on the corporate side that needs to talk SCTP to the core device. Since there is no option to match SCTP in ACLs or protocol matching, I can't really get this to pass properly. What is the new IOS versions support SCTP? Any options to pass this traffic through the firewall?
View 7 Replies
ADVERTISEMENT
Sep 23, 2010
I would like to know if ASA 5550 appliance is able to handle SCTP (IP protocol 135) stream in terms of allowing/filtering based on FW rules. We have a problem, though we allowed SCTP IP prot to go through an interface, however I can see that 135 packet are permanently discarded in live monitor. I found some hints here[ URL } but it still seems to me as an assumption
View 9 Replies
View Related
Jul 31, 2012
I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones, internet, local, and ssl-vpn.The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet , invalid flags with ip ident 0 which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (remove passwords and stuff) Last few log lines are at the bottom.
View 3 Replies
View Related
Apr 22, 2013
OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.
View 5 Replies
View Related
Dec 27, 2011
I need to update my Cisco 881W config to allow port forwarding FROM the Internet TO the following inside device as follows:
IP Address: 192.168.1.254
Protocol: TCP/UDP
Port: 5001
This device is a Slingbox Pro-HD and I want to be able to view it from the Internet.
Attached is a copy of my 881W config. I am horrible at properly configuring my zone based firewall (ZBFW) config
View 9 Replies
View Related
May 6, 2011
I can't find any specific information on the implementation of packet inspection in a zone based policy firewall. In other words, is there a specification or even just a set of values that define the default inspection parameters for all protocols? With DPI I can manage 'some' of the inspection capabilities but I have some fairly rigorous and specific requirements to meet and I need to validate that the IOS ZBFW will meet those requirements. Specifically, I'm interested in HTTP, DNS, and ICMP but all other protocols would be useful as well.I'm working with basic routers; 871's, 2811's, 1841's, etc. The IOS in use in most cases is adventerprisek9-mz.151-3.T.
View 4 Replies
View Related
Jun 9, 2012
I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
View 4 Replies
View Related
May 3, 2011
We have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).
View 2 Replies
View Related
Jan 16, 2013
Ive got a problem with passing traffic through a Cisco 515e firewall.im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x? ive configured a group called infrastructure and added the 10.x.x.x addresses.ive configured acl 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
theres a route to the inside net:
inside 172.16.0.0 255.255.0.0 172.16.163.1
and theres a translation:
static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
when i try and connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok. access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
View 8 Replies
View Related
Jan 30, 2012
Does 3945 support nat for SCTP ?
View 3 Replies
View Related
Aug 8, 2011
I have been trolling around looking for answers on this particular subject and i have come up empty handed, how to verify if the private ip address will be suppressed in the sctp initialization packet when NAT is applied.
View 1 Replies
View Related
Dec 20, 2011
FTP traffic routed from outside to the inside interface works fine. I have another interface with multiple sub-interfaces and vlans configured. FTP traffic routed from the outside to vlan2_servers is not making it through the firewall. I must be missing something. I have attached my config.
View 4 Replies
View Related
Jun 15, 2011
We are trying to get a video conference system (POLYCOM) up running. Thrue a Cisco 1812 router with Firewall feature set.
I Have heard in the past that there should be issues with Polycom and Cisco, but have actually never seen it.I can establish a video call from inside the 1812 to outside.
But when I try from outside to the public ip adress there is nattet to, then it reach the video system and die straight after, so there is never any video session set up.
I have tried to remove everything regarding firewall feature and passing true, so the only thing the 1812 should do is NAT. And still the same.
I can not see anything in the log on the router from the ACL's where I permittet everything, other then it connect on the port TCP 1720, as it should. This is the software I'm running on the router:
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T3, RELEASE SOFTWARE (fc1)
When I search Google, it look like there is a lot issues with Cisco and Polycom, but I have not found any concret solution. Other then I should use a ADSL line with a public IP address. As we probably is going to do.
View 6 Replies
View Related
May 14, 2012
how can i check that ASA is passing traffic? Also what command we can use to make sure VPN is working fine.
View 2 Replies
View Related
Sep 20, 2012
So I was doing some testing with my BB Playbook where I wanted to see what outside connections it tried to make during startup and whatnot. I have a pix 506e running 6.3(5). I created an simple 'deny ip any any' access list on the inside interface so that the Playbook doesn't actually make any connections, but I set up a 'capture' on the inside interface accepting 'ip any any' to see what kind of traffic I could see heading outbound from the Playbook. Well, it started off showing attempts to query DNS (and failed, naturally), but then after a couple of minutes, it tried to connect to a couple of IPs over port 443 and actually got a response!!! For the life of me, I can't figure out how this can happen. NO traffic should be allowed outbound due to my explicit 'deny' rule, but for some reason some traffic on port 443 made it past the firewall and got a response back. There are no other rules in the access list except the 'deny' rule. My PIX configuration is quite simple and I cannot see anything that would allow the Playbook traffic to circumvent the access list.
I've come to think that either RIM has found away around Cisco access-lists, or there is a bug in the Pix OS. I know it's an old appliance/OS, but still. I wouldn't think it could be THAT easy to bypass the firewall.
View 4 Replies
View Related
Dec 26, 2011
after upgrading an ASA 5520 to 8.4.2-8 VPN clients traffic is not passing destinations other then destinations behind the inside interface. the log shows routing failure for the vpn client on the inside interface.it was working fine with 8.4.1 but the traffic is originated from the outside interface. confirm the the interface for VPN clients changed from outside to the inside interface.
View 5 Replies
View Related
Apr 12, 2012
I have an issue where our ASA 5520 is impacting upload (from LAN to internet) speed. We have a 100Mbps SDSL internet link and only see around 45-50 Mbps on the upload when going via the firewall, download is around 90+ Mbps so that is acceptable. I have tested a laptop connected directly to the internet router and that give near on the 100Mbps up and down speeds, but if I put that laptop on the LAN or directly onto the firewall interface I only see 90Mbps down and 45Mbps up. I have check that the interface speeds/duplex on the firewall, switch and laptop are correct and also checked there are no errors on the ports. I also turned off the IPS and that made no difference. In addition I have checked the CPU during download/upload (max): CPU utilization for 5 seconds = 9%; 1 minute: 3%; 5 minutes: 1%
In theory the 5520 should be able to cope with this throughput:
Cisco ASA 5500 Series Model/License: 5520
Maximum firewall throughput (Mbps): 450 Mbps
Maximum firewall connections: 280,000
[Code].....
View 1 Replies
View Related
Apr 18, 2013
I am trying to determine why Comcast Business Class modem configured with a static IP (IPV4) works with a laptop or Linksys Cable modem but not with a Cisco ASA 5505. After a few minutes, the 5505 stop passing web traffic. I am able to ping the default gateway even though I can not surf the web. Restarting the 5505 and the Comcast modem, web traffic flows for a short period of time, then stops. I can connect inside the firewall via ASDM 7.1.1 and via SSH. I can not connect via either from the outside. Comcast tech support indicated their router is working and is configured in bridge mode. I swapped out the 5505's memory, and then with another 5505. Nothing seems to resolve the issue. I am trying to determine if the 5505 or the Comcast router is not configured correctly.
Here are the parameters: The 5505 was reset to default factory settings via the command: config factory-default. Configured the outside interface with static IP Address followed by the no shutdown command, then removed DHCP features from outside interface. Added Comcast DNS servers, default route, ntp servers, configured DHCP features on the inside interface. Enabled HTTP/SSH (inside & outside interfaces) and ICMP echo-reply (outside only).
I believe the Comcast modem is not configured correctly. The show version and show startup output are below.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(1)
Device Manager Version 7.1(2)
[Code].....
View 5 Replies
View Related
Apr 2, 2013
I'm getting below msgs in my ZBFW logs on my test router. .Apr 2 23:09:43: %FW-6-DROP_PKT: Dropping icmp session 115.186.192.153:0 10.40.2.100:0 on zone-pair ZP-OUTSIDE-INSIDE class class-default due to DROP action found in policy-map with ip ident 0
The bit I'm curious about is that I am NOT NAT-ting any ICMP. Hence why is the ZBFW even triggering against the LAN IP? It should only activate after NAT according to order of operations (and hence why unlike CBAC you put the inside local IP not the outside global IP).....
If the ICMP was directed at the WAN interface (not the 10.40.2.100 internal IP) then it is allowed, but morever even if blocked it should be logged against my WAN IP (which is publicly routable not a 10.x internal).
View 2 Replies
View Related
May 23, 2011
I have a cisco 7204 vxr that terminates a 300 meg ethernet circuit asn well as an mpls DS-3. CPU increases along with utilization of the ethernet circuit. When the utilization gets to around 150 Mbps on the receive, the cpu is maxed out at 100%. I am wondering if the router can support the amount of traffic coming through it. The majority of the traffic is voip using g729 codec, so packet size is small. We are no where close to peak utilization and cpu is at 39%. Here is what I see currently:
#sh verCisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)Technical Support: [URL] 1986-2008 by Cisco Systems, Inc.Compiled Thu 13-Mar-08 10:40 by prod_rel_team
ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(15), RELEASE SOFTWARE (fc3)
uptime is 3 years, 1 week, 3 days, 6 hours, 40 minutesSystem returned to ROM by Reload CommandSystem restarted at 08:26:49 UTC Wed May 14 2008System image file is "disk2:c7200-advipservicesk9-mz.124-15.T4.bin"
This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.
[code].....
View 5 Replies
View Related
Dec 19, 2011
We have a cisco 7204 VXR and would like to know the module which has two fastethernet port. We tried a PA-2FEISL-TX but it did not work.
View 1 Replies
View Related
Mar 6, 2012
Today we got a new cisco 7204 with NPE-G2 , so we wanna to configure to root for the internet so here is my scenerio
1- Public Ip address =155.155.155.20
2 Private Ip Address =192.168.2.0 /24
3- Gateway = 155.155.155.1
4-DNS Server = 194.155.12.133
Interfaces:
1- Gigabite 0/1 - We put this for Public ip address
2- Gigabite 0/2 - and this for Private Ip address
how to route this for the internet . after routed we want our client computers to get internet from Gigabite 0/2 Interface
View 8 Replies
View Related
May 20, 2012
is 633+ seconds (approximately 10 minutes) load time normal for a Cisco 7204 router? I find that it takes forever for the router to do :Self decompressing the image". I tried the latest IOS and tried different bootloaders but it doesnt seem improve it?
View 2 Replies
View Related
Feb 28, 2010
We have point to point metro ether net link terminating on 7204VXR router.On this point to point link we are configuring GRE over ip sec. Problem is when the traffic exceeding 8mbps we started getting packet drops. from the Cisco documentation it seems the tunnel bandwidth is by default 8mbps and there is parameter like Inherit/receive but those actually not change the tunnel interface bandwidth.If we just give tunnel bandwidth with bandwidth mentioned it allows me to give option of 100mbps but again the tunnel interface bandwidth remains 8mbpos only and probably that 100mbps is useful only for routing decisions.
i am using advance security 12.4.15T12 image. Whether this is a limitation or any other way to go beyond 8mbps for the tunnel interface (7204VXR-NPEG1 processor)
View 18 Replies
View Related
May 8, 2011
One of our Routers 7204 rebooted unexpectedly. I try to access Output interpreter but is not working. The output from our router is the following:
WAN-ROUTER#sh version
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(15)T2, RELEASE SOFTWARE (fc7)
[Code].....
View 7 Replies
View Related
May 22, 2011
I would like to find out what the status is of the Cisco 7204 VXR and 7206 VXR routers?I understand they are EOLife and EOSale.Are they also EOSupport? we planning to upgrade 3 of them in our environment and management requires feedback around this.We thinking of going the ASR1000 route..
View 15 Replies
View Related
Nov 8, 2011
I need to route a subnet from a 7204 to 2 different gateway's which are not Cisco based. I cannot use HSRP, GLBP or VRRP as the other 2 gateways don't support theses protocols. Yet they do support OSPF, RIP, and BGP.... Take note that this setup is in a ISP scenario. How can I acheive gateway redundancy?
View 4 Replies
View Related
Jan 18, 2012
I need to configure BGP on our 7204 and 2811 router. The 7204 is our main router and currently running EIGRP internally. Our remote locations just moved to an MPLS connectivity and they have a 2811 router. I will need to configure BGP for the routing protocol. I have the AS number and the remote AS number. Attached is the the current configuration of the two routers.
View 4 Replies
View Related
Jan 3, 2011
We have a leased line from one office to a DR site which we use to back up our data. We are using Cisco 7204 and and OC3 circuit. The data is sent in blocks (SRDF) and we are sending changes only. However, we are getting requests from compliance to further secure this connection since it is a leased line. I guess I need to know how secure SRDF traffic is and then if required, how to secure it.
Can we create a simple VPN between the two routers without having to use a VPN concentrator or Firewall? If so, what IOS would be required? How much impact will the VPN have on current bandwidth?
View 3 Replies
View Related
Dec 22, 2011
We are replacing a DS3 Internet connection with a 100 Mbps fastE connection from a Tier 1 Provider. I currently have a Cisco 7204VXR with 512 Mb DRAM and 128 Mb of Flash and two 10/100 ports that is connected to the DS3. I also have a 3845 with 1 Gb of DRAM and 256 Mb of Flash with two 10/100/1000 ports available.
We are currently running BGP, below is the summary
BGP table version is 88880414, main routing table version 88880414
379041 network entries using 44347797 bytes of memory
379043 path entries using 19710236 bytes of memory(code)
View 4 Replies
View Related
Nov 28, 2007
I can't seem to find out what this means. Every 6 months or so, my 7204 locks up. I can't even get to it via the console port and I must reboot to access it. I noticed this alarm in my logs.( ASSERT CRITICAL PO1/0 Threshold Cross Alarm - B3) I've looked on-line but can't pinpoint it's meaning. Looks like a flapping interface but might be something else.
View 6 Replies
View Related
May 11, 2011
My router, a Cisco 7204 with NPE 300, is experiencing output drops and input errors on a fastethernet interface. I have a 100Mbps connection with less than 15Mbps utilization at peak times.
FastEthernet1/0 is up, line protocol is up Hardware is DEC21140, address is 0014.a985.1a1c (bia 0014.a985.1a1c) Internet address is 38.102.66.134/30 MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 3/255, rxload 1/255
[Code]....
View 17 Replies
View Related
Aug 25, 2012
I was planning to buy 7204 VXR for my site's router for the following requirements:
- support for ATM, Serial, ISDN
- support for 3 10/100/1000 ethernet interface
- support for 2 WAN interface
However, I realized that the 7200 series will not be available for sale after September of this year!! Any "reasonable" replacement for 7204 VXR that meets the above requirements?
View 5 Replies
View Related
