Cisco Firewall :: 881W - Purpose And Logic Behind Consolidating First Class-map?
Jul 23, 2011
I really need help understanding some of the logic behind the default ZBFW settings on my Cisco 881W, courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) into the second class-map (ccp-insp-traffic) as follows?
Code ....
2.) What is the purpose and logic behind Policy-Map ccp-inspect trying to drop traffic from ccp-invalid-src, which is filtering based on ACL 100:
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-protocol-http
 class class-default
  drop
I'm currently looking at doing some re-design work for a platform we manage on the ACE. I want to be able to run a single VIP and only do a sticky session based around specific URLs, not all. I've got the following configuration to apply a sticky session to a URL. [code]
Notice, under the Policy-map type loadbalance http first-match WEB-POLICY-L7, I have two class statements: one that matches the URL L7 policy and applies a sticky farm, and a second class that falls into the default. Am I right in saying that with this configuration, for any HTTP traffic hitting the VIP 192.168.1.1 that does NOT match /urltobedefined.co.uk/test, sticky sessions are NOT applied, but traffic hitting 192.168.1.1 that does match /urltobedefined.co.uk/test will have the sticky policy applied?
I have 3 ASA5520s, 2 of them running as remote access VPN, 1 of the ASAs as site-to-site VPN. There are 2 different ISPs which are used between them. Can I consolidate all these services in 1 ASA5520, relating to configuration and whether the ASA could handle these services together without performance degradation? I forgot to mention that e-mail service and Internet browsing also go through one of the ASAs. I was just wondering whether the configuration will get messy or if there is a different approach to go about it. The OS on the ASAs is 8.3.
Is the ACL matching logic between a Cisco router and a Cisco firewall (PIX/ASA) the same? If not, what are the logic differences? I understand that in a router, once a match is found the statements below the match are ignored; I wonder if this applies to the firewall.
After hours of trial and error, and searching user groups, I have found that on occasion, ASA v8.4 will stop pings with the IPsec-Spoofing logic. Interestingly, the packet-trace will say everything is allowed.
The fix (at least in my case, and one other) is to narrow the crypto-map to specific hosts, not subnets.
I have two 5550 firewalls set up for redundancy purposes. In failover we define two different IP addresses, one for the primary and one for the secondary.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxxx.0.0.0.1 255.255.255.0 standby xxxx.0.0.2
!
interface Ethernet1/0
 nameif inside
 security-level 100
 ip address 10.0.0.12 255.255.255.0 standby 10.0.0.11
The default gateway for hosts will be 10.0.0.12 (primary FW address); however, in case of failover, the secondary FW will come up with the IP address that was assigned to the primary. In this case, is the secondary IP address 10.0.0.11 actually never used? Similarly, do I need to have two public IP addresses for outside (one for primary and one for secondary)? Or, in case the primary fails, the secondary comes online and takes the IP of the primary FW, hence I only need to purchase just one IP address?
I have a request for blocking URLs using a class map. I have made this work with HTTP, however it does not work for HTTPS. This is a 2851 router with IOS Version 12.4(15)T7. I see I could use the command "match protocol secure-https", however this does not let me specify any specific URLs.
Will a newer IOS version support what I'm trying to do? Or is there another way?
I have a Cisco 871 router that used to have access-list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.
Guest VLAN has access to 2 IPs in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
!
version 12.4
no service pad
I am carving up an internet Class C for a customer. This Class C is used by 3 distinct firewalls: QA, Corporate and Production. I want to carve up the IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication. I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IPs in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IPs, which will all be in the same subnet, without going through a routing “engine”/device.
For the actual environment subnets (NATs on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IPs for the respective environment routes (the first 3 /26s). This is still a beta design, but I have done this before on a small scale when the ISP gave me 2 subnets, for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NATs from the other subnet. The ISP would have to add a static route directing the NAT subnet to the correct “routed subnet” IP, which would be the firewall outside interface primary IP. I recently found out that with ASA OS 8.4.3 and up, the ASA will not proxy ARP for IPs not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
How to communicate between different ASAs, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 Class C?
I'm in the process of setting up a working VPN/Firewall setup on an 881W ISR. I have the firewall, NAT, and VPN working, and I'm able to connect remotely to my router. The problem I am having is that none of my VPN clients can connect to the internet. I suspect that my firewall rules may have something to do with this. Let me break down what I have, and what I want to achieve:
1. My router is set up with VLAN1 (172.16.1.0/24) as the inside zone (in-zone), while my outside zone (out-zone) is FastEthernet4 (DHCP WAN interface). I also have a guest zone (guest-zone) VLAN12 (192.168.12.0/24) used for my guest SSID wireless, which is NATed to the outside zone.
2. I have my EasyVPN setup using a Virtual Template Interface that terminates at the WAN interface FastEthernet4 (something tells me this should be changed). Should I terminate at VLAN1, or an interface or loopback on VLAN1?
3. I ultimately want the VPN users to be able to connect to the local resources on VLAN1 only, while being able to get out to the internet. [code]
What are the benefits of consolidating the VPN client users to the ASA 5550? My client currently has the old VPN 3000 series concentrator. Other than its EOL and EOS, are there any other reasons I can give them?
I'm trying to support a friend. They just switched to TWC Business Class from Megapath. They have a Cisco 5505 ASA and are trying to configure it to work with the new TimeWarner cable modem. But we can't get PCs behind the firewall out to the Internet.
We think it should be a pretty simple config. They have the ASA connected directly to the modem. The modem is running DHCP, and we've configured the ASA to get its address via DHCP. We have a Windows server behind the firewall; it can't get out to the Internet either. It's set up to be a DHCP server and is giving IP addresses to the PCs on the network.
Laptops connected via wifi to a wireless router attached to the modem are able to connect to the internet, thus we know the modem is up and running fine.
Platform: 881W
IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
License: I have tried both advsecurity and advipservices
Problem: Configuring an auth-proxy redirect on successful authentication
Cisco's documentation states that when you are configuring auth-proxy, you may specify a URL to which the clients will be redirected when successfully authenticated. The command is: ip admission proxy http success redirect <url-string>
However, the command does not seem to exist on many of the later IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command deprecated? Is there a more efficient method of redirecting?
I lately got myself a Cisco SR520 router with some basic firewall functions built in. This is going to be used for my home broadband, so it doesn't need to be really super secure, as it would for some business. I managed to configure it, however there are a few things on the firewall side which I don't understand.
This router had some default configuration in its flash when I bought it. There are class maps.... how it works or how to add/edit rules. Also, do I need to use class maps, or can they be replaced by ACLs to a certain extent? How to add/edit class map rules to allow a certain port (e.g. 3333)? Please see below part of the default config:
class-map type inspect match-any SDM-Voice-permit
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
[Code]...
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.
where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
I have an RVS4000 router and it worked well with AT&T's DSL service. I installed it, with my limited knowledge, with no problems. I switched my internet service to Logix and the RVS4000 will not see the Logix signal (the internet LED does not light up on the router). I can hook my computer directly to the circuit and put in the IP address and other info and it works fine. I happened to have another Linksys router handy model # BEFVP41 and it works fine. The router sees the signal and I entered the Logix info in the router and I am off to the www. I can plug the RVS4000 back into the DSL modem and it sees the signal and the internet LED lights.
My question is why won't the RVS4000 work with the Logix signal or is there a setting I am missing? I would like to use the RVS4000 since I paid a lot more for it than I did the BEFVP41.
What is the purpose of the VPN label? As we know, in MPLS VPN there are the following mechanisms:
RD - used to distinguish between overlapping routes
RT - used to determine the VRF in which to send the route.
But why is a VPN label needed?
I have bridged several w/l Tranzeos together. I have given each of them an IP address on the same subnet as my gateway and manage the units using that address. Other than for management, is the IP address of a bridge used for anything else? I have noticed that I can plug in any gateway address I like and the units are perfectly happy even if the phoney gateway does not exist.
I have a remote site that has an AP running in H-REAP mode which connects over our MPLS cloud to a WLC, which has one interface on the "inside" network and one on our DMZ. The remote AP in H-REAP mode currently only runs our Guest SSID, but now I need to establish an isolated VLAN.
Two of the hosts on this isolated VLAN, which is needed to support some conference room devices, need to run on wireless and communicate with two devices on the same VLAN that are hard-wired to the switch.
Getting the wireless devices to connect remotely is easy enough by setting up an SSID that uses an IP subnet which one of the WLC's interfaces actually connects to...but can I do that for a completely remote IP subnet (i.e. one that the WLC does NOT physically connect to?). I'm not sure and I'm wondering whether that's the purpose of the "Remote LAN" feature...which is a very new feature.
I am attempting to set up a proxy on a home network that is used for business purposes. I am not at all a networking person, I know enough to be dangerous. If I follow the steps listed here: URL Will this encrypt the data that is sent to the internet from any computer that connects to my network or just the one I follow the steps on?
On my 6509-E, all the modules show this:
Region F1: INVALID
Region F2: INVALID
Currently running ROMMON from S (Gold) region
Is this alright? Is the Gold region like a default region where ROMMON is always installed? And are F1 and F2 just storage partitions that are available to hold backup copies of the ROMMON? From what I read, it sounds like I can copy ROMMON images to F1 and F2, either the same version as the Gold region or different versions. Is that correct? Why would I want to copy different ROMMON versions to F1 and F2?
I have a Dell R300 server and it does not have a separate DRAC card. When the system POSTs I see it shows something about DRAC and it even gets an IP address. But I can't do anything (ping, web, telnet, etc.) with that IP address. So basically, what is the point of the basic DRAC without buying the full DRAC card? Just a placeholder?
I have always done my port monitoring (SPAN) on Cisco layer 3 switches with no issues. This time I am trying to do this on a Cisco 2901 router:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M2, RELEASE SOFTWARE (fc1)
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M2.bin"
I need to have the source port gig0/0 and destination port gig0/1. There is something about the gig port enumeration (slot/port#) that makes the command rejected. It is self-explanatory:
#sh ip int brie
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 xxx.xxx.xxx.xxx YES NVRAM up up
GigabitEthernet0/1 unassigned YES NVRAM up up
Serial0/0/0:0 unassigned YES unset up up
[code]....
It doesn't matter what slot or port number I use, it is always rejected. The command is rejected for both destination and source gig interfaces. I tried a wide variety of slot/port numbers. To my best understanding the complete port names are GigabitEthernet0/0 and GigabitEthernet0/1, so why does it think there has to be another digit after 0/0 or 0/1? Does it have anything to do with the Embedded-Service-Engine0/0 being administratively down?
Can I use both class B and class C at the same time? If so, what should I do with class B? And with the other class C? I've got 500 computers in 5 segments.
I've noticed a Class A IP address on our Class C network. What does this mean and how can I determine what's causing this? I can ping and tracert, which gives 10.44.10.34 and 10.44.10.33. The DHCP scope on the DC is 192.168.3.1 - 3.200.
Why doesn't my 857 adv security have the class-map and policy-map commands? Now I want to use traffic shaping on this, but when I use the command class-map, it doesn't have it. [code]