Cisco Firewall :: SR520 ADSL Router - How To Add / Edit Class Maps Rules
Mar 26, 2013
I got myself lately Cisco SR520 router with some basic firewall functions built in. This is going to be used for my home broadband, so no need to be really super secure, as it would be for some business. I managed to configure it, however there are few things on the firewall side, which I don't understand.
This router had some default configuration in it's flash, when I bought it. There are class maps.... how it works or how to add/edit rules. Also, do I need to use class maps, or can they be replaced by ACL's to certain extend? How to add/edit class maps rules to allow certain port (eg. 3333). Pease see below part of the default config:
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
[Code]...
View 1 Replies
ADVERTISEMENT
Jan 16, 2012
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
View 0 Replies
View Related
Aug 21, 2012
I'm currently looking at doing some re-design work for a platform we manage on the ACE.I want to be able to run a single VIP and only do a sticky session based around specific URL's not all. I've got the following configuration to apply a sticky session to a URL. [code]Notice, under the Policy-map type loadbalance http first-match WEB-POLICY-L7 i have two class statements, one that matches the URL L7 policy and applies a sticky farm and the second class falls into the default.Am i right in saying with this configuration, any http traffic hitting the VIP 192.168.1.1 that does NOT match /urltobedefined.co.uk/test sticky sessions are NOT applied. But traffic hitting 192.168.1.1 that does match /urltobedefined.co.uk/test will apply the sticky policy?
View 2 Replies
View Related
Jul 18, 2011
I have a requirement to provide stats on a per-department, per-destination basis between sites. If I take Voice as an example I have 5 child classes referring to the 5 departments each matching EF and a particular access-list that matches the department's subnet. I tie these 5 child classes into a parent Voice class-map.
Now when I issue a "show policy-map interface" command I see stats for the parent class-map only whereas I would expect to see a breakdown for each of the child classes which is what is required.
I am doing this on an ASR1002 running 3.2.2.
View 1 Replies
View Related
Sep 6, 2012
Im having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesnt seem to like matching on those source addresses at all.
View 1 Replies
View Related
Mar 15, 2011
we have cisco sr520 adsl router at one of the sites. A device is connected to the LAN and needs to be communicated directly to the server with 3rd party over internet. we have a static public IP( a.b.c.d) for cisco router and want this IP redirected to the LAN IP address(192.168.1.20) of the device but locked to only 2 inbound IP address (eg.-1.2.3.4 , 5.6.7.8) .
View 1 Replies
View Related
Jan 15, 2012
I have cisco sr520 adsl router. I have configured two vlans i need in vlan 2 speed only 2 Mbit/s from 6Mbit/s (full speed).
View 1 Replies
View Related
Aug 6, 2012
I'am a bit newbie at using Cisco products and here is my problem : I have set up a VPN tunnel between 2 Sites (A and B) a few month ago using 2 cisco SR520-ADSL-K9. All was working fine until power failures occured on the sites B (secondary site).
What happened was that none of the ethernet ports were working, excepting during booting, I was then able to ping computers linked to ports Fastethernet0, FastEthernet1, FastEthernet2 and FastEthernet3 but after a few seconds all ports were disabled but my DSL seemed to be working.
So I took back the router home to check it. I managed (I think) to make a factory reset using a serial terminal and following the procedure described here [URL]
Since I did the reset, I thought I would be able to re-use Cisco Configuration Assistant (3.1) to re-configure the router (I am very bad at using the command lines) but I am unable to connect to the router using the supposed default IP : 92.168.75.1 (I set my computer to use 192.168.75.50 IP adress with mask 255.255.255.0). But I can't connect to the router ... even if the Ethernet ports seem to work because green light is on when plugging my cable. connect to my router using CCA ?
For more information, here is what I get when I run "show startup-config" and "show running-config" in terminal console. I guess the objective is to make the startup-config beeing the running-config, but I have no idea on how to do that ..
show startup-config
show running-config
Router#show startup-config
[Code]......
View 2 Replies
View Related
Dec 12, 2010
I have a SR520W-ADSL-K9, I´m trying to setup it trough CCA, but I have some troubles. At the internet connection I mark PPoE option, enter the vci=0, vpi=35, the username, the password (like the ISP TELMEX suggest), and mark the IP Negotiated option, but I have not find the ISP service give me an IP Address and establish the connection.
View 6 Replies
View Related
Dec 15, 2011
We've (an independent school) just bought an SR520 with a view to replacing one of our Draytek 2820s. We need to set up some site-to-site VPN with NAT and the Drayteks won't do it.
I've been trying to configure the SR520 in just the most basic fashion using CCA (3.1) and the CLI but with no success. I can't get a PPP connection with our ISP.
I've tried following the instructions in the software config pdf and also tried replicating the various 'running configs' reported in other posts in this forum to allow connection to a UK ISP, with no success. I don't know how many times I've reset the poor thing to factory defaults.
I have to say that I'm dismayed at how flaky the CCA appears to be. Many of the things I've tried with it simply don't work and often end up in it hanging. Close to useless in my view.
So instead I've tried to use the CLI which seems a lot more solid but is somewhat impenetrable and there's precious little by way of supporting explanation.
View 12 Replies
View Related
Apr 8, 2012
I am a novice with networks but do have a fair understanding of networks. I have a small business network, utilizing a RVS4000 router (Firmware V2.0.27)I am attempting to set up firewall rules to block certain web sites at certain times.I have successfully set up rules using source and destination ranges, to deny service 24 hours a day everyday.
However and here is the problem when I attempt to edit any of the rules (I want to change the time to certain hours of the day) it allows me to edit the rule but when I attempt to save I get an error message up saying there are invalid characters and it will not save the changes?create the whole thing with the changes I want it works fine, is this a known bug?
View 1 Replies
View Related
Aug 5, 2010
My goal is to be able to edit firewall exceptions "on the fly" and without having to hack an ACL. I have created a service object-group that contains exceptions to the firewall, however when I apply this object-group to the firewall ACL, it opens up the ACL entirely! What am I doing wrong with this configuration? Thanks very much for any insight you can provide!
Cisco 871 running c870-advsecurityk9-mz.124-22.T.bin. Here are the configs:
ip access-list extended FIREWALL permit object-group FIREWALL-EXCEPTIONS any any log permit udp any eq boot ps any eq boot pc deny ip any any
[Code]...
View 7 Replies
View Related
Aug 10, 2011
I just received a new SR520-FE router and am having a hard time getting it configured right. AS of now it is in my lab in a simulated "customer environment". I can ping what's behind it, what's in front of it. But I can't get outside access. I know it's probably something small so I am hoping another pair of eyes might be able to see what I don't. Here is the running-config. It's the factory setup minimally adjusted.
SR520 Base Config - MFG 1.0
User Access Verification
Username: ciscoPassword: SR520#show runBuilding configuration...
Current configuration : 6177 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname SR520!boot-start-markerboot-end-marker!logging message-counter syslogenable secret 5 $1$m/V3$CM6/dHniD1KgHsPZV6jV70!no aaa new-model!crypto pki trustpoint TP-self-signed-
[code]....
View 3 Replies
View Related
Nov 23, 2012
I bought the EA2700, and put the addresses for the DNS servers of OpenDNS into the Static DNS 1, 2, and 3 so that my internet access is filtered (OpenDNS provides content filtering). However I read online that users can bypass the use of OpenDNS DNS servers by choosing their own DNS servers on their computer network connections.The solution is involves firewall rules that limit DNS servers accessed through port 53 to only OpenDNS.
View 1 Replies
View Related
Oct 31, 2011
I have a system with a RV042 managing the internet connection.Behind the RV042 I have an e-mail server and a development machine that I access through SSH.My problem is that if I forward port 25 to my internal e-mail server it bypasses the firewall rules.I have an external vires and spam scan host that is the only one I should accept incoming email from - but it seems that whenever you add a portforward then it bypasses the firewall rules.
View 1 Replies
View Related
May 9, 2012
I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
[Code]......
can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it). What would I do to rebuild it?
View 2 Replies
View Related
Aug 3, 2011
I have a request for blocking urls using a class map. I have made this work with HTTP, however it does not work for https. This is a 2851 router with IOS Version 12.4(15)T7. I see i could use the command "match protocol secure-https" however this does not let me specify any specific urls.
Does a new IOS version will support what I'm trying to do? Or if there is another way?
View 2 Replies
View Related
Aug 21, 2012
I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
!
version 12.4
no service pad
[Code].....
View 1 Replies
View Related
Jul 23, 2011
I really need understanding some of the logic behind the default ZBFW settings on my Cisco 881W courtesy of Cisco Configuration Professional. Here are my two questions:
1.) What is the purpose and logic behind consolidating the first class-map (ccp-cls-insp-traffic) in to the second Class-Map (ccp-insp-traffic) as follows?
Code ....
2.) What is the purpose and logic of Policy-Map ccp-inspect is trying to drop traffic from ccp-invalid-src, which is filtering based on ACL 100:
policy-map type inspect ccp-inspectclass type inspect ccp-invalid-src drop logclass type inspect ccp-insp-traffic inspectclass type inspect ccp-protocol-httpclass class-default drop.
Code ....
View 1 Replies
View Related
Sep 25, 2012
I am carving up an internet Class C for customer. This class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).This is still a beta design, but I have done this before on small scale when ISP gave me 2 subnets for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the “routed subnet” correct IP - which would be the firewall outside interface primary IP.I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
How to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?
View 4 Replies
View Related
Apr 30, 2013
I'm trying to support a friend. They just switched to TWC Business Class from Megapath. They have a Cisco 5505 ASA and are trying to configure it to work with the new TimeWarner cable modem. But we can't get PCs behind the firewall out to the Internet.
We think it should be a pretty simple config. They have the ASA connected directly to the modem. The modem is running DHCP, and we''ve configured the ASA to get its address via DHCP. We have a Windows server behind the firewall; it can't get out the Internet either. It's set up to be a DHCP server and is giving IP addresses to the PCs on the network.
Laptops connected via wifi to a wireless router attached to the modem are able to connect to the internet, thus we know the modem is up and running fine.
Here's our running config:
ASA Version 8.4(1)!hostname ciscoasadomain-name opanslab.comenable password yYME2neTGgA0S1./ encryptedpasswd yYME2neTGgA0S1./ encryptednames!interface Vlan1nameif insidesecurity-level 100ip address
[Code].....
View 5 Replies
View Related
Jan 20, 2012
My operations manager says "Could you go on-site and configure a new clients new internet connection?" I make the arrangements and go on-site. As I'm working with the providers tech he says "Do you have a sub-interface confgured for a dot1q VLAN id of 1057?", I say "What?". Anyway my firewall is not capable of dot1q VLAN, so he says "Do you have a Cisco router that can provide the trunking?", I say "Yes, I tink so but not with me". The question is can I use an SR520 between my firewall and the provider demarc to route the VLAN he is talking about? My initial discovery says yes but I am not quite sure of the details on how to achieve this on the SR520.
View 2 Replies
View Related
Mar 21, 2012
i have a cisco 837.I need hardening the access and firewall rules. I dont understand ip inspect.
View 1 Replies
View Related
Jul 5, 2012
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0
(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
View 1 Replies
View Related
Aug 24, 2012
i have a problem with my adsl line connected on a HWIC-ADSL on router 2901 it was working good until yesterday the atm interface is down but the interface dialer is up .i connected this line into home adsl modem and the line is working good?
View 2 Replies
View Related
Mar 25, 2011
I have a Pix 515, and a question about firewall rules/access lists.I have recently created a new VPN group, and IP Pool.I created a firewall rule that grants access via TCP to a specific IP address from this firewall. However, when I test the VPN from outside the company, I find I can get to whatever server I want to. There is no allow any/any. I do not think there is any other rule before it or after it that would give that kind of access as most of our rules are for specific IP's and protocols.
The only thing I could think of is that we are using the account management in the firewall to authenticate the users. I am giving the VPN users level 3 access.I will probably not post my config as it is my firewall config, and it would be against company policy.
View 3 Replies
View Related
Dec 5, 2011
Is it possible to provision 3 different public IP addresses to the same DMZ IP (Web server) on an ASA running ver 8.2(4)? Unfortunately, the way the server was provisioned Static or Dynamic PAT will not work. I have read that ver 8.3 and up supports natively one-to-many NAT translations, but at this point the client is not ready for an upgrade. Is there anything else I could do to overcome this challenge?
Outside --------> DMZ
200.1.1.1------> 10.1.1.1
200.1.1.2------> 10.1.1.1
200.1.1.3------> 10.1.1.1
View 16 Replies
View Related
Jun 24, 2011
I'm having some troubles with NAT, packets does not match nat rule (that i think it should) and is not choosing the right egress interface. So crypto map never starts
this is the relevant config:
interface Port-channel2.4
description Public TESA ADSL internet connection
vlan 7
[Code].....
View 7 Replies
View Related
Jan 30, 2010
I am a beginner to ASA. I am trying to connect the ASA 5505 behind the netgear ADSL router which is getting dynamic IP address from the ISP. How to configure the ASA5505 outside interface for SSL VPN connectivity?
View 8 Replies
View Related
Jan 11, 2012
I am new user of cisco router i can access the hardware and login in the account but the problem is if i use the command "enable" asking for a password, old I.T. personnel who setup this router already resign.
View 2 Replies
View Related
Feb 19, 2011
I want to edit existing wireless network in DLINK router. But I can't find any option to do it. If I go to "wireless settings" option, it shows the three options "wireless network setup wizard", "add wireless device with WPS", "manual wireless network setup", but I cannot find any option to edit the wireless network that was already set up.
View 3 Replies
View Related
Sep 18, 2011
I have WRT54GS I can't view the setting tab to check or change. It seem the tabs are light in color and I click on them. I did have a virius which I got rid of. I have removed the linksys software and re installed
View 1 Replies
View Related
May 17, 2012
Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.
View 17 Replies
View Related
