Cisco WAN :: 2951 - Using CCP To Create Service To Be Used In Zone Policy
Jan 16, 2012
Configuring Cisco 2951 router using Cisco Configuration Professional. I have created a zone based firewall on the router and have created a zone policy for network traffic between two LANs or two zones. I need a create a rule for new traffic that should allow a custom user defined service to flow between the two zones associated with with two LANs.
The problem is How do I created a custom service that I can use for the new traffic rule? I created a network service object as shown in the screenshot below:However, when I am adding the new rule, this service object does not appear in the user defined service in the protocols tree box as shown in the screenshot below:
What is the proper way to create a custom user defined service? I was not able to create it using Class map by the way because again I did not find the service object group in the user defined service when creating a class map.
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.
I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:
redundancy application redundancy group 1 control <interface> protocol 1
only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?
I have removed an embbedded service engine modole from an 2951 router, after reboot the rouiter. the service engine interface still appears; any command can I use to completely remove it.
I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if icmp would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's an quick drawing:
Here are the configurations:
Local router: hostname sdc-1811-LocalLab ! boot-start-marker boot-end-marker ! no aaa new-model ! resource policy
We are evaluating Cisco ACS 5.2 and I can not delete a service policy that was created. The message we receive is " the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
I encountered this problem with cisco 870 atm interface. I applied service-policy output, its being accepted but when you do a show run interface, it's not there.
I am Using Windows 7 32-Bit, and my Network usually works fine, and my internet has been working fine up until recently. However about a month (maybe more) I noticed a problem that kept cutting me off occasionally and said Diagnostic Policy was not started, I troubleshooted it and it was fine. Much more recently this has been happening more frequently and troubleshooting it doesn't solve the problem. I can get online for 10-15 Mins then I am cut off again. Restarting the computer often fixes it but not always. I went to Services and found the Diagnostic Policy Service is not running, I press start and receive this error message.
The Diagnostic Policy Service service on local computer started and then stopped. Some services stop automatically if they are not in use by services or programs.I am quite sure my loss of Internet is due to this as this is a network related service and what the troubleshooter always finds to be the problem. Other Computer/Devices in the house connect to the internet fine with no loss of connection so it has nothing to do with that. I have tried various fixes like uninstalling network adapter drivers, and checking permissions in Registry but it has not worked.
I have the following scenario: Pair of Cisco 887VA routers acting as Layer 3 for Voice/Data VLANs with a pair of 2960 LAN Base switches acting as Cores and possibly then 2960 LAN Lites hanging off them as access switches. Our Service Provider has provided an example config where the class-maps match based on dscp values for the QOS policy applied to the DSL circuits. We can obviously trust the attached phones but I want to be able to mark data traffic on my core switches based on destination IP/port to allow application definition. My major question is can I have a service policy on my Layer 2 uplinks to the routers where the linked classes setting dscp vlaues are based on class-maps matching on the contents of IP access lists based while at the same time not remarking the EF marked packets from the phones?
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
I am facing issue while configuring service-policy output command in Cisco 7609-S router with c7600s72033-adventerprisek9-mz.122-33.SRE2.bin IOS. However, in the same series router having IOS c7600s72033-adventerprisek9-mz.122-33.SRC6.bin is supported service-policy output.Both the switch have WS-SUP720-3BXL SUP.
I got this 3640, trying to apply a service-policy (output and input), but seems like I do it something wrong...because he only apply the output policy... here the config, I already try to config the service police inside the fa0/0, but is not showed at all, he only show the output, its like I never apply that
I run 2801 with 124-24.T3 and I have following problem: router is connected to internet over pppoe and ISP once per day breaks this link. so I get:
Jun 7 19:31:56.639 MSK: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1 Jun 7 19:31:56.663 MSK: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
and I also have tunnel interface which endpoint is accessible over internet. so I get:
Jun 7 19:31:56.679 MSK: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1 68844500 - looped chain attempting to stack Jun 7 19:31:57.635 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down Jun 7 19:31:59.199 MSK: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
this is not a problem, problem is that router when interface goes down removes service-policy output from it, so I receive such message every day from runcid:
ip ospf cost 1 ip ospf mtu-ignore tunnel source Loopback1 tunnel destination 192.168.200.199 - service-policy output tunnel_mpr_gre and have to restore policy manually.
Have installed an 887VA on the end of a ADSL connection. The provider has specified EF 150 on the link. The router is configured using a Virtual Template.
If the Virtual Template has a service policy applied, we don't have connectivity to their main site - although the CD and PPP lights are lit. As soon as the service policy is removed, we have connectivity.
We've had three sites with the same problem. Two of the sites don't have QoS specified on the link but had the same problem if the service policy was applied.
I have some trouble with that policy-map on my 2960 or 3560 switches with LAN base 12.2(53)SE2. I want to use that feature to catch video traffic from webcams in laptops which can't send dscp values out of the box. This is my test config to check if the function is working: catch every traffic from my workstation for testing, access-list 101 permit ip any any, class-map match-all CL_TEST
1. I can't see any counters with the command "sh policy-map interface FastEthernet 0/1". Cisco tells that this command is not possible. But how I can see if the policy is working correct? 2. When I did the configuration I can't see any packets with dscp af41 on the out going interface on the switch with "sh mls qos int gi0/1 statistic" as I expected. After reloading the switch I see the pakets with af41. Okay for that moment. But.After that I changed something in the policy-map. Only "set ip dscp ef" for a second test.
Generating some traffic I see only packets with af41 as before I changed the policy-map. No traffic with ef on the outgoing interface.
I've run a across a strange issue that I've not encountered before and after the things I've tried am beginning to think it's a limitation of the router itself. What I have are 3 Cisco 1941 routers that are all endpoints for a customer's MPLS network. STL is the headquarters and both remote offices have a link back this router. Each of the remote locations only have 1 serial interface. It is a flat network with few routes and a small shoretel voip system running across it. Each router is running C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2).
QoS is configured as follows on each router:
class-map match-any AutoQoS-VoIP-Remark match ip dscp ef match ip dscp cs3 match ip dscp af31 class-map match-any AutoQoS-VoIP-Control-UnTrust match access-group name AutoQoS-VoIP-Control class-map match-any AutoQoS-VoIP-RTP-UnTrust
[code]....
If I try to apply the policy map to serial0/0/0, I get the following error:
% policy map utoQos-Policy-Untrust not configured
I've tried to create a different policy map with the same settings and get the same error. We thought that when it was first set up, each interface belonged to the same network, so we separated things out (hence the .252 mask). I'm not sure what else to try and I'm hoping its something painfully simple that I'm missing.
We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.
We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.
i just configured a C6K VSS with Sup2T, 15.1SY IOS software and a WS6724-SFP module with the follwing cos config:
auto qos default table-map cos-discard-class-map map from 0 to 0 map from 1 to 8 map from 2 to 16
[code]....
After applying the service policy to one interfac of the WS6724-SFP module the policy is deployed to all interfaces of the module. So far it should be ok but after a short time all interface of the module begin to go down an up and down and up ... flapping.
In my Cisco ASA 5510 in release 8.2, I have an extrage behavior in the output of "show service-police" command. The issue is that I create a class-map to limit trafic in one of ASA interfaces and I applied in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any access-list ACL-Limitada extended permit ip any host srv-proxy access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
i would like to know the possibility to use mls qos trust dscp with service-policy in the IOS ver.12.2(25)SEE2.The specific version is not possible to configure like below.
Cat3750(config-if)#do sh run int f1/0/1 Building configuration...
I have a 3750 switch (c3750-ipbasek9-mz.122-46.SE.bin) were i want to add bandwitdh limit pr. interface, doing the following:
ip access-list extended customer_A permit ip any any class-map match-all BW_10Mbps
[Code]....
When i trie to apply the "service-policy output 10 Mbps" to the interface, it says the service-policy output is not supported on the switch. Is this a software related isue ?
interface Vlan24 description Internal Wireless Internet ip address 10.x.0.1 255.255.254.0
[Code]....
So, I am trying to limit the bandwidth used by this vlan. The service-policy output statement works, the service-policy input statement does not. My test is to get on that vlan and go to speedtest.net. My download speeds are about 3.5Mb/s, my upload speeds are about 20Mb/s.
it has something to do with this:
sh mls qos ip QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module Sid - Switch Id) Int Sid Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
Unfortunately, it does not appear as if the SRP500 series will allow you to create an ipsec policy where the local or remote traffic selection is 0.0.0.0/0.0.0.0. It wants a specific network. I have a scenario where I want to send all traffic over the vpn tunnel.
Is there a workaround to this or a special way to input "ANY" as the remote network?
I am not able to configure Service policy output command in Cisco 2921 router.While configuring I am getting below error.Same config is working fine in Cisco 3845 router.I am suspectting the problem with license in IOS.
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25) in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27) private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
Within the:
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
I have Policy:
POLICY-DMZ-IN (dmz-zone to in-zone) which has: any any udp/tcp inspect any any icmp inspect unmatched traffic DROP/LOG
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
How to create a mixed service ports on ASA 8.4(2)?I need to create a service group which has ICMP, TCP ports and also different UDP ports.Normally you would create different service group based on TCP/UDP/TCP-UDP/ICMP/Protocol and add then to new nested service group.But I want to create a new service group where you can define everything without the need to different service groups and nesting them into a new one.
I fought with trying to hang two old BEFSR41 routers on an incoming TWC cable internet. I have a couple of streams going out and one coming in... and I think there are some collissions going on that cause little Urps in the streams. I thought I could put them on two different subnets. Ha. No luck at all so far. The scheme they gave me used a fixed IP and a subnet of 255.255.255.252... now I think I understand why TWC assigned a subnet of 255....252 - so I could only use ONE router. Their little toy is still routing, mine does it's thing.. that's it. In order to add another router and a totally different group of PC's on the same bandwidth... I'd have to get into their box and change the subnet scheme to something more open.. 255.....248, or maybe back down to 255...255.0 I guess..
