Connection hangs - VPN between UC540 and SR520

Unanswered Question
Aug 29th, 2010

We have a UC540 in our office and a teleworker site with an SR520 router connected to a DSL modem.

I configured both devices with Cisco Configuration Assistant (CCA), set up VPN server at the UC540, and VPN access at the SR520. VPN works for roaming clients (notebooks). VPN also works from the teleworker site behind the SR520:

- a Cisco phone works

- Internet access works

- you can ping, aka exchange ICMP packets from the teleworker site to the SR520 router, to the UC540 (internally), and to servers in the office LAN behind the UC540.

- you can also reach servers in the office LAN (via http, ssh).

BUT:

When I try to put data through the VPN, like copying data via scp, or viewing large HTML pages, the connection just stalls at the teleworker site. Other connections still work, even to the same server, but each particular connection where data tried to flow is stalled forever.

I noticed that traffic from the teleworker site is coming from the VPN segment defined in the UC540 setup when it reaches the servers in the office LAN.

Any ideas?

From the SR520 configuration:

------------------------------------------------------------------------------------------------------------------------------------

version 12.4

crypto isakmp key XXX hostname XXX.loopback.org

crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1

connect auto

group EZVPN_GROUP_1 key XXX

mode client

peer XXX.loopback.org

virtual-interface 3

username XXX password XXX

xauth userid mode local

!

!

archive

log config

  hidekeys

!

!

!

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM-Voice-permit

match protocol sip

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

match protocol user-ezvpn-remote

class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT

match class-map SDM_EASY_VPN_REMOTE_TRAFFIC

match access-group 101

class-map type inspect match-any Easy_VPN_Remote_VT

match access-group 102

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-invalid-src

match access-group 100

class-map type inspect match-all dhcp_out_self

match access-group name dhcp-resp-permit

class-map type inspect match-all dhcp_self_out

match access-group name dhcp-req-permit

class-map type inspect match-all sdm-protocol-http

match protocol http

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect dhcp_self_out

  pass

class type inspect sdm-cls-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-permit_VT

class type inspect Easy_VPN_Remote_VT

  pass

class class-default

  drop

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-cls-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class type inspect SDM-Voice-permit

  pass

class class-default

  pass

policy-map type inspect sdm-inspect-voip-in

class type inspect SDM-Voice-permit

  pass

class class-default

  drop

policy-map type inspect sdm-permit

class type inspect SDM_EASY_VPN_REMOTE_PT

  pass

class type inspect dhcp_out_self

  pass

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

zone-pair security sdm-zp-out-in source out-zone destination in-zone

service-policy type inspect sdm-inspect-voip-in

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit_VT

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit_VT

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit_VT

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit_VT

interface Virtual-Template3 type tunnel

no ip address

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

!

interface Vlan75

description $FW_INSIDE$

ip address 192.168.75.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1412

crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname XXX

ppp chap password 7 XXX

ppp pap sent-username XXX password 7 XXX

ppp ipcp dns request accept

ppp ipcp route default

crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1

ip access-list extended SDM_AH

remark SDM_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark SDM_ACL Category=1

permit esp any any

ip access-list extended dhcp-req-permit

remark SDM_ACL Category=1

permit udp any eq bootpc any eq bootps

ip access-list extended dhcp-resp-permit

remark SDM_ACL Category=1

permit udp any eq bootps any eq bootpc

!

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.75.0 0.0.0.255

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark SDM_ACL Category=128

access-list 101 permit ip host 92.198.8.228 any

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip any any

dialer-list 1 protocol ip permit

From the UC540 configuration:

------------------------------------------------------------------------------------------------------------------------------------

version 12.4

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EZVPN_GROUP_1

key XXX

dns 192.168.10.25 8.8.8.8

pool SDM_POOL_1

acl 105

save-password

max-users 10

crypto isakmp profile sdm-ike-profile-1

   match identity group EZVPN_GROUP_1

   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1

   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1

   client configuration address respond

   virtual-template 4

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

class-map match-all _class_Voice0

match ip dscp ef

class-map match-all _class_Voice1

match ip dscp cs3

class-map match-all L3-to-L2_VoIP-Cntrl

match ip dscp af31

class-map match-all L3-to-L2_VoIP-RTP

match ip dscp ef

class-map match-all SIP

match protocol sip

class-map match-all RTP

match protocol rtp

class-map match-any media

match  dscp ef

class-map match-any signaling

match  dscp cs3

match  dscp af31

!

!

policy-map EthOut

class RTP

policy-map output-L3-to-L2

class L3-to-L2_VoIP-RTP

  set cos 5

class L3-to-L2_VoIP-Cntrl

  set cos 3

policy-map Voice

class _class_Voice0

  set cos 6

class _class_Voice1

  set cos 3

policy-map queue

class signaling

    bandwidth percent 5

class media

    priority percent 50

class class-default

    fair-queue

policy-map shape

class class-default

    shape average 1024000

  service-policy queue

!

bridge irb

!

!

!

interface Loopback0

description $FW_INSIDE$

ip address 10.1.10.2 255.255.255.252

ip access-group 101 in

ip nat inside

ip virtual-reassembly

!

!

interface Loopback7

ip address 50.50.50.50 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface Loopback12

ip address 51.51.51.51 255.255.255.0

ip nat inside

ip virtual-reassembly

!

!

interface FastEthernet0/0

description $FW_OUTSIDE$

bandwidth 1024

ip address XXX 255.255.255.248

ip access-group 104 in

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

duplex auto

speed auto

!

service-policy output shape

!      

interface Virtual-Template4 type tunnel

ip unnumbered BVI1

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface BVI1

description $FW_INSIDE$

ip address 192.168.10.1 255.255.255.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

!

!

interface BVI100

description $FW_INSIDE$

ip address 10.1.1.1 255.255.255.0

ip access-group 103 in

ip nat inside

ip virtual-reassembly

!

!

ip local pool SDM_POOL_1 192.168.10.200 192.168.10.220

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 92.198.8.225

ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0

!

ip http server

ip http authentication local

ip http secure-server

ip http path flash:/gui

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.10.25 25 interface FastEthernet0/0 25

ip nat inside source static tcp 192.168.10.25 143 interface FastEthernet0/0 143

ip nat inside source static tcp 192.168.10.25 993 interface FastEthernet0/0 993

ip nat inside source static tcp 192.168.10.25 465 interface FastEthernet0/0 465

ip nat inside source static tcp 192.168.10.25 587 interface FastEthernet0/0 587

ip nat inside source static tcp 192.168.10.25 443 interface FastEthernet0/0 4443

ip nat inside source static tcp 192.168.10.25 8443 interface FastEthernet0/0 8443

!

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 permit 10.1.1.0 0.0.0.255

access-list 1 permit 50.50.50.0 0.0.0.255

access-list 1 permit 51.51.51.0 0.0.0.255

access-list 1 permit 10.1.10.0 0.0.0.3

access-list 2 remark CCA_SIP_SOURCE_GROUP_ACL_INTERNAL

access-list 2 remark SDM_ACL Category=1

access-list 2 permit 192.168.10.1

access-list 2 permit 10.1.10.0 0.0.0.3

access-list 2 permit 192.168.10.0 0.0.0.255

access-list 2 permit 10.1.1.0 0.0.0.255

access-list 3 remark CCA_SIP_SOURCE_GROUP_ACL_EXTERNAL

access-list 3 remark SDM_ACL Category=1

access-list 3 permit 212.117.222.248

access-list 3 deny   any

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip 192.168.10.0 0.0.0.255 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_9##

access-list 101 remark SDM_ACL Category=1

access-list 101 permit udp any host 10.1.10.2 eq non500-isakmp

access-list 101 permit udp any host 10.1.10.2 eq isakmp

access-list 101 permit esp any host 10.1.10.2

access-list 101 permit ahp any host 10.1.10.2

access-list 101 remark Auto generated by SDM for NTP (123) 17.72.255.12

access-list 101 permit udp host 17.72.255.12 eq ntp host 10.1.10.2 eq ntp

access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any

access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any

access-list 101 deny   ip 10.1.1.0 0.0.0.255 any

access-list 101 deny   ip 192.168.10.0 0.0.0.255 any

access-list 101 deny   ip 92.198.8.224 0.0.0.7 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 permit ip any any

access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_7##

access-list 102 remark SDM_ACL Category=1

access-list 102 permit udp any host 192.168.10.1 eq non500-isakmp

access-list 102 permit udp any host 192.168.10.1 eq isakmp

access-list 102 permit esp any host 192.168.10.1

access-list 102 permit ahp any host 192.168.10.1

access-list 102 remark Auto generated by SDM for NTP (123) 17.72.255.12

access-list 102 permit udp host 17.72.255.12 eq ntp host 192.168.10.1 eq ntp

access-list 102 deny   ip 10.1.10.0 0.0.0.3 any

access-list 102 deny   ip 10.1.1.0 0.0.0.255 any

access-list 102 deny   ip 92.198.8.224 0.0.0.7 any

access-list 102 deny   ip host 255.255.255.255 any

access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip any any

access-list 103 remark auto generated by SDM firewall configuration##NO_ACES_9##

access-list 103 remark SDM_ACL Category=1

access-list 103 permit udp any host 10.1.1.1 eq non500-isakmp

access-list 103 permit udp any host 10.1.1.1 eq isakmp

access-list 103 permit esp any host 10.1.1.1

access-list 103 permit ahp any host 10.1.1.1

access-list 103 remark Auto generated by SDM for NTP (123) 17.72.255.12

access-list 103 permit udp host 17.72.255.12 eq ntp host 10.1.1.1 eq ntp

access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000

access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000

access-list 103 deny   ip 10.1.10.0 0.0.0.3 any

access-list 103 deny   ip 192.168.10.0 0.0.0.255 any

access-list 103 deny   ip 92.198.8.224 0.0.0.7 any

access-list 103 deny   ip host 255.255.255.255 any

access-list 103 deny   ip 127.0.0.0 0.255.255.255 any

access-list 103 permit ip any any

access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_33##

access-list 104 remark SDM_ACL Category=1

access-list 104 permit udp any host 92.198.8.228 eq non500-isakmp

access-list 104 permit udp any host 92.198.8.228 eq isakmp

access-list 104 permit esp any host 92.198.8.228

access-list 104 permit ahp any host 92.198.8.228

access-list 104 permit tcp any host 92.198.8.228 eq 8443 log

access-list 104 permit tcp any host 92.198.8.228 eq 4443 log

access-list 104 permit tcp any host 92.198.8.228 eq 587 log

access-list 104 permit tcp any host 92.198.8.228 eq 465 log

access-list 104 permit tcp any host 92.198.8.228 eq 993 log

access-list 104 permit tcp any host 92.198.8.228 eq 143 log

access-list 104 permit tcp any host 92.198.8.228 eq smtp log

access-list 104 permit tcp any host 92.198.8.228 eq 443

access-list 104 remark Auto generated by SDM for NTP (123) 17.72.255.12

access-list 104 permit udp host 17.72.255.12 eq ntp host 92.198.8.228 eq ntp

access-list 104 deny   ip 10.1.10.0 0.0.0.3 any

access-list 104 deny   ip 10.1.1.0 0.0.0.255 any

access-list 104 deny   ip 192.168.10.0 0.0.0.255 any

access-list 104 permit udp host 213.148.129.10 eq domain any

access-list 104 permit udp host 213.148.130.10 eq domain any

access-list 104 permit icmp any host 92.198.8.228 echo-reply

access-list 104 permit icmp any host 92.198.8.228 time-exceeded

access-list 104 permit icmp any host 92.198.8.228 unreachable

access-list 104 permit udp host 212.117.222.248 eq 5060 any

access-list 104 permit udp host 212.117.222.248 any eq 5060

access-list 104 permit udp host 192.168.10.1 eq 5060 any

access-list 104 permit udp host 192.168.10.1 any eq 5060

access-list 104 permit udp any any range 16384 32767

access-list 104 deny   ip 10.0.0.0 0.255.255.255 any

access-list 104 deny   ip 172.16.0.0 0.15.255.255 any

access-list 104 deny   ip 192.168.0.0 0.0.255.255 any

access-list 104 deny   ip 127.0.0.0 0.255.255.255 any

access-list 104 deny   ip host 255.255.255.255 any

access-list 104 deny   ip host 0.0.0.0 any

access-list 104 deny   ip any any log

access-list 105 remark SDM_ACL Category=4

access-list 105 permit ip 192.168.10.0 0.0.0.255 any

access-list 105 permit ip 10.1.1.0 0.0.0.255 any

access-list 105 permit ip 10.1.10.0 0.0.0.255 any

!
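
A size check for the values in the posted configuration (`ip mtu 1492` on Dialer0, `ip tcp adjust-mss 1412` on Vlan75, transform set ESP-3DES-SHA in tunnel mode), added here as an example and not part of the original post. The function names are hypothetical; the header sizes assume IPv4 and TCP without options, and NAT-T is an optional parameter because the post does not say whether it is in use.

```python
"""ESP tunnel-mode size check for the MTU/MSS values in the posted config.

Added example. Assumptions: IPv4 and TCP headers without options,
ESP in tunnel mode, CBC ciphers, 96-bit truncated HMAC.
"""

IP_HDR = 20       # IPv4 header, no options
TCP_HDR = 20      # TCP header, no options
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad-length (1) + next-header (1)
NATT_UDP = 8      # extra UDP header when ESP is carried over udp/4500

# cipher name -> (IV bytes, block bytes); auth name -> ICV bytes
CIPHERS = {"esp-3des": (8, 8), "esp-aes": (16, 16)}
AUTHS = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}


def esp_packet_size(inner_len, cipher="esp-3des", auth="esp-sha-hmac",
                    nat_t=False):
    """Size on the wire of an inner IP packet after ESP tunnel encapsulation."""
    iv, block = CIPHERS[cipher]
    # Inner packet plus trailer is padded up to a multiple of the block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = IP_HDR + ESP_HDR + iv + padded + AUTHS[auth]
    return size + (NATT_UDP if nat_t else 0)


def max_inner_len(link_mtu, **kw):
    """Largest inner IP packet whose encapsulated form fits in link_mtu."""
    n = link_mtu
    while esp_packet_size(n, **kw) > link_mtu:
        n -= 1
    return n


def check(link_mtu, adjust_mss, **kw):
    """Compare a clamped TCP MSS against what the tunnel can carry unfragmented."""
    inner = adjust_mss + IP_HDR + TCP_HDR      # full-size TCP/IP packet
    outer = esp_packet_size(inner, **kw)       # same packet after ESP
    best = max_inner_len(link_mtu, **kw)
    return {
        "inner": inner,
        "outer": outer,
        "fits": outer <= link_mtu,
        "max_inner": best,
        "max_mss": best - IP_HDR - TCP_HDR,
    }


if __name__ == "__main__":
    # Values taken from the posted SR520 config: Dialer0 "ip mtu 1492",
    # Vlan75 "ip tcp adjust-mss 1412"; transform set from the UC540 config.
    for nat_t in (False, True):
        r = check(1492, 1412, cipher="esp-3des", auth="esp-sha-hmac",
                  nat_t=nat_t)
        print(f"NAT-T={nat_t}: inner {r['inner']} -> outer {r['outer']} "
              f"(fits: {r['fits']}), largest MSS that fits: {r['max_mss']}")
```

With the posted values a full-size segment is a 1452-byte inner packet that grows to 1504 bytes after ESP, above the 1492-byte Dialer0 MTU; under the stated assumptions the largest MSS that fits is 1398, or 1390 with NAT-T.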
