Firstly, I'm not sure if this is the correct place to put this enquiry. It is an issue with an 877 router, but the problem itself seems to be with the firewall functionality on it.
For simplicity's sake, let's say I have 2 VLANs set up on it: VLAN1 is the inside and VLAN3 is the outside.
Using the SDM (2.5), if I go to Configuration -> ACLs and then Edit ACLs, I can see that the firewall is active going from VLAN1 -> VLAN3 and VLAN3 -> VLAN1. There is also inspection configured inbound on both interfaces.
When I go to the home screen of the SDM, however, it lists the firewall as "inactive".
What does this mean? Is it just a bug in SDM?
The reason I am concerned is users are having intermittent issues with FTP (passive) and HTTP uploads not functioning; it seems when the 877 is taken out of the picture, things start to work again.
Any advice is much appreciated.
The configuration is below:
!This is the running config of the router: 192.168.1.252
!----------------------------------------------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip inspect max-incomplete high 500
ip inspect max-incomplete low 300
ip inspect one-minute high 500
ip inspect one-minute low 300
ip inspect tcp max-incomplete host 500 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW skinny
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 4
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface Vlan1
 ip address 192.168.1.252 255.255.255.0
 ip access-group sdm_vlan1_in in
 no ip redirects
 no ip unreachables
 ip nat inside
 ip inspect SDM_LOW in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.1.1.1 255.255.255.0
 ip access-group sdm_vlan2_in_100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan3
 ip address X.X.X.X 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW in
 ip virtual-reassembly
 crypto map SDM_CMAP_1
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip flow-top-talkers
 top 5
 sort-by bytes
 cache-timeout 2000
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_vlan2_in
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_vlan2_in_100
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_vlan4_in
 remark SDM_ACL Category=1
 permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark Inbound Traffic
access-list 102 remark SDM_ACL Category=1
access-list 102 remark SVN Server
access-list 102 remark RDP
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 1723
access-list 102 remark PPTP
access-list 102 permit gre any any
access-list 102 remark Secure Web
access-list 102 permit tcp any any eq 443
access-list 102 remark Web
access-list 102 permit tcp any any eq www
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 deny ip any any
access-list 120 remark outbound traffic
access-list 120 remark SDM_ACL Category=2
access-list 120 remark IPSec Rule
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 120 permit ip 192.0.0.0 0.255.255.255 any
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
access-list 121 remark outbound web
access-list 121 remark SDM_ACL Category=2
access-list 121 permit tcp 192.0.0.0 0.255.255.255 eq www host 10.0.0.1
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 120
!
!
control-plane
!
banner login ^Authorised Access Only^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 login local
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 103 in
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
end
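A small added illustration, written for this thread and not taken from the poster's config or from Cisco: it parses the inbound access-list 102 above with IOS wildcard-mask semantics and evaluates sample packets against it. It shows that the static ACL admits nothing on the high return ports used by an inside-initiated passive FTP data connection or by a web server's reply to an HTTP upload; those return flows rely entirely on the CBAC state created by `ip inspect SDM_LOW in`, which is why whether inspection is really active matters more than the label on the SDM home screen. The sample addresses are constructed.

```python
import ipaddress
# Constructed copy of the poster's "access-list 102" (applied inbound on Vlan3), remarks dropped.
ACL_102 = """
permit tcp any any eq 3389
permit tcp any any eq 1723
permit gre any any
permit tcp any any eq 443
permit tcp any any eq www
permit ip 192.168.10.0 0.0.1.255 192.168.1.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
"""

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (match_fn, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda ip, h=int(ipaddress.IPv4Address(tokens[1])): ip == h), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    # IOS wildcard: 1-bits are "don't care", so compare only where the mask is 0.
    return (lambda ip, b=base, w=wild: (ip | w) == (b | w)), tokens[2:]

def parse_port(tokens):
    if tokens and tokens[0] == "eq":  # optional 'eq PORT' ('www' is 80); otherwise any port
        port = 80 if tokens[1] == "www" else int(tokens[1])
        return (lambda p, q=port: p == q), tokens[2:]
    return (lambda p: True), tokens

def parse_ace(line):
    action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    sport, rest = parse_port(rest)
    dst, rest = parse_addr(rest)
    dport, _ = parse_port(rest)  # a trailing "log" keyword is ignored
    return action, proto, src, sport, dst, dport

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):  # first match wins
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src_ip, dst_ip))
    for line in acl.strip().splitlines():
        action, p, src, sp, dst, dp = parse_ace(line)
        if p in ("ip", proto) and src(s) and sp(sport) and dst(d) and dp(dport):
            return action
    return "deny"  # the implicit deny at the end of every IOS ACL
```

Try `evaluate(ACL_102, "tcp", "203.0.113.5", 51234, "198.51.100.2", 52000)`: a passive FTP data reply lands on the implicit deny, so only the inspection's dynamic entry can let it in.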
Yes, that is a known bug. When you make CLI changes, SDM doesn't recognize those and may say the firewall is inactive when it actually is active.
Seems like you have a lot of inspections configured. You can remove the following, which will leave icmp, tcp, udp and ftp:
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW sip
ip inspect name SDM_LOW skinny