Below are portions of the running config of a 2911 with a firewall configured (partially through CCP, but mainly through CLI). In the CCP GUI, it shows the proper zones and zone pairs, and under the Firewall Policy editor, it seems to show the proper policy/class maps. Basically, I want to allow ALL traffic between the router and select external IP addresses in both directions. The problem I have is that while I'm expecting all other traffic (from any address other than those specified) to be blocked (dropped) and logged, I can still ping the external interface of the router from another external address, and I can also access CCP Express from another IP (we have a separate cable line we can use for testing outside connections, and I used Google to determine the source external IP). Clearly, this testing IP is not one of the IPs in the access list that are allowed, yet I can still ping and access CCP Express (which uses HTTPS), which I would expect to be blocked. Now when I run TERMINAL MONITOR, I see traffic being dropped from a variety of other addresses, but I still see echo replies going out, which means other IPs can also ping. Now perhaps the other traffic is being blocked, but I would like to know why pings and HTTPS can get through? Please help me out here. Thanks in advance.
Current firewall commands in the config (IPs have been changed for security, but the IPs shown are all public or otherwise trusted):
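For reference, the symptom described above (pings and HTTPS to the router's own outside address still succeed while transit traffic is dropped) is what IOS zone-based firewall does by default for traffic terminating on the router itself: that traffic belongs to the built-in "self" zone, and it is permitted unless a zone-pair whose source or destination is "self" carries a policy. The fragment below is an added, constructed example and not the poster's config; the interface name GigabitEthernet0/0, the zone name OUTSIDE, and the documentation addresses 203.0.113.10 and 203.0.113.20 (standing in for the trusted external hosts) are assumptions. It uses "pass" rather than "inspect" on the self zone-pairs, since self-zone inspection is limited on older IOS releases, so both directions must be allowed explicitly.

```cisco
! Added illustrative example, not the original poster's running config.
! Assumptions: GigabitEthernet0/0 faces the Internet in zone OUTSIDE;
! 203.0.113.10 and 203.0.113.20 are the trusted external management hosts.
ip access-list extended TRUSTED-EXTERNAL-IN
 permit ip host 203.0.113.10 any
 permit ip host 203.0.113.20 any
ip access-list extended TRUSTED-EXTERNAL-OUT
 permit ip any host 203.0.113.10
 permit ip any host 203.0.113.20
!
class-map type inspect match-all CM-TRUSTED-TO-SELF
 match access-group name TRUSTED-EXTERNAL-IN
class-map type inspect match-all CM-SELF-TO-TRUSTED
 match access-group name TRUSTED-EXTERNAL-OUT
!
! Traffic from the trusted hosts to the router (ICMP, HTTPS for CCP Express,
! SSH) is passed; everything else aimed at the router is dropped and logged.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-TRUSTED-TO-SELF
  pass
 class class-default
  drop log
! "pass" is stateless, so the return direction needs its own policy.
policy-map type inspect PM-SELF-TO-OUTSIDE
 class type inspect CM-SELF-TO-TRUSTED
  pass
 class class-default
  drop log
!
zone security OUTSIDE
!
! These two zone-pairs are what turn off the default "allow all to/from self".
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
```

Before applying this to a remote box, note that "class class-default" with "drop" on the self-to-OUTSIDE pair also drops traffic the router itself originates toward untrusted addresses (DNS, NTP, IKE to VPN peers, the replies to any other management session), so add classes for those or apply the change from the console with a scheduled "reload in" as a safety net. Afterwards, "show zone-pair security" and "show policy-map type inspect zone-pair" confirm the self zone-pairs exist and show the drop counters climbing for the untrusted test address while the trusted hosts can still ping and reach CCP Express.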