I have upgraded to PIX 525 7.2(2). When I did, I used the same rules as on the 515. I know the fixup changed to inspect and have all working with the strange exception of VOIP and some special applications. One is with port 2000. I need to allow port 2000 to a specific PC, and have done so with an ACL entry.
All IPs are public and no NAT is configured (only 2 interfaces, inside and outside). However, packets are dropped but do not reflect where they are dropped. A capture of both interfaces only shows traffic on the outside.
Maybe you can track the dropped traffic and check for the drop code. Try using the "show asp-drop" command and monitor the increasing number when passing the port 2000 traffic to get the error code; that could give a hint on what is causing the traffic drop.
Don't forget to clear the counter before beginning: "clear asp-drop".
You can also capture the dropped traffic using the capture asp-drop command:
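The drop-tracing procedure above, written out as an added example (this is not the poster's configuration). On the CLI the counter commands are spelled `show asp drop` and `clear asp drop`, while the capture type keyword is `asp-drop`. The addresses are made up: the inside upload host is assumed to be 203.0.113.10 and the outside client 198.51.100.5.

```text
! Added example, not from the thread. 203.0.113.10 (inside upload host) and
! 198.51.100.5 (outside client) are assumed, made-up addresses.

! 1. Reset the drop counters, push some port 2000 traffic, then see which
!    drop reason is climbing.
clear asp drop
show asp drop

! 2. Capture only the packets the firewall itself discards, tagged with the
!    drop reason, so you do not have to guess from interface captures.
capture DROPS type asp-drop all
show capture DROPS

! 3. Capture the flow on both interfaces. If it appears in CAP-OUT but never
!    in CAP-IN, the box consumed it rather than forwarding it.
access-list CAP2000 extended permit tcp any host 203.0.113.10 eq 2000
access-list CAP2000 extended permit tcp host 203.0.113.10 eq 2000 any
capture CAP-OUT access-list CAP2000 interface outside
capture CAP-IN access-list CAP2000 interface inside
show capture CAP-OUT
show capture CAP-IN

! 4. Simulate one inbound SYN and read the per-phase result. A drop in the
!    INSPECT phase points at the global policy-map, not at an ACL or route.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 2000

! Clean up.
no capture DROPS
no capture CAP-OUT
no capture CAP-IN
```

`capture ... type asp-drop all` and `packet-tracer` are both available from 7.2(1), so they apply to the 7.2(2) image in the question. Running the asp-drop capture while reproducing the upload is the quickest way to get a named drop reason instead of a silent disappearance between the two interface captures.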
Thanks for your reply, but we have the situation fixed now. The application I was using to upload files from outside the f/w to a machine on the inside used port 2000. We had port 2000 in the global inspection rules under skinny.
There was another issue with sip as well.
Removing the lines:
from the global policy allowed the traffic to flow properly. Somehow, because the originating traffic was from the outside, the inspection engine dropped it because of the handling of those ports.
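The post does not show the two lines that were removed. The following is an added example, not the poster's actual configuration, that assumes they were `inspect skinny` and `inspect sip` under the default `inspection_default` class of a 7.2 global policy, and that the inside upload host is the made-up address 203.0.113.10. It shows the fix described above and a narrower alternative that keeps inspection for real phones.

```text
! Added example, not the poster's config. Assumes the removed lines were
! "inspect skinny" and "inspect sip", and that the upload host is
! 203.0.113.10 (made-up address).

! Default 7.2 policy, trimmed to the relevant part. inspection_default
! matches default-inspection-traffic, which includes TCP/2000 (SCCP) and
! TCP+UDP/5060 (SIP), so every TCP/2000 flow is handed to the skinny engine
! no matter what the interface ACL permits.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect skinny
  inspect sip

! Fix from the thread: stop running those engines globally.
policy-map global_policy
 class inspection_default
  no inspect skinny
  no inspect sip

! Narrower alternative, assumed here rather than taken from the thread:
! keep SCCP/SIP inspection for phones but exclude the upload host, so its
! non-SCCP traffic on TCP/2000 is never parsed by the skinny engine.
! Requires the two "no inspect" lines above; otherwise inspection_default
! is listed first and still claims the flow.
access-list VOIP-INSPECT extended deny tcp any host 203.0.113.10 eq 2000
access-list VOIP-INSPECT extended permit tcp any any eq 2000
access-list VOIP-INSPECT extended permit tcp any any eq 5060
access-list VOIP-INSPECT extended permit udp any any eq 5060
class-map VOIP-INSPECT
 match access-list VOIP-INSPECT
policy-map global_policy
 class VOIP-INSPECT
  inspect skinny
  inspect sip

! Verify which class now sees the traffic and that the drop counters stay flat.
show service-policy inspect skinny
show service-policy inspect sip
show asp drop
```

The global removal is the simplest fix and is what resolved the thread, but it also drops the pinhole and message-sanity checks those engines provide for any phones behind the firewall; if VoIP through this PIX still matters, the class-map variant limits the exclusion to the one host that is not actually speaking SCCP on port 2000.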