Cisco Support Community

Please Help - Only Some Port Forwards Working

Hi all,

I have the most annoying issue with Cisco 887VA-K9 port forwarding. Some ports work while others don't and I just can't see why; however, I suspect it is a zone-based firewall (ZBF) issue.

Port forwards on the following ports all work fine:

External port 8021 to 192.168.4.253 on port 80 works

External port 8022 to 192.168.4.253 on port 8022 works

All the rest don't. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit, which is in the DMZ network 192.168.4.0.

Any help would be greatly appreciated as this is sending me mad. Full running config below.

Louise ;-)

Building configuration...

Current configuration : 36870 bytes

!

! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname QQQ_ADSL_Gateway

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 64000

enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec local_author local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone Magadan 11 0

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3471381936

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3471381936

revocation-check none

rsakeypair TP-self-signed-3471381936

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-3471381936

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332

  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133

  38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9

  7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07

  AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD

  6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79

  51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06

  03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609

  2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8

  9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290

  AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660

  644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A

  3D7107BA AA4E7273 1D43690E C4A5D4

                quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

no ip source-route

!

!

!

ip dhcp excluded-address 192.168.0.230 192.168.0.255

ip dhcp excluded-address 192.168.0.1 192.168.0.200

!

ip dhcp pool QQQ_LAN

import all

network 192.168.0.0 255.255.255.0

default-router 192.168.0.254

dns-server 192.168.0.6 202.1.161.36

netbios-name-server 192.168.0.6

domain-name QQQ.Local

lease 3

!

!

ip cef

no ip bootp server

ip domain name QQQ.Local

ip name-server 192.168.0.6

ip name-server 202.1.161.37

ip name-server 202.1.161.36

ip inspect log drop-pkt

no ipv6 cef

!

!

parameter-map type inspect global

log dropped-packets enable

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

password encryption aes

license udi pid CISCO887VA-K9 sn FGL162321CT

!

!

object-group service MAIL-PORTS

description QQQ User Mail Restrictions

tcp eq smtp

tcp eq pop3

tcp eq 995

tcp eq 993

udp lt rip

udp lt domain

tcp eq telnet

udp lt ntp

udp lt tftp

tcp eq ftp

tcp eq domain

tcp eq 5900

tcp eq ftp-data

tcp eq 3389

tcp eq 20410

!

object-group network Network1

description QQQ Management Network

192.168.1.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.8.0 255.255.255.0

range 192.168.0.200 192.168.0.254

range 192.168.0.1 192.168.0.25

!

object-group network Network2

description QQQ User Network

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.6.0 255.255.255.0

range 192.168.0.26 192.168.0.199

!

object-group network QQQ.Local

description QQQ_Domain

192.168.0.0 255.255.255.0

192.168.1.0 255.255.255.0

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.4.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.6.0 255.255.255.0

192.168.8.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.10.0 255.255.255.0

10.1.0.0 255.255.0.0

!

object-group network QQQ_Management_Group

description QQQ I.T. Devices With UnRestricted Access

range 192.168.0.200 192.168.0.254

range 192.168.0.1 192.168.0.25

192.168.1.0 255.255.255.0

192.168.8.0 255.255.255.0

192.168.7.0 255.255.255.0

192.168.5.0 255.255.255.0

192.168.4.0 255.255.255.0

10.1.0.0 255.255.0.0

192.168.10.0 255.255.255.0

10.8.0.0 255.255.255.0

192.168.9.0 255.255.255.0

192.168.100.0 255.255.255.0

192.168.20.0 255.255.255.0

192.168.21.0 255.255.255.0

192.168.22.0 255.255.255.0

192.168.23.0 255.255.255.0

!

object-group network QQQ_User_Group

description QQQ I.T. Devices WIth Restricted Access

range 192.168.0.26 192.168.0.199

192.168.2.0 255.255.255.0

192.168.3.0 255.255.255.0

192.168.6.0 255.255.255.0

!

object-group service WEB

description QQQ User Web Restrictions

tcp eq www

tcp eq 443

tcp eq 8080

tcp eq 1863

tcp eq 5190

!

username cpadmin privilege 15 password 7 1406031A2C172527

username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU

!

!

!

!

controller VDSL 0

!

ip tcp synwait-time 10

no ip ftp passive

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 118

class-map type inspect match-all sdm-cls-VPNOutsideToInside-3

match access-group 121

class-map type inspect match-all sdm-cls-VPNOutsideToInside-2

match access-group 120

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all sdm-cls-VPNOutsideToInside-4

match access-group 122

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 117

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect match-any SDM_HTTP

match access-group name SDM_HTTP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-all sdm-cls-http

match access-group name dmz-traffic

match protocol http

class-map type inspect match-any Telnet

match protocol telnet

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS

match access-group name FIREWALL_EXCEPTIONS_ACL

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT

match access-group 102

match access-group 103

match access-group 104

match access-group 105

match access-group 106

match access-group 107

match access-group 108

match access-group 109

match access-group 110

match access-group 111

match access-group 112

match access-group 113

match access-group 114

match access-group 115

class-map type inspect match-any SIP

match protocol sip

class-map type inspect pop3 match-any ccp-app-pop3

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect sip match-any ccp-cls-sip-pv-2

match  protocol-violation

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-all ccp-cls-ccp-permit-1

match access-group name ETS1

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

match access-group name ETS

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2

match class-map Telnet

match access-group name Telnet

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect match-any ccp-dmz-protocols

match user-group qqq

match protocol icmp

match protocol http

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all sdm-cls-sip

match access-group name dmz-traffic

match protocol sip

class-map type inspect match-all ccp-dmz-traffic

match access-group name dmz-traffic

match class-map ccp-dmz-protocols

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1

match class-map SIP

match access-group name SIP

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect PF_OUT_TO_IN

class type inspect FIREWALL_EXCEPTIONS_CLASS

  pass

policy-map type inspect PF_IN_TO_OUT

class type inspect FIREWALL_EXCEPTIONS_CLASS

  pass

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class type inspect ccp-invalid-src

  drop log

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass

class type inspect ccp-cls-ccp-permit-1

  pass

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_EASY_VPN_CTCP_SERVER_PT

  inspect

class class-default

  drop

policy-map type inspect sip ccp-app-sip-2

class type inspect sip ccp-cls-sip-pv-2

  allow

policy-map type inspect ccp-permit-dmzservice

class type inspect ccp-cls-ccp-permit-dmzservice-1

  pass

class type inspect ccp-dmz-traffic

  inspect

class type inspect sdm-cls-http

  inspect

  service-policy http ccp-action-app-http

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-2

  inspect

class type inspect sdm-cls-VPNOutsideToInside-3

  pass

class class-default

  pass

policy-map type inspect ccp-pol-outToIn

class type inspect ccp-cls-ccp-pol-outToIn-1

  pass

class type inspect ccp-cls-ccp-pol-outToIn-2

  pass

class type inspect CCP_PPTP

  pass

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-2

  inspect

class type inspect sdm-cls-VPNOutsideToInside-3

  pass

class type inspect sdm-cls-VPNOutsideToInside-4

  inspect

class class-default

  drop log

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class type inspect sdm-cls-VPNOutsideToInside-2

  inspect

class type inspect sdm-cls-VPNOutsideToInside-3

  pass

class type inspect sdm-cls-VPNOutsideToInside-4

  inspect

class class-default

  drop log

!

zone security dmz-zone

zone security in-zone

zone security out-zone

zone security ezvpn-zone

zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone

service-policy type inspect ccp-permit-dmzservice

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone

service-policy type inspect ccp-permit-dmzservice

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security dmz-to-in source dmz-zone destination in-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

!

crypto ctcp port 10000 1723 6299

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes 256

authentication pre-share

group 2

crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219

crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0

!

crypto isakmp client configuration group QQQ

key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB

dns 192.168.0.6 202.1.161.36

wins 192.168.0.6

domain QQQ.Local

pool SDM_POOL_1

include-local-lan

max-users 20

max-logins 1

netmask 255.255.255.0

banner ^CCWelcome to QQQ VPN!!!!1                 ^C

crypto isakmp profile ciscocp-ike-profile-1

   match identity group QQQ

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address initiate

   client configuration address respond

   keepalive 10 retry 2

   virtual-template 1

!

!

crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 43200

set transform-set ESP_AES_SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to220.245.109.219

set peer 220.245.109.219

set transform-set ESP-3DES-SHA

match address 119

!

!

!

!

!

interface Loopback0

description QQQ_VPN

ip address 192.168.9.254 255.255.255.0

!

interface Null0

no ip unreachables

!

interface Ethernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

no fair-queue

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

description Telekom_ADSL

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

zone-member security out-zone

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

description QQQ_LAN-VLAN_1

switchport access vlan 1

no ip address

!

interface FastEthernet1

description QQQ_LAN-VLAN_1

no ip address

!

interface FastEthernet2

description QQQ_WAN-VLAN_2

switchport access vlan 2

no ip address

!

interface FastEthernet3

description QQQ_DMZ-IP_PBX-VLAN_3

switchport access vlan 3

no ip address

!

interface Virtual-Template1 type tunnel

description QQQ_Easy_VPN

ip unnumbered Loopback0

ip nat inside

ip virtual-reassembly in

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description QQQ_LAN-VLAN1$FW_INSIDE$

ip address 192.168.0.254 255.255.255.0

ip access-group QQQ_ACL in

ip mask-reply

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

ip tcp adjust-mss 1412

!

interface Vlan2

description QQQ_WAN-VLAN2$FW_INSIDE$

ip address 192.168.5.254 255.255.255.0

ip access-group QQQ_ACL in

ip mask-reply

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

ip tcp adjust-mss 1412

!

interface Vlan3

description QQQ_IP-PBX_WAN-VLAN3

ip address 192.168.4.254 255.255.255.0

ip mask-reply

ip nat inside

ip virtual-reassembly in

zone-member security dmz-zone

!

interface Vlan4

description VLAN4 - 192.168.20.xxx (Spare)

ip address 192.168.20.253 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Dialer0

description ATM Dialer

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

no cdp enable

!

interface Dialer2

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname xxxxxxxxxxxxxxxxxxx

ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx

ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx

no cdp enable

crypto map SDM_CMAP_1

!

router rip

version 2

redistribute static

passive-interface ATM0

passive-interface ATM0.1

passive-interface Dialer0

passive-interface Dialer2

passive-interface Ethernet0

passive-interface Loopback0

network 10.0.0.0

network 192.168.0.0

network 192.168.1.0

network 192.168.2.0

network 192.168.3.0

network 192.168.4.0

network 192.168.5.0

network 192.168.6.0

network 192.168.7.0

network 192.168.8.0

network 192.168.10.0

network 192.168.100.0

!

ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200

ip forward-protocol nd

ip http server

ip http access-class 5

ip http authentication local

ip http secure-server

!

ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0

ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060

ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208

ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209

ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200

ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218

ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219

ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210

ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278

ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279

ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270

ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288

ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289

ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280

ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723

ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389

ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390

ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022

ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021

ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023

ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443

ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload

ip default-network 192.168.0.0

ip default-network 192.168.4.0

ip route 0.0.0.0 0.0.0.0 Dialer2 permanent

ip route 10.1.0.0 255.255.0.0 Vlan2 permanent

ip route 10.8.0.0 255.255.255.0 Vlan2 permanent

ip route 192.168.0.0 255.255.255.0 Vlan1 permanent

ip route 192.168.4.0 255.255.255.0 Vlan3 permanent

ip route 192.168.5.0 255.255.255.0 Vlan2 permanent

ip route 192.168.100.0 255.255.255.0 Dialer2 permanent

!

ip access-list extended ACCESS_FROM_INSIDE

permit ip object-group QQQ_Management_Group any

permit tcp object-group QQQ_User_Group any eq smtp pop3

permit tcp object-group QQQ_User_Group any eq 993 995

permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3

permit tcp 192.168.0.0 0.0.0.255 any eq 993 995

permit ip 192.168.1.0 0.0.0.255 any

permit ip 192.168.4.0 0.0.0.255 any

permit ip 192.168.5.0 0.0.0.255 any

permit ip 192.168.7.0 0.0.0.255 any

permit ip 192.168.8.0 0.0.0.255 any

permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain

permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control

permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control

permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control

permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control

permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control

permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control

ip access-list extended ETS

remark CCP_ACL Category=128

permit ip host 203.219.237.252 any

ip access-list extended ETS1

remark CCP_ACL Category=128

permit ip host 203.219.237.252 any

ip access-list extended FIREWALL_EXCEPTIONS_ACL

permit tcp any host 192.168.0.100 eq 25565

permit tcp any eq 25565 host 192.168.0.100

ip access-list extended QQQ_ACL

permit ip any host 192.168.4.253

permit udp any any eq bootps bootpc

permit ip any 192.168.4.0 0.0.0.255

permit ip host 203.219.237.252 any

remark QQQ Internet Control List

remark CCP_ACL Category=17

remark Auto generated by CCP for NTP (123) 203.12.160.2

permit udp host 203.12.160.2 eq ntp any eq ntp

remark AD Services

permit udp host 192.168.0.6 eq domain any

remark Unrestricted Access

permit ip object-group QQQ_Management_Group any

remark Restricted Users

permit object-group MAIL-PORTS object-group QQQ_User_Group any

permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control

permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control

permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control

permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control

remark ICMP Full Access

permit icmp object-group QQQ_User_Group any

permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control

permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control

permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control

permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control

permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control

ip access-list extended QQQ_NAT

remark CCP_ACL Category=18

remark IPSec Rule

deny   ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255

permit ip any any

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

ip access-list extended SDM_HTTP

remark CCP_ACL Category=0

permit tcp any any eq telnet

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=0

permit tcp any any eq 443

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

ip access-list extended SIP

remark CCP_ACL Category=128

permit ip any 192.168.4.0 0.0.0.255

ip access-list extended Telnet

remark CCP_ACL Category=128

permit ip any any

ip access-list extended dmz-traffic

remark CCP_ACL Category=1

permit ip any 192.168.4.0 0.0.0.255

!

access-list 1 remark CCP_ACL Category=2

access-list 1 remark QQQ_DMZ

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 2 remark CCP_ACL Category=2

access-list 2 remark QQQ_LAN

access-list 2 permit 192.168.0.0 0.0.0.255

access-list 3 remark QQQ Insid NAT

access-list 3 remark CCP_ACL Category=2

access-list 3 permit 192.168.0.0 0.0.0.255

access-list 3 permit 192.168.1.0 0.0.0.255

access-list 3 permit 192.168.2.0 0.0.0.255

access-list 3 permit 192.168.3.0 0.0.0.255

access-list 3 permit 192.168.4.0 0.0.0.255

access-list 3 permit 192.168.5.0 0.0.0.255

access-list 3 permit 192.168.6.0 0.0.0.255

access-list 3 permit 192.168.7.0 0.0.0.255

access-list 3 permit 192.168.8.0 0.0.0.255

access-list 3 permit 192.168.9.0 0.0.0.255

access-list 3 permit 192.168.10.0 0.0.0.255

access-list 4 remark QQQ_NAT

access-list 4 remark CCP_ACL Category=2

access-list 4 permit 10.1.0.0 0.0.255.255

access-list 4 permit 10.8.0.0 0.0.0.255

access-list 4 permit 192.168.0.0 0.0.0.255

access-list 4 permit 192.168.1.0 0.0.0.255

access-list 4 permit 192.168.2.0 0.0.0.255

access-list 4 permit 192.168.3.0 0.0.0.255

access-list 4 permit 192.168.4.0 0.0.0.255

access-list 4 permit 192.168.5.0 0.0.0.255

access-list 4 permit 192.168.6.0 0.0.0.255

access-list 4 permit 192.168.7.0 0.0.0.255

access-list 4 permit 192.168.8.0 0.0.0.255

access-list 4 permit 192.168.9.0 0.0.0.255

access-list 4 permit 192.168.10.0 0.0.0.255

access-list 5 remark HTTP Access-class list

access-list 5 remark CCP_ACL Category=1

access-list 5 permit 192.168.4.0 0.0.0.255

access-list 5 permit 192.168.0.0 0.0.0.255

access-list 5 deny   any

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip 192.168.4.0 0.0.0.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip host 255.255.255.255 any

access-list 101 remark QQQ_Extended_ACL

access-list 101 remark CCP_ACL Category=1

access-list 101 permit tcp any host 192.168.0.254 eq 10000

access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp

access-list 101 permit udp any host 192.168.0.254 eq isakmp

access-list 101 permit esp any host 192.168.0.254

access-list 101 permit ahp any host 192.168.0.254

access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2

access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp

access-list 101 permit udp host 192.168.0.6 eq domain any

access-list 101 remark NTP (123) 203.12.160.2

access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp

access-list 101 remark QQQ_ANY_Any

access-list 101 permit ip object-group QQQ.Local any

access-list 101 remark QQQ_DMZ

access-list 101 permit ip any 192.168.4.0 0.0.0.255

access-list 101 remark QQQ_GRE

access-list 101 permit gre any any

access-list 101 remark QQQ_Ping

access-list 101 permit icmp any any

access-list 102 remark CCP_ACL Category=1

access-list 102 permit tcp any any eq 10000

access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443

access-list 103 remark CCP_ACL Category=1

access-list 103 permit tcp any any eq 10000

access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022

access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet

access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www

access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060

access-list 103 permit tcp any eq telnet host 192.168.0.254

access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet

access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060

access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000

access-list 104 remark CCP_ACL Category=1

access-list 104 permit tcp any any eq 10000

access-list 105 remark CCP_ACL Category=1

access-list 105 permit tcp any any eq 10000

access-list 106 remark CCP_ACL Category=1

access-list 106 permit tcp any any eq 10000

access-list 107 remark CCP_ACL Category=1

access-list 107 permit tcp any any eq 10000

access-list 108 remark CCP_ACL Category=1

access-list 108 permit tcp any any eq 10000

access-list 109 remark CCP_ACL Category=1

access-list 109 permit tcp any any eq 10000

access-list 110 remark CCP_ACL Category=1

access-list 110 permit tcp any any eq 10000

access-list 111 remark CCP_ACL Category=1

access-list 111 permit tcp any any eq 10000

access-list 112 remark CCP_ACL Category=1

access-list 112 permit tcp any any eq 10000

access-list 113 remark CCP_ACL Category=1

access-list 113 permit tcp any any eq 10000

access-list 114 remark CCP_ACL Category=1

access-list 114 permit tcp any any eq 10000

access-list 115 remark CCP_ACL Category=1

access-list 115 permit tcp any any eq 10000

access-list 116 remark CCP_ACL Category=4

access-list 116 remark IPSec Rule

access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255

access-list 117 remark CCP_ACL Category=128

access-list 117 permit ip any any

access-list 117 permit ip host 220.245.109.219 any

access-list 118 remark CCP_ACL Category=0

access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 119 remark CCP_ACL Category=4

access-list 119 remark IPSec Rule

access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255

access-list 120 remark CCP_ACL Category=0

access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 121 remark CCP_ACL Category=0

access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 122 remark CCP_ACL Category=0

access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255

dialer-list 1 protocol ip permit

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address QQQ_NAT

!

!

!

banner login ^CCWelcome to QQQ ADSL Gateway
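Added check (example code, not from the post or from Cisco): a small Python evaluator for the numbered extended ACL syntax used above, loaded with the ACL 103 lines exactly as pasted, so you can see which forwarded ports on the DMZ host a permit entry matches and which fall through to the implicit deny. The flows it is fed are constructed; whether the entries are compared against the public or the translated address depends on where ACL 103 is applied, which this excerpt does not show.

```python
import ipaddress
# Constructed example: a simplified evaluator for Cisco IOS numbered extended ACLs
# (any | host A | A WILDCARD, eq/range ports, implicit deny; log/established ignored).
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "ntp": 123, "isakmp": 500}
_ip = lambda s: int(ipaddress.IPv4Address(s))
_port = lambda t: PORT_NAMES.get(t) or int(t)

# ACL 103 exactly as it appears in the pasted running config.
ACL_103 = """
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit tcp any eq telnet host 192.168.0.254
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
"""
def _endpoint(toks):  # consume 'any | host A | A WILD [eq P | range LO HI]'
    t, ports = toks.pop(0), None      # ports None means any port
    if t == "any":
        net, wild = 0, 0xFFFFFFFF
    elif t == "host":
        net, wild = _ip(toks.pop(0)), 0
    else:
        net, wild = _ip(t), _ip(toks.pop(0))
    if toks and toks[0] in ("eq", "range"):
        op, lo = toks.pop(0), _port(toks.pop(0))
        ports = (lo, _port(toks.pop(0)) if op == "range" else lo)
    return net, wild, ports
def parse_acl(text):  # -> [(action, proto, src_endpoint, dst_endpoint)] in config order
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[2] == "remark": continue  # remarks carry no match logic
        action, proto, rest = toks[2], toks[3], toks[4:]
        entries.append((action, proto, _endpoint(rest), _endpoint(rest)))
    return entries
def _hit(ip, port, endpoint):
    net, wild, ports = endpoint       # wildcard bits set to 1 are "don't care"
    return (_ip(ip) | wild) == (net | wild) and (ports is None or ports[0] <= port <= ports[1])
def evaluate(entries, proto, src, sport, dst, dport):  # first match wins, else implicit deny
    for action, p, s, d in entries:
        if p in (proto, "ip") and _hit(src, sport, s) and _hit(dst, dport, d):
            return action
    return "deny"
```

Feed it the post-NAT destination (192.168.4.253 port 80 for the 8021 forward, 8022 for the 8022 forward) and then the other forwarded ports to compare which entries they land on.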
