I have configured Basic firewall on my Cisco 2911. I want to open port 80 for a packaging machine IP (192.168.0.28 255.255.252.0) which uses TCP port 80 to connect with the live IP of its server in case of any technical problem, so that support technicians can access this machine. Actually it dials a VPN by using proprietary software built in the machine. They provided me the same software, from which it can check if this software connects or not.
I suspect it's not that port 80 isn't open but rather that the request it uses to check tcp/80 is not actually http-encoded and your firewall is inspecting tcp/80 traffic to ensure it's legitimate http and not something else masquerading as web traffic.
If you used CCP, you probably have something like the following lines in your configuration:
class-map type inspect match-all ccp-protocol-http
 match protocol http
policy-map type inspect ccp-inspect
 class type inspect ccp-protocol-http
If you tell the policy-map to "pass" vs. "inspect" http that will probably fix it.
Yes, I used CCP for it and I found the same lines in my configuration. Could you please define how to tell policy-map to allow/pass http from command line? I did not find allow or pass type in class-map, policy-map... Kindly help.
The command has to be done from within the right context in the modular QOS CLI framework. First go into the policy-map and then to the class so that your command prompt shows you are in Policy-map class configuration mode ("config-pmap-c"):
Enter configuration commands, one per line. End with CNTL/Z.
(config)#policy-map type inspect ccp-inspect
(config-pmap)#class type inspect ccp-protocol-http
Policy-map class configuration commands:
  drop            Drop the packet
  exit            Exit from QoS class action configuration mode
  inspect         Context-based Access Control Engine
  no              Negate or set default values of a command
  pass            Pass the packet
  service-policy  Deep Packet Inspection Engine
At that point you can negate the "inspect" action and add a "pass" action.
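The change described in the answer above, written out as a configuration session. This is an added example, not part of the original posts. In the zone-based firewall `pass` keeps no session state and only allows one direction, so the reply packets need their own `pass` in the policy attached to the opposite-direction zone-pair. Assumptions: such a zone-pair exists, and `RETURN-POLICY`, `PKG-MACHINE-REPLY` and `PKG-MACHINE-REPLY-CLASS` are placeholder names that do not come from the thread.

```cisco
! Added example. Names in CAPITALS are placeholders, not taken from the thread.
configure terminal
 policy-map type inspect ccp-inspect
  class type inspect ccp-protocol-http
   ! Remove the HTTP inspection action, then forward matching packets unchanged.
   ! This applies to every flow the class matches, not only 192.168.0.28.
   no inspect
   pass
 !
 ! Reply direction: "pass" above creates no session, so replies are not
 ! allowed back automatically. Match them explicitly. Replace "any" with the
 ! vendor server address once known, so that only that server can answer.
 ip access-list extended PKG-MACHINE-REPLY
  permit tcp any eq 80 host 192.168.0.28
 class-map type inspect match-all PKG-MACHINE-REPLY-CLASS
  match access-group name PKG-MACHINE-REPLY
 ! RETURN-POLICY stands for the policy-map attached to the zone-pair that
 ! carries traffic in the opposite direction (assumed to exist).
 policy-map type inspect RETURN-POLICY
  class type inspect PKG-MACHINE-REPLY-CLASS
   pass
end
! Check which policy is attached to each zone-pair and watch the class counters
! while the vendor's test software runs.
show policy-map type inspect zone-pair
```

If the test still fails, the per-class packet counters in the `show` output indicate which class the machine's traffic is actually matching.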