Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

887 firewall allow dns udp?

Hi, I have just replaced my pix 506e with a 887W and I have set it up.

My secondary DNS which is outside my network cannot get updates from the primary nameserver which is inside my network.

The CCP firewall page allows me to choose dns and inspect, but it does not allow tcp or udp, so I'm betting that it is permitting tcp to enter and not udp.

My device has a static IP on the outside port and I have also got 8 IP that point to the outside port. It is xxx.36.222.123 that I need to allow udp to enter

How do I get the firewall to permit dns udp to enter the network?

Desperate.....

regards, Mark

!
! Last configuration change at 22:16:10 PCTime Wed Nov 3 2010 by cisco1
! NVRAM config last updated at 22:16:11 PCTime Wed Nov 3 2010 by cisco1
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 887w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxx
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2295751304
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2295751304
revocation-check none
rsakeypair TP-self-signed-2295751304
!
!
crypto pki certificate chain TP-self-signed-2295751304
certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323935 37353133 3034301E 170D3130 31303138 31313135
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32393537
  35313330 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D5AE B70EA312 9EFC787D 9243CE71 B8D2A5FD 9549039C 0FC0B819 13856AF3
  4C6A83EF C02EC394 D62C1BAA BB30C730 A9C5562B 96358F28 57CD50BF 4B3D586D
  EA650203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
  551D1104 14301282 10383837 772E616C 6976652E 6C6F6361 6C301F06 03551D23
  04183016 8014D50F 9F1FEF40 383FE49B 254B0841 75C07D9E 28AD301D 0603551D
  0E041604 14D50F9F 1FEF4038 3FE49B25 4B084175 C07D9E28 AD300D06 092A8648
  86F70D01 01040500 03818100 45226285 B2EEFADD 4514D3FD 03C35A5D B13B647C
  3C49C64F 7B11C9C0 430A91CA 00CF27FE 42185C3D E955AB68 9E1589EC 3EA454EA
  EBC7386F 061D1959 8172DC42 3446A617 0CBE7C5A 5F27F70B 1C08E4BB A73B0E6A
  EA658DE7 B74814C1 92B1B8B6 0DC2BF17 76E4EA5C 2F0DAF36 B4FC2D1D 508DC4E6
  9C21630B 2F5A184A 97AE583C
   quit
ip source-route
!
!
!
!
ip cef
ip domain name alive.local
ip name-server 192.168.1.48
ip name-server 139.130.4.4
no ipv6 cef
!
!
license udi pid CISCO887W-GN-A-K9 sn xxxx
!
username xxxx privilege 15 secret 5 xxxx
!
!
class-map type inspect match-all sdm-nat-smtp-2
match access-group 105
match protocol smtp
class-map type inspect match-all sdm-nat-http-1
match access-group 103
match protocol http
class-map type inspect match-all sdm-nat-http-2
match access-group 104
match protocol http
class-map type inspect match-all sdm-nat-http-3
match access-group 105
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-all sdm-nat-imap-1
match access-group 105
match protocol imap
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any icmp
match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 103
match protocol pptp
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all sdm-nat-pop3-1
match access-group 105
match protocol pop3
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map icmp
match access-group name icmp
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-dns-1
match access-group 104
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-3
match access-group 105
match protocol https
class-map type inspect match-all sdm-nat-https-2
match access-group 104
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 103
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
  pass
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-pptp-1
  inspect
class type inspect sdm-nat-http-2
  inspect
class type inspect sdm-nat-https-2
  inspect
class type inspect sdm-nat-dns-1
  inspect
class type inspect sdm-nat-smtp-2
  inspect
class type inspect sdm-nat-imap-1
  inspect
class type inspect sdm-nat-https-3
  inspect
class type inspect sdm-nat-pop3-1
  inspect
class type inspect sdm-nat-http-3
  inspect
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address xxx.228.87.236 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxx
ppp chap password xxxx

no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.31 25 xxx.36.222.121 25 extendable
ip nat inside source static tcp 192.168.1.50 80 xxx.36.222.122 80 extendable
ip nat inside source static tcp 192.168.1.50 443 xxx.36.222.122 443 extendable
ip nat inside source static tcp 192.168.1.50 1723 xxx.36.222.122 1723 extendable
ip nat inside source static tcp 192.168.1.49 53 xxx.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 xxx.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 xxx.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 xxx.36.222.123 443 extendable
ip nat inside source static tcp 192.168.1.45 25 xxx.36.222.124 25 extendable
ip nat inside source static tcp 192.168.1.45 80 xxx.36.222.124 80 extendable
ip nat inside source static tcp 192.168.1.45 110 xxx.36.222.124 110 extendable
ip nat inside source static tcp 192.168.1.45 143 xxx.36.222.124 143 extendable
ip nat inside source static tcp 192.168.1.45 443 xxx.36.222.124 443 extendable
ip route 0.0.0.0 0.0.0.0 xxx.228.87.1
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended icmp
remark CCP_ACL Category=128
permit ip any host 165.228.87.236
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 165.228.87.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.31
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.50
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.49
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.45
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq telnet
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq www
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 443
access-list 106 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq cmd
access-list 106 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq snmp
access-list 106 deny   tcp any host 192.168.1.254 eq telnet
access-list 106 deny   tcp any host 192.168.1.254 eq 22
access-list 106 deny   tcp any host 192.168.1.254 eq www
access-list 106 deny   tcp any host 192.168.1.254 eq 443
access-list 106 deny   tcp any host 192.168.1.254 eq cmd
access-list 106 deny   udp any host 192.168.1.254 eq snmp
access-list 106 permit ip any any
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark CCP_ACL Category=1
access-list 107 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CC
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE 
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 107 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 192.168.1.48 prefer source Vlan1
end

6 REPLIES
Hall of Fame Super Gold

Re: 887 firewall allow dns udp?

To be honest with you, all the inspect anf FW statements inserted by the GUI are totally unncessary, cumpberosn, and just too comples for the average human mind.

You are 100% protected using regular NAT, and nothing else.

In that case, DNS UDP, and anything else, will work without any problem.

New Member

Re: 887 firewall allow dns udp?

Hi Paolo,

I have absolutely no idea what to do. My dns problem continues, so I have no idea using ccp to permit dns udp and tcp to go to one of my hosts.

On the PIX, you could specify what to do.

I cannot even work out if I can turn the firewall feature off and get my setup back to something simple.

Any ideas welcome.

regards,

Mark

Hall of Fame Super Gold

Re: 887 firewall allow dns udp?

Telnet to router and from the interface config, take out zone statements.

That way you will have things working nice and easy then progressively intriduce all the scuirty feeatures in a gradual, controlled way.

Note, as soon you use a GUI, chances are it will mess up with your config again. So, don't use it.

New Member

Re: 887 firewall allow dns udp?

Hi Paolo,

I'm not a cisco engineer. I bought the 887w because I was told it was reasonably easy to setup using CCP.

Do you know of a way if I can test that udp is getting from outside to inside on port 53?

I can test tcp easy enough just using dig

regards,

Mark

Hall of Fame Super Gold

Re: 887 firewall allow dns udp?

Unfortunately, you need a trained person to configure cisco equipment the proper, professional way.

The best way to test your UDP problem, is the actual application or function.

Cisco Employee

Re: 887 firewall allow dns udp?

Do you know of a way if I can test that udp is getting from outside to inside on port 53?

I can test tcp easy enough just using dig

Dig uses UDP by default, so "dig @xxx.36.222.123 " should give you a clue.

As far as I can see the firewall should allow DNS (port 53) traffic to 192.168.1.49.

If you don't get an answer and can't see logs on the server, use "show ip nat translations" or configure "ip nat log translations syslog" to see NAT translations being created when you dig. If they are there the traffic at least getting into the router.

631
Views
5
Helpful
6
Replies
CreatePlease to create content