http://www.dslreports.com/forum/r20306637 en Sat, 05 Dec 2009 07:07:24 EDT Sat, 05 Dec 2009 07:07:24 EDT http://www.dslreports.com/forum/remark,20361413 Euphrates : Have you tried switching back to those OpenDNS servers again and seeing if you can replicate the problem? It may help someone in the future who is having the same problem.

Also, when you noticed that the only thing you changed was the OpenDNS servers did you check with their website to see if they were having any problems that may be resolved?]]> http://www.dslreports.com/forum/remark,20361413 Mon, 21 Apr 2008 03:41:00 EDT http://www.dslreports.com/forum/remark,20344393 jrpavel3 : Very odd: I removed the L7 inspection, found I could access those sites, and added it back again, and I can still access them.

The only other thing that I changed in recent days is to go back to my ISP's DNS servers from OpenDNS...]]> http://www.dslreports.com/forum/remark,20344393 Wed, 16 Apr 2008 15:46:01 EDT http://www.dslreports.com/forum/remark,20338878 mr_dirt : Have you checked to see if the http app inspection policy is causing the problem? Try removing the http app service policy by applying this snip to the config:

policy-map type inspect sdm-inspect  class type inspect sdm-protocol-http  no service-policy http sdm-action-app-http 
Check to see if the problem continues. Since you're seeing two different log behaviors for the two different sites you're having problems with, it's hard to tell what's causing the problems. Also, if you're not running 12.4(15)T4, and are able to upgrade, you might want to do so to take advantage of the improvements to some of the logging.

Be sure to back up your config before you start.
]]> http://www.dslreports.com/forum/remark,20338878 Tue, 15 Apr 2008 16:10:30 EDT http://www.dslreports.com/forum/remark,20306637 jrpavel3 : Does no one have any suggestions? What is it about, eg, the sites that I have cited that causes the firewall to drop the connection? Are they trying to set up new connections to me??]]> http://www.dslreports.com/forum/remark,20306637 Wed, 09 Apr 2008 05:50:26 EDT http://www.dslreports.com/forum/remark,20287594 jrpavel3 : I have an 1801 running my LAN and a single NATd public IP address, configured using SDM.

All works fine most of the time, but there are some www sites that seem to get dropped when I try to connect to them other that from the machine that hosts my own web site (and has NAT forwarding enabled to do that).

Two examples are www.dpnotes.com and www.t-mobile.co.uk/pmcollect

The first generates a log of
05-04-200818:06:37Local7.Inforouter%FW-6-DROP_PKT: Dropping tcp session gator79.hostgator.com:80 PCNAME:60883 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 797 
The second does not seem to generate any log messages.

My config looks something like this:

!This is the running config of the router: router!----------------------------------------------------------------------------!version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice linenumberservice sequence-numbers!hostname router!boot-start-markerboot system flash:c180x-advipservicesk9-mz.124-15.T4.binboot-end-marker!security authentication failure rate 3 logsecurity passwords min-length 6logging buffered 51200logging console warningsenable secret 5 <removed>!aaa new-model!!aaa group server radius rad_eap server <server ip address> auth-port 1645 acct-port 1646!aaa group server radius rad_mac server <server ip address> auth-port 1645 acct-port 1646!aaa group server radius rad_acct server <server ip address> auth-port 1645 acct-port 1646!aaa group server radius rad_admin server <server ip address> auth-port 1645 acct-port 1646!aaa group server radius rad_pmip server <server ip address> auth-port 1645 acct-port 1646!aaa group server radius dummy!aaa authentication login eap_methods group rad_eapaaa authentication login mac_methods localaaa authentication login local_authen localaaa authentication ppp default group radiusaaa authorization exec local_author local aaa authorization ipmobile default group rad_pmip aaa authorization network default group radius local aaa accounting network acct_methods start-stop group rad_acctaaa accounting system default start-stop group rad_acct!!aaa session-id commonclock timezone GMT 0clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00errdisable recovery cause bpduguarderrdisable recovery interval 30!crypto pki trustpoint TP-self-signed-4196600675 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-4196600675 query certificate revocation-check none rsakeypair TP-self-signed-4196600675!crypto pki trustpoint <trustpoint> enrollment mode ra enrollment url http://<server>:80/certsrv/mscep/mscep.dll revocation-check crl none!!crypto pki certificate chain TP-self-signed-4196600675 certificate self-signed 01 <removed> quitcrypto pki certificate chain <trustpoint> certificate <removed> quit certificate ca <removed> quit!dot11 ssid Wireless authentication open  authentication key-management wpa accounting radius guest-mode wpa-psk ascii 7 <removed>!dot11 ssid Wirelessa authentication open  authentication key-management wpa accounting radius guest-mode wpa-psk ascii 7 <removed>!dot11 phonedot11 arp-cachedot11 location isocc UK cc 44 ac <xx>no ip source-routeip icmp rate-limit unreachable 100ip icmp rate-limit unreachable DF 1!!ip cef table event-logip cefip cef accounting per-prefix !!no ip bootp serverip domain list <domain 1>ip domain list <domain 2>ip domain list <domain 3>ip domain name <domain>ip name-server <server ip address>ip port-map user-sip-proxy port udp 5065 description SIP proxy for NAT traversalip port-map user-ftp-passive port tcp 20 description For passive ftpip port-map user-steam-tcp port tcp from 27000 to 27020 description Steam Clientip port-map user-steam-tcp port tcp 28900 description Steam Clientip port-map user-steam-udp port udp from 27020 to 27050 description Steam Clientip port-map user-http port tcp 8080ip port-map user-teredo port udp 3544 description Tunnels IPv6 in IPv4 ip port-map user-terminal port tcp 3389 description Terminal Servicesip port-map user-mmsu port udp 1755 description MMSUip port-map user-sharepoint port tcp 444 description Windows Sharepoint Servicesip port-map user-rsync port tcp 873 description Remote file copyip port-map user-rtp port udp 5004 5006 description Real Time Protocolip port-map user-rtspu port udp 5005 description RTSPUip port-map user-smtps port tcp 465 description Secure SMTPip port-map user-svn port tcp 3690 description SVNip port-map user-cvs port tcp 2401 description CVSip port-map user-nicname port tcp 43 description whois serviceip port-map user-remote-web port tcp 4125 description Remote Web Workplaceip port-map user-nat-stun port udp 3478 3479 description Simple Traversal of UDP through NATip inspect tcp reassembly alarm onip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3ip ips config location flash:/ips/ retries 5 timeout 10ip ips notify SDEEip ips name sdm_ips_rule!ip ips signature-category category all retired true category ios_ips advanced retired false!ip dhcp-server <server ip address>!multilink bundle-name authenticatedvpdn enablevpdn loggingvpdn logging localvpdn logging uservpdn logging tunnel-drop!vpdn-group L2TP! Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication!parameter-map type protocol-info msn-servers server name messenger.hotmail.com server name gateway.messenger.hotmail.com server name webmessenger.msn.com parameter-map type protocol-info aol-servers server name login.oscar.aol.com server name toc.oscar.aol.com server name oam-d09a.blue.aol.com parameter-map type protocol-info yahoo-servers server name scs.msg.yahoo.com server name scsa.msg.yahoo.com server name scsb.msg.yahoo.com server name scsc.msg.yahoo.com server name scsd.msg.yahoo.com server name cs16.msg.dcn.yahoo.com server name cs19.msg.dcn.yahoo.com server name cs42.msg.dcn.yahoo.com server name cs53.msg.dcn.yahoo.com server name cs54.msg.dcn.yahoo.com server name ads1.vip.scd.yahoo.com server name radio1.launch.vip.dal.yahoo.com server name in1.msg.vip.re2.yahoo.com server name data1.my.vip.sc5.yahoo.com server name address1.pim.vip.mud.yahoo.com server name edit.messenger.yahoo.com server name messenger.yahoo.com server name http.pager.yahoo.com server name privacy.yahoo.com server name csa.yahoo.com server name csb.yahoo.com server name csc.yahoo.com parameter-map type regex sdm-regex-nonascii pattern [^\x00-\x80] password encryption aes!!memory statistics history table 72file verify auto!spanning-tree portfast bpduguardspanning-tree uplinkfastl2tp congestion-controlusername <user> privilege 15 secret 5 <password>!crypto key pubkey-chain rsa named-key realm-cisco.pub signature key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101  00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16  17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128  B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E  5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35  FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85  50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36  006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE  2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3  F3020301 0001 quit! !crypto isakmp policy 10 encr aes 256 group 2!crypto isakmp policy 20 encr aes group 2!crypto isakmp policy 30 encr 3des group 2!crypto isakmp policy 40 encr aes 256 authentication pre-share group 2!crypto isakmp policy 50 encr aes authentication pre-share group 2!crypto isakmp policy 60 encr 3des authentication pre-share group 2crypto isakmp key 6 <key> address 0.0.0.0 0.0.0.0 no-xauth!!crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac  mode transportcrypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac  mode transportcrypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac  mode transportcrypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  mode transport!crypto dynamic-map Dynamic-CryptoMap 1 set nat demux set transform-set ESP-AES256-SHA ESP-AES128-SHA ESP-3DES-SHA !!crypto map IPSec-Policy 65535 ipsec-isakmp dynamic Dynamic-CryptoMap !archive log config logging enable logging size 1000 notify syslog contenttype plaintext hidekeys!!ip tcp ecnip tcp selective-ackip tcp window-size 750000ip tcp synwait-time 10ip tcp path-mtu-discoveryip ssh time-out 60ip ssh authentication-retries 2ip ssh logging events!class-map type inspect match-any SDM_ESP match access-group name SDM_ESPclass-map type inspect match-any sdm-protocol-ipsec match class-map SDM_ESP match protocol isakmp match protocol ipsec-msftclass-map type inspect smtp match-any sdm-app-smtp description Check for SMTP data > 20Mb match data-length gt 20000000class-map type inspect http match-any sdm-app-nonascii match req-resp header regex sdm-regex-nonasciiclass-map type inspect match-all sdm-nat-http-1 match access-group 111 match protocol httpclass-map type inspect match-any sdm-nat-user-nat-stun-1 match protocol user-nat-stunclass-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1 match class-map sdm-nat-user-nat-stun-1 match access-group 114class-map type inspect match-all sdm-nat-smtp-1 match access-group 110 match protocol smtp extendedclass-map type inspect imap match-any sdm-app-imap description Check for invalid IMAP command match invalid-commandclass-map type inspect match-any sdm-protocol-ftp match protocol ftp match protocol ftps match protocol user-ftp-passiveclass-map type inspect match-any sdm-cls-protocol-p2p match protocol gnutella signature match protocol kazaa2 signature match protocol fasttrack signature match protocol bittorrent signatureclass-map type inspect match-any sdm-cls-insp-traffic match protocol dns match protocol https match protocol icmp match protocol imap match protocol pop3 match protocol tcp match protocol udpclass-map type inspect match-all sdm-insp-traffic match class-map sdm-cls-insp-trafficclass-map type inspect match-all sdm-nat-rtsp-1 match access-group 104 match protocol rtspclass-map type inspect match-all sdm-nat-pptp-1 match access-group 106 match protocol pptpclass-map type inspect match-any SDM-Voice-permit description SIP match protocol sipclass-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1 match protocol sip match protocol user-nat-stunclass-map type inspect match-any sdm-protocol-myprotocols match protocol user-sip-proxy match protocol user-ftp-passive match protocol user-teredo match protocol user-mmsu match protocol user-rsync match protocol user-smtps match protocol user-rtspu match protocol user-rtp match protocol user-svn match protocol user-cvs match protocol user-nicname match protocol user-remote-web match protocol user-terminalclass-map type inspect match-all sdm-nat-user-sharepoint-1 match access-group 108 match protocol user-sharepointclass-map type inspect match-all sdm-nat-user-terminal-1 match access-group 105 match protocol user-terminalclass-map type inspect match-all sdm-nat-user-mmsu-1 match access-group 102 match protocol user-mmsuclass-map type inspect match-all sdm-protocol-pop3 match protocol pop3class-map type inspect match-any sdm-cls-icmp-access description ICMP, TCP, and UDP match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any sdm-cls-protocol-im match protocol ymsgr yahoo-servers match protocol msnmsgr msn-servers match protocol aol aol-serversclass-map type inspect match-any sdm-service-sdm-inspect-1 match protocol smtp extended match protocol user-smtpsclass-map type inspect pop3 match-any sdm-app-pop3 description Check for invalid POP3 commands match invalid-commandclass-map type inspect match-all sdm-nat-user-rtspu-1 match access-group 101 match protocol user-rtspuclass-map type inspect match-all sdm-nat-user-rtp-1 match access-group 113 match protocol user-rtpclass-map type inspect match-all sdm-protocol-p2p match class-map sdm-cls-protocol-p2pclass-map type inspect match-all sdm-nat-netshow-1 match access-group 103 match protocol netshowclass-map type inspect http match-any sdm-http-blockparam match request port-misuse im match request port-misuse p2p match request port-misuse tunneling match request port-misuse anyclass-map type inspect match-all sdm-protocol-im match class-map sdm-cls-protocol-imclass-map type inspect match-all sdm-icmp-access match class-map sdm-cls-icmp-accessclass-map type inspect match-all sdm-invalid-src match access-group 100class-map type inspect http match-any sdm-app-httpmethods match request method bcopy match request method bdelete match request method bmove match request method bpropfind match request method bproppatch match request method connect match request method copy match request method delete match request method edit match request method getattribute match request method getattributenames match request method getproperties match request method index match request method lock match request method mkcol match request method mkdir match request method move match request method notify match request method options match request method poll match request method propfind match request method proppatch match request method put match request method revadd match request method revlabel match request method revlog match request method revnum match request method save match request method search match request method setattribute match request method startrev match request method stoprev match request method subscribe match request method trace match request method unedit match request method unlock match request method unsubscribeclass-map type inspect match-all sdm-protocol-http match protocol httpclass-map type inspect match-all sdm-protocol-smtp match class-map sdm-service-sdm-inspect-1class-map type inspect match-all sdm-nat-https-1 match access-group 109 match protocol httpsclass-map type inspect match-all sdm-nat-sip-1 match access-group 112 match protocol sipclass-map type inspect match-all sdm-nat-user-remote-web-1 match access-group 107 match protocol user-remote-webclass-map type inspect match-all sdm-protocol-imap match protocol imap!!policy-map type inspect sdm-permit-icmpreply class type inspect sdm-icmp-access inspect class class-default passpolicy-map type inspect sdm-pol-NATOutsideToInside-1 class type inspect sdm-nat-http-1 inspect class type inspect sdm-nat-https-1 inspect class type inspect sdm-nat-user-rtspu-1 inspect class type inspect sdm-nat-user-mmsu-1 inspect class type inspect sdm-nat-netshow-1 inspect class type inspect sdm-nat-rtsp-1 inspect class type inspect sdm-nat-user-terminal-1 inspect class type inspect sdm-nat-pptp-1 inspect class type inspect sdm-nat-user-remote-web-1 inspect class type inspect sdm-nat-user-sharepoint-1 inspect class type inspect sdm-nat-smtp-1 inspect class type inspect sdm-nat-sip-1 inspect class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1 inspect class type inspect sdm-nat-user-rtp-1 inspect class type inspect sdm-protocol-ftp inspect class class-default drop logpolicy-map type inspect http sdm-action-app-http class type inspect http sdm-http-blockparam allow log class type inspect http sdm-app-httpmethods log allow class type inspect http sdm-app-nonascii log reset class class-defaultpolicy-map type inspect sdm-inspect class type inspect sdm-invalid-src drop log class type inspect sdm-protocol-http inspect service-policy http sdm-action-app-http class type inspect sdm-protocol-smtp inspect class type inspect sdm-protocol-imap inspect class type inspect sdm-protocol-pop3 inspect class type inspect sdm-protocol-im drop log class type inspect sdm-insp-traffic inspect class type inspect SDM-Voice-permit inspect class type inspect sdm-protocol-ftp inspect class type inspect sdm-protocol-myprotocols inspect class class-default passpolicy-map type inspect pop3 sdm-action-pop3 description Reset on invalid POP3 command class type inspect pop3 sdm-app-pop3 log class class-defaultpolicy-map type inspect sdm-permit class type inspect sdm-protocol-ipsec pass class class-default drop logpolicy-map type inspect imap sdm-action-imap description Log invalid IMAP commands class type inspect imap sdm-app-imappolicy-map type inspect smtp sdm-action-smtp description Limit SMTP to 20Mb class type inspect smtp sdm-app-smtp reset class class-default!zone security out-zonezone security in-zonezone-pair security sdm-zp-self-out source self destination out-zone service-policy type inspect sdm-permit-icmpreplyzone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone service-policy type inspect sdm-pol-NATOutsideToInside-1zone-pair security sdm-zp-out-self source out-zone destination self service-policy type inspect sdm-permitzone-pair security sdm-zp-in-out source in-zone destination out-zone service-policy type inspect sdm-inspectbridge irb!!!interface Loopback0 no ip address zone-member security in-zone!interface Null0 no ip unreachables!interface FastEthernet0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip virtual-reassembly zone-member security in-zone ip route-cache flow shutdown duplex auto speed auto!interface BRI0 description ISDN (Unused) no ip address no ip redirects no ip unreachables no ip proxy-arp encapsulation hdlc ip route-cache flow shutdown!interface FastEthernet1 spanning-tree portfast!interface FastEthernet2 spanning-tree portfast!interface FastEthernet3 description Abit spanning-tree portfast!interface FastEthernet4 spanning-tree portfast!interface FastEthernet5 spanning-tree portfast!interface FastEthernet6 spanning-tree portfast!interface FastEthernet7 spanning-tree portfast!interface FastEthernet8 spanning-tree portfast!interface Dot11Radio0 description 802.11g no ip address ip accounting access-violations ! encryption mode ciphers aes-ccm  ! ssid Wireless ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 packet retries 128 station-role root access-point world-mode dot11d country GB indoor bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 port-protected bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Dot11Radio1 description 802.11a no ip address ip accounting access-violations ! encryption mode ciphers aes-ccm  ! ssid Wirelessa ! dfs band 4 block speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 station-role root access-point world-mode dot11d country GB indoor bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 port-protected bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface ATM0 no ip address no ip redirects no ip proxy-arp ip route-cache policy ip route-cache flow logging event atm pvc state logging event subif-link-status no atm ilmi-keepalive dsl operating-mode auto  hold-queue 224 in!interface ATM0.1 point-to-point description Be Unlimited$ES_WAN$$FW_OUTSIDE$ mtu 1500 ip address <my static ip address> <my static ip mask> ip verify unicast reverse-path no ip redirects no ip proxy-arp ip nbar protocol-discovery ip flow ingress ip flow egress ip nat outside ip ips sdm_ips_rule in ip ips sdm_ips_rule out ip virtual-reassembly zone-member security out-zone ip route-cache same-interface ip tcp adjust-mss 1460 snmp trap link-status atm route-bridged ip pvc BeUnlimited 0/101  oam-pvc manage encapsulation aal5snap ! crypto map IPSec-Policy!interface Virtual-Template1 type serial description L2TP/IPSec$FW_INSIDE$ ip unnumbered BVI1 no ip redirects ip nbar protocol-discovery ip flow ingress ip flow egress ip nat inside ip ips sdm_ips_rule in ip ips sdm_ips_rule out ip virtual-reassembly zone-member security in-zone ip route-cache flow ip tcp adjust-mss 1360 peer default ip address dhcp no keepalive ppp mtu adaptive ppp authentication eap ms-chap-v2 ppp ipcp header-compression ack ppp ipcp username unique!interface Vlan1 description LAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$ no ip address ip helper-address <server ip address> ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1460 bridge-group 1!interface BVI1 description LAN$ES_LAN$$FW_INSIDE$ ip address <router ip address> 255.255.255.0 no ip redirects ip nbar protocol-discovery ip flow ingress ip flow egress ip nat inside ip virtual-reassembly zone-member security in-zone ip route-cache flow!router bgp <my as> no synchronization bgp log-neighbor-changes neighbor <cymru ip address> remote-as <remote as> neighbor <cymru ip address> description cymru neighbor <cymru ip address> password 7 <password> neighbor <cymru ip address> ebgp-multihop 255 neighbor <cymru ip address> prefix-list cymru-out out neighbor <cymru ip address> route-map CYMRUBOGONS in neighbor <cymru ip address> maximum-prefix 100 90 no auto-summary!no ip forward-protocol ndip route profileip route 0.0.0.0 0.0.0.0 <Be gateway IP address>ip route 192.0.2.1 255.255.255.255 Null0ip route <cymru ip address> 255.255.255.255 <Be gateway IP address>!ip bgp-community new-formatip community-list 10 permit <remote as>:888ip flow-export version 9ip flow-export destination <monitor ip address> 2055ip flow-top-talkers top 200 sort-by bytes cache-timeout 36000!ip http serverip http access-class 3ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000ip nat piggyback-support sip all-messages router 1ip nat inside source static udp <server ip address> 5005 interface ATM0.1 5005ip nat inside source static udp <server ip address> 1755 interface ATM0.1 1755ip nat inside source static tcp <server ip address> 1755 interface ATM0.1 1755ip nat inside source static tcp <server ip address> 554 interface ATM0.1 554ip nat inside source static tcp <server ip address> 3389 interface ATM0.1 3389ip nat inside source static tcp <server ip address> 1723 interface ATM0.1 1723ip nat inside source static tcp <server ip address> 4125 interface ATM0.1 4125ip nat inside source static tcp <server ip address> 444 interface ATM0.1 444ip nat inside source static tcp <server ip address> 443 interface ATM0.1 443ip nat inside source static tcp <server ip address> 25 interface ATM0.1 25ip nat inside source static tcp <server ip address> 80 interface ATM0.1 80ip nat inside source static udp <phone ip address> 5060 interface ATM0.1 5060ip nat inside source static udp <phone ip address> 5004 interface ATM0.1 5004ip nat inside source static udp <phone ip address> 5006 interface ATM0.1 5006ip nat inside source list 1 interface ATM0.1 overload!ip access-list extended SDM_ESP remark SDM_ACL Category=0 permit esp any any!!ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32logging trap debugginglogging <server ip address>access-list 1 remark INSIDE_IF=BVI1access-list 1 remark SDM_ACL Category=2access-list 1 permit <from lan> <lan mask>access-list 2 remark HTTP Access-class listaccess-list 2 remark SDM_ACL Category=1access-list 2 permit <from lan> <lan mask>access-list 2 deny anyaccess-list 3 remark HTTP Access-class listaccess-list 3 remark SDM_ACL Category=1access-list 3 permit <from lan> <lan mask>access-list 3 deny anyaccess-list 100 remark SDM_ACL Category=128access-list 100 permit ip host 255.255.255.255 anyaccess-list 100 permit ip 127.0.0.0 0.255.255.255 anyaccess-list 100 permit ip <Be subnet> <Be subnet mask> anyaccess-list 101 remark SDM_ACL Category=0access-list 101 permit ip any host <server ip address>access-list 102 remark SDM_ACL Category=0access-list 102 permit ip any host <server ip address>access-list 103 remark SDM_ACL Category=0access-list 103 permit ip any host <server ip address>access-list 104 remark SDM_ACL Category=0access-list 104 permit ip any host <server ip address>access-list 105 remark SDM_ACL Category=0access-list 105 permit ip any host <server ip address>access-list 106 remark SDM_ACL Category=0access-list 106 permit ip any host <server ip address>access-list 107 remark SDM_ACL Category=0access-list 107 permit ip any host <server ip address>access-list 108 remark SDM_ACL Category=0access-list 108 permit ip any host <server ip address>access-list 109 remark SDM_ACL Category=0access-list 109 permit ip any host <server ip address>access-list 110 remark SDM_ACL Category=0access-list 110 permit ip any host <server ip address>access-list 111 remark SDM_ACL Category=0access-list 111 permit ip any host <server ip address>access-list 112 remark SDM_ACL Category=0access-list 112 permit ip any host <phone ip address>access-list 113 remark SDM_ACL Category=0access-list 113 permit ip any host <phone ip address>access-list 114 remark SDM_ACL Category=128access-list 114 permit ip any host <phone ip address>access-list 115 remark VTY Access-class listaccess-list 115 remark SDM_ACL Category=1access-list 115 permit ip <from lan> <lan mask> anyaccess-list 115 deny ip any anysnmp-server community <community 1> RWsnmp-server community <community 2> ROsnmp-server ifindex persistsnmp-server host <server ip address> monitor no cdp run!!!route-map CYMRUBOGONS permit 10 description Filter bogons learned from cymru.com bogon route-servers match community 10 set ip next-hop 192.0.2.1!!!radius-server attribute 32 include-in-access-req format %hradius-server host <server ip address> auth-port 1645 acct-port 1646 key 7 <password>radius-server vsa send accounting!control-plane!bridge 1 protocol ieeebridge 1 route ipbanner exec ^CTrespassers will be shot.Survivors will be prosecuted to the full extent of the law.You have been warned ...^Cbanner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^Calias exec ru sh runalias exec ri sh run | i alias exec rb sh run | b !line con 0 login authentication local_authen transport output telnetline aux 0 login authentication local_authen transport output telnetline vty 0 4 access-class 115 in privilege level 15 authorization exec local_author login authentication local_authen transport input telnet sshline vty 5 15 access-class 115 in privilege level 15 authorization exec local_author login authentication local_authen transport input telnet ssh!scheduler allocate 4000 1000scheduler interval 500ntp loggingntp clock-period 17180251ntp update-calendarntp server <ntp1 ip address> source ATM0.1ntp server <ntp2 ip address> source ATM0.1end]]> http://www.dslreports.com/forum/remark,20287594 Sat, 05 Apr 2008 13:17:41 EDT