Cisco 851 firewall woes

Discussion in 'Cisco' started by vorpus@gmail.com, May 6, 2008.

  1. Guest

    I'm having a massive problem with my Cisco 851. I'm brand new to Cisco
    and the IOS and will actually be attending some technical training in
    the coming days. In the meantime, though, I am unable to use the
    built-in firewall.

    Using the SDM, here is the error I get when using the basic firewall
    wizard:

    -----------------------------------------------
    Submitting 99 commands, please wait...
    class-map type inspect match-any sdm-cls-insp-traffic


    Error detected at this command. Click OK
    -----------------------------------------------

    When I connect to the router via the console, this is what it tells
    me:

    -----------------------------------------------
    vorpalrouter#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    vorpalrouter(config)#class-map ?
    % Unrecognized command
    vorpalrouter(config)#class-map
    -----------------------------------------------

    Any idea why this is happening? Is there any other way I can lock down
    ports?
     
    , May 6, 2008
    #1

  2. Guest

    On 6 May, 09:42, "Peter" <> wrote:
    > Greetings,
    >
    > > When I connect to the router via the console, this is what it tells
    > > me:
    > >
    > > -----------------------------------------------
    > > vorpalrouter#conf t
    > > Enter configuration commands, one per line.  End with CNTL/Z.
    > > vorpalrouter(config)#class-map ?
    > > % Unrecognized command
    > > vorpalrouter(config)#class-map
    > > -----------------------------------------------
    > >
    > > Any idea why this is happening?
    >
    > Without more info it's hard to say exactly, but the error message
    > suggests to me that the version of IOS you are using does not include
    > that command (and that command is not firewall specific).
    >
    > Using the CLI, post the output of the "sh ver" command. This will tell
    > us the H/W and S/W details of what is in your Router.
    >
    > > Is there any other way I can lock down ports?
    >
    > If you really do have the Firewall IOS (which I doubt, we need to see
    > the above output to be able to tell), then by default everything
    > already IS shut down.


    Hmmm. Not shut down in my experience.
    But then I usually blow away the SDM default
    anyway.

    You need the following.

    Deny EVERYTHING inbound
    Use inspect to allow "returning traffic" back in.
    Of course you can then add exceptions to the
    inbound block as required if you were publishing services
    to the internet.

    ip inspect name sunshine tcp
    ip inspect name sunshine udp
    ip inspect name sunshine icmp

    !! Add the following if you require/want:-
    ip inspect name sunshine ftp
    ip inspect name sunshine http
    ip inspect name sunshine tftp
    ip inspect name sunshine netshow
    ip inspect name sunshine realaudio
    ip inspect name sunshine sip
    ip inspect name sunshine skinny
    ip inspect name sunshine rtsp
    ip inspect name sunshine streamworks
    !
    interface ATM0/0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0/0.1 point-to-point
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    !
    interface Dialer0
     ip address <removed>
     ip access-group inbound in
     ip inspect sunshine out
    !
    ip access-list extended inbound
     deny ip any any
     
    , May 6, 2008
    #2
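
Added example, not part of the thread: a Python check that a saved IOS configuration follows the pattern post #2 describes (an inbound ACL on the outside interface, an inspect rule applied outbound on the same interface, and tcp/udp/icmp inspected). The function names, the finding texts and the use of tcp/udp/icmp as the required baseline are assumptions of this example.

```python
import re

# Constructed sample: the Dialer0 part of the configuration in the post above.
SAMPLE_CONFIG = """\
ip inspect name sunshine tcp
ip inspect name sunshine udp
ip inspect name sunshine icmp
interface Dialer0
 ip access-group inbound in
 ip inspect sunshine out
ip access-list extended inbound
 deny ip any any
"""

def parse(config):
    """Collect inspect rules, per-interface commands and named extended ACLs."""
    inspect, ifaces, acls, block = {}, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        rule = re.match(r"ip inspect name (\S+) (\S+)", line)
        if rule:
            inspect.setdefault(rule.group(1), set()).add(rule.group(2))
        elif line.startswith("interface "):
            block = ifaces.setdefault(line.split()[1], [])
        elif line.startswith("ip access-list extended "):
            block = acls.setdefault(line.split()[3], [])
        elif line and not line.startswith("!") and block is not None:
            block.append(line)  # sub-command of the current block
    return inspect, ifaces, acls

def audit(config):
    """Return findings where an interface departs from the post's pattern."""
    inspect, ifaces, acls = parse(config)
    findings = []
    for name, cmds in ifaces.items():
        acl_in = [c.split()[2] for c in cmds if re.fullmatch(r"ip access-group \S+ in", c)]
        insp_out = [c.split()[2] for c in cmds if re.fullmatch(r"ip inspect \S+ out", c)]
        if not (acl_in or insp_out): continue  # interface does not use the pattern
        if not acl_in:
            findings.append(f"{name}: inspect without an inbound access-group")
        if not insp_out:
            findings.append(f"{name}: inbound ACL without 'ip inspect <rule> out'")
        for acl in acl_in:
            if not acls.get(acl):  # IOS permits all traffic through such an ACL
                findings.append(f"{name}: ACL {acl} is undefined or empty")
        for rule in insp_out:
            missing = sorted({"tcp", "udp", "icmp"} - inspect.get(rule, set()))
            if missing:
                findings.append(f"{name}: inspect rule {rule} lacks {missing}")
    return findings
```

Run `audit()` on the text of `show running-config`; an empty list means the interface matches the pattern, and the parser does not depend on indentation because the configuration in the post has none.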

  3. Uli Link Guest

    Peter wrote:
    > Without more info it's hard to say exactly, but the error message
    > suggests to me that the version of IOS you are using does not include
    > that command (and that command is not firewall specific).
    >

    The 850 series routers only come with advsecurity IOS (which includes
    the Firewall featureset)

    --
    Uli
     
    Uli Link, May 6, 2008
    #3
  4. What feature packs? What version?

    class-map ? works for me.

    Cisco 1841 running

    Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.3(8)T4,
    RELEASE SOFTWARE (fc2)

    <host>(config)#class-map ?
    WORD class-map name
    match-all Logical-AND all matching statements under this classmap
    match-any Logical-OR all matching statements under this classmap

    I'm not an expert on the different cisco lines so maybe the 851 doesn't
    support what you want?

    You should check the release notes and feature matrix for your router.

    Charles



    wrote:
    > I'm having a massive problem with my Cisco 851. I'm brand new to Cisco
    > and the IOS and will actually be attending some technical training in
    > the coming days. In the meantime, though, I am unable to use the built-
    > in firewall.
    >
    > Using the SDM, here is the error I get when using the basic firewall
    > wizard:
    >
    > -----------------------------------------------
    > Submitting 99 commands, please wait...
    > class-map type inspect match-any sdm-cls-insp-traffic
    >
    >
    > Error detected at this command. Click OK
    > -----------------------------------------------
    >
    > When I connect to the router via the console, this is what it tells
    > me:
    >
    > -----------------------------------------------
    > vorpalrouter#conf t
    > Enter configuration commands, one per line. End with CNTL/Z.
    > vorpalrouter(config)#class-map ?
    > % Unrecognized command
    > vorpalrouter(config)#class-map
    > -----------------------------------------------
    >
    > Any idea why this is happening? Is there any other way I can lock down
    > ports?
     
    Charles N Wyble, Jun 3, 2008
    #4