Tek-Tips is the largest IT community on the Internet today!

acl started blocking incoming packets


burtsbees (Programmer) | Joined Jan 29, 2007 | 7,657 posts | US
I disabled the incoming ACL while trying to troubleshoot incoming FTP packets. I did nothing to the ACL. I have IPS and CBAC enabled. After this, I re-enabled the ACLs on the interfaces (anti-spoofing inbound on the LAN interface and incoming on the WAN interface). Here is the config...

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.02.27 21:44:32 =~=~=~=~=~=~=~=~=~=~=~=
do sh run
Building configuration...

Current configuration : 11501 bytes

Last configuration change at 21:06:14 cst Sat Feb 27 2010

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime
service password-encryption
service sequence-numbers
hostname Edge
boot-start-marker
boot system flash:c2600-adventerprisek9-mz.124-25a.bin
boot-end-marker
security authentication failure rate 2 log
logging count
logging userinfo
logging buffered 64000 debugging
no logging console
enable secret 5 $1$tLC1$Zxx3UJFvvJsQFO/KTChkF/
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
aaa session-id common
clock timezone cst -6
clock summer-time CST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.68.68.1 10.68.68.70
ip dhcp pool t
import all
network 10.68.68.0 255.255.255.0
default-router 10.68.68.1
dns-server x.x.x.x y.y.y.y
no ip bootp server
ip domain name directly_connected.com
ip host Switch 10.68.68.7
ip name-server x.x.x.x
ip name-server x.x.x.x
ip inspect log drop-pkt
ip inspect dns-timeout 300
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW xdmcp
ip inspect name SDM_LOW x11
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW who
ip inspect name SDM_LOW webster
ip inspect name SDM_LOW vqp
ip inspect name SDM_LOW uucp
ip inspect name SDM_LOW ttc
ip inspect name SDM_LOW tr-rsrb
ip inspect name SDM_LOW timed
ip inspect name SDM_LOW time
ip inspect name SDM_LOW telnets
ip inspect name SDM_LOW telnet
ip inspect name SDM_LOW tarantella
ip inspect name SDM_LOW tacacs-ds
ip inspect name SDM_LOW tacacs
ip inspect name SDM_LOW syslog-conn
ip inspect name SDM_LOW syslog
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tcp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://sigv5-SDM-S372.zip
ip ips notify SDEE
ip ips signature 2004 0 disable
ip ips name sdm_ips_rule
ip ddns update method TIMMAY!
HTTP
add interval maximum 0 0 11 0
interval minimum 0 0 10 0
ip sla monitor responder
ip sla monitor logging traps
crypto pki trustpoint TP-self-signed-152980644
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-152980644
revocation-check none
rsakeypair TP-self-signed-152980644
crypto pki certificate chain TP-self-signed-152980644
certificate self-signed 01
(cert output)
quit
file prompt quiet
username xxxxxxxxx privilege 15 secret 5 $1$lW9S$qs6nrUg19K5h2Mt4k8Zjx.
ip tcp intercept list 141
no ip ftp passive
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group
key xxxxxxxxxxxx
pool vpn_pool_1
acl SPLIT-TUNNEL
include-local-lan
max-users 2
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface ATM0/0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting access-violations
no atm ilmi-keepalive
dsl operating-mode auto
clock rate aal5 7000000
clock rate aal2 2600000
interface ATM0/0.1 point-to-point
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting access-violations
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1

interface FastEthernet0/0
ip address 10.68.68.1 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
ip accounting mac-address input
ip accounting mac-address output
ip accounting access-violations
ip mtu 1492
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Dialer0
description AT&T_1-877-722-3755_acc_number_xxxxxxxxxxxxxxx
ip ddns update hostname 2621xm.gotdns.com
ip ddns update TIMMAY! host members.dyndns.org
ip address negotiated
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting access-violations
ip nat outside
ip inspect SDM_LOW in
ip ips sdm_ips_rule in
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname
ppp chap password 7 xxxxxxxxxxxxx
ppp pap sent-username bla password 7 bla
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
router eigrp 69
network 10.0.0.0 0.0.0.3
network 10.10.10.0 0.0.0.0
no auto-summary
ip local pool vpn_pool_1 10.68.68.5 10.68.68.6
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http authentication local
ip http secure-server
ip http secure-client-auth
ip http max-connections 1
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 10.68.68.71 21 interface Dialer0 21
ip access-list extended SPLIT-TUN
permit ip 10.68.68.0 0.0.0.3 10.68.68.4 0.0.0.3
permit ip 10.68.68.64 0.0.0.63 10.68.68.4 0.0.0.3
permit ip 10.68.68.32 0.0.0.31 10.68.68.4 0.0.0.3
permit ip host 10.68.68.10 10.68.68.4 0.0.0.3
ip access-list extended SPLIT-TUNNEL
kron occurrence daily in 1:0:0 recurring
policy-list clear_NAT
kron occurrence weekly in 7:0:0 recurring
policy-list clear_interface_counters
kron occurrence config at 21:28 recurring
policy-list config-list
kron policy-list clear_NAT
cli clear ip nat trans *
kron policy-list clear_interface_counters
cli clear counters
kron policy-list config-list
logging filter nvram args ICMP Echo Req
logging history warnings
logging trap debugging
logging server-arp
logging 10.68.68.71
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 20 permit x.x.x.x log
access-list 20 permit 10.68.68.0 0.0.0.255
access-list 20 deny any log
access-list 101 deny ip any 10.68.68.4 0.0.0.3
access-list 101 permit ip 10.68.68.0 0.0.0.255 any
access-list 102 permit ip host 10.68.68.72 209.85.0.0 0.0.255.255 log
access-list 102 deny ip host 10.68.68.72 66.135.202.0 0.0.0.255 log
access-list 102 deny ip host 10.68.68.72 74.125.0.0 0.0.255.255 log
access-list 102 deny ip host 10.68.68.72 208.0.0.0 3.255.255.255 log
access-list 102 permit ip host 10.68.68.72 any log
access-list 102 permit ip any any
access-list 103 permit udp host x.x.x.x any eq ntp log
access-list 103 permit udp host x.x.x.x any eq ntp log
access-list 103 permit tcp host x.x.x.x any eq 22 log
access-list 103 permit udp host x.x.x.x eq domain any log
access-list 103 permit udp host x.x.x.x eq domain any log
access-list 103 permit udp host x.x.x.x eq domain any log
access-list 103 permit tcp any host 10.68.68.71 eq ftp log
access-list 103 permit tcp host 198.36.171.18 any log
access-list 103 deny icmp host 192.41.12.197 any unreachable log
access-list 103 deny icmp host 192.41.12.197 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 deny ip host 0.0.0.0 any log
access-list 103 deny ip any host 10.68.68.10 log
access-list 103 permit esp any any
access-list 103 permit tcp any any eq 10000
access-list 103 permit udp any any eq 10000
access-list 103 permit udp host x.x.x.x any eq isakmp
access-list 103 deny ip any any log
access-list 104 permit ip 10.68.68.0 0.0.0.255 any
access-list 104 permit udp host 0.0.0.0 host 255.255.255.255
access-list 104 permit udp 169.254.0.0 0.0.255.255 host 169.254.255.255
access-list 104 permit tcp 10.68.68.0 0.0.0.255 any
access-list 104 permit udp 10.68.68.0 0.0.0.255 any
access-list 104 deny ip any any log
access-list 141 permit tcp any 10.68.68.0 0.0.0.255 log
dialer-list 1 protocol ip permit
control-plane
banner motd ^C ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/^C
alias exec sr show run
line con 0
logging synchronous
line aux 0
login ctrlc-disable
transport output none
line vty 0 3
access-class 20 in
transport input ssh
line vty 4
access-class 20 in
transport input ssh
parser view test
secret 5 $1$ko5t$DJ2VHzAkZNSWbpXqCVSle1
commands exec include show startup-config
commands exec include show
parser view tim
secret 5 $1$YF8q$9lB1TK88x9XlfQ5tNzO9O.
commands exec include all show
parser view test2
secret 5 $1$UP8l$wHDPW/W7qxxbIAad0L8640
commands exec include show running-config
commands exec include show
ntp clock-period 17180371
ntp master
ntp peer 10.68.68.7
ntp server x.x.x.x source Dialer0
ntp server x.x.x.x source Dialer0
end

Edge#

I also disabled ip inspect tcp and ftp, then re-enabled them. They ended up at the bottom of the list. After all this, with the config back to exactly what it was before, ACL 103 started blocking HTTP requests (when I tried to browse to Google, or anywhere).

syslog message was

02-27-2010 21:33:12 Local7.Info 10.68.68.1 772: 000779: Feb 28 03:33:12: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.99(80) -> x.x.x.x(1372), 1 packet

when I tried to get to Google. So I added

Edge(config-ext-nacl)#1 permit tcp any any ack log-input

in order for it to work again...

Why would that acl block Google or anything else suddenly? I had also tried

Edge(config-ext-nacl)#1 permit tcp any any established

and that still did not work...

Any thoughts?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
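The packet in the syslog line is Google's SYN-ACK: source port 80, destination the negotiated Dialer0 address on the browser's ephemeral port 1372. ACL 103 as posted has no static entry for replies to sessions opened from the LAN; those rely on the temporary per-session entries that `ip inspect` (CBAC) adds above the static entries of the inbound ACL, and `show ip inspect sessions` together with `show ip access-lists 103` show whether such an entry exists for a given browser session. Two things in the posted config are worth checking against that: the inspection rule is applied only as `ip inspect SDM_LOW in` on Dialer0, which tracks sessions arriving from the Internet (such as the inbound FTP to 10.68.68.71) rather than sessions leaving through Dialer0, and removing and re-adding inspect entries discards the inspection state of sessions already open.

The Python below is an editor's example added here, not code from the post or from Cisco. It is a small evaluator for IOS numbered extended ACLs that replays the logged packet against ACL 103 as posted, then with each sequence-1 fix from the post, then with the kind of per-session pinhole CBAC would have inserted. The obfuscated x.x.x.x hosts are replaced by 192.0.2.x placeholders and the Dialer0 address by 198.51.100.10; neither appears on the page.

```python
"""Added example (editor's code, not from the post): an evaluator for IOS numbered
extended ACLs, replaying the logged packet against ACL 103. Placeholders, not on the
page: x.x.x.x hosts -> 192.0.2.x and the Dialer0 address -> 198.51.100.10 (TEST-NET)."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ntp": 123, "domain": 53, "ftp": 21, "isakmp": 500}  # "eq <name>" keywords used
WAN_IP = "198.51.100.10"  # placeholder for the obfuscated negotiated Dialer0 address
# flags: TCP flags set on the segment, e.g. {"SYN", "ACK"}; icmp_type: e.g. "unreachable"
Packet = namedtuple("Packet", "proto src dst sport dport flags icmp_type", defaults=(0, 0, frozenset(), ""))
# tcp_match: "ack" (ACK bit set) or "established" (ACK or RST bit set); None = not tested
Rule = namedtuple("Rule", "action proto src sport dst dport tcp_match icmp_type text")

def wildcard_net(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - w.bit_length()
    if w != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def parse_addr(tok, i):
    """Parse '<any|host A|A WILDCARD> [eq PORT]' at tok[i]; return (net, port, next index)."""
    if tok[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    else:
        net, i = wildcard_net(tok[i], tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return net, port, i

def parse_acl(text):
    """Parse lines of 'access-list N {permit|deny} PROTO SRC DST [ack|established|ICMP-TYPE] [log]'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, i = parse_addr(tok, 4)
        dst, dport, i = parse_addr(tok, i)
        rest = [t for t in tok[i:] if t not in ("log", "log-input")]
        tcp_match = rest[0] if tok[3] == "tcp" and rest else None
        icmp_type = rest[0] if tok[3] == "icmp" and rest else None
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport, tcp_match, icmp_type, line))
    return rules

def matches(r, p):
    """One ACE against one packet; a None field in the ACE is not tested."""
    ok = (r.proto in ("ip", p.proto)
          and ipaddress.IPv4Address(p.src) in r.src and ipaddress.IPv4Address(p.dst) in r.dst
          and r.sport in (None, p.sport) and r.dport in (None, p.dport)
          and r.icmp_type in (None, p.icmp_type))
    if r.tcp_match == "ack":
        ok = ok and "ACK" in p.flags
    elif r.tcp_match == "established":
        ok = ok and bool(p.flags & {"ACK", "RST"})
    return ok

def evaluate(rules, p):
    """First match wins, as IOS walks an ACL; no match is the implicit deny."""
    for r in rules:
        if matches(r, p):
            return r.action, r.text
    return "deny", "(implicit deny)"

ACL_103_POSTED = """\
access-list 103 permit udp host 192.0.2.1 any eq ntp log
access-list 103 permit udp host 192.0.2.2 any eq ntp log
access-list 103 permit tcp host 192.0.2.3 any eq 22 log
access-list 103 permit udp host 192.0.2.4 eq domain any log
access-list 103 permit udp host 192.0.2.5 eq domain any log
access-list 103 permit udp host 192.0.2.6 eq domain any log
access-list 103 permit tcp any host 10.68.68.71 eq ftp log
access-list 103 permit tcp host 198.36.171.18 any log
access-list 103 deny icmp host 192.41.12.197 any unreachable log
access-list 103 deny icmp host 192.41.12.197 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 deny ip host 0.0.0.0 any log
access-list 103 deny ip any host 10.68.68.10 log
access-list 103 permit esp any any
access-list 103 permit tcp any any eq 10000
access-list 103 permit udp any any eq 10000
access-list 103 permit udp host 192.0.2.7 any eq isakmp
access-list 103 deny ip any any log"""

# The denied packet from the syslog line: Google's SYN-ACK (ACK bit set) to ephemeral port 1372.
SYN_ACK = Packet("tcp", "209.85.225.99", WAN_IP, 80, 1372, frozenset({"SYN", "ACK"}))
# Constructed probe: an ACK-flagged segment from nowhere to port 22, i.e. what an ACK scan sends.
STRAY_ACK = Packet("tcp", "203.0.113.7", WAN_IP, 4444, 22, frozenset({"ACK"}))

def with_top_entry(entry):
    """'1 permit ...' under 'ip access-list extended 103' lands at sequence 1, above everything."""
    return parse_acl(f"access-list 103 {entry}\n{ACL_103_POSTED}")

def cbac_pinhole(reply):
    """Shape of the per-session entry ip inspect adds to let one tracked session's replies in."""
    return f"permit tcp host {reply.src} eq {reply.sport} host {reply.dst} eq {reply.dport}"
```

Calling `evaluate(parse_acl(ACL_103_POSTED), SYN_ACK)` ends at `deny ip any any log`, matching the syslog line, and both `with_top_entry("permit tcp any any established")` and `with_top_entry("permit tcp any any ack log-input")` let the SYN-ACK through, since IOS `established` matches segments with ACK or RST set and `ack` those with ACK set (the evaluator models only the static ACL, so it cannot reproduce whatever stopped the `established` variant in the post). The difference shows up with the constructed stray ACK: the blanket entry passes any ACK-flagged segment from anywhere to any TCP port behind the ACL, which is exactly what an ACK scan or a crafted segment sends, while `with_top_entry(cbac_pinhole(SYN_ACK))` is bound to one session's 4-tuple and still rejects it. That is the cost of the static workaround: it restores browsing but gives up the narrow, stateful opening CBAC was providing.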
 
Bumpety bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump bump

 