Access list to permit outbound VPN?
We have the following ACL assigned to the WAN port of our Cisco 831:
access-list 111 permit tcp any any established
access-list 111 permit tcp host [*remote private ip snipped*] any eq telnet
access-list 111 permit esp any any
access-list 111 permit ahp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit gre any any
access-list 111 permit udp any eq isakmp any
access-list 111 permit udp any eq non500-isakmp any
access-list 111 permit udp any eq domain any
access-list 111 permit udp any eq 21068 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 3390
access-list 111 permit tcp any any eq 143
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq pop3
access-list 111 deny ip any any
Should that allow a host on the LAN to access a remote VPN connection (using Cisco VPN client)? Is anything else needed?
Router is running 12.3(8), already supporting inbound Cisco client connections and one remote LAN-to-LAN VPN.
I have a few questions:
Are you sure that this is outbound, and not inbound on the WAN interface?
The thing that needs to be identified is which flavor of IPSEC you are using in the client. Standard IPSEC and IPSEC over UDP do not work well unless they have a 1-for-1 NAT translation. IPSEC over TCP usually works if you are doing PAT'ing of some sort. If the VPN device on the other end can support IPSEC over TCP (Concentrator or PIX/ASA running 7.x) then set the client to use IPSEC over TCP.
Similar Messages
-
Access-list 1 permit 0.0.0.0
Hi
What is the relevance of this command in the following context?
access-list 1 permit 0.0.0.0
interface g0/1
ip address 10.1.1.1 255.255.255.0
ip access-group 1 in
Thanks
Hilary,
When you define a standard access list and do not include a wildcard mask, you are specifying a particular host address. For example:
access-list 1 permit 192.168.10.10
will only permit traffic sourced from the 192.168.10.10 IP address.
Following the example above, unless you have a host with an IP of 0.0.0.0, the access list you're providing is essentially equivalent to:
access-list 1 deny any
If you would like an in-depth look on ACLs, please check out this Cisco doc on access lists:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#standacl
and read the section titled Standard ACLs.
Regards,
Eric Kang
-
Different "access-list outside_cryptomap" for every VPN?
Hi,
Just for my understanding.
I have one VPN connected to my Cisco ASA 5520; when I tried to add another VPN I had to create a 2nd crypto map. Can I not create a group so there is one crypto map?
Currently I have:
access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
But wondered if I could use some thing like:
access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks
When I do this though I guess it will cause a problem with the peer address? Is there a certain order I need to add the config into the CLI as well?
I have this to add:
access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
crypto map outside_map 1 match address outside_MYcryptomap_1
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy CBSO-L2L
tunnel-group 1.2.3.4 ipsec-attributes
pre-shared-key abcdefgh
-
Remote access VPN access across LAN-to-LAN VPN
I have two sites (site 1 & site 2) connected by a LAN-to-LAN VPN. At site 1, users connect with a remote access VPN and need to be able to access resources at site 2.
I started out with same-security-traffic intra-interface configured.
Here is the output from both ASAs:
NM-ASA# show crypto isakmp sa
Active SA: 6
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 74.138.171.237
Type : user Role : responder
Rekey : no State : AM_ACTIVE
3 IKE Peer: 96.28.201.133
Type : user Role : responder
Rekey : no State : AM_ACTIVE
4 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
5 IKE Peer: 74.138.126.195
Type : user Role : responder
Rekey : no State : AM_ACTIVE
6 IKE Peer: 96.28.201.133
Type : user Role : responder
Rekey : no State : AM_ACTIVE
NM-ASA#
NM-ASA# sho crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.5/255.255.255.255/0/0)
current_peer: 96.28.201.133, username: joneal
dynamic allocated peer ip: 10.1.20.5
#pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 5E0D76C9
inbound esp sas:
spi: 0x969790AD (2526515373)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28618
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000003 0xFFFFFFFF
outbound esp sas:
spi: 0x5E0D76C9 (1577940681)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 315392, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28618
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.6/255.255.255.255/0/0)
current_peer: 96.28.201.133, username: joneal
dynamic allocated peer ip: 10.1.20.6
#pkts encaps: 1368, #pkts encrypt: 1368, #pkts digest: 1368
#pkts decaps: 945, #pkts decrypt: 945, #pkts verify: 945
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1368, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 96.28.201.133
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 968FF103
inbound esp sas:
spi: 0xA49C8920 (2761722144)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28703
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x968FF103 (2526015747)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 331776, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28702
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
access-list peak10-vpn permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 352, #pkts encrypt: 352, #pkts digest: 352
#pkts decaps: 270, #pkts decrypt: 270, #pkts verify: 270
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 352, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 773AB6C7
inbound esp sas:
spi: 0xD34E0435 (3545105461)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914940/28605)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x773AB6C7 (2000336583)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914941/28605)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 20, local addr: 2.2.2.2
access-list peak10-vpn permit ip 192.168.128.0 255.255.224.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 26, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 66CD02A3
inbound esp sas:
spi: 0x531B430A (1394295562)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914990/28666)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x01FFFFFF
outbound esp sas:
spi: 0x66CD02A3 (1724711587)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 303104, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914990/28666)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.7/255.255.255.255/0/0)
current_peer: 74.138.126.195, username: jnord
dynamic allocated peer ip: 10.1.20.7
#pkts encaps: 990, #pkts encrypt: 990, #pkts digest: 990
#pkts decaps: 1429, #pkts decrypt: 1429, #pkts verify: 1429
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 990, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 3
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.126.195
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 62241B76
inbound esp sas:
spi: 0xB1F2F97B (2985490811)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28674
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x62241B76 (1646533494)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 327680, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28674
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.20.4/255.255.255.255/0/0)
current_peer: 74.138.171.237, username: cbulmahn
dynamic allocated peer ip: 10.1.20.4
#pkts encaps: 832, #pkts encrypt: 832, #pkts digest: 832
#pkts decaps: 620, #pkts decrypt: 620, #pkts verify: 620
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 832, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 74.138.171.237
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 64CD5FBE
inbound esp sas:
spi: 0xCDFCE528 (3455903016)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28613
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x64CD5FBE (1691180990)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 311296, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28613
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 5228, #pkts encrypt: 5228, #pkts digest: 5228
#pkts decaps: 5246, #pkts decrypt: 5246, #pkts verify: 5246
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5229, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3200F1CB
inbound esp sas:
spi: 0x10DEE5CE (283043278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373446/28613)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3200F1CB (838922699)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373496/28613)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.111.0 255.255.255.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 296, #pkts decrypt: 296, #pkts verify: 296
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 321, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EC77AF32
inbound esp sas:
spi: 0x16C7E578 (382199160)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373950/28636)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEC77AF32 (3967266610)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373936/28636)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.112.0 255.255.240.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 2910, #pkts encrypt: 2910, #pkts digest: 2910
#pkts decaps: 3794, #pkts decrypt: 3794, #pkts verify: 3794
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2996, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: EEDD3278
inbound esp sas:
spi: 0x9FAA12E6 (2678723302)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4370659/28610)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEEDD3278 (4007473784)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373556/28610)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2
access-list sg-vpn permit ip 192.168.128.0 255.255.224.0 192.168.0.0 255.255.192.0
local ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3034, #pkts encrypt: 3034, #pkts digest: 3034
#pkts decaps: 3748, #pkts decrypt: 3748, #pkts verify: 3748
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3034, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D1F3CBED
inbound esp sas:
spi: 0x7C688B5D (2087226205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4370712/28609)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD1F3CBED (3522415597)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 319488, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (4373429/28609)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
NM-ASA#
QSRCORPFW# sho crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
QSRCORPFW# sho crypto ipsec sa
interface: WAN
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list PEAK10VPN permit ip 192.168.0.0 255.255.192.0 172.16.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 2162, #pkts encrypt: 2162, #pkts digest: 2162
#pkts decaps: 1761, #pkts decrypt: 1761, #pkts verify: 1761
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2162, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BDC6A8EE
inbound esp sas:
spi: 0x966B78C0 (2523625664)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6328320, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914547/28485)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBDC6A8EE (3183913198)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6328320, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914652/28485)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.10.6/255.255.255.255/0/0)
current_peer: 74.128.145.69, username: administrator
dynamic allocated peer ip: 10.1.10.6
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 74.128.145.69
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 0ED4D561
inbound esp sas:
spi: 0x70133356 (1880306518)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28521
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0001FFFF
outbound esp sas:
spi: 0x0ED4D561 (248829281)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 6332416, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28508
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.111.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.111.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 350, #pkts encrypt: 350, #pkts digest: 350
#pkts decaps: 379, #pkts decrypt: 379, #pkts verify: 379
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 350, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 16C7E578
inbound esp sas:
spi: 0xEC77AF32 (3967266610)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914923/28493)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x16C7E578 (382199160)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914939/28493)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.112.0 255.255.240.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.112.0/255.255.240.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 5270, #pkts encrypt: 5270, #pkts digest: 5270
#pkts decaps: 4314, #pkts decrypt: 4314, #pkts verify: 4314
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5270, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9FAA12E6
inbound esp sas:
spi: 0xEEDD3278 (4007473784)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914358/28463)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9FAA12E6 (2678723302)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911355/28463)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.100.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 11323, #pkts encrypt: 11323, #pkts digest: 11323
#pkts decaps: 11262, #pkts decrypt: 11262, #pkts verify: 11262
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11323, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 10DEE5CE
inbound esp sas:
spi: 0x3200F1CB (838922699)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914033/28461)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x10DEE5CE (283043278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3913939/28459)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.192.0 192.168.128.0 255.255.224.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.192.0/0/0)
remote ident (addr/mask/prot/port): (192.168.128.0/255.255.224.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4206, #pkts encrypt: 4206, #pkts digest: 4206
#pkts decaps: 3490, #pkts decrypt: 3490, #pkts verify: 3490
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4206, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7C688B5D
inbound esp sas:
spi: 0xD1F3CBED (3522415597)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914326/28457)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7C688B5D (2087226205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 6324224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911559/28457)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
QSRCORPFW#
-
Access-List Process - Urgent Help
Dear All,
My question here in this forum is about the process of:-
1- Which interface should I apply this access-list to?
2- In which direction on the selected interface do I have to apply this access-list? In or Out?
Now, my question is here:-
Was I correct in choosing the interface that I will apply this access-list to, or not?
Please read my process of choosing the interface, and tell me if I am correct or not.
I have here my router, an Internet router which is an 1841, with 2 Fast Ethernet interfaces as follows:-
1. Fast Ethernet 0 / 0 :-
Description : connected to My Network as MY LAN .
IP Address of this Interface : 192.168.1.10 / 255.255.255.0
2. Fast Ethernet 0 /1 :-
Description : connected to Second Network on second Building.
IP Address of this Interface : 172.16.20.10 / 255.255.0.0
3. Serial Interface ( S 0 ).
Description : connected to My Server Farm which is in another Network
IP Address of this interface : 10.1.8.20 / 255.255.255.0.
> There is no serial interface or any serial connection at all on my 1841 Router.
> The Default route on My Router is
> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
Now, I only want to deny user 192.168.1.40 access to one server on the server farm, which is OUR POP3 server with the IP 10.1.8.40 / 24.
As anyone knows, it's an extended access list.
So I wrote it like this:-
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
Router(config)# access-list 102 permit ip any any
Process of choosing the interface:
1- Which interface should I apply this access-list to?
2- In which direction on the selected interface do I have to apply this access-list? In or Out?
To answer, and to understand the answer to the 2 questions, here is my process:
First interface f0/0:
< this is the originating interface, and there is no need to apply the ACL on it, whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACL on.
Second interface f0/1:
< this is the second interface, and it has an inbound / outbound direction; if I enable the ACL on this interface in the inbound direction, the traffic will enter because nothing matches the condition; also there is no need to apply it in the outbound direction, because the traffic will not go out from this interface, or there is no matching condition for it. >
Third interface S0:
Also, I have to look at the routes on the router. I will find that everything is routed to interface Serial 0, and if I enable the ACL in the inbound direction, it will stop the traffic from entering the interface < it will only block it from entering the interface if the conditions occur >, so there is no need on the inbound side, but on the outbound side it will work.
So, the final answer will be as follows:
1- Which interface should I apply this access-list to?
( Serial / 0 ).
2- In which direction on the selected interface do I have to apply this access-list? In or Out?
( Outbound ).
Was I correct or not? Please, someone update me.
The access-list can be applied in either direction depending on the requirement. As per the scenario you have given, the access-list has to be applied in the inbound direction. It is called an inbound access-list.
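To make the first-match logic behind access-list 102 concrete, here is an added example (written for this page, not code from the thread or from Cisco): a small Python evaluator for numbered IOS extended ACL lines of the form used above. It assumes only the tcp/udp/ip protocols, the host/any/wildcard address forms and an optional destination "eq" port, with a small assumed port-name table; everything else IOS accepts is out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Port keywords IOS accepts in 'eq'; only the ones needed here (assumed subset).
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "www": 80, "telnet": 23, "imap": 143}

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that bit of addr must equal the same bit of network."""
    return (to_int(addr) ^ to_int(network)) & ~to_int(wildcard) == 0

@dataclass
class Ace:
    action: str              # 'permit' or 'deny'
    proto: str               # 'ip', 'tcp' or 'udp'
    src: Tuple[str, str]     # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int]     # destination 'eq' port; None means any port

def parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return ((net, wild), next_i)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line: str) -> Ace:
    # access-list <number> <permit|deny> <proto> <src> <dst> [eq <port>]
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = int(name) if name.isdigit() else PORT_NAMES[name]
    return Ace(action, proto, src, dst, dport)

def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet that matches nothing hits the
    implicit 'deny ip any any' at the end of every IOS ACL."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

# The ACL from the post, parsed into entries.
ACL_102 = [parse_ace(l) for l in """
access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
access-list 102 permit ip any any
""".strip().splitlines()]

if __name__ == "__main__":
    print(evaluate(ACL_102, "tcp", "192.168.1.40", "10.1.8.40", 110))     # deny
    print(evaluate(ACL_102, "tcp", "192.168.1.41", "10.1.8.40", 110))     # permit
    print(evaluate(ACL_102, "tcp", "192.168.1.40", "10.1.8.40", 143))     # permit (IMAP is not listed)
    print(evaluate(ACL_102[:2], "tcp", "192.168.1.41", "10.1.8.40", 110)) # deny: implicit deny without the final permit
```

The evaluator models only the matching; on the router, the interface and direction decide which packets are ever compared against the list. An inbound ACL is checked as a packet enters the interface, before routing, and an outbound ACL after routing, as it leaves. Cisco's usual guidance is to place extended ACLs as close to the source as possible, which for this flow means inbound on the interface the client sits behind.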
-
Hello,
Any suggestions why the following ACL will not apply?
access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny udp any host 192.168.155.18
access-list 100 deny tcp any host 192.168.155.18
access-list 100 permit ip any any
interface GigabitEthernet0/2.16
description Subnetz 192.168.155.16/28
encapsulation dot1Q 16
ip address 192.168.155.17 255.255.255.240
ip access-group 100 in
The server 192.168.155.18 should only answer requests on port 53 (TCP and UDP). IOS image is c7200-jk9s-mz.124-25c.bin. With this access-list applied I can still connect through any other port like SSH and so on.
Thanks,
Thomas
Hi Rick,
No, there is no NAT or anything else turned on on this device.
Router#sh ip access-list 100
Extended IP access list 100
10 permit udp any host 192.168.155.18 eq domain (379 matches)
20 permit tcp any host 192.168.155.18 eq domain (5 matches)
30 permit tcp any host 192.168.155.18 established (1 match)
40 deny udp any host 192.168.155.18 (788 matches)
50 deny tcp any host 192.168.155.18 (79 matches)
60 permit ip any any (562 matches)
Router#sh ip int gi0/2.16
GigabitEthernet0/2.16 is up, line protocol is up
Internet address is 192.168.155.17/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is enabled
IP CEF switching is enabled
IP Flow switching turbo vector
IP Flow CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Full Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Reminder: 192.168.155.18 is a fictitious IP address; it was changed only for this post.
Thanks,
Thomas -
Reflexive/established access list
We want internal hosts that are accessing the Internet to receive return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic coming from the Internet. We want only websites that respond to an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, only the response for that request. We want to restrict traffic initiated from the outside to only VPN, SSH and email. The following caused Internet access to slow down and websites did not fully load. Any assistance would be appreciated.
Thanks.
Said
access-list 150 permit tcp any host <firewall outside IP>
access-list 150 permit tcp any host <Exchange server translated public IP> eq www
access-list 150 permit tcp any host < Exchange server translated public IP> eq smtp
access-list 150 permit tcp any host < Exchange server translated public IP> eq 22
access-list 150 permit tcp any host < Exchange server translated public IP> eq pop3
access-list 150 permit tcp any any eq telnet
access-list 150 permit icmp any any
access-list 150 permit udp any eq domain any
access-list 150 permit udp any any eq domain
access-list 150 permit esp any any
access-list 150 permit gre any any
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit udp any any eq isakmp
access-list 150 permit tcp any any established
access-list 150 deny ip any any log
interface MFR0.724
router(config-if)#ip access-group 150 in
Have you considered using CBAC?
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
I like CBAC better. CBAC builds intelligence into the traffic analysis. CBAC should make your connection more secure.
Reflex documentation
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html -
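The difference between the "established" keyword in access-list 150 and the stateful inspection the reply recommends is worth seeing in code. The following is an added example (not from the thread or from Cisco): "established" on IOS matches any TCP segment with the ACK or RST bit set and consults no connection table, so an unsolicited segment that merely claims to be a reply passes; a reflexive ACL or CBAC admits only the mirror of a flow the inside opened. The addresses, ports and segments below are constructed for the demo.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def established_permits(seg: Segment) -> bool:
    """What 'permit tcp any any established' really tests: the ACK or RST
    bit is set. No connection table is consulted."""
    return bool(seg.flags & (ACK | RST))

class ReflexiveFilter:
    """Stateful alternative: remember flows the inside opened and admit only
    their mirrored replies (the idea behind reflexive ACLs and CBAC)."""
    def __init__(self):
        self.flows = set()

    def outbound(self, seg: Segment) -> None:
        # Seen leaving the inside: record the flow as a 4-tuple.
        self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))

    def inbound_permits(self, seg: Segment) -> bool:
        # An inbound packet is allowed only if it is the exact mirror of a recorded flow.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows

def demo() -> dict:
    fw = ReflexiveFilter()
    # Constructed traffic: an inside client opens HTTPS to a web server.
    fw.outbound(Segment("10.0.0.5", 51000, "203.0.113.10", 443, SYN))
    reply = Segment("203.0.113.10", 443, "10.0.0.5", 51000, SYN | ACK)
    # Constructed unsolicited ACK probe from the Internet at an inside RDP port.
    probe = Segment("198.51.100.7", 40000, "10.0.0.9", 3389, ACK)
    return {
        "reply_established": established_permits(reply),   # True
        "reply_reflexive": fw.inbound_permits(reply),       # True
        "probe_established": established_permits(probe),   # True: the flag bits alone let it through
        "probe_reflexive": fw.inbound_permits(probe),       # False: no matching outbound flow
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

The probe result is the practical caveat: with "permit tcp any any established" as the catch-all, an attacker can ACK-scan the inside network and map which hosts answer with RST, and any inside service that accepts a segment with ACK set is reachable. Stateful inspection closes that gap because nothing is admitted without a recorded outbound flow.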
Unable to access public ip from branch vpn (Cisco ASA 5510 Firewall)
Hi,
As per the above diagram
in Head office - able to access public ips
In Branch office - unable to access public IPs; only accessing head office servers, and internet is shared from head office.
please see the below configuration in Branch office router:
access-list 1 permit any
access-list 100 remark ****** Link to Firewall-HO1 ******
access-list 100 permit ip 10.21.211.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 172.16.35.0 0.0.0.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 100 permit ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 100 permit ip 10.21.211.0 0.0.0.255 host 78.93.190.226
access-list 100 permit ip 10.21.111.0 0.0.0.255 host 78.93.190.226
access-list 100 permit ip any any
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.211.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.111.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 101 deny ip 10.21.10.0 0.0.0.255 172.0.0.0 0.255.255.255
access-list 101 permit ip host 10.21.211.51 any
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq pop3
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 66.147.240.160 eq smtp
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq pop3
access-list 101 permit tcp 10.21.211.0 0.0.0.255 host 78.93.56.10 eq smtp
access-list 102 permit ip 10.21.211.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
Thanks for your valuable time and consideration.
Anyone can help me?
-
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration.... although it is working fine, it is not secure because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration...... access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration.... ip access-list extended 101
 5 permit ip host 10.25.7.136 any
In this case I will allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG Server. -
Access-list in Cisco 3560 Series Switch
Guys,
I will be implementing access-lists in a 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow the ports that the users need to access. The ports will be as follows: tcp - 80, 81, 8080, 25, 110, 143; udp - 23 and the port used by the IP phone.
Hope you can help me guys.
Thanks,
John
and then don't forget to call this access-list on the interface or VLAN you want to apply it to.
You can use a number for the ACL > 100 or a name as indicated earlier.
If you go with just a number :
access-list 100 permit tcp any any eq 80 81 ...
access-list 100 permit udp any any eq 23
int g1/0/1
ip access-group NAME in
OR
ip access-group 100 in
As for example :
NMS-3750-A(config-if)#ip acc
NMS-3750-A(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name -
ASA 5510 8.2(1) Using hostnames in access-lists?
I need to allow a specifc hostname through my firewall. I found this article: https://supportforums.cisco.com/docs/DOC-17014
But it's only for 8.4 updated ASA's and above.
Doing more research, I found this article: http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
And have been trying to reverse engineer it. Am I on the right track?
Thanks in advance.
Hello Adam,
Here is the configuration you need:
access-list test permit tcp any any eq 80
regex google \.google\.com
policy-map type inspect http GOOGLE
 parameters
 match not request header host regex google
  reset log
class-map TEST
 match access-list test
policy-map global_policy
 class TEST
  inspect http GOOGLE
Regards
CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.
Julio -
Hello, I'm having problems getting an access-list to work. With the access-group 104 in I lose my internet connectivity.
Here's the config. If I remove the access-group 104 in from GigabitEthernet0/0 all works, but I want to have the settings on this interface.
What am I missing?
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r01
boot-start-marker
boot-end-marker
logging buffered 15000
no logging console
no aaa new-model
clock timezone CET 1 0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.17.1.1 172.17.1.30
ip dhcp excluded-address 172.17.1.240 172.17.1.254
ip dhcp excluded-address 172.17.3.1 172.17.3.30
ip dhcp excluded-address 172.17.3.240 172.17.3.254
ip dhcp pool VLAN1
network 172.17.1.0 255.255.255.0
domain-name r1.local
default-router 172.17.1.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip dhcp pool VLAN100
network 172.17.3.0 255.255.255.0
domain-name r1_Guest
default-router 172.17.3.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip domain name r1.lan
ip name-server 212.54.40.25
ip name-server 212.54.35.25
multilink bundle-name authenticated
crypto pki token default removal timeout 0
object-group network temp
description dummy addresses
1.1.1.1 255.255.255.0
2.2.2.2 255.255.255.0
object-group network vlan1-lan
172.17.1.0 255.255.255.0
object-group network vlan100-guest
172.17.3.0 255.255.255.0
object-group network ziggo-dns
host 212.54.40.25
host 212.54.35.25
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address dhcp
ip access-group 104 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description r1.local lan
ip address 172.17.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.1
description Vlan100 r1_Guest
encapsulation dot1Q 100
ip address 172.17.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.17.2.0 255.255.255.0 172.17.1.253
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any object-group vlan100-guest
access-list 102 permit ip any any log
access-list 103 deny ip any object-group vlan1-lan
access-list 103 permit ip any any
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log
no cdp run
control-plane
line con 0
login local
line aux 0
line 2
login local
no activation-character
no exec
transport preferred none
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
login local
transport input ssh
scheduler allocate 20000 1000
end
Hello,
I applied the rules and that works.
The only thing I have now:
Reboot router.
Interface 0/0 gets no DHCP address from the ISP.
I have to remove the 104 in from int 0/0.
Then the router logs: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x, hostname r01
Int0/0 gets a DHCP IP address; next I apply the ACL 104 in to int 0/0 and all works until the next reboot.
Maybe I have to put a static IP address on int0/0?
Thanks for your help!
Access-list block range of hosts
cisco 2600 router with wic1-adsl card
I'm having difficulty creating an access-list that will block a range of specified internet IPs but allow everything else. Google finds loads of ACLs showing how to permit a range but nothing about how to deny.
In the past I've been able to deny a host using:
access-list 105 deny ip any host A.B.C.D, but that only blocks one host and not a range (unless you have loads of entries).
My reason for this is to block baiduspider.com from accessing my server. Baidu uses a large range of ip's but so far they're confined to 123.125.*.*, 61.135.*.* and 220.181.*.*
I tried:
access-list 10 deny 123.125.0.0 0.0.0.255
access-list 10 deny 220.181.0.0 0.0.0.255
access-list 10 deny 61.135.0.0 0.0.0.255
access-list 10 permit any
all web traffic comes via the adsl-wic card in the router so I put:
ip access-group 10 out
into the dialer0 config but this didn't work.
Thanks for any help.
It looks like I've done it. I was using the wrong subnet mask.
I changed the access list to:
access-list 10 deny A.B.0.0 0.0.255.255 and from that moment baidu disappeared from the web log. -
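The fix above comes down to wildcard-mask arithmetic, so here is an added example (written for this page, not from the thread or from Cisco) that makes it explicit: it converts a prefix length to the wildcard IOS expects, counts how many addresses an entry covers, recovers the CIDR block an entry describes (or reports that a discontiguous wildcard describes no single block), and tests the crawler address 123.125.71.33, which is a constructed address inside 123.125.0.0/16.

```python
import ipaddress
from typing import Optional

def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_for_prefix(prefix_len: int) -> str:
    """Prefix length -> IOS wildcard: /16 -> 0.0.255.255, /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))

def covered_addresses(wildcard: str) -> int:
    """How many addresses one entry with this wildcard matches: 2 ** (number of 1 bits)."""
    return 1 << bin(to_int(wildcard)).count("1")

def network_for(network: str, wildcard: str) -> Optional[ipaddress.IPv4Network]:
    """Return the CIDR block the entry describes, or None when the wildcard is
    discontiguous (legal on IOS, but it no longer describes a single block)."""
    mask = to_int(wildcard) ^ 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF):
        return None
    return ipaddress.IPv4Network((network, prefix_len), strict=False)

def matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard match: 1 bits are 'don't care', 0 bits must be equal."""
    return (to_int(addr) ^ to_int(network)) & ~to_int(wildcard) == 0

if __name__ == "__main__":
    crawler = "123.125.71.33"   # constructed address inside 123.125.0.0/16
    print(matches(crawler, "123.125.0.0", "0.0.0.255"))     # False: this wildcard stops at 123.125.0.255
    print(matches(crawler, "123.125.0.0", "0.0.255.255"))   # True
    print(network_for("123.125.0.0", "0.0.0.255"))          # 123.125.0.0/24
    print(network_for("123.125.0.0", "0.0.255.255"))        # 123.125.0.0/16
    print(covered_addresses("0.0.0.255"), covered_addresses("0.0.255.255"))  # 256 65536
    print(wildcard_for_prefix(16))                          # 0.0.255.255
    # Discontiguous wildcard: only hosts sharing the network's last bit match (even hosts here).
    print(network_for("10.0.0.0", "0.0.0.254"),
          matches("10.0.0.4", "10.0.0.0", "0.0.0.254"),
          matches("10.0.0.5", "10.0.0.0", "0.0.0.254"))    # None True False
```

The original three deny lines each covered 256 addresses, so a crawler in 123.125.71.0/24 sailed through to "permit any"; with 0.0.255.255 each line covers the whole /16 the poster intended.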
We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
Thanks
Eric
We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with interface FastE1/0, or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
create 2 access lists and assign one to each interface.
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any any
interface faste0/0
ip access-group 120 in
interface faste1/0
ip access-group 110 in
adjust addresses etc to fit your situation. Try it and let us know if it works.
HTH
Rick -
Port Forwarding & Access List Problems
Good morning all,
I am trying to set up port forwarding for a web server we have hosted here on IP 192.168.0.250. I have set up access lists and port forwarding configurations and I cannot seem to access the server from outside the network. I've included my config file below; any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external IP address with 1.1.1.1.
I've added the bold lines in the config file below in hopes of forwarding port 80 to 192.168.0.250, to no avail. You may notice I don't have access-list 102, which I created, on any interface. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pantera-office
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
aaa new-model
aaa authentication login default local
aaa session-id common
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.251 192.168.0.254
ip dhcp pool private
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name network.local
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-4211276024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4211276024
revocation-check none
rsakeypair TP-self-signed-4211276024
crypto pki certificate chain TP-self-signed-4211276024
certificate self-signed 01
3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132
37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626
31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881
1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4
93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96
D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261
746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF
41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41
FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D
14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944
82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703
E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79
D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
quit
username pantera privilege 15 password 0 XXXX
username aneuron privilege 15 password 0 XXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0/0
description $ETH-WAN$
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/0/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server enable traps rf
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
end
Any/All help is greatly appreciated! I'm sorry if I sound like a newby!
-Evan
Hello,
According to the config you posted, 2.2.2.2 is your WAN IP address and 1.1.1.1 is the next-hop address for your WAN connection. The ip nat configuration for port forwarding should look like:
ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
If your provider assigns a dynamic IPv4 address to the WAN interface you can use
ip nat inside source static tcp 192.168.0.250 80 interface FastEthernet0/0 80
Verify the settings with show ip nat translation.
Your access list 102 permits only TCP traffic. If you apply the ACL to an interface, DNS won't work anymore (nor any other UDP traffic). You might want to use a stateful firewall solution like CBAC or ZBF combined with an inbound ACL on the WAN interface.
Best Regards
Lukasz