ACL - configuration help
Hello I've a newly configured 5510 would appreciate a look over of the configuration and some questions I have: Its a long post and I appreciate anyone taking time to read through it.
My goals are the following:
to make the inside network 10.20.145.0 to allow internet access - as long as the connection starts inside
To allow neighbor network that comes in through outside interface origin 170.20.0.0/16 access to the 10.20.145.0 (bidirectional)
The tunnel from neighbor lan to inside lan happens through vpn concentrator that has external ip address and 77.76.19.35
Allow certain devices on the DMZ to access the internet and allow outside to inside connections on certain ports
Much of the settings I have configured are coming from juniper that is currently online but needs to be replaced.
The network is set up as below for a chart of traffic:
ISP ---- Internet router ---- switch (3 active connections) 1. firewall 2. internet router 3. vpn concentrator
There is an internal 3750 that I have configured with ip 10.20.145.15 since it comes up often
I'm using pub IPs on the machines on the DMZ though I'm thinking of changing that to an internal vlan and than nating it out. Well here's what I have so far:
=================================================================================================
ASA Version 8.3(2)
hostname ASA
domain-name a.domain.com
enable password l4Tu/tqHeN0MdD7t encrypted
passwd dL9fmCBkHiwx4Iib encrypted
names
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
interface GigabitEthernet1/0
description outside-interface-connected-to-internet-switch
speed 1000
duplex full
shutdown
nameif outside
security-level 0
ip address 76.77.19.34 255.255.255.240
interface GigabitEthernet1/1
description inside-int-10.20.145-network
speed 1000
duplex full
shutdown
nameif inside
security-level 100
ip address 10.20.145.3 255.255.255.192
interface GigabitEthernet1/2
shutdown
nameif DMZ
security-level 50
ip address 76.77.19.49 255.255.255.240
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
lock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 76.77.6.11
name-server 66.72.76.84
name-server 4.2.2.1
name-server 8.8.8.8
domain-name a.domain.com
object network Inside_lan
subnet 10.20.145.0 255.255.255.0
object network NET-neighbor
subnet 170.20.0.0 255.255.0.0
description neighbor_LAN
object network 76.77.19.44_cake
host 76.77.19.44
description cake
object network 76.77.19.59
host 76.77.19.59
description streaming
object network 76.77.19.61
host 76.77.19.61
description streaming
object network cindy
host 50.56.249.224
description cindy
object-group network internal-LAN
network-object object Inside_lan
object-group service 3306 tcp
description 3306
port-object eq 3306
object-group service 4567 tcp
description 4567
port-object eq 4567
object-group icmp-type ICM
description ICM_basic
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service Retriever_SVC tcp
description Retriever
port-object range 8000 8001
object-group service Production tcp
description PM
port-object range www www
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service Streaming tcp
description streaming server
port-object eq 7009
object-group service UDP123 udp
description 123
port-object eq ntp
object-group service affordable tcp
description affordable legacy
port-object eq 85
object-group service market tcp
description ports for market dmz
port-object eq 2189
port-object eq 2190
port-object eq 2192
port-object eq 2194
object-group service messenger tcp
description air messenger
port-object eq 444
object-group service traffic-701 tcp
description 701
port-object eq 701
object-group service ntp1 udp
description ntp-udp-1
group-object UDP123
object-group service payroll tcp
description payroll port
port-object eq 714
object-group service snmp-udp udp
description snmp udp 1
port-object eq snmp
object-group service vitrol tcp
description vitrol custom
port-object eq 5986
object-group service webconferrence tcp
description webconference legacy port
port-object eq 1417
port-object eq 407
object-group service webmail tcp
description webmail ports
port-object eq 2095
object-group service INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
object-group service INLINE_SERVICE_1
service-object tcp
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq echo
service-object udp destination eq ntp
service-object udp destination eq radius
service-object udp destination eq radius-acct
service-object udp destination eq syslog
object-group network INLINE_NETWORK_1
network-object host 76.57.19.53
network-object host 255.255.255.255
object-group service INLINE_TCP_2 tcp
group-object Streaming
group-object vitrol
object-group service INLINE_SERVICE_2
service-object ip
service-object tcp
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ssh
access-list internet extended permit ip object Inside_lan interface outside
access-list internet extended permit object-group DM_INLINE_SERVICE_1 object Inside_lan any
access-list syndicaster extended permit tcp object Cindy object Inside_lan object-group INLINE_TCP_1
access-list streaming extended permit tcp interface DMZ any object-group Streaming
access-list streaming59 extended permit tcp object 76.77.19.59 interface outside object-group Streaming
access-list streaming_outside_in extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list neighbor extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
object network Inside_lan
nat (any,outside) dynamic interface
access-group neighbor in interface outside
access-group neighbor out interface inside
route outside 0.0.0.0 0.0.0.0 76.77.19.33 1
route inside 10.0.0.0 255.255.255.0 10.20.145.4 1
route inside 10.0.1.0 255.255.255.0 10.20.145.2 1
route inside 10.20.145.0 255.255.255.0 10.20.145.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.20.145.39 255.255.255.255 inside
telnet timeout 5
ssh 10.20.145.39 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd dns 76.77.6.11 64.22.16.84
dhcpd domain a domain
dhcpd option 6 ip 4.2.2.1
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username joe password m6OO.pH/13qc7ypS encrypted privilege 15
username bob password N./x1Ut.gM.QGZLa encrypted privilege 15
username bill password uZjIWeHtovCOweHJ encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:06eb82d8d8a3ae82352512cd707e7f4a
========================================================================================================================================================
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list internet; 14 elements; name hash: 0xb30cf7fe
access-list internet line 1 extended permit ip object Inside_lan interface outside 0xe073f975
access-list internet line 1 extended permit ip 10.20.1450 255.255.255.0 interface outside (hitcnt=0) 0xe073f975
access-list internet line 2 extended permit object-group INLINE_SERVICE_1 object Inside_lan any 0x2e33ca08
access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any (hitcnt=0) 0xa576d14f
access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any echo-reply (hitcnt=0) 0x15cccd5c
access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any traceroute (hitcnt=0) 0x8aab2f53
access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any unreachable (hitcnt=0) 0xe02606e1
access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp (hitcnt=0) 0x6d0043b6
access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp-data (hitcnt=0) 0xce904411
access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq www (hitcnt=0) 0x1ddebc69
access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq https (hitcnt=0) 0x1a3b15bc
access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq echo (hitcnt=0) 0xadc66030
access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq ntp (hitcnt=0) 0xa67a4406
access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius (hitcnt=0) 0x230419e6
access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius-acct (hitcnt=0) 0xa8ae0824
access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq syslog (hitcnt=0) 0x051c7ef5
access-list cindy; 2 elements; name hash: 0x807c55e5
access-list cindy line 1 extended permit tcp object cindy object Inside_lan object-group DM_INLINE_TCP_1 0xe35e702c
access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0x64b321cc
access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x55109118
access-list streaming; 1 elements; name hash: 0xfd34cf16
access-list streaming line 1 extended permit tcp interface DMZ any object-group Streaming_custom 0x8b2e87d1
access-list streaming line 1 extended permit tcp interface DMZ any eq 7009 (hitcnt=0) 0xb13a2776
access-list streaming59; 1 elements; name hash: 0x959c1f3b
access-list streaming59 line 1 extended permit tcp object 76.77.19.59 interface outside object-group Streaming_custom 0xc173840d
access-list streaming59 line 1 extended permit tcp host 76.77.19.59 interface outside eq 7009 (hitcnt=0) 0x84cd9084
access-list streaming_outside_in; 4 elements; name hash: 0x3f86c9d4
access-list streaming_outside_in line 1 extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 7009 (hitcnt=0) 0x06c04720
access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 5986 (hitcnt=0) 0x9ae9047e
access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 7009 (hitcnt=0) 0x5e3553e8
access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 5986 (hitcnt=0) 0x1f5d8fd9
access-list neighbor; 7 elements; name hash: 0xc99eb2b4
access-list neighbor line 1 extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan 0xc9688a21
access-list neighbor line 1 extended permit ip 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0xe1e8b995
access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0x462beedc
access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0xf238c75e
access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x266e675b
access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq www (hitcnt=0) 0x8627ec0a
access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq https (hitcnt=0) 0x3cae424a
access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ssh (hitcnt=0) 0xcb6666b3
Hi,
For the Default Dynamic PAT rule that you are asking for the single "inside" network I would suggest the following
First remove the current NAT configurations
nat (inside,outside) source dynamic any interface
object network Inside_lan
nat (any,outside) dynamic interface
Then reconfigure the NAT in the following way
object-group network DEFAULT-PAT-SOURCE
network-object 10.20.145.0 255.255.255.0
nat (inside,outside) after-auto sourece dynamic DEFAULT-PAT-SOURCE interface
This will create and "object-group" for the networks or hosts that should be PATed to the "outside" interface IP address when accessing the Internet. If you want more internal networks to get PATed the same way, you simply add the network under the "object-group" among the already existing "inside" network.
The "after-auto" parameter also makes sure that this NAT rule doesnt override any other future rules. The parameter in question moves the NAT rule at the bottom of the NAT rules so its one of the last matched agains when traffic arrives on the firewall from behind "inside"
With regards to the neighbor network of 172.20.0.0/16, is this some network that is going to be behind a L2L VPN or is simply almost directly behind the "outside" interface?
In general the NAT format for this kind NAT is
object network NEIGHBOR
subnet 172.20.0.0 255.255.0.0
object-group network NEIGHBOR-SOURCE
network-object 10.20.145.0 255.255.255.0
nat (inside,outside) source static NEIGHBOR-SOURCE NEIGHBOR-SOURCE destination static NEIGHBOR NEIGHBOR
I basically use an "object network" to define the remote network and "object-group network" to define the source network for this NAT. I use "object-group" for the source again because it leaves us room to add more networks under it if needed. Notice that "object network" can only hold one subnet/range/host while "object-group network" can hold pretty much as many as you want.
I think the ACL configurations will have to be looked through also.
Notice that if you want to control traffic from a behind "outside" for example, then you can only use 1 interface bound ACL to control that traffic. So every rule from "outside" to "inside" or to "dmz" has to be in the same ACL. Also this ACL would be attached to the "outside" interface in "in" direction. For example "access-group OUTSIDE-IN in interface outside"
If we are talking about VPN connections configured directly to the ASA there are some other options compared to the above.
But as I said its better that your needs regards the ACL rules are gone through more in depth to really know how we should configure them as I am myself not sure what all the above ACL are supposed to do.
One final question for you. You have this network directly on the "inside" interface 10.20.145.3 255.255.255.192. But you also talk about it with mask /24. Is the ASA "inside" connected to some internal L3 device which hosts rest of the segments of this whole /24 network as currently the "inside" interface holds /26.
Is ANY users/networks behind the ASA "inside" interface using the ASA directly as their gateway? I noticed that you setup would seem to have (as I mentioned in another thread to you) several devices on connected by the same LAN network (Router,VPN,firewall). What I fear will happen is that IF any "inside" users uses the ASA as their gateway and has to be routed back through the ASA "inside" interface to some other gateway that this will result in asymmetric routing and the ASA doesnt really handle that kind of situation that well.
- Jouni
Similar Messages
-
4500 IOS-XE: Crash on ACL configuration
Hi All ,
We have recently migrated from standalone to VSS on our C4500 switches with Sup 7-E.
but the switch crashes every time we edit or modify the ACL with below error message :
%SYS-3-BADBLOCK: Bad block pointer
%SYS-6-MTRACE: mallocfree: addr, pc
%SYS-6-BLKINFO: Corrupted next pointer blk
%SYS-6-MEMDUMP: 0x7E043FF8
We noticed that there is a new bug for this issue i.e
CSCun33897 Symptom:
A Catalyst 4500 series switch running IOS-XE may unexpectedly reboot when ACL configuration is applied to an interface.
but there is no fix available yet.
Please let me know if anyone had this kind of issue. Appreciate your suggestion and feedback on this issue .
Current used Image : cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin .
Thanks in advance .its seems to be closely matching to the bug you mentioned
If you upload crashinfo i can look it and try to confirm.
Regards
Naveen
***rate if it is helpful*** -
Hello everyone,
I have a doubt about the ACL configuring in my ASA
I have this acl witch it means that 10.10.11.2 can do www to the host 10.10.10.1
access-list 100 extended permit tcp host 10.10.11.2 host 10.10.10.1 eq www
and
access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2 (hitcnt=31)
witch it means that the host 10.10.10.1 can make www to the host 10.10.11.2
the host 10.10.10.1 can't do www to the host 10.10.11.2, but the host 10.10.11.2 can do, and the second ACL have hits.
is ti right?
Thanks.If you want to allow hosts 10.10.10.1 to hit 10.10.11.2 on www then you should change the syntax to:
access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www
Your original syntax:
access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2
By placing the "eq www" after the source IP, you are telling the ASA that the source port is 80/www. Instead, you want the destination port to be "80/www" and as a result, you need to place is after the destination IP.
Also, you can always use the "packet-tracer" command to see exactly what is blocking your traffic :)
Thank you for rating helpful posts! -
1941W configuration help needed
Our Deployment Scenario:-
1941W Gigabit Ethernet 0/0 is connected to the PPOE connection of the ISP.
Gigabit Ethernet 0/1 is connected to the wired LAN
I have created 2 wireless radio Cisco_Kamran_BGN which is operating at 2.4 Ghz Devices and Cisco_Kamran_A which is operating at 5Ghz Devices.
I have created 2 VLans for the Wireless.
Vlan 10 for Cisco_Kamran_A 192.168.10.x
Vlan 11 for Cisco _Kamran_BGN 192.168.11.X
The problem is the Wireless users are not getting the IP address from the respective DHCP server which has been configured on the Router.
Can please any from the community help me and show me where I am missing the configuration.
Please find my router & ap configuration below.
Router Configuration
Router#
sh run
Building configuration...
Current configuration : 3022 bytes
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable secret 5 $1$TdQt$npYeaf/W0kRElcfMggzJ31
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.10.1 192.168.10.10
ip dhcp excluded-address 192.168.11.1 192.168.11.10
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 195.229.241.222 213.42.20.20
ip dhcp pool Cisco_Kamran_A
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 195.229.241.222 213.42.20.20
ip dhcp pool Cisco_Kamran_BGN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 195.225.241.222 213.42.20.20
multilink bundle-name authenticated
crypto pki token default removal timeout 0
license udi pid CISCO1941W-E/K9 sn FCZ1553C1VK
hw-module ism 0
redundancy
bridge irb
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0
arp timeout 0
no mop enabled
no mop sysid
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
no ip address
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group DSL_ACCESSLIST in
ip nat inside
ip virtual-reassembly in
interface Vlan11
ip address 192.168.11.1 255.255.255.0
ip access-group DSL_ACCESSLIST in
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username xxxxxx password 0 xxxxxx
ppp ipcp route default
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip access-list extended DSL_ACCESSLIST
permit ip 192.168.0.0 0.0.255.255 any
control-plane
line con 0
password xxxxxx
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password xxxxxx
login
transport input all
scheduler allocate 20000 1000
end
Router#
Router#
Router#
Access Point Configuration
ap#
ap#
ap#
sh run
Building configuration...
Current configuration : 2603 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$JxdQ$a2/00bWJuhUKP9QLC94YD/
no aaa new-model
dot11 syslog
dot11 ssid Cisco_Kamran_A
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 1045081417161C5A555C7A7B
dot11 ssid Cisco_Kamran_BGN
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 020D05561907017015165949
username Cisco password 7 14341B180F0B
bridge irb
interface Dot11Radio0
description 802.11bgn radio
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
broadcast-key change 3600
ssid Cisco_Kamran_BGN
antenna gain 0
station-role root
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface Dot11Radio1
description 802.11a radio
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid Cisco_Kamran_A
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.10
description 802.11a bridge
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface GigabitEthernet0.11
description 802.11bgn bridge
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
no activation-character
line vty 0 4
login local
end
ap#
ap#
ap#Hi Stepehen,
Did the configuration as per your advice but i am getting the below mentioned error which i have highlighted it in red. Please advice what needs to be done.
Home
Re: 1941W configuration help needed
created by Stephen Rodriguez in Getting Started with Wireless - View the full discussion
conf t
interface Dot11Radio0
no ssid Cisco_Kamran_BGN
no encryption mode ciphers aes-ccm
exit
interface Dot11Radio1
no encryption mode ciphers aes-ccm
no ssid Cisco_Kamran_A
exit
dot11 ssid Cisco_Kamran_A
vlan 10
dot11 ssid Cisco_Kamran_BGN
vlan 11
exit
interface Dot11Radio0
encryption vlan 11 mode ciphers aes
ssid Cisco_Kamran_BGN
exit
interface dot11radio0.1
encapsulation dot1q 1 native
bridge-group 1
interface dot11radio 0.11
encapsulation dot1q 11
bridge-group 11
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
exit
interface Dot11Radio1
encryption vlan 10 mode ciphers aes-ccm
ssid Cisco_Kamran_A
interface dot11radio1.1
encapsulation dot1q 1 native
bridge-group 1
interface dot11radio1.10
encapuslation dot1q 10
bridge-group 10
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
end
wr
Reply to this message by going to Home
Start a new discussion in Getting Started with Wireless at Home -
I have a question on how to setup an ACL configuration on the SLM2024. I originally got this switch to just be able to monitor network ups/downs on the ports. and this has worked great in diagnosing the problems I was having originally. Now however I have to setup something on here that I have never had to do, and am unsure how to do it.
I have a computer that sends out a UDP broadcast that is causing our Xerox Phaser network printer to shutdown if it sees the broadcast. The Phaser is designed in a way that if it sees something on the network it thinks is harmful it will shut itself off to protect itself. and on startup if it sees something harmful it will not startup, it will go into an infinite restart loop.
After fully testing everything I can think of I got it down to a piece of software on the computer that sends the UDP broadcast. If this software is not running the printer works fine. Unfortunately the software needs to run 24/7, and we need to print.
Both the computer and printer have static ip addresses. and basically all I want to do is setup an ACL (at least thats what others have told me) to block communication between those two ip addresses so that the printer won't see the UDP broadcast anymore.
So my question is, would an ACL block that traffic? and if so how do I set it up? I looked in the manuals that came with the switch, and i'm not really seeing any information on how to do it. If anyone can give me some insight into what I need to do I would greatly appreciate it.
ThanksI have a question on how to setup an ACL configuration on the SLM2024. I originally got this switch to just be able to monitor network ups/downs on the ports. and this has worked great in diagnosing the problems I was having originally. Now however I have to setup something on here that I have never had to do, and am unsure how to do it.
I have a computer that sends out a UDP broadcast that is causing our Xerox Phaser network printer to shutdown if it sees the broadcast. The Phaser is designed in a way that if it sees something on the network it thinks is harmful it will shut itself off to protect itself. and on startup if it sees something harmful it will not startup, it will go into an infinite restart loop.
After fully testing everything I can think of I got it down to a piece of software on the computer that sends the UDP broadcast. If this software is not running the printer works fine. Unfortunately the software needs to run 24/7, and we need to print.
Both the computer and printer have static ip addresses. and basically all I want to do is setup an ACL (at least thats what others have told me) to block communication between those two ip addresses so that the printer won't see the UDP broadcast anymore.
So my question is, would an ACL block that traffic? and if so how do I set it up? I looked in the manuals that came with the switch, and i'm not really seeing any information on how to do it. If anyone can give me some insight into what I need to do I would greatly appreciate it.
Thanks -
Need configuration help on producing dial tone
Hello Experts,
I have a Cisco 2921 router with VWIC3-2MFT-T1/E1 card. On this card we have T1-CAS digital line connected. We have been provided with a set of DID numbers. We have a requirement where, when we dial a DID, the router should provide a dial tone, and should allow the user to dial to extension numbers. Not sure if this is feasible. If at all possible, will need to some configuration help.
Thanks
ArabindaSure it's possible. What's the T1 connected to? The router will offer two-stage dialing (aka dial tone) when the incoming POTS dial-peer does not have the 'direct-inward-dial' command on it. The router will accept any input and search for an outbound dial-peer (or ephone-dn for locally registered DNs) to match. Be careful if the T1 is connected to the PSTN as this is a toll fraud risk. You need to use CoR to reign in what outbound dial-peers are available to it.
Dial Peer Basics:
http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010ae1c.shtml
Class of Restrictions:
http://www.cisco.com/en/US/tech/tk652/tk90/technologies_configuration_example09186a008019d649.shtml
Please remember to rate helpful responses and identify helpful or correct answers. -
Multiple ethernet network adaptors + MySQL/php5: configuration help needed
I would be grateful if someone could give me some advice on how to configure multiple ethernet adapters under OS X 10.5.6
I have set up my system to work nicely with two ethernet network adapters, each with its own fixed IP. This bit works just fine. The machine supports two separate servers - a mail server and the OS X Apache2 server. I have configured the mail server to only listen to one of the IPs, and the Apache2 server to listen to the other (via httpd.conf). The system also has MySQL and php5 installed / enabled, and these services are only used by the Apache2 server.
The problem I have is that when I start the machine, initially the php5 system cannot connect reliably to the MySQL database system. The fix I have found is to temporarily make the ethernet adapter connected to the mail server 'inactive'. While this is so, the php5/MySQL connection to Apache2 works. Curiously, once an initial connection between php5 and MySQL has been made, subsequently I can make the mail server's ethernet adapter active again without further problems.
I initially thought this might be due to 'service order' issues - but changing the service order (e.g. putting the Apache adapter 'above' the mail adapter in the service order does not help. The fix only works by making the mail adapter inactive temporarily.
I suspect that there is some configuration change I can make to clarify the setup I have. The MySQL and Apache installations only need to talk to the Apache server - but I am not sure how to record this configuration in the OS X system.
Thanks in advance for any assistance that you can provide.
Message was edited by: Gavin LawrieHi Stepehen,
Did the configuration as per your advice but i am getting the below mentioned error which i have highlighted it in red. Please advice what needs to be done.
Home
Re: 1941W configuration help needed
created by Stephen Rodriguez in Getting Started with Wireless - View the full discussion
conf t
interface Dot11Radio0
no ssid Cisco_Kamran_BGN
no encryption mode ciphers aes-ccm
exit
interface Dot11Radio1
no encryption mode ciphers aes-ccm
no ssid Cisco_Kamran_A
exit
dot11 ssid Cisco_Kamran_A
vlan 10
dot11 ssid Cisco_Kamran_BGN
vlan 11
exit
interface Dot11Radio0
encryption vlan 11 mode ciphers aes
ssid Cisco_Kamran_BGN
exit
interface dot11radio0.1
encapsulation dot1q 1 native
bridge-group 1
interface dot11radio 0.11
encapsulation dot1q 11
bridge-group 11
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
exit
interface Dot11Radio1
encryption vlan 10 mode ciphers aes-ccm
ssid Cisco_Kamran_A
interface dot11radio1.1
encapsulation dot1q 1 native
bridge-group 1
interface dot11radio1.10
encapuslation dot1q 10
bridge-group 10
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
end
wr
Reply to this message by going to Home
Start a new discussion in Getting Started with Wireless at Home -
Quick upload not configured Help
Quick upload not configured Help Why and how do I configure? Host ?, username, password?
I have exactly the same question, using almost the same system: MacBook Pro, OS X Mountain Lion (10.8.3).
What to do? I cannot find an answer for how do I configure? Host, Username? Password? -
How to do JAAS and J2EE Deployment Descriptor ACL : Please help
I am trying to develop a Single sign on application using EJB's, JAAS,
ACL, struts and JSP to Log in with a form authenticate (using
j_security_check to hook into the web.xml security) then pull a user
from a database and use the roles defined there for authorization in
the rest of the system?
The examples on the web are from java clients to RMI, they also sit
alone. They dont say how to hook them into weblogic. They say to use
JAAS but they have just JAAS examples! No hooking of it into an EJB,
servlet, etc! They also dont show how to hook that code into web
server to use it as your security module!
What Settings/configuration I need to make in the web server for JAAS
to work. How the logic proceeds to authorization after form is
submitted using j_security_check. and to further logic in the
application. How is it then integrated with the Struts action forms.
Help, I'm at a loss. They recommend using JAAS but their documentation
and examples do not explain how. We have a complex real world product
and need examples of
the same. Can somebody provide me a working real-life example which
really work and give me some pointers to proceeds that will be really
helpful.
Thanks in advance for the help.I am trying to develop a Single sign on application using EJB's, JAAS,
ACL, struts and JSP to Log in with a form authenticate (using
j_security_check to hook into the web.xml security) then pull a user
from a database and use the roles defined there for authorization in
the rest of the system?
The examples on the web are from java clients to RMI, they also sit
alone. They dont say how to hook them into weblogic. They say to use
JAAS but they have just JAAS examples! No hooking of it into an EJB,
servlet, etc! They also dont show how to hook that code into web
server to use it as your security module!
What Settings/configuration I need to make in the web server for JAAS
to work. How the logic proceeds to authorization after form is
submitted using j_security_check. and to further logic in the
application. How is it then integrated with the Struts action forms.
Help, I'm at a loss. They recommend using JAAS but their documentation
and examples do not explain how. We have a complex real world product
and need examples of
the same. Can somebody provide me a working real-life example which
really work and give me some pointers to proceeds that will be really
helpful.
Thanks in advance for the help. -
Clearing an Dynamic Cluster -HSRP and Dynamic Cluster -NAT ACL configuration
I am trying to upgrade a 2950-24 Catalyst Switch that wa previously configured with both Dynamic HSRP and NAT ACL as shown in the following extract below.
I would like to remove this configuration but it is proving so difficult, this is because, I dont understand how the configuration got here in the first place, please help
=========================================================
SW1#show access-list
Extended IP access list CMP-NAT-ACL
Dynamic Cluster-HSRP deny ip any any
Dynamic Cluster-NAT permit ip any any
=========================================================
interface Vlan1
ip address 192.168.87.2 255.255.255.0
no ip route-cache
ip http server
ip access-list extended CMP-NAT-ACL
dynamic Cluster-HSRP deny ip any any
dynamic Cluster-NAT permit ip any any
line con 0
exec-timeout 0 0
line vty 0 4I am trying to upgrade a 2950-24 Catalyst Switch that wa previously configured with both Dynamic HSRP and NAT ACL as shown in the following extract below.
I would like to remove this configuration but it is proving so difficult, this is because, I dont understand how the configuration got here in the first place, please help
=========================================================
SW1#show access-list
Extended IP access list CMP-NAT-ACL
Dynamic Cluster-HSRP deny ip any any
Dynamic Cluster-NAT permit ip any any
=========================================================
interface Vlan1
ip address 192.168.87.2 255.255.255.0
no ip route-cache
ip http server
ip access-list extended CMP-NAT-ACL
dynamic Cluster-HSRP deny ip any any
dynamic Cluster-NAT permit ip any any
line con 0
exec-timeout 0 0
line vty 0 4 -
I have a c2950 and want to config acl. I enter INTERFACE MODE and issue IP ACCESS-GROUP command ,But system prompt no this command . how can I do. Please help me . Issuing show ver command.Message as fallows.
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 21-Oct-05 02:22 by yenanh
Image text-base: 0x80010000, data-base: 0x80676000
ROM: Bootstrap program is C2950 boot loader
tycib_sw29_f2office2 uptime is 3 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6k2l2q4-mz.121-22.EA6.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco WS-C2950-24 (RC32300) processor (revision R0) with 19973K bytes of memory.
Processor board ID FOC0935Z7SN
Last reset from system-reset
Running Standard Image
24 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:15:62:63:5D:C0
Motherboard assembly number: 73-5781-13
Power supply part number: 34-0965-01
Motherboard serial number: FOC09343GDK
Power supply serial number: DAB0930DP48
Model revision number: R0
Motherboard revision number: A0
Model number: WS-C2950-24
System serial number: FOC0935Z7SN
Configuration register is 0xFHi There,
Your switch WS-C2950-24, is a switch with standard image i.e SMI. This image doenot support ACL's and that's why its not working. You should have a 2950 with EMI to run ACLs. This switch is not upgradable to EMI so you really cannot use ACLs on this :(.
http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html
regards,
-amit singh -
Windows 2008 Server Configuration - Help
Hello All,
I am not an expert in configuring servers and I have just started to learn. Please forgive me if I am doing something funny!
I have a router with static IP address and DHCP enabled on the router. The router had the following configuration as shown below and the clients were obtaining IP address from the router and using the internet without a problem.
Router Configutaion:
Basic Setting:
IP Address : 122.165.60.160 (My Wan Static IP)
IP Subnet Mask : 255.255.252.0
Gateway IP: 122.165.60.1
DNS Address:
Primary DNS : 203.145.184.32
Secondary DNS: 203.145.184.13
Lan TCP/IP Setup:
IP Address: 192.168.2.1 (Router IP)
IP Subnet Mask: 255.255.255.0
DHCP Enabled:
Statring IP : 192.168.2.11
Ending IP: 192.168.2.100
Now, I have installed Windows 2008 R2 Server with Active Directory, DNS and DHCP, IIS. I have created a few users and did nothing more than that in the server.
Server IP Settings
Server IP: 192.168.2.5
Subnet : 255.255.255.0
Gateway : 192.168.2.1
DNS: 127.0.0.1
And when I tried to join the domain i created... corp.globe.com the clients were not able to find the domain I therefore changed the following settings in the router.
DNS Address:
Primary DNS : 203.145.184.32
Secondary DNS: 192.168.2.5 (Server IP)
After this change the clients were able to join the domain and login as well. However the clients were getting the IP from the router. I am facing a lot of problems as listed below.
1. I am not able to ping the clients using the computer name from the server.
2. Clients cannot ping other clients or server using name. (Suppose if I try... PING SYS1 .... It looks like it is trying to ping some 92.x.x.xx IP address) even if SYS1 IP address is 192.168.2.13
3. Clients can access Internet, but I cannot browse anything in the server.
Please help me in the configuration, or point me to some guide which describes the same. I tried to set up and enable the DHCP server using Windows 2008 machine and I disabled it DHCP on the router, clients where able to get the IP address from Windows 2008
server, but they were not able to use internet. Please advise.
Thanks for your time.Hi,
And you cannot ping the clients using the computer name from the server?
Did you turn off the firewall on server and client?
If you are having problems connecting to Active Directory and you have already successfully verified network connectivity, there might be a name resolution problem. For more and detail information, please refer to:
http://technet.microsoft.com/en-us/library/cc961921.aspx
Regards.
Vivian Wang -
Automatic payment program configuration help u0096 Very urgentu0085
Hi all,
We have couple of house banks for a company code and have ranked them as 1 and 2 for the payment method (example: Check) so, how would or where can the user has an option to choose a house bank to pay his vendors. I saw that in the vendor master we can maintain the house bank however, that ignores the ranking maintained in the configuration and will always pick that back for processing the payments for that vendor but, we do not want to maintain in the vendor master.
Hence, can anyone tell me how that ranking thing works meaning how would SAP or why would SAP choose the second or third ranked bank in processing the payments? As far as I know we do not use the parameter house bank in F110 then where can we control what bank to use to process the payments for the vendors?
Your help in this regard is highly appreciated and rewarded with points
Thanks in advance
KumarHi Kumar,
I think this setting is given in the T.Code "FBZP" under the heading Bank determination, wherein you have a selection "Available Amounts", I think if the amounts in that particular House Bank is exhausted, it will shift to the next House Bank in the Ordering level. You can just give it a try.
Regards
Sridhar -
SFTP adapter Configuration help:
Dear All,
I am trying to configure SFTP (seeburger) in sap PI.
I want to know how to connect SFTP adapter of seeburger with an SSH sever. (I have installed free SSH Server in my laptop).
How to connect using SFTP SETTING as
AUTHENTICAION Method: Private Key authorisation
how to generate/use private key.
Please Advice,
Prakash
Edited by: senthilprakash selvaraj on Jan 20, 2010 6:42 AMDear All,
I have installed SSH server and genreated the RSA key in Visual admin and i have configured the SFTP adater properly.
Now i have a different issue.
In Communication channel monitoring once i start the channel(SFTP) i am not getting any message. Its just saying Channel started and thats it. nothin else is coming. not even throwing any error. what should i do. why its happing like that.
I Tried with Authentication mode as Private Key as well as Password. in both configurations are proper.
also i tried refreshing the cache..no use.
Please help,
Senthilprakash -
HI!
I have a small network. I have 3 300-28 cisco switches. I already connected my 3 servers and clients with the switch 1 and now I want to add more clients and I need to add my other two switches in the network. Please guide me with the simple configuration So I can connect them all and avoid loop (stp). ThanksHi Nagaraja Thanthry!
Thanks for your reply. I am implementing it tomorrow. By just conecting the switches together at trunk ports will there be no loop? I don't want my network chowk. I hope it will work well. I might need further help, please reply.
1. I will do setting on all switches. Assign IP addresses to switches (to Vlan 1 default).
2. Set one port (e.g 28) as trunk and all others as Access on all three switches.
3. Then I will connect the switches with each other at trunk ports. Hope there will be no loop in this setting.
4. Do I need to set any setting for stp in switches ?
Please reply one by one thanks.
I am using 192.168.0.1 255.255.255.0 IP range.
Best Regards,
Maybe you are looking for
-
Boot Camp Assistant creates non bootable Windows drive
Hello all I've been trying, for the last 8 hours to install Windows via Boot Camp without any success Some information: MacBook Pro (13-inch, Early 2011) OS X Yosemite Windows source file: en_windows_7_professional_x64_dvd_X15-65805.iso 1. The first
-
How to get facetime on my mac?
how to get facetime on my mac?
-
How get the metadata with intermedia?
Hi all, In my application I record Microsoft Word documents into a blob column, but before record this file I need to verify the version of Microsoft Word who created this file. Anyone can help me with this? Tks, Everson
-
Need to Price control in Sale order(debit Order)
HI Friends i Having the requirement, i maintain the material BM_BOMHD01 Price is Rs 100 and second material BM_BOMIT01 is Rs .01 , so total net value is 100.01. i dont want to add the price of BOM_IT01 to total net value ... How i do this requirement
-
Loading xml data into the datagrid
Hi all, I'm trying to learn Flex. I have a small doubt in loading the datagrid from the xml response (from php script) mxml code: <mx:DataGrid id="dataGrid" x="69" y="250"> <mx:columns> <mx:DataGridColumn headerText="Name" dataField="name"/> <mx:Data