ACL to allow SNMP traffic

Similar Messages

• Allow external traffic to access internal computers

  We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
  ASA Version 8.4(3)
  hostname ciscoasa
  domain-name default.domain.invalid
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 152.18.75.132 255.255.255.240
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network a-152.18.75.133
  host 152.18.75.133
  object network a-10.2.1.2
  host 10.2.1.2
  object-group network ext-servers
  network-object host 142.21.53.249
  network-object host 142.21.53.251
  network-object host 142.21.53.195
  object-group network ecomm_servers
  network-object 142.21.53.236 255.255.255.255
  object-group network internal_subnet
  network-object 10.2.1.0 255.255.255.0
  access-list extended extended permit ip any any
  access-list extended extended permit icmp any any
  access-list extended extended permit ip any object-group ext-servers
  access-list acl_out extended permit tcp any object-group ecomm_servers eq https
  access-list outside_in extended permit ip any host 10.2.1.2
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any echo-reply inside
  icmp permit 10.2.1.0 255.255.255.0 inside
  icmp permit any echo-reply outside
  icmp permit any outside
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.2.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh 10.2.1.2 255.255.255.255 inside
  ssh 122.31.53.0 255.255.255.0 outside
  ssh 122.28.75.128 255.255.255.240 outside
  ssh timeout 30
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.2.1.2-10.2.1.254 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
  : end
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 112
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 113
  ciscoasa(config)#

  Okay I will bite.
  Assuming you have
  a.  dynamic pat rule for lan users-devices to reach the internet
  (missing ???????????????
  (should look like a nat rule that makes two entries when you make the one rule)
  (with router set at defaults it may make this rule for you already in place)
  -object bit  
  object network obj_any_inside
  subnet 0.0.0.0 0.0.0.0
  and rule bit
  object network obj_any_inside
  nat (inside,outside) dynamic interface
  b.  route rule - tells asa next hop is IP gateway address
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  c.  Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
  object bit
  object network natforward4server
  host 10.2.1.2
  Nat bit
  object network natforward4server
  nat (inside,outside) static interface service tcp 443 443
  d. Nat for translated ort.
  If you had wanted to translate a port, lets say you have external users that can only use port 80 but need to access https
  object bitobject network natfortransl4server
  host 10.2.1.2
  Nat bit
  object network natfortransl4server
  nat (inside,outside) static interface service tcp 443 80

• Allow IPSEC traffic thru 871?

  I am using Cisco 871's with Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass thru the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
  How can I allow IPSEC traffic to pass thru the 871?

  If you are initiating vpn client connectivity from behind the 871 to outside you need to allow through the IPsec ports udp 500, udp 4500 and protocol 50 esp. I don't know Nortel's vpn client but Im sure they follow the Ipsec security standards.
  try this on your 871 router.
  access-list 101 permit udp any any eq 500 log
  access-list 101 permit udp any any eq 4500 log
  access-list 101 permit esp any any log
  apply acl-101 to your outbound interface
  access-group 101 in
  HTH
  Jorge

• RV016 Router Allow All Traffic For Outside IP

  Hi,
  I need to configure the firewall to allow all traffice for an IP address of a sever. What steps in the router do i need to configure this? This is a cloud based voip server and we have IP phones and we need to add an IP address of the phone server to allow all traffic for that IP.
  thanks.

  Hi Jonathan,
  I have a similar problem with VOIP traffic being dropped by my new RV016 v3 router.
  I have created one Firewall Rule, to allow ALL traffic from the external VOIP PBX provider (single IP) to connect to the internal VOIP phones, which have assigned addresses in a small IP Address range (eg. 10.1.2.50 - 10.1.2.59)
  The Aastra VOIP phones continually loose their  registration wtih the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone, 3 or 4 minutes after you hang up,  and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
  We used to have an RV016 v2 router and VOIP traffic worked  OK,  with a similar Firewall Rule.  We replaced the v2 router  because its CPU crashed. 
  I tested the VOIP traffic with a WRT160 router with minimal Firewall Rules, and it works OK, as long as SIP-ALG is turned Off.   We want to use the RV016 because it provides a larger number of ports for our LAN.
  Any suggestions ?
  Kirk

• Allow DNS Traffic

  Hi!
  We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
  Thanks.

  access-list 101 extended permit tcp net_lan sub net_wan sub eq 53
  access-list 101 extended permit udp net_lan sub net_wan sub eq 53
  access-list 101 extended deny any any
  interface Serial 0/0
   ip access-group 101 out
  N.B. That access-list is only for permit traffic for DNS protocol. All traffic except DNS will be deny  

• ACLs never apply to traffic generated by the router

  http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
  "Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
  Is it (the return packet, however, will be blocked as usual) the case all the time ? if it is the case could you please explain ?

  Thanks Rick,,,I need some clarification about the below scenario please:
  suppose I have got R1 (one of many routers) with two interfaces serial0/0 and e0/0,,,the ip address for serial0/0 192.168.0.1/24
  the ip address for e0/0 172.16.0.1/16.
  R1(config)=access-list 101 deny ip any any
  R1(config)#interafec serial 0/0
  R1(config-if)#ip access-group out
  R1(config)=access-list 150 deny ip any any
  R1(config)#interafec fastethernet 0/0
  R1(config-if)#ip access-group in
  Now we satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
  1- ((The inbound ACL will deny all traffic)).
  This is obvious because any packet trys to enter the router R1, the ACL will check both ip addresses for the source (any) and destination (can be one of the interfaces belong to R1),,,,because it match the condition for ACL, it will be dropped.
  2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
  This first paragraph (In this case the outbound ACL can deny transit traffic) is fine,,,the second one which is : " but can not deny packets generated by the router which will be transmitted",,,,,,,my understanding is this when packets generated by router R1, these packets have got source ip address and destination ip address.
  The source and destination ip addresses still matching the condition of ACL , why should't it be
  denied ?

• Firewall Allow all traffic on lan

  Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

  dtich wrote:
  thx dean, yes, i had certainly looked at the log, which shows these entries:
  Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
  but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
  traceroute gives me:
  traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
  1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
  so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
  if i allow 169.254.x.x, i still get no joy.
  mean anything else to you?
  yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
  Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external?

• ACLs to allow read/write to folders but prevent name changes folders

  Merger of two sites - need common file structure for storage - both differ at present
  I want to set up an initial number of departmental folders for clients to store files.
  Clients should not be able to rename any of these top level folders.
  They should not be able to add additional folders at the top level.
  But they should be able to write to the folders, and be allowed to create sub-folders within the toplevel folders.
  How do I set up ACLs to allow this...

  Create an ACL with a group containing all of your clients.
  At the top level of that folder, set the ACL and the Everyone group in POSIX permissions to Read Only.
  You can then change permissions on all the sub-folders as you wish. One easy example: let's say that this client has read/write access to all the subfolders, but you don't want them to have anything other than read access for the top folder. You can then set the ACL for the share point that the client group has read/write access, and propagate permissions for the ACL set.
  THEN, once you have done this, change the top folder to Read only. do NOT propagate permissions again. Then the top folder will have read-only access, clients can't change or create folders at this level, but have full access to all subfolders.

• ACL's for SNMP

  Our NMS is getting hit by lots of
  Authentication failure traps from our Cisco devices as IT insist on snmp polling our entire network.
  To stop this I have put an ACL on the snmp-server community line. ie
  access-list 58 permit z.z.z.z 0.0.0.255
  access-list 58 permit y.y.y.y 0.0.0.255
  access-list 58 permit x.x.x.x 0.0.3.255
  snmp-server community ****** RO 58
  snmp-server community ****** RW 58
  This seems to have stopped some of the devices from sending authentication failure traps to our NMS but others are still sending traps although the snmp requester should be getting dropped by the ACL.
  Is there any known reason why this would be happening

  Hi!
  You probably got a line in your config that looks like this:
  >snmp-server enable traps snmp authentication ...
  Simply take out the "authentication" part in this line and you won't get any more of those traps!
  Ciao,
  marco

• Firewall blocks Airplay (even under 'allow all traffic')

  Hi every body,
  I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my the server's firewall blocks
  a) all airplay traffic and
  b) 'reading Airport confirguration' requests
  even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
  Any help would really be appreciated.
  Thanks a lot.
  Nonresidentalien
  P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

  Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
  There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
  First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65000          0          0 deny ipv6 from any to any
  65535          6        306 allow ipv6 from any to any
  As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
  reptilehouse:~ sascha$ sudo ip6fw delete 65000
  To confirm, show the rule table again and you should see 65000 is gone:
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65535          6        306 allow ipv6 from any to any
  Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
  What I don't know if whether this is sticky, e.g. survives a reboot.

• ACL allowing some traffic with DENY

  Good day all,
  I have been trying to apply ACLs to a vlan interface and have not been able to make it work,
  I configured them as follows:
  Extended IP access list 160
      10 deny ip 10.0.0.0 0.0.255.255 10.0.24.0 0.0.0.255
      20 permit ip 10.0.24.0 0.0.0.255 host 8.8.8.8 log
      30 deny ip 10.0.24.0 0.0.0.255 any
      40 deny icmp 10.0.24.0 0.0.0.255 any
      50 deny ip any any
  Extended IP access list 161
      10 deny ip host 4.2.2.2 10.0.24.0 0.0.0.255
      20 deny ip host w.x.y.z 10.0.24.0 0.0.0.255 - firewall outside address
      30 permit icmp host 10.0.2.3 any
      40 deny icmp any any (5 matches)
      50 deny ip any any
      60 deny udp any any
  interface Vlan600
  ip address 10.0.24.3 255.255.255.0
  ip access-group 161 in
  ip access-group 160 out
  no ip route-cache cef
  no ip route-cache
  no ip mroute-cache
  end
  The problem is that i can still ping 4.2.2.2 and 8.8.8.8 which i only want to limit to 8.8.8.8. I was also able to ping yahoo.com and others The pings from the other subnets fails and any from the 24 subnet to the external address of the firewall fails which are both required results.
  I tried to debug the ping test with the debug ip packet command but didnt see anything show up on my log server. I then tried the same lines in a program called acl editor simulator and it comes up as a no match. Can someone please help me figure how to block all web and 4.2.2.2 traffic in and out.
  Thanks
  Michael

  Michael
  It looks to me like you have your in and out reversed. VLAN 600 is subnet 10.0.24.0. In access list 160 we find that 10.0.24.x are the source addresses. So this access list should be applied as "inbound". And in access list 161 we find that references to subnet 10.0.24.0 have it as the destination, so it should be applied as "outbound".
  So if you change the access-group configurations and apply 160 in and 161 out you should find more hits in the access lists.
  But even if you change the direction of the access lists there will not be any successful traffic in and out of the subnet. I note that access list 160 has only a single line with a permit statement and it permits traffic to host 8.8.8.8. I also note that access list 161 has only a single line with a permit statement. And it permits only ICMP packets from host 10.0.2.3. So the amount of traffic permitted will be very small.
  HTH
  Rick

• No ACL deny logs for Traffic not matched by Static Object NATs and ACL. Need Help.

  I start noticing that I do not see any denied traffic coming in on my ACL.  To better explain, lets say I have this config.
  ### Sample Config ###
  object network webserver
  host 192.168.1.50
  nat (dmz, outside) static X.X.X.X service tcp www www
  access-list inbound extended permit ip any4 object webserver eq www
  If I generate a traffic from the outside let's say a traffic that is trying to access X.X.X.X via TCP Port 8080 which obviously does not have any NAT entry to it going to my DMZ, I don't see the ACL denies it anymore but instead comes back with a Drop Reason: (nat-no-xlate-to-pat-pool) . On the packet trace I got this. (Below) it seems that does not even hit the ACL as there is no xlate found for it, at least to what the drop reason says.
  Phase: 1
  Type: CAPTURE
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         Outside
  Result:
  input-interface: Outside
  input-status: up
  input-line-status: up
  output-interface: Outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
  Before, using a regular Static PAT on ASA Versions 8.2(5) below, I could get the deny logs (ASA-4-106023). Generally, I use these logs, and are quite important for us specially during auditing.
  My question is how can I generate logs for these type of dropped traffic on the ASA 9.1 Version? 
  Any comments/suggestions are gladly appreciated :)
  Regards,
  John

  I believe, but am not 100% sure, that the reason you are not seeing the ACL drop but a no NAT matched is because of the changes from 8.2 to 8.3 in the order of how things are done.  In 8.3 and later you need to secify the real IP address when allowing packets in, and this is because NAT happens before the ACL is matched.  So since there is no match on the NAT the packet is dropped then and there, never reaching the stage where ACLs are checked.
  As to seeing drops in the ACL log...You might want to try adding an ACL that matches the NATed IP...but I don't think you will have much success with that either.  My guess is that there is no way around this...at least no way I know of.
  Please remember to select a correct answer and rate helpful posts

• WLC web authentication ACL to allow internet surfing only

  Hi forumers'
  I would like to restrict web authentication user to access to my other network devices. web authentication user only cna goto internet, that's all.
  according to my attachment, am i writing the right ACL syntax and apply this at the web authentication interface?
  i also try on this ACL at my core switch but seem not success.
  ip access-list extended ACL-VLAN-20
  permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
  permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
  permit tcp 172.16.20.0 0.0.0.255 any eq 80
  permit tcp 172.16.20.0 0.0.0.255 any eq 443
  deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
  deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
  int vlan 20
  ip access-group ACL-VLAN-20 in
  any problem with it?
  well, as long as can block web authenticaiton user only goto internet then serve my purpose
  thanks
  Noel

  This should work
  deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31    (deny all IP traffic from guest to internal)
  permit udp 172.16.20.0 0.0.0.255 any eq 53              (or list the specific servers you want them to use)
  permit tcp 172.16.20.0 0.0.0.255 any eq 80               (allows HTTP but only outside as the deny stops internal)
  permit tcp 172.16.20.0 0.0.0.255 any eq 443             (allows HTTPS but only outside as the deny stops internal)
  but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above.  I also put the deny the access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers.  If you want to allow that, it's better to permit the explicit servers
  You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1 assuming one these are your virtual interface address
  When you do the ACL on the WLC, you need to do the inverse ACL as well.  So you need to allow teh 172.16.20.0 and the any to 172.16.20.0
  But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers incase there are issues.
  HTH,
  Steve

• ACL to secure SNMP - I need help on this please

  Hi,
  I have addedd the following standard ACL to my router to limit SNMP access only to my Ciscoworks LMS server or SNMP Server but I don't know if I need to enforce it with an access group or not? i beleive that i need but I am not sure how?
  access-list 90 permit host 10.1.1.139
  access-list 90 deny any log
  snmp-server community XXXXXXX ro 90
  please help me understand the need for the access-group and if I need it, would it be sonething like this:
  access-grup 90 in
  applied to ether Interface?
  this is my Internal gateway router. all of the users have the ether0 address of this router as their default gateway.
  Thx,
  Masood

  I believe that Masood starts from a valid understanding of an important principle of access lists: after you create an access list you must assign it (creating an access list without assigning it does not affect any traffic). If you want the access list to filter packets on an interface you use the access-group command to assign the access list to the interface.
  And Tim is correct that to use an access list to control SNMP access to the router all you need to do is to add the access list number on the command that defines the community string. This is the assignment of the access list. So Masood does not need to take any additional action.
  HTH
  Rick

• SFE2000 & ACL to stop VLAN traffic

  Hi All,
  I have setup a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1
  Additional VLAN's are:
  VLAN2     192.168.102.x     To be used for guest wireless access
  VLAN3     192.168.103.x
  VLAN4     192.168.104.x
  I would like VLAN1, 2, 3 and 4 to be able to communicate with each other while VLAN2 (Guest) needs to be restricted from everything except web access and dhcp assignment from our server.
  I have been playing with various ACL's in an effort to accomplish this but so far I have drawn a blank in getting this working.
  Can any one draw any light to a managed switch newbie
  Thanks in advance
  James

  I was able to get this working with ACLs and setting a static route from the router (in my case Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever
  ports you want to filter the guest traffic either where they would connect a hard wired connection or where you would connect your Wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router which I wanted on a different VLAN.
  Hope this helps others with their setup.