ACL vs. Filters
I know I've seen this somewhere in the forums before, so forgive my redundant posting. While I'm fairly familiar with ACLs, I'm wondering if filtering at the AP will provide the same benefit. What I'm interested in doing seems to be fairly common:
I have two SSIDs/VLANs:
VLAN 84 - Open, no authentication, for Internet usage
VLAN 88 - LEAP authentication, full network access
I'd like to block all traffic coming from VLAN 84 to any other server but our DHCP server and the private interface of our firewall so these users can get an IP and get out to the Internet.
All traffic for VLAN 88 should flow as normal.
The AP connects to a 6509 switch w/ an MSFC. I could just write an ACL on the MSFC. Would it be easier/more secure to write a filter on the AP?
The following document should give you a better idea of filtering:
http://www.cisco.com/en/US/products/hw/wireless/ps458/products_configuration_guide_chapter09186a0080104988.html
Similar Messages
-
Hi, how are you? Sorry for my questions and thanks for your patience.
I have a doubt: does the CPU ACL affect only the traffic of the management interface?
For example:
Controller WLC 5508 version 7.0.98.0
Interface management IP address 186.108.26.2/24
Interface XX IP address 190.139.109.101
I have configured the following ACL and applied to CPU ACL:
(Cisco Controller) >show acl cpu
CPU Acl Name................................ ACL
Wireless Traffic............................ Enabled
Wired Traffic............................... Enabled
(Cisco Controller) >show acl summary
ACL Counter Status Enabled
ACL Name Applied
ACL Yes
(Cisco Controller) >show acl detailed ACL
Source Destination Source Port Dest Port
Index Dir IP Address/Netmask IP Address/Netmask Prot Range Range DSCP Action Counter
1 In 1.1.1.0/255.255.255.0 1.1.1.115/255.255.255.255 6 0-65535 443-443 Any Permit 0
2 Any 0.0.0.0/0.0.0.0 100.100.100.100/255.255.255.255 6 0-65535 443-443 Any Permit 0
3 Any 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 Any 0-65535 0-65535 Any Deny 51
DenyCounter : 27
(Cisco Controller) >
I have the following doubts:
Is it not necessary to allow the CAPWAP tunnel ports?
I have applied this ACL and traffic from interface XX to 190.139.109.101 is filtered. If I remove the CPU ACL, traffic to interface XX is permitted. So does the CPU ACL affect all interfaces?
Hi,
better a late reply than no reply at all ...
The CPU ACL actually filters traffic that is destined to one of the WLC IP addresses, so it works on all interfaces, but it does not filter all types of traffic, only traffic that is destined to the WLC itself.
So if you apply a CPU ACL, it is likely you need to either allow the CAPWAP ports or allow everything in the subnet where the APs are.
Regards,
Nicolas -
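An added example (not code from any post on this page, nor from Cisco): a small first-match ACL evaluator in Python, run over the three-entry CPU ACL quoted above to show why CAPWAP must be permitted ahead of the final deny, and over a constructed guest-VLAN ACL for the VLAN 84 question at the top of the page. Assumed values: the AP address 186.108.26.50 in the stated 186.108.26.0/24 management subnet, and placeholder guest addresses 10.84.0.0/24 (DHCP server 10.84.0.10), an internal server 10.88.0.20 and an Internet host 203.0.113.10.

```python
# Added example (not from any post on this page or from Cisco): a first-match ACL
# evaluator of the kind WLC and IOS ACLs implement. Source ports and the WLC "Dir"
# column are ignored, since neither is restricted in the ACLs modelled here.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-control entry: CIDR source and destination, IP protocol
    (None = any), inclusive destination-port range, and the action on match."""
    src: str
    dst: str
    proto: Optional[int]
    dports: Tuple[int, int]
    action: str

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dports[0] <= pkt.dport <= self.dports[1]


def evaluate(acl: List[Ace], pkt: Packet):
    """Return (action, 1-based index of the entry that matched). As on the real
    devices, the first matching entry wins and an unmatched packet is denied."""
    for index, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


# The three-entry CPU ACL from the WLC post, transcribed from 'show acl detailed'.
CPU_ACL = [
    Ace("1.1.1.0/24", "1.1.1.115/32", TCP, (443, 443), "permit"),
    Ace("0.0.0.0/0", "100.100.100.100/32", TCP, (443, 443), "permit"),
    Ace("0.0.0.0/0", "0.0.0.0/0", None, ANY_PORT, "deny"),
]

# Management interface 186.108.26.2/24 is from the post; the AP address is constructed.
MGMT_SUBNET, MGMT_IP, AP_IP = "186.108.26.0/24", "186.108.26.2", "186.108.26.50"
CAPWAP_CTRL, CAPWAP_DATA = 5246, 5247        # CAPWAP UDP ports (RFC 5415)

# The same ACL with a CAPWAP permit inserted ahead of the final deny-all.
CPU_ACL_FIXED = CPU_ACL[:2] + [
    Ace(MGMT_SUBNET, f"{MGMT_IP}/32", UDP, (CAPWAP_CTRL, CAPWAP_DATA), "permit"),
    CPU_ACL[2],
]


def capwap_join_allowed(acl: List[Ace]) -> bool:
    """Can an AP's CAPWAP control traffic reach the controller under this CPU ACL?"""
    pkt = Packet(AP_IP, MGMT_IP, UDP, sport=CAPWAP_CTRL, dport=CAPWAP_CTRL)
    return evaluate(acl, pkt)[0] == "permit"


# Guest VLAN 84 from the first question; all addresses here are placeholders.
# Internet-bound packets carry the remote host's address, not the firewall's,
# so "permit only DHCP and the firewall" would block them: instead permit DHCP,
# deny the internal ranges, and let everything else through to the firewall.
DHCP_SERVER, INTERNAL_SERVER, INTERNET_HOST = "10.84.0.10", "10.88.0.20", "203.0.113.10"
GUEST_ACL = [
    # The initial DHCP discover is 0.0.0.0 -> 255.255.255.255 (UDP 68 -> 67); a
    # rule naming only the DHCP server's unicast address would never match it.
    Ace("0.0.0.0/0", "0.0.0.0/0", UDP, (67, 67), "permit"),
    Ace("0.0.0.0/0", "10.0.0.0/8", None, ANY_PORT, "deny"),
    Ace("0.0.0.0/0", "0.0.0.0/0", None, ANY_PORT, "permit"),
]


def guest_decisions() -> dict:
    """Verdicts for a DHCP discover, a DHCP renewal, an Internet-bound packet
    and an attempt to reach an internal (VLAN 88) server."""
    cases = {
        "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", UDP, 68, 67),
        "dhcp_renew": Packet("10.84.0.55", DHCP_SERVER, UDP, 68, 67),
        "to_internet": Packet("10.84.0.55", INTERNET_HOST, TCP, 51000, 443),
        "to_internal": Packet("10.84.0.55", INTERNAL_SERVER, TCP, 51000, 445),
    }
    return {name: evaluate(GUEST_ACL, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    print("CAPWAP under the posted CPU ACL:", capwap_join_allowed(CPU_ACL))
    print("CAPWAP under the fixed CPU ACL: ", capwap_join_allowed(CPU_ACL_FIXED))
    print(guest_decisions())
```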
For security purposes I have created an ACL for new SSIDs and it looks like it does not work correctly.
10.2.25.0 is the interface of the new SSID
trying to get access to 10.2.115.0, which are Apple TVs
Basically, when I take off the ACL all is working; when I apply the ACL I cannot connect from VLAN 25 to 115.
Any help appreciated. Thank You. -
Hi,
I am trying to lock groups to a specific tunnel group but unfortunately, no matter what I do, the group-lock feature doesn't seem to work. Basically, here is what I want to do:
1- User details are pulled from AD through LDAP
2- The AD group is mapped to the appropriate group on the ASA using attribute mapping
3- The user should only use the tunnel that he/she is locked to
4- This all should be done without the user needing to select a group on the VPN portal
5- We will be using AnyConnect and the VPN portal for communication
All works fine except the group-lock feature. If it is enabled and set to "group-lock value NET_ADMIN_G", I get the following error in debug webvpn and the user is not allowed in.
webvpn_auth.c:http_webvpn_post_authentication[1503]
WebVPN: user: (test) authenticated.
webvpn_auth.c:http_webvpn_auth_accept[2905]
User came in on group he wasn't supposed to come in on!
When it is removed, no matter what I do, the user is mapped to the DefaultWEBVPNGroup tunnel group:
SSLVPN(config-group-policy)# sho vpn-sessiondb webvpn
Session Type: WebVPN
Username : test Index : 132
Public IP : 10.1.1.1
Protocol : Clientless
License : AnyConnect Premium
Encryption : Clientless: (1)AES256 Hashing : Clientless: (1)SHA1
Bytes Tx : 252897 Bytes Rx : 48894
Group Policy : NET_ADMIN Tunnel Group : DefaultWEBVPNGroup
Login Time : 11:18:13 EDT Fri Mar 22 2013
Duration : 0h:01m:12s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ASA is on 9.11.4.
group policy:
group-policy NET_ADMIN internal
group-policy NET_ADMIN attributes
wins-server none
dns-server value 2.2.2.2
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-session-timeout alert-interval 25
vpn-filter value VPN_SPLIT_TUNNEL
vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
password-storage disable
ip-comp enable
re-xauth disable
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT_TUNNEL
default-domain value brightstarcorp.com
split-dns value brightstarcorp.com
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn value svgmelb.au.brightstarcorp.com
leap-bypass disable
nem disable
backup-servers clear-client-config
msie-proxy method no-modify
vlan none
nac-settings none
address-pools value SSL_POOL
ipv6-address-pools none
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list value NETADMIN_BOOKMARK
filter value INTERNAL_WEBACL
homepage use-smart-tunnel
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression lzs
anyconnect dtls compression lzs
anyconnect modules value posture
anyconnect profiles value net_admin_p type user
anyconnect ask none default webvpn
customization value NETADMIN_PORTAL
hidden-shares visible
activex-relay enable
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
auto-signon allow uri * auth-type all
Tunnel Group:
tunnel-group NET_ADMIN_G type remote-access
tunnel-group NET_ADMIN_G general-attributes
address-pool SSL_POOL
authentication-server-group LDAP
authorization-server-group LDAP
accounting-server-group RGROUPADMIN
default-group-policy NET_ADMIN
authorization-required
tunnel-group NET_ADMIN_G webvpn-attributes
customization NETADMIN_PORTAL
group-alias infra_network enable
group-url https://x.x.x.x/network enable
dns-group DNSGROUP
Any ideas?
Thanks in advance
Hi Portu,
Here's debug LDAP:
SLVPN#
[553] Session Start
[553] New request Session, context 0x00007fff33beb228, reqType = Authentication
[553] Fiber started
[553] Creating LDAP context with uri=ldap://1.1.1.13:389
[553] Connect to LDAP server: ldap://1.1.1.13:389, status = Successful
[553] supportedLDAPVersion: value = 3
[553] supportedLDAPVersion: value = 2
[553] Binding as bind
[553] Performing Simple authentication for test to 1.1.1.13
[553] LDAP Search:
Base DN = [OU=xx ENTERPRISE,DC=xxx,DC=com]
Filter = [sAMAccountName=test]
Scope = [SUBTREE]
[553] User DN = [CN=test,OU=Users,OU=xx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com]
[553] Talking to Active Directory server 1.1.1.13
[553] Reading password policy for test, dn:CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=ENTERPRISE,DC=xxx,DC=com
[553] Read bad password count 0
[553] Binding as test
[553] Performing Simple authentication for test to 1.1.1.13
[553] Processing LDAP response for user test
[553] Message (test):
[553] Authentication successful for test to 1.1.1.13
[553] Retrieved User Attributes:
[553] objectClass: value = top
[553] objectClass: value = person
[553] objectClass: value = organizationalPerson
[553] objectClass: value = user
[553] cn: value = test
[553] sn: value =
[553] c: value = AU
[553] l: value = xxx
[553] st: value = xxx
[553] title: value = test user / IT
[553] description: value = Network
[553] postalCode: value = xxx
[553] physicalDeliveryOfficeName: value = xxx
[553] telephoneNumber: value = xxx
[553] givenName: value = test
[553] distinguishedName: value = CN=test,OU=Users,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=br
[553] instanceType: value = 4
[553] whenCreated: value = 20110327224420.0Z
[553] whenChanged: value = 20130319223953.0Z
[553] displayName: value = test
[553] uSNCreated: value = 84454809
[553] memberOf: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=APAC.Cisco.Tel.Users,OU=Security Groups,OU=xxx,OU=Australia,OU=APAC,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] memberOf: value = CN=Networks,OU=Distribution Groups,OU=xxx,OU=Australia,OU=APAC,OU=
[553] mapped to IETF-Radius-Class: value = NET_ADMIN
[553] mapped to LDAP-Class: value = NET_ADMIN
[553] memberOf: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate
[553] mapped to IETF-Radius-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
[553] mapped to LDAP-Class: value = CN=Email Notify SG10,OU=Distribution Groups,OU=Corporate,OU=US & Canada,OU=BS ENTERPRISE,DC=xxx,DC=com
aaa common debug:
AAA API: In aaa_open
AAA session opened: handle = 3
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: LDAP)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
AAA_NextFunction: authen svr = BSTAR_LDAP, author svr = LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_USER_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating user group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
User Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_USER_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_AUTHORIZE,
AAA FSM: In AAA_InitTransaction
Initiating authorization query (Svr Grp: LDAP)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.13
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authorization Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTHORIZE, auth_status = ACCEPT
AAA_NextFunction: author svr = BSTAR_LDAP, user pol = NET_ADMIN, tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_AUTH_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(NET_ADMIN)
Got server ID 0 for group policy DB
Initiating authorization group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: NET_ADMIN
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up NET_ADMIN
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authorization Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_AUTH_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DfltGrpPolicy)
Got server ID 0 for group policy DB
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DfltGrpPolicy
Resp:
grp_policy_ioctl(0x00000000047eb0e0, 114698, 0x00007fff28d31c90)
grp_policy_ioctl: Looking up DfltGrpPolicy
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 3, pAcb = 0x00007fff3401b550
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
Class attribute created from LDAP-Class attribute
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
Checking simultaneous login restriction (max allowance=3) for user test
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 6 "test"
2 User-Password(2) 10 (hidden)
3 Group-Policy(4121) 9 "NET_ADMIN"
4 AAA-AVP-Table(4243) 11268 "[04],[00][00]t[00][00][00][F8][03][00][00][0F][04][00]"
5 LDAP-Class(20520) 10 "NET_ADMIN[00]"
6 LDAP-Class(20520) 11 "USERS[00]"
user policy attributes:
1 Filter-Id(11) 8 "VPN_SPLIT_TUNNEL"
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Access-Hours(4097) 0 0x00007fff35d685e0 ** Unresolved Attribute **
5 Simultaneous-Logins(4098) 4 3
6 Primary-DNS(4101) 4 IP: 1.1.1.13
7 Secondary-DNS(4102) 4 IP: 1.1.1.30
8 Primary-WINS(4103) 4 IP: 0.0.0.0
9 Secondary-WINS(4104) 4 IP: 0.0.0.0
10 Tunnelling-Protocol(4107) 4 52
11 Banner(4111) 446 "This is a PRIVATE computer system, which may be acces"
12 Store-PW(4112) 4 0
13 Split-Tunnel-Inclusion-List(4123) 8 "VPN_SPLIT_TUNNEL"
14 Default-Domain-Name(4124) 18 "xxxxcorp.com"
15 Secondary-Domain-Name-List(4125) 18 "xxxxcorp.com"
16 Nat-Enabled-IPSec(4130) 4 0
17 IPSec-UDP-Port(4131) 4 10000
18 IPComp(4135) 4 1
19 Authentication-On-Rekey(4138) 4 0
20 Required-Firewall-Vendor-Code(4141) 0 0x0000000002e006b0 ** Unresolved Attribute **
21 Required-Firewall-Product-Code(4142) 0 0x0000000002e006b0 ** Unresolved Attribute **
22 Required-Firewall-Description(4143) 0 0x00007fff35d687fa ** Unresolved Attribute **
23 Secure-unit-config(4144) 4 0
24 Individual-user-auth-config(4145) 4 0
25 User-auth-idle-timeout(4146) 4 0
26 Cisco-IP-telephony-config(4147) 4 0
27 Split-Tunneling-Policy(4151) 4 1
28 Required-Firewall-Capability(4152) 0 0x0000000002e006b0 ** Unresolved Attribute **
29 Client Firewall Optional(4154) 0 0x0000000002e006b0 ** Unresolved Attribute **
30 Backup-Ip-Sec-Peers-Enabled(4155) 4 2
31 Network-Extension-Mode-Allowed(4160) 4 0
32 URL list name(4167) 17 "NETADMIN_BOOKMARK"
33 ACL-like filters(4169) 8 "INTERNAL_WEBACL"
34 Cisco-LEAP-Passthrough-config(4171) 4 0
35 IKE Client Type and Version Limiting policy rules(4173) 0 0x00007fff35d68835 ** Unresolved Attribute **
36 IE-Proxy-Server-Method(4177) 4 1
37 The tunnel group that tunnel must be associated with(4181) 11 "NET_ADMIN_G"
38 User ACL for inbound traffic(4182) 8 ""
39 User ACL for outbound traffic(4183) 8 ""
40 Indicates whether or not PFS is required for IPSec(4184) 4 0
41 WebVPN URL Entry enable(4189) 4 1
42 WebVPN File Server Entry enable(4191) 4 1
43 WebVPN File Server Browsing enable(4192) 4 1
44 WebVPN SVC Keep enable(4201) 4 1
45 WebVPN SVC Keepalive interval(4203) 4 20
46 WebVPN SVC Client DPD period(4204) 4 30
47 WebVPN SVC Gateway DPD period(4205) 4 30
48 WebVPN SVC Rekey period(4206) 4 0
49 WebVPN SVC Rekey method(4207) 4 0
50 WebVPN SVC Compression(4208) 4 2
51 WebVPN Customization(4209) 15 "NETADMIN_PORTAL"
52 WebVPN Deny message(4212) 180 "Login was successful, but because certain criteria ha"
53 WebVPN SVC DTLS Compression(4213) 4 2
54 Extended Authentication-On-Rekey(4218) 4 0
55 WebVPN SVC DTLS enable(4219) 4 1
56 WebVPN SVC MTU(4221) 4 1406
57 CIFS hidden shares(4222) 4 1
58 CVC-Modules(4223) 7 "posture"
59 CVC-Profile(4224) 17 "net_admin_p#user,"
60 CVC-Ask(4227) 4 4
61 CVC-Ask-Timeout(4228) 4 0
62 WebVPN ActiveX Relay(4233) 4 1
63 VLAN ID(4236) 4 0
64 NAC Settings(4237) 0 0x00007fff35d68985 ** Unresolved Attribute **
65 WebVPN Session timeout alert interval(4245) 4 25
66 List of address pools to assign addresses from(4313) 13 "SSL_POOL"
67 List of IPv6 address pools to assign addresses from(4314) 0 0x00007fff35d68998 ** Unresolved Attribute **
68 Smart tunnel on home page enable(4324) 4 1
69 Disable Always-On VPN(4325) 4 0
70 SVC ignore DF bit(4326) 4 0
71 Client Bypass Protocol(4331) 4 0
72 Gateway FQDN(4333) 29 "xxx.xxxxcorp.com"
73 CA URL for SCEP enrollment(20530) 0 0x00007fff35d689c7 ** Unresolved Attribute **
tunnel policy attributes:
1 Filter-Id(11) 8 "VPN_SPLIT_TUNNEL"
2 Session-Timeout(27) 4 0
3 Idle-Timeout(28) 4 30
4 Access-Hours(4097) 0 0x00007fff351cddd0 ** Unresolved Attribute **
5 Simultaneous-Logins(4098) 4 0
6 Primary-DNS(4101) 4 IP: 10.125.3.7
7 Secondary-DNS(4102) 4 IP: 10.125.3.5
8 Primary-WINS(4103) 4 IP: 0.0.0.0
9 Secondary-WINS(4104) 4 IP: 0.0.0.0
10 Tunnelling-Protocol(4107) 4 124
11 Banner(4111) 446 "This is a PRIVATE computer system, which may be acces"
12 Store-PW(4112) 4 0
13 Group-Policy(4121) 13 "DfltGrpPolicy"
14 Split-Tunnel-Inclusion-List(4123) 8 "VPN_SPLIT_TUNNEL"
15 Default-Domain-Name(4124) 18 "xxxxcorp.com"
16 Secondary-Domain-Name-List(4125) 0 0x00007fff351cdfc7 ** Unresolved Attribute **
17 Nat-Enabled-IPSec(4130) 4 0
18 IPSec-UDP-Port(4131) 4 10000
19 IPComp(4135) 4 0
20 Authentication-On-Rekey(4138) 4 0
21 Secure-unit-config(4144) 4 0
22 Individual-user-auth-config(4145) 4 0
23 User-auth-idle-timeout(4146) 4 30
24 Cisco-IP-telephony-config(4147) 4 0
25 Split-Tunneling-Policy(4151) 4 1
26 Client Firewall Optional(4154) 0 0x00007fff351cdfec ** Unresolved Attribute **
27 Backup-Ip-Sec-Peers-Enabled(4155) 4 1
28 Group-giaddr(4157) 4 IP: 0.0.0.0
29 Intercept-DHCP-Configure-Msg(4158) 4 0
30 Client-Subnet-Mask(4159) 4 IP: 255.255.255.255
31 Network-Extension-Mode-Allowed(4160) 4 0
32 WebVPN Content Filter Parameters(4165) 4 0
33 WebVPN Parameters configuration(4166) 4 1
34 URL list name(4167) 0 0x00007fff351ce008 ** Unresolved Attribute **
35 Forwarded ports(4168) 0 0x00007fff351ce009 ** Unresolved Attribute **
36 ACL-like filters(4169) 8 "INTERNAL_WEBACL"
37 Cisco-LEAP-Passthrough-config(4171) 4 0
38 Default WebVPN homepage(4172) 0 0x00007fff351ce016 ** Unresolved Attribute **
39 IKE Client Type and Version Limiting policy rules(4173) 0 0x00007fff351ce017 ** Unresolved Attribute **
40 Application Access Name(4175) 18 "Application Access"
41 IE-Proxy-Server(4176) 0 0x00007fff351ce02b ** Unresolved Attribute **
42 IE-Proxy-Server-Method(4177) 4 1
43 IE-Proxy-Server-Exceptions(4178) 0 0x00007fff351ce030 ** Unresolved Attribute **
44 IE-Proxy-Server-Bypass-Local(4179) 4 0
45 The tunnel group that tunnel must be associated with(4181) 0 0x00007fff351ce035 ** Unresolved Attribute **
46 Indicates whether or not PFS is required for IPSec(4184) 4 0
47 NAC Enable/Disable(4185) 4 0
48 NAC Status Query Timer(4186) 4 300
49 NAC Revalidation Timer(4187) 4 36000
50 NAC Default ACL(4188) 8 ""
51 WebVPN URL Entry enable(4189) 4 0
52 WebVPN File Server Entry enable(4191) 4 0
53 WebVPN File Server Browsing enable(4192) 4 0
54 WebVPN Port Forwarding enable(4193) 4 0
55 WebVPN Port Forwarding Exchange Proxy enable(4194) 4 0
56 WebVPN Port Forwarding HTTP Proxy enable(4195) 4 0
57 WebVPN SVC enable(4199) 4 0
58 WebVPN SVC Required enable(4200) 4 0
59 WebVPN SVC Keep enable(4201) 4 0
60 WebVPN SVC Keepalive interval(4203) 4 20
61 WebVPN SVC Client DPD period(4204) 4 30
62 WebVPN SVC Gateway DPD period(4205) 4 30
63 WebVPN SVC Rekey period(4206) 4 0
64 WebVPN SVC Rekey method(4207) 4 0
65 WebVPN SVC Compression(4208) 4 2
66 WebVPN Customization(4209) 0 0x00007fff351ce08a ** Unresolved Attribute **
67 Single Sign On Server Name(4210) 0 0x00007fff351ce08b ** Unresolved Attribute **
68 WebVPN SVC Firewall Rule(4211) 17 "private#,public#,"
69 WebVPN Deny message(4212) 180 "Login was successful, but because certain criteria ha"
70 WebVPN SVC DTLS Compression(4213) 4 2
71 HTTP compression method(4216) 4 0
72 Maximum object size to ignore for updating the session timer(4217) 4 4
73 Extended Authentication-On-Rekey(4218) 4 0
74 WebVPN SVC DTLS enable(4219) 4 1
75 WebVPN SVC MTU(4221) 4 1406
76 CIFS hidden shares(4222) 4 0
77 CVC-Modules(4223) 20 "dart,vpngina,posture"
78 CVC-Profile(4224) 15 "IPSEC_VPN#user,"
79 CVC-IKE-Retry-Timeout(4225) 4 10
80 CVC-IKE-Retry-Count(4226) 4 3
81 CVC-Ask(4227) 4 2
82 CVC-Ask-Timeout(4228) 4 0
83 IE-Proxy-Pac-URL(4229) 0 0x00007fff351ce1a4 ** Unresolved Attribute **
84 IE-Proxy-Lockdown(4230) 4 1
85 WebVPN Smart Tunnel(4232) 0 0x00007fff351ce1a9 ** Unresolved Attribute **
86 WebVPN ActiveX Relay(4233) 4 1
87 WebVPN Smart Tunnel Auto Download enable(4234) 4 0
88 WebVPN Smart Tunnel Auto Sign On enable(4235) 0 0x00007fff351ce1b2 ** Unresolved Attribute **
89 VLAN ID(4236) 4 0
90 NAC Settings(4237) 0 0x00007fff351ce1b7 ** Unresolved Attribute **
91 MemberOf(4241) 0 0x00007fff351ce1b8 ** Unresolved Attribute **
92 WebVPN Idle timeout alert interval(4244) 4 1
93 WebVPN Session timeout alert interval(4245) 4 1
94 Maximum object size for download(4253) 4 2147483647
95 Maximum object size for upload(4254) 4 2147483647
96 Maximum object size for post(4255) 4 2147483647
97 User storage(4256) 0 0x00007fff351ce1cd ** Unresolved Attribute **
98 User storage objects(4257) 19 "cookies,credentials"
99 User storage shared key(4258) 0 0x00007fff351ce1e2 ** Unresolved Attribute **
100 VDI configuration(4259) 0 0x00007fff351ce1e3 ** Unresolved Attribute **
101 NAC Exception List(4312) 4 0
102 List of address pools to assign addresses from(4313) 0 0x00007fff351ce1e8 ** Unresolved Attribute **
103 List of IPv6 address pools to assign addresses from(4314) 0 0x00007fff351ce1e9 ** Unresolved Attribute **
104 IPv6 filter-id(4315) 8 ""
105 WebVPN Unix user ID(4317) 4 65534
106 WebVPN Unix group ID(4318) 4 65534
107 Disconnect VPN tunnel when a Smartcard is removed(4321) 4 1
108 WebVPN Smart Tunnel Tunnel Policy(4323) 0 0x00007fff351ce1fe ** Unresolved Attribute **
109 Disable Always-On VPN(4325) 4 1
110 SVC ignore DF bit(4326) 4 0
111 SVC client routing/filtering ignore(4327) 4 0
112 Configure the behaviour of DNS queries by the client when Split tunneling is enabled(4328) 4 0
113 Client Bypass Protocol(4331) 4 0
114 IPv6-Split-Tunneling-Policy(4332) 4 0
115 Gateway FQDN(4333) 0 0x00007fff351ce217 ** Unresolved Attribute **
116 CA URL for SCEP enrollment(20530) 0 0x00007fff351ce218 ** Unresolved Attribute **
Auth Status = ACCEPT
AAA API: In aaa_close
AAA task: aaa_process_msg(0x00007fff28d327d0) received message type 3
In aaai_close_session (3)
Thanks, -
Using one controller as primary DHCP server for 2 or more controllers
Here's my setup
2 - 5508 controllers (40 APs per controller) running 6.0.196.0 (100 user license per controller)
about 80 mixed - 1142 and 1252 APs, trying to put 40 APs on each controller
One subnet connects two controllers together on the management interface on port 1 on both controllers. 10.x.x.x addresses.
Port 2 on each controller (LAG not used) connects to a DMZ via dynamic interfaces for user traffic, 172.x.x.x addresses.
I want to use one controller for all clients to get their DHCP addresses from (no matter what controller their AP is on)
as a primary DHCP server (controller A as primary), then i'd like to point the clients to the other controller (controller B) to be used as a backup DHCP server in case Controller A fails. Also, the APs are setup to have the correct primary and secondary controllers under their high availability setting as well as the mobility group information.
I want to avoid splitting my DHCP scopes between controllers, and I don't have a DHCP server dedicated to this project, so the 5508s should be able to do the job. Or at least I thought.
When configuring the controllers with the proper DHCP scopes, this only seems to work for clients connecting to controller A. Clients on controller B don't get an address from controller A when pointing to that controller; in fact, the weird thing is that debugging shows DHCP requests going out of port 2 (DMZ traffic) instead of port 1 (management) on controller B. Shouldn't they be going out of the interface that is specified with the DHCP configuration in the dynamic interface? And I don't have "override" turned on in the WLAN configuration, so the DHCP server should be taken from the dynamic interface that the user resides on.
Mobility groups are configured correctly between the two controllers and both the control and data paths are up between the two controllers. Another weird thing: both controllers' management interfaces are on the same subnet, no ACLs or filters, and when the mobility groups are configured, controller A can ping controller B, but controller B cannot ping A. The status still shows as UP/UP in the mobility members window, but they use mPing, which seems to work fine. Remove the mobility group configuration and ping works just fine between the boxes. I don't know if this is related to my DHCP issues, but it would seem that if I put controller A's management address in the dynamic interface configuration for DHCP on controller B, my clients on B should get an address from A's DHCP pool. Controller A's dynamic interfaces all point to controller A's management interface and they work just fine.
I'm trying to load balance my AP distribution between two boxes, and I'm also trying to have some controller redundancy.
Controller A works just fine; it's in production. Trying to add another controller B to talk to A for DHCP is the issue.
Anyone have any clues?
-Blair
I guess I was under the impression that when mobility groups were configured, the lease time, along with other client information (MAC address, IP address and such), would be replicated from one controller to the other controller over the EoIP tunnel. If that's not the case, then obviously I'll have to look elsewhere.
Also, does this mean that it will not work, or just that it's not recommended? If it does work and I have to fix something, at least I can move on with my testing, all while pursuing a DHCP server. It doesn't sound like using an AP as a DHCP server is any better than using the controllers for that same purpose.
Thank you for the quick response. -
SF300-24P technical specifications
I am looking for some technical specs on the SF300 series which I can't seem to find in the 300 series data sheet:
the maximum delay for traffic through the switch
buffer size for each switchport
whether or not the ports are suitable for shielded cable and connectors
Regards,
Erik de Jong
I believe this switch should be able to do all ports at full speed, non-blocking.
I don't know if there are actual delay numbers in the datasheet.
Is there a PROFINET certification or standard? If there is, it should be in the sheet.
I would suggest getting a demo unit from your partner or distributor and seeing if it meets your time sensitivity.
If it's real-time and super critical, you might want to run a hard line/crossover cable.
What is the application? Real-time NC, video?
To get the best performance on this switch, turn on QoS for the application you are using, use layer 2, and don't have many ACLs or filters.
The switch datasheet with lots of numbers is here:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html
Cisco 300 Series Switches include embedded QoS intelligence to prioritize delay-sensitive services such as voice and video, simplify unified communications deployments, and help ensure consistent network performance for all services. For example, automated voice VLAN capabilities let you plug any IP phone (including third-party phones) into your IP telephony network and receive an immediate dial tone
dlm... -
How to block foreign countries?
Is there a simple way to block IP addresses by foreign country? There are so many network addresses that need to be blocked that it seems impractical on the ASA. Can someone give me some suggestions on this?
You would need to gather info on public IP block assignments by country. Based on the gathered IP block assignments you can block the entire IP blocks at an edge router outside your firewall: create a deny ACL, summarize the IP block assignments using wildcard masks, and apply it to your inbound interface.
Database search for IP blocks by countries
http://www.countryipblocks.net/
Info on IANA, global coordination of IP global addressing.
http://www.iana.com/
Follow a similar example to the ACLs in the link below, but use the unwanted public IP blocks in the ACLs.
Filtering at the edge
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Rgds
Jorge -
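An added example (not from the post, and not Cisco's own tooling) of the summarization step Jorge describes: it takes country blocks in either CIDR or first-last form, collapses adjacent and overlapping blocks into the fewest prefixes, and renders them as IOS extended-ACL lines with wildcard masks. The sample blocks are constructed from RFC 5737 documentation ranges; the ACL name BLOCK_GEO is a placeholder.

```python
# Added example (not from the post or from Cisco): summarise a country's IP
# blocks and render them as IOS extended-ACL lines with wildcard masks.
import ipaddress
from typing import Iterable, List


def parse_block(text: str) -> List[ipaddress.IPv4Network]:
    """Accept either CIDR ('192.0.2.0/24') or a 'first-last' range, as country
    block lists commonly publish them, and return the covering networks."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]


def summarize(blocks: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping blocks into the fewest covering prefixes,
    so the ACL carries as few entries as possible."""
    nets = [n for b in blocks for n in parse_block(b)]
    return list(ipaddress.collapse_addresses(nets))


def ios_acl_lines(name: str, blocks: Iterable[str]) -> List[str]:
    """Render an IOS named extended ACL: one deny per summarized prefix, using
    the wildcard (inverse) mask IOS expects, then an explicit permit so the
    ACL's implicit deny-all does not drop the rest of the Internet."""
    lines = [f"ip access-list extended {name}"]
    for net in summarize(blocks):
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


# Constructed sample input using RFC 5737 documentation ranges; a real list
# would come from a country-block database such as the one linked above.
SAMPLE_BLOCKS = [
    "192.0.2.0/25",
    "192.0.2.128/25",                  # adjacent to the previous: merges into a /24
    "198.51.100.0-198.51.100.255",     # range form
    "203.0.113.0/24",
    "203.0.113.64/26",                 # already covered: collapsed away
]

if __name__ == "__main__":
    for line in ios_acl_lines("BLOCK_GEO", SAMPLE_BLOCKS):
        print(line)
    # Apply inbound on the outside interface with:  ip access-group BLOCK_GEO in
```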
Slow Windows 7 PC with SCCM - WMI...?
Hi All,
We use System Center Configuration Manager 2007 R3 to provide on-demand applications and software metering to Windows 7 SP1 x86 (we use WSUS and WDS entirely independently of SCCM 2007 R3).
This year, we had a progressive slowdown of PCs. I've eliminated hardware, software, networking, the base image, home directory shares, WSUS/updates, etc. Users don't have admin rights. If I deploy an identical image into a .VHD on the same physical computer (using native .VHD boot), it performs as expected. With hardware, networking, AD, etc. being identical, this leaves us with applications and printer drivers.
We did discover the service hosting WMI was very busy, then discovered the WMI database
C:\Windows\System32\wbem\Repository\OBJECTS.DATA
was large - 500Mb (by contrast, out-of-the-box Windows 7 SP1 x86 is about 15Mb). Microsoft's WMIDIAG (the WMI Diagnosis Utility, version 2.1, from the Microsoft Download Center) considers +300MB as very large.
I'm sure you're all familiar with this: WMI is queried by, and published to by, lots of different parts of the system; slow WMI, slow system.
We have some PCs with SSDs, but the WMI file is some sort of database that I don't think was ever engineered to scale to these sizes. Hence even a fast physical disk won't resolve this.
I've been doing some deeper analysis based on
Troubleshooting WMI Repository Bloat - System Center Blog by Russ Slaten - Site Home - MSDN Blogs
I've gathered some data and wondered if I could share it with colleagues, with the hope that if I show you mine you'll show me yours...
Have put up my own data, and methods to gather the data, at
http://sdrv.ms/15VGdUM
Would *really* appreciate replies. Am not familiar with this stuff, and only done it at my current employer, so I have no "context" of what's OK and what's not.
Thanks in advance.
Kind regards,
Anwar
Hi Jason,
Thanks for your reply.
We have a large fleet of PCs. On 4 of them (in fact, the 4 from the spreadsheet!) I
- applied KB2775511
- configured WMI to run in a separate process (as recommended by a Microsoft SCCM guru - forget who, where and when)
- initiated a reset of the repository (winmgmt /resetrepository) (as NOT recommended by a Microsoft SCCM guru - forget who, where and when, but which appears to be common (routine?) practice; we've also observed Windows PCs will do this themselves when they've decided enough is enough).
- waited while SCCM 2007 R3 client relearnt about all of the advertisements (300+ advertisements, but because each may contain multiple programs, the CCM_SoftwareDistribution class has in excess of 700 records).
I've configured the computers to
- logon
- wait 60 seconds
- restart
and repeat this endlessly with a set of 5 different IDs each. I did this before and after the actions I mentioned above.
I'm using a simple metric - how long from the previous logoff to the current logon (as recorded by actions performed in logon/logoff scripts). This is a good metric for us because it covers the "Please wait..." [startup] and "Welcome" [logon] delays that most affect users.
I saw average improvements of about 10 seconds on two of the PCs, and around 90 seconds on two other PCs. Which is definitely good!
HOWEVER, this isn't very dissimilar to re-imaging the PC, which I *know* resets performance back to "acceptable". I expect performance to degrade again. However, I don't know precisely how or when or why.
I discovered that each user logging on to SCCM-managed PCs will get their *OWN* set of WMI classes [not just records - actual classes, whose name includes their RID] created. As a University, we provide a set of PCs for many thousands of students to use at "random". Our most popular PCs may have hundreds of different students logging on. Their WMI repository will accumulate large numbers of WMI classes.
I've since discovered that we perform a hardware and software inventory everyday. I don't think this will be helping.
Under the hood, it seems that
- the SCCM server hosts policies, and the server will evaluate the *actual* set of policies to apply to each PC (taking into account inheritance, exceptions, ACLs, WMI filters, etc, etc, etc)
- the SCCM client will replicate these policies locally
- the SCCM client will then endeavour to implement these policies, keeping a record of results in WMI
- the SCCM client will replicate results back to the SCCM server
Hence the SCCM client (itself - excluding servers) appears to be, in effect, a 3 tier application server in itself
- the database tier is provided by WMI
- the application tier is CCM Exec
- the database and application tiers are available via the WinRM service
- the client tier is more-or-less Windows itself
These are merely my observations of what I've uncovered over the last few days. I could be completely wrong :-)
Kind regards,
Anwar -
Verizon MI424WR router and Netgear WN1000RP wifi range extender
Not sure if anyone has configured this before. At face value, it's simple but I cannot get it to work. I'm able to create a new SSID <AccessPointName_EXT> and connect to it. But once I connect to it, I can't get any Internet activity at all. I don't have any ACL\MAC filtering set. I'm sure I need to change something on my Verizon router but haven't figured it out yet. This is becoming the bane of my existence! I've tried setting things up through the wizard and manually... same exact results. Ugh!
FOUND THIS IN THE WN1000RP wi-fi range extender manual.
http://www.downloads.netgear.com/files/GDC/WN1000RP/WN1000RP_UM_9Nov12.pdf
Could this have a bearing on your situation ?
Interference Reduction Table
The table below shows the recommended minimum distance between NETGEAR equipment and household appliances to reduce interference (in feet and meters).
Table 4. Interference reduction table
Household Appliance        Recommended Minimum Distance
Microwave ovens            30 feet / 9 meters
Baby Monitor - Analog      20 feet / 6 meters
Baby Monitor - Digital     40 feet / 12 meters
Cordless phone - Analog    20 feet / 6 meters
Cordless phone - Digital   30 feet / 9 meters
Bluetooth devices          20 feet / 6 meters
ZigBee                     20 feet / 6 meters
Tom
Freedom Essentials, QIP 7100 1,Bose SOLO TV Sound System,,QIP 7216 P2,M1424WR Rev F, iPad 2 WiFi,iPhone 5,TV SYST INFO Release 1.9.5 Build No. 17.45
Data Object 39.45 -
DAP ACL filters - why only 'all allow' or 'all deny'
Hi folks.
I'm doing DAP (dynamic Access policies) on an ASA 8.0 for SSL VPN via the AnyConnect client.
Could someone explain the requirement that ACLs used for Network or Web filters must consist of either all permit or all deny statements (i.e. no mixing permit/denys)
Also, I'm trying to wrap my head around Downloadable ACLs in general. Do people actually use these (either local to the ASA or downloaded from an ACS, for example)?
Hi, Troubleshooting is like trying to find a needle in a haystack, right? LOL I'm always amazed computers work at all :-)
Hats off to the Microsofts, the Apples, the Adobes and all of the others that do all they do, so I don't mind a glitch here and there.
You are probably correct about the allow/deny selection for Zone Alarm. I used it at one time and I had a hard time with it due to not understanding what an allow or deny would do:-) Glad you were able to see that.
The FF vs 3.6.9 from what I have read was all about Security. I was over there late last night reading. Link here:
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.9
Also, here is some additional info and it covers the DLL preloading attack that is going on:
http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=227400031&cid=nl_IW_SMB_2010-09-09_h
Microsoft came out on 8/23 on the latter link.
Thanks for the appreciation:-) There are many other volunteers on the other Adobe Forums as well and I'm sure they are all appreciated. Many have been on the other Forums for a very long time. I'm always amazed at the number of posts they have accumulated over the years! Very Hi-Tech people over there!
Regards,
eidnolb -
Configure IPv6 ACL Extensions for Hop by Hop Filtering
I have IPv6 ACL questions and concerns. The following code is an example:
ipv6 access-list inbound-to-enclave
remark block IPv6 DO Invalid Options
deny 60 any any dest-option-type 5
deny 60 any any dest-option-type 194
deny 60 any any dest-option-type 195
I see that dest-option-type became available in IOS release 12.4(2)T. I can't tell if this option was added to later releases of 12.2. Also, is it available in all releases of 15.x.
I am guessing that if a version of the IOS that is used is prior to 12.4(2)T the default action will be to pass this traffic, correct? Thank you for any assistance that you can provide.
Hi Forrest,
This is correct. By default, this traffic would be allowed.
Regards -
ACL filtering icmp ECHO-Reply Behavior
Hello Guys....
I needed some help here... I have attached the topology with this in case you don't get what I am trying to ask.
I have just 2 routers connected directly like this: R1 <------------> R2. The network between them is 10.1.12.0/24, R1 has an IP address of 10.1.12.1 & R2 has an IP address of 10.1.12.2... Well so far so good hmmm
Now the question is simple: I want to block ICMP echo-replies coming from R1 to R2, simple as that. But it only works if I apply an ACL on R2's interface in the INBOUND direction. Why on earth doesn't it work if I apply the ACL on R1's interface in the OUTBOUND direction???
The ACL is this one:
access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply
access-list 100 permit ip any any
It works if I apply this in the inbound direction of R2, but why doesn't it work if I apply this in the OUTBOUND direction of R1?
Please do help me out, thanks :)
Hi,
I believe that's because "Access lists that are applied to interfaces do not filter traffic that originates from that router."
See http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacls.html#wp1001135
for details.
Best regards,
Milan -
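To make Milan's answer and the earlier DAP question concrete, here is an added example (not from either thread, and not Cisco code): a small Python evaluator for IOS numbered extended ACLs. It parses the exact two lines from the ICMP post, evaluates a constructed echo-reply packet in both directions, models the rule that an outbound interface ACL is not consulted for traffic the router itself originates, and includes the all-permit-or-all-deny check that DAP network/web filter ACLs require. Assumptions: IPv4 only, contiguous wildcard masks, only the ICMP type keywords used on the page, the ACL number is ignored, and packets are plain dicts.

```python
"""Toy evaluator for Cisco IOS numbered extended ACLs.

Added example, not code from any post above or from Cisco. It illustrates
two statements from the threads: an interface ACL does not filter traffic
the router itself originates (so an OUTBOUND ACL on R1 never sees R1's own
echo-replies), and DAP network/web filter ACLs must be all-permit or all-deny.
Assumptions: IPv4, contiguous wildcard masks, ICMP type keywords only,
the ACL number is ignored, packets are dicts."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[str] = None


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard -> prefix. Only contiguous masks (0.0.0.255 style) are
    supported; a wildcard of 0.0.0.0 means one host, 255.255.255.255 means any."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if (wild + 1) & wild:                     # not of the form 0...01...1
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefixlen = 32 - bin(wild).count("1")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC DST [icmp-type]' lines in order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line}")
        proto = t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        icmp_type = t[i] if proto == "icmp" and i < len(t) else None
        aces.append(Ace(t[2], proto, src, dst, icmp_type))
    return aces


def evaluate(acl: List[Ace], pkt: Dict[str, str]) -> str:
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if ipaddress.IPv4Address(pkt["src"]) not in ace.src:
            continue
        if ipaddress.IPv4Address(pkt["dst"]) not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.get("icmp_type"):
            continue
        return ace.action
    return "deny"


def interface_filter(acl: List[Ace], pkt: Dict[str, str], direction: str,
                     locally_originated: bool = False) -> str:
    """Where an interface ACL applies. An outbound ACL is not consulted for
    packets the router generates itself (the behaviour the Cisco document
    quoted above describes); transit traffic is evaluated in either direction."""
    if direction == "out" and locally_originated:
        return "not-filtered"
    return evaluate(acl, pkt)


def is_homogeneous(acl: List[Ace]) -> bool:
    """The DAP constraint: a network/web filter ACL is all permit or all deny."""
    return len({ace.action for ace in acl}) <= 1


# The exact ACL from the ICMP post.
ACL_100 = parse_acl([
    "access-list 100 deny icmp host 10.1.12.1 host 10.1.12.2 echo-reply",
    "access-list 100 permit ip any any",
])

# Constructed packet: R1 answering a ping from R2.
REPLY_R1_TO_R2 = {"proto": "icmp", "src": "10.1.12.1", "dst": "10.1.12.2",
                  "icmp_type": "echo-reply"}

if __name__ == "__main__":
    print("R2 inbound :", interface_filter(ACL_100, REPLY_R1_TO_R2, "in"))
    print("R1 outbound:", interface_filter(ACL_100, REPLY_R1_TO_R2, "out",
                                            locally_originated=True))
    print("DAP-usable :", is_homogeneous(ACL_100))
```

The same packet is denied when R2 evaluates it inbound and simply never reaches the ACL when R1 generates it and the list sits outbound on R1; that is the whole difference the original poster was seeing. The mixed permit/deny list also fails the homogeneity check, so it could not be used as a DAP network filter as written.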
CSS ACL URL Parameter filtering
Hi all,
I have a pair of redundant CSS11503 load-balancing two HTTP servers. Recently the webserver is being attacked by some malicious script that runs through the web server to go to another place.
I need to deny the parameter of the URL that is attacking the web server.
Example:
http://www.cisco.com/ciscobb/?CPURL=http://gamedl.qq.com/
I need to block the "http://gamedl.qq.com/" parameters.
Anybody can shed some light into this issue?
Thanks
That won't be possible.
The CSS doesn't parse the URL after the '?'.
You'll have to block this traffic somewhere else.
Gilles. -
VPN split tunneling does not work with filtering enabled
I restricted our Windows VPN clients to reach only certain IPs and ports using filtering in their group policy. It works but I would like to add split tunneling for clients' local Internet access. I temporarily disabled filtering, unchecked the 'use default gateway on remote' box in the properties of the Windows VPN client, configured the networks to be tunneled and it works. The moment I configure filters, my split tunneling does not tunnel the networks - they are not listed in Windows 'route print'. I change filtering to inherit or NONE and reconnect the VPN and the tunneled networks show up again. I change filtering to a simple testing ACL/ACE and reconnect and they are gone again. Can I have split tunneling and filtering working simultaneously? Any help would be appreciated.
I'm not aware of any method named tokenize and there isn't one listed in
the alphabetic list of methods in the J2SE API. Perhaps you were thinking
of java.util.StringTokenizer, whose API contains this note:
StringTokenizer is a legacy class that is retained for compatibility reasons
although its use is discouraged in new code. It is recommended that anyone
seeking this functionality use the split method of String or the java.util.regex
package instead. -
VPN remote site tunnel-all with web and email filtering at core
I'm helping a client setup a 'tunnel-all' VPN from remotes to the core. That's not difficult - there's enough commentary in the community and I can set it up in the lab. The rub comes with the location of the web filter box in particular - it's currently in-line with the inside interface of the ASA.
What does the topology for a typical tunnel-all VPN with web filtering at the core look like? Can't put my hands on any quickly.
We only have one ISP conn at this time. I have a layer-3 switch at the core too.
Thx
Hi,
That's a good question.
I haven't thought about this part of VPN filtering much as I've usually had to open only a few ports. But if you really need to open all traffic from local to remote, you will also be doing the same for the other direction in the same ACL ACE rule.
The only thing I can come up with right now is to stop using the VPN Filter list and change the "sysopt" setting so that the ASA won't let VPN traffic past the outside interface without checking the outside interface ACL.
The Configuration command (8.2) is the following:
sysopt connection permit-vpn
For traffic that enters the adaptive security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. To disable this feature, use the no form of this command.
sysopt connection permit-vpn
no sysopt connection permit-vpn
Though if you change this setting, you will have to take this into account with every VPN Client or L2L VPN you have configured so far.
After this you can create rules on your outside interface access-list to limit remote user access to your local network. From local to remote networks you can use the access-lists assigned to each interface in question.
Hope this helps
- Jouni