Children bypassing internet access rules

I want to allow internet access to specific MAC addresses only.
My WRT54GL router, firmware V4.30.5, currently has rules to "deny" access to my children's PCs during certain times.
I use the PCs' MAC addresses to do this.
However, they have learned how to clone their MAC addresses, hence bypass the block (last time I looked, each of their PCs had acquired three licences from the router under different MAC addresses!).
If I set the router to only "allow" access at certain times (again using the MAC address), would using another MAC address just gain access anyway?
Would I also have to set up rules for my other PCs (wife's and mine) to allow us to have internet access? Currently, as I am blocking, there are no rules to allow or block these other PCs; they just connect anyway.

Exactly my point!  If the kids are getting too smart, they will do anything to get around your rules.  It will reach a point where you will need to put a lock on the circuit breaker panel and turn the power breaker off that leads to the router.  Then again, sneaky little b-tards may find an extension cord and power it while you are away anyhow!
You can't win unless you make it a house rule and stick to it hard.  I know more than you realize the consequences of doing / not doing this.  I had a child just like that, and when I finally cut him off completely because he was skipping homework (failing in 2 classes) and playing online all night instead, he decided to smash my computer in retaliation.  I really wish we had set those rules as unbreakable when they were younger before they decided to think they could pull one over on us as parents.
I'm not saying your kid will do something like that, but if you really care about what they are doing, you need to make rules NOW and make them follow them.  Otherwise you might as well just set them free now, because they are half way out the door already.
There is no technical answer to your dilemma.  What I said about setting allow only on your computers' MAC addresses will work until they learn what those addresses are and clone them too.
As for the functionality of the access restriction of Linksys routers ... my opinion is not high right now.  I am fighting with tech support to fix a problem I have.  The ball is in my court right now.  They want me to do a factory reset and start over from there.  I just need at least a 2 hour window, because Murphy lives in my house.  I know it won't be sweet and simple to reconfigure everything again.
I'll let you know if the factory reset fixes my problems.  Better yet, upgrade your firmware to the latest, and then do the factory reset and you'll be exactly where tech support has me at with fixing random bugs in the access restrictions arena.
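
The pattern described in the question, one PC holding several DHCP leases under different MAC addresses, can be spotted from the router's DHCP client table. The following is an added example, not part of the original thread: the table layout, hostnames, addresses and allow list are all constructed. A machine that clones a MAC already on the allow list looks identical to the real owner in this table and is not caught by this check.

```python
"""Flag hosts that hold DHCP leases under more than one MAC address."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a router DHCP client table (names and addresses invented).
SAMPLE_TABLE = """\
Client Host Name   IP Address      MAC Address        Expires
KIDS-PC1           192.168.1.101   00:1A:2B:3C:4D:5E  23:10:04
KIDS-PC1           192.168.1.104   02:1A:2B:3C:4D:5E  23:41:30
kids-pc1           192.168.1.107   06-11-22-33-44-55  23:55:12
DADS-LAPTOP        192.168.1.100   00:25:9C:AA:BB:CC  20:02:51
KIDS-PC2           192.168.1.102   00:1E:8C:11:22:33  22:15:09
"""

# Constructed allow list: the MAC addresses the administrator has registered.
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:25:9c:aa:bb:cc", "00:1e:8c:11:22:33"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(text):
    """Return the MAC as lower-case colon-separated hex, or None if malformed."""
    mac = text.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Vendor-assigned addresses have this bit clear, so a set bit means the
    address was chosen in software. A clear bit proves nothing either way.
    """
    return bool(int(mac[:2], 16) & 0x02)


def parse_leases(table):
    """Parse rows of 'hostname  ip  mac  expires'; skip the header and bad rows."""
    leases = []
    for line in table.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4:
            continue
        try:
            ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # header row or malformed address
        mac = normalize_mac(fields[2])
        if mac:
            # Hostnames are compared case-insensitively.
            leases.append({"host": fields[0].lower(), "ip": fields[1], "mac": mac})
    return leases


def hosts_with_multiple_macs(leases):
    """Map each hostname seen under more than one MAC to its sorted MAC list."""
    by_host = defaultdict(set)
    for lease in leases:
        by_host[lease["host"]].add(lease["mac"])
    return {host: sorted(macs) for host, macs in by_host.items() if len(macs) > 1}


def suspicious_leases(leases, allowed):
    """Return (host, mac, reasons) for every lease whose MAC is not allowed."""
    findings = []
    for lease in leases:
        if lease["mac"] in allowed:
            continue
        reasons = ["not on allow list"]
        if is_locally_administered(lease["mac"]):
            reasons.append("locally administered address")
        findings.append((lease["host"], lease["mac"], reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_leases(SAMPLE_TABLE)
    for host, macs in hosts_with_multiple_macs(parsed).items():
        print(f"{host}: {len(macs)} MAC addresses -> {', '.join(macs)}")
    for host, mac, reasons in suspicious_leases(parsed, ALLOWED_MACS):
        print(f"{host} {mac}: {'; '.join(reasons)}")
```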

Similar Messages

  • Airport Extreme - Remote is not passing internet access - help please

    I have the following:
    Cable modem - > WAN of Airport Extreme. - works perfectly - wireless clients in range get internet access and the network works.
    Second AirPort Extreme set to relay this network. It connects, gets a "green" light - seems to be set up properly, but wireless clients in that area cannot get internet. Why is it not passing internet?
    Can anyone explain step by step how to do this or post a link to an apple doc?
    Thank you,
    Miklos.

    Hi, actually this is still not working.
    I got the second base station configured so that when it started up, it was working properly as a "remote" station, and I was getting internet fine through an ibook there (which is normally too far away from the main station to get any signal).
    However, today, although the second "remote" station still has a green light and is connected to the network it is not getting an IP address from the main base station - and so I can't get any internet through that 2nd base station anymore.
    Why was it working yesterday and not today when I've changed nothing?
    Any help much appreciated.
    Miklos.

  • How many ghz should I get if I plan on using my IPAD2 for internet access, email, facebook and games for my children?

    How many ghz should I get if I plan on using my IPad2 for internet access, email, facebook and games for my daughters children?

    Ghz is the CPU speed and that is fixed for each iPad model.
    The GB is the number of Gigabytes of storage.
    I had a 32G iPad1 and filled it up with 5000 songs, 20,000 photos and about 50 apps.  It doesn't sound like you will need anything larger than that.  If you are just talking about a few dozen apps and email, the 16G version should be adequate.

  • Internet Access from Inside to Outside ASA 5510 ver 9.1

    Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
    I get errors like this when I try Packet Tracer:
    (nat-xlate-failed) NAT failed
    (acl-drop) Flow is denied by configured rule
    Version Information:
    Cisco Adaptive Security Appliance Software Version 9.1(4)
    Device Manager Version 7.1(5)
    Compiled on Thu 05-Dec-13 19:37 by builders
    System image file is "disk0:/asa914-k8.bin"
    Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
    Thank You!
    Config:
    ASA5510# sh running-config
    : Saved
    ASA Version 9.1(4)
    hostname ASA5510
    domain-name inside.int
    enable password <redacted> encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd <redacted> encrypted
    names
    dns-guard
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Ethernet0/1
    description WAN Interface
    nameif Outside
    security-level 0
    ip address 199.199.199.123 255.255.255.240
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup Outside
    dns server-group DefaultDNS
    name-server 199.199.199.4
    domain-name inside.int
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object
    access-list USERS standard permit 10.10.1.0 255.255.255.0
    access-list OUTSIDE-IN extended permit ip any any
    access-list INSIDE-IN extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Inside 1500
    mtu Outside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
      nat (Inside,Outside) dynamic interface
    access-group INSIDE-IN in interface Inside
    access-group OUTSIDE-IN in interface Outside
    router rip
    network 10.0.0.0
    network 199.199.199.0
    version 2
    no auto-summary
    route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
    route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
    route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
    route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username <redacted> password <redacted> encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns migrated_dns_map_1
      parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
       inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
       subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:<redacted>
    : end
    SH NAT:
    ASA5510# sh nat
    Manual NAT Policies (Section 1)
    1 (Inside) to (Outside) source dynamic any interface
        translate_hits = 0, untranslate_hits = 0
    Auto NAT Policies (Section 2)
    1 (Inside) to (Outside) source dynamic inside-net interface
         translate_hits = 0, untranslate_hits = 0
    SH RUN NAT:
    ASA5510# sh run nat
    nat (Inside,Outside) source dynamic any interface
    object network inside-net
    nat (Inside,Outside) dynamic interface
    SH RUN OBJECT:
    ASA5510(config)# sh run object
    object network inside-net
    subnet 10.0.0.0 255.255.255.0
    description Inside Network Object

    Hello Mitchell,
    First of all how are you testing this:
    interface Ethernet0/0
    description LAN Interface
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    Take into consideration that the netmask is /30.
    The Twice NAT is good, ACLs are good.
    Do the following and provide us the result:
    packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
    packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
    And provide us the result!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    Note: Check my website, there is a video about this that might help you.
    http://laguiadelnetworking.com

  • Trying to pass internet with a Cisco ASA 5505

    Hello,
       I have not been having much success configuring my 5505 for Internet access, and I'm sure there are a few small things I'm missing.  At times I believe I got it to the point where I could ping, but still not pass through the Internet traffic.  At this point, I reset the 5505 and only changed a couple of settings. 
    I have an external range with these characteristics: Network Address 67.139.113.16 (.17 is Gateway), SM: 255.255.255.248, available IP: 67.139.113.218
    The external connection is through a T1 modem, and when I put those settings in my laptop, I can access just fine.
    When I went through the startup wizard in the ASDM, I made the internal interface 10.209.0.3, subnet mask: 255.255.255.0
    I selected PAT in the Wizard, but don't know if I should have, or if the NAT rules I tried to put in are fine.
    Eventually I want to add a Site to Site VPN to the rest of the 10.0.0.0 network, but I can't even pass the Internet through to the inside.
    Also, this will eventually be behind another hosted firewall, so I'm not worried about restricting access, even currently.
    However, I suspect the problem is that traffic is being blocked with the NAT rules or Access rules.
    I wish I could just disable those inherent deny rules
    Outside of pings to 10.209.0.3, all pings come back as request timed out.
    Can someone please review this, and see if they notice anything I can change?
    I do appreciate it....
    Config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.139.113.218 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 Local 255.255.255.0 any time-range Indefinite
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 0.0.0.0 0.0.0.0 dns tcp 255 255  udp 255
    access-group inside_access_in in interface inside
    route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:d3c4872f997a93984332213f98fbe12b
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm history enable

    Unfortunately that didn't work....
    The new config:
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.0 Eventual
    name 10.209.0.0 Local
    name 67.139.113.216 T1
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 0
    ip address 10.209.0.3 255.0.0.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 67.139.113.218 255.255.255.248
    time-range Indefinite
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Eventual 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.209.0.201-10.209.0.232 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:64bbf533cf1bd591e797c053ea9e107a
    : end
    asdm location Eventual 255.0.0.0 inside
    asdm location Local 255.255.255.0 inside
    asdm location T1 255.255.255.248 inside
    asdm history enable
    I am getting some more encouraging messages in the Syslog, but I still cannot ping 8.8.8.8 or the outside interface.
    5  Aug 29 2008  01:42:55  8.8.4.4  53  Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src inside:10.209.0.6/64477 dst inside:8.8.4.4/53 denied due to NAT reverse path failure
    6  Aug 29 2008  01:42:54  10.209.0.6  1686  SSL session with client inside:10.209.0.6/1686 terminated.
    6  Aug 29 2008  01:42:54  10.209.0.6  1686  10.209.0.3  443  Deny TCP (no connection) from 10.209.0.6/1686 to 10.209.0.3/443 flags FIN ACK on interface inside
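
A check a reviewer can run over a pasted ASA configuration like the ones above: the next hop of every `route` line should sit inside the subnet of the interface that the route names. This is an added example, not part of the original thread; the excerpt is copied from the 8.2(5) configuration posted above, and the function names are illustrative.

```python
"""Check that each ASA static route's next hop is on the interface it names."""
import ipaddress

# Excerpt copied from the ASA 8.2(5) configuration posted above.
CONFIG_EXCERPT = """\
interface Vlan1
nameif inside
security-level 0
ip address 10.209.0.3 255.0.0.0
interface Vlan2
nameif outside
security-level 0
ip address 67.139.113.218 255.255.255.248
route inside 0.0.0.0 0.0.0.0 67.139.113.217 1
"""


def parse_interfaces(config):
    """Map each nameif to its address and mask (as an ipaddress interface)."""
    interfaces = {}
    nameif = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            nameif = None  # a new interface block starts
        elif words[0] == "nameif" and len(words) >= 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 4:
            try:
                interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            except ValueError:
                pass  # address written as a 'name' alias; cannot be checked here
    return interfaces


def parse_routes(config):
    """Collect 'route <nameif> <dest> <mask> <gateway> [metric]' lines."""
    routes = []
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 5 and words[0] == "route":
            try:
                gateway = ipaddress.ip_address(words[4])
            except ValueError:
                continue  # gateway written as a 'name' alias
            routes.append({
                "interface": words[1],
                "dest": f"{words[2]} {words[3]}",
                "gateway": gateway,
            })
    return routes


def check_routes(config):
    """Return one finding per route whose gateway is not on the named interface."""
    interfaces = parse_interfaces(config)
    findings = []
    for route in parse_routes(config):
        iface = interfaces.get(route["interface"])
        if iface is not None and route["gateway"] in iface.network:
            continue  # next hop is directly connected where the route says
        findings.append({
            "interface": route["interface"],
            "dest": route["dest"],
            "gateway": str(route["gateway"]),
            # Interfaces whose subnet does contain the next hop.
            "connected_on": sorted(
                name for name, addr in interfaces.items()
                if route["gateway"] in addr.network
            ),
        })
    return findings


if __name__ == "__main__":
    for f in check_routes(CONFIG_EXCERPT):
        where = ", ".join(f["connected_on"]) or "no configured interface"
        print(f"route {f['interface']} {f['dest']} {f['gateway']}: "
              f"gateway is not on '{f['interface']}', it is on: {where}")
```

For the posted configuration the check reports that 67.139.113.217 is not on `inside` (10.209.0.3 255.0.0.0) but on `outside`, which is consistent with the syslog entry showing the DNS flow as `dst inside:8.8.4.4/53`.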

  • Open firewall Ports despite DENY- ALL access rule

    Hi,
    See below my firewall rules.
    Despite the deny all, running nmap from outside still reveals open ports.
    name 202.1.53.41 fw1.outside.irc.com
    interface GigabitEthernet0/0
     nameif inside
     security-level 0
     ip address fw1.inside.irc.com 255.255.252.0 standby 172.16.86.219
    interface GigabitEthernet0/1
     nameif SSN-DMZ
     security-level 0
     ip address 10.20.2.1 255.255.255.0 standby 10.20.2.2
    interface GigabitEthernet0/2
     nameif Outside
     security-level 0
     ip address fw1.outside.irc.com 255.255.255.248 standby NAT-202.1.53.45
    interface GigabitEthernet0/3
     description Internet Access for Wireless clients on the guest network
     nameif GuestInternet
     security-level 0
     ip address 192.168.154.2 255.255.254.0
    interface Management0/0
     nameif management
     security-level 10
     ip address 10.10.200.14 255.255.255.0 standby 10.10.200.15
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host WWW.IRC.COM-PRIV
    access-list inside_access_in remark Deny POP3, SSH, TELNET to Deny-Host-Group 172.16.86.246/249
    access-list inside_access_in extended deny object-group DENY-HOST-GROUP object-group DENY-HOST-GROUP-1 any
    access-list inside_access_in remark Allow SMTP external access to Mail Servers group
    access-list inside_access_in extended permit tcp object-group MAIL-GW-GROUP any eq smtp
    access-list inside_access_in remark Deny Any other Users from sending mails via smtp
    access-list inside_access_in extended deny tcp any any eq smtp
    access-list inside_access_in extended deny ip object-group Botnet_Blacklist any
    access-list inside_access_in extended deny ip any SPAM_MACHINE 255.255.255.0
    access-list inside_access_in extended deny ip any host SPAMIP
    access-list inside_access_in extended permit ip object-group Socialsites_Allowed object-group Facebook
    access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_8 any object-group Facebook
    access-list inside_access_in remark Rule to block Internal users from accessing youtube
    access-list inside_access_in extended deny object-group DM_INLINE_SERVICE_9 any object-group YoutubeIPs
    access-list inside_access_in remark Suspected Virus Ports
    access-list inside_access_in extended deny tcp any any object-group DM_INLINE_TCP_17
    access-list inside_access_in remark Ports Commonly used by Botnet and Malwares
    access-list inside_access_in extended deny tcp any any object-group IRC
    access-list inside_access_in remark Allow Access to External DNS to ALL
    access-list inside_access_in extended permit object-group DNS-GROUP object-group DNS-SERVERS object-group External_DNS_Servers
    access-list inside_access_in remark Allow Any to Any on Custom TCP/UDP services
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_12
    access-list inside_access_in remark Allow Any to Any VPN Protocols group
    access-list inside_access_in extended permit object-group VPN-GROUP any any
    access-list inside_access_in extended permit ip any host pomttdbsvr
    access-list inside_access_in remark Allow Access to DMZ from Inside
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_10
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 any 10.20.2.0 255.255.255.0
    access-list inside_access_in extended permit tcp any any eq pop3
    access-list inside_access_in extended permit object-group Web-Access-Group any any
    access-list inside_access_in remark DNS RATING SERVICE FOR BLUECOAT SG510 PROXY
    access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_4 eq www inactive
    access-list inside_access_in extended permit tcp any host 202.165.193.134 object-group DM_INLINE_TCP_3
    access-list inside_access_in remark Yahoo Messenger Test
    access-list inside_access_in extended permit tcp any any object-group YahooMessenger
    access-list inside_access_in extended permit ip host AVIRUSMAN 192.168.254.0 255.255.255.0
    access-list inside_access_in extended permit tcp any any object-group smile
    access-list inside_access_in extended permit udp any host smile.telinet.com.pg object-group smile-udp
    access-list inside_access_in remark testing access for mobile phones behind wireless router
    access-list inside_access_in extended permit ip host Wireless-Router any inactive
    access-list inside_access_in extended permit tcp any any object-group FTP-Service-Group inactive
    access-list inside_access_in extended permit ip host mailgate.irc.com any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 any object-group NTP
    access-list inside_access_in extended permit tcp any any object-group web-email-services
    access-list inside_access_in remark Murray PC
    access-list inside_access_in extended permit ip host 10.100.20.36 any
    access-list inside_access_in extended permit tcp any any object-group Itec-Citrix
    access-list inside_access_in extended permit ip host EP200 any
    access-list inside_access_in extended permit tcp any any object-group TCP-SMTP
    access-list inside_access_in extended permit tcp any host 202.165.193.134 eq 3391
    access-list inside_access_in extended permit ip object-group IT-Servers any
    access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_14 any inactive
    access-list inside_access_in extended permit ip host 10.100.20.23 any
    access-list inside_access_in extended permit tcp host NOC-NMS-CDMA host 202.165.193.134 object-group DM_INLINE_TCP_4
    access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_12 object-group Bluecoat-DNS-Rating eq www
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any
    access-list inside_access_in extended permit udp host solarwinds-server any eq snmp
    access-list inside_access_in extended permit tcp host kaikai any object-group test-u inactive
    access-list inside_access_in extended permit tcp any host fw1.outside.irc.com object-group TCP-88
    access-list inside_access_in extended permit udp host solarwinds-server any object-group DM_INLINE_UDP_1
    access-list inside_access_in extended permit ip host IN-WEB-APP-SERVER any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host KMS-Server any object-group KMS
    access-list inside_access_in extended permit tcp any any object-group TeamVIewer-TCP
    access-list inside_access_in extended permit icmp any any traceroute
    access-list inside_access_in extended permit ip host KMS-Server any
    access-list inside_access_in extended deny ip any host 87.255.51.229
    access-list inside_access_in extended deny ip any host 82.165.47.44
    access-list inside_access_in extended permit ip host InterConnect-BillingBox any
    access-list inside_access_in extended permit icmp any host fw1.outside.irc.com
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in remark For ACCESS MPLS team
    access-list inside_access_in extended permit tcp any host 202.165.193.134 object-group RDP-MPLS-Huawei
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host mailgate.irc.com any eq domain
    access-list inside_access_in extended permit tcp any host 66.147.244.58 object-group SMTP-26
    access-list inside_access_in extended deny object-group DM_INLINE_PROTOCOL_1 any any object-group Airfiji-SW
    access-list inside_access_in extended permit tcp host chief.bula.irc.com any
    access-list inside_access_in extended permit ip host Avabill86.181 any
    access-list inside_access_in extended permit ip any object-group AVG
    access-list inside_access_in extended permit ip host solarwinds-server any
    access-list inside_access_in extended permit tcp host 172.16.87.219 any object-group TCP-4948
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_10 any host Avabill_Consultant_IP_Sri-Lanka
    access-list inside_access_in extended permit tcp any host 69.164.201.123 eq smtp inactive
    access-list inside_access_in extended permit tcp any any object-group GMAIL inactive
    access-list inside_access_in extended permit tcp any any object-group NOC1
    access-list inside_access_in extended permit ip host solarwinds-server 10.10.200.0 255.255.255.0
    access-list inside_access_in extended permit tcp any host smile.telinet.com.fj object-group tcp-20080-30080
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any object-group SIP-5060-5062
    access-list inside_access_in extended permit ip host LYNC-2013-SERVER any
    access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_7 object-group Lync_Servers any
    access-list inside_access_in extended permit object-group VPN-GROUP host 10.100.20.94 any inactive
    access-list inside_access_in remark Pocket Solutions -TEMP
    access-list inside_access_in extended permit ip host 10.100.20.121 any
    access-list inside_access_in extended permit tcp host John_sibunakau any object-group JohnTESTPort inactive
    access-list inside_access_in extended permit ip host CiscoRadiusTestPC any
    access-list inside_access_in extended permit ip any host HungaryServer inactive
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com eq ssh
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host fw1.outside.irc.com object-group itec-support-tcp-udp
    access-list Outside_access_in remark Allow All to NAT Address on SSL/SSH/SFTP(2222)
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group DM_INLINE_TCP_9
    access-list Outside_access_in remark Allow All to Outside On Fujitsu and 777-7778 ports
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group DM_INLINE_TCP_8
    access-list Outside_access_in remark Allow all to Outside on Custom ports
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group DM_INLINE_TCP_7
    access-list Outside_access_in remark Allow Inbound HTTP to WWW.IRC.COM
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com eq www
    access-list Outside_access_in extended permit icmp any host fw1.outside.irc.com
    access-list Outside_access_in extended permit object-group TCPUDP any host fw1.outside.irc.com object-group BrouardsGroup
    access-list Outside_access_in remark Allow ALL to RealVNC ports
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group RealVNC-TCP5900
    access-list Outside_access_in remark Allow ALL access to 202.1.53.43 on RealVNC ports
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group RealVNC-TCP5900
    access-list Outside_access_in remark Allow DNS queries from Internet to DNS server
    access-list Outside_access_in extended permit object-group TCPUDP object-group ITEC-Group-Inbound host fw1.outside.irc.com object-group itec-sftp
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group DM_INLINE_TCP_14
    access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host SkyTel host fw1.outside.irc.com
    access-list Outside_access_in remark Telinet/Inomial temp access to test machine M.Orshansky
    access-list Outside_access_in extended permit tcp host 203.92.29.151 host fw1.outside.irc.com eq 3390
    access-list Outside_access_in extended permit tcp any host NAT-202.58.130.43 object-group RDP
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group ITEC-Group-Inbound host fw1.outside.telikompng.com.pg object-group INTEC-Service
    access-list Outside_access_in extended permit tcp host 220.233.157.98 host fw1.outside.irc.com eq ssh inactive
    access-list Outside_access_in extended permit ip any host fw1.outside.telikompng.com.pg
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group CRM
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group HTTP-8010-CRM
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group HTTP-8005-CRM
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any object-group NTP
    access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host fw1.outside.irc.com object-group DNS
    access-list Outside_access_in remark Ultra VNC connection to 172.16.84.34@nadi Exchange
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group UVNC
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group UVNC-HTTP
    access-list Outside_access_in extended permit tcp any host fw1.outside.irc.com object-group POP3-SSL
    access-list Outside_access_in extended permit object-group EMAIL-SMARTPHONES any host fw1.outside.irc.com
    access-list Outside_access_in extended permit tcp any host fw1.outside.telikompng.com.pg object-group exchange-RPC
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group exchange-RPC
    access-list Outside_access_in extended permit icmp any host NAT-202.1.53.43
    access-list Outside_access_in remark Access to Solarwinds Management box
    access-list Outside_access_in extended permit tcp any host NAT-202.1.53.43 object-group Solarwinds
    access-list SSN-DMZ_access_in remark Permit DNS Quiries out of DMZ
    access-list SSN-DMZ_access_in extended permit object-group TCPUDP any any eq domain
    access-list SSN-DMZ_access_in remark Allow SQL ports out of DMZ to Host 172.16.86.70
    access-list SSN-DMZ_access_in extended permit tcp any host HOST-172.16.86.70 object-group SQL-Group
    access-list SSN-DMZ_access_in remark Allow Custom protocols out of DMZ to host 172.16.86.27
    access-list SSN-DMZ_access_in extended permit tcp any host HOST-172.16.86.27 object-group DM_INLINE_TCP_2
    access-list SSN-DMZ_access_in extended permit tcp host suva-vdc-int2.suva.irc.com host WWW.IRC.COM=PRIV eq 3389
    access-list SSN-DMZ_access_in extended permit object-group Web-Access-Group host WWW.IRC.COM-PRIV any
    access-list SSN-DMZ_access_in extended permit tcp any host WWW.IRC.COM.-PRIV object-group DMZ-WebAccess
    access-list SSN-DMZ_access_in extended permit ip host pomlynedsvr01_access any
    access-list SSN-DMZ_access_in extended permit ip host pomlynedsvr01_webcon any
    access-list SSN-DMZ_access_in extended permit ip host pomlynedsvr01_AV any
    access-list inside_nat0_outbound extended permit ip any 192.168.254.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_6 host 10.10.200.1
    access-list inside_nat0_outbound extended permit ip any host WWW.IRC.COM-PRIV
    access-list inside_nat0_outbound extended permit ip host ns.irc.com any
    access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
    access-list Outside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 any
    access-list Outside_nat0_outbound extended permit ip mcr_Management 255.255.255.0 any
    access-list alcatel-my remark Allow Alcatel-my access to TIRC(1)
    access-list alcatel-my standard permit 172.16.24.0 255.255.252.0
    access-list alcatel-my remark Allow Alcatel-my access to TIRC(2)
    access-list alcatel-my standard permit 172.16.84.0 255.255.252.0
    access-list 131 extended permit ip host MICHAEL any
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 mcr_Management 255.255.255.0
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_5
    access-list management_access_in extended permit object-group Web-Access-Group host 10.10.200.1 any
    access-list management_access_in extended permit ip host 10.10.200.1 host 172.16.87.47
    access-list management_access_in extended permit ip host 10.10.200.1 host IN-WSC
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_8
    access-list management_access_in extended permit tcp host 10.10.200.1 object-group DM_INLINE_NETWORK_3 eq 3389
    access-list management_access_in remark To BlueCaot Appliances
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_1
    access-list management_access_in extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_7
    access-list management_access_in extended permit tcp 10.10.200.0 255.255.255.0 object-group Management_Hosts object-group RDP
    access-list management_access_in extended permit icmp host 10.10.200.1 any traceroute
    access-list management_access_in extended permit ip host 10.10.200.1 host NOC-NMS-CDMA
    access-list management_access_in extended permit object-group DM_INLINE_SERVICE_3 host 10.10.200.1 any
    access-list management_access_in extended permit tcp host 10.10.200.1 any eq ftp
    access-list management_access_in extended permit tcp host bula host 10.10.200.1 object-group RDP inactive
    access-list management_access_in extended permit tcp host 10.100.20.23 host 10.10.200.1 object-group RDP
    access-list management_access_in extended permit ip host 10.10.200.1 any
    access-list management_access_in extended permit ip host solarwinds-server 10.10.200.0 255.255.255.0
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 host solarwinds-server
    access-list management_access_in extended permit ip any any
    access-list management_access_in extended permit ip host 10.10.200.1 host bula inactive
    access-list management_access_in extended permit ip any host solarwinds-server
    access-list management_access_in extended permit ip host solarwinds-server any
    access-list management_access_in extended permit ip object-group PacketFence-Servers 10.10.200.0 255.255.255.0
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 object-group PacketFence-Servers
    access-list management_access_in extended permit ip object-group 3750-Switches host solarwinds-server
    access-list management_access_in extended permit ip 10.10.200.0 255.255.255.0 host 10.10.200.1
    access-list management_access_in extended permit ip host 10.10.200.1 10.10.200.0 255.255.255.0
    access-list Outside_access_in_1 extended permit ip any any
    access-list management_access_in_1 extended permit ip mcr_Management 255.255.255.0 any
    access-list inside-networks remark internal tpng corporate subnetwork
    access-list inside-networks standard permit 172.16.84.0 255.255.252.0
    access-list inside-networks remark dms10
    access-list inside-networks standard permit host 10.10.0.0
    access-list 84-subnet remark 84 subnet
    access-list 84-subnet standard permit 172.16.84.0 255.255.252.0
    access-list 84-subnet remark 4 subnet
    access-list 84-subnet standard permit inside-network-extra-subnet 255.255.252.0
    access-list split-tunnel remark 84 subnet
    access-list split-tunnel standard permit 172.16.84.0 255.255.252.0
    access-list split-tunnel remark 4 subnet
    access-list split-tunnel standard permit inside-network-extra-subnet 255.255.252.0
    access-list split-tunnel remark Access to internal POP3 server
    access-list split-tunnel standard permit host neptune.waigani.telikompng.com.pg
    access-list split-tunnel remark Access to internal SMTP server
    access-list split-tunnel standard permit host minerva.suva.irc.com
    access-list split-tunnel remark Allow access to the 24 subnet
    access-list split-tunnel standard permit 172.16.24.0 255.255.252.0
    access-list split-tunnel standard permit Cisco-VLans 255.255.0.0
    access-list inside_authentication extended permit tcp any object-group DM_INLINE_TCP_11 any object-group DM_INLINE_TCP_13 time-range WorkingHours inactive
    access-list itsupport standard permit NOC 255.255.252.0
    access-list itsupport standard permit 172.16.96.0 255.255.252.0
    access-list itsupport standard permit 10.20.2.0 255.255.255.0
    access-list itsupport standard permit 10.10.200.0 255.255.255.0
    access-list itsupport standard permit 172.16.84.0 255.255.252.0
    access-list itsupport standard permit inside-network-extra-subnet 255.255.252.0
    access-list itsupport standard permit 10.2.1.0 255.255.255.0
    access-list itsupport standard permit 172.16.88.0 255.255.252.0
    access-list itsupport standard permit Cisco-VLans 255.255.0.0
    access-list itsupport remark Access to IT-LAN-UPGRADE Network
    access-list itsupport standard permit IT-NETWORK-NEW 255.255.0.0
    access-list itsupport remark KWU Exchange subnet
    access-list itsupport standard permit 172.16.188.0 255.255.252.0
    access-list itsupport standard permit ATM-Network 255.255.0.0
    access-list global_mpc extended permit ip any any
    access-list management_nat0_outbound extended permit ip any inside-network-extra-subnet 255.255.252.0 inactive
    access-list management_nat0_outbound extended permit ip mcr_Management 255.255.255.0 any
    access-list management_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_9
    access-list management_nat0_outbound extended permit ip host 10.10.200.1 object-group Management_Hosts
    access-list management_nat0_outbound extended permit ip any 172.16.84.0 255.255.252.0
    access-list management_nat0_outbound extended permit ip any MCR_POM 255.255.255.0
    access-list management_nat0_outbound extended permit ip host 10.10.200.1 object-group DM_INLINE_NETWORK_10
    access-list management_nat0_outbound extended permit ip any Cisco-VLans 255.255.0.0
    access-list management_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 host solarwinds-server
    access-list management_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 object-group DM_INLINE_NETWORK_15
    access-list Capture extended permit ip any host 192.118.82.140
    access-list Capture extended permit ip host 192.118.82.140 any
    access-list Capture extended permit ip host 192.118.82.160 any
    access-list Capture extended permit ip any host 192.118.82.160
    a
    access-list inside-network-access-only remark Allow Maggie Talig access to the 84 subnet only
    access-list inside-network-access-only standard permit 172.16.84.0 255.255.252.0
    access-list inside-network-access-only remark Allow Maggie Talig access to the 4 subnet only
    access-list inside-network-access-only standard permit inside-network-extra-subnet 255.255.252.0
    access-list SSN-DMZ_nat0_outbound extended permit ip host WWW.IRC.COM-PRIV object-group Internal-Networks
    access-list inside_nat0_outbound_1 extended permit ip host AVIRUSMAN 192.168.254.0 255.255.255.0
    access-list NETFLOW extended permit tcp any any
    access-list NETFLOW extended permit object-group DNS-GROUP any host fw1.outside.irc.com
    access-list NETFLOW extended permit object-group DM_INLINE_SERVICE_6 any host fw1.outside.irc.com
    access-list NETFLOW extended permit udp any host fw1.outside.irc.com
    access-list NETFLOW extended permit tcp any host fw1.outside.irc.com eq smtp
    access-list NETFLOW extended permit tcp any host fw1.outside.irc.com object-group DM_INLINE_TCP_5
    access-list NETFLOW extended permit tcp any host fw1.outside.irc.com object-group TCP-8080
    access-list NETFLOW extended permit object-group DM_INLINE_SERVICE_4 any host NAT-202.58.130.43
    access-list NETFLOW remark Reverse Proxy Inbound Rules from Internet- Lync 2013 Project - Lync Simple URLs
    access-list NETFLOW extended permit tcp any host 202.58.130.69 object-group DM_INLINE_TCP_6
    access-list NETFLOW remark Lync Edge Access Inbound Rule - Restricting Inbound
    access-list NETFLOW extended permit object-group pomlynedsvr01_access_Outside_to_DMZ any host 202.58.130.66
    access-list NETFLOW remark Lync Edge Outside to Inside for AV Interface
    access-list NETFLOW extended permit object-group pomlynedsvr01_webcon_outside_to_DMZ any host 202.58.130.67
    access-list NETFLOW extended permit object-group pomlynedsvr01_AV_Outside_to_DMZ any host 202.58.130.68
    access-list NETFLOW extended permit object-group DM_INLINE_SERVICE_11 any host NAT-fijiircdata
    access-list NETFLOW extended deny ip host SPAMIP any
    access-list NETFLOW extended deny ip SPAM_MACHINE 255.255.255.0 any
    access-list NETFLOW extended deny ip host 220.233.157.99 any log debugging
    access-list Huawei-Access-Networks remark HUawei-Network-Elements
    access-list Huawei-Access-Networks standard permit 192.168.200.0 255.255.255.0
    access-list Huawei-Access-Networks remark Access to Ela Beach MPLS network
    access-list Huawei-Access-Networks standard permit 10.100.70.0 255.255.255.0
    access-list Huawei-Access-Networks remark Huawei Network elements
    access-list Huawei-Access-Networks standard permit 192.168.210.0 255.255.255.0
    access-list Huawei-Access-Networks remark Huawei network elements
    access-list Huawei-Access-Networks standard permit 192.168.213.0 255.255.255.0
    access-list management_nat0_outbound_1 extended permit ip host solarwinds-server 10.10.200.0 255.255.255.0
    access-list Alcatel-NMS-ACL remark Access allowed to Alcatel NMS devices in NOC
    access-list Alcatel-NMS-ACL standard permit 10.2.1.0 255.255.255.0
    access-list Business-Systems-Access remark Mail Server 1
    access-list Business-Systems-Access standard permit host neptune.waigani.telikompng.com.pg
    access-list Business-Systems-Access remark Mail Server 2
    access-list Business-Systems-Access standard permit host minerva.waigani.telikompng.com.pg
    access-list Business-Systems-Access remark SAP PROD
    access-list Business-Systems-Access standard permit host SAP-SAPPROD
    access-list Business-Systems-Access remark Avabill Application Server
    access-list Business-Systems-Access standard permit host Avabill86.177
    access-list Business-Systems-Access remark Backup Avabill Application Server
    access-list Business-Systems-Access standard permit host Avabill84.170
    access-list Business-Systems-Access remark HRSelfcare
    access-list Business-Systems-Access standard permit host HOST-172.16.86.248
    access-list Business-Systems-Access remark Intranet Server
    access-list Business-Systems-Access standard permit host 172.16.85.32
    access-list IT-Systems-Support remark Access to inside network
    access-list IT-Systems-Support standard permit 172.16.84.0 255.255.252.0
    access-list IT-Systems-Support remark Access to IN netwwork
    access-list IT-Systems-Support standard permit 172.16.88.0 255.255.252.0
    access-list IT-Systems-Support standard permit Cisco-VLans 255.255.0.0
    access-list Systems-XS remark Access to 84 subnet
    access-list Systems-XS standard permit 172.16.84.0 255.255.252.0
    access-list Systems-XS remark Access to .4 subnet
    access-list Systems-XS standard permit inside-network-extra-subnet 255.255.252.0
    access-list Systems-XS remark Access to 10.100.x.x/24
    access-list Systems-XS standard permit Cisco-VLans 255.255.0.0
    access-list Huawei-NOC standard permit 172.16.84.0 255.255.252.0
    access-list Huawei-NOC standard permit Cisco-VLans 255.255.0.0
    access-list Huawei-NOC standard permit HASUT 255.255.255.0
    access-list Huawei-NOC standard permit IT-NETWORK-NEW 255.255.0.0
    access-list efdata remark Allow efdata access to above device as per request by chris mkao
    access-list efdata standard permit 172.16.92.0 255.255.252.0
    access-list test standard permit 172.16.92.0 255.255.252.0
    access-list Ghu_ES_LAN remark Allow efdata access to fij ES LAN
    access-list Ghu_ES_LAN extended permit ip any 172.16.92.0 255.255.252.0
    access-list GuestInternet_access_in extended permit ip any any
    global (inside) 1 interface
    global (SSN-DMZ) 1 interface
    global (Outside) 1 interface
    global (management) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 access-list inside_nat0_outbound_1 outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (SSN-DMZ) 0 access-list SSN-DMZ_nat0_outbound
    nat (SSN-DMZ) 1 WWW.IRC.COM-PRIV 255.255.255.255
    nat (Outside) 0 access-list Outside_nat0_outbound
    nat (GuestInternet) 1 0.0.0.0 0.0.0.0
    nat (management) 0 access-list management_nat0_outbound
    nat (management) 0 access-list management_nat0_outbound_1 outside
    nat (management) 1 10.10.200.1 255.255.255.255
    static (inside,Outside) tcp interface 10103 mailgate.irc.com 10103 netmask 255.255.255.255
    static (SSN-DMZ,Outside) tcp interface www WWW.IRC.COM-PRIV www netmask 255.255.255.255
    static (inside,Outside) tcp interface smtp mailgate.irc.com smtp netmask 255.255.255.255
    static (inside,Outside) tcp interface telnet HOST-172.16.84.144 telnet netmask 255.255.255.255
    static (inside,Outside) tcp interface pcanywhere-data HOST-192.168.1.14 pcanywhere-data netmask 255.255.255.255
    static (inside,Outside) udp interface pcanywhere-status HOST-192.168.1.14 pcanywhere-status netmask 255.255.255.255
    static (inside,Outside) tcp interface ssh InterConnect-BillingBox ssh netmask 255.255.255.255
    static (inside,Outside) udp interface ntp confusious.suva.irc.com ntp netmask 255.255.255.255
    static (inside,Outside) tcp interface 10002 HOST-172.16.200.121 10002 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10003 HOST-172.16.200.122 10003 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10004 HOST-172.16.41.26 10004 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10005 HOST-172.16.41.27 10005 netmask 255.255.255.255
    static (inside,Outside) tcp interface https Avabill86.181 https netmask 255.255.255.255
    static (inside,Outside) tcp interface 7778 Avabill86.181 7778 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8080 Avabill86.181 8080 netmask 255.255.255.255
    static (inside,Outside) tcp interface 7777 Avabill86.181 7777 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.45 https Avabill86.177 https netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 2222 daywalker.suva.irc.com 2222 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 ftp waigani-pdc-int2.suva.irc.com ftp netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 www neptune.suva.irc.com www netmask 255.255.255.255
    static (inside,Outside) tcp interface 5900 Primary1352CM 5900 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 5900 Backup1352CM 5900 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 https neptune.suva.irc.com https netmask 255.255.255.255
    static (inside,Outside) tcp interface 24 HOST-172.16.86.87 24 netmask 255.255.255.255
    static (inside,Outside) udp interface domain ns.irc.com domain netmask 255.255.255.255
    static (inside,Outside) tcp interface pop3 neptune.suva.irc.com pop3 netmask 255.255.255.255
    static (inside,Outside) tcp interface 7780 Apache-WebServer 7780 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8000 CRM-SERVER2 8000 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8010 CRM-SERVER4 8010 netmask 255.255.255.255
    static (inside,Outside) tcp interface 8005 CRM-SERVER3 8005 netmask 255.255.255.255
    static (inside,Outside) tcp interface 123 confusious.suva.irc.com 123 netmask 255.255.255.255
    static (inside,Outside) tcp interface imap4 neptune.suva.irc.com imap4 netmask 255.255.255.255
    static (inside,Outside) tcp interface domain ns.irc.com domain netmask 255.255.255.255
    static (inside,Outside) tcp interface ftp telitgate.irc.com ftp netmask 255.255.255.255
    static (inside,Outside) tcp interface 5901 uvnc-server 5901 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5801 uvnc-server 5801 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5902 172.16.84.200 5902 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5802 172.16.84.200 5802 netmask 255.255.255.255
    static (inside,Outside) tcp interface 995 neptune.suva.irc.com 995 netmask 255.255.255.255
    static (inside,Outside) tcp interface 993 neptune.suva.irc.com 993 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 6001 neptune.suva.irc.com 6001 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 6002 neptune.suva.irc.com 6002 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 6004 neptune.suva.irc.com 6004 netmask 255.255.255.255
    static (inside,Outside) tcp interface 6001 minerva.suva.irc.com 6001 netmask 255.255.255.255
    static (inside,Outside) tcp interface 6002 minerva.suva.irc.com 6002 netmask 255.255.255.255
    static (inside,Outside) tcp interface 6004 minerva.suva.irc.com 6004 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 8720 solarwinds-server 8720 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 9000 solarwinds-server 9000 netmask 255.255.255.255
    static (inside,Outside) tcp interface 2055 solarwinds-server 2055 netmask 255.255.255.255
    static (inside,Outside) tcp interface 88 A-10.100.20.250 88 netmask 255.255.255.255
    static (inside,Outside) tcp interface 10000 ns.irc.com 10000 netmask 255.255.255.255
    static (inside,Outside) udp Ext-R2-Outside-Interface 2055 solarwinds-server 2055 netmask 255.255.255.255
    static (inside,Outside) udp Ext-R2-Outside-Interface snmp solarwinds-server snmp netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 135 neptune.suva.irc.com 135 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 3389 BT-DesktopPC 3389 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.65 www IN-WSC www netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.65 https IN-WSC https netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 ssh Avabill86.176 ssh netmask 255.255.255.255
    static (Outside,inside) tcp 10.100.20.36 5432 smile.telinet.com.pg 5432 netmask 255.255.255.255
    static (inside,Outside) tcp interface 222 chief.suva.irc.com ssh netmask 255.255.255.255
    static (inside,Outside) tcp interface 5061 LYNC-2013-SERVER 5061 netmask 255.255.255.255
    static (inside,Outside) tcp interface 5432 10.100.20.36 5432 netmask 255.255.255.255
    static (inside,Outside) tcp NAT-202.58.130.43 182 dadbsvr www netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.69 pomlynrprx01 netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.66 pomlynedsvr01_access netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.67 pomlynedsvr01_webcon netmask 255.255.255.255
    static (SSN-DMZ,Outside) 202.58.130.68 pomlynedsvr01_AV netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group SSN-DMZ_access_in in interface SSN-DMZ
    access-group Outside_access_in_1 in interface Outside control-plane
    access-group NETFLOW in interface Outside
    access-group GuestInternet_access_in in interface GuestInternet
    access-group management_access_in_1 in interface management control-plane
    access-group management_access_in in interface management
    route Outside 0.0.0.0 0.0.0.0 Ext-R1-Inside-Interface 1
    route inside 10.2.1.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.8.0.0 255.255.255.0 VPNGATE 1
    route inside 10.9.254.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.1.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.2.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.3.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.4.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.5.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.10.10.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 10.15.100.0 255.255.255.0 fw1.outside.irc.com 1
    route inside Cisco-VLans 255.255.0.0 Cisco7200 1
    route inside VLan20-2F 255.255.255.0 Cisco7200 1
    route inside 10.100.67.0 255.255.255.0 IPVPN-Router 1
    route inside 10.100.74.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.75.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.76.0 255.255.255.0 172.16.86.0 1
    route inside LAE 255.255.255.0 172.16.86.0 1
    route inside 10.100.91.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.110.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.111.0 255.255.255.0 172.16.86.0 1
    route inside 10.100.114.0 255.255.255.0 172.16.86.0 1
    route inside 10.200.200.0 255.255.255.0 Cisco7200 1
    route inside A-10.250.0.0 255.255.0.0 Cisco7200 1
    route inside 10.254.2.0 255.255.255.252 IPVPN-Router 1
    route inside 11.11.3.0 255.255.255.0 172.16.86.0 1
    route inside 11.11.4.0 255.255.255.0 172.16.86.0 1
    route inside 11.11.8.0 255.255.255.0 172.16.86.0 1
    route inside 11.11.9.0 255.255.255.0 172.16.86.0 1
    route inside 20.200.200.0 255.255.255.0 172.16.86.17 1
    route inside inside-network-extra-subnet 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.8.0 255.255.252.0 Cisco7200 1
    route inside 172.16.12.0 255.255.252.0 172.16.86.197 1
    route inside 172.16.24.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside NOC 255.255.252.0 172.16.87.187 1
    route inside 172.16.48.0 255.255.252.0 172.16.84.41 1
    route inside 172.16.52.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.56.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.60.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.64.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.68.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.72.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.76.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.80.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.84.185 255.255.255.255 172.16.86.217 1
    route inside CRM-SERVER1 255.255.255.255 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.88.0 255.255.252.0 Cisco7200 1
    route inside 172.16.92.0 255.255.252.0 Cisco7200 1
    route inside 172.16.96.0 255.255.252.0 172.16.87.172 1
    route inside 172.16.104.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.108.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.112.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.120.0 255.255.252.0 TFIJIG-CORE-INT-ROUTER 1
    route inside 172.16.124.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.128.0 255.255.252.0 172.16.86.185 1
    route inside 172.16.132.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.136.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.140.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.144.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.148.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.152.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.156.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.160.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.164.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.168.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.172.0 255.255.252.0 172.16.87.172 1
    route inside 172.16.180.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.184.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.188.0 255.255.252.0 172.16.86.85 1
    route inside 172.16.188.0 255.255.252.0 Cisco7200 1
    route inside 172.16.192.0 255.255.252.0 172.16.86.194 1
    route inside 172.16.200.0 255.255.252.0 172.16.87.11 1
    route inside 172.16.204.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.208.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.212.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.220.0 255.255.252.0 IPVPN-Router 1
    route inside 172.16.224.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.236.0 255.255.252.0 172.16.87.254 1
    route inside 172.16.240.0 255.255.252.0 TFIJI-CORE-INT-ROUTER 1
    route inside 172.16.248.0 255.255.252.0 IPVPN-Router 1
    route inside 172.17.84.0 255.255.255.224 IPVPN-Router 1
    route inside 172.18.252.0 255.255.252.0 172.16.84.15 1
    route inside 172.20.0.0 255.255.252.0 172.16.87.11 1
    route management 172.20.1.32 255.255.255.240 10.10.200.18 1
    route inside 192.167.5.0 255.255.255.0 172.16.86.42 1
    route inside 192.168.1.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.1.0 255.255.255.0 HOST-172.16.84.144 1
    route inside 192.168.1.96 255.255.255.224 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.1.128 255.255.255.224 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.2.0 255.255.255.0 172.16.87.192 1
    route inside 192.168.5.0 255.255.255.0 HOST-172.16.84.144 1
    route inside 192.168.11.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.150.0 255.255.255.0 IPVPN-Router 1
    route inside 192.168.200.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.201.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.202.0 255.255.255.0 TFIJI-CORE-INT-ROUTER 1
    route inside 192.168.210.0 255.255.255.0 Cisco7200 1
    route inside 192.168.213.0 255.255.255.0 Cisco7200 1
    route inside 192.168.254.0 255.255.255.0 fw1.outside.irc.com 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    class-map inspection_default
     match default-inspection-traffic
    class-map flow_export_class
     match access-list global_mpc
    policy-map global_policy
     class inspection_default
      inspect dns
      inspect esmtp
      inspect h323 h225
      inspect h323 ras
      inspect icmp error
      inspect ipsec-pass-thru
      inspect mgcp
      inspect rsh
      inspect sip  
      inspect skinny  
      inspect snmp
      inspect tftp
      inspect ftp strict
      inspect icmp
     class flow_export_class
      flow-export event-type all destination solarwinds-server
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    service-policy global_policy global
    smtp-server 172.16.86.16
    prompt hostname context
    Cryptochecksum:24270eebd6c941fb7b302b034e32bba1
    : end

    Hi,
    NMAP gives the report for the first firewall interface it hits. In your case you have allowed tcp any any, which allows all the ports. I have mentioned only one example; there are many in your case.
    Also, NMAP results will be effective once you connect directly to the outside interface or directly to the outside LAN.
    Regards
    Karthik
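
The check described in the reply above can be automated. The following is an added example, not part of the original thread: a small Python audit that reads ASA `access-list ... extended` lines, reports permits from `any` with no destination-port restriction, and reports entries that can never match because they follow an `ip any any` entry in the same ACL. The function names and the sample ACL lines (documentation addresses) are constructed for illustration.

```python
# Added example: audit Cisco ASA extended ACL lines for over-broad permits.
# Simplifications (assumptions of this sketch): object-group references are not
# resolved, and a service object-group in source-port position is not recognised.

PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count

# Constructed sample, not taken from the thread.
SAMPLE = """\
access-list outside_access_in remark constructed sample
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any host 203.0.113.11
access-list outside_access_in extended permit tcp any host 203.0.113.12 eq 3389 inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any object-group InternetDNS eq domain
access-list dmz_access_in extended permit tcp 192.0.2.0 255.255.255.0 gt 1023 host 203.0.113.20 eq smtp
access-list dmz_access_in extended deny ip any any
"""


def take_addr(tok, i):
    """Consume one address spec at tok[i]; return (text, index after it)."""
    if tok[i] in ("any", "any4", "any6"):
        return "any", i + 1
    # "host X", "object-group X", "object X", or "<address-or-name> <mask>"
    return " ".join(tok[i:i + 2]), i + 2


def skip_ports(tok, i):
    """Skip an operator-style port spec (eq/gt/lt/neq/range) if one starts at i."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return i + 1 + PORT_OPS[tok[i]]
    return i


def parse_rule(line):
    """Return a dict for an active extended ACE, or None for anything else."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
        return None                      # remarks, standard ACLs, other config
    if "inactive" in tok:
        return None                      # disabled entries are not evaluated
    if "log" in tok:
        tok = tok[:tok.index("log")]     # logging options do not affect matching
    try:
        i = 4
        if tok[i] in ("object-group", "object"):
            proto, i = " ".join(tok[i:i + 2]), i + 2
        else:
            proto, i = tok[i], i + 1
        src, i = take_addr(tok, i)
        i = skip_ports(tok, i)           # optional source port
        dst, i = take_addr(tok, i)
    except IndexError:
        return None                      # truncated or malformed line
    return {"acl": tok[1], "action": tok[3], "proto": proto, "src": src,
            "dst": dst, "dst_ports": " ".join(tok[i:]), "line": line.strip()}


def audit(config_text):
    """Return a list of (finding, acl_name, line) tuples in config order."""
    findings = []
    terminal = set()   # ACLs in which an 'ip any any' entry has already matched everything
    for raw in config_text.splitlines():
        r = parse_rule(raw)
        if r is None:
            continue
        if r["acl"] in terminal:
            # ACLs are first-match: nothing after 'ip any any' is ever reached.
            findings.append(("shadowed", r["acl"], r["line"]))
            continue
        if r["proto"] == "ip" and r["src"] == "any" and r["dst"] == "any":
            terminal.add(r["acl"])
        open_ports = r["proto"] in ("ip", "tcp", "udp") and not r["dst_ports"]
        if r["action"] == "permit" and r["src"] == "any" and open_ports:
            kind = "any-any-all-ports" if r["dst"] == "any" else "any-source-all-ports"
            findings.append((kind, r["acl"], r["line"]))
    return findings


if __name__ == "__main__":
    for kind, acl, line in audit(SAMPLE):
        print(f"{kind:22} {acl:20} {line}")
```

Entries reported as `any-any-all-ports` on an outside-facing ACL are the ones that make a port scan show every port as reachable through the firewall.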

  • No Internet access

    Hi everybody,
    I am unable to access the internet from one of my VLANs. I have two VLANs:
    VLAN 2   192.168.1.0
    VLAN 8   172.168.1.0
    When I am on VLAN 2 I can access the internet. When I work with VLAN 8, I cannot access the internet. As a matter of fact, VLAN 8 (172.168.1.0) is new. I need to know what else I need to configure to get access. The following is the configuration of my Cisco ASA firewall. Any help will be appreciated.
    Thanks
    hostname abcASA1
    domain-name abc.com
    enable password .4rNnGSuheRe encrypted
    passwd 2KFQnbNIdI.2K encrypted
    names
    name 192.168.1.3 Email_DNS
    name 192.168.1.4 SQLServer
    name 192.168.2.2 VPN_3005
    name 192.168.2.0 DMZ_Subnet
    name 192.168.3.0 VPN_Subnet
    name 192.168.1.0 Inside_Subnet
    name 192.168.3.5 VPNNET_DNS
    name 128.8.10.90 D_Root
    name 192.5.5.241 F_Root
    name 198.41.0.10 J_Root
    name 192.33.4.12 C_Root
    name 193.0.14.129 K_Root
    name 198.32.64.12 L_Root
    name 192.36.148.17 I_Root
    name 192.112.36.4 G_Root
    name 128.63.2.53 H_Root
    name 128.9.0.107 B_Root
    name 198.41.0.4 A_Root
    name 202.12.27.33 M_Root
    name 192.203.230.10 E_Root
    name 12.183.68.51 ATT_DNS_2
    name 12.183.68.50 ATT_DNS_1
    name 192.168.1.6 FileServer_NAS
    name 192.168.2.6 abc_WEB
    name 199.130.197.153 CA_Mgmt_USDA
    name 199.130.197.19 CA_Roaming_USDA
    name 199.130.214.49 CA_CRLChk_USDA
    name 199.134.134.133 CA_Mgmt_USDA_
    name 199.134.134.135 CA_Roaming_USDA2
    name 192.168.2.9 PublicDNS2
    name 192.168.2.8 PublicDNS
    name 192.168.1.11 abc02EX2
    name 162.140.109.7 GPO_PKI_DIR
    name 162.140.9.10 GPO_PKI
    name 192.168.1.12 Patchlink
    name 192.168.1.10 abcSLIMPS1
    name 192.168.1.7 FileServer_DNS
    name 192.168.1.15 abc06ex2
    name 192.168.101.0 NEW_VPN_SUBNET
    name 192.168.77.0 NEW_VPN_POOL description NEW_VPN_POOL
    name 192.168.1.16 VTC description LifeSize VTC
    name 12.18.13.16 VTC_Outside
    name 192.168.2.50 Email_Gateway
    name 192.168.1.20 Exch10
    name 192.168.1.8 SharePoint
    name 192.168.1.19 abc09ic description Web Servr
    name 192.168.1.180 ExternalDNS
    name 192.168.2.223 abc11ids
    name 192.168.50.0 inside_new_Network
    dns-guard
    interface Vlan1
    nameif outside
    security-level 0
    ip address 12.18.13.20 255.255.255.0
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan3
    nameif dmz
    security-level 10
    ip address 192.168.2.1 255.255.255.0
    interface Vlan4
    nameif vpnnet
    security-level 75
    ip address 192.168.3.1 255.255.255.0
    interface Vlan5
    nameif asainside
    security-level 50
    ip address 192.168.4.1 255.255.255.0
    interface Vlan6
    nameif testinside
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    ipv6 address 2001:ab1:5::/64 eui-64
    interface Vlan7
    description New Local Area Network for Server
    nameif inside_new
    security-level 50
    ip address 192.168.50.1 255.255.255.0
    interface Vlan8
    description abcdone Server VLAN
    nameif Internal_LAN
    security-level 100
    ip address 172.168.1.254 255.255.255.0
    interface Vlan16
    description out of band
    nameif oobnet
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    speed 100
    duplex full
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 7
    interface Ethernet0/4
    interface Ethernet0/5
    switchport trunk allowed vlan 1-10
    switchport mode trunk
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup vpnnet
    dns server-group DefaultDNS
    name-server 192.168.1.2
    name-server Email_DNS
    domain-name abc.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network Inside_Server_Group
    description EmailServer, FileServer, SQLServer
    network-object Email_DNS 255.255.255.255
    network-object SQLServer 255.255.255.255
    network-object 192.168.1.2 255.255.255.255
    network-object FileServer_NAS 255.255.255.255
    network-object host abc02EX2
    network-object host abc06ex2
    object-group network Inside_Server_Group_ref
    network-object 192.168.3.73 255.255.255.255
    network-object 192.168.3.74 255.255.255.255
    network-object 192.168.3.72 255.255.255.255
    network-object 192.168.3.76 255.255.255.255
    object-group service DNS tcp-udp
    description DNS Service both TCP/UDP
    port-object eq domain
    object-group network InternetDNS
    network-object A_Root 255.255.255.255
    network-object B_Root 255.255.255.255
    network-object C_Root 255.255.255.255
    network-object D_Root 255.255.255.255
    network-object E_Root 255.255.255.255
    network-object F_Root 255.255.255.255
    network-object G_Root 255.255.255.255
    network-object H_Root 255.255.255.255
    network-object I_Root 255.255.255.255
    network-object J_Root 255.255.255.255
    network-object K_Root 255.255.255.255
    network-object L_Root 255.255.255.255
    network-object M_Root 255.255.255.255
    network-object ATT_DNS_2 255.255.255.255
    network-object ATT_DNS_1 255.255.255.255
    object-group network USDA-PKI-Users
    description GAO PKI User Group
    network-object 192.168.1.51 255.255.255.255
    network-object 192.168.1.52 255.255.255.255
    network-object 192.168.1.53 255.255.255.255
    network-object 192.168.1.54 255.255.255.255
    network-object 192.168.1.55 255.255.255.255
    network-object 192.168.1.56 255.255.255.255
    network-object 192.168.1.57 255.255.255.255
    network-object 192.168.1.58 255.255.255.255
    network-object 192.168.1.59 255.255.255.255
    network-object 192.168.1.60 255.255.255.255
    network-object host 192.168.1.61
    network-object host 192.168.1.62
    network-object host 192.168.1.63
    object-group network CITABCDAS
    network-object 192.168.3.241 255.255.255.255
    network-object 192.168.3.242 255.255.255.255
    network-object 192.168.3.243 255.255.255.255
    network-object 192.168.3.244 255.255.255.255
    network-object 192.168.3.245 255.255.255.255
    network-object VPNNET_DNS 255.255.255.255
    object-group service Virginia.edu tcp
    description blackboard java classroom
    port-object range 8010 8012
    object-group network PDASB1-VPN-Inside
    network-object host abcPLIasd1
    network-object host 192.168.3.10
    object-group service http-https tcp
    port-object range https https
    port-object range www www
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group service VTC tcp-udp
    description LifeSize
    port-object range 60000 64999
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 3268
    port-object eq ldap
    object-group service EmailGateway udp
    description TrustManager
    port-object eq 19200
    port-object eq 8007
    object-group service DM_INLINE_TCP_2 tcp
    port-object eq 990
    port-object eq ftp
    port-object range 2000 5000
    object-group service Barracuda tcp
    port-object eq 5124
    port-object eq 5126
    object-group service barracuda udp
    port-object eq 5124
    port-object eq 5126
    object-group service IMAP tcp
    port-object eq 993
    port-object eq imap4
    object-group service DM_INLINE_SERVICE_0
    service-object tcp eq domain
    service-object udp eq domain
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 12.18.13.222
    access-list outside_access_in remark Website
    access-list outside_access_in extended permit tcp any host 12.18.13.19 eq 8090
    access-list outside_access_in remark Allow ICMP replies to inside
    access-list outside_access_in extended permit icmp any host 12.18.13.21 echo-reply
    access-list outside_access_in remark VTC
    access-list outside_access_in extended permit tcp any host VTC_Outside eq h323
    access-list outside_access_in remark VTC
    access-list outside_access_in extended permit object-group TCPUDP any host VTC_Outside eq sip
    access-list outside_access_in extended permit icmp any host VTC_Outside
    access-list outside_access_in remark Barracuda
    access-list outside_access_in extended permit tcp any host 192.168.1.25 object-group Barracuda
    access-list outside_access_in remark Barracuda
    access-list outside_access_in extended permit udp any host 192.168.1.25 object-group barracuda
    access-list outside_access_in remark VTC
    access-list outside_access_in extended permit udp any host VTC_Outside range 60000 64999
    access-list outside_access_in remark VTC
    access-list outside_access_in extended permit tcp any host VTC_Outside range 60000 64999
    access-list outside_access_in remark for Public DNS2
    access-list outside_access_in extended permit udp any host 12.18.13.223 eq domain
    access-list outside_access_in remark for Public DNS2
    access-list outside_access_in extended permit tcp any host 12.18.13.223 eq domain
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.224 eq www
    access-list outside_access_in remark NTP from Router to DMZ
    access-list outside_access_in extended permit udp host 12.18.13.1 host 12.18.13.15 eq ntp
    access-list outside_access_in remark Syslog from Router
    access-list outside_access_in extended permit udp host 12.18.13.1 gt 1023 host 12.18.13.13 eq syslog
    access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.50
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.13 eq smtp
    access-list outside_access_in remark VPNNET IPSec ESP
    access-list outside_access_in extended permit esp any host 12.18.13.31
    access-list outside_access_in remark VPNNET IPSec AH
    access-list outside_access_in extended permit ah any host 12.18.13.31
    access-list outside_access_in remark VPNNET IPSec Port 4500
    access-list outside_access_in extended permit udp any eq 4500 host 12.18.13.31 eq 4500
    access-list outside_access_in remark VPNNET IPSec ISAKMP
    access-list outside_access_in extended permit udp any eq isakmp host 12.18.13.31 eq isakmp
    access-list outside_access_in remark VPNNET IPSec over UDP port 10000
    access-list outside_access_in extended permit udp any eq 10000 host 12.18.13.31 eq 10000
    access-list outside_access_in remark Sharepoint1
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq https
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.31 eq https
    access-list outside_access_in remark Access Rule to Webmail
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.32 eq https
    access-list outside_access_in remark SLIMPSdev
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.33 object-group http-https
    access-list outside_access_in remark Inbound Website
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.19 eq www
    access-list outside_access_in remark Inbound SharePoint
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq www
    access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq www
    access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS
    access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq https
    access-list outside_access_in remark Inbound FTP abc_web
    access-list outside_access_in extended permit tcp any host 12.18.13.14 object-group DM_INLINE_TCP_2
    access-list outside_access_in remark DNS1
    access-list outside_access_in remark for Public DNS2
    access-list outside_access_in remark for Public DNS2
    access-list outside_access_in remark NTP from Router to DMZ
    access-list outside_access_in remark Syslog from Router
    access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.5
    access-list outside_access_in remark VPNNET IPSec ESP
    access-list outside_access_in remark VPNNET IPSec AH
    access-list outside_access_in remark VPNNET IPSec Port 4500
    access-list outside_access_in remark VPNNET IPSec ISAKMP
    access-list outside_access_in remark VPNNET IPSec over UDP port 10000
    access-list outside_access_in remark Inbound WEb Traffic to Facilitate Web Server in DMZ
    access-list outside_access_in remark Inbound Secure Web Traffic to Facilitate Web Server in DMZ
    access-list outside_access_in remark Access Rule to FE Server
    access-list outside_access_in remark SLIMPSdev
    access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS
    access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS
    access-list outside_access_in remark Inbound port 93 to ISA server-SLIMPS
    access-list outside_access_in remark Explicit Deny All
    access-list vpnnet_access_in remark Patrica RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.53 eq 3389
    access-list vpnnet_access_in remark Berry RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.51 eq 3389
    access-list vpnnet_access_in remark John Tsai RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.156 eq 3389
    access-list vpnnet_access_in remark Chopper RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.128 eq 3389
    access-list vpnnet_access_in remark Ms Ballard RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.58 eq 3389
    access-list vpnnet_access_in remark Wakita
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.153 eq 3389
    access-list vpnnet_access_in remark Amy RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.124 eq 3389
    access-list vpnnet_access_in remark KC RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.57 eq 3389
    access-list vpnnet_access_in remark Eyang RDP
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.161 eq 3389
    access-list vpnnet_access_in remark SLIMPS doc
    access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.13 eq 3389
    access-list vpnnet_access_in extended deny ip any any
    access-list vpnnet_access_in remark for SLIMPS APP
    access-list vpnnet_access_in remark for SLIMPS APP
    access-list vpnnet_access_in remark for SLIMPS APP
    access-list vpnnet_access_in remark FOR SLIMPS Application
    access-list vpnnet_access_in remark SLIMPS Production Workflow
    access-list vpnnet_access_in remark SLIMPS
    access-list vpnnet_access_in remark FOR SLIMPS Application
    access-list vpnnet_access_in remark SLIMPS VPN access to SLIMPSTEST2 Alpha website
    access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS1
    access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS2
    access-list vpnnet_access_in remark for abc06SLIMPS1
    access-list vpnnet_access_in remark for abc06SLIMPS1
    access-list vpnnet_access_in remark VPNNET Windows Port 135 Netbios
    access-list vpnnet_access_in remark VPNNET Windows Port 137 Netbios Name Service
    access-list vpnnet_access_in remark VPNNET Windows Port 138 Netbios Datagram
    access-list vpnnet_access_in remark VPNNET Windows Port 139 Netbios Session Service
    access-list vpnnet_access_in remark VPNNET Windows Port 445 Server Message Block
    access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol
    access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol
    access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos
    access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos
    access-list vpnnet_access_in remark VPNNET Windows Port 1433 Windows Sql Server
    access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port
    access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port
    access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port
    access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port
    access-list vpnnet_access_in remark VPNNET Windows Port 4000 Status NTDS Port
    access-list vpnnet_access_in remark VPNNET Windows TCP Domain Name Service
    access-list vpnnet_access_in remark VPNNET Windows UDP Domain Name Service
    access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
    access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
    access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
    access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
    access-list vpnnet_access_in remark VPNNET Outbound Web
    access-list vpnnet_access_in remark VPNNET Outbound Secure Web
    access-list vpnnet_access_in remark VPNNET Outbound FTP
    access-list vpnnet_access_in remark VPNNET ICMP Echo
    access-list vpnnet_access_in remark VPNNET ICMP Echo-Reply
    access-list vpnnet_access_in remark RDP for ISA
    access-list vpnnet_access_in remark Allow access after Exemption from nat to inside network
    access-list vpnnet_access_in remark talin test
    access-list dmz_access_in remark isa to SLIMPS1 vote portal
    access-list dmz_access_in extended permit tcp host 192.168.2.20 host 192.168.2.10 eq 8200
    access-list dmz_access_in extended permit udp host 192.168.2.101 host 12.18.13.1 eq ntp
    access-list dmz_access_in remark ISA to SLIMPS Dev
    access-list dmz_access_in extended permit tcp host 192.168.2.14 host 12.18.13.33 eq www inactive
    access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &
    access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway
    access-list dmz_access_in extended permit udp host Email_Gateway any eq 8007
    access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &
    access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway
    access-list dmz_access_in extended permit udp host Email_Gateway any eq 19200
    access-list dmz_access_in remark NTP Email Gateway
    access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host FileServer_DNS eq ntp
    access-list dmz_access_in remark FTP
    access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ftp
    access-list dmz_access_in remark ldap
    access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host 192.168.2.78
    access-list dmz_access_in remark ldap
    access-list dmz_access_in extended permit udp host SharePoint gt 1023 host 192.168.2.78
    access-list dmz_access_in remark HTTP for Email_Gateway
    access-list dmz_access_in extended permit object-group TCPUDP host Email_Gateway host FileServer_DNS object-group DNS
    access-list dmz_access_in remark HTTP for Email_Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ldap
    access-list dmz_access_in remark HTTP for Email_Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 eq www inactive
    access-list dmz_access_in remark HTTPS access to the Clearswift Update Server
    access-list dmz_access_in extended permit tcp Inside_Subnet 255.255.255.0 gt 1023 host Email_Gateway eq https inactive
    access-list dmz_access_in remark HTTP for SharePoint
    access-list dmz_access_in extended permit tcp host SharePoint host FileServer_DNS eq ldap
    access-list dmz_access_in remark LDAP Communication for Email Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 object-group DM_INLINE_TCP_1
    access-list dmz_access_in remark LDAP Communication
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.78 eq 3268
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside
    access-list dmz_access_in extended permit udp host PublicDNS object-group InternetDNS object-group DNS
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway
    access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark DMZ ISA DNS Forwarding to Outside
    access-list dmz_access_in extended permit udp host 192.168.2.15 gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside
    access-list dmz_access_in extended permit udp host SharePoint gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
    access-list dmz_access_in extended permit udp host abc_WEB gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 object-group InternetDNS object-group DNS inactive
    access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
    access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq https
    access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
    access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq https
    access-list dmz_access_in remark DMZ DNS Outbound https Web
    access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 object-group InternetDNS object-group DNS inactive
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
    access-list dmz_access_in extended permit udp host PublicDNS gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark Public DNS server.
    access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 object-group InternetDNS object-group DNS
    access-list dmz_access_in remark Public DNS Server
    access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq www
    access-list dmz_access_in remark Public DNS Server
    access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq www
    access-list dmz_access_in remark DMZ Public DNS Outbound Web
    access-list dmz_access_in remark DMZ Public DNS Outbound Web
    access-list dmz_access_in remark DMZ Public  DNS to Outside
    access-list dmz_access_in remark DMZ DNS to Outside
    access-list dmz_access_in remark DMZ Public DNS Outbound Web
    access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq www
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
    access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq www
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
    access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.75 eq www
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
    access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.75 eq www
    access-list dmz_access_in remark DMZ DNS FTP for Email Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq ftp
    access-list dmz_access_in remark DMZ DNS Outbound Web for Email Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq www
    access-list dmz_access_in remark DMZ ISA DNS Outbound Web
    access-list dmz_access_in extended permit tcp host 192.168.2.15 gt 1023 any eq www
    access-list dmz_access_in remark DMZ DNS Outbound Web
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq www
    access-list dmz_access_in remark For Email  Gateway
    access-list dmz_access_in extended permit icmp host Email_Gateway host 12.18.13.1
    access-list dmz_access_in remark ISA
    access-list dmz_access_in extended permit icmp host 192.168.2.15 host 12.18.13.1
    access-list dmz_access_in extended permit icmp host SharePoint host 12.18.13.1
    access-list dmz_access_in remark DMZ DNS Outbound Web
    access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq www
    access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq www
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq ftp inactive
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq ftp
    access-list dmz_access_in remark DMZ DNS Outbound FTP
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq ftp inactive
    access-list dmz_access_in remark DMZ DNS Outbound FTP
    access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq ftp
    access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
    access-list dmz_access_in extended permit tcp host SharePoint host 192.168.2.73 eq smtp
    access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP
    access-list dmz_access_in extended permit tcp host Email_Gateway host 192.168.2.77 eq smtp
    access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP
    access-list dmz_access_in extended permit tcp host Email_Gateway host Exch10 eq smtp
    access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP
    access-list dmz_access_in extended permit tcp host Email_Gateway host abc06ex2 eq smtp
    access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
    access-list dmz_access_in extended permit tcp host SharePoint host abc06ex2 eq smtp inactive
    access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.75 eq smtp inactive
    access-list dmz_access_in remark Mailsweeper access to FE Server
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.11 eq smtp inactive
    access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.73 eq smtp
    access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.75 eq smtp
    access-list dmz_access_in remark DMZ EMail Gateway outbound delivery
    access-list dmz_access_in extended permit tcp host Email_Gateway any eq smtp
    access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery
    access-list dmz_access_in extended permit tcp host SharePoint any eq smtp inactive
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq https inactive
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq https
    access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway
    access-list dmz_access_in extended permit udp host Email_Gateway object-group EmailGateway any eq 8007
    access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway
    access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq https
    access-list dmz_access_in remark DMZ DNS Outbound HTTPS
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq https
    access-list dmz_access_in remark DMZ DNS Outbound HTTPS
    access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq https inactive
    access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq https inactive
    access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet
    access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq smtp inactive
    access-list dmz_access_in remark for ISA
    access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq www
    access-list dmz_access_in remark for ISA
    access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq https
    access-list dmz_access_in extended permit object-group TCPUDP host SharePoint Inside_Subnet 255.255.255.0 eq domain
    access-list dmz_access_in extended permit icmp host SharePoint Inside_Subnet 255.255.255.0
    access-list dmz_access_in extended permit ip host abc11ids any
    access-list dmz_access_in extended permit ip Inside_Subnet 255.255.255.0 any
    access-list dmz_access_in remark Explicit Rule
    access-list dmz_access_in extended deny ip any any
    access-list dmz_access_in remark isa to SLIMPS1 vote portal
    access-list dmz_access_in remark ISA to SLIMPS Dev
    access-list dmz_access_in remark ldap
    access-list dmz_access_in remark LDAP Communication
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside
    access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
    access-list dmz_access_in remark DMZ DNS Forwarding to Outside
    access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
    access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
    access-list dmz_access_in remark DMZ DNS Outbound https Web
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
    access-list dmz_access_in remark Public DNS server.
    access-list dmz_access_in remark Public DNS Server
    access-list dmz_access_in remark Public DNS Server
    access-list dmz_access_in remark DMZ Public DNS Outbound Web
    access-list dmz_access_in remark DMZ Public  DNS to Outside
    access-list dmz_access_in remark DMZ DNS to Outside
    access-list dmz_access_in remark DMZ Public DNS Outbound Web
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
    access-list dmz_access_in remark DMZ DNS Outbound Web
    access-list dmz_access_in remark DMZ DNS Outbound Web
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
    access-list dmz_access_in remark DMZ DNS Outbound FTP
    access-list dmz_access_in remark DMZ DNS Outbound FTP
    access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
    access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
    access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP
    access-list dmz_access_in remark Mailsweeper access to FE Server
    access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
    access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
    access-list dmz_access_in remark DMZ DNS Outbound HTTPS
    access-list dmz_access_in remark DMZ DNS Outbound HTTPS
    access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet
    access-list dmz_access_in remark for ISA
    access-list dmz_access_in remark for ISA
    access-list dmz_access_in remark Explicit Deny All
    access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ
    access-list testinside_access_in remark Allow all other Traffic to Outside
    access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ
    access-list testinside_access_in remark Allow all other Traffic to Outside
    access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 Inside_Subnet 255.255.255.0
    access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host Email_Gateway
    access-list inside_nat0_outbound remark SharePoint
    access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host SharePoint
    access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0
    access-list dmz_nat0_outbound remark For Email Gateway
    access-list dmz_nat0_outbound extended permit ip host Email_Gateway Inside_Subnet 255.255.255.0
    access-list dmz_nat0_outbound remark Sharepoint
    access-list dmz_nat0_outbound extended permit ip host SharePoint Inside_Subnet 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_SUBNET 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0
    access-list capture_acl extended permit ip host 12.18.13.33 host 12.18.13.180
    access-list capture_acl extended permit ip host 12.18.13.180 host 12.18.13.33
    access-list cap_acl extended permit ip host 192.168.2.14 host 12.18.13.180
    access-list cap_acl extended permit ip host 12.18.13.180 host 192.168.2.14
    access-list 213 extended permit ip host SharePoint host 192.168.2.21
    access-list asainside_access_in remark permit traffic from the new ASA
    access-list asainside_access_in extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0
    access-list asainside_access_in extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0
    access-list asainside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0
    access-list asainside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0
    access-list acl_cap extended permit ip host 192.168.100.1 host 192.168.4.1
    access-list acl_cap extended permit ip host 192.168.4.1 host 192.168.100.1
    access-list abcdONE_splitTunnelAcl standard permit Inside_Subnet 255.255.255.0
    access-list abcdONE_splitTunnelAcl standard permit DMZ_Subnet 255.255.255.0
    access-list abcdONE_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
    access-list oobnet_access_in extended permit ip any Inside_Subnet 255.255.255.0
    access-list VMman_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Inside_Subnet 255.255.255.0
    access-list Internal_LAN_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS
    access-list Internal_LAN_access_in extended permit ip any any
    snmp-map mysnmpmap
    pager lines 30
    logging enable
    logging timestamp
    logging monitor informational
    logging buffered informational
    logging trap debugging
    logging history warnings
    logging asdm debugging
    logging mail informational
    logging from-address [email protected]
    logging recipient-address [email protected] level errors
    logging device-id ipaddress outside
    logging host vpnnet VPNNET_DNS
    logging host inside abc09ic
    logging host inside 192.168.1.60
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu vpnnet 1500
    mtu asainside 1500
    mtu testinside 1500
    mtu inside_new 1500
    mtu Internal_LAN 1500
    mtu oobnet 1500
    ip local pool VPNPOOL 192.168.101.1-192.168.101.254 mask 255.255.255.0
    ip local pool NEW_VPN_POOL 192.168.77.10-192.168.77.240 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface dmz
    ip verify reverse-path interface vpnnet
    ip verify reverse-path interface asainside
    ip audit name Outside attack action drop
    ip audit interface outside Outside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-621.bin
    asdm history enable
    arp outside 12.18.13.20 0024.c4e9.4764
    arp timeout 14400
    global (outside) 1 12.18.13.21 netmask 255.255.255.255
    global (outside) 2 12.18.13.22 netmask 255.255.255.255
    global (outside) 3 12.18.13.23 netmask 255.255.255.255
    global (outside) 4 12.18.13.24 netmask 255.255.255.255
    global (outside) 5 12.18.13.25 netmask 255.255.255.255
    global (inside) 1 interface
    global (dmz) 1 192.168.2.21 netmask 255.255.255.255
    global (dmz) 3 192.168.2.23 netmask 255.255.255.255
    global (dmz) 4 192.168.2.24 netmask 255.255.255.255
    global (dmz) 5 192.168.2.25 netmask 255.255.255.255
    global (vpnnet) 1 192.168.3.21 netmask 255.255.255.255
    nat (outside) 1 NEW_VPN_POOL 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 Inside_Subnet 255.255.255.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 2 DMZ_Subnet 255.255.255.0
    nat (vpnnet) 0 access-list vpnnet_nat0_outbound
    nat (vpnnet) 3 VPN_Subnet 255.255.255.0
    nat (asainside) 0 access-list asainside_nat0_outbound
    nat (asainside) 1 192.168.4.0 255.255.255.0
    nat (oobnet) 0 access-list VMman_nat0_outbound
    static (dmz,outside) 12.18.13.31 VPN_3005 netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.72 FileServer_DNS netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.74 SQLServer netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.73 Email_DNS netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.76 FileServer_NAS netmask 255.255.255.255 dns
    static (inside,vpnnet) 192.168.3.80 abcSLIMPS1 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.2.73 Email_DNS netmask 255.255.255.255
    static (inside,dmz) 192.168.2.77 abc06ex2 netmask 255.255.255.255
    static (dmz,outside) 12.18.13.13 Email_Gateway netmask 255.255.255.255
    static (dmz,outside) 12.18.13.14 abc_WEB netmask 255.255.255.255
    static (outside,inside) VTC VTC_Outside netmask 255.255.255.255
    static (dmz,outside) 12.18.13.15 192.168.2.101 netmask 255.255.255.255
    static (inside,outside) 12.18.13.19 abc09ic netmask 255.255.255.255
    static (inside,outside) 12.18.13.42 SharePoint netmask 255.255.255.255
    static (inside,dmz) 192.168.2.78 FileServer_DNS netmask 255.255.255.255
    static (inside,outside) 12.18.13.32 Exch10 netmask 255.255.255.255
    static (inside,dmz) 192.168.2.10 abcSLIMPS1 netmask 255.255.255.255
    static (inside,dmz) 192.168.2.11 abc02EX2 netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.11 abc02EX2 netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.81 192.168.1.155 netmask 255.255.255.255
    static (inside,vpnnet) 192.168.3.82 192.168.1.28 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.2.13 192.168.1.13 netmask 255.255.255.255
    static (inside,outside) VTC_Outside VTC netmask 255.255.255.255
    static (inside,outside) 12.18.13.33 192.168.1.13 netmask 255.255.255.255
    static (inside,outside) 12.18.13.41 abcSLIMPS1 netmask 255.255.255.255
    static (inside,outside) 12.18.13.222 ExternalDNS netmask 255.255.255.255
    static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
    static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    access-group vpnnet_access_in in interface vpnnet
    access-group asainside_access_in in interface asainside
    access-group Internal_LAN_access_in in interface Internal_LAN
    access-group oobnet_access_in in interface oobnet
    route outside 0.0.0.0 0.0.0.0 12.18.13.1 1
    route asainside 192.168.100.0 255.255.255.0 192.168.4.2 1
    timeout xlate 1:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server abc.com protocol nt
    aaa-server abc.com (inside) host 192.168.1.2
    nt-auth-domain-controller abc12dc1
    aaa-server abc.com (inside) host Email_DNS
    nt-auth-domain-controller abc12dc2
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 outside
    http Inside_Subnet 255.255.255.0 outside
    http Inside_Subnet 255.255.255.0 inside
    http VPN_Subnet 255.255.255.0 vpnnet
    snmp-server group Authentication_Only v3 auth
    snmp-server group Authentication&Encryption v3 priv
    snmp-server user mkaramat Authentication&Encryption v3 encrypted auth md5 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4 priv aes 128 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4
    snmp-server host inside 192.168.1.60 version 3 mkaramat udp-port 161
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no service resetoutbound interface outside
    no service resetoutbound interface inside
    no service resetoutbound interface dmz
    no service resetoutbound interface vpnnet
    no service resetoutbound interface asainside
    no service resetoutbound interface testinside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map oobnet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map oobnet_map interface oobnet
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp enable inside_new
    crypto isakmp enable oobnet
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 12.18.13.0 255.255.255.0 outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh Inside_Subnet 255.255.255.0 inside
    ssh VPN_Subnet 255.255.255.0 vpnnet
    ssh timeout 30
    ssh version 1
    console timeout 0
    dhcpd auto_config inside
    dhcpd dns 192.168.1.2 Email_DNS interface oobnet
    dhcpd domain abc.com interface oobnet
    dhcpd option 3 ip 172.16.0.1 interface oobnet
    threat-detection basic-threat
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 192.43.244.18 source outside prefer
    tftp-server vpnnet 192.168.3.10 /
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-idle-timeout 60
    group-policy abcdONEVPN internal
    group-policy abcdONEVPN attributes
    dns-server value 192.168.1.7 192.168.1.3
    vpn-tunnel-protocol IPSec
    default-domain value abc
    group-policy abcdONE internal
    group-policy abcdONE attributes
    dns-server value 192.168.1.7 192.168.1.3
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelall
    split-tunnel-network-list value abcdONE_splitTunnelAcl
    default-domain value abc.com
    service-type remote-access
    service-type remote-access
    tunnel-group abcdONE type remote-access
    tunnel-group abcdONE general-attributes
    address-pool NEW_VPN_POOL
    default-group-policy abcdONE
    tunnel-group abcdONE ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group abcdONE ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map type inspect ipsec-pass-thru VPN
    parameters
      esp
      ah
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect http
      inspect icmp
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:02e178404b46bb8758b23aea638d2f24
    : end
    asdm image disk0:/asdm-621.bin
    asdm location NEW_VPN_POOL 255.255.255.0 inside
    asdm location abc09ic 255.255.255.255 inside
    asdm location VTC 255.255.255.255 inside
    asdm location Email_Gateway 255.255.255.255 inside
    asdm location Exch10 255.255.255.255 inside
    asdm location ExternalDNS 255.255.255.255 inside
    asdm location abc11ids 255.255.255.255 inside
    asdm history enable

    Hi,
    Could you let me know if you have tried the configuration I originally suggested? I mean creating a "nat" statement for the "Internal_LAN" whose ID number matches one of the existing "global" or make a new "global" for it. And also, if the "Internal_LAN" needs to access "inside", you could have added the "static" command suggested.
    It seems there have been some other suggestions in between that have again suggested completely different things. I would have been interested to know what the situation is after the suggested changes before going and doing something completely different.
    If you are changing a lot of NAT configurations for the new "Internal_LAN" interface, I would suggest checking the output of
    show xlate | inc 172.168.1
    to see if you need to use some variant of the "clear xlate" command to clear old translations still active on the firewall. You should not use "clear xlate" without additional parameters, as otherwise it clears all translations on the firewall in the mentioned form of the command.
    You can use
    clear xlate ?
    To view the different optional parameters for the command
    - Jouni
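
The nat/global ID pairing described in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tooling: it parses the pre-8.3 `nat`, `global` and `access-group` lines copied from the configuration posted above and reports, per interface, which dynamic NAT IDs have a matching `global` pool and where. The function names (`parse`, `audit`, `global_ids_on`) are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the configuration posted above (pre-8.3 nat/global syntax).
PAGE_EXCERPT = """\
global (outside) 1 12.18.13.21 netmask 255.255.255.255
global (outside) 2 12.18.13.22 netmask 255.255.255.255
global (outside) 3 12.18.13.23 netmask 255.255.255.255
global (outside) 4 12.18.13.24 netmask 255.255.255.255
global (outside) 5 12.18.13.25 netmask 255.255.255.255
global (inside) 1 interface
global (dmz) 1 192.168.2.21 netmask 255.255.255.255
global (dmz) 3 192.168.2.23 netmask 255.255.255.255
global (dmz) 4 192.168.2.24 netmask 255.255.255.255
global (dmz) 5 192.168.2.25 netmask 255.255.255.255
global (vpnnet) 1 192.168.3.21 netmask 255.255.255.255
nat (outside) 1 NEW_VPN_POOL 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Inside_Subnet 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 DMZ_Subnet 255.255.255.0
nat (vpnnet) 0 access-list vpnnet_nat0_outbound
nat (vpnnet) 3 VPN_Subnet 255.255.255.0
nat (asainside) 0 access-list asainside_nat0_outbound
nat (asainside) 1 192.168.4.0 255.255.255.0
nat (oobnet) 0 access-list VMman_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group vpnnet_access_in in interface vpnnet
access-group asainside_access_in in interface asainside
access-group Internal_LAN_access_in in interface Internal_LAN
access-group oobnet_access_in in interface oobnet
"""

NAT_RE = re.compile(r"^nat \(([^)]+)\) (\d+)\s")
GLOBAL_RE = re.compile(r"^global \(([^)]+)\) (\d+)\s")
GROUP_RE = re.compile(r"^access-group \S+ in interface (\S+)$")


def parse(config_text):
    """Return (nat IDs per source interface, egress interfaces per ID, bound interfaces)."""
    nat_ids = defaultdict(set)   # source interface -> {nat ID, ...}
    pools = defaultdict(set)     # nat ID -> {interface holding a global with that ID}
    bound = set()                # interfaces that have an access-group applied
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nat_ids[m.group(1)].add(int(m.group(2)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            pools[int(m.group(2))].add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound.add(m.group(1))
    return nat_ids, pools, bound


def global_ids_on(config_text, egress_ifc):
    """NAT IDs that already have a global pool on egress_ifc."""
    _, pools, _ = parse(config_text)
    return sorted(i for i, ifcs in pools.items() if egress_ifc in ifcs)


def audit(config_text):
    """Per interface: dynamic nat IDs, where each can egress, and IDs with no pool."""
    nat_ids, pools, bound = parse(config_text)
    report = {}
    for ifc in sorted(bound | set(nat_ids)):
        ids = nat_ids.get(ifc, set())
        dynamic = sorted(i for i in ids if i != 0)   # ID 0 is NAT exemption
        egress = {i: sorted(pools.get(i, set()) - {ifc}) for i in dynamic}
        report[ifc] = {
            "exempt": 0 in ids,
            "no_dynamic_nat": not dynamic,
            "egress": egress,
            "orphan_ids": [i for i in dynamic if not egress[i]],
        }
    return report


if __name__ == "__main__":
    for ifc, info in audit(PAGE_EXCERPT).items():
        print(ifc, info)
    print("IDs with a global on outside:", global_ids_on(PAGE_EXCERPT, "outside"))
```

Run against the excerpt, the report shows `Internal_LAN` with an access-group but no `nat` statement at all, and lists the IDs that already have a `global` on `outside`.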

  • RV016 Protocol Binding & Access Rules do not work on PPTP

    Hi
    I have enabled the PPTP server and the connection succeeds, but I can't block the internet service with Protocol Binding and Access Rules for the PPTP client.
    The PPTP Server:
    192.168.1.150~160
    Protocol Binding:
    HTTP [TCP/80~80] -> 192.168.1.150~160(0.0.0.0~0.0.0.0)
    Access Rules:
    1; Enable; Deny; HTTP [80]; LAN; 192.168.1.150~160; Any; Always
    Firmware Version: 3.0.0.19-tm
    I tested the setting with a local PC connected to the router directly. The rule is running.
    But over PPTP, it can go to the internet. And I confirmed the VPN IP is 192.168.1.150.

    Hi Mr Krastew,
    Thank you for your reply.
    But I am not looking to stop internet web service on my client side only.
    Maybe I can explain more here.
    The client PC is running on an intranet, which means the client network stops all services [1~65535: TCP/UDP] from passing through the WAN. At this moment, the client network allows only PPTP port 1723 to pass through it. And the client PC is manually configured with no DNS.
    And the client requests that the client PC have no intranet service when the PPTP VPN is connected. So I can't disable "Using Remote Network Default Gateway" in the TCP/IP configuration.
    And on the server (RV016) side, half of the PCs are allowed to connect to the internet.
    The local PCs in the server LAN can be controlled by ACL.
    The client is connected by PPTP and its IP is still within the ACL. But it can access all internet services (e.g. FTP, HTTP).
    So I want to know: is it my configuration problem? Or the router's own problem? Or my design problem?
    For now, I key in a wrong DNS on the client PC to cheat the user temporarily.
    Best regards,
    Joe Wong

  • HT5413 Help filtering internet access

    +PAX
    Greetings all, and a Merry Christmas!
    We're a small monastery. And due to this, we need to implement some Internet filtering. Unfortunately, it's not the basic kind of filtering. Frankly, I'm not sure that all of what we're looking to do can be done. But I'm at a loss about where I can look for this information.
    At the moment, we've got a basic network, that you'd find a family home: DSL modem-router, a bunch of Ethernet hubs, and a whole bunch of cables.
    The computers are mainly running Fedora Linux. There are 3 Windows stations, and 2 OS X stations.
    The perfect solution is to be able to have 1 network, where there are 2 or 3 rooms where the Internet is accessible. And, those who have laptops, that they can bring their laptop to these rooms, and have Internet access, but NOT have access while connected to the network in other places. (Complicated, I know).
    If that's not possible, ok. (Frankly, I don't think it is, but am very open to suggestions).
    What we really do need is to be able to allow an Internet connection, restrict basically all web-surfing, while allowing e-mail, Skype, and updates. The updates are my biggest problem. We already have a rule established on the modem-router that blocks surfing activity at night, but still allows e-mail and Skype. Yet, this rule also blocks the Apple AppStore updates.
    So, I'm wondering if we get OSX server, would this help the situation? Where can I get more info about OSX server's filtering capabilities?
    If we can't establish all the blocking that we need, then it'd be great if we could have some type of report of each person's activity.
    Thanks for the help!

    IMO, OS X Server won't be a good solution as a network filter.  It might be useful here, but it very likely won't be your most appropriate choice as a network-gateway-router system.
    FWIW, I'd suggest pursuing this in a Fedora-focused networking forum, in general.  This given that's your most common platform.
    Assuming wired networks, you can divide up the access via managed switches and a VLAN, or via physical network segmentation.  WiFi is somewhat harder to segment, short of having a guest network and a private network; you'd need access points (APs) with two networks configured, one of which allows a little more access, and the other that's presumably restricted to the local IP address space.
    There are gateway routers around which allow several different segments to be maintained, but they're generally starting in the ~US$250 range and upwards, and usually expect a little more knowledge of IP networking and related topics than the residential routers that are in common use.
    Here is Apple's network port list.
    As for the updates, OS X Server can cache those, as can the Reposado tool on a Fedora system.
    A common solution involves a web proxy filter, where all connections must pass through that device.  The connections used for the OS X Server or Reposado server itself to download updates would need to be programmed to allow access, but the other local OS X clients could be aimed at the local server.  In your case, your filter can block all outbound connections to TCP 80 and TCP 443 entirely, save for the specified servers loading updates from their respective upstream sources.
    Email is fairly easy, as you'll probably want to block outbound TCP 25, but allow POP via SSL and IMAP via SSL and allow the submission ports (TCP 486 and TCP 587).
    Now for the somewhat bad news: these general approaches can often be bypassed using VPNs and tunnels, so somebody that's knowledgeable can generally get around simple-minded network filters.  Which means you can end up blocking more than a little outbound traffic; more than TCP 80 and TCP 443. 
    Now for somewhat more bad news: Skype uses TCP 80 and TCP 443 (or requires a whole lot of open ports), and specifically to work around filters and blocks and firewalls and related "defenses".  Whether you can get that to work by excepting the supernodes, I don't know.
    I'd probably sort out what you do and do not want to allow access to as a more general problem, as getting an update server into a DMZ with exceptions enabled is a comparatively small problem — once you achieve the sorts of network blockages you're seeking.  None of this stuff is particularly specific to OS X or OS X Server, either.  
    This configuration will probably involve installing a network gateway with internal filtering capabilities and a network nanny implementation, as well as some work on the internal network configuration.  That may well be possible with Fedora, DD-WRT, Tomato or some other similar open source (it's likely best to ask for discussions and tradeoffs of those options elsewhere), and can be implemented with a commercial offering.  Your needs here are probably even a little simpler in some ways, as you want and need just a few web connections.
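
The filter layout described in the answer above depends on rule order: the exception for the update server has to be evaluated before the blanket block on TCP 80 and 443. The following is an added example, not part of the original answer: a first-match policy model with a check for rules that can never fire. The addresses, the default-deny fallback and the use of ports 993, 995 and 587 for IMAP over SSL, POP over SSL and submission are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

LAN = "192.168.1.0/24"            # hypothetical LAN range
UPDATE_CACHE = "192.168.1.5/32"   # hypothetical local update-caching server


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source network in CIDR form
    proto: str         # "tcp" or "udp"
    dports: frozenset  # destination ports the rule covers
    note: str


# First match wins, so the narrow exception precedes the broad block.
POLICY = [
    Rule("allow", UPDATE_CACHE, "tcp", frozenset({80, 443}), "update cache fetches upstream"),
    Rule("deny", LAN, "tcp", frozenset({80, 443}), "no direct web access"),
    Rule("deny", LAN, "tcp", frozenset({25}), "no direct outbound SMTP"),
    Rule("allow", LAN, "tcp", frozenset({587, 993, 995}), "submission, IMAPS, POP3S"),
]


def decide(src_ip, proto, dport, policy=POLICY):
    """Return (action, reason) for one outbound flow; unmatched flows are denied."""
    addr = ipaddress.ip_address(src_ip)
    for rule in policy:
        if (proto == rule.proto and dport in rule.dports
                and addr in ipaddress.ip_network(rule.src)):
            return rule.action, rule.note
    return "deny", "default deny"


def shadowed(policy):
    """Return (later_index, earlier_index) pairs where the later rule can never match."""
    hits = []
    for j, later in enumerate(policy):
        later_net = ipaddress.ip_network(later.src)
        for i in range(j):
            earlier = policy[i]
            if (earlier.proto == later.proto
                    and later.dports <= earlier.dports
                    and later_net.subnet_of(ipaddress.ip_network(earlier.src))):
                hits.append((j, i))
                break
    return hits


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("192.168.1.5", "tcp", 443),   # update cache to upstream
        ("192.168.1.40", "tcp", 443),  # laptop browsing (Skype on 443 looks the same)
        ("192.168.1.40", "tcp", 25),
        ("192.168.1.40", "tcp", 993),
        ("192.168.1.40", "udp", 53),
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
    print("shadowed rules:", shadowed(POLICY))
```

Swapping the first two rules makes `shadowed` report the update-server exception as unreachable, which is the ordering mistake that silently blocks updates.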

  • Is it possible to be connected with a 3G modem for internet access and a WiFi router for printer sharing at the same time?

    For our only internet access we have a 3G wireless modem. I have since purchased a WiFi printer and router to connect all the computers to in the house. The PCs have no problem with using both the 3G connection and the WiFi signal at the same time to print, however, the MacBook Pro will not connect to the 3G network and the router, it will drop the internet access from the modem and attempt to connect via WiFi (which has no internet access). Is there a solution that is available to remedy this? I attempted to create an adhoc printer network, however, the MacBooks again will not print off of this, only the PCs. And I'm getting a bit frustrated overall with this.

    The 3G wireless modem is on one of the PCs, correct?
    Why don't you pass the Internet through the Ethernet port to the router via Cat5 cable, then have that transmit a WiFi signal that everything else can use, then connect the printer to the router for print sharing?
    You would have to turn off the WiFi on the computer with the 3G modem as it's physically connected to the router and can't connect to the other machines as they are all connected to the router for sharing.
    The Mac has the ability to pass, Internet Sharing in the System Preferences.
    Do you have software for the Mac to run the 3G modem?

  • ASA 5505, error in Access Rule

    Hello.
    The ASA 5505 is working, but I am trying to allow http and https from the internet to a server running 2012 Essentials. The server has the internal IP 192.168.0.100. I have created an object called SERVER with IP 192.168.0.100.
    The outside Interface is called ICE
    I have configured NAT:
    I have also configured Access Rules:
    But when I test it with the Packet Tracer I get an error:
    What's wrong with the Access Rule?
    I do prefer the ASDM :)
    Best regards Andreas

    Hello Jeevak.
    This is the running config (Vlan 13 (Interface ICE) is the one in use):
    domain-name DOMAIN.local
    names
    name 192.168.0.150 Server1 description SBS 2003 Server
    name 192.168.10.10 IP_ICE
    name x.x.x.0 outside-network
    name x.x.x.7 IP_outside
    name 192.168.0.100 SERVER description Hovedserver
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    interface Vlan2
     description Direct Connect
     backup interface Vlan13
     nameif outside
     security-level 0
     pppoe client vpdn group PPPoE_DirectConnect
     ip address pppoe
    interface Vlan3
     description Gjestenettet
     nameif dmz
     security-level 50
     ip address 10.0.0.1 255.255.255.0
    interface Vlan13
     description Backupnett ICE
     nameif ICE
     security-level 0
     ip address IP_ICE 255.255.255.0
    interface Vlan23
     description
     nameif USER
     security-level 50
     ip address 10.1.1.1 255.255.255.0
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
     switchport access vlan 13
    interface Ethernet0/2
     switchport access vlan 23
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
     switchport access vlan 3
    interface Ethernet0/7
     switchport access vlan 3
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup dmz
    dns server-group DefaultDNS
     domain-name DOMAIN.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit tcp any host IP_outside eq https
    access-list outside_access_in extended permit tcp any host IP_outside eq www
    access-list outside_access_in extended permit icmp any host IP_outside echo-reply
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list outside_access_in remark For RWW
    access-list DOMAINVPN_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.192
    access-list DOMAIN_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list ICE_access_in extended permit tcp any host IP_ICE eq https
    access-list ICE_access_in extended permit tcp any host IP_ICE eq www
    access-list ICE_access_in extended permit icmp any host IP_ICE echo-reply
    access-list ICE_access_in remark For RWW
    access-list ICE_access_in remark For RWW
    access-list USER_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm warnings
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    mtu ICE 1500
    mtu USER 1500
    ip local pool VPNPool 192.168.10.210-192.168.10.225 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface dmz
    monitor-interface ICE
    monitor-interface USER
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit outside-network 255.255.255.0 outside
    icmp permit 192.168.10.0 255.255.255.0 ICE
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (ICE) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz) 1 10.0.0.0 255.255.255.0
    nat (USER) 1 10.1.1.0 255.255.255.0
    static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
    static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
    static (inside,ICE) tcp interface https SERVER https netmask 255.255.255.255
    static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group ICE_access_in in interface ICE
    access-group USER_access_in in interface USER
    route outside 0.0.0.0 0.0.0.0 x.x.x.1 1 track 123
    route ICE 0.0.0.0 0.0.0.0 192.168.10.1 254
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 1
     type echo protocol ipIcmpEcho x.x.x.1 interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 1 life forever start-time now
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs group1
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    track 123 rtr 1 reachability
    no vpn-addr-assign local
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 10.0.0.10-10.0.0.39 dmz
    dhcpd dns y.y.y.2 z.z.z.z interface dmz
    dhcpd lease 6000 interface dmz
    dhcpd enable dmz
    dhcpd address 10.1.1.100-10.1.1.120 USER
    dhcpd dns y.y.y.2 z.z.z.z interface USER
    dhcpd lease 6000 interface USER
    dhcpd domain USER interface USER
    dhcpd enable USER
    ntp server 64.0.0.2 source outside
    group-policy DOMAIN_VPN internal
    group-policy DOMAIN_VPN attributes
     dns-server value 192.168.0.150
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DOMAIN_VPN_splitTunnelAcl
     default-domain value DOMAIN.local
    class-map inspection_default
     match default-inspection-traffic
    class-map imblock
     match any
    class-map P2P
     match port tcp eq www
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect im impolicy
     parameters
     match protocol msn-im yahoo-im
      drop-connection log
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect pptp
    policy-map type inspect http P2P_HTTP
     parameters
     match request uri regex _default_gator
      drop-connection log
     match request uri regex _default_x-kazaa-network
      drop-connection log
     match request uri regex _default_msn-messenger
      drop-connection log
     match request uri regex _default_gnu-http-tunnel_arg
      drop-connection log
    policy-map IM_P2P
     class imblock
      inspect im impolicy
     class P2P
      inspect http P2P_HTTP
    service-policy global_policy global
    service-policy IM_P2P interface inside
    prompt hostname context
    : end
    asdm image disk0:/asdm-524.bin
    asdm location Server1 255.255.255.255 inside
    asdm location IP_ICE 255.255.255.255 inside
    asdm location outside-network 255.255.255.0 inside
    asdm location SERVER 255.255.255.255 inside
    no asdm history enable
    What is wrong? Everything works well except port forwarding.
    Andreas
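
Added example, not part of Andreas's post or of any Cisco tooling: in the pre-8.3 ASA syntax used in the config above, a `static` port forward only passes traffic if the ACL bound inbound on the mapped interface permits that port to the mapped address. The Python below cross-checks the two on constructed sample lines. Its function names are hypothetical, it reads only `any` / `host` / `interface` entries with `eq` ports compared as written, and it ignores deny lines and object-groups.

```python
import re

# Constructed sample in the same pre-8.3 syntax as the posted config.
SAMPLE = """\
access-list outside_access_in extended permit tcp any interface outside eq www
access-list ICE_access_in extended permit icmp any any
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
static (inside,ICE) tcp interface www SERVER www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group ICE_access_in in interface ICE
"""

STATIC_RE = re.compile(r"static \(([^,\s]+),([^)\s]+)\) (tcp|udp) (\S+) (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) (.+)")


def take_addr(tokens):
    """Consume one address spec: 'any', or a pair such as 'host X' / 'interface X'."""
    if tokens[:1] == ["any"]:
        return ("any",), tokens[1:]
    return tuple(tokens[:2]), tokens[2:]


def permits(entry, proto, mapped, port, iface):
    """True if one permit entry admits proto/port to the mapped address."""
    acl_proto, tokens = entry
    _src, rest = take_addr(tokens)
    dst, rest = take_addr(rest)
    dst_ok = dst in (("any",), ("interface", iface), ("host", mapped))
    # No port clause means every port; any operator other than 'eq' is not matched.
    port_ok = rest[:2] == ["eq", port] or rest[:1] in ([], ["log"])
    return acl_proto in (proto, "ip") and dst_ok and port_ok


def unreachable_forwards(config):
    """Return static PAT lines with no matching permit in the inbound ACL."""
    statics, groups, acls = [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            statics.append((line, m.groups()))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return [line for line, (_real, mapped_if, proto, mapped, port) in statics
            if not any(permits(e, proto, mapped, port, mapped_if)
                       for e in acls.get(groups.get(mapped_if), []))]
```

Calling `unreachable_forwards(SAMPLE)` lists the https forward on `outside` and the www forward on `ICE`, because neither has a matching permit in the constructed ACLs.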

  • Kernel panic / Internet access with a bad AirPort card

    My iBook G4 started suffering kernel panics just over a week ago. They have rapidly increased in frequency to the extent that it can take several attempts to boot up because they have started occurring during the boot up process (originally they occurred after the iBook had been on for a while).
    I've looked through the forum and have seen that there seem to be some common causes -RAM, AirPort card, or something to do with the HD. I ran disk utility on the HD and it didn't find any problems and I also successfully ran the 'repair disk permissions'. I have tried taking out the RAM -that didn't do anything. The kernel panic does frequently occur when I am either using Mail or Safari, but as I've said, it also occurs when I'm booting up -does the fact that it happens when I boot up mean that it cannot be the AirPort card (which incidentally is not under the keyboard -so it must be inside)?
    Earlier today I switched off AirPort and was able to work on the computer for almost three hours without any kernel panic (but also without internet access). Less than a minute after switching it back on, it froze again.
    If this does mean that the problem is with the AirPort card, I have a question about internet access. I use the iBook on a wireless network that stems from a modem with a Mac downstairs and I do not have any internet cables, or a phone line, in the room where the iBook is used. Is it possible to use something like AirPort Express even with a bad AirPort card? And does AirPort Express connect to the iBook, or to the main modem downstairs?
    Apologies for so many questions and many thanks for any help you are able to give -this has been driving me around the bend for the past week.

    Update:
    An acquaintance who works for Apple suggested that before assuming that the problem was the AirPort card / buying further equipment, I should boot up with the original installation disk in and use the disk utility function to 'repair disk'. I did that and got a 'Volume Header needs minor repair' message. It repaired that & I restarted the iBook. I was able to do an update back-up to my external hard drive & all was fine until I switched AirPort back on -there was an instant kernel panic.
    I figured that it couldn't hurt to run the Apple Hardware Test -did that and restarted again. Was able to open Mail (AirPort was on) but then the AirPort connection disappeared and the pointer froze, but there was no kernel panic screen. I had to force quit -restarted again. This time I was able to use Mail, downloaded a song on iTunes, and was on the internet for about 45mins before the connection disappeared and the pointer froze again. I could force quit the app but with a frozen pointer I ended up having to force quit again.
    I waited a while and then booted up again (without problem) but this time I was told that there was no Airport card present! Shut down and reran the Hardware Test (which said that AirPort 'Passed'). When I restarted AirPort was briefly there but disappeared when I opened AirPort Utility and at this point the pointer also froze. I did force quit to get out of the app and then there was a kernel panic. Is this now pretty conclusive that the AirPort card is the problem?
    I would appreciate any feedback -I've had a very frustrating week with this.
    Thanks.

  • I have a 1st generation Time Capsule with current firmware. Can I define the time periods when my children's devices have access to the wi-fi network?

    I have a 1st generation Time Capsule with current firmware. Can I define the time periods when my children's devices have access to the wi-fi network?

    Yes, using the Timed Access feature in AirPort Utility, you can set up specific rules for each wireless device which define the exact timeframe each day that the device will be allowed to connect to the wireless network.
    Example: junior's iPhone can connect
    Everyday, between 9 AM and 10:00 PM
    or
    Weekdays, between 4 PM and 9 PM
    and Weekends, between 9 AM and 11 PM
    At the same time, your own personal devices will have Unlimited Access at all times.

  • Internet Access through TMG for all HO & Branch office

    Dear Experts!,
    I am new to Forefront TMG 2010. I have a requirement to implement internet access.
    Head office : 192.168.11.x/24 (192.168.11.1 is the TMG server)
    Branch Office 1: 192.168.12.x/24
    Branch Office 2 : 192.168.14.x/24
    Branch Office 2 : 192.168.16.x/24
    Forefront TMG 2010 standard edition.
    It has 3 NICs: two have different ISP network addresses and one has 192.168.11.1.
    The branch offices are connected using an MPLS network. The requirement is that all branch site internet must be accessed through the TMG 2010 server, which is homed in Head Office. How can this be achieved?
    What needs to be done in the external firewall and in TMG to enable internet access?
    Thanks!
    Regards, Ganesh, MCTS, MCP, ITILV2

    Hi Ganesh,
    Hope this helps
    1 - If you wish to give internet as Proxy to users
    Ensure the subnets below are able to reach the TMG internal interface, that is 192.168.11.1
    Subnet
    Branch Office 1: 192.168.12.x/24
    Branch Office 2 : 192.168.14.x/24
    Branch Office 2 : 192.168.16.x/24
    Configuration
    Enable Proxy in TMG and configure Proper Ports as per your requirements
    On the Client IE – Ensure you put Proxy IP as TMG and Port configured in TMG configuration.
    Enable a Rule
    Access Rule
    Source : Internal
    Destination : External
    Ports : HTTP / HTTPS
    Users : Authenticated Users
    2 - As normal Internet as Gateway to users
    You need to request your MPLS provider to change the default route of the subnets below to 192.168.11.1. By doing this, all internet requests from the subnets below will hit TMG.
    Subnet
    Branch Office 1: 192.168.12.x/24 Default Route 192.168.11.1
    Branch Office 2 : 192.168.14.x/24 Default Route 192.168.11.1
    Branch Office 2 : 192.168.16.x/24 Default Route 192.168.11.1
    If you have any L3 switch, then you can also make the default gateway L3 for all the subnets, and from the L3 device point it to TMG.
    Enable a Rule
    Access Rule
    Source : Internal
    Destination : External
    Ports : HTTP / HTTPS
    Users : All Users ( Important )
    Two ISP
    In network Rules : You need to use NAT
    You will have a rule which NATs Internal to External
    On External - choose which ISP interface should be used and apply the NAT rule

  • Control Internet access using machines names

    Hello to all, I have some machines (> 100) that are DHCP clients and are on different subnets. I need the users who work on these machines not to access the Internet. Is there a way on TMG 2010 to create any kind of control to accomplish this need?
    Regards, EEOC.

    Hi,
    You can only control the traffic with IP addresses, not computer names. Another way to limit internet access is to use users and groups in TMG firewall policy rules. The clients must be Webproxy or TMG clients.
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote
