Clientless WebVPN and reflexive access list firewall

I have a Cisco Router 3825 with a WEBVPN server and a reflexive access list firewall. All is well, but when I try from outside to go to the WEBVPN server and try through the WEBVPN site to open some web site, it doesn't work. For example, when I try to open yahoo.com, the log shows
"%SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied tcp 98.138.253.109(80) -> my_ip_address(45341), 1 packet  [ACL_ERROR]"
98.138.253.109 is yahoo.com's IP address.
Can you give me advice on how to solve this problem?

If you have WEBVPN, then you have the Security image/license on your router. That means that you are not restricted to reflexive ACLs; you can use a "real" firewall feature like CBAC or ZBF on that device.
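The fix the answer points to, worked through as an added example (this is not configuration from the thread or from Cisco): a Zone-Based Firewall on the 3825 in place of the reflexive ACL. Clientless WebVPN fetches the requested page from the router itself, and IOS outbound ACLs are not applied to router-generated packets, so a reflexive "evaluate" never records that session and the reply from yahoo.com hits the static deny in ACL-FILTER-IN. ZBF's built-in "self" zone is the zone for traffic to and from the router, which is exactly the traffic the reflexive ACL cannot track. Assumed, because the thread does not say: an IOS image with ZBF (12.4(6)T or later), GigabitEthernet0/0 as the LAN interface, GigabitEthernet0/1 as the Internet interface that carried ACL-FILTER-IN inbound, and the WebVPN portal listening on tcp/443.

```cisco
! Added example, not from the thread: Zone-Based Firewall replacing the reflexive ACL.
! Assumptions: Gi0/0 = LAN, Gi0/1 = Internet (where ACL-FILTER-IN was applied inbound),
! WebVPN portal on tcp/443, IOS 12.4(6)T or later with the security feature set.

zone security INSIDE
zone security OUTSIDE
! "self" is built in: traffic sourced by or destined to the router itself

! 1. Sessions the router opens toward the Internet (clientless WebVPN proxies the
!    user's HTTP/HTTPS requests from here). Self-zone policies inspect the generic
!    tcp/udp/icmp protocols; the inspection state admits the replies.
class-map type inspect match-any CM-SELF-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-SELF-TO-OUT
  inspect
 class class-default
  drop log

! 2. What the Internet may open toward the router itself: only the WebVPN portal.
!    Add entries here for any other service the router must expose (e.g. ISAKMP).
ip access-list extended ACL-WEBVPN-TO-SELF
 permit tcp any any eq 443
class-map type inspect match-all CM-OUT-TO-SELF
 match access-group name ACL-WEBVPN-TO-SELF
 match protocol tcp
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-OUT-TO-SELF
  inspect
 class class-default
  drop log

! 3. LAN hosts to the Internet: stateful inspection replaces "reflect"/"evaluate".
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log

! No OUTSIDE->INSIDE zone-pair is defined, so unsolicited Internet traffic
! to the LAN is dropped by default; INSIDE<->self has no pair either, so
! management of the router from the LAN keeps working.
zone-pair security ZP-SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUT
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT

interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 no ip access-group ACL-FILTER-IN in
 zone-member security OUTSIDE
```

After applying this, a WebVPN user opening yahoo.com should show up as a session on the self-to-OUTSIDE zone-pair in "show policy-map type inspect zone-pair sessions", and the earlier %SEC-6-IPACCESSLOGP deny for the reply packet should no longer appear, because the reply is matched against that session rather than against a static ACL.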

Similar Messages

  • Questions on Reflexive Access Lists

    Hi Sir,
    I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
    The config on the core router is as follows:
    int Vlan10
     description *** Server Farm ***
     ip address 172.16.10.1 255.255.255.0
     ip access-group inboundfilters in
     ip access-group outboundfilters out
    int Vlan20
     description *** Marketing Department ***
     ip address 172.16.20.1 255.255.255.0
    int Vlan30
     description *** Engineering Department ***
     ip address 172.16.30.1 255.255.255.0
    ip access-list extended outboundfilters
     permit tcp any any eq telnet
     permit tcp any any eq smtp
     evaluate iptraffic
    ip access-list extended inboundfilters
     permit ip any any reflect iptraffic
    My questions:
    (1) I have yet to test the above config on an actual router. However, is it correct theoretically?
    (2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
    (3) If you have other better feature options that meet my requirements, please do recommend.
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

    Hi Lim,
    CBAC is good as well, considering the following features:
    1. Traffic Filtering:
    - filters TCP and UDP packets based on application-layer protocol session information.
    - permits specified TCP and UDP traffic through a firewall when the connection is initiated from the inside protected network or from the outside network.
    2. Traffic Inspection
    - discovers and manages state information for TCP and UDP sessions, which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
    - protects against DoS attacks by checking/verifying sequence numbers (they must be within the expected range) and discarding unknown packets. The same goes for attacks via fragmented IP.
    3. Alerts and Audit Trails
    - can send real-time alerts and audit trails to a syslog server (or the buffer log)
    4. Intrusion Detection
    - embedded with 59 well-known IDS signatures, similar to the IDS features in PIX.
    Limitations:
    1. Only protects the protocols you specify. The rest will depend on the ACLs you have in the router, but not up to the session layer.
    2. No protection for attacks originating from the internal network, unless you have firewall (PIX/ASA/IOS firewall) protection.
    3. Only protects against certain types of well-known attacks, based on the 59 embedded IDS signatures.
    For spoofing protection, i.e. a spoof attack from the outside/common user segment, maybe you should apply RFC 2827 (prevent IPs on the protected segment from coming back into that segment from outside). Make sure your ACL has the 'established' keyword as well. As recommended by Cisco, you should apply multiple layers of security protection both on your router and on the other devices connected to it.
    Cheers!

  • I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the MAC address is included on that list and that the password is correct. Under Choose Network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi NIC bad in this thing with the new Apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC, which allows only 64 access-list entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead. I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE, and not the old Wireless/Aironet OS, will provide a better experience when it comes to such issues.
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an extended access-list when ICMP inspection is enabled on an ASA. From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or by enabling ICMP inspection in the Modular Policy Framework. Is that true? Do I only NEED an extended access-list or to enable ICMP inspection? Do I not need both? Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (security 100) to a host on the outside interface (security 0) when ICMP inspection is enabled with the following commands:
    policy-map global_policy
     class inspection_default
      inspect icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If the problem is still current, I can answer this question for you.
    Let's look at the situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet comes in. If we're speaking about ping, then the ACL rules must allow packets in both directions.
    In the case with ICMP inspection, with the ACL entry you should allow only request packets; replies will be allowed based on the connection created by ICMP inspection.
    Speaking about your particular example with different security levels, with the default rule that allows traffic from a higher-security interface to a lower one: NO, you do not need to enter the rules you described, and you'll have a successful ping.
    If you deleted this rule and administer the allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
    P.S. It's not good practice to leave that default rule which allows traffic from a higher security level to a lower one.

  • WAAS and SNMP access-list

    I am using 4.1.1c (build b16), and testing restricting access to the SNMP MIBs. We are running inline with a separate interface for management (gi1/0), with an SNMP access-list defined and snmp-server access-list set.
    snmp-server community public
    snmp-server access-list SNMP
    ip access-list standard SNMP
     permit 10.10.10.2
    When I walk the MIB from 10.10.10.2 and then look at the ACL, it doesn't show any access.
    CM#sh ip access-list SNMP
    Standard IP access list SNMP
    1 permit 10.10.10.2
    (implicit deny any: 0 matches)
    total invocations: 0

    To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP GRE encapsulated traffic that it receives, you can use the wccp access-list global configuration command.

  • Question on best practice for NAT/PAT and client access to firewall IP

    Imagine that I have this scenario:
    Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
    One of my users is complaining about the following:
    When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the client sees IP address 10.10.10.1.
    Do you see this as a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation as a problem, but please let me know if I am wrong.

    Hi,
    Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
    This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
    For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.
    And for PAT you cannot use the same pair of local and global address in multiple static statements between the same two interfaces.
    Regards
    Bjornarsb

  • Thoroughly Confused with ADSM created access-lists when viewing ASA config

    Background:
    I am trying to unravel an ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
    None of them ever removed any lines from the configuration, and none did any documentation.
    I have several basic questions, which show my ignorance.
    When examining the actual configuration from a CLI perspective:
    1. Does an ADSM-created access list end with any specific ADSM-added suffix?
    2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
    3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
    4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

    Actually, I don't think I ever made myself clear.
    I am working with a hard copy of the CLI.
    I have no access to the devices to run any commands, nor access to the ADSM.
    I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
    As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
    I have probably 10-15 different access lists in this config.
    Some look to be affiliated with specific ports. Some of these ports are up, some down.
    I have the same rule sets appearing in 3 separate access lists, in some cases.
    Of course, each of these 3 access lists is slightly different.
    Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
    An example:
    3 access lists:
    Prmary_Public_access_in
    Primary_Public_access_in_tmp
    Arin_Primary_Public_access_in
    Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
    Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
    Primary_Public_access_in does not appear to be directly associated with any one port
    So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

  • WS-C3524-XL-EN , mac access-list , ssh ..

    Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), with the last IOS running on it, support SSH and mac access-lists to secure the port with MAC addresses?
    thanks

    There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for 3550 and look for the link.

  • Reflexive/established access list

    We want internal hosts that are accessing the Internet to have return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic coming from the Internet. We want only websites that respond to an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, and only the response for that request. We want to restrict traffic initiated from the outside to only VPN, SSH and email. The following caused Internet traffic to slow down and websites did not fully load. Any assistance would be appreciated.
    Thanks.
    Said
    access-list 150 permit tcp any host <firewall outside IP>
    access-list 150 permit tcp any host <Exchange server translated public IP> eq www
    access-list 150 permit tcp any host < Exchange server translated public IP> eq smtp
    access-list 150 permit tcp any host < Exchange server translated public IP> eq 22
    access-list 150 permit tcp any host < Exchange server translated public IP> eq pop3
    access-list 150 permit tcp any any eq telnet
    access-list 150 permit icmp any any
    access-list 150 permit udp any eq domain any
    access-list 150 permit udp any any eq domain
    access-list 150 permit esp any any
    access-list 150 permit gre any any
    access-list 150 permit udp any any eq non500-isakmp
    access-list 150 permit udp any any eq isakmp
    access-list 150 permit tcp any any established
    access-list 150 deny ip any any log
    interface MFR0.724
    router(config-if)#ip access-group 150 in

    Have you considered using CBAC?
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
    I like CBAC better. CBAC builds intelligence into the traffic analysis. CBAC should make your connection more secure.
    Reflex documentation
    http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html
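    CBAC, as suggested in this reply and described feature by feature in the reflexive-access-list thread further up, applied to Said's access list 150 as an added example (this is not configuration from the thread or from Cisco). The stateless "permit tcp any any established" line admits any inbound TCP segment with ACK or RST set, whether or not an inside host started the session; CBAC keeps per-session state instead and opens the return path only for sessions it saw leaving. Assumed: MFR0.724 is the Internet-facing interface from the post, the angle-bracket addresses are kept as the post's own placeholders, and the image carries the security feature set (the "ip inspect" commands).

```cisco
! Added example, not from the thread: CBAC in place of the "established" line in ACL 150.
! Assumptions: MFR0.724 faces the Internet; <...> placeholders are the post's own.

! Inspection rule: follow TCP, UDP and ICMP sessions leaving toward the Internet
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
! Log session open/close events to syslog (the CBAC audit trail)
ip inspect audit-trail

! Inbound ACL: only what the Internet is allowed to start (email/OWA, SSH, VPN).
! No "established", DNS-reply or ICMP-reply lines: CBAC adds those openings per session.
ip access-list extended ACL-OUTSIDE-IN
 permit tcp any host <Exchange server translated public IP> eq www
 permit tcp any host <Exchange server translated public IP> eq smtp
 permit tcp any host <Exchange server translated public IP> eq pop3
 permit tcp any host <Exchange server translated public IP> eq 22
 permit udp any host <firewall outside IP> eq isakmp
 permit udp any host <firewall outside IP> eq non500-isakmp
 permit esp any host <firewall outside IP>
 permit gre any host <firewall outside IP>
 deny ip any any log

interface MFR0.724
 ip access-group ACL-OUTSIDE-IN in
 ip inspect CBAC-OUT out
```

    The inspection is applied in the direction the sessions leave (out on MFR0.724) and the openings it creates are inserted ahead of the inbound ACL on the same interface, so a web reply is accepted only while "show ip inspect sessions" lists the matching outbound session; an unsolicited ACK-flagged segment from the Internet, which the old "established" line would have passed, now falls through to the final deny.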

  • TCAM and Access Lists

    Hi
    I am getting myself confused with the TCAM tables and access-lists. From reading the switching book I can see that the access-lists are compiled into the TCAM. What is confusing me is how a switch does a lookup in parallel when the access lists are written in a specific order. You can't parallelize something which has to be done in sequence.
    Am I just misreading this part and the author means that each statement is looked up in a parallel table lookup, in serial order?
    Also, how do we achieve the parallelism? Is there a multiprocessor ASIC doing something weird and wonderful in there with parallel code like OCCAM? (showing my age there :) )

    Hi Carl,
    As I mentioned earlier, we could say CBAC is a kind of access list.
    An access list just filters some prefixes/ports. CBAC is an additional feature over ACLs. We make use of the ACL in CBAC to inspect traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions.
    Just go through this link for both ACL and CBAC:
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#cbac
    Rgs,
    Balaji. V

  • How to find out list of users and their access on Sharepoint

    Hello Everyone
    How can I find out the list of users and what access they have on a SharePoint site? I want to create a table with the list of users and their access.
    Thanks

    You can get the report using the PowerShell scripts below. The first one gives the list of users at the site collection level.
    The second link generates the permissions reports for each user.
    http://techtrainingnotes.blogspot.com/2010/12/sharepoint-powershell-script-to-list.html
    https://sp2010userperm.codeplex.com/

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN... all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.
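    The vpn-filter approach from this reply, as an added example (this is not configuration from the thread or from Cisco). Constructed values that are not in the thread: remote site LAN 10.2.0.0/16, local LAN 10.1.0.0/16, local server 10.1.0.10, peer address 203.0.113.2.

```cisco
! Added example, not from the thread: restrict the site-to-site tunnel with a vpn-filter
! while "sysopt connection permit-vpn" stays on for the remote-access users.
! Constructed values: remote LAN 10.2.0.0/16, local LAN 10.1.0.0/16, peer 203.0.113.2.

! A vpn-filter ACL is evaluated with the remote (tunnel) side as source and the
! local side as destination, for traffic in both directions. For sessions the
! local side opens toward the remote site, the remote port sits in the source
! position. The explicit final deny drops everything else over the tunnel.
access-list VPN-FILTER-SITEB extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq 443
access-list VPN-FILTER-SITEB extended permit tcp 10.2.0.0 255.255.0.0 host 10.1.0.10 eq 445
access-list VPN-FILTER-SITEB extended permit icmp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list VPN-FILTER-SITEB extended deny ip any any log

! Group policy carrying the filter, bound to the site-to-site tunnel-group only
group-policy GP-SITEB internal
group-policy GP-SITEB attributes
 vpn-filter value VPN-FILTER-SITEB

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-SITEB

! Remote-access users stay on their own group policy, which has no vpn-filter,
! so their decrypted traffic still bypasses the interface ACLs through sysopt.
sysopt connection permit-vpn
```

    The filter is enforced on the decrypted traffic of that one tunnel-group, so the interface ACL bypass that sysopt grants to every IPsec session is untouched for the remote-access users; hits on the deny line show up in the log like any other ACL deny, which is how to confirm the filter is actually in effect before tightening it further.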

  • Can a phisher gain access to my wifi and my macbook after I gave him access, but then changed my macbook's password and put up a firewall?

    I got a scam call from a phisher, but I didn't know it. I gave them access to my laptop, my laptop password, my phone number, address, and email address. They had remote control of my computer and they had me download a program called "Clean My Mac." Supposedly, it was cleaning my Macbook, but it was probably downloading other viruses? I finally realized what was going on, and I disconnected the internet, changed my laptop password and turned on my firewall. If I reconnect to the internet again, with the information that they have, can they still gain remote access to my computer? Can they get info from my wifi? I am planning on doing a system restore on my computer, but should I get a new wifi router to be safe? I'm just not sure what these guys can do and access. HELP!

    I would:
    - Change ALL the passwords used on the computer, like your Apple ID password and bank passwords if you used those on the computer
    - Format your HD, reinstall the OS and restore from a backup made before the problem
    - Reset your router by pressing the reset button, usually with a paper clip, and set the router up again using a different password. No reason for a new router.

  • iTunes will not connect to the internet or access the store with a working internet connection. I've already tried updating to the latest version and turning off Windows Firewall. Running a new Dell computer with Windows 7 with minimal programs installed

    iTunes will not connect to the internet or access the store with a working internet connection. I've already tried updating to the latest version and turning off Windows Firewall. Running a new Dell, Windows 7 Ultimate, no virus or firewall programs installed.

    This may sound too simple, but I just kept clicking on the arrow next to the selected music and it finally "kicked" in.
    I live in Europe, so be persistent and don't give up! Aug. 2013
