Nexus1000v : ip access-list with port range
Hi,
I am configuring an ip access-list policy with a port range on Nexus1000v. I want to block traffic of a VM based on a specific port or port range. Following is an example blocking the rdp service (port 3389) of vm x.x.x.x. But the script blocks all traffic of x.x.x.x.
Can anybody verify the script and tell what's the problem with the script?
vm x.x.x.x is on Veth2
config t
ip access-list Veth2_rc_vmfw_acl_in
deny tcp any host x.x.x.x eq 3389
exit
ip access-list Veth2_rc_vmfw_acl_out
deny tcp host x.x.x.x any eq 3389
exit
interface Veth2
ip port access-group Veth2_rc_vmfw_acl_in in
ip port access-group Veth2_rc_vmfw_acl_out out
exit
exit
Thanks
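An added example of the same policy in working form (this is not the original poster's configuration). NX-OS IP ACLs end with an implicit "deny ip any any", so a list that contains only deny entries drops every packet, which is the symptom described above. NX-OS port ACL directions are taken from the switch's point of view: "in" on a vEthernet port is what the VM sends, "out" is what is delivered to the VM, so a rule that blocks connections to the VM's RDP service belongs in the "out" list, and the matching reply traffic (source port 3389) in the "in" list. The VM address 10.0.0.25, the VNC range 5900-5910 used to show range syntax, and support for "statistics per-entry" in the Nexus 1000V release in use are assumptions.

```cisco
! Added example; VM address 10.0.0.25 on vEthernet2 and per-entry statistics
! support are assumed. Each list ends with an explicit permit so that only the
! listed ports are blocked; without it the implicit deny drops everything.
ip access-list Veth2_rc_vmfw_acl_out
  statistics per-entry
  10 remark RDP and the VNC range 5900-5910 toward the VM are dropped
  20 deny tcp any host 10.0.0.25 eq 3389
  30 deny tcp any host 10.0.0.25 range 5900 5910
  40 permit ip any any
ip access-list Veth2_rc_vmfw_acl_in
  statistics per-entry
  10 remark replies from those services (source port) are dropped as well
  20 deny tcp host 10.0.0.25 eq 3389 any
  30 deny tcp host 10.0.0.25 range 5900 5910 any
  40 permit ip any any
interface vethernet 2
  ip port access-group Veth2_rc_vmfw_acl_in in
  ip port access-group Veth2_rc_vmfw_acl_out out
! Verification: a blocked RDP attempt raises the counter on entry 20 of the
! "out" list, everything else on entry 40.
show ip access-lists Veth2_rc_vmfw_acl_out
show ip access-lists Veth2_rc_vmfw_acl_in
show running-config interface vethernet 2
```

The per-entry counters are the quickest way to confirm which line a packet hit; if the counter on the final permit stays at zero while the VM loses all connectivity, the list is still being evaluated to its implicit deny.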
Similar Messages
-
Extended access list with multiple ports
Hello All,
I have a problem with my Cisco Catalyst 4503-E when I try to configure an extended access list with multiple ports.
I receive the following message:
The information about my switch is the following:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
12.2(52)SG, RELEASE SOFTWARE (fc1)
Please help me to resolve this problem.
Best regards.
Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
NAM 5.1 How to create Application with port range from cli?
Hello,
I can create a new Application with a port range from the GUI, but I cannot do it from the CLI.
If I do it by CLI as a:
nam# application
nam# name mkst-cur-A
nam# match udp 16001-16009
nam# exit
then
nam# show application app-tag 268435576
custom:120 (268435576) mkst-cur-A
udp 16001
nam#
But if I do it by GUI and then
nam# show application app-tag 268435576
custom:120 (268435576) mkst-cur-A
udp 16001 - 16009
nam#
How to do it by CLI?
Hi Alexey,
Sure, the function you're looking for is in the ANALYSIS panel under the "Curve Fitting" palette; it's called "Linear Mapping". You will need to create the desired X channel prior to calling this function, though, so you will probably need to use the ANALYSIS function "Generate Numeric Channel" in the "Channel Functions" palette.
Brad Turpin
DIAdem Product Support Engineer
National Instruments -
APEX Pages - User Access List with NTLM
Hi,
I'm building several APEX Applications, and using NTLM as their Authentication Scheme. With this, the users won't have to type any user and password, and their user name is stated in the top right of the screen.
I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
1. users (hold user name, and user data)
2. pages (hold APEX Applications pages)
3. access_list (hold combined data of users and pages and access flag)
The last table will give me an SQL that can be used to create page level Authorization Scheme.
The problem is:
I cannot find a way to get a list of user ids to pre-populate the table users. Is there a way that an administrator user can use an LOV of all NTLM users instead of typing domain\user into this application? OR is there a better and more elegant way to create a User Access List with NTLM.
Your helps will really help me, and thanks in advance.
Regards,
Aulia
This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum. -
Access list with multiple object groups
Hello Everyone,
I am using a Cisco ASA 5525 with 8.6 code. I am trying to set up an access list for outbound access, meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
I am trying to use object-groups where ever i can. Here is an example.
object-group service obj_Meraki_outbound
service-object tcp destination eq 443
service-object tcp destination eq 80
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
des This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
What I want is to use the service objects, and the source network would be obj_Meraki_lan and the destination would be obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this, maybe with a few examples? I am already using object groups in many ACLs but not for every element.
Thanks
Hi,
Seems to work on my test ASA
Attached it to my current LAN interface.
ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 WAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound_access in interface LAN
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
object-group service obj_Meraki_outbound
service-object tcp destination eq https
service-object tcp destination eq www
service-object tcp destination eq 7734
service-object tcp destination eq 7752
service-object udp destination eq 7351
object-group network obj_Meraki_lan
network-object 10.2.11.0 255.255.255.240
network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
description: This group lists all hosts associated with Meraki.
network-object host 64.156.192.154
network-object host 64.62.142.12
network-object host 64.62.142.2
network-object host 74.50.51.16
network-object host 74.50.56.218
Additional Information:
access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
Also have used such configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
- Jouni -
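An added example that extends Jouni's working configuration with the ICMP entry he mentions, an explicit logged deny at the end of the list, and the packet-tracer checks for an allowed and a blocked flow (this is not configuration from either post). The interface name "inside" is taken from the original access-group command; the source host 10.2.11.5 and the blocked port 7000 are assumed. The ASA expands the nested object groups into one line per protocol and port, which "show access-list" displays with a hit count per expanded line.

```cisco
! Added example; not the original poster's or Jouni's configuration.
object-group service obj_Meraki_outbound
 service-object tcp destination eq https
 service-object tcp destination eq www
 service-object tcp destination eq 7734
 service-object tcp destination eq 7752
 service-object udp destination eq 7351
 service-object icmp echo
!
! Source and destination groups as posted (corrected mask on the second subnet).
object-group network obj_Meraki_lan
 network-object 10.2.11.0 255.255.255.240
 network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
 description This group lists all hosts associated with Meraki.
 network-object host 64.156.192.154
 network-object host 64.62.142.12
 network-object host 64.62.142.2
 network-object host 74.50.51.16
 network-object host 74.50.56.218
!
! Service group first, then source, then destination. The explicit deny at the
! end is what the implicit deny would do anyway, but with it every rejected
! flow shows up in syslog with the ACL name.
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
access-list outbound_access extended deny ip any any log
access-group outbound_access in interface inside
!
! Without ICMP inspection the echo-reply would have to be permitted on the
! outside interface; inspection tracks the echo and lets the reply back in.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: the first flow should end with ALLOW, the second should stop at
! the ACCESS-LIST phase with DROP because 7000 is not in the service group.
packet-tracer input inside tcp 10.2.11.5 40000 64.156.192.154 443
packet-tracer input inside tcp 10.2.11.5 40000 64.156.192.154 7000
show access-list outbound_access
```

The expanded view from "show access-list" is also the place to confirm that a mask typo such as 255.255.225.240 did not silently produce a network-object covering the wrong hosts.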
ACE FTP inspect with port range
Hi everyone,
I have a problem with passive FTP with a fixed port range.
I configured an FTP server with a fixed port range of 60000 - 60500 for the data channel.
And the ACE is configured with "inspect ftp" on the policy of the ftp-serverfarm.
In a tcpdump on the server I can see that the server uses the port range in the response packet.
(x,x,x,x,34,195) = 60099
But on the client I can see that the port in the packet is changed to another port. The ACE is between server and client.
On CCO I found a document "http://www.ciscosystems.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/policy.html#wp1006925" ->> Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data.
I don't understand why the ACE changes the port in the FTP payload.
Is it possible to configure the same port range on the ACE for the connection to the client?
Thanks
René
You don't need inspect ftp with one server because you can avoid it.
You can for example configure a loopback on the server with the vip address and configure the serverfarm as transparent on ACE.
Then for the data channel, since your range of ports is quite small, you can catch it with a class-map and simply forward it to the server.
Like this, the server will use the vip address in all packets exchanged with the client (no need to nat the payload) and when the client opens a data connection, the traffic is matched with the class-map and the connection can be forwarded to the server using the same transparent serverfarm.
Less chance to run into compatibility issue.
Better performance since we can switch traffic without inspecting its content.
Gilles. -
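An added example that turns Gilles' description into ACE configuration (it is not configuration from either post). The VIP 10.10.10.100, the real server 10.10.20.11, the client-side VLAN 10 and the policy and class names are assumptions; the data port range 60000-60500 is the one from the question. With a transparent serverfarm the ACE does not rewrite the destination address, so the FTP server must carry the VIP on a loopback and must route its return traffic back through the ACE.

```cisco
! Added example illustrating the transparent-serverfarm approach; VIP, server
! address, VLAN and names are assumed.
rserver host FTP01
  ip address 10.10.20.11
  inservice
serverfarm host SF_FTP_TRANSPARENT
  transparent
  rserver FTP01
    inservice
!
! Control channel. No "inspect ftp" here: the server advertises the VIP itself
! in its PASV reply, so nothing in the payload has to be translated.
class-map match-all L4_FTP_CTRL
  2 match virtual-address 10.10.10.100 tcp eq 21
!
! Passive data channel: the server's whole advertised range is one class, and
! it lands on the same transparent serverfarm as the control connection.
class-map match-all L4_FTP_DATA
  2 match virtual-address 10.10.10.100 tcp range 60000 60500
!
policy-map type loadbalance first-match LB_FTP
  class class-default
    serverfarm SF_FTP_TRANSPARENT
!
policy-map multi-match L4_CLIENT_VLAN
  class L4_FTP_CTRL
    loadbalance vip inservice
    loadbalance policy LB_FTP
  class L4_FTP_DATA
    loadbalance vip inservice
    loadbalance policy LB_FTP
!
interface vlan 10
  ip address 10.10.10.1 255.255.255.0
  service-policy input L4_CLIENT_VLAN
  no shutdown
```

Because nothing ties the data connection to the control connection any more, this only works cleanly with a single real server, which is the case described in the question; with several servers a sticky group would be needed so that both connections reach the same host.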
Problem with Port Range Forwarding WRV54G
I have configured my WRV54G to do the following, in this order, on the Port Range Forwarding page of the router:
1. Forward port 3389 to LAN Static IP x.x.x.100, a desktop PC. I have confirmed this works, a port scan shows this port is open and I can remote desktop into x.x.x.100
2. Forward port 443 to LAN Static IP x.x.x.101. I have confirmed this works, a port scan shows this port is open I can VPN to an SSL concentrator at x.x.x.101
3. Forward port 3390 to LAN Static IP x.x.x.102, a desktop PC. THIS DOES NOT WORK. A port scan shows that this port is not open. I have configured the remote desktop host at x.x.x.102 to use port 3390. Netstat shows that x.x.x.3390 is listening on this port. I can remote desktop to x.x.x.102 from inside the LAN, no problem, so it's not an issue with the PC configuration.
So, then I switched the order of the port forwarding instructions, in this order, as follows:
1. Forward port 3389 to LAN Static IP x.x.x.100, a desktop PC. I have confirmed this works, a port scan shows this port is open and I can remote desktop into x.x.x.100
2. Forward port 3390 to LAN Static IP x.x.x.102, a desktop PC. I have confirmed this
works, a port scan shows this port is open and I can remote desktop into x.x.x.102
3. Forward port 443 to LAN Static IP x.x.x.101. THIS DOES NOT WORK. Port scan shows this port is not open.
It looks like the WRV54G is only recognizing the first two entries in the Port Range Forwarding table and IGNORING the third entry. HELP??!!
I have the latest firmware installed: v2.39.2e
Anyone have a solution? Thanks in advance!
Message Edited by crescendi on 07-19-2008 11:53 AM
Are you still using the DHCP server range of x.x.x.100 through x.x.x.149 ? If so, then your problem may be that you are using illegal fixed LAN IP addresses.
With Linksys routers, any fixed LAN IP address must be outside the DHCP server range, and it cannot end in 0, 1, or 255.
I would suggest that you fix the illegal addresses, then see if that resolves your problem.
Here is the full set of rules for using fixed LAN IP addresses:
With Linksys routers, a fixed (static) LAN IP address must be assigned in the device that is using the address. So you need to enter the fixed address in the computer or printer, not in the router.
When using a Linksys router, any fixed LAN IP address must be outside the DHCP server range (typically 192.168.1.100 thru 192.168.1.149), and it cannot end in 0, 1, or 255.
Therefore any fixed LAN IP address would normally need to be in the range of
192.168.1.2 thru 192.168.1.99 or
192.168.1.150 thru 192.168.1.254
assuming you are still using the default DHCP server range.
Also, in the computer, when you set up a static LAN IP address, you would need to set the "Subnet mask" to 255.255.255.0 and the "Default Gateway" to 192.168.1.1 and "DNS server" to 192.168.1.1
It is also important that no two devices on your network be set to the same static LAN IP address. -
Configuring Extended Access List with Any statement
I have several questions where I'm fuzzy on a configuration already on my network. Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations --
1. Are extended access-lists always source then destination? Like in the following statement:
permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
2. Further down though there is:
permit tcp any host 172.16.4.11 eq 443.
In that case is the source any host and the destination 172.16.4.11 ?
This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement is valid.
3. Also, when you do a:
sho ip access-list -
Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
Thanks!
Show ip access-lists with remarks?
We have a 6509E and use ACLs for our SVIs. When viewing specific ones created I use "show ip access-lists NAME" and when finding remarks I have to constantly go back to "show run | b NAME", but it seems clunky. Is there a way to see the view of the first with the sequence numbers but showing the remarks that I can only find in the show run?
Ok, I understand that I will have to use the public IP in my ACL on the ADSL-connected interface.
If I obtain a private IP on my ADSL interface from the ISP, then is it the best method to apply the ACL on the LAN interface and assign it as IP ACCESS-GROUP xxx OUT ????
And one more question.
I understand the concept with ACL with one public IP that will be NAT (overloaded). What if i am using multiple public IPs that i will NAT on all of them ???
how does this affect my ACLs. Is there a way around this ????
Thanks,
George -
Cascading Pick List with date range as first, second pick list is dynamic
Specifically, how is this accomplished?
It does not seem possible to make first pick list static. If allowed this would be perfect.
The system seems to only allow the first parameter to be dynamic if the second parameter is dynamic. No range seems to be available for date when second parameter is dynamic.
Consider a 3rd-party tool as a solution (for a list of such tools, see http://www.kenhamady.com/bookmarks.html).
There is at least one Crystal report viewer with its own special implementation of dynamic & cascading parameters. It would allow you to use any type of parameter within the cascade. However, you will need to create a separate rpt to implement each dynamic parameter. So in your case, you will have one main report, using a dynamic parameter that's implemented as a separate rpt, which has a date range parameter.
Cheers,
- ido -
Where Used List with multiple/range of material
Hi there Gurus!
We have requirement to have multiple material on CS15(Where-used List Single-Level Material).
IW13 won't work since there are spares/equipment that have no PM Order yet.
We are looking at developing an SAP Query for this, but I am reluctant since I am not sure this will work, as it's from the bottom going up.
Has anyone tried this? Any tip/watchout?
Your very valuable input is highly regarded and will be rewarded.
Thanks a lot in advance!
Hello Thyagarajan,
Thanks for clarifying the requirement.
I can only input one material in the selection screen of CS15, and what we want is functionality to enable multiple material entry. Thanks!
Hi Pete,
Thanks for your input.
When you copied CS15 and modified it to enable multiple material entry, what other options did you consider before deciding on copying CS15? Did your other options include SAP Query? Do you think it will meet our requirement? Thanks! -
Help.....Creating ACL with time-range
Hello Everybody,
I have a Cisco AP 1200 router....I have to block all wi-fi traffic from 9:00 in the morning to 3:30 in the evening, so I created an extended access-list with time-range 09:00 to 15:00 & implemented it on dot11radio0 but it did not work........
I created the access-list as follows.......
#ip access-list 101 deny tcp any any www established log time range XYZ{name of time range}
Can anyone tell me what is the problem here & how to create the access list which blocks wi-fi traffic for a certain period of time.
Hi Sudip,
Access Point ACL Filter Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml
Hope this helps!
Rob -
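An added example of a time-based filter on an autonomous AP, written for the requirement stated in the question (block wireless IP traffic 09:00 to 15:30); it is not configuration from the post or from the linked document. The posted entry differs from it in three ways that matter: the keyword is "time-range", not "time range"; a numbered list is entered as "access-list 101 ...", not "ip access-list 101 ..."; and an entry with "eq www established" only matches web traffic whose ACK or RST bit is set, while the list as a whole, having no permit, falls through to the implicit deny at every hour of the day. The SNTP server 192.0.2.10 and the list and time-range names are assumptions; the AP's clock must be correct for a time range to become active, so time synchronisation is part of the example.

```cisco
! Added example; SNTP server and names are assumed. Time-based entries are
! evaluated against the AP's own clock, so sync it first (autonomous APs use
! SNTP) and set the local time zone for your site.
sntp server 192.0.2.10
!
time-range WIFI_BLOCK
 periodic daily 09:00 to 15:30
!
! Inside the range every IP packet from wireless clients is dropped; outside it
! the entry is inactive and the explicit permit at the end lets traffic through.
ip access-list extended WIFI_FILTER
 remark block all wireless IP traffic during working hours
 deny ip any any time-range WIFI_BLOCK
 permit ip any any
!
interface Dot11Radio0
 ip access-group WIFI_FILTER in
!
! Verification: the time range shows "active" or "inactive" for the current
! clock, and the deny entry's hit count rises only while it is active.
show clock
show time-range WIFI_BLOCK
show ip access-lists WIFI_FILTER
```

If "show time-range" never reports the range as active at the expected hours, check the clock and time zone before touching the ACL; a wrong clock is the usual reason a time-based entry appears to be ignored.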
Port Forwarding & Access List Problems
Good morning all,
I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists and port forwarding configurations and I cannot seem to access the server from outside the network. I've included my config file below, any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external ip address with 1.1.1.1.
I've added the bold lines in the config file below in hopes to forward port 80 to 192.168.0.250, to no avail. You may notice I don't have access-list 102 that I created on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pantera-office
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
aaa new-model
aaa authentication login default local
aaa session-id common
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.251 192.168.0.254
ip dhcp pool private
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name network.local
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-4211276024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4211276024
revocation-check none
rsakeypair TP-self-signed-4211276024
crypto pki certificate chain TP-self-signed-4211276024
certificate self-signed 01
3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132
37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626
31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881
1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4
93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96
D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261
746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF
41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41
FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D
14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944
82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703
E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79
D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
quit
username pantera privilege 15 password 0 XXXX
username aneuron privilege 15 password 0 XXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0/0
description $ETH-WAN$
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/0/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server enable traps rf
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
end
Any/All help is greatly appreciated! I'm sorry if I sound like a newbie!
-Evan
Hello,
According to the config you posted, 2.2.2.2 is your WAN IP address and 1.1.1.1 is the next hop address for your WAN connection. The ip nat configuration for port forwarding should look like
ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
If your provider assigns a dynamic IPv4 address to the WAN interface you can use
ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
Verify the settings with show ip nat translation.
Your access list 102 permits only TCP traffic. If you apply the ACL to an interface, DNS won't work anymore (and all other UDP traffic). You might want to use a stateful firewall solution like CBAC or ZBF combined with an inbound ACL on the WAN interface.
Best Regards
Lukasz -
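An added example of what Lukasz describes, built against the posted configuration: interface-based port forwards, an inbound ACL on the WAN interface that admits only the published services and the existing IPsec peer, and CBAC inspection so that return traffic for sessions the LAN opens is admitted statefully instead of through "permit tcp any any". This is not Evan's or Lukasz's configuration. The WAN address 2.2.2.2, the inside subnet 192.168.0.0/24, the VPN subnet 10.0.100.0/24 and the crypto map name are taken from the posted config; the IPsec peer's real address was anonymised away (it appears as 2.2.2.2 as well), so 203.0.113.5 stands in for it here, and the ACL and inspect-rule names are assumptions. On the outside interface an inbound ACL is evaluated before NAT, so the forwarded services are matched on the public address, not on 192.168.0.250.

```cisco
! Added example; peer address 203.0.113.5 and the names WAN_IN / LAN_OUT are
! assumed, everything else is taken from the posted configuration.
!
! 1. Port forwards that reference the interface, so they follow an address change.
no ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
no ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.250 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.0.250 443 interface FastEthernet0/0 443
!
! 2. CBAC: sessions leaving through Fa0/0 get temporary return entries in the
!    inbound ACL below, so UDP (DNS) and TCP replies work without opening them.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
ip inspect name LAN_OUT icmp
!
! 3. Inbound WAN ACL, evaluated on the public address before NAT.
ip access-list extended WAN_IN
 remark -- IPsec from the site-to-site peer (crypto map SDM_CMAP_1)
 permit udp host 203.0.113.5 host 2.2.2.2 eq isakmp
 permit udp host 203.0.113.5 host 2.2.2.2 eq non500-isakmp
 permit esp host 203.0.113.5 host 2.2.2.2
 remark -- decrypted VPN traffic, in case this release re-checks it against the ACL
 permit ip 10.0.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark -- published web server; one line per static NAT entry
 permit tcp any host 2.2.2.2 eq www
 permit tcp any host 2.2.2.2 eq 443
 remark -- keep path MTU discovery and reachability working
 permit icmp any host 2.2.2.2 echo
 permit icmp any host 2.2.2.2 unreachable
 permit icmp any host 2.2.2.2 time-exceeded
 remark -- everything else is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group WAN_IN in
 ip inspect LAN_OUT out
!
! 4. Verification
show ip nat translations | include 192.168.0.250
show ip inspect sessions
show ip access-lists WAN_IN
```

Each additional forwarded service in the posted config (FTP, SSH, mail, 8080, 8096) needs its own permit line in WAN_IN; the static NAT entry alone does not admit the traffic once the ACL is applied. The posted config also has "snmp-server community public RO" with no access list on it; WAN_IN above does not expose UDP 161, but the community string should still be changed and restricted to a management source.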
Applying access-list to 2950 ethernet port
When applying the following access list to port 22 on my 2950 I get the following message:
access-list 101 permit tcp host 192.168.31.250 any eq www
access-list 101 permit tcp host 192.168.31.250 any eq 443
access-list 101 permit tcp host 192.168.31.250 any eq domain
access-list 101 permit tcp host 192.168.31.250 any established
access-list 101 deny ip any any
crete-sw01(config-if)#ip access-group 101 in
%Error: Access-list with 'TCP flags' keyword is not supported on Ethernet Interface.
Please refer to the Software Configuration Guide for all the supported keywords
Is it possible to get around this?
Hello Andy,
my mistake, it looks like the 2950 does not accept the 'established' keyword...
I guess you need to apply the access list inbound to the Ethernet interface on your router.
Cisco 2950 Switches
Configuring Network Security with ACLs
Unsupported Features
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swacl.htm#wp1043901
Regards,
GP -
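An added example of the same port ACL rewritten in the subset a 2950 accepts (this is not Andy's or GP's configuration). "established" matches packets with ACK or RST set, which on an inbound port ACL is how the host's replies to connections made to it were being allowed; without that keyword, those replies have to be permitted by source port instead, so the example assumes the host serves SSH and HTTPS and names them explicitly. Switch port FastEthernet0/22 and list number 102 are assumptions. The original list only permitted DNS over TCP; most resolvers use UDP, so the example includes both.

```cisco
! Added example; FastEthernet0/22, list 102 and the services the host offers
! (SSH, HTTPS) are assumed.
!
! Outbound connections the host opens (inbound on the switch port).
access-list 102 permit tcp host 192.168.31.250 any eq www
access-list 102 permit tcp host 192.168.31.250 any eq 443
access-list 102 permit udp host 192.168.31.250 any eq domain
access-list 102 permit tcp host 192.168.31.250 any eq domain
!
! Replies from services the host offers, matched by source port instead of
! "established": weaker, because the host can also originate connections from
! these source ports, but it is what the 2950 port ACL can express.
access-list 102 permit tcp host 192.168.31.250 eq 22 any
access-list 102 permit tcp host 192.168.31.250 eq 443 any
access-list 102 deny ip any any
!
interface FastEthernet0/22
 ip access-group 102 in
```

If the host must be allowed to answer arbitrary inbound connections, keep GP's advice and apply the "established" form on the router's LAN interface instead, where the keyword is supported.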
Hello,
Can someone explain to me why we use access lists in an MPLS cloud that uses IBGP. I thought for the most part access lists were used on firewalls, not routers running BGP. Do we even need access lists with BGP; can't BGP work without access lists? What are the reasons for having access lists on a router for IBGP on an MPLS cloud?
Thanks,
The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.
It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demands that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.
Daniel Dib
CCIE #37149
Please rate helpful posts.