Outbound network access limitations

Similar Messages

• Query: Best practice SAN switch (network) access control rules?

  Dear SAN experts,
  Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
  I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
  Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
  In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
  For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
  These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
  So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
  regards,
  Will.

  Hi William,
  That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
  Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
  for zones there are a few best practices:
  * Default Zone: Don't use it. unless you're running Ficon.
  * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
  * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
  * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
  * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
  * Read-Only exists, but again any modern array should be able to make a lun read-only.
  * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
  VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
  When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
  Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
  They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
  I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
  To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
  That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

• Cascading EA4500s and Guest Network access

  Hi, I hope esomone can help me here. I've got two EA4500 routers connected via ethernet. The primary router has DHCP enabled and the secondary has it disabled. IP address of primary is 192.168.1.1 and the secondary is 192.168.1.2.
  I have set up guest access on both routers however only the primary router allows users to connect. When out of range of the primary router but in range of the secondary router the network is visible but when you try to connect to it, it only gives limited or no connectivity message and can't connect to the internet.
  Is it possible for the guest network access to follow the same pattern as the secure network, i.e. the same network throughout the house?
  Regards
  Jon

  Cascading two routers should have correct parameters set. For instance, the Ethernet port of the secondary router should be connected to the ethernet port of the primary one, and the DHCP should be disabled on the second router. The ip address you've set are correct for the both routers. This thing shoud be done if the connection is LAN to LAN.
  By the way there are two types of cascading: Click here for info!
  For the Guest Network:
  Guest Network would only work if the the DHCP is enabled on your router. It means to say that on the type of setup you're doing which is LAN to LAN (DHCP disabled on the second router), Guest network would not work on the secondary router. If the connection is LAN to WAN, then both of the router should have Guest Network working.

• Network becomes limited or unavailable as soon as i connect to cisco anyconnect secure mobility client, version - 3.1.05170

  Hiee,
  I am using cisco anyconnect secure mobility client, version - 3.1.05170 , in my windows 8.1 PC to access vpn to my office desktop. But as soon as i connect cisco anyconnect client, my wifi networks becomes limited or unavailable. Thus, i am not able to get remote access to my office desktop. And not even able to access any other websites also. But as soon as i disconnect from the cisco anyconnect vpn client, every thing becomes normal, and the exclamation mark from the network icon also disappears.
  kindly help me in this regard.
  Thanks and regards
  Neeraj

  There are a few things to consider here:
  - The IPSec VPN client is EoL, so even if we consider this as a bug, it wouldn't be fixed
  - fixing the file server access would break the DHCP renew which means there is no completely clean way to fix this, at least not at the IP level since the client can't route to the same destination using 2 different paths.
  Is there any chance we could do a static policy NAT for the DHCP traffic so it appears to come from another IP? It's twisted and it may not work (the client might use the DHCP server IP embedded inside the payload and not the source IP) but if it does, then we'd fix the overlap.
  Could the server use another IP address for the DHCP service (much like using a loopback for a certain service on a router?)
  A third solution would be to NAT the destination server IP on the ASA for traffic from the IP pool going to the server. We'd need DNS doctoring as well to resolve the server's name to the NATted IP. This way the server would appear from the VPN client as being at a different IP, thereby fixing the overlap.
  All these potential solutions are quite involved... you may be better off wityh a simpler design: splitting of your server into 2 or using something else to do DHCP for the VPN clients.

• Microsoft Network Access Proctection setting

  Hi all,
               I been working on this project for nearly a moth now, but I still can't get it work. I am trying to use EAP/TLS, PEAP integration with Cisco 1100 Series AP using ACS Release 4.2(0) Build 124 Patch 5. And of course, I am integrate that with AD 2008. My ACS server is a member server. Have issued and signed for the ACS and the clients. I have configured EAP/TLS and PEAP in the ACS side and the suppliants. However, I am still getting EAP/TLS-PEAP fail during SSL handshake.
  One doc that I have read says that i need to enable Microsoft Network Access Proctection setting, but this feature is not the list under advance settings.
  Clients and AP are able to authenticate with another ACS server which has ACS Release 4.2(0) Build 124 Patch 10. This second ACS does not have Microsoft Network Access Proctection setting either. Beside different patches, both servers have been configured the same way.
  I am so lost now, I don't even know what to try anymore as i always changed all the settings.
  If you guys need more info in order to help get to the bottom of this, please let me know.
  Many thanks,
  Paul

  Obtaining NAC/NAP
  This initial NAC/NAP release is a limited offering from Cisco and Microsoft.
  If your organization has an immediate need to evaluate or deploy the NAC/NAP solution in your environment, contact your Cisco sales representative.
  Release Notes for NAC/NAP Interoperability Architecture 1.0
  http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1161060

• Wake for network access works over Wifi but ...

  I want to wake my iMac over Wifi. I have followed all steps described in http://support.apple.com/kb/HT3774 and it works great: I can wake up my sleeping iMac from my macbook and using the Remote.app on my iPhone. Nice!
  However, it only works if my Mac is not locked. If I'm away from my iMac, I usually set in on the login screen (with my account still being logged in). But then my iMac won't wake up. Why?
  I could understand this not working when not being logged. I'm logged in however. Is this a limitation of the Wake for Network Access feature? I have not found any info on this yet...
  thanks

  I have the same problem and I don't set it on the login screen.
  It seems that wake on lan works the first minutes my iMac has gone to sleep. But thereafter it seems to be in 'deep sleep' and I'm not able to wake it.
  I also followed all the steps in the Apple web page and I'm also using the Remote app on my iPhone.
  Anyone any ideas?

• LAN settings for HP LaserJet 500 Color MFP M575: printing OK, network access NO

  Printing OK but Network access NOI have a M575 in office LAN.IP 169.254.204.142Subnet 255.255.255.000Router 169.254.204.1Other computers 169.254.204.2-100Everything was good. But couple days ago I was not able to connect to my HP from browser. I was check settings and: IP address on screen HP - 0.0.0.0 I can printing on my HP!!! (destination of printing is: HPLaserJet500ColorMFPM575)but can’t to change settings. I can't change IP adres in JETDIRECT printer's menu. In command prompt PING of 169.254.204.142 is OK… Hand settings IP on start (1/8 click ), searching in administrative menu, cold reset… nothing I don’t know what I can to do else.

  This is my IPConfig screen:C:\>IPConfig /all
  Windows IP Configuration
  Host Name . . . . . . . . . . . . : T420
  Primary Dns Suffix . . . . . . . :
  Node Type . . . . . . . . . . . . : Peer-Peer
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  Ethernet adapter Bluetooth Network Connection 2:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
  #2
  Physical Address. . . . . . . . . : 60-D8-19-D8-A4-3B
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Ethernet adapter Local Area Connection 6:
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connecti
  on
  Physical Address. . . . . . . . . : 00-21-CC-66-CA-38
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::385f:1def:62ae:8cd5%75(Preferred)
  IPv4 Address. . . . . . . . . . . : 169.254.204.2(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : 29 xxxxxxxxxxx 2015 15:25:46
  Lease Expires . . . . . . . . . . : 30 xxxxxxxxxxx 2015 15:25:46
  Default Gateway . . . . . . . . . : 169.254.204.1
  DHCP Server . . . . . . . . . . . : 169.254.204.1
  DHCPv6 IAID . . . . . . . . . . . : 1610621388
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-69-54-50-00-1E-37-1A-5A-E8
  DNS Servers . . . . . . . . . . . : fe80::5ef9:6aff:fedf:5f3b%75
  169.254.204.1
  169.254.204.1
  NetBIOS over Tcpip. . . . . . . . : Enabled
  Wireless LAN adapter Wireless Network Connection 2:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6205
  Physical Address. . . . . . . . . : A0-88-B4-D2-3E-B0
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Local Area Connection* 57:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft 6to4 Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{32EA8AA7-0304-411D-9B3C-9BE6D6E53F7D}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter Local Area Connection* 135:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{0E880DF2-FD27-4BF8-BBD9-EA726316C1FE}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  Tunnel adapter isatap.{FFBD17DC-A12B-469A-8135-C63D9BBEBB31}:
  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix . :
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  C:\>

• Acs 5.3 and wlc 2504 config with restricted network access

  Hello,
  i submit you the following issue that i'm actually facing:
  i must configure a secured wireless network with access restriction based on SSID. the equipements are : cisco wlc 2504 (soft 7.3) cisco secure acs aplliance 1121 (soft 5.4) .
  the users that will connect to the network are regrouped by identity groups, each identity group having it's own SSID. Clearly each group of users must access only one SSID.
  i followed the procedure below to configure it:
  -- creating user identity groups;
  -- creating users and assigning them to the groups;
  --- creating authorization profiles for each SSID under policy element/ authorization and permission/network access/authorization profiles and putting the Airespace-Wlan-Id(the SSID number) in the radius tab.
  --- assigning the authorization profiles to the identity groups under access policies.
  after all these config the users can access the network using there userid/password configured. But the problem is Every user can access every SSID, seems like the restriction is so not very well configured.
  i found some documentation on this kind of config but the version of ACS used seems older than the one that i use, so menu are very different.
  Please can someone provide with the right steps to follow to achieve this kind of config.
  tkx in advance

  Yes.. you only have to add the end filter like what I posted... as far as the calling station id in the WLC security tab, it doesn't matter because that is not used when using 802.1x.  I would also try to not enable everything that you have just to start from the basic and make sure it works first.  The WAP Authentication Method might or might not work for you.  Uncheck that for now and when you have a successful authentication, look at the monitor log and see what radius attributes are being sent, because those attributes is what you can use to build your policies.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• ACS 5.3 - 11033 Selected Service type is not Network Access

  I have some older devices on the network that only support RADIUS (not TACACS) for authentication and would like to have them use SecureACS 5.3 
  I understand that by default, ACS only supports TACACS for device administration.  So I'll get this error when trying RADIUS:
  11033 Selected Service type is not Network Access
  Description:
  RADIUS requests can only be processed by Access Services that are of type Network Access
  Resolution Text:
  Verify that the Service Selection Policy rules are correct
  However, even after adjusting the Service Selection rules and seeing hits, I still see the same message in the logs, as if it has no affect.  Any Ideas?

  If you use the protocol as radius you can not use a device admin service. You can only use network access. That will allow you for authentication to the devices.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• ACS 5.3 cannot create default network access authorization rule

  Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.. anyone have an idea? Thank you!

  Looks like you are using chrome amd it's not a supported browser.
  Supported Web Client/Browsers
  You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
  •Windows 7 32 bit
  •Windows XP Professional (Service Pack 2 and 3)
  •Windows Vista
  •Internet Explorer version 7.x
  •Internet Explorer version 8.x
  •Internet Explorer version 9.x
  •Mozilla Firefox version 3.x
  •Mozilla Firefox version 4.x
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
  Jatin Katyal
  - Do rate helpful posts -

• Network access and internet

  Is it possible to allow network acces to devices and to internet only for domain clients? So if someone brings his personal laptop to work and connect it by cable to network he can not acces nothing on network or internet?
  Solution with proxy is not good for me, so I am searching for something else.
  I never left an open problem....I search, dig and ask, until it's solved....

  Hi,
  >>Is there a way to lock just DNS to AD clients?
  Before going further, how was our network set up? Do we use DHCP to automatically assign IP addresses to clients? If we use DHCP server to automatically assign IP addresses, the computers connected to the network will automatically get
  their IP address and DNS server IP address if we don't have a network protection mechanism to restrict which computer can get IP address from DHCP server. In this situation, although we know that you don't want to use Network Access Protection to do this,
  as far as I know, this should be the solution which can best meet our target.
  Besides, for this is more related to network, in order to get better help, we can also ask for suggestions in the following network forum.
  Network Access Protection Forum
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Airport Extreme 802.11AC + 5th Gen and guest network access

  I have the current gen Airport Extreme 802.11AC with a 5th Gen extending the network. With this setup, I am unable to login using our guest network setup. I have tried using guest network with a password and one without but its the same results. When a guest logins, it stuck attempting to login with no error messages.
  So is it possible to have this configuration and still have guest network access?

  Please review what I said originally.......that the guest network function on the AirPort Extreme is designed to work with a simple modem......so the AirPort acts as the main router for the network..
  Another way of saying the same thing is that the AirPort needs to be "in charge" of your network for the guest feature to work correctly. The AirPort cannot be in charge if it is connected to another device that is already configured to be the main router on your network.....your Actiontec modem/router.
  The Actiontec device combines the functions of a separate modem and a separate router in one package. This type of device is known as a modem/router, or also known as a gateway.
  Some folks call a modem/router or a gateway......a modem. So, things can get confusing.
  I do not know if it is possible for the Actiontec device that you have to be configured to act as a simple modem.....so the routing functions of the device are completely turned off. (Turning off the wireless on the Actiotec does not turn off the routing function).
  If you turn off the wireless on the Actionec, it becomes a modem and a wired router. And that wired router is still in charge of your network.
  The guest network feature will not work correctly unless the AirPort is in charge of your network.
  My suggestion was for you to ask your Internet Service Provider (ISP), if they could supply you with a simple modem.  That is all that you need. You don't need two routers....and the Actiontec that you have now is not allowing the guest feature to work correctly.

• RemoteApps Error "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."

  Hello All,
  Good day. May I ask if anyone experienced this error when trying to access remoteapps in Azure? We are using IaaS and set-up RDS using Windows 2012 R2 but we are getting an error below.
  "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator.
  Various roles and services (Broker, Session Host, RD Gateway and Web Access are installed on each VMs).
  Please advise.
  Thanks,
  Glenn

  Hi Glen;
  Looks like the set up was not done correctly. Please follow the guidelines given on this
  blog by Keith Mayer.
  Regards;
  Prasant

• How do i turn on network access protection on windows 8.1 with an hp p6-2326S pc?

  i got a phone call from a unknown source today  at around  3 pm they said  that hackers where trying to access my computer . they  ran a scan  and it showed thre things one was  my network access protection was turned off .  2 hackers were trying to hack into my computer  i cant remember the 3rd one its in my note pad  but  then i got this big run around and i told them from the start that i had no money and that i had just buried my mom on the 2nd of this month after a long battle   and that i had just had a bad episode with my blood pressure wasnt feeling god  and so on ,all of which are true  once i finally convinced the  worker of the fact i had no money he put his super visor on the line .the supervisor was stalling i could tell im no dummy when it comes to software and computers i taught myself  xp professional and the windows 8.1 which im still learning   i finally got tired of his super visor retstartd my computer and got control uninstalled skype  mozilla nightly and mozilla experimental  and several other prorams  with my revo pro uninstaller  my computer is rinning smooth now but i have seen .that ny network access protection is turned off ,how do i turn this on and is it neccasary i have malware bytes new 2.7. something full time  bought and paid for protection and windows defender .i run  a discclean every day and my mal;ware bytes and windows defender any thoughts and ideas would be appreciated i do have HP SUPPORT ASSISTANT AND MY  WARRANTY IS UP TO DATE AND PAID FOR .. sincerely donald hutchison

  dhutch1 wrote:
  i got a phone call from a unknown source today  at around  3 pm they said  that hackers where trying to access my computer . they  ran a scan  and it showed thre things one was  my network access protection was turned off . ...
  Hi,
  Now the trouble may start, you did allow people to logon to your computer and you believe them !  HP Support Assisstant is there to support your technical problems it does not know you will open the door of your house for someone to comes in to steal your money.
  Now, please change all your passwords to logon to email, bank account(s) ..... before too late. Also please download the following tool nd run on your computer, hope it can remove the nasty bits.
  Good luck.
  BH
  **Click the KUDOS thumb up on the left to say 'Thanks'**
  Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

• Is it possible that network access permission control in acs 5.1

  Hello
  We have ACS5.1, WLC 7.0 and using 802.1x to authentication users.
  Anybody know how I can configure network access restriction with using internal user group information.
  For example, under the same SSID(like that "test") , same VLAN ID.
  But two different user group has a different network access permission.
  One group has full permission and the other has a limit network access permission.
  Is it possible?

  The equivalent of a NAR would be ACS 5.1 returning an authorization profile after authentication. Just configure your authorization policy to return one profile for one group of user and the other profile for the others.
  Now to restrict access to the network, I think you're best with an ACL ? So link ACLs to your profiles.
  Nicolas