Rate Shaping/Traffic Shaping 3750x Switch Internet Access Circuits
Hello, I have a 3750X running c3750e-universalk9-mz.122-55.SE5, layer 3 capable. I have two internet access circuits on the switch, both 100Mbps; however, they're sub-rated down to 14Mbps by the ISP. I'd like to rate-shape outbound traffic toward the ISP so we don't drop traffic that exceeds the 14Mbps rate.
It appears this can be done at the layer 3 SVI or at the layer 2 switch port level. Not sure which is the best way? Please could anyone show me the commands for achieving the rate shaping?
Andy
Hey Andy,
I believe this is a good point to start: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swqos.html#wp1200681
HTH.
Regards,
RS.
Similar Messages
No internet access when "Send All Traffic" VPN Checked
Hi Ladies and Gents
Wonder if you can help me. These past few days I have been setting up a VPN on my DD-WRT enabled router. I have successfully accomplished that task; however, when I'm connected to the VPN on my phone my public IP address does not change. After doing some reading I believe that is because "Send All Traffic" is unchecked in the VPN profile, but when I check "Send All Traffic" I get no internet access whatsoever.
Any advice/input/solution to this would be greatly appreciated.
Cheers
CameronCammy1230 wrote:
when I'm connected to the VPN on my phone my public IP address does not
it's not supposed to.
Hello Everyone,
I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites and block the rest of them.
I want to allow the whole Intranet but few intranet websites also needs access to the internet.
Can we create such Access-List with the above requirement.
I tried to create the ACL on the switch but it blocks the whole internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such access list.
Thanks in Advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
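To make the two rules in the answer above concrete (top-down parsing, first match wins, implicit "deny any any"), here is an added Python model of how such an object-group ACL is evaluated. It is not Cisco's code or anything from the thread; the group memberships are constructed sample values, and the first ACE is read as "source any, destination the intranet group".

```python
"""Model of first-match extended ACL evaluation with object-groups.

Added example, not from the original thread.  Object-group members below are
constructed sample addresses (RFC 1918 and TEST-NET ranges), not real sites.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed object-group contents; the thread names the groups but not their members.
OBJECT_GROUPS = {
    "intranet": [ip_network("10.0.0.0/8")],
    "allowed_servers": [ip_network("10.1.5.10/32"), ip_network("10.1.5.11/32")],
    "allowed_sites": [ip_network("203.0.113.0/24")],  # constructed "permitted Internet site" range
}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination match specs."""
    action: str  # "permit" or "deny"
    src: str     # "any" or the name of an object-group
    dst: str     # "any" or the name of an object-group


def _matches(spec: str, addr) -> bool:
    """True when the address satisfies the spec ('any' or membership in the group)."""
    if spec == "any":
        return True
    return any(addr in net for net in OBJECT_GROUPS[spec])


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down and stop at the first matching ACE.

    Returns (action, index of the matching ACE); a miss on every ACE returns
    ("deny", None), which stands for the implicit 'deny any any' at the end.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for idx, ace in enumerate(acl):
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, idx  # later ACEs are never consulted
    return "deny", None


# The two-line ACL from the answer: anyone may reach the intranet, and only
# the allowed servers may reach the allowed Internet sites.
MAIN_ACL = [
    Ace("permit", "any", "intranet"),
    Ace("permit", "allowed_servers", "allowed_sites"),
]

# What the original poster described: an ACL that only permits the intranet.
# Everything else, including the few servers that need the Internet, hits
# the implicit deny, which is why "it blocks the whole internet access".
INTRANET_ONLY_ACL = [
    Ace("permit", "any", "intranet"),
]


def explain(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """Human-readable trace of a single lookup, handy when testing rule order."""
    action, idx = evaluate(acl, src_ip, dst_ip)
    where = "implicit deny" if idx is None else f"ACE #{idx + 1}"
    return f"{src_ip} -> {dst_ip}: {action} ({where})"


if __name__ == "__main__":
    flows = [
        ("10.1.5.10", "10.2.2.2"),      # allowed server to intranet host
        ("10.1.5.10", "203.0.113.5"),   # allowed server to allowed site
        ("10.1.7.7", "203.0.113.5"),    # ordinary host to allowed site
        ("10.1.5.10", "198.51.100.9"),  # allowed server to a non-allowed site
    ]
    for label, acl in (("main_acl", MAIN_ACL), ("intranet-only", INTRANET_ONLY_ACL)):
        print(f"--- {label} ---")
        for s, d in flows:
            print(explain(acl, s, d))
```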
Setting up a Router & Switch for internet access
Hi all,
I need help setting up internet access on my Cisco router.
It's a Cisco 2600; this is the setup.
I have a Cisco 3560 switch, and 5 clients connect to this switch.
I have one vlan defined VLAN 5.
I have a trunk port between the router and the switch.
My question is how to setup internet access between my switch and router?
Please, can you send config commands? I am not that familiar with router setup.
I know I need to set up a routing protocol, but need to know the command for that.
Hi,
You need to NAT on the 2600 router and you need a default route on the router.
How is the router connected to the WAN?
Have you got multiple VLANs on the switch? Is the switch doing routing or is it Layer 2?
Post your config so that we can give you the missing commands
Regards
Alain
Don't forget to rate helpful posts.
I upgraded to Mountain Lion, and when I started upgrading OS components and other apps, downloads would stop after about 50MB. Once this happens, all requests in internet browsers also lost internet access. If I turn Airport off and then on again, I can access the internet but the same problem occurs again once I continue other downloads.
I have other computers and they don't suffer from this problem, so I know it is not my internet provider or my wireless network.
Any ideas?
Me too! I'm also getting display problems in emails where scrambled graphics are overlaid on interactive parts of emails like dates and telephone numbers!
Internet Access from Inside to Outside ASA 5510 ver 9.1
Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
I get errors like this when I try Packet Tracer:
(nat-xlate-failed) NAT failed
(acl-drop) Flow is denied by configured rule
Version Information:
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Here is my ASA config. All I want for this exercise is to pass traffic from the inside network to the outside to allow internet access, so I can access the internet and then look for specific ACLs or NAT for specific services:
Thank You!
Config:
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name inside.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted> encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.199.199.123 255.255.255.240
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.199.199.4
domain-name inside.int
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
router rip
network 10.0.0.0
network 199.199.199.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <redacted> password <redacted> encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:
<redacted>
: end
SH NAT:
ASA5510# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-net interface
translate_hits = 0, untranslate_hits = 0
SH RUN NAT:
ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
SH RUN OBJECT:
ASA5510(config)# sh run object
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
Hi all,
Hello everyone, I need some help before my head explodes.
Hello Mitchell,
First of all how are you testing this:
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
Take into consideration that the netmask is /30.
The Twice NAT is good, ACLs are good.
Do the following and provide us the result:
packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
And provide us the result!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com
No internet access for vlan devices
Hey folks,
I'm new to Cisco and have only recently started studying for my CCNA. In preparation for this I've gotten my hands on a Cisco EMI 3550-48 port switch so I can play and test some scenarios.
Now, I've set up a couple of VLANs (200, 201 and 202) and I've assigned them to fa0/3, 0/5 and 0/7 respectively. I suppose it's irrelevant which ports are assigned; they are just the ports I've assigned while typing this.
I know the Cisco forums are full of people saying the inter-VLAN routing isn't working and it just turns out to be the static route on the router in the end, but I have set all that up and I cannot get internet access on my VLAN networks. The weird thing is the switch itself can ping the internet no problem.
Here is my setup :
I've assigned ip addresses as follows :
vlan 200 - 10.10.200.254/24
vlan 201 - 10.10.201.254/24
vlan 202 - 10.10.202.254/24
I then enabled inter-VLAN routing by issuing "IP ROUTING".
At this point I configured the VDSL modem/router (zyxel F1000) on IP Address 192.168.1.2/30 and I configured interface fa0/1 with the following commands :
interface fa0/1
no switchport
ip address 192.168.1.1 255.255.255.252
no shutdown
I then set the default route using :
ip route 0.0.0.0 0.0.0.0 192.168.1.2
Finally I configured three static routes on my Zyxel F1000 modem/router to send traffic back to my three VLANs using the gateway 192.168.1.1.
As I said above, if I plug into fa0/3 (VLAN 200) and, let's say, I give myself an IP address of 10.10.200.20, 255.255.255.0 and gateway 10.10.200.254, I can ping the other VLANs and devices on the other VLANs no problem, but not for love nor money can I get onto the internet. For clarification's sake, my DNS is set to 8.8.8.8.
Stranger still is the fact that the switch can ping hostnames and IPs on the internet no problem. Has anyone got any ideas what could possibly be wrong? I'm completely stumped.
Regards,
Thomas Quigley
Hey guys,
Thanks for the speedy replies. I have been trying this for about 2 weeks now, and last night after posting this message to the Cisco forums I got my hands on an old SonicWall router. I decided to test the connection using this as I suspected that the Zyxel router is buggy.
I set up a PPPoE connection on the SonicWall and set that up as my default route matching exactly the IP settings listed above, and it worked immediately.
I knew the setup I had run above was right; it was just tormenting me that it wouldn't work. Turns out it's the piece of crap Zyxel VDSL modem.
Thanks for taking the time to read my post and offer advice.
Cheers,
TQ
Hi everybody,
I am unable to access the internet with one of the VLANs. I have two VLANs:
VLAN 2 192.168.1.0
VLAN 8 172.168.1.0
When I am on VLAN 2 I can access the internet. When I work with VLAN 8, I cannot access the internet. As a matter of fact VLAN 8 (172.168.1.0) is new. I need to know what else I need to configure to get access. The following is the configuration of my Cisco ASA firewall. Any help will be appreciated.
Thanks
hostname abcASA1
domain-name abc.com
enable password .4rNnGSuheRe encrypted
passwd 2KFQnbNIdI.2K encrypted
names
name 192.168.1.3 Email_DNS
name 192.168.1.4 SQLServer
name 192.168.2.2 VPN_3005
name 192.168.2.0 DMZ_Subnet
name 192.168.3.0 VPN_Subnet
name 192.168.1.0 Inside_Subnet
name 192.168.3.5 VPNNET_DNS
name 128.8.10.90 D_Root
name 192.5.5.241 F_Root
name 198.41.0.10 J_Root
name 192.33.4.12 C_Root
name 193.0.14.129 K_Root
name 198.32.64.12 L_Root
name 192.36.148.17 I_Root
name 192.112.36.4 G_Root
name 128.63.2.53 H_Root
name 128.9.0.107 B_Root
name 198.41.0.4 A_Root
name 202.12.27.33 M_Root
name 192.203.230.10 E_Root
name 12.183.68.51 ATT_DNS_2
name 12.183.68.50 ATT_DNS_1
name 192.168.1.6 FileServer_NAS
name 192.168.2.6 abc_WEB
name 199.130.197.153 CA_Mgmt_USDA
name 199.130.197.19 CA_Roaming_USDA
name 199.130.214.49 CA_CRLChk_USDA
name 199.134.134.133 CA_Mgmt_USDA_
name 199.134.134.135 CA_Roaming_USDA2
name 192.168.2.9 PublicDNS2
name 192.168.2.8 PublicDNS
name 192.168.1.11 abc02EX2
name 162.140.109.7 GPO_PKI_DIR
name 162.140.9.10 GPO_PKI
name 192.168.1.12 Patchlink
name 192.168.1.10 abcSLIMPS1
name 192.168.1.7 FileServer_DNS
name 192.168.1.15 abc06ex2
name 192.168.101.0 NEW_VPN_SUBNET
name 192.168.77.0 NEW_VPN_POOL description NEW_VPN_POOL
name 192.168.1.16 VTC description LifeSize VTC
name 12.18.13.16 VTC_Outside
name 192.168.2.50 Email_Gateway
name 192.168.1.20 Exch10
name 192.168.1.8 SharePoint
name 192.168.1.19 abc09ic description Web Servr
name 192.168.1.180 ExternalDNS
name 192.168.2.223 abc11ids
name 192.168.50.0 inside_new_Network
dns-guard
interface Vlan1
nameif outside
security-level 0
ip address 12.18.13.20 255.255.255.0
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan3
nameif dmz
security-level 10
ip address 192.168.2.1 255.255.255.0
interface Vlan4
nameif vpnnet
security-level 75
ip address 192.168.3.1 255.255.255.0
interface Vlan5
nameif asainside
security-level 50
ip address 192.168.4.1 255.255.255.0
interface Vlan6
nameif testinside
security-level 50
ip address 192.168.5.1 255.255.255.0
ipv6 address 2001:ab1:5::/64 eui-64
interface Vlan7
description New Local Area Network for Server
nameif inside_new
security-level 50
ip address 192.168.50.1 255.255.255.0
interface Vlan8
description abcdone Server VLAN
nameif Internal_LAN
security-level 100
ip address 172.168.1.254 255.255.255.0
interface Vlan16
description out of band
nameif oobnet
security-level 100
ip address 172.16.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 7
interface Ethernet0/4
interface Ethernet0/5
switchport trunk allowed vlan 1-10
switchport mode trunk
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup vpnnet
dns server-group DefaultDNS
name-server 192.168.1.2
name-server Email_DNS
domain-name abc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Inside_Server_Group
description EmailServer, FileServer, SQLServer
network-object Email_DNS 255.255.255.255
network-object SQLServer 255.255.255.255
network-object 192.168.1.2 255.255.255.255
network-object FileServer_NAS 255.255.255.255
network-object host abc02EX2
network-object host abc06ex2
object-group network Inside_Server_Group_ref
network-object 192.168.3.73 255.255.255.255
network-object 192.168.3.74 255.255.255.255
network-object 192.168.3.72 255.255.255.255
network-object 192.168.3.76 255.255.255.255
object-group service DNS tcp-udp
description DNS Service both TCP/UDP
port-object eq domain
object-group network InternetDNS
network-object A_Root 255.255.255.255
network-object B_Root 255.255.255.255
network-object C_Root 255.255.255.255
network-object D_Root 255.255.255.255
network-object E_Root 255.255.255.255
network-object F_Root 255.255.255.255
network-object G_Root 255.255.255.255
network-object H_Root 255.255.255.255
network-object I_Root 255.255.255.255
network-object J_Root 255.255.255.255
network-object K_Root 255.255.255.255
network-object L_Root 255.255.255.255
network-object M_Root 255.255.255.255
network-object ATT_DNS_2 255.255.255.255
network-object ATT_DNS_1 255.255.255.255
object-group network USDA-PKI-Users
description GAO PKI User Group
network-object 192.168.1.51 255.255.255.255
network-object 192.168.1.52 255.255.255.255
network-object 192.168.1.53 255.255.255.255
network-object 192.168.1.54 255.255.255.255
network-object 192.168.1.55 255.255.255.255
network-object 192.168.1.56 255.255.255.255
network-object 192.168.1.57 255.255.255.255
network-object 192.168.1.58 255.255.255.255
network-object 192.168.1.59 255.255.255.255
network-object 192.168.1.60 255.255.255.255
network-object host 192.168.1.61
network-object host 192.168.1.62
network-object host 192.168.1.63
object-group network CITABCDAS
network-object 192.168.3.241 255.255.255.255
network-object 192.168.3.242 255.255.255.255
network-object 192.168.3.243 255.255.255.255
network-object 192.168.3.244 255.255.255.255
network-object 192.168.3.245 255.255.255.255
network-object VPNNET_DNS 255.255.255.255
object-group service Virginia.edu tcp
description blackboard java classroom
port-object range 8010 8012
object-group network PDASB1-VPN-Inside
network-object host abcPLIasd1
network-object host 192.168.3.10
object-group service http-https tcp
port-object range https https
port-object range www www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VTC tcp-udp
description LifeSize
port-object range 60000 64999
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3268
port-object eq ldap
object-group service EmailGateway udp
description TrustManager
port-object eq 19200
port-object eq 8007
object-group service DM_INLINE_TCP_2 tcp
port-object eq 990
port-object eq ftp
port-object range 2000 5000
object-group service Barracuda tcp
port-object eq 5124
port-object eq 5126
object-group service barracuda udp
port-object eq 5124
port-object eq 5126
object-group service IMAP tcp
port-object eq 993
port-object eq imap4
object-group service DM_INLINE_SERVICE_0
service-object tcp eq domain
service-object udp eq domain
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 12.18.13.222
access-list outside_access_in remark Website
access-list outside_access_in extended permit tcp any host 12.18.13.19 eq 8090
access-list outside_access_in remark Allow ICMP replies to inside
access-list outside_access_in extended permit icmp any host 12.18.13.21 echo-reply
access-list outside_access_in remark VTC
access-list outside_access_in extended permit tcp any host VTC_Outside eq h323
access-list outside_access_in remark VTC
access-list outside_access_in extended permit object-group TCPUDP any host VTC_Outside eq sip
access-list outside_access_in extended permit icmp any host VTC_Outside
access-list outside_access_in remark Barracuda
access-list outside_access_in extended permit tcp any host 192.168.1.25 object-group Barracuda
access-list outside_access_in remark Barracuda
access-list outside_access_in extended permit udp any host 192.168.1.25 object-group barracuda
access-list outside_access_in remark VTC
access-list outside_access_in extended permit udp any host VTC_Outside range 60000 64999
access-list outside_access_in remark VTC
access-list outside_access_in extended permit tcp any host VTC_Outside range 60000 64999
access-list outside_access_in remark for Public DNS2
access-list outside_access_in extended permit udp any host 12.18.13.223 eq domain
access-list outside_access_in remark for Public DNS2
access-list outside_access_in extended permit tcp any host 12.18.13.223 eq domain
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.224 eq www
access-list outside_access_in remark NTP from Router to DMZ
access-list outside_access_in extended permit udp host 12.18.13.1 host 12.18.13.15 eq ntp
access-list outside_access_in remark Syslog from Router
access-list outside_access_in extended permit udp host 12.18.13.1 gt 1023 host 12.18.13.13 eq syslog
access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.50
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.13 eq smtp
access-list outside_access_in remark VPNNET IPSec ESP
access-list outside_access_in extended permit esp any host 12.18.13.31
access-list outside_access_in remark VPNNET IPSec AH
access-list outside_access_in extended permit ah any host 12.18.13.31
access-list outside_access_in remark VPNNET IPSec Port 4500
access-list outside_access_in extended permit udp any eq 4500 host 12.18.13.31 eq 4500
access-list outside_access_in remark VPNNET IPSec ISAKMP
access-list outside_access_in extended permit udp any eq isakmp host 12.18.13.31 eq isakmp
access-list outside_access_in remark VPNNET IPSec over UDP port 10000
access-list outside_access_in extended permit udp any eq 10000 host 12.18.13.31 eq 10000
access-list outside_access_in remark Sharepoint1
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq https
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.31 eq https
access-list outside_access_in remark Access Rule to Webmail
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.32 eq https
access-list outside_access_in remark SLIMPSdev
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.33 object-group http-https
access-list outside_access_in remark Inbound Website
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.19 eq www
access-list outside_access_in remark Inbound SharePoint
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq www
access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq www
access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS
access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq https
access-list outside_access_in remark Inbound FTP abc_web
access-list outside_access_in extended permit tcp any host 12.18.13.14 object-group DM_INLINE_TCP_2
access-list outside_access_in remark DNS1
access-list outside_access_in remark for Public DNS2
access-list outside_access_in remark for Public DNS2
access-list outside_access_in remark NTP from Router to DMZ
access-list outside_access_in remark Syslog from Router
access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.5
access-list outside_access_in remark VPNNET IPSec ESP
access-list outside_access_in remark VPNNET IPSec AH
access-list outside_access_in remark VPNNET IPSec Port 4500
access-list outside_access_in remark VPNNET IPSec ISAKMP
access-list outside_access_in remark VPNNET IPSec over UDP port 10000
access-list outside_access_in remark Inbound WEb Traffic to Facilitate Web Server in DMZ
access-list outside_access_in remark Inbound Secure Web Traffic to Facilitate Web Server in DMZ
access-list outside_access_in remark Access Rule to FE Server
access-list outside_access_in remark SLIMPSdev
access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS
access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS
access-list outside_access_in remark Inbound port 93 to ISA server-SLIMPS
access-list outside_access_in remark Explicit Deny All
access-list vpnnet_access_in remark Patrica RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.53 eq 3389
access-list vpnnet_access_in remark Berry RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.51 eq 3389
access-list vpnnet_access_in remark John Tsai RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.156 eq 3389
access-list vpnnet_access_in remark Chopper RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.128 eq 3389
access-list vpnnet_access_in remark Ms Ballard RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.58 eq 3389
access-list vpnnet_access_in remark Wakita
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.153 eq 3389
access-list vpnnet_access_in remark Amy RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.124 eq 3389
access-list vpnnet_access_in remark KC RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.57 eq 3389
access-list vpnnet_access_in remark Eyang RDP
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.161 eq 3389
access-list vpnnet_access_in remark SLIMPS doc
access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.13 eq 3389
access-list vpnnet_access_in extended deny ip any any
access-list vpnnet_access_in remark for SLIMPS APP
access-list vpnnet_access_in remark for SLIMPS APP
access-list vpnnet_access_in remark for SLIMPS APP
access-list vpnnet_access_in remark FOR SLIMPS Application
access-list vpnnet_access_in remark SLIMPS Production Workflow
access-list vpnnet_access_in remark SLIMPS
access-list vpnnet_access_in remark FOR SLIMPS Application
access-list vpnnet_access_in remark SLIMPS VPN access to SLIMPSTEST2 Alpha website
access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS1
access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS2
access-list vpnnet_access_in remark for abc06SLIMPS1
access-list vpnnet_access_in remark for abc06SLIMPS1
access-list vpnnet_access_in remark VPNNET Windows Port 135 Netbios
access-list vpnnet_access_in remark VPNNET Windows Port 137 Netbios Name Service
access-list vpnnet_access_in remark VPNNET Windows Port 138 Netbios Datagram
access-list vpnnet_access_in remark VPNNET Windows Port 139 Netbios Session Service
access-list vpnnet_access_in remark VPNNET Windows Port 445 Server Message Block
access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol
access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol
access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos
access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos
access-list vpnnet_access_in remark VPNNET Windows Port 1433 Windows Sql Server
access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port
access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port
access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port
access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port
access-list vpnnet_access_in remark VPNNET Windows Port 4000 Status NTDS Port
access-list vpnnet_access_in remark VPNNET Windows TCP Domain Name Service
access-list vpnnet_access_in remark VPNNET Windows UDP Domain Name Service
access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS
access-list vpnnet_access_in remark VPNNET Outbound Web
access-list vpnnet_access_in remark VPNNET Outbound Secure Web
access-list vpnnet_access_in remark VPNNET Outbound FTP
access-list vpnnet_access_in remark VPNNET ICMP Echo
access-list vpnnet_access_in remark VPNNET ICMP Echo-Reply
access-list vpnnet_access_in remark RDP for ISA
access-list vpnnet_access_in remark Allow access after Exemption from nat to inside network
access-list vpnnet_access_in remark talin test
access-list dmz_access_in remark isa to SLIMPS1 vote portal
access-list dmz_access_in extended permit tcp host 192.168.2.20 host 192.168.2.10 eq 8200
access-list dmz_access_in extended permit udp host 192.168.2.101 host 12.18.13.1 eq ntp
access-list dmz_access_in remark ISA to SLIMPS Dev
access-list dmz_access_in extended permit tcp host 192.168.2.14 host 12.18.13.33 eq www inactive
access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &
access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway
access-list dmz_access_in extended permit udp host Email_Gateway any eq 8007
access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &
access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway
access-list dmz_access_in extended permit udp host Email_Gateway any eq 19200
access-list dmz_access_in remark NTP Email Gateway
access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host FileServer_DNS eq ntp
access-list dmz_access_in remark FTP
access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ftp
access-list dmz_access_in remark ldap
access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host 192.168.2.78
access-list dmz_access_in remark ldap
access-list dmz_access_in extended permit udp host SharePoint gt 1023 host 192.168.2.78
access-list dmz_access_in remark HTTP for Email_Gateway
access-list dmz_access_in extended permit object-group TCPUDP host Email_Gateway host FileServer_DNS object-group DNS
access-list dmz_access_in remark HTTP for Email_Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ldap
access-list dmz_access_in remark HTTP for Email_Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 eq www inactive
access-list dmz_access_in remark HTTPS access to the Clearswift Update Server
access-list dmz_access_in extended permit tcp Inside_Subnet 255.255.255.0 gt 1023 host Email_Gateway eq https inactive
access-list dmz_access_in remark HTTP for SharePoint
access-list dmz_access_in extended permit tcp host SharePoint host FileServer_DNS eq ldap
access-list dmz_access_in remark LDAP Communication for Email Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 object-group DM_INLINE_TCP_1
access-list dmz_access_in remark LDAP Communication
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.78 eq 3268
access-list dmz_access_in remark DMZ DNS Forwarding to Outside
access-list dmz_access_in extended permit udp host PublicDNS object-group InternetDNS object-group DNS
access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway
access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark DMZ ISA DNS Forwarding to Outside
access-list dmz_access_in extended permit udp host 192.168.2.15 gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark DMZ DNS Forwarding to Outside
access-list dmz_access_in extended permit udp host SharePoint gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
access-list dmz_access_in extended permit udp host abc_WEB gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark DMZ DNS Forwarding to Outside
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 object-group InternetDNS object-group DNS inactive
access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq https
access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq https
access-list dmz_access_in remark DMZ DNS Outbound https Web
access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 object-group InternetDNS object-group DNS inactive
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
access-list dmz_access_in extended permit udp host PublicDNS gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark Public DNS server.
access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 object-group InternetDNS object-group DNS
access-list dmz_access_in remark Public DNS Server
access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq www
access-list dmz_access_in remark Public DNS Server
access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq www
access-list dmz_access_in remark DMZ Public DNS Outbound Web
access-list dmz_access_in remark DMZ Public DNS Outbound Web
access-list dmz_access_in remark DMZ Public DNS to Outside
access-list dmz_access_in remark DMZ DNS to Outside
access-list dmz_access_in remark DMZ Public DNS Outbound Web
access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq www
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq www
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.75 eq www
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.75 eq www
access-list dmz_access_in remark DMZ DNS FTP for Email Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq ftp
access-list dmz_access_in remark DMZ DNS Outbound Web for Email Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq www
access-list dmz_access_in remark DMZ ISA DNS Outbound Web
access-list dmz_access_in extended permit tcp host 192.168.2.15 gt 1023 any eq www
access-list dmz_access_in remark DMZ DNS Outbound Web
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq www
access-list dmz_access_in remark For Email Gateway
access-list dmz_access_in extended permit icmp host Email_Gateway host 12.18.13.1
access-list dmz_access_in remark ISA
access-list dmz_access_in extended permit icmp host 192.168.2.15 host 12.18.13.1
access-list dmz_access_in extended permit icmp host SharePoint host 12.18.13.1
access-list dmz_access_in remark DMZ DNS Outbound Web
access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq www
access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq www
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq ftp inactive
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq ftp
access-list dmz_access_in remark DMZ DNS Outbound FTP
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq ftp inactive
access-list dmz_access_in remark DMZ DNS Outbound FTP
access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq ftp
access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
access-list dmz_access_in extended permit tcp host SharePoint host 192.168.2.73 eq smtp
access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP
access-list dmz_access_in extended permit tcp host Email_Gateway host 192.168.2.77 eq smtp
access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP
access-list dmz_access_in extended permit tcp host Email_Gateway host Exch10 eq smtp
access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP
access-list dmz_access_in extended permit tcp host Email_Gateway host abc06ex2 eq smtp
access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
access-list dmz_access_in extended permit tcp host SharePoint host abc06ex2 eq smtp inactive
access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.75 eq smtp inactive
access-list dmz_access_in remark Mailsweeper access to FE Server
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.11 eq smtp inactive
access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.73 eq smtp
access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.75 eq smtp
access-list dmz_access_in remark DMZ EMail Gateway outbound delivery
access-list dmz_access_in extended permit tcp host Email_Gateway any eq smtp
access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery
access-list dmz_access_in extended permit tcp host SharePoint any eq smtp inactive
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq https inactive
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq https
access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway
access-list dmz_access_in extended permit udp host Email_Gateway object-group EmailGateway any eq 8007
access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway
access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq https
access-list dmz_access_in remark DMZ DNS Outbound HTTPS
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq https
access-list dmz_access_in remark DMZ DNS Outbound HTTPS
access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq https inactive
access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq https inactive
access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet
access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq smtp inactive
access-list dmz_access_in remark for ISA
access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq www
access-list dmz_access_in remark for ISA
access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq https
access-list dmz_access_in extended permit object-group TCPUDP host SharePoint Inside_Subnet 255.255.255.0 eq domain
access-list dmz_access_in extended permit icmp host SharePoint Inside_Subnet 255.255.255.0
access-list dmz_access_in extended permit ip host abc11ids any
access-list dmz_access_in extended permit ip Inside_Subnet 255.255.255.0 any
access-list dmz_access_in remark Explicit Rule
access-list dmz_access_in extended deny ip any any
access-list dmz_access_in remark isa to SLIMPS1 vote portal
access-list dmz_access_in remark ISA to SLIMPS Dev
access-list dmz_access_in remark ldap
access-list dmz_access_in remark LDAP Communication
access-list dmz_access_in remark DMZ DNS Forwarding to Outside
access-list dmz_access_in remark DMZ DNS Forwarding to Outside
access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
access-list dmz_access_in remark DMZ DNS Forwarding to Outside
access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)
access-list dmz_access_in remark DMZ DNS Outbound https Web
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
access-list dmz_access_in remark Public DNS server.
access-list dmz_access_in remark Public DNS Server
access-list dmz_access_in remark Public DNS Server
access-list dmz_access_in remark DMZ Public DNS Outbound Web
access-list dmz_access_in remark DMZ Public DNS to Outside
access-list dmz_access_in remark DMZ DNS to Outside
access-list dmz_access_in remark DMZ Public DNS Outbound Web
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address
access-list dmz_access_in remark DMZ DNS Outbound Web
access-list dmz_access_in remark DMZ DNS Outbound Web
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
access-list dmz_access_in remark DMZ DNS Outbound FTP
access-list dmz_access_in remark DMZ DNS Outbound FTP
access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP
access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP
access-list dmz_access_in remark Mailsweeper access to FE Server
access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address
access-list dmz_access_in remark DMZ DNS Outbound HTTPS
access-list dmz_access_in remark DMZ DNS Outbound HTTPS
access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet
access-list dmz_access_in remark for ISA
access-list dmz_access_in remark for ISA
access-list dmz_access_in remark Explicit Deny All
access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ
access-list testinside_access_in remark Allow all other Traffic to Outside
access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ
access-list testinside_access_in remark Allow all other Traffic to Outside
access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 Inside_Subnet 255.255.255.0
access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host Email_Gateway
access-list inside_nat0_outbound remark SharePoint
access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host SharePoint
access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0
access-list dmz_nat0_outbound remark For Email Gateway
access-list dmz_nat0_outbound extended permit ip host Email_Gateway Inside_Subnet 255.255.255.0
access-list dmz_nat0_outbound remark Sharepoint
access-list dmz_nat0_outbound extended permit ip host SharePoint Inside_Subnet 255.255.255.0
access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_SUBNET 255.255.255.0
access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0
access-list capture_acl extended permit ip host 12.18.13.33 host 12.18.13.180
access-list capture_acl extended permit ip host 12.18.13.180 host 12.18.13.33
access-list cap_acl extended permit ip host 192.168.2.14 host 12.18.13.180
access-list cap_acl extended permit ip host 12.18.13.180 host 192.168.2.14
access-list 213 extended permit ip host SharePoint host 192.168.2.21
access-list asainside_access_in remark permit traffic from the new ASA
access-list asainside_access_in extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0
access-list asainside_access_in extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0
access-list asainside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0
access-list asainside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0
access-list acl_cap extended permit ip host 192.168.100.1 host 192.168.4.1
access-list acl_cap extended permit ip host 192.168.4.1 host 192.168.100.1
access-list abcdONE_splitTunnelAcl standard permit Inside_Subnet 255.255.255.0
access-list abcdONE_splitTunnelAcl standard permit DMZ_Subnet 255.255.255.0
access-list abcdONE_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list oobnet_access_in extended permit ip any Inside_Subnet 255.255.255.0
access-list VMman_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Inside_Subnet 255.255.255.0
access-list Internal_LAN_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS
access-list Internal_LAN_access_in extended permit ip any any
snmp-map mysnmpmap
pager lines 30
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging trap debugging
logging history warnings
logging asdm debugging
logging mail informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging device-id ipaddress outside
logging host vpnnet VPNNET_DNS
logging host inside abc09ic
logging host inside 192.168.1.60
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu vpnnet 1500
mtu asainside 1500
mtu testinside 1500
mtu inside_new 1500
mtu Internal_LAN 1500
mtu oobnet 1500
ip local pool VPNPOOL 192.168.101.1-192.168.101.254 mask 255.255.255.0
ip local pool NEW_VPN_POOL 192.168.77.10-192.168.77.240 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip verify reverse-path interface vpnnet
ip verify reverse-path interface asainside
ip audit name Outside attack action drop
ip audit interface outside Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
asdm history enable
arp outside 12.18.13.20 0024.c4e9.4764
arp timeout 14400
global (outside) 1 12.18.13.21 netmask 255.255.255.255
global (outside) 2 12.18.13.22 netmask 255.255.255.255
global (outside) 3 12.18.13.23 netmask 255.255.255.255
global (outside) 4 12.18.13.24 netmask 255.255.255.255
global (outside) 5 12.18.13.25 netmask 255.255.255.255
global (inside) 1 interface
global (dmz) 1 192.168.2.21 netmask 255.255.255.255
global (dmz) 3 192.168.2.23 netmask 255.255.255.255
global (dmz) 4 192.168.2.24 netmask 255.255.255.255
global (dmz) 5 192.168.2.25 netmask 255.255.255.255
global (vpnnet) 1 192.168.3.21 netmask 255.255.255.255
nat (outside) 1 NEW_VPN_POOL 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Inside_Subnet 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 DMZ_Subnet 255.255.255.0
nat (vpnnet) 0 access-list vpnnet_nat0_outbound
nat (vpnnet) 3 VPN_Subnet 255.255.255.0
nat (asainside) 0 access-list asainside_nat0_outbound
nat (asainside) 1 192.168.4.0 255.255.255.0
nat (oobnet) 0 access-list VMman_nat0_outbound
static (dmz,outside) 12.18.13.31 VPN_3005 netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.72 FileServer_DNS netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.74 SQLServer netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.73 Email_DNS netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.76 FileServer_NAS netmask 255.255.255.255 dns
static (inside,vpnnet) 192.168.3.80 abcSLIMPS1 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.2.73 Email_DNS netmask 255.255.255.255
static (inside,dmz) 192.168.2.77 abc06ex2 netmask 255.255.255.255
static (dmz,outside) 12.18.13.13 Email_Gateway netmask 255.255.255.255
static (dmz,outside) 12.18.13.14 abc_WEB netmask 255.255.255.255
static (outside,inside) VTC VTC_Outside netmask 255.255.255.255
static (dmz,outside) 12.18.13.15 192.168.2.101 netmask 255.255.255.255
static (inside,outside) 12.18.13.19 abc09ic netmask 255.255.255.255
static (inside,outside) 12.18.13.42 SharePoint netmask 255.255.255.255
static (inside,dmz) 192.168.2.78 FileServer_DNS netmask 255.255.255.255
static (inside,outside) 12.18.13.32 Exch10 netmask 255.255.255.255
static (inside,dmz) 192.168.2.10 abcSLIMPS1 netmask 255.255.255.255
static (inside,dmz) 192.168.2.11 abc02EX2 netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.11 abc02EX2 netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.81 192.168.1.155 netmask 255.255.255.255
static (inside,vpnnet) 192.168.3.82 192.168.1.28 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.2.13 192.168.1.13 netmask 255.255.255.255
static (inside,outside) VTC_Outside VTC netmask 255.255.255.255
static (inside,outside) 12.18.13.33 192.168.1.13 netmask 255.255.255.255
static (inside,outside) 12.18.13.41 abcSLIMPS1 netmask 255.255.255.255
static (inside,outside) 12.18.13.222 ExternalDNS netmask 255.255.255.255
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group vpnnet_access_in in interface vpnnet
access-group asainside_access_in in interface asainside
access-group Internal_LAN_access_in in interface Internal_LAN
access-group oobnet_access_in in interface oobnet
route outside 0.0.0.0 0.0.0.0 12.18.13.1 1
route asainside 192.168.100.0 255.255.255.0 192.168.4.2 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server abc.com protocol nt
aaa-server abc.com (inside) host 192.168.1.2
nt-auth-domain-controller abc12dc1
aaa-server abc.com (inside) host Email_DNS
nt-auth-domain-controller abc12dc2
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 outside
http Inside_Subnet 255.255.255.0 outside
http Inside_Subnet 255.255.255.0 inside
http VPN_Subnet 255.255.255.0 vpnnet
snmp-server group Authentication_Only v3 auth
snmp-server group Authentication&Encryption v3 priv
snmp-server user mkaramat Authentication&Encryption v3 encrypted auth md5 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4 priv aes 128 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4
snmp-server host inside 192.168.1.60 version 3 mkaramat udp-port 161
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service resetoutbound interface outside
no service resetoutbound interface inside
no service resetoutbound interface dmz
no service resetoutbound interface vpnnet
no service resetoutbound interface asainside
no service resetoutbound interface testinside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map oobnet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map oobnet_map interface oobnet
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable inside_new
crypto isakmp enable oobnet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 12.18.13.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh Inside_Subnet 255.255.255.0 inside
ssh VPN_Subnet 255.255.255.0 vpnnet
ssh timeout 30
ssh version 1
console timeout 0
dhcpd auto_config inside
dhcpd dns 192.168.1.2 Email_DNS interface oobnet
dhcpd domain abc.com interface oobnet
dhcpd option 3 ip 172.16.0.1 interface oobnet
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside prefer
tftp-server vpnnet 192.168.3.10 /
webvpn
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 60
group-policy abcdONEVPN internal
group-policy abcdONEVPN attributes
dns-server value 192.168.1.7 192.168.1.3
vpn-tunnel-protocol IPSec
default-domain value abc
group-policy abcdONE internal
group-policy abcdONE attributes
dns-server value 192.168.1.7 192.168.1.3
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value abcdONE_splitTunnelAcl
default-domain value abc.com
service-type remote-access
service-type remote-access
tunnel-group abcdONE type remote-access
tunnel-group abcdONE general-attributes
address-pool NEW_VPN_POOL
default-group-policy abcdONE
tunnel-group abcdONE ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group abcdONE ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect ipsec-pass-thru VPN
parameters
esp
ah
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect icmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
service-policy global_policy global
prompt hostname context
Cryptochecksum:02e178404b46bb8758b23aea638d2f24
: end
asdm image disk0:/asdm-621.bin
asdm location NEW_VPN_POOL 255.255.255.0 inside
asdm location abc09ic 255.255.255.255 inside
asdm location VTC 255.255.255.255 inside
asdm location Email_Gateway 255.255.255.255 inside
asdm location Exch10 255.255.255.255 inside
asdm location ExternalDNS 255.255.255.255 inside
asdm location abc11ids 255.255.255.255 inside
asdm history enable
Hi,
Could you let me know if you have tried the configuration I originally suggested? I mean creating a "nat" statement for the "Internal_LAN" whose ID number matches one of the existing "global" statements, or making a new "global" for it. And also, if the "Internal_LAN" needs to access "inside", you could have added the "static" command suggested.
It seems there have been some other suggestions in between that have again suggested completely different things. I would have been interested to know what the situation is after the suggested changes before going and doing something completely different.
If you are changing a lot of NAT configurations for the new "Internal_LAN" interface, I would suggest checking the output of
show xlate | inc 172.168.1
to see if you need to use some variant of the "clear xlate" command to clear old translations still active on the firewall. You should not use "clear xlate" without additional parameters, as otherwise, in the mentioned form of the command, it clears all translations on the firewall.
You can use
clear xlate ?
to view the different optional parameters for the command.
- Jouni -
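The NAT and verification steps described in the reply above, written out as an added example (not commands taken from the thread). It assumes the Internal_LAN network is 172.168.1.0/24, that PAT through the existing "global (outside) 1" is the intended egress, and uses netmask 255.255.255.0 for the identity statics, since a static with a host mask of 255.255.255.255 on a network address translates only that single address.

```cisco
: Added example, not configuration from the thread. Pre-8.3 ASA NAT syntax.
: Assumption: Internal_LAN is 172.168.1.0/24 and should egress via global (outside) 1.
nat (Internal_LAN) 1 172.168.1.0 255.255.255.0
: Identity NAT in both directions between Internal_LAN and inside so the two
: interfaces can reach each other untranslated; the mask matches the /24 network.
static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0
static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.0
: Verify which translations exist for the new network before and after the change.
show xlate | include 172.168.1
: Clear only the stale translations for that network, never the whole xlate table.
clear xlate local 172.168.1.0 netmask 255.255.255.0
```

Both "static" lines are shown because the thread's running configuration has them; if only inside-bound access from Internal_LAN is needed, the first one on its own is sufficient.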
No Internet access after cisco vpn client connection
Hi Experts,
Kindly check the config below. The problem is that the VPN is connected but there is no internet access on the computer after connecting to the VPN.
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.14.12 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.255.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
address-pool testpool
tunnel-group mphone ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
: end
ciscoasa#
Hi Harish,
Please check the outputs below and the route print in the attached file.
Latest ASA Config
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.14.12 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.15.240-192.168.15.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
group-policy mphone internal
group-policy mphone attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dubai_splitTunnelAcl
username testuser password IqY6lTColo8VIF24 encrypted privilege 15
username testuser attributes
vpn-group-policy mphone
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
username khans attributes
vpn-group-policy mphone
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
address-pool testpool
tunnel-group mphone ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:12308d7ff6c6df3d71181248e8d38ba8
: end
ciscoasa#
Route Print after vpn connection
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x40003 ...00 24 01 a2 e6 f1 ...... D-Link DFE-520TX PCI Fast Ethernet Adapter - Packet Scheduler Miniport
0x250004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.211 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.211 192.168.10.211 20
192.168.10.211 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.211 192.168.10.211 20
192.168.14.0 255.255.255.0 192.168.15.1 192.168.15.240 1
192.168.15.0 255.255.255.0 192.168.15.240 192.168.15.240 20
192.168.15.240 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.15.255 255.255.255.255 192.168.15.240 192.168.15.240 20
213.42.233.97 255.255.255.255 192.168.10.1 192.168.10.211 1
224.0.0.0 240.0.0.0 192.168.10.211 192.168.10.211 20
224.0.0.0 240.0.0.0 192.168.15.240 192.168.15.240 20
255.255.255.255 255.255.255.255 192.168.10.211 192.168.10.211 1
255.255.255.255 255.255.255.255 192.168.15.240 192.168.15.240 1
Default Gateway: 192.168.10.1
===========================================================================
Persistent Routes:
None
C:\>
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : asu
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-520TX PCI Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-24-01-A2-E6-F1
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 213.42.20.20
195.229.241.222
Ethernet adapter Local Area Connection 8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.15.240
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : -
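As an added example (not part of the post and not a Cisco tool), the Python below reproduces the longest-prefix-match lookup the Windows stack applies to the route table shown above, so you can check which destinations the split-tunnel list on the ASA (dubai_splitTunnelAcl, 192.168.14.0/24) really sends through the Cisco VPN adapter. The route rows are a constructed copy of the posted Active Routes table; the lowest-metric tie-break is the standard forwarding rule and is assumed to be what this host does.

```python
import ipaddress

# Constructed copy of the "Active Routes" rows from the route print above:
# destination, netmask, gateway, interface, metric.
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.211 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.211 192.168.10.211 20
192.168.10.211 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.211 192.168.10.211 20
192.168.14.0 255.255.255.0 192.168.15.1 192.168.15.240 1
192.168.15.0 255.255.255.0 192.168.15.240 192.168.15.240 20
192.168.15.240 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.15.255 255.255.255.255 192.168.15.240 192.168.15.240 20
213.42.233.97 255.255.255.255 192.168.10.1 192.168.10.211 1
224.0.0.0 240.0.0.0 192.168.10.211 192.168.10.211 20
224.0.0.0 240.0.0.0 192.168.15.240 192.168.15.240 20
255.255.255.255 255.255.255.255 192.168.10.211 192.168.10.211 1
255.255.255.255 255.255.255.255 192.168.15.240 192.168.15.240 1
"""

VPN_ADAPTER = "192.168.15.240"   # address the VPN client assigned from testpool


def parse_routes(text):
    """Turn route-print rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip headers and separators
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins (assumed rule)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def tunnelled(routes, dst, vpn_iface=VPN_ADAPTER):
    """True if traffic to dst leaves through the VPN adapter."""
    hit = lookup(routes, dst)
    return hit is not None and hit[1] == vpn_iface


ROUTES = parse_routes(ROUTE_PRINT)

if __name__ == "__main__":
    for dst in ("192.168.14.5", "8.8.8.8", "213.42.233.97"):
        print(dst, "->", lookup(ROUTES, dst), "tunnelled" if tunnelled(ROUTES, dst) else "direct")
```

With this table 192.168.14.x resolves to the VPN adapter via 192.168.15.1, while Internet destinations and the VPN peer itself (213.42.233.97, pinned by a /32) stay on the physical adapter, which is what a working split tunnel looks like. If a destination you expected inside the tunnel resolves to 192.168.10.211 instead, the split-tunnel ACL on the ASA is the first thing to check.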
Rate limiting on Catalyst 2950T switches
Hi,
I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand I cannot use the deny statement when defining the access-list for the class-map and therefore I am asking for your help. (The config below works well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):
access-list 111 remark [ Traffic not to be rate limited ]
access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 112 remark [ Traffic to be rate limited ]
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
class-map match-all Internet-Class
match access-group 112
policy-map Internet
description [ Rate limit Internet access ]
class Internet-Class
police 2000000 65536 exceed-action drop
interface FastEthernet0/1
service-policy input Internet
interface FastEthernet0/24
service-policy input Internet
Any help would be very appreciated!
Regards,
Harald
Thanks again for the reply!
My "working" configuration is as follows:
access-list 111 remark [ Traffic not to be rate limited ]
access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 112 remark [ Traffic to be rate limited ]
access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
class-map match-all Local-Class
match access-group 111
class-map match-all Internet-Class
match access-group 112
policy-map Internet-Policy
description [ Rate limit Internet access ]
class Internet-Class
police 2000000 65536 exceed-action drop
class Local-Class
police 98000000 65536
interface FastEthernet0/1
description [ Local LAN facing interface ]
service-policy input Internet-Policy
interface FastEthernet0/24
description [ Internet facing interface ]
service-policy input Internet-Policy
However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.
Regards,
Harald
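What `police 2000000 65536 exceed-action drop` does to a stream of packets can be seen with a single-rate token-bucket model. This is an added illustration, not code from the post or from Cisco: the bucket holds at most the normal burst (65536 bytes) and refills at the CIR (2,000,000 bit/s, i.e. 250,000 bytes/s); a packet conforms if the bucket holds at least its size, otherwise it exceeds and is dropped. The exact bucket arithmetic of a given switch platform is an assumption here, and the packet streams are constructed.

```python
class Policer:
    """Single-rate token bucket, as in 'police <cir_bps> <burst_bytes> exceed-action drop'."""

    def __init__(self, cir_bps, burst_bytes):
        self.rate = cir_bps / 8 / 1_000_000   # tokens (bytes) credited per microsecond
        self.burst = burst_bytes               # bucket depth = normal burst size
        self.tokens = float(burst_bytes)       # assumption: bucket starts full
        self.last_us = 0

    def offer(self, t_us, size):
        """Return 'conform' or 'exceed' for a packet of `size` bytes arriving at t_us."""
        self.tokens = min(self.burst, self.tokens + (t_us - self.last_us) * self.rate)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"       # exceed-action drop: the packet consumes no tokens


def simulate(cir_bps, burst_bytes, packets):
    """packets: iterable of (arrival_us, size_bytes). Returns (conformed, exceeded)."""
    p = Policer(cir_bps, burst_bytes)
    verdicts = [p.offer(t, s) for t, s in packets]
    return verdicts.count("conform"), verdicts.count("exceed")


def stream(count, spacing_us, size=1500):
    """Constructed traffic: `count` packets of `size` bytes, one every spacing_us."""
    return [(i * spacing_us, size) for i in range(count)]


CIR, BURST = 2_000_000, 65536
# 100 x 1500 B arriving at once: only 43 fit in the 65536 B bucket (43 * 1500 = 64500).
BURST_RESULT = simulate(CIR, BURST, stream(100, 0))
# 1500 B every 6 ms is exactly 2 Mbit/s: nothing exceeds.
AT_RATE_RESULT = simulate(CIR, BURST, stream(200, 6000))
# 1500 B every 3 ms is 4 Mbit/s: once the burst is spent, every second packet drops.
OVER_RATE_RESULT = simulate(CIR, BURST, stream(200, 3000))

if __name__ == "__main__":
    print("burst     (conform, exceed):", BURST_RESULT)
    print("at rate   (conform, exceed):", AT_RATE_RESULT)
    print("over rate (conform, exceed):", OVER_RATE_RESULT)
```

The burst parameter is what decides how much of a sudden 1500-byte burst gets through before drops start, and the CIR is what the long-run average converges to; at twice the CIR the model drops close to half the packets, which is the behaviour TCP sessions on the 2 Mbps class will see.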
FlexConnect local/central switched and Access-Accept Packets
For our branch offices' wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
• Full network access, local switched.
• Limited network access, central switched:
◦ To isolate traffic from the branch’s LAN.
◦ To force traffic through a firewall at the central site.
▪ To ease access rules management.
◦ Internet access only by default.
▪ Internet access is located at the central site.
▪ We expect to manage some exceptions to the rule.
We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
Authentication Attributes Honored in Access-Accept Packets (Airespace)
VAP ID
This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
Source:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
We then made an assumption that the following was possible:
• Create a second SSID
◦ Broadcast not enabled
◦ Central Switched
• Users would authenticate using the first SSID
• In its access-accept packet, the RADIUS server would return an Airespace-WLAN-Id attribute with the value of the second SSID.
• The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
So far, our tests showed no results.
• Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
• If not, what would you recommend?
For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
Thank you very much,
Your WLAN is defined as centrally switched or locally switched; AAA override will not change that value. AAA attributes can change a user's VLAN, ACL and QoS. The other attributes are intended to be used for rules, for example:
Is the user part of this AD group and is this user on WLAN ID=1.
You will not be able to go from centrally switched to locally switched and vice versa. I don't know how you would be able to achieve what you're trying to accomplish with one SSID, to be honest.
Query: Best practice SAN switch (network) access control rules?
Dear SAN experts,
Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
regards,
Will.
Hi William,
That's a pretty wide net you're casting there, but I'll do my best to give you some insight in the matter.
Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
for zones there are a few best practices:
* Default Zone: Don't use it, unless you're running FICON.
* Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
* Don't mix zoning types: You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
* Device alias zoning is definitely recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing HBAs a heck of a lot less painful in your fabric.
* LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
* Read-Only exists, but again any modern array should be able to make a lun read-only.
* QoS on Zoning: Isn't really an ACL method, more of a congestion control.
VSANs are a way to separate your physical fabric into several logical fabrics. There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other. A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
They are quite logical to use and work just the same on an MDS as on a traditional Ethernet switch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
That's a very brief summary of the most important access-control-related Best Practices that come to mind. If any of this isn't clear to you or you require more detail, let me know. HTH!
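Three of the zoning rules in the reply above (single-initiator zones, no mixed member types, default zone left unused) are mechanical enough to audit from the zone database. The Python below is an added example, not part of the reply and not an MDS/NX-OS feature: it walks a constructed zoneset and a constructed inventory that says which WWPNs belong to hosts and which to storage ports (a real fabric would take that inventory from the array and host records), and reports every zone that breaks one of the rules. The WWPN values and zone names are made up for the example.

```python
from collections import Counter

# Constructed inventory: which pWWNs are hosts (initiators) and which are array ports (targets).
DEVICE_ROLE = {
    "10:00:00:00:c9:aa:00:01": "initiator",
    "10:00:00:00:c9:aa:00:02": "initiator",
    "50:06:01:60:3b:20:11:a1": "target",
    "50:06:01:68:3b:20:11:a1": "target",
}

# Constructed zoneset: zone name -> list of (member_type, value).
ZONESET = {
    # one host, two array ports, all pwwn: follows every rule
    "z_host1_arrayA": [("pwwn", "10:00:00:00:c9:aa:00:01"),
                       ("pwwn", "50:06:01:60:3b:20:11:a1"),
                       ("pwwn", "50:06:01:68:3b:20:11:a1")],
    # two initiators in one zone: they will try to log in to each other
    "z_hosts_shared": [("pwwn", "10:00:00:00:c9:aa:00:01"),
                       ("pwwn", "10:00:00:00:c9:aa:00:02"),
                       ("pwwn", "50:06:01:60:3b:20:11:a1")],
    # device-alias and port members mixed in one zone
    "z_mixed": [("device-alias", "host2_hba0"),
                ("interface", "fc1/12")],
    # a pwwn nobody has recorded: cannot tell initiator from target
    "z_host3_untracked": [("pwwn", "10:00:00:00:c9:aa:00:03"),
                          ("pwwn", "50:06:01:60:3b:20:11:a1")],
}


def audit_zone(name, members, roles):
    """Return a list of rule violations for one zone (empty list = clean)."""
    findings = []
    member_types = {t for t, _ in members}
    if len(member_types) > 1:
        findings.append(f"{name}: mixes member types {sorted(member_types)}")
    role_count = Counter(roles.get(v, "unknown") for t, v in members if t == "pwwn")
    if role_count["initiator"] > 1:
        findings.append(f"{name}: {role_count['initiator']} initiators in one zone")
    if role_count["unknown"]:
        findings.append(f"{name}: {role_count['unknown']} pwwn member(s) not in inventory")
    return findings


def audit_zoneset(zoneset, roles, default_zone_permit):
    """Audit every zone plus the fabric-wide default-zone setting."""
    findings = []
    if default_zone_permit:
        findings.append("default zone is 'permit': unzoned devices can reach each other")
    for name, members in zoneset.items():
        findings.extend(audit_zone(name, members, roles))
    return findings


if __name__ == "__main__":
    for f in audit_zoneset(ZONESET, DEVICE_ROLE, default_zone_permit=True):
        print("FINDING:", f)
```

Feeding the real zone database in is a matter of replacing the two constructed dictionaries with a parser for whatever your switch exports; the checks themselves do not change. The "not in inventory" finding is the one to treat as blocking: a pWWN whose role nobody knows cannot be shown to satisfy the single-initiator rule at all.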
BTHH5 connected, but no internet access
Hi! I've got BT Infinity on my HomeHub 5A. Here is the problem. When I connect to my wifi everything is good, but after a while I lose internet connection. I am still connected to my wifi, but the wifi sign shows a yellow triangle with an exclamation point and says I don't have internet access.
If I disconnect and then connect again everything goes back to normal and I can browse again. This is just a temporary fix because after some time I lose access again. This can happen after an hour or just after a minute of browsing, so it can be very frustrating if it happens often.
After reading some threads on the forum I tried assigning a static DNS address, that didn't help. Then I tried switching off the 5GHz network, that didn't help either. I have downloaded inSSIDer and changed the channel of my wifi to a less busy one, that didn't help as well.
This happens on both Windows 7 laptops, on the PS4 and an iPhone, so the problem is not in them. Also it happens when just one laptop is connected, so the number of connected devices is not a problem also.
I don't have any options to try now, so any suggestions will help.
1. Product name:
BT Home Hub
2. Serial number:
+068543+NQ42644460
3. Firmware version:
Software version 4.7.5.1.83.8.204 (Type A) Last updated 20/01/15
4. Board version:
BT Hub 5A
5. DSL uptime:
1 days, 07:20:19
6. Data rate:
9995 / 39993
7. Maximum data rate:
27205 / 81597
8. Noise margin:
21.7 / 17.7
9. Line attenuation:
12.6 / 12.3
10. Signal attenuation:
12.4 / 12.3
11. Data sent/received:
11.9 GB / 20.2 GB
12. Broadband username:
[email protected]
13. BT Wi-fi:
Yes
14. 2.4 GHz Wireless network/SSID:
BTHub5-Q3ZK
15. 2.4 GHz Wireless connections:
Enabled (802.11 b/g/n (up to 144 Mb/s))
16. 2.4 GHz Wireless security:
WPA2
17. 2.4 GHz Wireless channel:
5
18. 5 GHz Wireless network/SSID:
BTHub5-Q3ZK5
19. 5 GHz Wireless connections:
Enabled (802.11 a/n/ac (up to 1300 Mb/s))
20. 5 GHz Wireless security:
WPA2
21. 5 GHz Wireless channel:
44
22. Firewall:
Default
23. MAC Address:
c8:91:f9:1d:f6:78
24. Modulation:
G.993.2 Annex B
25. Software variant:
AA
26. Boot loader:
1.0.0
Hi cgleb1,
Welcome to the community forum. I'll be able to take a look at your connection and run a few checks on your line.
Send me in your details using the "Contact The Mods" link found in my profile.
Thanks
PaddyB
BTCare Community Mod
If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
We are sorry but we are unable to deal with service/account queries via the private message (PM) function so please don't PM your account info, we need to deal with this via our email account :-)
HT5413 Help filtering internet access
+PAX
Greetings all, and a Merry Christmas!
We're a small monastery. And due to this, we need to implement some Internet filtering. Unfortunately, it's not the basic kind of filtering. Frankly, I'm not sure that all of what we're looking to do can be done. But I'm at a loss about where I can look for this information.
At the moment, we've got a basic network, that you'd find a family home: DSL modem-router, a bunch of Ethernet hubs, and a whole bunch of cables.
The computers are mainly running Fedora Linux. There are 3 Windows stations, and 2 OS X stations.
The perfect solution is to be able to have 1 network, where there are 2 or 3 rooms where the Internet is accessible. And, those who have laptops, that they can bring their laptop to these rooms, and have Internet access, but NOT have access while connected to the network in other places. (Complicated, I know).
If that's not possible, ok. (Frankly, I don't think it is, but am very open to suggestions).
What we really do need is to be able to allow an Internet connection, restrict basically all web-surfing, while allowing e-mail, Skype, and updates. The updates are my biggest problem. We already have a rule established on the modem-router that blocks surfing activity at night, but still allows e-mail and Skype. Yet, this rule also blocks the Apple App Store updates.
So, I'm wondering if we get OSX server, would this help the situation? Where can I get more info about OSX server's filtering capabilities?
If we can't establish all the blocking that we need, then it'd be great if we could have some type of report of each person's activity.
Thanks for the help!
IMO, OS X Server won't be a good solution as a network filter. It might be useful here, but it very likely won't be your most appropriate choice as a network-gateway-router system.
FWIW, I'd suggest pursuing this in a Fedora-focused networking forum, in general. This given that's your most common platform.
Assuming wired networks, you can divide up the access via managed switches and a VLAN, or via physical network segmentation. WiFi is somewhat harder to segment, short of having a guest network and a private network; you'd need access points (APs) with two networks configured, one of which allows a little more access, and the other that's presumably restricted to the local IP address space.
There are gateway routers around which allow several different segments to be maintained, but they're generally starting in the ~US$250 range and upwards, and usually expect a little more knowledge of IP networking and related topics than the residential routers that are in common use.
Here is Apple's network port list.
As for the updates, OS X Server can cache those, as can the Reposado tool on a Fedora system.
A common solution involves a web proxy filter, where all connections must pass through that device. The connections used for the OS X Server or Reposado server itself to download updates would need to be programmed to allow access, but the other local OS X clients could be aimed at the local server. In your case, your filter can block all outbound connections to TCP 80 and TCP 443 entirely, save for the specified servers loading updates from their respective upstream sources.
Email is fairly easy, as you'll probably want to block outbound TCP 25, but allow POP via SSL and IMAP via SSL and allow the submission ports (TCP 486 and TCP 587).
Now for the somewhat bad news: these general approaches can often be bypassed using VPNs and tunnels, so somebody that's knowledgeable can generally get around simple-minded network filters. Which means you can end up blocking more than a little outbound traffic; more than TCP 80 and TCP 443.
Now for somewhat more bad news: Skype uses TCP 80 and TCP 443 (or requires a whole lot of open ports), and specifically to work around filters and blocks and firewalls and related "defenses". Whether you can get that to work by excepting the supernodes, I don't know.
I'd probably sort out what you do and do not want to allow access to as a more general problem, as getting an update server into a DMZ with exceptions enabled is a comparatively small problem — once you achieve the sorts of network blockages you're seeking. None of this stuff is particularly specific to OS X or OS X Server, either.
This configuration will probably involve installing a network gateway with internal filtering capabilities and a network nanny implementation, as well as some work on the internal network configuration. That may well be possible with Fedora, DD-WRT, Tomato or some other similar open source (it's likely best to ask for discussions and tradeoffs of those options elsewhere), and can be implemented with a commercial offering. Your needs here are probably even a little simpler in some ways, as you want and need just a few web connections.
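The egress policy the reply sketches (block outbound web except from the local update server, block direct SMTP, allow the mail-client ports) only works if the exception for the update server is evaluated before the general block, because packet filters such as iptables and nftables take the first matching rule. The Python below is an added example, not from the reply and not a firewall: it models first-match evaluation over a constructed rule list and shows the same rules failing when the block is placed ahead of its exception. The LAN subnet, the update-server address and the final default-deny rule are assumptions; 993, 995 and 587 are the IANA ports for IMAPS, POP3S and message submission.

```python
import ipaddress


def rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", dports=()):
    """One TCP egress rule; an empty dports set matches any destination port."""
    return {"action": action,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "dports": frozenset(dports)}


def evaluate(rules, src_ip, dst_ip, dport, default="deny"):
    """Return the action of the first rule matching this flow; default deny (assumption)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r["src"] and d in r["dst"] and (not r["dports"] or dport in r["dports"]):
            return r["action"]
    return default


LAN = "192.168.1.0/24"            # constructed: the internal subnet
UPDATE_SERVER = "192.168.1.10"    # constructed: the local update cache (OS X Server or Reposado)
WEB = (80, 443)
MAIL_CLIENT = (993, 995, 587)     # IMAPS, POP3S, message submission

# Exception first, then the block: the order that does what the reply describes.
EGRESS_OK = [
    rule("allow", src=UPDATE_SERVER, dports=WEB),
    rule("deny", src=LAN, dports=WEB),
    rule("deny", src=LAN, dports=(25,)),
    rule("allow", src=LAN, dports=MAIL_CLIENT),
    rule("deny"),
]

# Same rules with the block ahead of its exception: the cache can no longer fetch updates.
EGRESS_MISORDERED = [EGRESS_OK[1], EGRESS_OK[0]] + EGRESS_OK[2:]


def check(rules):
    """Run a set of constructed flows through the rule list; returns {flow: action}."""
    flows = {
        "update server -> web 443": (UPDATE_SERVER, "203.0.113.10", 443),
        "laptop -> web 443": ("192.168.1.50", "203.0.113.10", 443),
        "laptop -> SMTP 25": ("192.168.1.50", "203.0.113.25", 25),
        "laptop -> submission 587": ("192.168.1.50", "203.0.113.25", 587),
        "laptop -> IMAPS 993": ("192.168.1.50", "203.0.113.25", 993),
    }
    return {name: evaluate(rules, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, rules in (("ordered", EGRESS_OK), ("misordered", EGRESS_MISORDERED)):
        print(label)
        for name, action in check(rules).items():
            print("  ", name, "->", action)
```

Whatever gateway you end up with, keep a flow list like the one in `check()` and re-run it after every rule change; a silently blocked update server is exactly the kind of regression that is otherwise only noticed days later.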
RV180w / QuickVPN Internet Access
I am planning to purchase a VPN router for our new remote site office, which allows remote site desktops full access to our local LAN and even the Internet, just as our other remote office does.
As I check, the RV180w with QuickVPN support provides the VPN connection.
I would like to know if it can support Internet access via VPN.
We would like to limit remote site desktop to reach our HQ and using HQ internet line to get onto Internet.
Can rv180w and quickvpn achieve this?
Thanks
Hi,
As I understand, you need to connect remote users to your office site and access all the LAN resources and also Internet traffic, which means full tunneling.
QVPN is always split tunnel, which means you have access to your local resources but all the rest of the traffic, including Internet, is not passing through the VPN.
For the RV180 we have PPTP; we can have it as a full tunnel VPN for up to 10 users.
If you are looking for the IPsec protocol for VPN, we can go for the RV300 series (RV320, RV325), which support the Cisco VPN Client software, and from the web GUI you can configure your VPN as split or full tunneling.
For more details about other routers regarding your VPN needs, please call the technical support line:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html
Please rate the post or mark it as answered to help other Cisco customers.
Greetings
Mehdi