Router NAT IP block using Access List
Hi All
Strange issue we have here. First time I've come across this.
Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25, say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25?
Thanks all!
Anyone?
Similar Messages
-
Static NAT using access-lists?
Hi,
I have an ASA5520 and I'm having an issue with static NAT configuration.
I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.
This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.
I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address I would like to flip this logic if possible.
Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1' and for everyone else, don't NAT?
My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would but don't see how to...
Thanks,
Des
Des,
You need to create an access-list to be used with the nat 0 statement.
access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
- this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
then use NAT 0 statement:
nat (inside) 0 access-list inside_nonat
to permit outside users to see inside addresses without NAT, flip this logic.
access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
nat (outside) 0 access-list outside_nonat
you'll also have to permit this traffic through the ACL of the outside interface.
access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
- Brandon -
Access-list block range of hosts
cisco 2600 router with wic1-adsl card
I'm having difficulty creating an access-list that will block a range of specified internet IPs but allow everything else. Google finds loads of ACLs showing how to permit a range but nothing about how to deny.
In the past I've been able to deny a host using:
access-list 105 deny ip any host A.B.C.D, but that only blocks one host and not a range (unless you have loads of entries)
My reason for this is to block baiduspider.com from accessing my server. Baidu uses a large range of IPs but so far they're confined to 123.125.*.*, 61.135.*.* and 220.181.*.*
I tried:
access-list 10 deny 123.125.0.0 0.0.0.255
access-list 10 deny 220.181.0.0 0.0.0.255
access-list 10 deny 61.135.0.0 0.0.0.255
access-list 10 permit any
all web traffic comes via the adsl-wic card in the router so I put:
ip access-group 10 out
into the dialer0 config but this didn't work.
Thanks for any help.
It looks like I've done it. I was using the wrong subnet mask.
I changed the access list to:
access-list 10 deny A.B.0.0 0.0.255.255
and from that moment Baidu disappeared from the web log. -
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration.... although it is working fine, it is not secure because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Can anybody help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration...... access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to .... ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I will allow only host 10.25.7.136, but it isn't working.
No internet connection from the TMG Server. -
Port Forwarding & Access List Problems
Good morning all,
I am trying to set up port forwarding for a webserver we have hosted here on IP 192.168.0.250. I have set up access lists and port forwarding configurations, and I cannot seem to access the server from outside the network. I've included my config file below; any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external IP address with 1.1.1.1.
I've added the bold lines in the config file below in the hope of forwarding port 80 to 192.168.0.250, to no avail. You may notice I don't have access-list 102, which I created, on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pantera-office
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
aaa new-model
aaa authentication login default local
aaa session-id common
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.251 192.168.0.254
ip dhcp pool private
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name network.local
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-4211276024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4211276024
revocation-check none
rsakeypair TP-self-signed-4211276024
crypto pki certificate chain TP-self-signed-4211276024
certificate self-signed 01
quit
username pantera privilege 15 password 0 XXXX
username aneuron privilege 15 password 0 XXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0/0
description $ETH-WAN$
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/0/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server enable traps rf
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
end
Any/All help is greatly appreciated! I'm sorry if I sound like a newbie!
-Evan
Hello,
According to the config you posted, 2.2.2.2 is your WAN IP address and 1.1.1.1 is the next hop address for your WAN connection. The ip nat configuration for port forwarding should look like
ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
If your provider assigns a dynamic IPv4 address to the WAN interface you can use
ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
Verify the settings with show ip nat translation.
Your access list 102 permits only TCP traffic. If you apply the ACL to an interface, DNS won't work anymore (and all other UDP traffic). You might want to use a stateful firewall solution like CBAC or ZBF combined with an inbound ACL on the WAN interface.
Best Regards
Lukasz -
Hi,
I would like to ask for help: can I block the secondary IP's internet access? I will place it on the primary access-list created.
example
(primary blocking internet access access-list)
ip access-list extended http100
permit tcp host 10.99.100.1 host 10.108.20.1 eq 80
ip access-list extended http100
permit tcp host 10.99.102.1 host 10.108.20.1 eq 80
permit ip any any
Would the commands above block the internet of the secondary IP 10.99.102.x?
thanks,
Eduard
Hi Rick,
I have a router and it currently blocks internet access on certain IPs. On that segment I created a secondary IP address 10.99.102.x.
My question is how do I block secondary internet access by using an access-list?
I thought that since the secondary IP's interface is the same as the primary one, I'll put the exception there on the existing access-list. Would it block the IPs of the secondary from accessing the internet?
Hope this is clearer.
Oh, I think I mistyped something on the access-list, let me create another example:
ip access-list extended http101
permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)
permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)
deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
permit ip any any
All IPs' internet will be blocked except for 10.99.100.1 and 10.99.102.1
thanks,
Eduard -
Hello,
I have only 1 public IP on my router outside interface which is connected to ISP,
I just want to confirm the below from you experts.
I want to create a site-to-site VPN with other branches; I have a proper IOS ------- I hope I can do it.
The public IP on the router outside interface: can I use the same IP for static NATting of a web server (one to one)? Suppose I use it in static NATting: if I ping the public IP from the internet, will it ping the router interface or the server IP? -------- I hope we can't do it.
If I'm not wrong, I hope I can use service distribution with that same public IP, but not static NATting (one to one).
I hope there is no firewall concept where, if we do NATting, we need an access-list; on a router, even without an access-list, users from the internet can access the inside servers as long as NATting is provided.
Tx
Hello Estela,
1- Yes, you can configure a VPN site to site as long as the router supports it.
2- You cannot do a static one to one with the outside interface of the ASA that will be used for other hosts to go to the internet; instead of that you can configure port-forwarding, which will work for inbound connections (just TCP and UDP, as these protocols use ports).
3- Yes, you can do it as I explained in the previous answer.
4- That is correct, without an ACL everything is allowed.
Regards,
Julio
Rate helpful posts! -
Hi all, I have only a small question. Does anyone of you know a way to easily find out whether communication is allowed or denied by an access-list? I cannot try the communication; I can only work with the lines of the access-list in the console. Maybe there exists some program or script for searching in an access-list. Thanks for your advice.
a) sh access-list (name )
It will show you the hitcount
inet-FW# sh access-list no-nat-dmz
access-list no-nat-dmz; 2 elements
access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
you can use the Pipe command for specifics such as
show access-list (name ) | include ftp
it will give you all lines containing deny -
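A small evaluator for the kind of check asked about in this post (and for the wildcard-mask problem in the earlier "Access-list block range of hosts" post), added here as an example and not code from any of the posts: it parses IOS-style numbered and named ACL lines as quoted in the thread and reports which line a packet hits, or the implicit deny. The ACL text is the thread's own; the crawler and server addresses used as packets are made up.

```python
"""Minimal evaluator for Cisco IOS numbered and named ACLs: first match wins and
an implicit deny ends every list. Added example, not code from any post in the
thread; the ACL text is quoted from the posts, the packet addresses are made up."""
import ipaddress
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ALL = 0xFFFFFFFF

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    """Parse `any` | `host A.B.C.D` | `A.B.C.D WILDCARD` | bare `A.B.C.D`;
    returns (address, wildcard, index of the next token)."""
    if tok[i] == "any":
        return 0, ALL, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tok[i + 1]):
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1          # standard-ACL shorthand for one host

def parse_acl(text):
    """Return entries as (action, proto, src, src_wc, dst, dst_wc, dport)."""
    entries = []
    for raw in text.splitlines():
        tok = re.sub(r"\(.*?\)", "", raw).split()  # drop (annotations)
        if tok and tok[0] == "access-list":
            tok = tok[2:]                           # numbered form
        if tok and tok[0].isdigit():
            tok = tok[1:]                           # sequence number
        if not tok or tok[0] not in ("permit", "deny"):
            continue                                # header or remark line
        if tok[1] in PROTOCOLS:                     # extended entry
            proto = tok[1]
            src, src_wc, i = _addr(tok, 2)
            dst, dst_wc, i = _addr(tok, i)
        else:                                       # standard: source only
            proto = "ip"
            src, src_wc, i = _addr(tok, 1)
            dst, dst_wc = 0, ALL
        dport = int(tok[i + 1]) if i + 1 < len(tok) and tok[i] == "eq" else None
        entries.append((tok[0], proto, src, src_wc, dst, dst_wc, dport))
    return entries

def _covers(addr, wc, pkt):
    # wildcard bits set to 1 are "don't care"; every other bit must match
    return ((addr ^ pkt) & ~wc & ALL) == 0

def evaluate(acl, proto, src, dst, dport=None):
    """(action, 1-based line) of the first match, or ('deny', None) for the
    implicit deny that IOS appends to every access list."""
    s, d = _ip(src), _ip(dst)
    for n, (action, p, a, awc, b, bwc, port) in enumerate(acl, 1):
        if p != "ip" and p != proto:
            continue
        if _covers(a, awc, s) and _covers(b, bwc, d) and port in (None, dport):
            return action, n
    return "deny", None

def baidu_acl(wildcard):
    """ACL 10 from the 'block range of hosts' post, with the wildcard given."""
    lines = [f"access-list 10 deny {net} {wildcard}"
             for net in ("123.125.0.0", "220.181.0.0", "61.135.0.0")]
    return parse_acl("\n".join(lines + ["access-list 10 permit any"]))

HTTP101 = parse_acl("""
ip access-list extended http101
 permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)
 permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)
 deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
 deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
 permit ip any any
""")

if __name__ == "__main__":
    # 123.125.71.9: made-up crawler address inside 123.125.0.0/16, outside the /24
    print(evaluate(baidu_acl("0.0.0.255"), "ip", "123.125.71.9", "203.0.113.10"))
    print(evaluate(baidu_acl("0.0.255.255"), "ip", "123.125.71.9", "203.0.113.10"))
    print(evaluate(HTTP101, "tcp", "10.99.102.1", "10.100.100.1", 80))
    print(evaluate(HTTP101, "tcp", "10.99.102.50", "10.100.100.1", 80))
```

Standard ACLs match on the source address only, which is why ACL 10 is evaluated with the crawler address as the source; the parser understands IOS wildcard syntax, not the ASA netmask form used in the static NAT post above.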
Wi-Fi Card Access List no longer accessible
At Telstra's suggestion I recently upgraded to a Telstra Gateway Max router. I set it up in the same way as my previous router with a Wi-Fi Access list of MAC addresses of devices to which I chose to give access to my Wi-Fi network. Yes I know that is not absolutely necessary but the facility is there so why not use it. Some time in the past few weeks the firmware on the router has been updated to cater for the new Telstra Air function. At the same time the ability to maintain the Wi-Fi Card Access List has disappeared although it still shows on the Help screen for the Wi-Fi functions. So now I am no longer able to add new devices or delete old devices from my Wi-Fi card Access List which is still being recognised by the software. This is a little like buying a family-size car and then having the dealer weld the back doors shut. The Telstra support staff struggle to understand the problem and suggest I contact the higher level support area who will not charge me if they cannot solve the problem. Why should I pay for Telstra to solve a problem they caused! Has anyone else had a similar issue and how was it resolved?
It is something which has come up a few times since the release of the new Firmware update, it looks like it might be something to do with making Air work... but a number of features of the device in its initial state as intended by the manufacturer have been removed or limited by the Firmware in order to ensure the system runs as Telstra intend it to run... it is a matter of give and take... you have less features but it makes it simpler for the 'average user'...
-
WRT54Gv3 Loses/Blocks Internet Access
After installing version 4.21.1 of the Linksys firmware on my router WRT54Gv3 it will lose and/or block access to the internet. It will do it at random times usually weeks apart. All the lights on the router look normal, my modem still shows a connection to the router. My computers will connect to the router wired or wireless and I can also login to the config page of the router. Visually everything looks fine. Power cycling the modem and router does not fix the problem. I have to perform a factory reset on the router before it will work again. Is anyone having this problem with v4 or below of the WRT54G router after installing 4.21.1 of the Linksys firmware? My friend's router does the same thing and he has v4. I have v3.
Thanks
Well my router has always had the default IP address.
I also noticed that when the internet is being blocked I can use the diagnostic tab and get a response using ping and perform trace routes.
I can also release and renew my IP info from Comcast's DHCP Server.
I've never had a signal issue with the router. I'm always able to connect to it using a wireless or wired connection. I connect successfully to the router; it's that it blocks access to the internet for all the connected computers.
I'm at a loss and so it seems with Linksys tech support. I had a chat with them and they made me do a factory reset, then update the firmware and then perform a factory reset again. They felt that the firmware may have been somehow damaged when I previously updated the router. I feel like my router will start blocking internet access again by the end of the month. If not I'll let you know if the resetting, flashing, and resetting thing worked.
Message Edited by phoenixms on 06-05-2007 03:40 PM -
Hello,
Can someone explain to me why we use access lists in an MPLS cloud that uses iBGP? I thought for the most part access lists were used on firewalls, not routers running BGP. Do we even need access lists with BGP? Can't BGP work without access lists? What are the reasons for having access lists on a router for iBGP in an MPLS cloud?
Thanks,
The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake, or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.
It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demands that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.
Daniel Dib
CCIE #37149
Please rate helpful posts. -
MAC-Address Filtering vs. Access-Lists
We are using two WLC 4400 Series Controllers for our Guest WLAN. They are installed the way Cisco recommends: one in our LAN and one in the DMZ.
I am looking for a possibility to deny company users access to this WLAN with their notebooks. The WLAN has direct internet access and we don't want our notebooks to be compromised...
With MAC-Address Filtering I can only permit access to a specific WLAN, or is there a way to negate such a filter to use it for a denial?
Is there a possibility to use access lists for the denial of specific MAC-Addresses to a specific WLAN?
Anyone another good idea how to solve this issue?
Well... MAC-address filter would work, but if you have a lot to input, it can be a headache. ACLs I don't think will work, because users will get an IP from the guest network and then how can you know who has what address. Create a username/password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal users can't access this unless the username/password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.
-
WRT1900AC does not block internet access in Parental Control
Hi, My router does not block internet access on my other PC. I tried "Always", tried specific addresses, tried IP addresses and everything tech support suggested. I even replaced the router on their advice. Nothing helped. I realize that the problem is not the router but probably my home network configuration, but I can't figure out what it is. In my defence, neither could they. Does anybody have or had such a problem? Thank you
What Firmware version is currently loaded?
Can you post screen shots of how you have the controls configured?
Does the User Manual give any configuration help?
Internet Service Provider and Modem Configurations
What ISP Service do you have? Cable or DSL?
What ISP Modem Mfr. and model # do you have?
Router and Wired Configurations
Set up DHCP reserved IP addresses for all devices ON the router. This ensures each device gets its own IP address when turned on and connected, eliminates IP address conflicts and helps in troubleshooting, and maintains consistency for applications that need to connect as well as mapped drives. -
ASA5520 access-list configuration?
I have two asa5520s, version 7.2(2).
I have used access-lists for the firewall as:
access-list outside extended permit ip object-group mydomain any
access-list outside extended permit icmp object-group mydomain any
access-group outside in interface outside
I believe that all the IP traffic should be allowed from machine AA in the private network behind the inside interface to a machine BB in the public network (outside of the outside interface of the ASA5520)
(private) AA->asa5520->BB (public)
However, it seems to work for most cases, but it does not work for a certain port.
telnet AA 80 -> it seems to work fine
telnet AA 3816 -> it does not work.
When I do the packet trace on the ASA5520, it says access-list not allowed.
Could anyone advise me what my configuration is missing? How to correct this problem? And also, how can I see all the implicit rules which are set by default?
Any comments will be appreciated
Thanks in advance
Please upload/copy your config so we can see
-
Access list for ACS 3.3
I wish to secure my ACS using an access-list. However, allowing just TCP port 49 and/or TCP/UDP port 65 doesn't seem to work. Are there any other ports I need to open?
When you say "it doesn't seem to work", what are you referring to, TACACS authentication or access to the ACS server for admin purposes?
Can you add a "deny ip any any log" rule to the bottom of your access-list and check which protocols are being dropped?
Thanks
PD