RVS4000 IP Based ACL and NAT

Hi,
I'm having an issue with a Linksys RVS4000 which doesn't appear to be behaving as I think it should.
I need to forward a port (Single Port Forwarding) through to an internal NAT host. However, I only want that host/port to be accessible from one host on the internet, for security reasons.
I have created the port forwarding entry and this works fine. I then created two rules in IP Based ACL - one to block all access to that port from the WAN interface and one to allow access from a single host.
However, it appears that when a port forwarding entry is added, it will completely bypass the ACL and allow all traffic for that port/host by default.
Is this the correct behaviour?
Firmware version is v1.2.11
Regards,
Adam

Hi,
Thank you for replying. However I have already tried as you have suggested and it is still not working.
My Single Port Forwarding looks like this:
Application: SMTP External Port: 25 Internal Port: 25 Protocol: TCP IP Address: 192.168.xxx.xxx Enabled: Yes
My rules in IP Based ACL look like this (columns from left to right):
1 YES Allow SMTP WAN 203.xxx.xxx.xxx 192.168.xxx.xxx Any Time Every Day
2 YES Deny SMTP WAN ANY ANY Any Time Every Day
My goal is to only allow 203.xxx.xxx.xxx to have access to port 25 on 192.168.xxx.xxx. However, even with the rules above enabled, all external hosts have access to port 25 on 192.168.xxx.xxx.

Similar Messages

  • WRVS4400N2 IP based ACL and Firewall not blocking WAN

    I'm trying to block all Internet access (except for 2 IPs) to my Windows Home Server 2011. I've tried blocking with IP based ACL on my WRVS4400N2 (bridged through a Ubee cable modem) without luck. Tried creating a Connection Security Rule with the server firewall...without luck. The following ports are forwarded in the router (7, 9, 80, 443, 3389, 4125).
    The latest IP based ACL settings I've used (enabled, listed by priority):
    ACTION -- SERVICE -- SOURCE -- SOURCE IP -- DESTINATION -- TIME -- DAY
    Allow -- All Protocol -- WAN -- XXX.XXX.XXX.XXX -- Any -- Any Time -- Any Day
    Allow -- All Protocol -- WAN -- YYY.YYY.YYY.YYY -- Any -- Any Time -- Any Day
    Deny -- All Protocol -- WAN -- Any -- Any -- Any Time -- Any Day
    How can I block access from the Internet?


  • Need help for ACL and NAT for VoIP

    Dear experts,
    I configured my PBX server to work with one VoIP provider. When I put the server in a flat network, meaning without VLANs, the IP PBX server can register with the VoIP provider system normally and I can make calls out and receive calls normally.
    However, when I put the PBX behind the Cisco router with the configuration below, the PBX cannot register with the VoIP provider system.
    Even though I can receive calls from outside, I cannot make a call from inside to outside, because the PBX cannot register.
    Could you please help me to point out what is wrong with my Cisco router configuration?
    Thanks a lot
    Building configuration...
    Current configuration : 1982 bytes
    ! Last configuration change at 17:18:27 UTC Mon Feb 24 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$ZJEF$8np0QvQTD1nTaOosa9yGW1
    no aaa new-model
    memory-size iomem 20
    no ipv6 cef
    ip source-route
    ip cef
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    license udi pid CISCO2911/K9 sn FTX1603AH9C
    interface Embedded-Service-Engine0/0
    no ip address
    interface GigabitEthernet0/0
    description internal-LAN
    ip address x.x.x.4 255.255.0.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 11
    ip address 172.x.x.1 255.255.240.0
    interface GigabitEthernet0/2
    description internet
    ip address 50.x.x.93 255.255.x.x
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface GigabitEthernet0/2 overload
    ip nat inside source static udp x.x.x.8 5060 50.x.x.93 5060 extendable
    ip route profile
    ip route 0.0.0.0 0.0.0.0 50.x.x.94
    ip route 172.16.240.0 255.255.x.0 x.x.x.5
    ip route 172.16.242.0 255.255.x.0 x.x.x.5
    access-list 100 permit ip x.x.0.0 0.0.255.255 any
    access-list 100 permit ip 172.16.240.0 0.0.0.255 any
    access-list 100 permit ip 172.16.242.0 0.0.0.255 any
    access-list 100 permit udp any any range 5004 5090
    access-list 100 permit udp any any range 10000 20000
    control-plane
    line con 0

    You really don't want to use NAT with SIP. Odds are it won't work. This is because SIP embeds hostnames/IP Addresses inside the packets, and standard NAT does not look inside packets.
    If you want a NAT-type functionality for SIP, you need something called a session border controller. Look up Cisco CUBE
    http://www.cisco.com/c/en/us/products/unified-communications/unified-border-element/index.html
    https://supportforums.cisco.com/docs/DOC-17964
    http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-border-element/99863-cube-config.html
    GTG
    Please rate all helpful posts.

  • Need help for ACL and NAT

    Hi all,
    I set up a 2911 router with the configuration below so that the phone system inside handles all calls in and out, to and from the outside VoIP provider.
    I can receive calls from outside all the time, but I cannot make calls from the inside to the outside.
    I think that I am missing some configuration in the router.
    The 172.a.b.c is the IP phone system.
    Please give me any advice.
    Thanks a lot.
    The router configuration:
    interface Embedded-Service-Engine0/0
    no ip address
    interface GigabitEthernet0/0
    description internal-LAN
    ip address 172.x.x.4 255.255.x.x
    ip accounting output-packets
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 11
    ip address 172.16.208.1 255.255.240.0
    interface GigabitEthernet0/2
    description internet
    ip address 50.x.x.93 255.255.x.240
    ip accounting output-packets
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface GigabitEthernet0/2 overload
    ip nat inside source static udp 172.a.b.c 5060 50.x.x.93 5060 extendable
    ip route profile
    ip route 0.0.0.0 0.0.0.0 50.240.226.94
    ip route 172.16.240.0 255.255.254.0 172.10.0.5
    ip route 172.16.242.0 255.255.254.0 172.10.0.5
    ip access-list extended VLAN-voice
    access-list 100 permit ip 172.x.0.0 0.0.255.255 any
    access-list 100 permit ip 172.16.240.0 0.0.0.255 any
    access-list 100 permit ip 172.16.242.0 0.0.0.255 any
    control-plane
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    login
    transport input all
    scheduler allocate 20000 1000
    end


  • Move interface ACL's, NAT's from one interface to another

    Hi
    I have a Cisco ASA 5515-X with IOS 9.1.
    My problem is I have 6 interfaces (1 failover, 2 DMZ, 1 outside, 1 inside and 1 spare) and I need to create new:
    DMZ - for a new LAN (subnet).
    Outside interface - for a new site-to-site VPN peer; there is a requirement to use a different public address rather than the one on the existing outside interface.
    There is no budget to purchase additional interfaces at present.
    The solution I have come up with is to:
    Divide the spare interface into 3 sub-interfaces for the 2 existing DMZs and the new DMZ.
    Use either of the 2 freed-up interfaces (from the existing DMZs) as the new outside interface.
    This still leaves me with a spare interface for future expansion.
    I have 2 questions:
    Firstly, is this an acceptable solution and, if not, what would be a better solution?
    Secondly, in my proposed solution, I will have to move all the ACLs and NATs from the existing DMZs to the new sub-interface DMZs (also, one of the DMZs is accessed by a site-to-site VPN on the existing outside interface). Is there an easy way to move these rules/NAT/etc., or does it require going through the entire configuration and renaming everything?
    Any help would be much appreciated.
    Chris

    Hi,
    Well, I don't know why the requirement is to use a different public IP address for the L2L VPN connection, but then this seems to be the only way (use another interface). I assume then that you have another ISP link there, or one from the same ISP but with an IP from a different public subnet than your current "outside"?
    If you decide to use 2 WAN links on the ASA, then for the WAN link used for the L2L VPN you need to configure a static "route" for the remote VPN gateway and possibly also for the remote networks behind the L2L VPN, unless the ASA installs those routes automatically based on the "crypto map" configurations.
    With regards to moving the configurations around, it seems to me that there is no easy/automatic way to migrate these configurations.
    What you can essentially do at least is:
    Collect all the configurations that reference the interface's "nameif" value. These usually contain commands like "nat", "access-group", "route" and naturally some others.
    Remove the existing interfaces, which means that all configurations that reference the "nameif" are removed. Notice that the ACL is not removed, only the "access-group" command.
    You then reconfigure the same interface somewhere else. In your case it seems to be a subinterface in some cases.
    After the new interface is configured you should be able to drop in the configurations that you collected earlier. What I would keep in mind in this situation is that you should keep track of the original order of the "nat" configurations (if using Manual NAT) and make sure you enter the "nat" commands in the same places they were. Depending on your current NAT configuration this might either be really simple (mostly Auto NAT configurations) or something requiring a bit more planning (Manual NAT).
    The above should be the main things to do on the ASA to migrate the configurations.
    Naturally this is just a general description without taking into account everything that you might have in your environment.
    - Jouni

  • SG300-10p MAC based ACL

    I am trying to limit the access of a printer to one computer and define a MAC-based ACL and a corresponding ACE. I set the destination MAC address of the printer (mask 000000000000) and the source MAC address of the computer (mask also 00000000000) and the VLAN ID to 1. The other parameters do not seem important? Then I add the ACL to the port where the printer is connected. Unfortunately the printer is not accessible now. What am I forgetting?

    Hi Andrey,
    Thank you for your lines.
    What I did blocks all computers, even the one I want to be allowed to print.
    I agree: when I want other computers to be able to print, then I have to add other ACEs to the ACL and allow these computers as well.
    I had the idea that the masks were wrong and set them to FFFFFFFFFFFF. This, however, allows all computers to print...
    Any other ideas?
    Thanks in advance,
    Leo

  • RVS4000 Can't access the IP Based ACL feature

    We have had the default ACL allow any-any ever since we've had the RVS4000. Then today I tried to create a simple ACL to deny a LAN IP from accessing all destinations. After restarting the router, I cannot access that feature any more. I can access everything else, but if I go to IP Based ACL, it gives me the "Page can't be displayed" error. I've tried accessing it from 3 different browsers.
    Any clues why this might be happening?

    Hello,
    I'm sorry you are having issues with the device and I can honestly say I have no idea why it is behaving like this, but I do have a few suggestions that may help get the device working correctly again.
    1- I would consider upgrading the firmware if it is not on the latest. If your device is hardware version 1, the latest available firmware is 1.3.3.6; if it is hardware version 2 then you will need to be on 2.0.3.4.
    Here is a link to the firmware download page for the device.
    https://software.cisco.com/download/release.html?mdfid=282414013&softwareid=282465789&release=1.3.3.6&relind=AVAILABLE&rellifecycle=&reltype=latest
    2- After the firmware upgrade, or if you are already running the latest firmware, try to access the device using Internet Explorer 11 and enable the Compatibility View option. To do this, just go to the gear icon on the right-hand side at the top of the page, then select Compatibility View and add the IP address of the router to the list.
    I hope this helps. Please let us know.

  • Who needs the ACLs and static NAT?

    I came upon a job whose network layout is kind of tricky. Here is the skinny:
    2 routers (both 1721s). One is SBC's and it plugs into the internet on the WIC interface. The NIC interface plugs into a PIX 506E firewall. The firewall does the PAT. The other Ethernet port on the firewall plugs into the switch. The other router's WIC card plugs into the franchise intranet, and its NIC plugs into the switch.
    All the PCs, servers, etc. have the default gateway set to the Ethernet interface of the franchise 1721. That router looks at the destination address and decides if it needs to go out its WIC (if the destination address is on the corporate intranet's subnet) or if it needs to go out to the internet (through the firewall and out the other router).
    Now here's what I am trying to accomplish:
    The customer wants to be able to telnet into one machine in the private network from her house.
    Obviously, I need an ACL on the SBC router because that's where the request is coming from. I have also set up static NAT on the router from a public IP (in our valid range that SBC provides) to the private IP of the machine that she wants to access.
    Currently, it is not working. I thought it had something to do with the other router, so I started contacting the network engineers at the franchise office to get them to open up their router to allow telnet.
    I now think, however, that the reason it is not working is that I have the static NAT on the wrong device!!
    Shouldn't it be on the firewall, because the SBC router doesn't know anything about those private addresses (the PAT happens on the firewall)?
    Is my hunch right? Can you please advise me on which devices will need changes in their ACLs and which device(s) will need static NAT mapping? I don't want to open anything I don't have to. Thanks!!

    I just came from the client's office. I am a little lost here. I am quite nifty at the CLI of a router or a switch, but every other firewall I have dealt with (SonicWall, WatchGuard, etc.) has had a web-based GUI. I am new in the field and have never configured a PIX before.
    Here's what I have right now:
    The SBC router is configured to allow Telnet traffic in.
    The PIX 506E has PAT configured on it. I tried setting up static NAT on the firewall with no luck. Attached is my running config. Perhaps you could instruct me on some commands I can throw at this box to make this whole mess work!!
    Let 207.184.18.10 be the address of the internal machine we want to access and SERVER.PUBLIC.IP be the public address we should point our telnet client at to get in.

  • SRW2024 - ip and Mac based ACL

    Hi!
    I'm trying to set up MAC and IP based ACLs on our switches with no success.
    Port 22 is our WAN port.
    I'm trying to stop IP 192.168.0.53 reaching the internet,
    but I need to let all other traffic pass.
    With an IP rule with Deny 192.168.0.53 wildcard mask 0.0.0.0
    and the ACL bound to port g22,
    the problem is that it stops all traffic.
    What am I missing? I'm trying to do this with a MAC ACL too, with the same results.
    /J

    Hi!
    OK, I placed a new rule after the block rule:
    permit any ip 192.168.0.0 wildcard mask 255.255.255.255
    Now it lets all traffic pass, including the one I blocked in the first rule!
    I'm still missing something!
    /J

  • Asr1000 and time-based acl

    Hi
    We use a 7206 as a PPPoE BRAS. All user sessions are rate limited using MQC on virtual-access interfaces.
    The rate changes depending on the time of day. It's implemented using time-based ACLs. Now we want to migrate to the ASR1000,
    but that router doesn't support time-based ACLs according to the Cisco FN.
    The question is how to change user traffic rates on the ASR1000 on a time-of-day basis?

    radius attribute nas-port-type through rate-limit (firewall)
    http://conft.com/en/US/docs/ios/security/command/reference/sec_r1.html#wp1062750

  • ZBF and NAT

    Hello.
    As I studied, interface ACLs and Zone-Based Firewall should not be applied at the same time. This means that every packet is processed by the router (I'm thinking NAT).
    For example, unwanted traffic is processed by NAT before it is dropped by ZBF. Do you think this is optimal?

    Hi,
    It is not a matter of being optimal or not. Packets processed by Zone-Based Firewall are either fast switched or process switched, so that's probably why NAT is processed before the Zone-Based Firewall.
    On the other hand, inbound ACLs (if no further processing is necessary for other features) are processed by CEF, so the packets don't go to the router's CPU and are processed before NAT.
    I hope it makes sense.

  • I don't understand correlation between ACL and dACL. If dACL is downloaded to the Catalyst switch what is the status of the ACL

    Understanding ISE and dACL.
    I don't understand the correlation between ACL and dACL.
    If a dACL is downloaded to the Catalyst switch, what is the status of the ACL attached to the physical port? Is the dACL appended to the existing ACL? When I typed 'sh ip access-list int fa0/1' I can see only the dACL for the access domain and the dACL for the voice domain appended to the previous dACL, and no ACL lines.
    Regards,
    Vice

    Hi,
    Downloadable ACLs (dACLs) are applied from your RADIUS server based on authentication and authorization policies. They override any standard interface ACL.
    Standard interface ACLs are in place to limit traffic on the port before 802.1X or MAB authentication.
    When an authenticated session terminates on the interface, the standard ACL will be re-applied until the next authentication.

  • SRW2024 MAC based ACL

    Hello,
    I have an SRW2024 switch (with 3 access points and a DSL line cable plugged in)
    and a few users accessing the network and internet through that switch. When I try to make a MAC-based ACL to deny requests from a certain MAC address and bind it to the DSL port, the rule applies to all users, not only the one I made the rule for.
    How could I set rules without affecting the other users!!
    I want to disallow certain users only.
    Thank you

    Hi Sahar, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. I found some articles that could help you with your configuration; below you will find the steps to configure the access list and the admin guide.
    MAC Based Access Control List (ACL) and Access Control Entry (ACE) Configuration on 300 Series Managed Switches
    Defining ACL Binding
    You will find the information to bind the ACL to the port interface in page 409.
    I hope you find this answer useful
    Greetings,
    Luis Arias.
    Cisco Network Support Engineer.

  • Introduce second default gateway into policy-based routing and optimization

    Questions:
    1) How to get the second PBR_DEFAULT_GATEWAY address 10.20.20.3 into the policy-based routing for redundancy?
    2) Any optimizations as more and more traffic (policy-based routed and otherwise) goes through interface Gi1/0/1?
    Address range A.B.0.0/16 represents assigned Internet-routable addresses.
    Network also uses 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16.
    DEFAULT_GATEWAY router participates in OSPF and injects the default routes 0.0.0.0/0 10.10.10.1 and 0.0.0.0/0 10.20.20.1 into OSPF.
    PBR_DEFAULT_GATEWAY router participates in OSPF but filters out default routes injected by DEFAULT_GATEWAY router.
    ROUTER_A participates in OSPF and receives default routes injected by DEFAULT_GATEWAY router.
    ROUTER_A contains the attached policy-routing configuration that allows the subnet A.B.30.0/24 to route anywhere on the network and uses PBR_DEFAULT_GATEWAY as the way out.

    OK, I will see if I can run out to work and try this today.
    After thinking about this, if I need to get to local IP addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out to the firewall.
    For instance:
    ! Access to one of my local networks
    access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
    ! Send Internet traffic to ASA/PIX
    access-list 172 permit ip 172.20.200.0 0.0.0.255 any
    route-map pix-172-20-200 permit 10
    match ip address 101
    set ip next-hop 172.20.200.1
    route-map pix-172-20-200 permit 20
    match ip address 172
    set ip next-hop 172.20.200.2
    and so on?
    I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...
    I want to make sure I can still get to the local networks I need to get to.
    I appreciate all your help, and I will test this later on today.
    Thanks
    Don Hickey

  • MAC-based ACL in wireless router

    Hi,
    I have an AIR-AP1262N wireless router. I have implemented many MAC-based ACLs in it. A sample looks like this.
    access-list 715 permit 6427.37e0.8379   0000.0000.0000
    access-list 715 permit e006.e933.901d   0000.0000.0000
    access-list 715 permit 88cb.8278.40e8   0000.0000.0000
    access-list 715 permit 6427.37e0.d1ng   0000.0000.0000
    access-list 715 deny   0000.0000.0000   ffff.ffff.ffff
    Now whatever new MAC I want to allow, the ACL entry that I configure goes below the deny rule and it is not working.
    Is there any way to move it before the deny rule, or should I delete the whole config and re-enter it every time?

    Please try the commands below and update whether it is working or not:
    show mac access-lists name
    and then
    resequence mac access-list name starting-sequence-number increment/decrement
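The SRW2024 thread above (deny one host, then permit with an all-ones wildcard) and this AIR-AP1262N thread (new permit entries landing after the final deny-all) are both first-match ordering problems. The following is an added example, not code from any of the posts: a small first-match evaluator with Cisco-style wildcard masks that accepts both dotted-quad IPv4 and dotted-hex MAC entries, reports which entries are shadowed by an earlier one, and shows the reorder that the resequence advice achieves. The `Ace` class, function names and the sample lists are constructed for this illustration.

```python
# Added example (not code from the forum posts): first-match ACL lookup
# with Cisco-style wildcard masks, replaying the SRW2024 rule pair and the
# AIR-AP1262N MAC list where entries appended after deny-all never match.
from dataclasses import dataclass
from ipaddress import IPv4Address


def to_int(s: str) -> int:
    """Accept dotted-quad IPv4 or Cisco dotted-hex MAC (xxxx.xxxx.xxxx)."""
    parts = s.split(".")
    if len(parts) == 4:
        return int(IPv4Address(s))
    if len(parts) == 3 and all(len(p) == 4 for p in parts):
        return int("".join(parts), 16)
    raise ValueError(f"unrecognised address {s!r}")


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    base: str      # address the entry was written for
    wildcard: str  # wildcard as typed: a 1 bit means "don't care"


def matches(ace: Ace, addr: str) -> bool:
    """0.0.0.0 / 0000.0000.0000 = exact host; all ones = any address."""
    w = to_int(ace.wildcard)
    return (to_int(addr) & ~w) == (to_int(ace.base) & ~w)


def evaluate(acl, addr: str):
    """(action, index) of the first matching entry; no match falls through
    to the implicit deny, reported as index -1."""
    for i, ace in enumerate(acl):
        if matches(ace, addr):
            return ace.action, i
    return "deny", -1


def covers(earlier: Ace, later: Ace) -> bool:
    """Every address matched by `later` is already matched by `earlier`:
    later's wildcard bits are a subset of earlier's, and the bases agree
    on the bits earlier cares about."""
    we, wl = to_int(earlier.wildcard), to_int(later.wildcard)
    be, bl = to_int(earlier.base), to_int(later.base)
    return (wl & ~we) == 0 and (be & ~we) == (bl & ~we)


def shadowed_entries(acl):
    """Indices of entries first-match lookup can never reach."""
    return [i for i, ace in enumerate(acl)
            if any(covers(e, ace) for e in acl[:i])]


def insert_before_shadowing(acl, new: Ace):
    """Place `new` just above the first entry that would hide it, which is
    what resequencing an entry above a deny-all achieves on the AP."""
    acl = list(acl)
    for i, e in enumerate(acl):
        if covers(e, new):
            acl.insert(i, new)
            return acl
    acl.append(new)
    return acl

# Constructed from the two rules quoted in the SRW2024 thread.
SRW_ACL = [Ace("deny", "192.168.0.53", "0.0.0.0"),
           Ace("permit", "192.168.0.0", "255.255.255.255")]

# Constructed from the AIR-AP1262N list, new host appended after deny-all.
AP_ACL = [Ace("permit", "6427.37e0.8379", "0000.0000.0000"),
          Ace("permit", "e006.e933.901d", "0000.0000.0000"),
          Ace("deny", "0000.0000.0000", "ffff.ffff.ffff"),
          Ace("permit", "88cb.8278.40e8", "0000.0000.0000")]
```

Evaluated this way, the SRW2024 pair does deny 192.168.0.53 and permit everything else, so the mask semantics alone do not explain what that poster saw, whereas the AP list really does shadow its last entry until it is moved above the deny-all.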
