Securing router with ACL

I need to secure my routers by only allowing certain hosts on my internal network to access them. I use SSH. I have tried using ACLs, but the connection is refused when I set line vty 0 4 to use the access-class # in command.
Can someone be so kind as to show me the errors I am making? These are all external-facing routers with external IPs. I am NAT'd behind a firewall.
Example:
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
access-list 101 permit tcp host myinternalipaddress host myexternalipaddress eq 22
interface FastEthernet0/0
ip address myexternalipaddress 255.255.255.248
no ip redirects
no ip unreachables
duplex auto
speed auto
no cdp enable
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation frame-relay IETF
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
interface Serial0/0/0.1 point-to-point
ip unnumbered FastEthernet0/0
no arp frame-relay
frame-relay interface-dlci 500
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
line vty 0 4
session-timeout 30
login local
access-class 101 in
transport input ssh
transport output none
Thanks in advance for your assistance.
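As an added example (not from the post, and not a Cisco tool), the following Python evaluator applies IOS extended-ACL first-match semantics, including the implicit deny, to constructed sample addresses. It checks a vty ACL written like the one in the post against the source address the router actually sees when the admin host sits behind a NAT firewall, and, going beyond the post, also evaluates a wildcard-mask ingress ACL of the kind shown in the C871 thread further down this page. All addresses, the ACL subset and the function names are assumptions.

```python
"""Offline evaluator for Cisco-style extended IPv4 ACLs (added example, not from the post).

Models first-match semantics plus the implicit deny at the end of every ACL, so a
vty access-class ACL can be tested against the source address the router sees.
Every address below is a constructed sample from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known port names IOS accepts after "eq".
PORT_NAMES = {"ssh": 22, "telnet": 23, "isakmp": 500, "non500-isakmp": 4500, "domain": 53}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp", "esp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # destination port from "eq <port>", if present
    established: bool              # TCP "established" keyword (matches replies only)
    text: str                      # original line, kept for reporting


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' to a network. Wildcard 0-bits must match and
    1-bits are don't-care, so the netmask is the bitwise inverse of the wildcard.
    Non-contiguous wildcards raise ValueError (ipaddress cannot represent them)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    network = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((network, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE, either numbered ('access-list 101 permit ...') or in
    named-ACL body form ('permit tcp any any eq 22'). Only a destination 'eq' port
    and the 'established' keyword are modelled; 'log' and ICMP types are ignored."""
    tokens = line.split()
    if tokens[0] == "access-list":        # numbered form: skip "access-list <number>"
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return Ace(action, proto, src, dst, dport, "established" in tokens[i:], line.strip())


def parse_acl(config: str) -> List[Ace]:
    """Collect every ACE line from a config fragment, ignoring anything else."""
    acl = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list ") or line.startswith(("permit ", "deny ")):
            acl.append(parse_ace(line))
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int,
             established: bool = False) -> Tuple[str, Optional[Ace]]:
    """Return (action, matching ACE). First match wins; no match is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not established:   # a new SYN is not "established"
            continue
        return ace.action, ace
    return "deny", None


# Constructed stand-ins for the placeholders in the post.
ADMIN_HOST = "192.168.10.25"      # hypothetical "myinternalipaddress"
FIREWALL_NAT = "203.0.113.10"     # hypothetical public address of the NAT firewall
ROUTER_IP = "198.51.100.6"        # hypothetical "myexternalipaddress"

VTY_ACL = f"access-list 101 permit tcp host {ADMIN_HOST} host {ROUTER_IP} eq 22\n"

# Constructed subset of a WAN ingress ACL in the style of the C871 thread below.
WAN_IN_ACL = """
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
permit tcp any any established
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
deny   ip any any log
"""


def ssh_decisions(acl_text: str) -> dict:
    """Decide an SSH attempt to the router as it arrives: with the original source
    address (no NAT on the path) and with the source rewritten by the firewall."""
    acl = parse_acl(acl_text)
    return {
        "direct": evaluate(acl, "tcp", ADMIN_HOST, ROUTER_IP, 22)[0],
        "via_nat": evaluate(acl, "tcp", FIREWALL_NAT, ROUTER_IP, 22)[0],
    }


if __name__ == "__main__":
    for case, action in ssh_decisions(VTY_ACL).items():
        print(f"{case:8s} -> {action}")   # direct -> permit, via_nat -> deny
```

If the router only ever sees the firewall's public address, the ACE has to name that address; the router cannot match the pre-NAT internal one.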

I have reviewed your link and don't see how that applies to my issue - it refers to a dynamic VPN for clients connecting to a router. I need a static point-to-point VPN between sites using a PIX and a router.
Let me restate the issue - the current VPN config works when the access-group is removed on the FA0/1 interface - so it's got to be something missing in ACL 150. I think I've opened up all needed protocols on the router side...

Similar Messages

  • Secure wireless router with lost password

    I'm trying to secure our wireless router and not having any success. When I go to the 192.168.1.1 site and type in admin, the screen just pops up again. If I continue, after three tries I get a 404 screen. I'm guessing my husband added a password at some time, but he has no record of it and I've tried all of our passwords that I can think of and none of them work. Is there a way to get past this screen or recover the password somehow? Our network still shows up as unlocked and I'd like to get access to the account and get it locked. Thanks.

    Welcome to Cisco Home Community,
    What is the model number of your Linksys router? In this case, you may need to perform a reset on the router, and you will lose all settings saved in it. You'll start from scratch setting it up again for the internet, both wired and wireless, to work. Here are the links below that may help you get this issue resolved.
    Resetting the Linksys router to factory default
    Setting Up a Router with Cable Internet Service
    Setting up a Linksys router for DSL Internet connection

  • How can I enable VPN passtrough with 881-K9 Security Router?

    Hi Space!
    I need help, because I really cannot find the error in my configuration.
    What I want to do is to enable simple VPN passthrough with an 881 K9 Security Router.
    So all VPN traffic travels directly from the internet through the router (I don't need any inspection or anything else of this traffic) to a Windows Server behind it (and back to the client of course).
    [ Internet -> Cisco 889 router -> Windows Server ]
    Enclosed you will find my configuration.
    The VPN connection cannot be established and the clients are getting connection error 800 most of the time.
    Thanks for any hint!
    Kind regards,
    Chris

    ActiveX is proprietary to IE and Firefox has never supported ActiveX.

  • Accessing secure sites with 3rd party router

    I want to use my original router "Buffalo WBMR G54" with BT and have been for a short while, but cannot access online banking or Barclaycard online; it works OK with the Home Hub. Tried both Firefox and IE8, pages just hang on both browsers.
    Any techies around know why this is please? My Buffalo worked fine as a 3rd party router with talktalk

    wehey23 wrote:
    Can you tell me how to change the MTU settings for the BT Hub pls?
    I have just moved home and have taken BT BB with me.....the internet is running fine but i cant connect to secure sites at all. Have tried contacting BT and they have tried everything but cant help!
    Thanks
    First check your Firewall is not blocking SSL port 443.
    This thread contains most of the information you may need to change your PC MTU value; I don't think the Home Hub MTU value can be easily changed?
    http://community.bt.com/t5/BB-in-Home/BT-Broadband-and-MTU/m-p/12660;jsessionid=F92D7A9C8D5A07CAE73C...

  • T1114 4g router with security camera setup?

    Has anyone been able to set up security cameras with the 4G LTE Broadband Router with Voice model T1114? I have been talking to Verizon, Foscam and Novatel and I am getting absolutely nowhere. I'd hate to have to keep my DSL service just because of my security cameras, but at this point it's looking like that may be a possibility. If anyone has a solution or guidance, I'd appreciate it.

    > is that a complicated work around or is it fairly simple?
    It's simple in design, but could be complicated to configure and maintain depending on your network comfort level. Considering your goal is to access cameras and not a PC, you will need the assistance of an additional VPN router. Set up the Jetpack (or USB modem) to act like a modem and link it to a VPN router with a wireless bridging feature. From there you configure the VPN router to automatically connect to your desired VPN server as long as the Jetpack is online and providing a connection.
    The setup would look something like this:
    - VZW ))) Jetpack ))) VPNRouter === Cam1
    - VZW ))) Jetpack ))) VPNRouter === Cam2
    - VZW ))) Jetpack ))) VPNRouter === Cam3
    - etc
    If the cameras happen to be wireless then the VPN router should be able to accommodate those connections too, but I wouldn't recommend relying on wireless any more than you need to considering how much is going on already.
    VPN connectivity is a feature on some more advanced home routers and can also be re-flashed on others with the use of custom firmware.  DD-WRT can enable this functionality for free if you happen to have a compatible router lying around that supports wireless bridging.  VZW does not offer any products for you that can do this so you will have to look elsewhere.
    Wireless bridging is the process of connecting one router to another over WiFi. On devices that support this functionality there is generally a mode called "Bridge mode", "AP mode" or something along those lines that can enable the configurations for you. From there you would need to decide if you want the device to perform only as a bridge and connect the cameras by Ethernet cable, or perform a "repeater" function and rebroadcast the Jetpack's signal to the cams.
    The goal being to get everything that requires remote access to automatically connect to the chosen VPN server.  That way whenever you want to remotely connect and view the cameras all you need is a way to connect to the VPN server where everything is resting.  All you should have to do from there is keep the Jetpack/USB modem online and everything else will take care of itself from there.

  • Renumbering with ACL-Friendly Role-Based Addressing or...?

    We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
    As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
    Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN. This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically. Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches. Why so many, you ask? We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time - and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (e.g. printers, access points, etc.) over as many access switches as possible.
    From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
    Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
    Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
    Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
    Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
    Thanks in advance for your ideas!
    -Aaron

    Hi David,
    Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also, your Roles and Access components are coupled well with Views!
    My suggestion regarding the Management Beans is only to do with the dynamic modification that our discussion was going forward with.
    If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
    We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
    Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
    If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
    If the answer to the above is NO (no, I don't want to persist), you can still get the change role request to a web or session bean and keep going.
    Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
    One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
    May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
    Rajesh

  • 4 security level with 2 FWSM contexts

    Hello,
    I have to implement a DC with two 6509, ACE and FWSM with only a default license for 2 VFW.
    But the problem I have, is that I have 4 separate networks where I like to give a different security level.
    I'm using the FWSM in transparent mode.
    Any idea ? about using VRF ? ACE or something else ?
    Suggestions will be appreciated.
    Regards,
    Omar

    Hello Omar,
    Although I'm not familiar with the ACE blade we do run 2 X 6509s with FWSMs.
    In your case you could connect your 4 networks to a single context (VFW) since the max network connections per context is 8. You would create 4 BVIs (Bridge Virtual Interfaces.) Security levels in FWSMs don't have much meaning since you are required to specifically allow traffic to pass through the context regardless of which side of the BVI it comes from. By default no traffic flows at all. All traffic is filtered with ACLs.
    You could also create a VRF on the 6509 that could act as a central or core routing point for your networks. (We do this for 18 separate contexts and call it the fusion VRF.) However you would only use a VRF if you wanted to keep the routing table isolated from the global table running on the 6509's.
    Otherwise this is unnecessary.
    If you chose to run the FWSMs in multiple context mode you could have two networks per context, still connect them to a fusion VRF, and also run an Active/Active FWSM configuration which allows you to do a type of load sharing along with failover. One context is active and one context is standby on FWSM A and on FWSM B the roles reverse. This shares active traffic across the FWSM blades.
    Hope this brief description is helpful for you.
    Simon

  • How to extend a wifi network of third party router with TC 4th generation?

    After searching the communities for a while, I did not find a definitive answer on the following question:
    - I recently bought a 4th generation Time Capsule 2TB (MD0322/A), that I also want to use as an extension for our existing wifi network.
    - This wifi network is maintained by a Sitecom Wireless 300N XR Gigabit Router. Router is set to work over 2.4 GHz (B+G+N) because of several non-N-wifi devices in the network. The channel in use is currently 11.
    - This router provides so called WDS functionality, i.e. the ability for other wifi access points to act as a seamless extension of the basic wifi network (using the same SSID).
    - The security settings in the router are WPA2 Mixed, with a password in plain ASCII.
    - There seems to be no way to set different security levels for WDS-connections versus normal AP (access point) connections. If WDS is enabled, the security settings of the AP-mode are extended to the WDS connection.
    I have set the Sitecom router to enable WDS, and added the MAC-address of the TC in the configuration of this router.
    When configuring the Time Capsule, with Airport Utility 5.5.3, I can select the option to use TC to extend an existing network, and I can select the network of choice using the WPA personal or WPA/WPA personal security. However, the TC does not succeed in extending the network, and reports this back. If I manually configure the TC and select the network of choice, Airport Utility reports back that the selected network cannot be extended.
    I have read several times in other posts that Time Capsule can only connect to third party routers via WDS using WEP-authentication, but these posts were quite old. I was wondering if this is still the case, or that Apple has updated this functionality in newer versions of TC, and thus there could exist a trick to connect to a WDS using WPA.
    I really would appreciate suggestions
    Bram Bos

    gilles13 wrote:
    I have a Mac and PC (Win7); both are connected through a network with WiFi and already two access points.
    Airport can not be used to extend a WiFi created by a non-Apple box.
    You need to turn off the radio in the router (shut down the existing WiFi).  Purchase TWO Airport Express units.  Connect one to the router with an Ethernet cable.  Configure that one as your primary WiFi network and then use the second Express as the extender.
    You need to locate the second Express where it receives a decent WiFi signal.  Too far away and it has nothing to extend.  Too close and it doesn't buy you anything.  Before you plug in the second Express, check to see where the primary WiFi disappears completely.  My personal WAG is that you want to locate the second Express 2/3 the distance to that point.
    If you use Airport Utility to configure the units, it's a snap.  In fact, if you configure the primary first and the extender second, AU will default to exactly the settings that you want.
    By the way, I referred to the Express because it's less expensive than the Extreme and you didn't indicate any need for the Extreme features.

  • Frustrated - Can't connect to router with laptop after disconnect, other devices work fine.

    I have a RevI Actiontec router with dual antennas (not sure of firmware as I am not at home). My wife can be on her laptop all day, then when I come home with my iPad, it makes her lose connection to the router. The router still connects to my iPhone 4 and iPad (both with iOS 6.0.1), but she is unable to connect to the router at all. Everything continues to function normally on my Apple devices, so we are still connected to the internet. I have a laptop as well, and when this is happening, both of the laptops stop connecting, but the Apple devices and our Toshiba TV and Blu-ray players continue to function normally. As a temp fix, I disconnect internet from my iPad and restart the router. It works until we try to run both at the same time.
    I am mildly computer literate, though I know little about network setups beyond security, MAC filtering, and other slightly advanced setup stuff.
    This is really frustrating and seems to be getting worse. We used it like this in our new house for several months before this started happening.

    Also check to make sure neither of the devices are set to use a static IP address.

  • RA VPN into ASA5505 behind C871 Router with one public IP address

    Hello,
    I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
    PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
    The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and ESP to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes the VPN much simpler and easier, but I'd like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
    C871:
    version 15.0
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname router
    boot-start-marker
    boot-end-marker
    enable password 7 xxxx
    aaa new-model
    aaa session-id common
    clock timezone UTC -8
    clock summer-time PDT recurring
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 192.168.2.1
    ip dhcp excluded-address 192.168.2.2
    ip dhcp pool dhcp-vlan2
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.1
    ip cef
    ip domain name xxxx.local
    no ipv6 cef
    multilink bundle-name authenticated
    password encryption aes
    username xxxx password 7 xxxx
    ip ssh version 2
    interface FastEthernet0
    switchport mode trunk
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN Interface
    ip address 1.1.1.2 255.255.255.252
    ip access-group wna-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    interface Vlan1
    no ip address
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan10
    description router-asa
    ip address 10.10.10.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list nat-pat interface FastEthernet4 overload
    ip nat inside source static 10.10.10.1 interface FastEthernet4
    ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
    ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
    ip nat inside source static esp 10.10.10.2 interface FastEthernet4
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    ip route 10.10.10.0 255.255.255.252 10.10.10.2
    ip route 192.168.2.0 255.255.255.0 10.10.10.2
    ip access-list standard ssh
    permit 0.0.0.0 255.255.255.0 log
    permit any log
    ip access-list extended nat-pat
    deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    permit ip 192.168.2.0 0.0.0.255 any
    ip access-list extended wan-in
    deny   ip 192.168.0.0 0.0.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 127.0.0.0 0.255.255.255 any
    deny   ip 169.255.0.0 0.0.255.255 any
    deny   ip 255.0.0.0 0.255.255.255 any
    deny   ip 224.0.0.0 31.255.255.255 any
    deny   ip host 0.0.0.0 any
    deny   icmp any any fragments log
    permit tcp any any established
    permit icmp any any net-unreachable
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    permit esp any any
    permit icmp any any host-unreachable
    permit icmp any any port-unreachable
    permit icmp any any packet-too-big
    permit icmp any any administratively-prohibited
    permit icmp any any source-quench
    permit icmp any any ttl-exceeded
    permit icmp any any echo-reply
    deny   ip any any log
    control-plane
    line con 0
    exec-timeout 0 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class ssh in
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    scheduler max-task-time 5000
    end
    ASA:
    ASA Version 9.1(2)
    hostname asa
    domain-name xxxx.local
    enable password xxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxx encrypted
    names
    ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
    interface Ethernet0/0
    switchport trunk allowed vlan 2,10
    switchport mode trunk
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    no ip address
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.2 255.255.255.0
    interface Vlan10
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.252
    ftp mode passive
    clock timezone UTC -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name xxxx.local
    object network vlan2-mapped
    subnet 192.168.2.0 255.255.255.0
    object network vlan2-real
    subnet 192.168.2.0 255.255.255.0
    object network vpn-192.168.100.0
    subnet 192.168.100.0 255.255.255.224
    object network lan-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
    object network vlan2-real
    nat (inside,outside) static vlan2-mapped
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 10.10.10.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 10.10.10.1 255.255.255.255 outside
    ssh timeout 20
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    anyconnect-essentials
    group-policy vpn internal
    group-policy vpn attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn-split
    default-domain value xxxx.local
    username xxxx password xxxx encrypted privilege 15
    tunnel-group vpn type remote-access
    tunnel-group vpn general-attributes
    address-pool vpn-pool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    ikev1 pre-shared-key xxxx
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
    : end

    Hi,
    I think that you want to control all outbound traffic from the LAN to the outside by the ASA.
    I suggest some modifications as shown below.
    C871:
    interface Vlan2
    description LAN-192.168.2
    ip address 192.168.2.2 255.255.255.0
    no ip nat inside
    no ip proxy-arp
    ip virtual-reassembly
    ip access-list extended nat-pat
    no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
    no permit ip 192.168.2.0 0.0.0.255 any
    deny ip 192.168.2.0 0.0.0.255 any
    permit ip 10.10.10.0 0.0.0.255 any
    ASA 5505:
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    Try them out and respond.
    Best regards,
    MB

  • Can i setup a wifi router with my IPad2 without using a computer ?

    Can i setup a wifi router with my IPad2 without using a computer ?

    This is going to depend on what wireless router you get. Some want to do all administration functions via an Ethernet cable connection for security reasons.
    Once the router is configured, you will no longer need a computer.
    Try looking for a router that configures through a web browser & allows administration from a wifi connections.
    I think the easiest thing will be to have a friend come over & configure it with a laptop. I believe that you can configure the router without having a broadband connection. You could configure it at a friend's house. You might not want to connect to the friend's broadband so as not to confuse your friend's broadband. (This is only a worry if the router also includes the broadband modem. Just a wireless router without a modem is no worry.)
    Robert

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. - and they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport), they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc.) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list, but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy
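The leak Andy describes rests on one detail: the switch advertises the voice VLAN in a CDP TLV on a port that has not yet authenticated. The following Python is an added example, not code from the thread, that builds a constructed CDP payload and walks its TLVs to recover the voice VLAN, the same field an attacker would read off the wire with a sniffer and the same field an auditor can look for in a capture to find ports that advertise it. The TLV type numbers (0x0001 Device ID, 0x000A Native VLAN, 0x000E VoIP VLAN Reply) and the reply layout (one flag byte followed by a 16-bit VLAN ID) follow Wireshark's CDP dissector; the sample frame is constructed here, not captured, and its checksum is left as zero.

```python
import struct

# CDP TLV types (subset), as decoded by Wireshark's CDP dissector
TLV_DEVICE_ID = 0x0001
TLV_NATIVE_VLAN = 0x000A
TLV_VOIP_VLAN_REPLY = 0x000E


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is type (2 bytes) + length (2 bytes); length includes the header."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id: str, native_vlan: int, voice_vlan: int) -> bytes:
    """Constructed CDP payload (the bytes after the LLC/SNAP header) for the demo.

    Assumption: checksum field left as zero; a real frame carries a
    ones'-complement checksum over the whole CDP payload.
    """
    header = struct.pack("!BBH", 2, 180, 0)  # version 2, TTL 180 s, checksum 0
    return (header
            + build_tlv(TLV_DEVICE_ID, device_id.encode())
            + build_tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan))
            # VoIP VLAN Reply value: one flag byte, then the 16-bit voice VLAN ID
            + build_tlv(TLV_VOIP_VLAN_REPLY, b"\x01" + struct.pack("!H", voice_vlan)))


def parse_cdp(payload: bytes) -> dict:
    """Walk the TLVs and pull out the fields that matter for this discussion.

    A length shorter than the TLV header or running past the buffer stops the
    walk and flags the payload as malformed, instead of looping or over-reading.
    """
    if len(payload) < 4:
        raise ValueError("truncated CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            info["malformed"] = True
            break
        value = payload[offset + 4:offset + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", errors="replace")
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_VOIP_VLAN_REPLY and len(value) == 3:
            info["voice_vlan"] = struct.unpack("!H", value[1:3])[0]
        offset += tlv_len
    return info


# Constructed sample: switch "SW1" announcing native VLAN 1 and voice VLAN 200.
SAMPLE_FRAME = build_cdp("SW1", native_vlan=1, voice_vlan=200)

if __name__ == "__main__":
    print(parse_cdp(SAMPLE_FRAME))
```

Fed a real capture (for instance the CDP payload from a pcap, after stripping the Ethernet and LLC/SNAP headers), `parse_cdp` reports whether a given port advertises a `voice_vlan` at all; the practical mitigation under discussion is to stop that advertisement reaching unauthenticated ports, which is the 802.1x-on-the-phone point Andy raises.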

  • Security Router: Best and cheap recommendation for a home router (security bundled)

    Security Router: Best and cheap recommendation for a home router (security bundled), to practice commands and all CCSP configurations.
    Wireless needed, 802.11N preferred
    Looking for an all-in-one appliance solution, and maybe compatible with a future Unified Communications acquisition like a UC500 maybe...
    Please, please, please...

    At the moment checking these two options:
    SR520W-FE-K9
    CISCO881W-GN-A-K9
    Fast Ethernet

  • Airport Extreme as a router with an existing wireless DSL

    can someone tell me how to set up my Airport Extreme to use as a wireless router with an existing wireless ATT DSL modem?

    Hi - can you clarify what you mean by "use a wireless router"? You cannot use it as an additional router without causing a "double NAT" condition, which is not recommended. You can only do this if you change the DSL modem to a "dumb" modem like a cable modem. You also cannot wirelessly extend the network of a non-Apple product. You can, however, use it in bridge mode via ethernet to create a wireless network with the same name, security and password as the DSL modem in a different location. You can also use it to join your existing network as a wireless access point and provide ethernet to a remote location, but not provide a wireless signal.

  • Need help replacing a Netgear router with my old used wrt54g from another house.

    I had a WRT54G at my old house that was working great. Now the renters moved out and I got the router back. I have been having some issues with the Netgear router I'm using now so I would like to replace it with the Linksys. How do I do this? Do I need to hit the reset button? What do I set the settings at and how do I set up security so others can't access my network?

    Whoaw! Take it easy Ragnar....
    It is easy to setup the router with your existing network. I'd like to know your ISP. In a way, you can have the router set up manually according to your ISP settings, whether it is cable or DSL.
    For setting up the wireless to be secured, you can check this link.
    for heads up! <<<call_me_jam_>>>
