Securing Vlans by access lists

Hi,
I have configured some VLANs using a Cisco Catalyst 2950 switch and a Cisco 2611 XM router. I configured the router for inter-VLAN routing with 802.1q encapsulation and all is running well. Now I have started introducing some access policies between VLANs by the use of ACLs, but it seems to me I am not clear on the packet filtering mechanism (e.g. inbound versus outbound packets, etc.). I succeeded in stopping access between 2 VLANs in a bidirectional way, but I don't know the best way to permit traffic from vlan1 to vlan2 while stopping traffic from vlan2 to vlan1.
Help me please!

Check out the following link for information on Securing Networks with Private VLANs and VLAN Access Control Lists:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

Similar Messages

  • I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the MAC address is included on that list and that the password is correct. Under Choose Network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi NIC bad in this thing with the new Apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • WCS Error when clicking on Access List

    When I log into the WCS and under Security open up Access List and then click on one of the Access Lists to edit it, I get the error message attached. And this is also causing an Audit mismatch too. Any ideas?

    Is your WCS version equal to or higher than the WLC? Make sure all the services are running fine, but I get errors when the command fails due to the fact that something else has to be disabled or removed first.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • VLAN's, subinterface, access-lists and 3560 catalyst switch?

    Hi,
    How can I isolate VLAN 121 from all others?
    I have a Cisco 2811 router connected to a 3560 Catalyst switch which has 5 VLANs, of which I need to protect the IP traffic of 4 from 1.
    The following VLANs are configured on the switch:
    VLAN 0 192.168.132.0 /24
    VLAN 135 ..135.0 /24
    VLAN 137 ..137.0 /24
    VLAN 139 ..139.0 /24 and lastly,
    VLAN 121 192.168.121.0 /24, which I wish to isolate from all IP traffic from VLANs 0, 135, 137, and 139 but have internet out the 2811's other interface. Currently all VLANs and routing are working perfectly.
    I need some advice please. Here is my plan: to split FA0/0 into FA0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 on the FA0/0 interface. Since I'm essentially creating VLANs with the router, can or will that interfere with the switch VLAN configuration? Router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
    Thank you!

    I will have to assume VLAN 0 is the native VLAN / default interface on the router? All VLANs are numbered, native or not. Just ensure the VLAN numbering matches between the router and the trunking on the switch.
    Yes, you could create a sub-interface on the 2811 and use the router to route the VLAN. Apply an access list on the other interfaces to block access to the VLAN you want to protect. If you have routing enabled on the 3560 as well, you would complicate the situation a bit more.
    Please rate helpful posts! :-)

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I'd like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    MAC-based ACLs can be configured on the router. You will need to use an access-list which ranges from 700-799.
    A sample statement would be: access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

  • Move a mac access-list

    Ok, we have a MAC access-list that is set and we want it only set on a specific SSID, but it does not seem to be working that way and is hitting both SSIDs. The issue appears to be with this line, as it is not defined to the SSID nor any interface for that SSID:
    dot11 association mac-list 701
    I just can't figure out where to move it and how.  Any help would be great.
    Here is my config:
    BER-AP18#show running-config
    Building configuration...
    Current configuration : 11695 bytes
    ! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
    ! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname BER-AP18
    enable secret 5 SECRET
    clock timezone EST -5
    clock summer-time EDT recurring
    ip subnet-zero
    ip domain name domain.com
    ip name-server 10.0.36.73
    ip name-server 10.0.36.38
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 association mac-list 701
    dot11 vlan-name Wireless vlan 22
    dot11 ssid SWLAN
       vlan 36
       authentication open mac-address mac_methods
    dot11 ssid WSLAN
       vlan 22
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 SECRET
    crypto pki trustpoint TP-self-signed-689020510
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-689020510
    revocation-check none
    rsakeypair TP-self-signed-689020510
    username WirelessAdmin privilege 15 password 7 SECRET
    username 00166f44ec4f password 7 075F711D185F1F514317085802
    username 00166f44ec4f autocommand exit
    username 00166f46e83c password 7 15425B5D527C2D707E366D7110
    username 00166f46e83c autocommand exit
    username 00166f6bc2be password 7 091C1E584F531144090F56282E
    username 00166f6bc2be autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 1 size 128bit 7 SECRET transmit-key
    encryption mode wep mandatory
    encryption vlan 2 mode ciphers tkip
    encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
    encryption vlan 36 mode wep mandatory
    encryption vlan 22 mode ciphers tkip
    broadcast-key change 30
    ssid SWLAN
    ssid WSLAN
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    power local 1
    no power client local
    power client 100
    channel 2427
    station-role root
    rts threshold 2312
    l2-filter bridge-group-acl
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.22
    encapsulation dot1Q 22
    no ip route-cache
    bridge-group 22
    bridge-group 22 subscriber-loop-control
    bridge-group 22 block-unknown-source
    no bridge-group 22 source-learning
    no bridge-group 22 unicast-flooding
    bridge-group 22 spanning-disabled
    interface Dot11Radio0.36
    encapsulation dot1Q 36
    no ip route-cache
    bridge-group 36
    bridge-group 36 subscriber-loop-control
    bridge-group 36 block-unknown-source
    no bridge-group 36 source-learning
    no bridge-group 36 unicast-flooding
    bridge-group 36 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    l2-filter bridge-group-acl
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    hold-queue 160 in
    interface FastEthernet0.22
    encapsulation dot1Q 22
    no ip route-cache
    bridge-group 22
    no bridge-group 22 source-learning
    bridge-group 22 spanning-disabled
    interface FastEthernet0.36
    encapsulation dot1Q 36
    no ip route-cache
    bridge-group 36
    no bridge-group 36 source-learning
    bridge-group 36 spanning-disabled
    interface BVI1
    ip address 10.0.0.18 255.255.255.0
    no ip route-cache
    interface BVI22
    no ip address
    no ip route-cache
    ip default-gateway 10.0.0.1
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    access-list 701 permit 0016.6f38.5a75   0000.0000.0000
    access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
    access-list 701 permit 0016.6f72.8730   0000.0000.0000
    access-list 701 permit 0016.6f6b.c156   0000.0000.0000
    access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    control-plane
    bridge 1 route ip
    line con 0
    access-class 111 in
    line vty 0 4
    access-class 111 in
    line vty 5 15
    access-class 111 in
    sntp server 10.0.36.38
    end

    That looks good. I always get input vs output backwards. If it doesn't block the correct traffic, reverse the direction.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • How to create an Access list on core switch to block all Internet Traffic & allow some specific Internet Traffic

    Hello Everyone,
    I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
    I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
    Can we create such an Access-List with the above requirement?
    I tried to create the ACL on the switch but it blocks the whole internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general, just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
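    As an added illustration (not code from the reply above), a small Python simulation of the first-match, implicit-deny evaluation the reply describes, run over the three object-groups it proposes; the prefixes, group members, port and the ACL text are constructed for the example, and the parser only accepts the subset of IOS syntax used here.

```python
"""Simulate IOS-style extended ACL evaluation: top-down, first match wins,
implicit 'deny ip any any' at the end, with object-group address matching."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object-groups (sample prefixes are made up for this example).
OBJECT_GROUPS = {
    "intranet": ["10.0.0.0/8"],
    "allowed_servers": ["10.1.5.10/32", "10.1.5.11/32"],
    "allowed_sites": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Constructed ACL in the shape of the reply's main_acl; the Internet rule is
# restricted to HTTPS so that the port check is exercised.
MAIN_ACL = """
ip access-list extended main_acl
 permit ip any object-group intranet
 permit tcp object-group allowed_servers object-group allowed_sites eq 443
"""

# Constructed counter-example: a broad permit placed first hides the deny.
MISORDERED_ACL = """
ip access-list extended bad_acl
 permit ip any any
 deny tcp object-group allowed_servers object-group allowed_sites eq 443
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # "any" or an object-group name
    dst: str                     # "any" or an object-group name
    dport: Optional[int] = None  # destination port; None means any port


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'object-group NAME' at tokens[i]; return (spec, next i)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "object-group":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address token: {tokens[i]}")


def parse_acl(text: str) -> List[Ace]:
    """Parse the subset of IOS syntax used above into an ordered ACE list."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("ip", "remark"):  # header line or comment
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECT_GROUPS[spec])


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE). (deny, None) means
    nothing matched and the implicit deny at the end of the list applied."""
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.action, n
    return "deny", None


def _covers(spec_a: str, spec_b: str) -> bool:
    # Conservative: 'any' covers everything; otherwise only the same group.
    return spec_a == "any" or spec_a == spec_b


def shadowed_entries(aces: List[Ace]) -> List[int]:
    """1-based indices of entries that can never match because an earlier,
    broader entry already covers them: why specific rules belong at the top."""
    out = []
    for n, ace in enumerate(aces, 1):
        for earlier in aces[:n - 1]:
            if (earlier.proto in ("ip", ace.proto)
                    and earlier.dport in (None, ace.dport)
                    and _covers(earlier.src, ace.src)
                    and _covers(earlier.dst, ace.dst)):
                out.append(n)
                break
    return out
```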

  • Access list issues

    Hello,
    There has been an access list in place where I work since well before I arrived and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do - block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of PCs.
    The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
    Here is access list:
    ip access-list extended Quarantine_IN_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit udp any any eq domain
    permit tcp any eq 3389 any
    permit ip any host x.x.x.x (baseline server)
    permit ip any host x.x.x.x (share drive)
    permit ip any host x.x.x.x (domain controller)
    permit ip any host x.x.x.x (domain controller)
    ip access-list extended Quarantine_Out_L1
    permit icmp any any
    permit udp any any eq bootps
    permit udp any any eq bootpc
    permit udp any any eq domain
    permit tcp any any eq 3389
    permit ip host (baseline server) any
    permit ip host (share drive) any
    permit ip host (domain controller) any
    permit ip host (domain controller) any
    As I said, I tried changing the permit ip host (baseline server) any and ip any host (baseline server) to permit tcp statements. That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements. That also didn't work.
    Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
    Thanks,
    Kiley

    Paul,
    When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
    int vlan 500
    description BASELINE VLAN
    ip address x.x.x.x x.x.x.x
    ip access-group Quarantine_IN_L1 in
    ip access-group Quarantine_Out_L1 out
    ip helper-address x.x.x.x
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    Thanks,
    Kiley

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
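    As an added check (not code from the thread), a Python script that merges the running-config order of an ACL against its "show access-list" output, reports entries the device does not display, and returns the line number actually in effect for a positional insert; the sample below is a constructed, shortened version of the lines in the post above, reproducing the hidden CM0000088 remark.

```python
"""Find ACL entries present in the ASA running config but absent from
'show access-list', and map config positions to displayed line numbers."""
import re
from typing import Dict, List, Tuple

# Constructed sample (shortened from the post): remark CM0000088 is in the
# running config but never appears in 'show access-list'.
RUNNING_CONFIG = """\
access-list inside_access_in remark CM000067 JST:http_access
access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
access-list inside_access_in remark CM0000011 JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000088 JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 JST:DropIP
access-list inside_access_in extended permit ip host 172.31.254.2 any log
"""

SHOW_ACCESS_LIST = """\
access-list inside_access_in line 1 remark CM000067 JST:http_access
access-list inside_access_in line 2 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
access-list inside_access_in line 3 remark CM0000011 JST:PortRange
access-list inside_access_in line 4 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
  access-list inside_access_in line 4 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 5 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 6 remark CM0000014 JST:DropIP
access-list inside_access_in line 7 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
"""

CFG_RE = re.compile(r"^access-list (\S+) (remark|extended) (.*)$")
SHOW_RE = re.compile(r"^access-list (\S+) line (\d+) (remark|extended) (.*)$")


def parse_running(text: str) -> List[Tuple[str, str, str]]:
    """Return (acl, kind, body) per ACE or remark, in configuration order."""
    out = []
    for raw in text.splitlines():
        m = CFG_RE.match(raw.strip())
        if m:
            out.append(m.groups())
    return out


def parse_show(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (acl, line, kind, body) for top-level entries only; indented
    lines are object expansions that reuse the parent's line number."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace():
            continue
        m = SHOW_RE.match(raw)
        if m:
            acl, line, kind, body = m.groups()
            out.append((acl, int(line), kind, body))
    return out


def audit(acl: str, running_text: str, show_text: str
          ) -> Tuple[List[Tuple[int, str, str]], Dict[int, int]]:
    """Two-pointer merge of config order against displayed order.
    Returns (missing, mapping): missing = [(config_pos, kind, body)] for
    entries the device hides; mapping = {config_pos: displayed line number}.
    The displayed body is the config body plus logging/hitcnt suffixes, so a
    prefix comparison is used."""
    cfg = [e for e in parse_running(running_text) if e[0] == acl]
    shown = [e for e in parse_show(show_text) if e[0] == acl]
    missing, mapping, j = [], {}, 0
    for pos, (_, kind, body) in enumerate(cfg, 1):
        if j < len(shown) and shown[j][2] == kind and shown[j][3].startswith(body):
            mapping[pos] = shown[j][1]
            j += 1
        else:
            missing.append((pos, kind, body))
    return missing, mapping


def insert_line_for(acl: str, running_text: str, show_text: str,
                    config_pos: int) -> int:
    """Line number to pass to 'access-list NAME line N ...' so that a new
    entry lands in front of the config entry at config_pos, using the
    numbering the device actually applies rather than the config count."""
    _, mapping = audit(acl, running_text, show_text)
    return mapping[config_pos]
```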

  • Need help for access list problem

    Cisco 2901 ISR
    I need help with my configuration.... Although it is working fine, it is not secure because everybody can access the internet.
    I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
    Anybody can help?
    DENY 10.25.0.1 – 10.25.0.255
         10.25.1.1 – 10.25.1.255
    Permit only 1 host for Internet:
         10.25.7.136 255.255.255.192 ------ TMG Server
    Using access-list.
    ( Current configuration  )
    object-group network IP
    description Block_IP
    range 10.25.0.2 10.25.0.255
    range 10.25.1.2 10.25.1.255
    interface GigabitEthernet0/0
    ip address 192.168.2.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 256
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description ### ADSL WAN Interface ###
    no ip address
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    interface Dialer1
    description ### ADSL WAN Dialer ###
    ip address negotiated
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
    ip nat inside source list 101 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.25.0.0 255.255.0.0 192.168.2.1
    access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    access-list 105 deny   ip object-group IP any
    From the 4500 Catalyst switch
    ( Current Configuration )
    interface GigabitEthernet0/48
    no switchport
    ip address 192.168.2.1 255.255.255.0
    interface GigabitEthernet2/42
    ip route 0.0.0.0 0.0.0.0 192.168.2.3

    Hello,
    Hosts can't get an internet connection.
    I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    and changed the configuration to:
    ip access-list extended 101
    5 permit ip host 10.25.7.136 any
    In this case I will allow only host 10.25.7.136, but it doesn't work.
    No internet connection from the TMG Server.

  • Access-list in Cisco 3560 Series Switch

    Guys,
    I will be implementing access-lists in a 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow ports that users need to access. The ports will be as follows: tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and the port used by the IP Phone.
    Hope you can help me guys.
    Thanks,
    John

    And then don't forget to call this access-list on the interface or VLAN you want to apply it to.
    You can use a number for the ACL > 100 or a name, as indicated earlier.
    If you go with just a number :
    access-list 100 permit tcp any any eq 80 81 ...
    access-list 100 permit udp any any eq 23
    int g1/0/1
    ip access-group NAME in
    OR
    ip access-group 100 in
    As for example :
    NMS-3750-A(config-if)#ip acc
    NMS-3750-A(config-if)#ip access-group ?
    <1-199> IP access list (standard or extended)
    <1300-2699> IP expanded access list (standard or extended)
    WORD Access-list name

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC, which limits an access-list to only 64 entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 -- On Vlan 1
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • Access-list problem ?

    Hello, I'm having problems getting an access-list to work. With the access-group 104 in I lose my internet connectivity.
    Here's the config. If I remove the access-group 104 in from GigabitEthernet0/0 all works, but I want to have the settings on this interface.
    What am I missing?
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r01
    boot-start-marker
    boot-end-marker
    logging buffered 15000
    no logging console
    no aaa new-model
    clock timezone CET 1 0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 172.17.1.1 172.17.1.30
    ip dhcp excluded-address 172.17.1.240 172.17.1.254
    ip dhcp excluded-address 172.17.3.1 172.17.3.30
    ip dhcp excluded-address 172.17.3.240 172.17.3.254
    ip dhcp pool VLAN1
    network 172.17.1.0 255.255.255.0
    domain-name r1.local
    default-router 172.17.1.254
    dns-server 212.54.40.25 212.54.35.25
    lease 0 1
    ip dhcp pool VLAN100
    network 172.17.3.0 255.255.255.0
    domain-name r1_Guest
    default-router 172.17.3.254
    dns-server 212.54.40.25 212.54.35.25
    lease 0 1
    ip domain name r1.lan
    ip name-server 212.54.40.25
    ip name-server 212.54.35.25
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    object-group network temp
    description dummy addresses
    1.1.1.1 255.255.255.0
    2.2.2.2 255.255.255.0
    object-group network vlan1-lan
    172.17.1.0 255.255.255.0
    object-group network vlan100-guest
    172.17.3.0 255.255.255.0
    object-group network ziggo-dns
    host 212.54.40.25
    host 212.54.35.25
    redundancy
    ip ssh version 2
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address dhcp
    ip access-group 104 in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description r1.local lan
    ip address 172.17.1.254 255.255.255.0
    ip access-group 102 in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    description Vlan100 r1_Guest
    encapsulation dot1Q 100
    ip address 172.17.3.254 255.255.255.0
    ip access-group 103 in
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    no cdp enable
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 172.17.2.0 255.255.255.0 172.17.1.253
    access-list 23 permit 172.17.1.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 102 deny ip any object-group vlan100-guest
    access-list 102 permit ip any any log
    access-list 103 deny ip any object-group vlan1-lan
    access-list 103 permit ip any any
    access-list 104 permit tcp any any eq 22
    access-list 104 permit udp any any eq snmp
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp object-group temp any echo
    access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
    access-list 104 deny ip any any log
    no cdp run
    control-plane
    line con 0
    login local
    line aux 0
    line 2
    login local
    no activation-character
    no exec
    transport preferred none
    transport input ssh
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    login local
    transport input ssh
    scheduler allocate 20000 1000
    end

    Hello,
    I applied the rules and that works.
    Only thing I have now:
    Reboot router.
    Interface 0/0 gets no DHCP address from the ISP.
    I have to remove the 104 in from int 0/0.
    Then the router logs: %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01
    Int0/0 gets a DHCP IP address; next I apply the ACL 104 in to int 0/0 and all works until the next reboot.
    Maybe I have to put a static IP address on int0/0?
    Thanks for your help!
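The two ACL threads above turn on the same evaluation rule: an IOS extended ACL is walked top to bottom, the first matching entry decides, and anything unmatched falls into the implicit deny. The model below is an added example (not code from either poster or from Cisco) that checks the 3560 "permit only these ports" ACL from the earlier reply, and then runs the ISP's DHCP reply through ACL 104 from the posted config, with a hypothetical extra entry permitting UDP bootps -> bootpc to show what the post-reboot DHCP failure looks like. Packets are constructed; ICMP entries of ACL 104 are not modelled.

```python
# Added example (not from either thread): a small model of how a Cisco IOS extended
# ACL is evaluated -- top to bottom, first match wins, and anything unmatched hits
# the implicit "deny ip any any". It shows (a) the "block all, permit only these
# ports" ACL for the 3560 question and (b) why ACL 104 from the posted config,
# inbound on DHCP-client interface Gi0/0, drops the ISP's DHCP reply (UDP 67 -> 68).
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # source port
    dport: int   # destination port

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp", "icmp" or "ip" (any)
    sport: Optional[int] = None          # None = any (no "eq" on the source)
    dports: Optional[Tuple[int, ...]] = None  # None = any; a tuple models "eq 80 81 ..."

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        return self.dports is None or p.dport in self.dports

def evaluate(acl: List[Ace], p: Packet) -> str:
    """Action of the first matching ACE, else the implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"  # implicit "deny ip any any" that ends every IOS ACL

# (a) The 3560 allow-list from the reply above; no explicit deny line is needed.
ALLOW_LIST = [
    Ace("permit", "tcp", dports=(80, 81, 8080, 25, 110, 143)),
    Ace("permit", "udp", dports=(23,)),
]

# (b) Port-based entries of ACL 104 from the posted config (its ICMP entries are
# omitted; the packets tested here are UDP/TCP). DHCP_FIX is a hypothetical extra
# entry, "permit udp any eq bootps any eq bootpc", placed before the final deny.
ACL_104 = [Ace("permit", "tcp", dports=(22,)), Ace("permit", "udp", dports=(161,)),
           Ace("deny", "ip")]
DHCP_FIX = Ace("permit", "udp", sport=67, dports=(68,))
ACL_104_FIXED = ACL_104[:-1] + [DHCP_FIX, ACL_104[-1]]
DHCP_REPLY = Packet("udp", 67, 68)  # constructed: ISP DHCP server answering Gi0/0
```

Note that TCP 23 (telnet) is denied by ALLOW_LIST even though UDP 23 is permitted: protocol and port must both match, and the implicit deny catches the rest.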

  • Unknown devices appearing in my access list

    I have a WPN824 wireless router and in the last two weeks, I've found three devices in the access list that I didn't put there. I first found the three devices last week and deleted them from the list. Tonight, I found them again. All three devices have different MAC addresses, but use the same device name: "NMADDR." My access list has 12 devices that I added for all the devices I want to connect.
    The router is connected to a broadband cable (ComCast) modem.
    I manage the router and am the only one with the password. The password is a strong 10 character password.
    I use Cisco's Network Magic Pro v5.5.9 to manage my home network.  
    I was wondering if anyone else has run across something like this and can explain how these devices can be "automagically" added to what I thought was a secure router?
    Thanks.

    May I suggest that this could be either a PDA device, an Apple iTouch or perhaps a WiFi mobile - I had a similar issue a little time back and this was the ghost in the system.

  • Access List and Conflict Resolution Problem!

    My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
    I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
    Setting the Conflict Resolution Level
    You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
    See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
    Unfortunately the referenced Administration Guide for DSAME contains exactly 0 occurrences of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
    So, I've set up my Access List services as follows:
    o URL Deny is blank on all Access Lists
    o URL Allow set as follows
    ---- isp
    ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
    ---- acme.com organization
    ------- Conflict Resolution: Highest
    ------- http://portal.acme.com/portal/* (same as above)
    ---- Acme Customers Role - shared role for all Acme customers
    ------- Conflict Resolution: Medium
    ------- http://www.acme.com/*
    ------- http://support.acme.com/*
    ------- http://support2.acme.com/*
    ---- RoadRunner role - specific role for a specific customer
    ------- Conflict Resolution: Medium
    ------- http://roadrunnerinfo.acme.com/*
    The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
    The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
    Setting the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
    If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
    So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
    Thanks!
    -matt

    Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.
