SLM2024 ACL configuration

I have a question on how to set up an ACL configuration on the SLM2024. I originally got this switch just to be able to monitor network ups/downs on the ports, and this has worked great in diagnosing the problems I was having originally. Now, however, I have to set up something on here that I have never had to do, and am unsure how to do it.
I have a computer that sends out a UDP broadcast that is causing our Xerox Phaser network printer to shut down if it sees the broadcast. The Phaser is designed in a way that if it sees something on the network it thinks is harmful it will shut itself off to protect itself, and on startup if it sees something harmful it will not start up; it will go into an infinite restart loop.
After fully testing everything I can think of, I got it down to a piece of software on the computer that sends the UDP broadcast. If this software is not running the printer works fine. Unfortunately the software needs to run 24/7, and we need to print.
Both the computer and printer have static IP addresses, and basically all I want to do is set up an ACL (at least that's what others have told me) to block communication between those two IP addresses so that the printer won't see the UDP broadcast anymore.
So my question is, would an ACL block that traffic? And if so, how do I set it up? I looked in the manuals that came with the switch, and I'm not really seeing any information on how to do it. If anyone can give me some insight into what I need to do I would greatly appreciate it.
Thanks

Similar Messages

  • 4500 IOS-XE: Crash on ACL configuration

    Hi All ,
    We have recently migrated from standalone to VSS on our C4500 switches with Sup 7-E,
    but the switch crashes every time we edit or modify the ACL, with the below error message:
    %SYS-3-BADBLOCK: Bad block pointer 
    %SYS-6-MTRACE: mallocfree: addr, pc
    %SYS-6-BLKINFO: Corrupted next pointer blk
    %SYS-6-MEMDUMP: 0x7E043FF8
    We noticed that there is a new bug for this issue, i.e.
    CSCun33897 Symptom:
    A Catalyst 4500 series switch running IOS-XE may unexpectedly reboot when ACL configuration is applied to an interface.
    but there is no fix available yet.
    Please let me know if anyone has had this kind of issue. I appreciate your suggestions and feedback on this issue.
    Current used image: cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin.
    Thanks in advance.

    It seems to closely match the bug you mentioned.
    If you upload the crashinfo I can look at it and try to confirm.
    Regards
    Naveen
    ***rate if it is helpful***

  • Acl configuration

    Hello everyone,
    I have a doubt about the ACL configuration in my ASA.
    I have this ACL, which means that 10.10.11.2 can do www to the host 10.10.10.1:
    access-list 100 extended permit tcp host 10.10.11.2 host 10.10.10.1 eq www
    and 
    access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2 (hitcnt=31)
    which means that the host 10.10.10.1 can do www to the host 10.10.11.2.
    The host 10.10.10.1 can't do www to the host 10.10.11.2, but the host 10.10.11.2 can, and the second ACL has hits.
    Is it right?
    Thanks.

    If you want to allow host 10.10.10.1 to hit 10.10.11.2 on www then you should change the syntax to:
    access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www
    Your original syntax:
    access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2
    By placing the "eq www" after the source IP, you are telling the ASA that the source port is 80/www. Instead, you want the destination port to be 80/www, and as a result you need to place it after the destination IP. 
    Also, you can always use the "packet-tracer" command to see exactly what is blocking your traffic :)
    Thank you for rating helpful posts!
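Two points in this page come down to how an extended ACL line is read: in the ASA reply just above, which address an "eq www" follows decides whether it constrains the source or the destination port; and in the SLM2024 question at the top, a rule written as a host-to-host pair never matches a broadcast, because the broadcast's destination address is not the printer's address. The following Python model is an added example, not code from either thread or from Cisco. It parses the subset of ASA extended access-list syntax used on this page (host / any / network+mask, optional "eq" after either address), evaluates packets first-match with the implicit deny, and runs the posted ACL lines plus constructed packets through it. The 192.0.2.x addresses, UDP port 5000 and TCP port 9100 are constructed placeholders for the real PC, printer and application port, which the question does not give.

```python
"""Toy matcher for Cisco ASA-style extended access-list lines.

Added illustration, not Cisco code. Supports the subset of the syntax seen
in this thread: host / any / "<network> <mask>" addresses and an optional
"eq <port>" after the source or the destination address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21, "ntp": 123}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError("unknown service name: " + tok)


def parse_acl_line(line: str) -> Rule:
    """access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]"""
    toks = line.split()
    if len(toks) < 7 or toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError("not an extended access-list line: " + line)
    action, proto = toks[3], toks[4]
    pos = 5

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        tok = toks[pos]
        if tok == "any":
            pos += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tok == "host":
            pos += 2
            return ipaddress.IPv4Network(toks[pos - 1] + "/32")
        pos += 2                                   # "<network> <mask>"
        return ipaddress.IPv4Network(f"{toks[pos - 2]}/{toks[pos - 1]}", strict=False)

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src = take_addr()
    sport = take_port()   # an "eq" right after the source binds to the SOURCE port
    dst = take_addr()
    dport = take_port()   # an "eq" after the destination binds to the DESTINATION port
    return Rule(action, proto, src, sport, dst, dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching line wins; every ACL ends with an implicit deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# --- 1. ASA thread: where "eq www" sits decides which port it constrains.
ACL_AS_POSTED = [parse_acl_line(l) for l in (
    "access-list 100 extended permit tcp host 10.10.11.2 host 10.10.10.1 eq www",
    "access-list 100 extended permit tcp host 10.10.10.1 eq www host 10.10.11.2",
)]
ACL_CORRECTED = [ACL_AS_POSTED[0], parse_acl_line(
    "access-list 100 extended permit tcp host 10.10.10.1 host 10.10.11.2 eq www")]
# Constructed packets: a browser on 10.10.10.1 opening a web connection to
# 10.10.11.2 (ephemeral source port, destination 80), and a packet whose
# SOURCE port is 80, which is all the posted second line can ever match.
WEB_FROM_10_10_10_1 = Packet("tcp", "10.10.10.1", "10.10.11.2", sport=51515, dport=80)
SRC_PORT_80 = Packet("tcp", "10.10.10.1", "10.10.11.2", sport=80, dport=51515)

# --- 2. SLM2024 question: a host-to-host deny never sees a broadcast.
PC, PRINTER = "192.0.2.10", "192.0.2.20"        # constructed placeholder addresses
PERMIT_ALL = parse_acl_line("access-list BLOCK extended permit ip any any")
PAIR_ACL = [parse_acl_line(f"access-list BLOCK extended deny udp host {PC} host {PRINTER}"), PERMIT_ALL]
# Matching on the sender and the UDP port it broadcasts to instead
# (5000 is a placeholder for the application's real port).
SENDER_ACL = [parse_acl_line(f"access-list BLOCK extended deny udp host {PC} any eq 5000"), PERMIT_ALL]
BROADCAST = Packet("udp", PC, "255.255.255.255", sport=5000, dport=5000)
PRINT_JOB = Packet("tcp", PC, PRINTER, sport=40001, dport=9100)   # unrelated TCP traffic from the PC

if __name__ == "__main__":
    print("as posted, web from 10.10.10.1:", evaluate(ACL_AS_POSTED, WEB_FROM_10_10_10_1))  # deny
    print("corrected, web from 10.10.10.1:", evaluate(ACL_CORRECTED, WEB_FROM_10_10_10_1))  # permit
    print("as posted, source port 80:     ", evaluate(ACL_AS_POSTED, SRC_PORT_80))          # permit
    print("host-pair deny vs broadcast:   ", evaluate(PAIR_ACL, BROADCAST))                 # permit
    print("sender/port deny vs broadcast: ", evaluate(SENDER_ACL, BROADCAST))               # deny
    print("sender/port deny vs print job: ", evaluate(SENDER_ACL, PRINT_JOB))               # permit
```

The broadcast case is the check to make before building the SLM2024 rule: the packet the printer objects to is addressed to the broadcast address, so a rule keyed on the printer's unicast address passes it. Keying the deny on the sending computer, the protocol and the port, and applying it where that computer's traffic enters the switch, stops the broadcast for every host on the segment, which is fine if nothing else needs it; if something does, an egress filter on the printer's own port is the narrower option where the switch offers one. Either way the rule leaves the computer's other traffic alone.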

  • ACL - configuration help

    Hello, I have a newly configured 5510 and would appreciate a look over the configuration and some questions I have. It's a long post and I appreciate anyone taking time to read through it.
    My goals are the following:
         to allow the inside network 10.20.145.0 internet access, as long as the connection starts inside
         To allow the neighbor network that comes in through the outside interface, origin 170.20.0.0/16, access to 10.20.145.0 (bidirectional)
         The tunnel from the neighbor LAN to the inside LAN happens through a VPN concentrator that has external IP address 77.76.19.35
         Allow certain devices on the DMZ to access the internet and allow outside-to-inside connections on certain ports
    Much of the settings I have configured are coming from a Juniper that is currently online but needs to be replaced.
    The network is set up as below, for a chart of traffic:
    ISP ---- Internet router ---- switch (3 active connections) 1. firewall  2. internet router   3. vpn concentrator
    There is an internal 3750 that I have configured with IP 10.20.145.15, since it comes up often.
    I'm using public IPs on the machines on the DMZ, though I'm thinking of changing that to an internal VLAN and then NATing it out. Well, here's what I have so far:
    =================================================================================================
    ASA Version 8.3(2)
    hostname ASA
    domain-name a.domain.com
    enable password l4Tu/tqHeN0MdD7t encrypted
    passwd dL9fmCBkHiwx4Iib encrypted
    names
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    interface GigabitEthernet1/0
    description outside-interface-connected-to-internet-switch
    speed 1000
    duplex full
    shutdown
    nameif outside
    security-level 0
    ip address 76.77.19.34 255.255.255.240
    interface GigabitEthernet1/1
    description inside-int-10.20.145-network
    speed 1000
    duplex full
    shutdown
    nameif inside
    security-level 100
    ip address 10.20.145.3 255.255.255.192
    interface GigabitEthernet1/2
    shutdown
    nameif DMZ
    security-level 50
    ip address 76.77.19.49 255.255.255.240
    interface GigabitEthernet1/3
    shutdown
    no nameif
    no security-level
    no ip address
    boot system disk0:/asa832-k8.bin
    ftp mode passive
    clock timezone EST -5
    lock summer-time EDT recurring
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 76.77.6.11
    name-server 66.72.76.84
    name-server 4.2.2.1
    name-server 8.8.8.8
    domain-name a.domain.com
    object network Inside_lan
    subnet 10.20.145.0 255.255.255.0
    object network NET-neighbor
    subnet 170.20.0.0 255.255.0.0
    description neighbor_LAN 
    object network 76.77.19.44_cake
    host 76.77.19.44
    description cake 
    object network 76.77.19.59
    host 76.77.19.59
    description streaming 
    object network 76.77.19.61
    host 76.77.19.61
    description streaming 
    object network cindy
    host 50.56.249.224
    description cindy 
    object-group network internal-LAN
    network-object object Inside_lan
    object-group service 3306 tcp
    description 3306
    port-object eq 3306
    object-group service 4567 tcp
    description 4567
    port-object eq 4567
    object-group icmp-type ICM
    description ICM_basic
    icmp-object echo
    icmp-object echo-reply
    icmp-object time-exceeded
    icmp-object traceroute
    icmp-object unreachable
    object-group service Retriever_SVC tcp
    description Retriever
    port-object range 8000 8001
    object-group service Production tcp
    description PM
    port-object range www www
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service Streaming tcp
    description streaming server
    port-object eq 7009
    object-group service UDP123 udp
    description 123
    port-object eq ntp
    object-group service affordable tcp
    description affordable legacy
    port-object eq 85
    object-group service market tcp
    description ports for market  dmz
    port-object eq 2189
    port-object eq 2190
    port-object eq 2192
    port-object eq 2194
    object-group service messenger tcp
    description air messenger
    port-object eq 444
    object-group service traffic-701 tcp
    description 701
    port-object eq 701
    object-group service ntp1 udp
    description ntp-udp-1
    group-object UDP123
    object-group service payroll tcp
    description payroll port
    port-object eq 714
    object-group service snmp-udp udp
    description snmp udp 1
    port-object eq snmp
    object-group service vitrol tcp
    description vitrol custom
    port-object eq 5986
    object-group service webconferrence tcp
    description webconference legacy port
    port-object eq 1417
    port-object eq 407
    object-group service webmail tcp
    description webmail ports
    port-object eq 2095
    object-group service INLINE_TCP_1 tcp
    port-object eq ftp
    port-object eq ftp-data
    object-group service INLINE_SERVICE_1
    service-object tcp
    service-object icmp echo-reply
    service-object icmp traceroute
    service-object icmp unreachable
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object udp destination eq echo
    service-object udp destination eq ntp
    service-object udp destination eq radius
    service-object udp destination eq radius-acct
    service-object udp destination eq syslog
    object-group network INLINE_NETWORK_1
    network-object host 76.57.19.53
    network-object host 255.255.255.255
    object-group service INLINE_TCP_2 tcp
    group-object Streaming
    group-object vitrol
    object-group service INLINE_SERVICE_2
    service-object ip
    service-object tcp
    service-object tcp destination eq ftp
    service-object tcp destination eq ftp-data
    service-object tcp destination eq www
    service-object tcp destination eq https
    service-object tcp destination eq ssh
    access-list internet extended permit ip object Inside_lan interface outside
    access-list internet extended permit object-group DM_INLINE_SERVICE_1 object Inside_lan any
    access-list syndicaster extended permit tcp object Cindy object Inside_lan object-group INLINE_TCP_1
    access-list streaming extended permit tcp interface DMZ any object-group Streaming
    access-list streaming59 extended permit tcp object 76.77.19.59 interface outside object-group Streaming
    access-list streaming_outside_in extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
    access-list neighbor extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    object network Inside_lan
    nat (any,outside) dynamic interface
    access-group neighbor in interface outside
    access-group neighbor out interface inside
    route outside 0.0.0.0 0.0.0.0 76.77.19.33 1
    route inside 10.0.0.0 255.255.255.0 10.20.145.4 1
    route inside 10.0.1.0 255.255.255.0 10.20.145.2 1
    route inside 10.20.145.0 255.255.255.0 10.20.145.15 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 10.20.145.39 255.255.255.255 inside
    telnet timeout 5
    ssh 10.20.145.39 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd dns 76.77.6.11 64.22.16.84
    dhcpd domain a domain
    dhcpd option 6 ip 4.2.2.1
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username joe password m6OO.pH/13qc7ypS encrypted privilege 15
    username bob password N./x1Ut.gM.QGZLa encrypted privilege 15
    username bill password uZjIWeHtovCOweHJ encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:06eb82d8d8a3ae82352512cd707e7f4a
    ========================================================================================================================================================
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list internet; 14 elements; name hash: 0xb30cf7fe
    access-list internet line 1 extended permit ip object Inside_lan interface outside 0xe073f975
      access-list internet line 1 extended permit ip 10.20.1450 255.255.255.0 interface outside (hitcnt=0) 0xe073f975
    access-list internet line 2 extended permit object-group INLINE_SERVICE_1 object Inside_lan any 0x2e33ca08
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any (hitcnt=0) 0xa576d14f
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any echo-reply (hitcnt=0) 0x15cccd5c
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any traceroute (hitcnt=0) 0x8aab2f53
      access-list internet line 2 extended permit icmp 10.20.145.0 255.255.255.0 any unreachable (hitcnt=0) 0xe02606e1
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp (hitcnt=0) 0x6d0043b6
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq ftp-data (hitcnt=0) 0xce904411
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq www (hitcnt=0) 0x1ddebc69
      access-list internet line 2 extended permit tcp 10.20.145.0 255.255.255.0 any eq https (hitcnt=0) 0x1a3b15bc
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq echo (hitcnt=0) 0xadc66030
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq ntp (hitcnt=0) 0xa67a4406
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius (hitcnt=0) 0x230419e6
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq radius-acct (hitcnt=0) 0xa8ae0824
      access-list internet line 2 extended permit udp 10.20.145.0 255.255.255.0 any eq syslog (hitcnt=0) 0x051c7ef5
    access-list cindy; 2 elements; name hash: 0x807c55e5
    access-list cindy line 1 extended permit tcp object cindy object Inside_lan object-group DM_INLINE_TCP_1 0xe35e702c
      access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0x64b321cc
      access-list cindy line 1 extended permit tcp host 50.56.249.224 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x55109118
    access-list streaming; 1 elements; name hash: 0xfd34cf16
    access-list streaming line 1 extended permit tcp interface DMZ any object-group Streaming_custom 0x8b2e87d1
    access-list streaming line 1 extended permit tcp interface DMZ any eq 7009 (hitcnt=0) 0xb13a2776
    access-list streaming59; 1 elements; name hash: 0x959c1f3b
    access-list streaming59 line 1 extended permit tcp object 76.77.19.59 interface outside object-group Streaming_custom 0xc173840d
    access-list streaming59 line 1 extended permit tcp host 76.77.19.59 interface outside eq 7009 (hitcnt=0) 0x84cd9084
    access-list streaming_outside_in; 4 elements; name hash: 0x3f86c9d4
    access-list streaming_outside_in line 1 extended permit tcp interface outside object-group INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 7009 (hitcnt=0) 0x06c04720
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 206.57.19.53 eq 5986 (hitcnt=0) 0x9ae9047e
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 7009 (hitcnt=0) 0x5e3553e8
      access-list streaming_outside_in line 1 extended permit tcp interface outside host 255.255.255.255 eq 5986 (hitcnt=0) 0x1f5d8fd9
    access-list neighbor; 7 elements; name hash: 0xc99eb2b4
    access-list neighbor line 1 extended permit object-group INLINE_SERVICE_2 object NET-neighbor object Inside_lan 0xc9688a21
      access-list neighbor line 1 extended permit ip 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0xe1e8b995
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 (hitcnt=0) 0x462beedc
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp (hitcnt=0) 0xf238c75e
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ftp-data (hitcnt=0) 0x266e675b
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq www (hitcnt=0) 0x8627ec0a
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq https (hitcnt=0) 0x3cae424a
      access-list neighbor line 1 extended permit tcp 170.20.0.0 255.255.0.0 10.20.145.0 255.255.255.0 eq ssh (hitcnt=0) 0xcb6666b3

    Hi,
    For the Default Dynamic PAT rule that you are asking for the single "inside" network I would suggest the following
    First remove the current NAT configurations
    nat (inside,outside) source dynamic any interface
    object network Inside_lan
    nat (any,outside) dynamic interface
    Then reconfigure the NAT in the following way
    object-group network DEFAULT-PAT-SOURCE
    network-object 10.20.145.0 255.255.255.0
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    This will create an "object-group" for the networks or hosts that should be PATed to the "outside" interface IP address when accessing the Internet. If you want more internal networks to get PATed the same way, you simply add the network under the "object-group" alongside the already existing "inside" network.
    The "after-auto" parameter also makes sure that this NAT rule doesn't override any other future rules. The parameter in question moves the NAT rule to the bottom of the NAT rules, so it's one of the last matched against when traffic arrives on the firewall from behind "inside".
    With regards to the neighbor network of 172.20.0.0/16, is this some network that is going to be behind a L2L VPN or is simply almost directly behind the "outside" interface?
    In general the NAT format for this kind NAT is
    object network NEIGHBOR
    subnet 172.20.0.0 255.255.0.0
    object-group network NEIGHBOR-SOURCE
    network-object 10.20.145.0 255.255.255.0
    nat (inside,outside) source static NEIGHBOR-SOURCE NEIGHBOR-SOURCE destination static NEIGHBOR NEIGHBOR
    I basically use an "object network" to define the remote network and an "object-group network" to define the source network for this NAT. I use "object-group" for the source again because it leaves us room to add more networks under it if needed. Notice that "object network" can only hold one subnet/range/host while "object-group network" can hold pretty much as many as you want.
    I think the ACL configurations will have to be looked through also.
    Notice that if you want to control traffic from behind "outside", for example, then you can only use one interface-bound ACL to control that traffic. So every rule from "outside" to "inside" or to "dmz" has to be in the same ACL. Also, this ACL would be attached to the "outside" interface in the "in" direction. For example "access-group OUTSIDE-IN in interface outside".
    If we are talking about VPN connections configured directly to the ASA there are some other options compared to the above.
    But as I said, it's better that your needs regarding the ACL rules are gone through more in depth to really know how we should configure them, as I am myself not sure what all the above ACLs are supposed to do.
    One final question for you. You have this network directly on the "inside" interface: 10.20.145.3 255.255.255.192. But you also talk about it with mask /24. Is the ASA "inside" connected to some internal L3 device which hosts the rest of the segments of this whole /24 network, as currently the "inside" interface holds a /26?
    Are ANY users/networks behind the ASA "inside" interface using the ASA directly as their gateway? I noticed that your setup would seem to have (as I mentioned in another thread to you) several devices connected to the same LAN network (router, VPN, firewall). What I fear will happen is that IF any "inside" users use the ASA as their gateway and have to be routed back through the ASA "inside" interface to some other gateway, this will result in asymmetric routing, and the ASA doesn't really handle that kind of situation that well.
    - Jouni

  • Clearing an Dynamic Cluster -HSRP and Dynamic Cluster -NAT ACL configuration

    I am trying to upgrade a 2950-24 Catalyst switch that was previously configured with both Dynamic HSRP and NAT ACLs as shown in the extract below.
    I would like to remove this configuration but it is proving so difficult; this is because I don't understand how the configuration got here in the first place. Please help.
    =========================================================
    SW1#show access-list
    Extended IP access list CMP-NAT-ACL
        Dynamic Cluster-HSRP deny   ip any any
        Dynamic Cluster-NAT permit ip any any
    =========================================================
    interface Vlan1
     ip address 192.168.87.2 255.255.255.0
     no ip route-cache
    ip http server
    ip access-list extended CMP-NAT-ACL
     dynamic Cluster-HSRP deny   ip any any
     dynamic Cluster-NAT permit ip any any
    line con 0
     exec-timeout 0 0
    line vty 0 4

  • Extended ACL configuration

    Hello everyone,
    I use ACLs on a daily basis, and every now and then I need to insert a remark above a particular line.
    As of today I do the following:
    Step 1: Create a temp. copy of the desired ACL and bind it to the interface to ensure functionality while editing the original ACL
    Step 2: Delete the original ACL and then recreate it with the added line(s)
    Step 3: Bind the newly created ACL to the interface, delete the temp. created ACL
    Is there a way, similar to including new lines by using the sequence numbers, to insert a remark above a specific line?
    thanks in advance
    Marcel

    Hi Marcel
    You didn't mention what kind of device (model, firmware/IOS version) you are writing about.
    ACLs can be done on a variety of devices with very different forms of configuration; moreover you are writing inside the Small Business section of this forum (related to a specific group of devices that do not use IOS software).

  • About 2950 acl configuration

    I have a c2950 and want to configure an ACL. I enter interface mode and issue the IP ACCESS-GROUP command, but the system prompts that there is no such command. What can I do? Please help me. The output of the show ver command is as follows.
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA6, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Fri 21-Oct-05 02:22 by yenanh
    Image text-base: 0x80010000, data-base: 0x80676000
    ROM: Bootstrap program is C2950 boot loader
    tycib_sw29_f2office2 uptime is 3 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6k2l2q4-mz.121-22.EA6.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco WS-C2950-24 (RC32300) processor (revision R0) with 19973K bytes of memory.
    Processor board ID FOC0935Z7SN
    Last reset from system-reset
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:15:62:63:5D:C0
    Motherboard assembly number: 73-5781-13
    Power supply part number: 34-0965-01
    Motherboard serial number: FOC09343GDK
    Power supply serial number: DAB0930DP48
    Model revision number: R0
    Motherboard revision number: A0
    Model number: WS-C2950-24
    System serial number: FOC0935Z7SN
    Configuration register is 0xF

    Hi There,
    Your switch WS-C2950-24 is a switch with the standard image, i.e. SMI. This image does not support ACLs and that's why it's not working. You should have a 2950 with EMI to run ACLs. This switch is not upgradable to EMI, so you really cannot use ACLs on this :(.
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb71.html
    regards,
    -amit singh

  • What is the maximum MAC ACL Configuration?

    We are to implement MAC ACL on ME3400 with version 12.2. I just want to know what is the maximum permit/deny statements can be configured and what is the impact?

    External Resolution
    Up to 2560 by 1600 (Thunderbolt) or 1920 by 1200 (HDMI), so, no, it does not support 4k displays.

  • Cisco ASA 8.6 configuration issues

    Hello all ,
    internet router ----- outside ----- ASA ----- inside ----- Cisco 3750 (----A----)
                                         |
                                        DMZ
                                         |
                                    Cisco 3750 (-----B---)
    1- switch A -- wireless users + Cisco wireless IP phones
    2- switch B -- CUCM
    Problem description:
    --- from switch A I cannot ping switch B (DMZ), so IP phones cannot reach the CUCM
    --- on switch A, 4 VLANs are configured with different SSIDs and internet is working fine.
    --- on switch A I want 2 VLANs (vlan 60 and vlan 80) to communicate with the DMZ also (not working)
    ## some relevant config is as under:
    SWITCH A CONFIG
    ===============
    vlan internal allocation policy ascending
    interface FastEthernet0
     no ip address
     no ip route-cache cef
     no ip route-cache
     shutdown
    interface GigabitEthernet1/0/1
     switchport access vlan 60
     switchport mode access
     spanning-tree portfast
    |
    |
    |
    |
    |
    |
    interface GigabitEthernet1/0/23
     description **connected to ASA-Inside**
     switchport access vlan 100
     switchport mode access
    interface Vlan10
     ip address X.X.100.5 255.255.255.0
    interface Vlan50
     ip address X.X.6.12 255.255.255.0
    interface Vlan60
     ip address X.X.8.251 255.255.255.0
    interface Vlan80
     ip address X.X.10.251 255.255.255.0
    interface Vlan100
     ip address X.X.20.1 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 X.X.20.2
    =========================================
    ASA CONFIG
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    ip address X.X.20.2 255.255.255.0
    |
    |
    interface GigabitEthernet0/2
    nameif DMZ
    security-level 50
    ip address X.X.21.2 255.255.255.0
    |
    |
    interface GigabitEthernet0/5
    nameif outside
    security-level 0
    ip address 192.168.2.5 255.255.255.0
    |
    |
    object network IN-OUT
    subnet 0.0.0.0 0.0.0.0
    object network W-PHONE
    subnet X.X.10.0 255.255.255.0
    object network BECA-WIRELESS-USER
    subnet X.X.8.0 255.255.255.0
    pager lines 24
    |
    |
    nat (inside,outside) source dynamic IN-OUT interface
    nat (inside,DMZ) source dynamic W-PHONE interface
    nat (inside,DMZ) source dynamic BECA-WIRELESS-USER interface
    route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
    route inside X.X.6.0 255.255.255.0 X.X.20.1 1
    route inside X.X.7.0 255.255.255.0 X.X.20.1 1
    route inside X.X.8.0 255.255.255.0 X.X.20.1 1
    route inside X.X.10.0 255.255.255.0 X.X.20.1 1
    timeout xlate 3:00:00
    ============================================
    switch B
    interface GigabitEthernet1/0/17
     switchport access vlan 50
     switchport mode access
     switchport voice vlan 20
     spanning-tree portfast
    interface GigabitEthernet1/0/18
     switchport access vlan 50
     switchport mode access
    interface Vlan10
     ip address X.X.100.1 255.255.255.0
    interface Vlan20
     ip address X.X.7.1 255.255.255.0
     ip helper-address X.X.6.6
    interface Vlan50
     ip address X.X.6.30 255.255.255.0
     ip helper-address X.X.6.6
    interface Vlan60
     ip address X.X.8.252 255.255.255.0
    interface Vlan101
     ip address X.X.21.1 255.255.255.0
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip route 0.0.0.0 0.0.0.0 X.X.6.4
    ip route X.X.6.0 255.255.255.0 X.X.21.2
    ip route X.X.7.0 255.255.255.0 X.X.21.2

    We would also need to see the ACL configuration of the ASA, as this is what actually controls the flow of traffic, that is, if routing is correct, which it seems to be from your configuration.
    What you can do is run a packet-tracer on the ASA to see if the packet is allowed through the ASA:
    packet-tracer input inside tcp 12345 detail
    This should give you an indication where or if there is a misconfiguration on the ASA.
    Please post the output here if you require further assistance.  Also a full ASA configuration (remove public IPs and passwords) would help to identify the issue.
    Please remember to rate and select a correct answer

  • NAT configuration on PIX to ASA

    Hi,
    I have below configuration on my PIX 8.0 which I want to convert into ASA 9.1 :
     nat (Cust-DMZ) 0 access-list Cust-DMZ_nat0_outbound
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
    access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
    access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
    access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
    access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
    And, there is no "NAT (global) 0 " command in PIX for this configuration.
    How can I use this in ASA..?
    Regards,
    Ninad

    Hi,
    The configuration is going to be bigger at least. I did like the NAT0 more in the old software, when you could use the ACL configuration to handle it and not bloat the NAT configuration needlessly.
    There are some strange ACEs in that ACL. I mean the rules where the source and destination seem to be either from the same subnet or just simply host addresses (perhaps loopback interface IP addresses somewhere in the network?) that I wouldn't expect to use the firewall to communicate. Though I will assume those configurations are needed.
    You could try the following configuration, though I naturally suggest perhaps coming up with some other naming policy for the "object" configuration if needed.
    object network HOST-10.2.1.175
     host 10.2.1.175
    object network HOST-10.10.49.30
     host 10.10.49.30
    object network HOST-1.1.1.58
     host 1.1.1.58
    object network HOST-1.1.1.57
     host 1.1.1.57
    object network HOST-172.29.83.2
     host 172.29.83.2
    object network HOST-172.29.83.1
     host 172.29.83.1
    object network HOST-202.138.123.75
     host 202.138.123.75
    object network HOST-10.10.11.20
     host 10.10.11.20
    object network HOST-10.14.1.11
     host 10.14.1.11
    object network HOST-10.10.50.150
     host 10.10.50.150
    nat (Cust-DMZ,any) source static HOST-10.2.1.175 HOST-10.2.1.175 destination static HOST-10.10.49.30 HOST-10.10.49.30
    nat (Cust-DMZ,any) source static HOST-1.1.1.58 HOST-1.1.1.58 destination static HOST-1.1.1.57 HOST-1.1.1.57
    nat (Cust-DMZ,any) source static HOST-172.29.83.2 HOST-172.29.83.2 destination static HOST-172.29.83.1 HOST-172.29.83.1
    nat (Cust-DMZ,any) source static HOST-202.138.123.75 HOST-202.138.123.75 destination static HOST-10.10.11.20 HOST-10.10.11.20
    nat (Cust-DMZ,any) source static HOST-10.14.1.11 HOST-10.14.1.11 destination static HOST-10.10.50.150 HOST-10.10.50.150
    Notice that I configured the destination interface as "any". With that setting it should define the destination interface based on your ASA's routing table. I personally tend to define that interface, but can't do that in this case as I can't see your routing configuration or routing table.
    If you want to read up some on the new NAT configuration format, you can check a document that I wrote in 2013.
    Sadly the update to these forums also changed the layout of the document a bit, so some things aren't really as I wish them to be.
    https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
    Hope this helps :)
    - Jouni
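As an added example (not Jouni's code or any Cisco tool), a Python script that does the conversion above mechanically: it parses the PIX `nat 0` exemption ACL into host pairs and emits the ASA 8.3+ objects and identity twice-NAT statements in the same format, rejecting any ACE it does not recognise instead of guessing. The ACL name, the `Cust-DMZ` interface and the `HOST-<ip>` object naming come from this thread; `any` as the mapped interface is the assumption Jouni made.

```python
import re
from typing import List, Tuple

# Constructed input: the PIX 8.0 nat 0 exemption ACL quoted in the question above.
PIX_ACL = """
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.2.1.175 host 10.10.49.30
access-list Cust-DMZ_nat0_outbound extended permit ip host 1.1.1.58 host 1.1.1.57
access-list Cust-DMZ_nat0_outbound extended permit ip host 172.29.83.2 host 172.29.83.1
access-list Cust-DMZ_nat0_outbound extended permit ip host 202.138.123.75 host 10.10.11.20
access-list Cust-DMZ_nat0_outbound extended permit ip host 10.14.1.11 host 10.10.50.150
"""

# Only host/host "permit ip" ACEs are understood. Anything else (subnets, ports) is
# rejected rather than silently translated, since it needs different object types
# and a human decision about the mapped interface.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+ip\s+"
    r"host\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+host\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_nat0_acl(text: str, acl_name: str) -> List[Tuple[str, str]]:
    """Return (source, destination) host pairs from the nat 0 ACL named acl_name."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None or m.group("acl") != acl_name:
            raise ValueError(f"unsupported or foreign ACE: {line}")
        pairs.append((m.group("src"), m.group("dst")))
    return pairs


def convert_nat0(pairs: List[Tuple[str, str]], real_ifc: str, mapped_ifc: str = "any") -> str:
    """Emit ASA 8.3+ host objects and one identity twice-NAT rule per ACE, in ACL order.

    Each host object is declared only once even if it appears in several ACEs.
    mapped_ifc defaults to "any" so the ASA picks the egress interface from its
    routing table, as in the answer above.
    """
    objects, nats, declared = [], [], set()
    for src, dst in pairs:
        for ip in (src, dst):
            name = f"HOST-{ip}"
            if name not in declared:
                declared.add(name)
                objects.append(f"object network {name}\n host {ip}")
        nats.append(
            f"nat ({real_ifc},{mapped_ifc}) source static HOST-{src} HOST-{src} "
            f"destination static HOST-{dst} HOST-{dst}"
        )
    return "\n".join(objects + nats)


if __name__ == "__main__":
    print(convert_nat0(parse_nat0_acl(PIX_ACL, "Cust-DMZ_nat0_outbound"), "Cust-DMZ"))
```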

  • ISE Node Failure & Pre-Auth ACL

    Hi All,
    I would like to know what the best practice configuration is for the following points:
    1) Network access for end users/devices if both ISE nodes become unreachable? How can we make sure that full network access is granted if both ISE nodes become unavailable?
    2) What is the best practice for the pre-auth ACL configuration if IP phones are also in the network?
    Here is the port configuration and pre-auth ACL which I am using in my network,
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30
    authentication event server dead action authorize vlan 30
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks & Regards,
    Mujeeb

    Hi,
    I am using following configuration on the ports,
    Interface Fa0/1
    switchport access vlan 30
    switchport mode access
    switchport voice vlan 40
    ip access-group ISE-ACL-DEFAULT in
    authentication event fail action authorize vlan 30 ----> What would be the behaviour due to this command?
    authentication event server dead action authorize vlan 30 ---> So if the ISE nodes are unavailable, this port will be in VLAN 30, which is the actual VLAN?
    authentication event server alive action reinitialize ---> This command will re-initialize the authentication process if the ISE nodes become available?
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 5
    Since I am using the following ACL on the ports, will users have network access according to this ACL in case the ISE nodes are unavailable?
    ip access-list extended ISE-ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS and Domain Controllers
    permit ip any host 172.22.35.11
    permit ip any host 172.22.35.12
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Deny All
    deny   ip any any log
    Thanks

  • Basic configuration on ASA 5520

    I am running ASA in GNS3.
    I am a little bit confused. By default IP traffic is allowed from a higher to a lower security level. I had just configured the interfaces with security level, name and IP address and no shutdown. Will the traffic pass through the ASA or not? No NAT, ACL or routes are configured.

    I am not sure I understand your question correctly.  Do you mean that you have configured the interfaces and traffic is not passing?
    If you configure one interface with security level 100 and another with a security level lower than 100 (let's say 0 for simplicity) then, as of version 8.3, traffic will pass through the ASA from the higher security level to the lower security level without the need of further configuration.  That is assuming that the lower security level interface is not connected to the internet, where the private IP address range is not routable.  In that case traffic will pass through the ASA, you will just not get any return traffic.
    Prior to 8.2 you had to configure a NAT statement or issue the no nat-control command in order for traffic to be allowed through the ASA but as of 8.2 that feature was disabled by default and in 8.3 (or perhaps 8.4) it was removed completely.
    If you add an ACL to the ASA interface then the security levels have nothing to say in the way traffic flows.  The security levels only come into play if there are no ACLs configured on the interface.
    Please remember to rate and select a correct answer

  • Extended ACL TCP port control

    Hi all,
    I have configured an ACL to control traffic going in/out of an interface via TCP ports. However, after applying the ACL to the interface, I find that even though the ports are allowed, traffic is blocked by the ACL.
    I suspected that it could be the initial TCP handshake (SYN, SYN-ACK, ACK etc.) that is not being allowed (due to the implicit deny). When I included that in the ACL, it worked. Is this a necessary step in an ACL that controls by TCP port?
    The reason I ask is that some of the ACLs configured with TCP port control have not been configured to allow SYN, ACK etc., but they work when applied to other interfaces.

    Hi,
    Thanks for the response. As far as the config of the ACL, it's quite straightforward with the thing I'm trying to achieve. 1.1.1.190 & 1.1.1.192 are mail servers. The objective is to control both .190 & .192. The config is as below:
    interface Vlan2
    description For Mail
    ip address 1.1.1.129 255.255.255.0
    ip access-group 2002 in
    end
    C6500#sh access-li 2002
    Extended IP access list 2002
    10 permit icmp any any (272 matches)
    20 permit tcp host 1.1.1.0 any syn (10467 matches)
    30 permit tcp host 1.1.1.0 any ack (781 matches)
    40 permit tcp host 1.1.1.190 eq smtp any
    50 permit tcp host 1.1.1.190 eq pop3 any
    60 permit tcp host 1.1.1.192 eq smtp any
    70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
    80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
    When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
    Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

  • FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC

    Hi Chaps,
    I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, these are called up using the Airespace fields in the ISE policies, dependent on what rule is hit.
    ACL-WEBAUTH-REDIRECT
    ACL-PERMIT-CORP-TRAFFIC
    ACL-PERMIT-GUEST-TRAFFIC
    Will FlexConnect APs call up the ACLs in the same way as local mode, as the WLAN will be AAA Override/RADIUS NAC, or will FC ACLs be required?
    Cheers,
    N

    I believe you need to create Flex ACLs on the WLC.  These Flex ACLs can be called the same as regular ACLs, so in ISE you wouldn't have to change the auth profile.

  • Blank ACL required?

    Hi,
    I have had a guest VLAN running for a few weeks and today after a scheduled reload of our systems we had a wireless problem.
    Our configuration has clients authentication on the WLC web portal, and then have access to Internet only. This access is controlled with an ACL on the core switch.
    The only change to the system that we know of is that the WLC was reloaded over the weekend, and then this morning users are unable to access the net, although they get an IP from DHCP.
    After some troubleshooting I suspected an ACL, so I took out the ACL on the core switch, to no effect. So I looked at the WLC, and I found an unused ACL that I created a few weeks ago - I verified that both our WLANs have no ACL configured (in pre-auth and in override ACL) but I wasn't able to remove the ACL totally as the system says "Error! ACL is in use".
    So I created an ACL on the WLC for open access, and applied it to the guest WLAN, and users were then able to have access.
    I suspect that somehow the WLC was applying this old ACL, even though the interface did not display this. This is going to be a bit of a tricky one to reproduce, but I'll try when I get some time and then I will report it to TAC.
    Paul

    I believe this will only delete an individual rule in the ACL.
    Even in the CLI I get the error message "Error! ACL is in use", which confirms the system's behavior, that the ACL is in fact in use.
    It seems pretty clear, I have to take the ACL out of use before I can remove it - but unfortunately the web management tools report that there is no ACL configured for any interface.
    The CLI disagrees:
    interface acl WLAN Student_Internet_Access_Only
    What I suspect is required, is a way to remove the above line - but there seems to be no syntax to do this.
    (QCA-WLC1) >config interface ?
    acl Configures an interface's Access Control List.
    address Configures an interface's address information.
    ap-manager Disables AP Manager features on a dynamic
    interface.
    create Adds a new dynamic interface.
    delete Deletes a dynamic interface.
    dhcp Configures DHCP options on an interface.
    hostname Configures the virtual interface's virtual DNS
    host name.
    port Assign interface to physical port.
    vlan Configures an interface's VLAN Identifier.
    quarantine Configure quarantine vlan
    (QCA-WLC1) >config interface acl ?
    ap-manager Configures the AP Manager interface.
    management Configures the management interface.
    Enter interface name.
    (QCA-WLC1) >config interface delete ?
    Enter interface name.
    Paul
