access-list on a 2500 series router
Hello
I want to deny traffic from a concrete what IP connected to the 2500 series router and I want to do it in the router. Is there enough adding a 'access-list 6 refuse 192.168.148.13' command to drop packets from that address or it is necessary to other statement?
Thanks in advance.
You must also use the ACL on the interface in which the traffic is delivered.
Use "ip access-group in 6" on the interface.
in specified packets entering this interface must be inspected.
Tags: Cisco Security
Similar Questions
-
The following access list works on a cisco router, however, the list will not work on the PIX (I change the mask to wildcards to a for the PIX subnet mask).
Router (works)
access allowed test tcp 192.168.1.50 list 0.0.0.5 host 10.10.10.1 eq 80
PIX (does not work)
access list permit test tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80
I get the error on the PIX:
ERROR: Source, mask <192.168.1.50, 0.0.0.10="">address not pair
Is it possible to group IP addresses as well as on the PIX in a similar way as Cisco IOS?
Thank you!
Domo Arigato!
You can use
192.168.1.48 255.255.255.248 for the source or if they are many hosts you must insert an individual entry for each source.
Of course you can refuse the host 192.168.1.49 and
Let the others allow 192.168.1.48 255.255.255.248
-
Hello
I have a PIX 525 to my main site and a 1721 router at a remote location. I used the PDM and the SDM to configure site-to-site IPSec VPN connection. In my private network, I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) to remote sites.
The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured the traffic to flow from the remote site to 10.1.0.0/16 only. This means that the remote site cannot speak to any other remote sites, just the main site.
I need to modify the access list to solve this problem. The relevant part of the remote site access list is now:
access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 deny ip 10.19.0.0 0.0.255.255 everything
Can I change the subnet mask in the first line and put the second line first?
access-list 103 deny ip 10.19.0.0 0.0.255.255 everything
access-list 103 allow ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255
Or should I let the deny at the end statement, and add a line for each of the other remote sites:
access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 allow ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 allow ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 allow ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255
... (others)
access-list 103 deny ip 10.19.0.0 0.0.255.255 everything
Thank you.
John
John
Help the additional configuration information that you have posted. There are still a few things which I hope could be clarified. It seems that you have 46 remote sites and only is connected via a VPN. How have the other connectivity? It is all over the links within your private network? Is there than any NAT involved in these other connections?
In my previous answer, I assumed that there will be multiple VPN connections, revealing your additional information is not the case. So my comment about limitations in PIX for talk of talks is true but not applicable to your situation.
Other remote sites are also coming via the VPN? If yes access list 100 which the 1721 uses to identify the IPSec traffic (and that was not in your posted material) will probably have to be changed.
According to access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate put it as the first entry in the access list. What about if you want to use ip 10.0.0.0 allow 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual licenses, according to me, a point to consider is that allowed 10.0.0.0 0.255.255.255 will allow any space of 10 addresses. It seems that you use 1 to 47. What happens if something came through 10.122.x.x? I suggest a compromise approach. You can use this:
IP 10.0.0.0 allow 0.31.255.255 10.19.0.0 0.0.255.255
ip licensing 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255
This would allow 1 to 47 but not others.
HTH
Rick
-
Router Access List - where it is applied?
I seem to be missing something here. I have a 1841 router that has an access list configured and it actually loses packages based on this access list. I can't for the life of me see where this Access List is applied. Can anyone provide an overview? Here is the result of the "Show Run":
R - H1BR1 #sh run
Building configuration...Current configuration: 3391 bytes
!
! No change since the last restart configuration
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
R-H1BR1 host name
!
boot-start-marker
boot-end-marker
!
County of logging
logging buffered 51200
no console logging
!
No aaa new-model
IP cef
!
!
!
!
no ip domain search
domain IP p911.positron name - psap.com
name of the IP-server 10.4.0.1
name of the IP-server 10.4.0.2
name of the IP-server 10.5.0.3
name of the IP-server 10.5.0.4
IP multicast routing
Authenticated MultiLink bundle-name Panel
!
!
username * secret privilege 15 5 *.
Archives
The config log
hidekeys
!
!
TFTP IP source interface FastEthernet0/0.1
!
!
!
interface Tunnel5
Description * TUNNEL to NODE B (Multicast only) *.
IP 10.250.4.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.5.15.254
!
interface Tunnel25
Description * TUNNEL at 25 SATELLITE (Multicast only) *.
IP 10.250.25.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.25.15.254
!
interface FastEthernet0/0
Description * to switch 1 last Port *.
no ip address
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY
IP pim dr-priority 255
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
no ip mroute-cache
KeepAlive 1
45 minimum waiting time charge 60
Watch 1 ip 10.4.15.254
1 1 3 sleep timers
1 standby preempt delay minimum charge 15 15 15 sync
!
interface FastEthernet0/1
Description * BETWEEN R1 and R2 *.
IP 10.252.204.1 255.255.255.252
no ip proxy-arp
IP-range of greeting 1 2604 eigrp
IP - eigrp 2604 2 hold time
no ip mroute-cache
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/0
Description * WAN to H2 connection *.
IP 172.16.215.246 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/1
Description * connection to AAU *.
IP 192.168.10.1 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
45 minimum waiting time charge 60
Watch 3 ip 192.168.10.3
sleep timers 3 1 3
3 standby preempt delay minimum charge 15 15 15 sync
!
Router eigrp 2604
redistribute static
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/0/1
10.4.0.0 network 0.0.15.255
Network 10.252.0.0 0.0.255.255
network 172.16.215.0 0.0.0.255
No Auto-resume
!
IP forward-Protocol ND
IP route 10.119.138.0 255.255.254.0 192.168.10.13
IP route 10.121.1.0 255.255.255.0 192.168.10.13
!
!
no ip address of the http server
IP mroute 10.5.0.0 Tunnel5 255.255.240.0
IP mroute 10.25.0.0 255.255.240.0 Tunnel25
!
standard IP DENY access list
deny all
!
interface FastEthernet0/0.1 source journaling
logging server-arp
record 10.4.0.1
!
!
control plan
!
!
Line con 0
local connection
line to 0
line vty 0 4
exec-timeout 0 0
local connection
transport telnet entry
line vty 5 15
exec-timeout 0 0
opening of session
transport telnet entry
!
Scheduler allocate 20000 1000
NTP-period clock 17177530
NTP 10.4.0.1 Server
endR H1BR1 #.
I guess you are looking for
interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY?
Best regards
Milan
-
An access list has been configured on a router to block an IP address. Can can additional IPS added to the original access list at a later date?
ex.
(config) #access - list 5 deny 10.10.117.0 0.0.0.255
(config) #access-list 5 permit one
Can use us the access list 5 to block additional IP addresses or to create a new access list?
of course, you can
lets take this example
R2 #sh - ip access lists
IP access list 5 standard
10 deny 10.10.117.0 0.0.0.255
20 allow a
You can do like
R2 (config) #ip - 5 standard access list
R2 (config-ext-nacl) #no 20 allowed any R2 (config-ext-nacl) #end
then start putting the statements refuse you want
as
(config) #access - list 5 deny 10.10.118.0 0.0.0.255
(config) #access - list 5 deny 10.10.119.0 0.0.0.255
then put your license
(config) #access-list 5 permit one
Remember that without the permit, everything in the end something not permitted by the ACL will be denied because there is no default all refuse (implicit deny) at the end of each ACL
If the permit all it will solve
Good luck
Please, if useful rates
-
Newbie question route-map/access-list
I am quite new to the thing whole cisco here. I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)
We have a router cisco 1811 (yes I know its old)
We now have a road map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1. Our T1 uses an ASA5505 as a router. I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject. I am doing as a result. Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1. This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1. If our cable goes down, everything for the T1 (by design). We have a long list of defined access our route map - use corresponding ip. I want to change the access list to not allow local network IP addresses. I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more. So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network. I wouldn't pull the laminated cord and use the console. (I really need get a USB serial interface). Now, you understand a little more about my situation now for all numbers, etc.
Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)
PTP VPN: 192.168.116.0/24 comes and goes out our T1.
1811 router: 90.0.0.254/192.168.30.254/192.168.0.254
ASA: 90.0.0.50
!
follow the accessibility of ALS 40 ip 40
delay the decline 90 60
!
interface Vlan1
Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$
IP 90.0.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
route WEBPBR card intellectual property policy
!
interface Vlan10
Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$
IP 192.168.0.254 255.255.255.0
IP nat inside
IP helper 90.0.0.2
IP virtual-reassembly
route WEBPBR card intellectual property policy
!
! Static routes
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
IP route 0.0.0.0 0.0.0.0 197.164.245.109 200
IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
WEBTRAFFIC extended IP access list
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
refuse the host tcp 90.0.0.2 any eq www
refuse 90.0.0.14 tcp host any eq www
refuse 90.0.0.235 tcp host any eq www
refuse the host ip 192.168.0.40 everything
deny ip any host 192.168.0.40
refuse the host ip 192.168.0.41 all
deny ip any host 192.168.0.41
deny ip any host 192.168.0.221
refuse the host ip 192.168.0.221 all
refuse the host ip 192.168.0.225 all
refuse 90.0.0.10 tcp host any eq www
deny ip any host 192.168.0.225
refuse 90.0.0.11 tcp host any eq www
refuse 90.0.0.9 tcp host any eq www
refuse 90.0.0.8 tcp host any eq www
refuse 90.0.0.7 tcp host any eq www
refuse 90.0.0.6 tcp host any eq www
refuse the 90.0.0.1 tcp host any eq www
refuse 90.0.0.13 tcp host any eq www
refuse 90.0.0.200 tcp host any eq www
permit tcp any any eq www
allow the host ip 192.168.0.131 one
allow the host ip 192.168.0.130 one
allow the host ip 192.168.0.132 one
allow the host ip 192.168.0.133 one
allow the host ip 192.168.0.134 one
allow the host ip 192.168.0.135 one
allow the host ip 192.168.0.136 one
allow the host ip 192.168.0.137 one
allow the host ip 192.168.0.138 one
allow the host ip 192.168.0.139 one
allow the host ip 192.168.0.140 one
allow the host ip 192.168.0.141 one
allow the host ip 192.168.0.142 one
allow the host ip 192.168.0.143 one
allow the host ip 192.168.0.144 a
allow the host ip 192.168.0.145 one
allow the host ip 192.168.0.146 one
allow the host ip 192.168.0.147 one
allow the host ip 192.168.0.148 one
allow the host ip 192.168.0.149 one
allow the host ip 192.168.0.150 one
allow the host ip 90.0.0.80 one
allow the host ip 90.0.0.81 one
allow the host ip 90.0.0.82 one
allow the host ip 90.0.0.83 one
allow the host ip 90.0.0.84 one
allow the host ip 90.0.0.85 one
allow the host ip 90.0.0.86 one
allow the host ip 90.0.0.87 one
allow the host ip 90.0.0.88 one
allow the host ip 90.0.0.89 one
allow the host ip 90.0.0.90 one
allow the host ip 90.0.0.91 one
allow the host ip 90.0.0.92 one
allow the host ip 90.0.0.93 one
allow the host ip 90.0.0.94 one
allow the host ip 90.0.0.95 one
refuse the host tcp 90.0.0.3 any eq wwwALS IP 40
208.67.220.220 ICMP echo source interface Vlan1
Timeout 6000
frequency 20
ALS annex IP 40 life never start-time now
allowed WEBPBR 2 route map
corresponds to the IP WEBTRAFFIC
set ip next-hop to check the availability of the 197.164.245.109 1 track 40
That is how we have it set up right now. If I put in a few lines above WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! Etc with all internal networks
* And then put at the bottom:
allow an ip
who will ALL break so we can not communicate with anything? Or is that what I did to do this, we get internal routing etc.? Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well? (We have public IPS 14 (one for the T1 gateway) that would go as well?) I don't want to try to put in those at the top and make sure no one can do anything. I hope I made clear what I'm doing...
Post edited by: Ryan Young
I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.
HTH
Rick
-
800 series Router and ASA will not create a tunnel
Hey everybody, what had confused me for a week now, and I feel that it is something small that im overlooking. My 800 router and my ASA will not pass traffic through a VPN. Here are my configs (less sensitive data of course). I also removed irrelevant data to narrow down the config.
800 series router:
DHCP excluded-address 192.168.2.1 IP 192.168.2.100
!
IP dhcp pool internaldhcp
network 192.168.2.0 255.255.255.0
x.x.x.x where x.x.x.x DNS server
default router 192.168.2.1
!
!
IP cef
no ip domain search
domain IP (domain here)
Server name x.x.x.x IP
Server name x.x.x.x IP
No ipv6 cef
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
address key (password) crypto isakmp (ip WAN of ASA)
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha
Crypto ipsec transform-set esp-3des esp-md5-hmac 3des-md5
Crypto ipsec transform-set esp-3des esp-md5-hmac distance
!
!
map KentonMap 1 ipsec-isakmp crypto
defined peer (ASAs WAN IP)
the value of the transform-set 3des-sha
match address 110
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
Description outside the int
(Local WAN) 255.255.255.252 IP address
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
card crypto KentonMap
service-policy output VoiceLLQ
!
interface Vlan1
IP 192.168.2.1 255.255.255.0
IP nat inside
IP virtual-reassembly in
Fair/fair-queue
!
!
IP nat pool insidepool (WAN IP) (WAN IP) netmask 255.255.255.252
IP nat inside source list 100 insidepool pool overload
IP route 0.0.0.0 0.0.0.0 (Next Hop)
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
Note access-list 110 VPN ACL
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.24.0 0.0.0.255
!
The ASA config:
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
(LOCAL WAN) 255.255.255.252 IP address
!
permit same-security-traffic intra-interface
IP 192.168.24.0 allow Access - list extended sheep 255.255.255.0 192.168.2.0 255.255.255.0
Access extensive list ip 192.168.24.0 LimatoKenton allow 255.255.255.0 192.168.2.0 255.255.255.0
OutsideIn list extended access permit tcp any interface outside eq 3389
Global 1 interface (outside)
NAT (inside) 0 access-list sheep
NAT (inside) 1 192.168.24.0 255.255.255.0
Route outside 0.0.0.0 0.0.0.0 (Next Hop) 1
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac 3des-sha
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto LimaMap 1 corresponds to the address LimatoKenton
card crypto LimaMap 1 defined peer (800 WAN router)
card crypto LimaMap 1 the value transform-set 3des-sha
LimaMap interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside
crypto ISAKMP policy 1
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
tunnel-group (800 WAN router) type ipsec-l2l
tunnel-group (800 WAN router)
IPSec-attributes
pre-shared key *.
ISAKMP crypto release:
ASA
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVE
Router
DST CBC conn-State id
(Local WAN) (ASA WAN) ACTIVE QM_IDLE 2003
Hello, Benjamin.
I guess that your router does NAT same for site traffic to site.
So, you have to deny traffic between ACL 100 sites.
PS: If this does not resolve your problem, could you please share isakmp/ipsec its on both sides?
-
Ipv6 access list does not apply autonomous Aironet 3602I-E
As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.
Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).
The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.
This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.
Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:
interface Dot11Radio0.2
guest_ingress6 filter IPv6 traffic in
guest_egress6 filter IPv6 traffic onand these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.
No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:
000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
etc.In addition, when creating a list like this ipv6 access:
guest_egress6 IPv6 access list
refuse an entire ipv6The other is automatically created:
IPv6-guest_egress6 role-based access list
refuse an entire ipv6A deletion also removes the other.
What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?
Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)
PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.
You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.
Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.
Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?
Please rate helpful messages... :-)
-
Everyone;
I need a few questions answered on how to condense on a 300 line refuse access-list into something maybe shorter. Right now, we want to put the abbreviated version of access on the border router 7204 VXR if possible list. It is an attempt to block possible known bad IP address that are not network friendly. Currently there are 2 ASA 5540 behind the border router.
Thanks in advance;
gmaurice
No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)
-
allow icmpv6 in ipv4-access list in the tunnel
Hello
I have a little problem with an access list ipv4 blocking my ipv6 tunnel.
My tunnel works and is as follows:
interface Tunnel0
no ip address
IPv6 address
enable IPv6
source of tunnel
ipv6ip tunnel mode
tunnel destination
So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel (
). Access list that I apply is the following:
allow tcp any a Workbench
allowed UDP any eq field all
allowed any EQ 67 udp no matter what eq 68
allowed UDP any eq 123 everything
allowed UDP any eq 3740 everything
allowed UDP any eq 41 everything
allowed UDP any eq 5072 everything
allow icmp a whole
deny ip any any newspaper
Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?
TCP 3874 TIC.sixxs.net IPv4 ICT (Information Tunnel & Control Protocol) Used to retrieve the information of tunnel (for instance AICCU) Uses the TCP protocol and should work without problems UDP 3740 PoP IPv4 Heartbeat Protocol Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive the user only to pop out Protocol 41 PoP IPv4 IPv6 over IPv4 (6 in 4 tunnel) Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat) We have to appoint the internal host as the DMZ host that leaves usually passes the NAT UDP 5072 PoP IPv4 AYIYA (anything in anything) Used for tunneling IPv6 over IPv4 (AYIYA tunnels) Must cross most NAT and even firewalls without any problem ICMPv6 echo response. Tunnel endpoints IPv6 Internet Control Message Protocol for IPv6 Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel No, because it is happening inside the tunnel I missed something?
sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).
Hope someone can help me.
Hello
In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports
If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.
Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?
But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.
-Jouni
-
Hello
I have a small question about the order in the syntax for an access list. I made my list of access work now, but I don't understand why.
It looks like this when it did not work:
(outside interface incoming traffic)
access list 100 permit tcp any any established journal
access-list 100 permit udp any any eq field journal
access list 100 permit tcp any any eq field journal
access-list 100 deny ip any any newspaper
To make this work, I had to add these two lines:
access-list 100 permit udp any eq field no matter what newspaper
access list 100 permit tcp any eq field no matter what newspaper
I do not understand the difference between
access-list 100 permit udp any eq field all
and
access-list 100 permit udp any any eq field
If you're wondering what the main goal with the list, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have a domain.
Hello
Again, I think knowing that this 100 ACL is attached to the router's WAN interface in the direction 'in '. This means that its traffic control entering your network LAN.
When we look at how DNS works now in what concerns this ACL
- DNS lookup is usually made at the port of destination UDP/53
- PC uses the random source for the DNS lookup port
- Responses from DNS server for research with source UDP/53 port
- Responses from DNS server to the computer on the port that the source PC search DNS
So naturally you'll see responses from the host source and source UDP/53 port DNS
If the ACL with the port of destination UDP/53 became all success, this would mean that you would host a DNS server and the DNS lookups were intended for your network.
Also to your other question. If you set no ports using TCP/UDP in the ACL then he accepts any source/destination port
Hope this helps
Be sure to mark it as answered in the affirmative.
-Jouni
-
bug in iOS? startup-config + command access-list + an invalid entry detected
I posted this yesterday in the newsgroup usenet comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.
Cisco 827
IOS (TM) C820 software (C820-K9OSY6-M), Version 12.2 (8) T5, RELEASE
SOFTWARE (fc1)
I'm looking to use a host named in a more extended access list. The
script I copy startup-config contains the following entries:
! the 2 following lines appear at the top of the script
123.123.123.123 IP name-server 123.123.123.124
IP domain-lookup
! the following line appears at the bottom of the script
120 allow host passports - 01.mx.aol.com one ip access-list
When I reboot the router, I saw the following message:
Translation of "passports - 01.mx.aol.com"... the domain server (255.255.255.255)
120 allow host passports - 01.mx.aol.com one ip access-list
^
Invalid entry % detected at ' ^' marker.
It seems as if the entrance to the server name of the router is not processed
prior to the access list. I can not even check with
router02 access lists 120 #sh
makes the access list entry * not * exist.
But when I manually type the entry in the router I see the
Next:
router02 (config) #access - list 120 permits Passport - 01.mx.aol.com ip host
any
Translation of "passports - 01.mx.aol.com"... the domain server (123.123.123.123)
[OK]
and I can confirm its creation:
router02 access lists 120 #sh
Extend the 120 IP access list
allow the host ip 64.12.137.89 one
I have to do something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same label/common sense if apply here as apply to newsgroups usenet. i.e. post us actual ip addresses in our configs or must they be edited?)
Any help is very appreciated.
Hello
Currently IOS does not use DNS - names in the ACL for the saved configuration / running.
When you type in a list of access with a domain name we he looks up and replaces it with the IP address. I remember seeing a bug No. recently request this feature but I don't remember one bug id # now.
Router (config) #access - list 187 ip allow any host www.cisco.com
Router (config) #^ Z
router #show run | 187 Inc
IP access-list 187 allow any host 198.133.219.25
router #show worm | split 12
IOS (TM) C800 Software (C800-K9NOSY6-MW), Version 12.2 (13) T, RELEASE
-
I want that no package would leave f0/0 (R2).
Here is my configuration:
R1:
!
interface FastEthernet0/0
IP 192.168.1.1 255.255.255.0
!
R2:
!
interface FastEthernet0/0
IP 192.168.1.2 255.255.255.0
IP access-group 101 out
!
access-list 101 deny ip any one
!
Given the configs shown in the original post R2 will be able to ping to R1 and I guess this (or something very similar) is what brings the original poster said that the ACL does not work.
The problem here is that a list of access applied on an interface will not process the traffic generated by the router itself. The illustrious ACL will be very effective in preventing transit traffic (traffic that came from somewhere to R2 and must be DISPATCHED f0/0). But it will not work on the packages generated by R2.
HTH
Rick
-
Restrict access to the network on 871 router via mac address
Hello
I have a Cisco 871 router and I am trying to allow only specific MAC addresses access to the network. Is there a way to specify that only specific MAC addresses are allowed to access? Any other MAC access will be denied?
I can either have static IP or DHCP for local machines.
Can I use this "secure DHCP IP address assignment" details found here... http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftdsiaa.html ?
I use these...
static Mac address table
OR
Security table of Mac addresses
... to achieve this?
Thank you.
You can use "mac-address-table static" If you know all the mac addresses that will be connected.
If the router is by distributing ip addresses so you can indeed do secure IP DHCP address assignment.
Note that you can make a 'mac access-list' switch and aplly in any vlan you want.
Alternatively, you can do "dhcp snooping" allowing guests who got a dhcp ip addresses and are not identity theft.
I hope it helps.
PK
-
access list for traffic crossing and IPSEC
Hi, just a question fast and easy if everything goes well as im on thinking that he. IM on the establishment of the IPSEC between a Cisco router to another Cisco router. I want to only allow RDP through IPSEC.
I of course implement the ACL for the SHEEP, but I'll have to implement another ACL application outside? interface allowing a specific RDP server and denying everything.
Thank you
David
I have extracted this router to work. I changed some details to conceal the source, but it should illustrate what you need to do.
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
address of examplekey key crypto isakmp 2.3.4.5
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac AES256SHA
tunnel mode
!
cust_map 10 ipsec-isakmp crypto map
defined peer 2.3.4.5
game of transformation-AES256SHA
match the address crypto_acl
!
interface GigabitEthernet8
cust_map card crypto
!
crypto_acl extended IP access list
host ip 192.168.25.52 permit 172.24.0.0 0.0.7.255
!HTH
Rick
Maybe you are looking for
-
This e-mail from the thunderbird support team or a fake email?
I received an email informing me that my account is almost full and giving me instructions on how to renew my account. I just want to check if this e-mail is really a mozilla thunderbird support or is a fake email. the content of the email: Subject:
-
MIDI synth external record while monitoring its audio to an audio track
Here's what I'm trying to do: Remove my material mixer and jack my remaining external hardware Synths directly in my I/O. In PD, it's easy. Just "of entry monitor", the audio track the synth is connected, create a midi for the external synthesizer tr
-
I want to buy you 1360t but I will change the hard drive for an SSD and I need support SATA 3 to get the maximum speed on the SSD. The 1360t supports SATA 3?
-
CVS-1457RT engine of analysis?
I can configure the CVS-1457RT for the scan engine? or do I need to compile a bit to access I/O? Best regards Henrik Ehlert
-
Hello, I received my dazzle DVC 100 today and I downloaded the disc and stuff... I then plugged everything to record from my xbox. On all the programs I tried it does not work. (this is Windows 7 64 bit) Ive tried Ulead VideoStudio SE DVD and the pro