access-list with PAT

Hi guys,.

I would like to know if the accesslist with PAT, you can refuse statements. IE reject the order under the access list for the traffic that you do not want to be PATed.

example:

access list acl-pat deny ip 10.0.0.1 0.0.0.0 all

permit access-list acl - pat ip 10.0.0.0 0.0.0.255 any

If I won't 10.0.0.1 PATed.

Hello

It's perfectly legal and quite a common practice.

Hope that help - rate pls post if it does.

Paresh

Tags: Cisco Security

Similar Questions

Lock the AnyConnect VPN with broader access list

I'm trying to lock my AnyConnect VPN interface. I use the split tunneling. I want only to http tunnel traffic to an external http server we have and ftp to another external server behave. I don't want anything else through the tunnel or anywhere else allowed on our network. My current setup, I can connect to the vpn and the servers ping external ip address, but not by name. I can also not navigate anywhere else while I'm connected. It is not imperative for me to navigate anywhere else, when you are connected, but I need to allow only access specified above.

Configuration:

attributes Anyconnect-group policy

VPN-tunnel-Protocol svc webvpn

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list WebAccessVPN

WebVPN

list of URLS no

SVC request to enable default webvpn

WebAccessVPN list extended access allow icmp disable any newspaper host FTP - EXT object-group Ping_and_Trace

External FTP FTP access WebAccessVPN-list comment

WebAccessVPN list extended access permitted tcp disable no matter what newspaper to host FTP - EXT object-group DM_INLINE_TCP_2

WebAccessVPN list extended access allow icmp disable any newspaper host LICENSING-EXT object-group Ping_and_Trace

WebAccessVPN list extended access allowed object-group TCPUDP any LICENSING-EXT eq www log disable host

WebAccessVPN list extended access deny ip any object-group DM_INLINE_NETWORK_1

You can use the vpn filter under the attributes of political group. In the vpn-filter, you can reference the access list you created.

access crypto-list with several entries

Hello

I need establish a L2L tunnel from a remote location to an ASA5540.

Guide de Configuration ASA5500 educating to create an ACL extended to connections of control based on the source address and destination and gives the following example: "permit l2l_list of access list range 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0.

All ACL examples that I found is in one line. In addition, in ASDM you can only specify a local subnet and a remote subnet.

I can define an ACL includes several lines, one for each local subnet?

Example:

extended access list l2l_list allow 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0

extended access list l2l_list allow 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0

The problem I encounter is that users on the remote site should have access not only to the ASA 5540 local network 10.0.0.0/8, but also a few others like 172.16.0.0/16
```
albert_coll wrote:
Hello,
I need to establish a L2L tunnel from a remote site to an ASA5540.
The ASA5500 Configuration Guide instruct to create an extended ACL to control connections based on the source and destination address, and provides the following example: "access-list l2l_list extended permit 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0".
All the ACL examples i found consists in only one line.  Moreover, from ASDM you can only specify one local subnet and one remote subnet.
Can i define an ACL including several lines, one for every local subnet ?
Example:
access-list l2l_list extended permit 192.168.33.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list l2l_list extended permit 192.168.33.0 255.255.255.0 172.16.0.0 255.255.0.0
The problem i face is that users at the remote site should not only access the ASA 5540 local network 10.0.0.0/8, but also some others like 172.16.0.0/16
```
You can specify the number of rows that you want in a crypto map access-list. If ASDM, which I use, does not let you then you can certainly do it from the CLI.

Jon

Cisco currently give money to call Haiti earthquake for each side of the sort it please consider note all useful messages.

New to pix, need help with "debug access list of all the" command

I have a pix 515 v6.3. I am tring to use then "debug access list of all the" command to see what traffic is stopped by my access list. However, I don't get any output. I turn execution of the command, but nothing happens. Other debug commands give the console. Perhaps, I do not understand what "debug to access list of all the" is used for. Any help that can be provided would be greatly appreciated.

Tim

Also try following the commands of logging

LOGG on

LOGG buff 7

term Lun

M.

VPN on ASA 5506 without internet access, help with NAT?

Hello

I have upgraded to a Cisco ASA 5505 to a 5506 X and as such have climbed to ASA 9.5

For this reason, I'm a bit stuck on how to implement the VPN. I followed the wizard and I can now establish inbound connections, but when connected (all traffic is tunnel) there is no internet connectivity.

Our offices internal (inside) network is 192.168.2.0/24

Our VPN pool is 192.168.4.0/24

I guess that I'm missing a NAT rule, but in all honesty, I'm a user ASDM and as everything is changed, I am struggling to recreate it?

Here is my config:

Result of the command: "sh run"

: Saved

:
: Serial Number: JAD194306H5
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasanew
domain-name work.internal
enable password ... encrypted
names
ip local pool RemoteVPNPool 192.168.4.1-192.168.4.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.2.197 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.2.199
 domain-name work.internal
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 173.0.82.0
 host 173.0.82.0
object network 173.0.82.1
 subnet 66.211.0.0 255.255.255.0
object network 216.113.0.0
 subnet 216.113.0.0 255.255.255.0
object network 64.4.0.0
 subnet 64.4.0.0 255.255.255.0
object network 66.135.0.0
 subnet 66.135.0.0 255.255.255.0
object network a
 host 192.168.7.7
object network devweb
 host 192.168.2.205
object network DevwebSSH
 host 192.168.2.205
object network DEV-WEB-SSH
 host 192.168.2.205
object network DEVWEB-SSH
 host 192.168.2.205
object network vpn-network
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.4.0_24
 subnet 192.168.4.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network EC2ExternalIPs
 network-object host 52.18.73.220
 network-object host 54.154.134.173
 network-object host 54.194.224.47
 network-object host 54.194.224.48
 network-object host 54.76.189.66
 network-object host 54.76.5.79
object-group network PayPal
 network-object object 173.0.82.0
 network-object object 173.0.82.1
 network-object object 216.113.0.0
 network-object object 64.4.0.0
 network-object object 66.135.0.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp6
 service-object icmp alternate-address
 service-object icmp conversion-error
 service-object icmp echo
 service-object icmp information-reply
 service-object icmp information-request
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object DEVWEB-SSH eq ssh
access-list outside_access_in remark AWS Servers
access-list outside_access_in extended permit tcp object-group EC2ExternalIPs object devweb eq ssh log debugging inactive
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in remark Ping reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in remark Alarm
access-list outside_access_in extended permit tcp any interface outside eq 10001
access-list outside_access_in remark CCTV
access-list outside_access_in extended permit tcp any interface outside eq 7443
access-list outside_access_in extended deny ip any any
access-list workvpn_splitTunnelAcl_1 standard permit 192.168.2.0 255.255.255.0
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.130.12 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 162.13.133.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.128.200 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.16 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 164.177.132.72 255.255.255.252
access-list workvpn_splitTunnelAcl_1 standard permit 212.64.147.184 255.255.255.248
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.116 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.118 255.255.255.254
access-list workvpn_splitTunnelAcl_1 standard permit host 95.138.147.118
access-list workvpn_splitTunnelAcl_1 standard permit 95.138.147.120 255.255.255.254
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list workvpn2_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list workVPN2016_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 16000
logging asdm-buffer-size 512
logging asdm warnings
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 7200
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup
!
object network obj_any
 nat (any,outside) dynamic interface
object network DEVWEB-SSH
 nat (inside,outside) static interface service tcp ssh ssh
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.2.197,CN=ciscoasanew
 keypair ASDM_LAUNCHER
 crl configure

snip

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
group-policy workVPN2016 internal
group-policy workVPN2016 attributes
 dns-server value 192.168.2.199
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 default-domain value work.internal
 split-dns value work.internal
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
hpm topN enable
Cryptochecksum:
: end

Hi Ben-

What you are trying to accomplish is called VPN crossed. Depending on your initial configuration, you have 2 NAT problems. The first has to do with the NAT you place your order. In the code later that we are dealing with two NAT ASA 8.3 times and who are ranked 2 sections going on before and after the device NAT. object

My general rule for control of NAT is like this:

Twice NAT (front) - use this section for exemptions from NAT or unusual configurations that have to go first
Purpose of NAT - Use this section to the static NAT instructions for servers
Twice NAT (after) - use this section to your global declarations of NAT, basically a catch-all

Then, never use 'all' as an interface for all training of NAT. This may seem like a good idea, but it will bite you. Remember, it is more the notion of control NAT, then 'all' interface is bit VPN configurations and similar DMZ. Always be specific about your interface for NAT pairs.

To this end, here is what I suggest that your NAT configuration should resemble:

nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.4.0_24 NETWORK_OBJ_192.168.4.0_24 no-proxy-arp route-lookup!object network DEVWEB-SSH nat (inside,outside) static interface service tcp ssh ssh !nat (inside,outside) after-auto source dynamic any interfacenat (outside,outside) after-auto source dynamic any interface

The key is that you need a NAT device explicitly reflecting the VPN traffic. PSC

837 to 837 VPN with PAT?

I have a working VPN connecting to of Cisco 837.

The client has a requirement for external access to RDP, POP3 and OWA... seemed pretty simple, just add:

IP nat inside source static tcp etc... but as soon as I add these PAT, internal access to these services fails immediately via the VPN to the other end (Site B).

Site to config following (Site B is running 192.168.42.x range with a virtually identical config (No. PAT of good)

!

version 12.3

no service button

horodateurs service debug uptime

Log service timestamps uptime

encryption password service

!

hostname FNN0755241374

!

logging buffered debugging 10000

no console logging

Select the secret xxxxxxxx

!

xxxxx xxxxxxxx password username

clock timezone IS 10

summer clock-time DEST recurring last Sun Oct 02:00 last Sun Mar 02:00

No aaa new-model

IP subnet zero

no ip domain search

!

!

IP cef

audit of IP notify Journal

Max-events of po verification IP 100

No ftp server enable write

!

!

!

!

crypto ISAKMP policy 10

md5 hash

preshared authentication

ISAKMP crypto key address 203.x.x.25 xxxxxxxxxxx

!

!

Crypto ipsec transform-set esp - esp-md5-hmac tweed_to_mur

!

tweed_vpn 10 ipsec-isakmp crypto map

defined by peer 203.149.73.25

Set transform-set tweed_to_mur

match address 102

!

!

!

!

interface Ethernet0

Description FNN0755241374 LAN

IP 192.168.40.254 255.255.255.0

IP nat inside

No keepalive

Hold-queue 100 on

!

ATM0 interface

no ip address

No atm ilmi-keepalive

DSL-ITU - dmt operation mode

!

point-to-point interface ATM0.1

Description 0755241374 (L2TP)

PVC 8/35

aal5mux encapsulation ppp Dialer

Dialer pool-member 1

!

!

interface FastEthernet1

no ip address

automatic duplex

automatic speed

!

interface FastEthernet2

no ip address

automatic duplex

automatic speed

!

interface FastEthernet3

no ip address

automatic duplex

automatic speed

!

interface FastEthernet4

no ip address

automatic duplex

automatic speed

!

interface Dialer1

Description 0755241374 (L2TP) PPPoa RRSM512

MTU 1400

the negotiated IP address

NAT outside IP

encapsulation ppp

Dialer pool 1

Dialer-Group 1

No cdp enable

PPP chap hostname xxxx

PPP chap password xxxx

tweed_vpn card crypto

!

overload of IP nat inside source list 103 interface Dialer1

IP nat inside source static tcp 192.168.40.1 21 203.149.71.130 21 expandable

IP nat inside source static tcp 192.168.40.1 20 203.149.71.130 20 expandable

IP nat inside source static tcp 192.168.40.1 80 203.149.71.130 80 extensible

IP nat inside source static tcp 192.168.40.4 25 203.149.71.130 25 expandable

IP nat inside source static tcp 192.168.40.4 110 203.149.71.130 110 extensible

IP nat inside source static tcp 192.168.40.4 143 203.149.71.130 143 extensible

IP nat inside source static tcp 192.168.40.4 80 203.149.67.193 80 extensible

IP classless

IP route 0.0.0.0 0.0.0.0 Dialer1

no ip address of the http server

no ip http secure server

!

Note access-list 11 * license end customer address space for NAT

access-list 11 permit 192.168.1.0 0.0.0.255

Journal of access list 99 license 203.149.69.5

Journal of access list 99 license 203.149.64.91

access-list 99 refuse any newspaper

access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255

access-list 102 deny ip 192.168.40.0 0.0.0.255 any

access-list 103 deny ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255

access-list 103 allow ip 192.168.40.0 0.0.0.255 any

Dialer-list 1 ip protocol allow

Server SNMP community readstring RO

SNMP-Server RO community readwritestring

Enable SNMP-Server intercepts ATS

!

Line con 0

exec-timeout 0 0

password xxxx

opening of session

no activation of the modem

StopBits 1

line to 0

line vty 0 4

access-class 99 in

exec-timeout 2 0

password xxxx

local connection

!

max-task-time 5000 Planner

!

end

FNN0755241374 #.

Kind regards

MB

This is because have priority the static NAT NAT overload control and therefore access list 103 is no longer deny these packets to be NAT had

This example configuration you get:

http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080094634.shtml

Site VPN to IPsec with PAT through the tunnel configuration example

Hello

as I read a lot about vpn connections site-2-site
and pass by PAT through it I still haven't found an example configuration for it on e ASA 55xx.

now, I got suite facility with two locations A and B.

192.168.0.0/24 Site has - ipsec - Site B 192.168.200.0/24
172.16.16.0/24 Site has

---------------------------------------------------------------------------

Host--> participated in IP 192.168.0.4: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.129--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 192.168.0.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

Host 172.16.16.127--> participated in IP: 192.168.0.3-> to 192.168.200.20
Host 172.16.16.253--> participated in IP: 192.168.0.3-> to 192.168.200.20

---------------------------------------------------------------------------

Now that I have guests autour within networks 172.16.16.0 like 192.168.0.0,
witch need to access a server terminal server on the SITE b.

As I have no influence on where and when guests pop up in my Site.
I would like to hide them behind a single ip address to SITE B.

If in the event that a new hosts need access, or old hosts can be deleted,
its as simple as the ACL or conviniently inlet remove the object from the network.

so I guess that the acl looks like this:

---------------------------------------------------------------------------

access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.4 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 192.168.0.129 192.168.200.20
access VPN-PARTICIPATED-HOSTS list allow ip 192.168.0.253 host 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.127 192.168.200.20
VPN-PARTICIPATED-HOSTS access list permit ip host 172.16.16.253 192.168.200.20

---------------------------------------------------------------------------

But, now, my big question is, how do I said the asa to use: 192.168.0.3 as the
address for the translation of PAT?

something like this he will say, it must be treated according to the policy:

NAT (1-access VPN INVOLVED-HOST internal list)

Now how do I do that?
The rest of the config, I guess that will be quite normal as follows:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of AA peers. ABM CC. DD
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

permit access list extended ip 192.168.0.3 outside_1_cryptomap host 192.168.200.20

---------------------------------------------------------------------------

On SITE B

the config is pretty simple:

card crypto outside_map 1 match address outside_1_cryptomap
card crypto outside_map 1 set of peer SITE has IP
card crypto outside_map 1 set of transformation-ESP-AES-256-SHA
outside_map card crypto 1 lifetime of security set association, 3600 seconds

outside_1_cryptomap list extended access allowed host host 192.168.200.20 IP 192.168.0.3

inside_nat0_outbound list extended access allowed host host 192.168.200.20 IP 192.168.0.3

---------------------------------------------------------------------------

Thank you for you're extra eyes and precious time!

Colin

You want to PAT the traffic that goes through the tunnel?

list of access allowed PAT ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

PAT 172.16.16.0 permit ip access list 255.255.255.0 192.168.200.0 255.255.255.0

NAT (inside) 1 access list PAT

Global (outside) 1 192.168.0.3 255.255.255.255

Then, the VPN ACL applied to the card encryption:

list of access allowed vpn host ip 192.168.0.3 192.168.200.0 255.255.255.0

Thus, all traffic from Site A will be PATed when you remotely 192.168.200.0/24

The interesting thing is that traffic can only be activated from your end.

The remote end cannot initialize traffic to 192.168.0.3 if there is not a version of dynamic translation on your side.

Is that what you are looking for?

Federico.

Ipv6 access list does not apply autonomous Aironet 3602I-E

As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

interface Dot11Radio0.2
guest_ingress6 filter IPv6 traffic in
guest_egress6 filter IPv6 traffic on

and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
etc.

In addition, when creating a list like this ipv6 access:

guest_egress6 IPv6 access list
refuse an entire ipv6

The other is automatically created:

IPv6-guest_egress6 role-based access list
refuse an entire ipv6

A deletion also removes the other.

What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

Please rate helpful messages... :-)

Cisco 837 and access list

Hi all

Sorry if my question sounds stupid, but I had a lot of problems with the syntax of the access list, especially to remove a line in an access list, for example:

Here is my list of access

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

If I want to delete only this line

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

I do not know how, I if do:

no access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

all the access-list 120 is removed!

Help, please!

Olivier

Hi, this is the usual behavior, if you delete the access list of the entire statement with sequence number is deleted.

You can create a named extended access-list and have the sequence number for each statements.

!

Standard IP access list note

permit 172.10.0.0 0.0.255.255

10.1.1.0 permit 0.0.0.255

permit 192.168.1.0 0.0.0.255

deny all

!

and if you want to delete something in between, or any particular line, you can run the command like this that will remove this line instead of the entire ACL itself...

Standard note of access-list (config) #ip

(config-std-nacl) #no 3

This configuration lines will remove the third line only (which is to allow the 192.168.1.0 0.0.0.255, leaving the other statements)

regds

allow icmpv6 in ipv4-access list in the tunnel

Hello

I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

My tunnel works and is as follows:

interface Tunnel0

no ip address

IPv6 address

enable IPv6

source of tunnel

ipv6ip tunnel mode

tunnel destination

So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

Access list that I apply is the following:

allow tcp any a Workbench

allowed UDP any eq field all

allowed any EQ 67 udp no matter what eq 68

allowed UDP any eq 123 everything

allowed UDP any eq 3740 everything

allowed UDP any eq 41 everything

allowed UDP any eq 5072 everything

allow icmp a whole

deny ip any any newspaper

Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

TCP 3874	TIC.sixxs.net	IPv4	ICT (Information Tunnel & Control Protocol)	Used to retrieve the information of tunnel (for instance AICCU)	Uses the TCP protocol and should work without problems
UDP 3740	PoP	IPv4	Heartbeat Protocol	Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive	the user only to pop out
Protocol 41	PoP	IPv4	IPv6 over IPv4 (6 in 4 tunnel)	Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat)	We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
UDP 5072	PoP	IPv4	AYIYA (anything in anything)	Used for tunneling IPv6 over IPv4 (AYIYA tunnels)	Must cross most NAT and even firewalls without any problem
ICMPv6 echo response.	Tunnel endpoints	IPv6	Internet Control Message Protocol for IPv6	Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel	No, because it is happening inside the tunnel

I missed something?

sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

Hope someone can help me.

Hello

In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

-Jouni

Order of access-list syntax

Hello

I have a small question about the order in the syntax for an access list. I made my list of access work now, but I don't understand why.

It looks like this when it did not work:

(outside interface incoming traffic)

access list 100 permit tcp any any established journal

access-list 100 permit udp any any eq field journal

access list 100 permit tcp any any eq field journal

access-list 100 deny ip any any newspaper

To make this work, I had to add these two lines:

access-list 100 permit udp any eq field no matter what newspaper

access list 100 permit tcp any eq field no matter what newspaper

I do not understand the difference between

access-list 100 permit udp any eq field all

and

access-list 100 permit udp any any eq field

If you're wondering what the main goal with the list, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have a domain.

Hello

Again, I think knowing that this 100 ACL is attached to the router's WAN interface in the direction 'in '. This means that its traffic control entering your network LAN.

When we look at how DNS works now in what concerns this ACL
- DNS lookup is usually made at the port of destination UDP/53
- PC uses the random source for the DNS lookup port
- Responses from DNS server for research with source UDP/53 port
- Responses from DNS server to the computer on the port that the source PC search DNS
So naturally you'll see responses from the host source and source UDP/53 port DNS

If the ACL with the port of destination UDP/53 became all success, this would mean that you would host a DNS server and the DNS lookups were intended for your network.

Also to your other question. If you set no ports using TCP/UDP in the ACL then he accepts any source/destination port

Hope this helps

Be sure to mark it as answered in the affirmative.

-Jouni

bug in iOS? startup-config + command access-list + an invalid entry detected

I posted this yesterday in the newsgroup usenet comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

Cisco 827

IOS (TM) C820 software (C820-K9OSY6-M), Version 12.2 (8) T5, RELEASE

SOFTWARE (fc1)

I'm looking to use a host named in a more extended access list. The

script I copy startup-config contains the following entries:

! the 2 following lines appear at the top of the script

123.123.123.123 IP name-server 123.123.123.124

IP domain-lookup

! the following line appears at the bottom of the script

120 allow host passports - 01.mx.aol.com one ip access-list

When I reboot the router, I saw the following message:

Translation of "passports - 01.mx.aol.com"... the domain server (255.255.255.255)

120 allow host passports - 01.mx.aol.com one ip access-list

^

Invalid entry % detected at ' ^' marker.

It seems as if the entrance to the server name of the router is not processed

prior to the access list. I can not even check with

router02 access lists 120 #sh

makes the access list entry * not * exist.

But when I manually type the entry in the router I see the

Next:

router02 (config) #access - list 120 permits Passport - 01.mx.aol.com ip host

any

Translation of "passports - 01.mx.aol.com"... the domain server (123.123.123.123)

[OK]

and I can confirm its creation:

router02 access lists 120 #sh

Extend the 120 IP access list

allow the host ip 64.12.137.89 one

I have to do something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same label/common sense if apply here as apply to newsgroups usenet. i.e. post us actual ip addresses in our configs or must they be edited?)

Any help is very appreciated.

Hello

Currently IOS does not use DNS - names in the ACL for the saved configuration / running.

When you type in a list of access with a domain name we he looks up and replaces it with the IP address. I remember seeing a bug No. recently request this feature but I don't remember one bug id # now.

Router (config) #access - list 187 ip allow any host www.cisco.com

Router (config) #^ Z

router #show run | 187 Inc

IP access-list 187 allow any host 198.133.219.25

router #show worm | split 12

IOS (TM) C800 Software (C800-K9NOSY6-MW), Version 12.2 (13) T, RELEASE

How PIX cross access lists?

I'm new with PIX.

I would like to know how this fw through access lists. I mean, it's in what order it checks the rules. I guess it can be quite an important issue if you want to keep performance with more than 400 rules and a flow of traffic.

I thank the of for any comment.

Hello

the pix treats the ACL from top to bottom. Put the rules used most frequently at the top. After a match, the pix stop processing the ACL.

Kind regards

Tom

Access-list group policy and IPSec tunnel.

I have an IPSec Site to Site VPN tunnel that ends on the external interface of the firewall. My ftp server is located in a demilitarized zone. The DMZ has an access list applied to the interface. When I created the Group of the tunnel for the Site to Site, I create a group of tunnel with group policy and manage the policy with filters. The filter looks like an access list. Are the filter and the ACL interface work together? The one replace the other? How they work together.

Once traffic ipsec, acl interface is not used until you have enabled "sysopt conn allowed-/ ipsec vpn. When you add a vpn-filter, it is what will filter the ipsec traffic.

FWSM firewall context Access-List entry Limitation

We have recently experienced an error on one of the firewall settings that it has reached the maximum access list entry. Anyone know what is the limit of the ACL entry by context or where can I find the documentaton for her. No work around to this issue? Thanks in advance.

Hello

This value changes depending on which version of the FWSM code you run - and Cisco gets not specific on how the FWSM calculates entered ACE to determine the number of entries you have on your own.

If you run the command (syntax may be different in 3.x code):

See the np 3 acl County property

You get a result that looks like this:

-CLS rule current account-

CLS filter rule Count: 0

CLS rule Fixup count: 11

CLS is Ctl rule Count: 0

CLS AAA rule count: 2187

CLS is given rule Count: 0

CLS Console rule count: 7

Political CLS NAT rule Count: 0

County of CLS ACL rule: 3491

Add CLS uncommitted ACL: 0

CLS ACL Del uncommitted: 0

-CLS rule MAX - account

CLS filter MAX: 3584

CLS Fixup MAX: 32

CLS is Ctl rule MAX: 716

CLS is given rule MAX: 716

AAA CLS MAX rule: 5017

CLS Console rule MAX: 2150

Political CLS NAT rule MAX: 3584

CLS ACL rule MAX: 56627

The counts are your real numbers, MAX is the maximum you can have. AAA rules are numbered for how As you can have applied altogether with your orders of "aaa game. For your question, it seems that you should check your 'CLS ACL rule Count' and 'CLS ACL rule MAX' and make sure you get not close to that number. If you are - try to limit the number of host entries (use the networks) where possible and try to use ranges of ports instead of individual ports in your access list statements.

I'll try to find the syntax 7.x and post here later.

-Jason

Rate if this can help.

access-list with PAT

Similar Questions

Maybe you are looking for