ACL for TFTP traffic
Hello
I need access to a different VLAN for TFTP traffic. So I've created an ACL like this:
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
I apply this ACL inbound on the source (192.168.30.0) interface.
The request to the TFTP server is established and the TFTP server responds from a random port for the file transfer.
Here's the problem: because of the random port, the ACL blocks the transfer of files.
Any idea?
Greetings,
Rouven
Hi Ganesh,
Windows 2003, on which the TFTP server resides, uses the range 1025 to 5000 as ephemeral ports. So I've decided to use the following ACL:
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
This has the drawback you've already mentioned. But actually I see no other way to solve the problem.
Thank you for your support!
Greetings,
Rouven
Hi Rouven,
As I said earlier, we need to allow the TFTP data ports, which come up dynamically between the client and the server depending on the traffic flow. Try the following ACLs and share the results:
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000
Hope this helps!
Ganesh.H
Don't forget to rate the useful messages
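The exchange discussed in this thread, as an added example that is not part of the original posts: a stateless model of Rouven's inbound ACL evaluated against the client-to-server packets of one TFTP read. The client address 192.168.30.25 and the server's ephemeral port 2048 are constructed values, not from the thread.

```python
"""
Added example (not from the original thread): a stateless model of the IOS
ACL in the TFTP question, evaluated against the client->server packets of
one TFTP read (RFC 1350). Constructed values: client 192.168.30.25, server
192.168.40.10 answering from ephemeral port 2048. The ACL is applied inbound
on the client VLAN, so only client->server packets are checked, as posted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One 'permit udp <src> <wildcard> host <dst> (eq|range ...)' entry."""
    src_net: str
    src_wild: str                # IOS wildcard: 1 bits are "don't care"
    dst_host: str
    dst_ports: Tuple[int, int]   # inclusive (low, high); eq tftp -> (69, 69)


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard-mask semantics: every 0 bit of the mask must match."""
    diff = int(IPv4Address(addr)) ^ int(IPv4Address(net))
    return diff & ~int(IPv4Address(wild)) & 0xFFFFFFFF == 0


def evaluate(acl: List[Ace], src: str, dst: str, dport: int) -> Optional[int]:
    """Index of the first matching ACE, or None for the implicit deny at the end."""
    for i, ace in enumerate(acl):
        lo, hi = ace.dst_ports
        if wildcard_match(src, ace.src_net, ace.src_wild) and dst == ace.dst_host and lo <= dport <= hi:
            return i
    return None


# ACL from the first post: only the request to port 69 (tftp) is permitted.
ACL_ORIGINAL = [Ace("192.168.30.0", "0.0.0.255", "192.168.40.10", (69, 69))]
# ACL from the follow-up: the Windows 2003 ephemeral range 1025-5000 is added.
ACL_WITH_RANGE = ACL_ORIGINAL + [Ace("192.168.30.0", "0.0.0.255", "192.168.40.10", (1025, 5000))]


def tftp_client_packets(client: str, server: str, server_tid: int):
    """Client->server packets of a read: RRQ to 69, then ACKs to the server's new TID."""
    return [("RRQ", client, server, 69),
            ("ACK block 1", client, server, server_tid),
            ("ACK block 2", client, server, server_tid)]


def transfer_survives(acl: List[Ace], client="192.168.30.25", server="192.168.40.10", server_tid=2048) -> bool:
    """True only if every client->server packet of the read passes the ACL."""
    for name, src, dst, dport in tftp_client_packets(client, server, server_tid):
        hit = evaluate(acl, src, dst, dport)
        verdict = f"permit (ACE {hit})" if hit is not None else "DENY (implicit deny)"
        print(f"{name:12s} {src} -> {dst}:{dport:<5d} {verdict}")
        if hit is None:
            return False
    return True


if __name__ == "__main__":
    print("original ACL, transfer completes:", transfer_survives(ACL_ORIGINAL))
    print("with 1025-5000 range, completes: ", transfer_survives(ACL_WITH_RANGE))
    # The drawback Rouven accepts: the range rule also passes non-TFTP UDP to 1025-5000.
    print("UDP to port 1900 matches ACE:", evaluate(ACL_WITH_RANGE, "192.168.30.25", "192.168.40.10", 1900))
```

The run shows the ACKs to the server's data port failing the original ACL and passing the widened one, together with the widened ACL's side effect of admitting any UDP in that range.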
Similar Questions
-
I have a client with an ASA 5505 who has several networks; he tries to communicate via a VPN tunnel with a remote desktop. One of the networks does not work because it is also used on the other side of the tunnel as the management interface, and neither side seems ready to re-IP their internal space.
Their proposed solution is to NAT the conflicting network on this side to a different subnet on the firewall before it passes through the tunnel. How do I implement a NAT which only applies to the VPN tunnel, while the rest of the traffic that comes through this device stays un-NATted?
The network in question is 192.168.0.0/24. The target they want to NAT it to is 172.16.0.0/24. Config of the ASA is attached.
Hello
Basically, the Policy Dynamic PAT configuration should work for the L2L VPN connection, because Policy Dynamic PAT is processed before the Dynamic PAT/NAT configurations.
The only NAT configurations that can override this Policy Dynamic NAT are
- NAT0 / NAT exempt configuration
- Static Policy NAT/PAT
- Static NAT/PAT
And because we have determined that the only problem is with the network 192.168.0.0/24, and since there is no Static NAT/PAT or Static Policy NAT/PAT configuration, the Policy Dynamic PAT should be applied, unless some NAT0 configuration continues to cause problems.
The best way to determine what rules are hit for specific traffic is to use the "packet-tracer" command on the ASA
packet-tracer input inside tcp 192.168.0.100 12345 10.1.7.100 80
For example, to simulate a random HTTP connection to the remote site
This should tell us, for example
- where the packet would be sent
- whether it would pass the interface ACL
- what NAT would be applied
- whether it would match any L2L VPN configuration
- and many others
Then can you run the command mentioned above twice and copy/paste the second output here. I ask for the output twice because the first time the command would only bring up the L2L VPN, which is where the actual L2L VPN negotiations go through, while the second run could already show all the info of what actually happened to the simulated packet.
In addition, judging by the NAT format you chose (Policy Dynamic PAT), I assume that only your site connects to the remote site? Given that Policy Dynamic PAT (or normal Dynamic PAT) does not allow creating a two-way connection. Connections can only be opened from your site to the remote site (return traffic naturally passes automatically because of the existing connections and translations)
-Jouni
-
What is the correct way to PAT outbound on a 5540 for VPN traffic?
We are on 8.3(2) on the ASA5540. Throughout our company, users connect to a business partner's application through the ASA/VPN. We have a class B address space, and because users are spread all over it, I have the entire class B space as the local object in the ACL that allows traffic through the VPN tunnel.
The business partner is worried that our entire address space is allowed to access the VPN tunnel. So I thought, to help alleviate their concerns, I would PAT all our outbound connections to a single IP address.
How is this done in 8.3(2)? I use ASDM to configure the 5540. For example, our class B is 159.12.0.0 and the PAT IP address would be 199.30.36.6.
You can try:
object-group network 159.12.0.0_VPN
network-object 159.12.0.0 255.255.0.0
object-group network 199.30.36.6_VPN_PAT
network-object host 199.30.36.6
object-group network remote_location
network-object
nat (interface,interface) source dynamic 159.12.0.0_VPN 199.30.36.6_VPN_PAT destination static remote_location remote_location
I would just give it a shot... You would be NATting twice here... (You should replace 'interface', 'interface' with the actual interface names. You probably already knew that.)
-
Satellite A110-195 PSAB0E crashes using NIC for network traffic
The problem is that my A110-195 crashes when using the onboard LAN for network traffic.
I have searched the forum for this kind of problem and I found two threads on this topic. http://forums.computers.Toshiba-Europe.com/forums/thread.jspa?MessageID=93924
There's no solution for my problem in either of them.
I tried a lot of drivers from different sources and developers but the problem remains. It is really very annoying. Please help me with this.
Hello
Do you have a Realtek LAN card?
If yes, then you should contact the ASP in your country for a fix. I had a similar problem with my Realtek LAN card on a Satellite A110. From time to time my system locked up during big copies via the Realtek LAN port.
I talked to a local technician and he mentioned a patch. Unfortunately, I don't know what he did, but after the update (or installing the fix) I didn't notice the same problem again.
So I recommend contacting the authorized service partner and requesting the hotfix.
Good bye
-
Downloadable ACLs for VPN users
Hello
I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users, authenticated through the ACS, and the ACS downloaded a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working very well. When I disabled this option, the tunnel established. When I went back to the old PIX with the same configuration, it worked very well with the downloadable ACL option. I opened a TAC case and he said that ACS v3.0 (I) is not compatible with the ASA. He did not really convince me, and he asked me to try using the AV pair option. I tried the AV pair option with the ASA and it did not work either. Can you please advise.
Hello
Check out this point,
In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL". On the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".
Kind regards
Prem
-
Downloadable ACLs for users?
Hi all
ACS 5.4, I need customized ACLs for users.
My scenario:
There is a way to use a "downloadable ACL" in a permission profile, but I want to set specific ACLs for some exceptions. For example: user A and user B obtain permission profile 'X'. But user B is not allowed to access a host. This 'deny rule' I will configure with custom attributes in the internal user store.
Is this possible? How can I implement this rule?
Best regards
Stefan
Hello
You can do this by following these steps:
1. Define a user attribute in the dictionary under System Administration > Dictionaries > Identity > Internal Users; call it what you want and make sure that the value is a string.
2. Create the DACL under the Named Authorization Objects section of Policy Elements.
3. Under the user account you will now see one field for the dictionary name you gave in step 1; make sure that the field holds the DACL that you created in step 2.
4. Create your authorization profile under "Common Tasks"; set the Downloadable ACL Name to Dynamic, select Internal Users and set the value to the attribute that you created in step 1.
5. Map the authorization policy to the access policy using the conditions that will give you these results.
6. Test, and you should have what you are looking for.
Thank you
Tarik Admani
* Please rate the useful messages *
-
How can a no-drop policy be configured for iSCSI traffic on a Nexus 5548UP? Are there side effects?
Hello
Side effects depend on your network config, but I can tell you how to configure a no-drop policy for iSCSI traffic...
We have a three-stage configuration; the image is in the link below...
1. QoS class - for the initial traffic classification
2. Queuing (input/output) - this is where you reserve or police traffic
3. Network QoS - where you set no-drop or the MTU for the classified traffic across the Nexus fabric
(config)# class-map type qos myTraffic   // match iSCSI traffic
(config-cmap-qos)# match protocol iscsi
(config)# policy-map type qos myQoS-policy   // set qos-group 2 on iSCSI traffic so that it can be recognized
(config-pmap-qos)# class myTraffic
(config-pmap-c-qos)# set qos-group 2
(config)# class-map type network-qos myTraffic
(config-cmap-nq)# match qos-group 2
(config)# policy-map type network-qos myNetwork-QoS-policy
(config-pmap-nq)# class type network-qos myTraffic
(config-pmap-nq-c)# pause no-drop
(config-pmap-nq-c)# mtu 2158
(config-pmap-nq-c)# show policy-map type network-qos myNetwork-QoS-policy
(config)# class-map type queuing myTraffic
(config-cmap-que)# match qos-group 2
(config)# policy-map type queuing myQueuing-policy
(config-pmap-que)# class type queuing myTraffic
(config-pmap-c-que)# bandwidth percent 50
(config-pmap-c-que)# class type queuing class-default
(config-pmap-c-que)# bandwidth percent 25
(config-pmap-c-que)# show policy-map type queuing myQueuing-policy
(config)# system qos
(config-sys-qos)# service-policy type qos input myQoS-policy
(config-sys-qos)# service-policy type network-qos myNetwork-QoS-policy
(config-sys-qos)# service-policy type queuing input myQueuing-policy
(config-sys-qos)# service-policy type queuing output myQueuing-policy
Let me know your concerns
-
Which network does Oracle use for RAC traffic? Where do you get the info?
Hello
I use a two-node RAC on Oracle 10g R2 (10.2.0.3.0) on SUN Solaris 10. I want to know "which network does Oracle use for RAC traffic? Where do you get the info?"
-Kumar
Hi Kumar,
In 10g, you can query x$ksxpia. If the cluster_interconnect is stored in the OCR (the default), you will get it with
SQL> select INST_ID, PUB_KSXPIA, PICKED_KSXPIA, NAME_KSXPIA, IP_KSXPIA from x$ksxpia;
If you have specified the cluster_interconnects parameter in your init.ora:
Columns to look at: INST_ID PICK NAME_KSXPIA IP_KSXPIA P
And also you can use 'oradebug ipc' to see which interconnect the database uses:
SQL> oradebug setmypid
SQL> oradebug ipc
It could be useful...
Thank you
LaserSoft
-
Installation of physical switches for ISCSI traffic
Is there anything I need to know from a networking perspective to configure dedicated iSCSI switches to support my LeftHand iSCSI SAN?
I do not plan on connecting the switches to the prod network. I only plan on using these switches for iSCSI traffic.
LeftHand supports LACP; if your switches support it, you should consider using trunk mode. In my P4300 SAN, I have two 3750's stacked. Each SAN node connects to each switch and sits in a LACP/etherchannel link. All this is condensed to a single virtual IP address which is presented to ESX/i. Don't forget to create a vmk for each dedicated VMware iSCSI connection and bind according to this pdf.
-
ACL counters for the VPN group show zero even though there is traffic
Hi all
I use a PIX 515E. I defined a remote user VPN, its address pool, and also several ACLs that apply to traffic originating from this address pool to servers on the inside network.
Does anyone have ideas why the ACL hitcounts remain at zero, even if my remote users always access the servers?
Thanks for the wisdom!
Joe
Joe,
You're probably using the command "sysopt connection permit-ipsec".
As quoted in the PIX guide on cisco.com:
"Use the sysopt connection permit-ipsec command in IPSec configurations to allow IPSec traffic to pass through the PIX firewall without a check of the conduit or access-list command statements"
The ACL on the outside interface is bypassed by this feature.
-
General ACL for traffic cleaning / security
I started to apply the attached ACL in an attempt to clean up our WAN traffic. We work with each site to clean things up at the source, but in order to be proactive, we thought that the ACL is a good start. It also helps with child issues on the LANs. It essentially restricts these troublesome protocols (ports 137, 138, 139, etc.) to only our address space, in order to reduce the "wandering" traffic of viruses, worms and others. Any recommendations on improving this list? We are looking at deploying an IDS system, but it will probably only be in the core to start. I know this is not a large ACL but it is a start, and is better than nothing. Just trying to be proactive and keep things as secure as possible.
Hi bberry.
I don't really know why you allow the NetBIOS ports 137, 138, 139, 445 from inside your network to any... I hope that the private networks 192.168.0.0/172.16.x.x etc. are your inside networks... Am I wrong? In any case, apart from these ports, make sure you also block the ports given below:
TCP 79 - finger, UDP 161/162 - SNMP / SNMP trap, TCP 513 - rlogin, UDP 513 - who, TCP/UDP 514 - syslog
You need to block all of these outbound if they are not necessary... This is really vulnerable...
You must also disable unnecessary services on the router such as CDP, TCP/UDP small servers, finger, http server, bootp server, ip source routing, proxy arp, ip directed broadcasts etc., if they are not needed...
If the WAN link is an internet link, ask the service provider to apply these access rules. Applying too many access lists on your side will eat a lot of resources on the router.
I hope this helps... all the best...
REDA
-
Interface VLAN ACL for inbound traffic?
Hi, I may be over-thinking this, but I have an ACL that is applied inbound on an interface vlan. I have a temporary line to permit udp any any log. I see hits, but the source IP address is outside the network of the destination interface vlan's IP address. I expected to see source IP addresses only in the range 192.168.1.128/25. What do you think? Thank you
interface Vlan100
ip address 192.168.1.132 255.255.255.128
ip access-group ACL_IN in
Hit on the ACL
SW1: %SEC-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132(137), 1 packet
Hello
That looks to me like WINS browsing, a response packet.
And as MS browsing works at layer 2, it sends a response to the IP of the router where it sees the request coming from - maybe your clients have a WINS server address configured?
Do not forget that
permit udp any any log
will match ANY ip src, not only your local subnet, and that is why your log entries show the traffic in both directions.
Rgds
Ian
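An added example, not from the original thread, that checks the point Ian makes: it parses IOS %SEC-6-IPACCESSLOGP lines in the format shown in the question and reports which permitted hits come from outside the VLAN's own subnet, 192.168.1.128/25. The sample log lines are constructed.

```python
"""
Added example (not from the original thread): parse IOS %SEC-6-IPACCESSLOGP
lines like the one in the question and report which permitted hits come
from outside the VLAN's own subnet, 192.168.1.128/25. The log lines below
are constructed for this example.
"""
import re
from ipaddress import ip_address, ip_network

LOCAL_SUBNET = ip_network("192.168.1.128/25")

# IOS ACL logging: list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> (?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet"
)

SAMPLE_LOG = """\
SW1: %SEC-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132(137), 1 packet
SW1: %SEC-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.1.140(137) -> 192.168.1.132(137), 3 packets
SW1: %SEC-6-IPACCESSLOGP: list ACL_IN permitted udp 10.0.0.9(53) -> 192.168.1.132(1025), 1 packet
this line is not an ACL log entry and is skipped
"""


def parse_hits(text):
    """Return one dict per parseable log line (ports and packet count as ints)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "count"):
                d[key] = int(d[key])
            hits.append(d)
    return hits


def foreign_sources(text, local=LOCAL_SUBNET):
    """Sources outside the VLAN subnet: what a 'permit udp any any log' ACE lets through."""
    return sorted({h["src"] for h in parse_hits(text) if ip_address(h["src"]) not in local})


def netbios_name_service_hits(text):
    """Hits on UDP 137 (NetBIOS name service), the WINS/browser traffic the reply describes."""
    return [h for h in parse_hits(text) if h["proto"] == "udp" and h["dport"] == 137]


if __name__ == "__main__":
    for h in parse_hits(SAMPLE_LOG):
        tag = "LOCAL " if ip_address(h["src"]) in LOCAL_SUBNET else "REMOTE"
        print(f"{tag} {h['src']}:{h['sport']} -> {h['dst']}:{h['dport']} ({h['action']} by {h['acl']})")
    print("sources outside 192.168.1.128/25:", foreign_sources(SAMPLE_LOG))
```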
-
All,
First thanks for all assistance.
I am trying to configure my ASA5505 to accept SMTP relay and the ACL\Static I have created does not work.
Here is the config:
ASA Version 8.2(2)
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.12.12.1 255.255.255.248 --> deleted
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host 12.12.12.1 eq smtp
access-list inside_access_in extended permit ip any any
access-list sheep extended permit ip 10.10.10.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.12.12.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
class class-default
!
prompt hostname context
Please help me :-(
Thank you very much!
Hi Jim,
The configuration guide will provide a few basic examples for setting up groups of items:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/objectgroups.html
Single network objects are only available in 8.3 and higher. However, an object group in 8.2 can certainly contain a single member.
-Mike
-
2821 ACL for a range of IP addresses
We use an old Cisco 2821 on the internet edge for the initial inbound traffic filtering. To try to block some provider networks that are a source of SPAM, we have tried to apply an ACL that included a range of addresses as follows:
access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255
This command was shortened to the following in the running configuration:
access-list 110 deny ip host 198.20.160.0 any
The ACL doesn't seem to work, as we still receive spam from this range.
Any help is greatly appreciated.
Thank you for your time.
Hello
Your ACL syntax denies only the host 192.20.160.0.
If you look below
access-list 110 deny ip host 198.20.160.0 0.0.31.255 255.255.255.255
you have the source specified as a host (host 198.20.160.0)
and the destination as any host (invalid network and mask - 0.0.31.255 255.255.255.255)
Which subnet or network do you want to block? Give me the source and destination subnets and I will correct the ACL.
HTH
Sandy
-
Capture packets for VPN traffic
Hi team,
Please help me to set up the ACL and capture for remote access VPN traffic,
to see the amount of traffic that flows from this source IP address.
Source: remote access VPN IP (client) 10.10.10.10
Destination: any
This is what I've done, and it does not work
access-list VPN extended permit tcp host 10.10.10.10 any
capture CAP_VPN type raw-data access-list VPN interface OUTSIDE
Hello
If you have configured the capture with this access list, you filter only TCP traffic, so you will not be able to see the UDP or ICMP traffic. I would recommend using the ACL, but with ip only:
access-list VPN extended permit ip host 10.10.10.10 any
capture CAP_VPN access-list VPN interface outside
Then with:
show capture CAP_VPN
you will be able to see the packet capture on the ASA. You can export the capture to a packet sniffer as follows: