ACL problem.
Hello everyone, for some reason with this Packet Tracer lab I get the last part of the ACL wrong.
This is the lab I've done so far (94%)
http://www.sendspace.com/file/gsnk07
They ask the following:
Configure a standard named ACL on the vty lines of R1 and R3, allowing the hosts directly connected to their Fast Ethernet subnets Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.
They also ask for the extended ACL:
Name of the ACL: block.
Block traffic from the R1 LAN from reaching the R3 LAN.
Block traffic from the R3 LAN from reaching the R1 LAN.
Permit all other traffic.
Here's what I have on Router 1 for the standard ACL:
ip access-list standard VTY-Local
 deny 10.1.0.0 0.0.0.3
 deny 10.3.0.0 0.0.0.3
 deny 10.3.1.0 0.0.0.255
 permit 10.1.1.1 0.0.0.255
I can't understand why my ACL is incorrect.
Host 1 IP (connected to R1) - 10.1.1.1
Serial link between R1 and R2, subnet:
10.1.0.0/30
R2 to R3:
10.3.0.0/30
Host 2 to R2:
10.3.1.0/24
Host 2 address is 10.3.1.1/24
Can someone help me?
deny 10.1.0.0 0.0.0.3 - matches IP 10.1.0.x
deny 10.3.0.0 0.0.0.3 - matches IP 10.3.0.x
deny 10.3.1.0 0.0.0.255 - matches IP 10.3.1.x
permit 10.1.1.1 0.0.0.255 - matches IP 10.1.1.0
The correct ACL should be:
deny 10.1.0.0 0.0.0.3
deny 10.3.0.0 0.0.0.3
deny 10.3.1.0 0.0.0.255
permit 10.1.1.1 0.0.0.0
or
permit 10.1.1.1 0.0.0.0
deny any
HTH
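As an added illustration (not part of the original post or the reply), the following Python models how IOS evaluates a standard ACL entry by entry with wildcard masks, and runs both the ACL as posted and the reply's corrected version against sample source addresses. The parser, the sample addresses and the helper names are my own; the matching rules (first match wins, implicit deny at the end, a 1 bit in the wildcard means "don't care") are standard IOS behaviour.

```python
# Added example (not from the post): how IOS evaluates a standard ACL
# with wildcard masks, top-down, first match wins, implicit deny at the end.
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    Only the 0 ('care') bits of the wildcard have to agree with base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def addresses_covered(wildcard: str) -> int:
    """Number of addresses a single entry matches: 2 ** (count of 1 bits)."""
    return 1 << bin(ip_to_int(wildcard)).count("1")


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    base: str
    wildcard: str


def parse_standard_acl(text: str) -> list:
    """Parse the body of 'ip access-list standard <name>' (host/any accepted)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":          # skip the 'ip access-list' header
            continue
        action = tok[0]
        if tok[1] == "any":
            entries.append(Ace(action, "0.0.0.0", "255.255.255.255"))
        elif tok[1] == "host":
            entries.append(Ace(action, tok[2], "0.0.0.0"))
        else:                                  # 'addr [wildcard]'; no wildcard = host
            entries.append(Ace(action, tok[1], tok[2] if len(tok) > 2 else "0.0.0.0"))
    return entries


def evaluate(entries: list, src: str) -> str:
    """First matching entry decides; nothing matched -> implicit deny."""
    for ace in entries:
        if wildcard_match(src, ace.base, ace.wildcard):
            return ace.action
    return "deny"


# The ACL as posted: the last line uses wildcard 0.0.0.255, so it permits
# every host in 10.1.1.0/24, not just 10.1.1.1.
POSTED = parse_standard_acl("""
ip access-list standard VTY-Local
 deny 10.1.0.0 0.0.0.3
 deny 10.3.0.0 0.0.0.3
 deny 10.3.1.0 0.0.0.255
 permit 10.1.1.1 0.0.0.255
""")

# The reply's short version: wildcard 0.0.0.0 pins the permit to the single
# host, and an explicit 'deny any' makes the implicit deny visible with counters.
FIXED = parse_standard_acl("""
ip access-list standard VTY-Local
 permit 10.1.1.1 0.0.0.0
 deny any
""")


if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.77", "10.3.1.1", "10.1.0.2"):
        print(f"{src:>10}: posted={evaluate(POSTED, src):6} fixed={evaluate(FIXED, src)}")
```

Running it shows the difference the reply points at: the posted last line admits every address in 10.1.1.0/24, while the corrected version admits only 10.1.1.1. `addresses_covered` gives the size of each entry's match (4 for 0.0.0.3, 256 for 0.0.0.255, 1 for 0.0.0.0), which is the quickest way to sanity-check a wildcard before applying the list with `access-class VTY-Local in` on the vty lines.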
Tags: Cisco Security
Similar Questions
-
Need some ACL kung fu for a site-to-site VPN ACL problem
Group,
I have a little problem that I know is ACL related. I'd like a few experts to take a look at my config please. Here's the issue:
I'm trying to create a site-to-site VPN between two offices, but for some reason they cannot ping each other. It's a strange thing.
97.XX.231.22 <--> 71.xx.160.123
I can ping both firewalls from the outside using a computer on the other side, but from the internal firewall utilities they cannot ping each other. At the same time I can ping their respective gateways.
Secondly, I have an inside-to-outside static translation, as you can see here, for 80 & 443 that prevents me from browsing http and https via the VPN from the remote LAN; can it be modified to allow access? I can access it when I dial in via the VPN client but not via the permanent VPN tunnel. Here is the config:
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.41.14.103 80 71.xx.160.123 80 extendable
ip nat inside source static tcp 10.41.14.103 443 71.xx.160.123 443 extendable
ip route 0.0.0.0 0.0.0.0 71.xx.160.121
ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent
ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent
ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent
ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent
ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent
ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent
ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent
ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent
!
ip sla auto discovery
logging trap errors
logging host 192.168.10.29
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 remark Platinum LAN
access-list 2 permit 10.41.14.0 0.0.0.255
access-list 2 deny any
access-list 101 remark Master rules
access-list 101 remark CCP_ACL Category=1
access-list 101 remark FaxFinder WWW traffic
access-list 101 permit tcp any host 71.xx.160.123 eq www
access-list 101 remark FaxFinder HTTPS traffic
access-list 101 permit tcp any host 71.xx.160.123 eq 443
access-list 101 remark NTP Time Protocol
access-list 101 permit udp any host 71.xx.160.123 eq ntp
access-list 101 remark IPSEC protocols
access-list 101 permit udp any host 71.xx.160.123 eq non500-isakmp
access-list 101 remark IPSEC protocols
access-list 101 permit udp any host 71.xx.160.123 eq isakmp
access-list 101 remark ESP traffic
access-list 101 permit esp any host 71.xx.160.123
access-list 101 remark General permit
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=2
access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
access-list 102 remark Platinum LAN NAT rule
access-list 102 permit ip 10.41.14.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
access-list 108 remark CCP_ACL Category=4
access-list 108 permit ip 10.41.14.0 0.0.0.255 any
access-list 109 remark IPSec Rule
access-list 109 remark CCP_ACL Category=4
access-list 109 permit ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 110 remark CCP_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
There is more than one way to achieve this goal.
(1) The best way is possible if both VPN peers are IOS routers. Then you can migrate to Virtual Tunnel Interfaces (VTI). With that, the outside interface no longer mixes VPN and non-VPN traffic.
(2) If VTI is not possible, you can restrict the translation to non-VPN traffic only using a route-map:
object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
route-map NAT-SERVER-10.41.14.103 permit 10
 match ip address TRAFFIC-NAT-SERVER-10.41.14.103
ip access-list extended TRAFFIC-NAT-SERVER-10.41.14.103
 deny ip host 10.41.14.103 object-group RFC1918
 permit tcp host 10.41.14.103 eq 80 any
 permit tcp host 10.41.14.103 eq 443 any
ip nat inside source static 10.41.14.103 71.xx... route-map NAT-SERVER-10.41.14.103
What does that do?
When your server communicates with a system with an address in the RFC1918 range, the route-map does not match and the translation is not used. That is your VPN scenario. But if the server communicates with a non-RFC1918 address, the translation is used and the server can be reached.
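As an added example (not the reply's or the poster's config), the following Python simulates the route-map-conditioned static NAT the reply proposes, so the "What does that do?" paragraph can be checked packet by packet. The server address 10.41.14.103, the RFC1918 object-group and the three ACL lines are taken from the reply; PUBLIC_IP is a placeholder for the masked 71.xx.160.123, and the remote hosts, the Packet type and the should_translate/outgoing_source helpers are constructed for this example.

```python
# Added example (not Karsten's config): simulates the route-map-conditioned
# static NAT from the reply, packet by packet. Server address and ACL lines
# come from the reply; PUBLIC_IP is a placeholder for the masked 71.xx.160.123,
# every other address below is constructed for the example.
import ipaddress
from dataclasses import dataclass

SERVER = ipaddress.ip_address("10.41.14.103")
PUBLIC_IP = "198.51.100.123"   # placeholder for the masked public address

# object-group network RFC1918 from the reply
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0


def in_object_group(addr: str, group) -> bool:
    """True when addr falls inside any network of the object-group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def acl_traffic_nat_server(pkt: Packet) -> str:
    """Top-down evaluation of the reply's extended ACL:
         deny   ip  host 10.41.14.103 object-group RFC1918
         permit tcp host 10.41.14.103 eq 80  any
         permit tcp host 10.41.14.103 eq 443 any
       followed by the implicit deny."""
    if ipaddress.ip_address(pkt.src) != SERVER:
        return "deny"                    # nothing in this ACL applies to other hosts
    if in_object_group(pkt.dst, RFC1918):
        return "deny"                    # line 1: VPN-bound traffic keeps its real source
    if pkt.proto == "tcp" and pkt.sport in (80, 443):
        return "permit"                  # lines 2-3: replies from the published services
    return "deny"                        # implicit deny


def should_translate(pkt: Packet) -> bool:
    """route-map NAT-SERVER-10.41.14.103 permit 10 / match ip address <ACL>:
    the static translation is applied only when the ACL permits the packet."""
    return acl_traffic_nat_server(pkt) == "permit"


def outgoing_source(pkt: Packet) -> str:
    """Source address the packet carries after the NAT decision."""
    return PUBLIC_IP if should_translate(pkt) else pkt.src


if __name__ == "__main__":
    samples = [
        Packet("10.41.14.103", "192.168.76.20", "tcp", sport=80, dport=51000),  # remote VPN LAN
        Packet("10.41.14.103", "203.0.113.9", "tcp", sport=443, dport=40000),   # internet client
        Packet("10.41.14.103", "203.0.113.9", "udp", sport=123, dport=123),     # not in the ACL
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.sport}: source becomes {outgoing_source(p)}")
```

A packet from the server to a 192.168.76.x or 10.0.2.x host (the VPN subnets in the poster's config) is denied by the first ACL line, so the route-map does not match and the packet keeps its private source; replies from TCP 80/443 to a public address are translated to the static public address. Anything else from the server falls to the implicit deny of this ACL and therefore never uses this static entry; in the poster's config such traffic is left to the overload rule driven by route-map SDM_RMAP_1.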
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
Currently I am at a very basic level of understanding. I have obtained internet access by binding the PPPoE to the router and seem to have an active VPN connection. The VPN connection is active, but the traffic counters are at 0. When I change the sequence of the ACL, it connects perfectly.
Using a 2800 router
There is not enough information given here for us to understand the problem and propose solutions. If you change the sequence number of the ACL and it connects perfectly, then maybe the problem is solved?
HTH
Rick
-
Hello
I have configured ISE and WLC for use with the CWA guest portal but there is a problem with the CoA - it won't apply the Airespace ACL after authentication on the guest portal.
1. On the authC page I configured wireless MAB to continue if the user is not found, and to use internal users as the identity store.
2. On the authZ page I configured WEBAUTH as the default rule with the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
3. I've also configured this ACL on the WLC to allow:
permit any-to-any icmp and dns
permit all-to-ISE 8443
permit ISE-to-any
This part works very well because I get redirected to the guest portal and can use my guest login & password to authenticate. The guest account was previously generated via the sponsor portal and that works too.
4. On the authC page I use wireless dot1x with internal users.
5. On the authZ page I use a rule "if internal users: Guest then PERMIT".
6. The PERMIT rule looks like the following:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
7. This ACL is configured on the WLC allowing everything except private networks (ISE is also permitted).
After authentication on the guest portal I see a success message and I'm able to ping the internet, but I don't have web access. It looks like the CoA and the Airespace ACL are not working and I'm still using my ACL-WEBAUTH-REDIRECT access list, and I see strange error messages in the WLC logs:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
I swear my ACL name spelling is correct, and ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC, with counters too!
I have no idea what the problem could be...
Any ideas?
P.S. See the attachment for the Live Authentications log
You can try "debug client" on the WLC CLI and then connect with the client. There you'll see whether the WLC applies your ACL.
It looks like this for my permit-all ACL:
*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)
It should be near the bottom.
And afterwards, debug disable-all.
Another question: you can test the internet but have no web access, also when using a URL? Does DNS work after the last ACL is applied?
On this line in the log:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
I get that too with CWA working, so I don't know whether it's related (for my setup).
Regards
Mikael
Sent from Cisco Technical Support iPad App
Post edited by: Mikael Gustafsson
-
Hello
I'm trying to put an ACL on a group policy for my IPsec LAN-to-LAN VPN.
My ACL does not work and blocks all traffic.
Since it does not work with the ACL on the group policy, I put an ACL on the inside interface, but it does not match.
To get a match I have to put a deny any any before the permit.
Thank you
Hello
The main problem when configuring IPSec filters is that people set them up for the outbound direction. You must specify the inbound traffic you want to permit or deny.
Here is the document that explains how to configure the filters. Take a look, and if you have any problems please post your VPN configuration.
Have fun.
Raga
-
After we went from 11.2.0.1 to 11.2.0.2 we started having this problem:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 25
ORA-06512: at "SYS.DBMS_LDAP", line 57
ORA-06512: at "BANINST1.ZPGKOUSR", line 1606
Line 1606 is:
l_session := dbms_ldap.init(hostname => l_host,
                            portnum  => v_ADConfig.zgpwdrecfg_port);
We have an ACL with * and NULL lower and upper ports, and the connecting user has the connect and resolve privileges on this ACL.
What are we missing?
Thank you
Alex.
Hi Alex
Please check these references:
Note 1317940.1 DBMS_LDAP fails to authenticate after upgrading the DB to 11.2.0.2
Note 1361247.1 ORA-24247 after applying the 11.2.0.2 patchset
See whether Patch 10170706 can help; it is a problem where not all valid ACL privileges are checked when matching in some scenarios.
Greetings,
Harm ten Napel
-
I have a question. I'm doing an extended ACL to deny HTTP, Telnet and FTP internet traffic to PC1 in an exercise I'm working on.
I created the following ACL and applied it to the loopback interface on R2 (where the ISP is the 'cloud'). PC1 is connected to R1, which is obviously connected to R2.
ip access-list extended ACL_TCP
 deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
 permit tcp any any established
Is there a better way to do it? Does this extended ACL work for my purpose?
Say R2's address is 192.168.1.2 and you only want to allow this address. You create the ACL on R1 and R3, and they would look like:
R1: 192.168.1.1
R3: 192.168.1.3
access-list 23 permit host 192.168.1.2
You apply this to your vty lines on R1 and R3:
line vty 0 4
 access-class 23 in
HTH,
John
-
Problems with UTL_HTTP and problems of access to the network
I have a similar problem to the one already in the following thread
https://forums.Oracle.com/thread/2454508
but was unable to come to any solution, so need more help!
I have this all working well from my local laptop, but I'm not able to run it on our test server (behind a layer 7 switch).
-- Testing for google.com
BEGIN
  DBMS_NETWORK_ACL_ADMIN.create_acl (
    acl         => 'google.xml',
    description => 'Google ACL Control List',
    principal   => 'TEST_USER',
    is_grant    => TRUE,
    privilege   => 'connect');
END;
/
BEGIN
  DBMS_NETWORK_ACL_ADMIN.assign_acl (
    acl  => 'google.xml',
    host => 'google.com');
END;
/
COMMIT;
Run the following as TEST_USER
SQL> select utl_http.request('google.com') from dual
1 select utl_http.request('google.com') from dual
*
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 1
which suggests that the ACL is the problem, but if I use the tcpportping function
SQL> select tcpportping('google.com',80) from dual
TCPPORTPING('GOOGLE.COM',80)
----------------------------
0
1 row selected
Elapsed time: 00:00:00.424
it works fine. If I try tcpportping with a different host...
SQL> select tcpportping('google.co.uk',80) from dual
1 select tcpportping('google.co.uk',80) from dual
*
ORA-29260: network error: not connected
ORA-06512: at "SYS.UTL_TCP", line 212
ORA-06512: at "SYS.UTL_TCP", line 432
ORA-06512: at "TEST_USER.TCPPORTPING", line 47
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at line 1
which makes me think that the ACL is not the real issue for "select utl_http.request('google.com') from dual", as tcpportping has no ACL problem for that host but does for a (supposedly) different host.
I can run nslookup as the DB o/s user
[oracle@test2 ~]$ nslookup google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: google.com
Address: 173.194.34.98
Name: google.com
Address: 173.194.34.100
Name: google.com
Address: 173.194.34.102
Name: google.com
Address: 173.194.34.99
Name: google.com
Address: 173.194.34.97
Name: google.com
Address: 173.194.34.103
Name: google.com
Address: 173.194.34.104
Name: google.com
Address: 173.194.34.96
Name: google.com
Address: 173.194.34.101
Name: google.com
Address: 173.194.34.110
Name: google.com
Address: 173.194.34.105
and telnet is ok
[oracle@test2 ~]$ telnet google.com 80
Trying 173.194.34.103...
Connected to google.com (173.194.34.103).
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 302 Found
Location: http://www.google.co.uk/?gws_rd=cr&ei=aKlKUvKDH8K80QXM1oGABg
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=636a9a715d3e713a:FF=0:TM=1380624744:LM=1380624744:S=UmAm64le9UZRtDQE; expires=Thu, 01-Oct-2015 10:52:24 GMT; path=/; domain=.google.com
Set-Cookie: NID=67=vydxBJQUOyjK20AY5G_h7yd23MWHY9L1dxCNRTnkwaVilDsEdMViDB9bbkecMILO7U9SBpTQqGpwBR9y0pL1qcdj0Mx_Rdh_Gu0D3KiunmSIV1nrRdV4Q3T3Y4MKDFLz; expires=Wed, 02-Apr-2014 10:52:24 GMT; path=/; domain=.google.com; HttpOnly
P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 01 Oct 2013 10:52:24 GMT
Server: gws
Content-Length: 261
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.uk/?gws_rd=cr&ei=aKlKUvKDH8K80QXM1oGABg">here</A>.
</BODY></HTML>
Connection closed by foreign host.
[oracle@test2 ~]$
So nslookup/ping/telnet as the DB o/s user is ok, UTL_TCP (using the TcpPortPing function) is ok, but UTL_HTTP returns ACL errors?
Help please?
PS - If I run utl_http as user SYS it also fails
SQL> Session [1] SYS@ORACLE_TEST
SQL> select utl_http.request('google.com') from dual
1 select utl_http.request('google.com') from dual
*
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1722
ORA-12543: TNS:destination host unreachable
ORA-06512: at line 1
Hey guys,
Problem solved! Thanks a lot to Billy, thomaso and Anar for the help.
It turns out that the problem was an incorrect Linux http_proxy variable! I could find that by using curl on the Linux command line and sending the trace to a file: "curl --trace-ascii debugdump.txt http://www.google.co.uk". The trace file showed a misuse of the http_proxy variable. Once I unset the variable and restarted the database, everything was fine. Just a shame there wasn't better logging from Oracle; the error message was really a red herring.
*Embarrassed* sorry guys!
See you soon,
Brent
-
Oddity with Active Directory?
Hello
I'm having problems with AD. My environment is a hybrid of Server 2003 with several domain controllers in place. What's happening is that when a user, regardless of the PC operating system, opens a file on a network share, it is impossible to open the folder or list it; they get a partial list of their files. Here's the strange part: if they go through My Computer or the workstation and access their folder via the mapped drive, the complete listing appears (sometimes the PC must be restarted after performing the "fix"). Then, when the user goes to open a file via Office or a shortcut, the complete listing appears, or in the case of a shortcut the file opens. Also, before doing the fix mentioned, databases (SQL and proprietary) do not work. The PC operating systems are mostly XP and Windows 7. The PC behaves as if it is not connected to the network, even though it is, because the user can use mail and the Internet. Is it perhaps an ACL problem or something else? In 18 years I've never seen this type of network/PC behavior...
Any help or an explanation of what is going on would be very much appreciated.
This issue is beyond the scope of this site (which is for consumers) and, to be sure you get the best (and fastest) reply, we have to ask you to post either on TechNet (for IT Pros) or MSDN (for developers).
Hi all. I have a 5510 I use for l2l ipsec tunnels as well as remote access. I've been looking at this thing so long that I'm goofy.
My l2l tunnel is up and happy. Hosts can talk to each other.
My RA is happy in that I can connect with a vpn client. Unfortunately, I can't access anything other than the ASA itself when I am connected. I can't ping the inside host.
I need to be able to access the host 10.0.5.10/26 behind the inside interface, which is 10.0.5.1/26. I have attached the config.
Can anyone see some glaring problems? I think it's likely an ACL problem; I'm kind of new to this kind of thing and I don't know if I'm doing things right.
One thing I noticed is that when I check my ipconfig after connecting to the vpn, I get this...
IP address: 10.0.5.20
Subnet mask: 255.255.255.192
Default gateway: 10.0.5.20
This seems like a strange gateway...
Thank you!
Add...
isakmp nat-traversal
In addition, change your vpn client pool to another subnet. It should not be on the same subnet as your inside.
ip local pool gsa 10.0.6.0-10.0.6.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.5.0 255.255.255.192 10.0.6.0 255.255.255.0
Please rate helpful posts.
-
Hi all
I have two firewalls that I'm trying to set up an l2l VPN between. One of them is an old SonicWALL and the other a 5505.
I've put everything in, phase 1/2 complete and the tunnel comes up, however no traffic passes through.
Here is my configuration
ASA (outside 192.168.30.1), ASA internal 192.168.10.0/25
SonicWALL (outside 192.168.30.2), SonicWALL internal 192.168.20.0/24
I have an access-list configured on the ASA and applied to the crypto map using crypto map XXXX 1 match address YYY
However, when I watch the debugging messages on the console it says: "cannot locate egress interface for UDP from XXXX:192.168.10.10/1 to 192.178.20.1/0"
Any ideas why this is?
Do I just need a static route to say all traffic on the ASA with source 192...10.0 should go through 192.168.30.2?
I guess that's the crypto map's job.
Am I wrong?
Hello
It's starting to seem to me that you have a VPN filter ACL configured for your L2L VPN, and that the VPN filter ACL and the crypto ACL are the same thing, which means you use a single ACL for both.
Why I think it's like this is the fact that you say your L2L VPN traffic passes the "packet-tracer" VPN phase, meaning the L2L VPN crypto ACL was correct. At the same time you say that the connection was stopped at the VPN USER phase. That points to a VPN filter ACL being configured.
In view of the above, I also know that the filter ACL for the L2L VPN behaves with a different logic than a typical interface ACL. In an L2L VPN the filter ACL ALWAYS mentions the remote network as the source and your local network as the destination.
If you add an ACL rule with the networks switched around, it appears this fixes the VPN filter ACL problems and finally permits the traffic. Naturally I can only guess, as I have not seen the actual configurations at this point (which, usually together with "packet-tracer" output, helps solve a problem faster than just guessing).
If you indeed have a VPN filter, you may be able to track it down with the following commands
show run tunnel-group
Check if a "group-policy" is defined, then the command
show run group-policy
This output should list the VPN filter ACL name if it's in use.
Regarding the automatic route installation: the default setting on the ASA is that it will NOT create static routes automatically based on the VPN configurations. This must be enabled manually in the "crypto map" configuration, or you can configure static routes manually.
The ASA tracks TCP and UDP connections by default. ICMP is only inspected if its inspection is enabled. By default it is NOT inspected.
Hope this helps
Remember to mark a reply as the answer if it answered your question.
Feel free to ask more if necessary.
-Jouni
-
Spoke to spoke (Vigor to Cisco) routing
Hi all
I have a problem with my config; it's a hub and spoke configuration with 7 spokes. The hub network address is 192.168.6.0.
I want the spoke sites to communicate with the other spokes through the hub. The spoke sites are Vigor routers and the hub is a Cisco 1842; the routing table is present on the Vigors. I assume it's an ACL problem, but I've spent the last 3 hours trying to figure this one out and got nowhere, can anyone help?
I also have NAT for ports 80 and 443 which works fine from outside the local network, but doesn't work from inside? Anyone got any suggestions?
Thank you
Mark
192.168.6.0 HUB
192.168.18.0 SPOKE
192.168.23.0 SPOKE
192.168.28.0 SPOKE
192.168.48.0 SPOKE
192.168.78.0 SPOKE
192.168.88.0 SPOKE
192.168.108.0 SPOKE
10.0.0.0 SPOKE
Current configuration : 4558 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.XX.x.2
ip name-server 195.xxx.xxx.10
!
!
crypto pki trustpoint TP-self-signed-692553461
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-692553461
 revocation-check none
 rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
 certificate self-signed 01
  308201A5 A0030201 02020101 3082023C 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36393235 35333436 31301E17 0D313031 31323530 39353934
  315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3639 32353533
  34363130 819F300D 06092A86 4886F70D 01010105 0003818D 00308xxx 02818100
  BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
  B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
  20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
  FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
  11040A30 08820642 5552544F 4E301F06 03551D23 04183016 8014645E 3FDE4E90
  A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
  77358081 EE4217F4 82123899 3A300D06 092A8648 86F70D01 01040500 03818100
  914EE910 C1EFCDB3 2C3B277B 45E4149F B8A78E94 94D6558F 7A1D5B45 D057DC02
  1FCF0C28 5B29728B 9480E807 D7E7DF9E 751DD005 E108D94B 6B3FC03B 8EB1603B
  9AF1E4CA 49067084 5B906C74 4D07217A 13FD0113 B721068A 3EC6C990 54101B4B
  FC9860E4 3xxxB064 586EC91D EF7C5A8F 8BBF33C6 29BCF148 A7E2B987 F2A028F8
  quit
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-COMPRESSION esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-COMPRESSION esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp esp-sha-hmac
crypto ipsec transform-set this_should_work esp esp-sha-hmac
!
crypto map VPN-MAP-1 10 ipsec-isakmp
 set peer 77.xxx.xxx.176
 set transform-set this_should_work
 match address stores
!
crypto map VPN-MAP-1 11 ipsec-isakmp
 set peer 85.xxx.xxx.85
 set transform-set this_should_work
 match address dalby
!
crypto map VPN-MAP-1 12 ipsec-isakmp
 set peer 85.xxx.xxx.9
 set transform-set this_should_work
 match address braintree
!
crypto map VPN-MAP-1 13 ipsec-isakmp
 set peer 85.xxx.xxx.81
 set transform-set this_should_work
 match address corby
!
crypto map VPN-MAP-1 14 ipsec-isakmp
 set peer 85.xxx.xxx.228
 set transform-set this_should_work
 match address glasgow
!
crypto map VPN-MAP-1 15 ipsec-isakmp
 set peer 85.xxx.xxx.153
 set transform-set this_should_work
 match address hadleigh
!
crypto map VPN-MAP-1 16 ipsec-isakmp
 set peer 85.xxx.xxx.10
 set transform-set this_should_work
 match address northwich
!
crypto map VPN-MAP-1 17 ipsec-isakmp
 set peer 85.xxx.xxx.61
 set transform-set this_should_work
 match address wycombe
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.6.40 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp reliable-link
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxx
 ppp ipcp dns request
 ppp link reorders
 ppp multilink
 ppp multilink sliding 16 mru
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink multiclass
 crypto map VPN-MAP-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended corby
 permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
 permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
 permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
ip access-list extended hadleigh
 permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended stores
 permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended dalby
 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
 permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended braintree
 permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended internet-inbound-ACL
 permit udp any host 77.xxx.xxx.176 eq isakmp
 permit esp any host 77.xxx.xxx.176
 permit udp any host 85.xxx.xxx.85 eq isakmp
 permit esp any host 85.xxx.xxx.85
 permit udp any host 85.xxx.xxx.9 eq isakmp
 permit esp any host 85.xxx.xxx.9
 permit udp any host 85.xxx.xxx.81 eq isakmp
 permit esp any host 85.xxx.xxx.81
 permit udp any host 85.xxx.xxx.228 eq isakmp
 permit esp any host 85.xxx.xxx.228
 permit udp any host 85.xxx.xxx.153 eq isakmp
 permit esp any host 85.xxx.xxx.153
 permit udp any host 85.xxx.xxx.10 eq isakmp
 permit esp any host 85.xxx.xxx.10
 permit udp any host 85.xxx.xxx.61 eq isakmp
 permit esp any host 85.xxx.xxx.61
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxxxxxxxx
 login
!
sche
duler allocate 20000 1000
end
Also check this important information on Vigor handling of IPsec SAs.
https://supportforums.Cisco.com/thread/257320?decorator=print&displayFullThread=true
Manish
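As an added check (not part of Mark's post or Manish's reply), the following Python loads the eight crypto ACLs and access-list 100 exactly as they appear in the config above and reports, for a given source/destination pair, which crypto map entry selects the flow as interesting traffic and whether the NAT list would hand it to the overload translation. The parser, the classify helper and the sample host addresses are constructed for this example; the subnet pairs are the posted ones.

```python
# Added example (not from the post or the reply): coverage check of the hub's
# crypto ACLs and NAT ACL 100 against sample flows. Subnets are the posted
# ones; the host addresses used in the samples are constructed.
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: 1 bits are 'don't care', 0 bits must equal base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _addr_spec(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_extended_ip(text: str) -> list:
    """Parse 'permit|deny ip <src> <dst>' entries in numbered
    ('access-list 100 ...') or named (' permit ip ...') form."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":            # skip a named-ACL header line
            continue
        if tok[0] == "access-list":              # numbered form: drop 'access-list <n>'
            tok = tok[2:]
        action, proto = tok[0], tok[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, src_wc, i = _addr_spec(tok, 2)
        dst, dst_wc, _ = _addr_spec(tok, i)
        entries.append(Ace(action, src, src_wc, dst, dst_wc))
    return entries


def evaluate(entries: list, src: str, dst: str) -> str:
    """First entry whose source and destination both match wins; else implicit deny."""
    for ace in entries:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


HUB = "192.168.6.0 0.0.0.255"
# Crypto ACLs as posted: each one covers hub <-> one spoke only.
CRYPTO_ACLS = {
    name: parse_extended_ip(f"permit ip {HUB} {spoke} 0.0.0.255")
    for name, spoke in {
        "corby": "192.168.18.0", "northwich": "192.168.23.0", "wycombe": "192.168.28.0",
        "hadleigh": "192.168.48.0", "stores": "192.168.78.0", "dalby": "192.168.88.0",
        "glasgow": "192.168.108.0", "braintree": "10.0.0.0",
    }.items()
}

# access-list 100 as posted: exempt hub->spoke from NAT, translate the rest of the hub LAN.
NAT_ACL_100 = parse_extended_ip("""
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
""")


def classify(src: str, dst: str):
    """(name of the crypto ACL that selects the flow, or None; True if list 100 would NAT it)."""
    interesting = next((n for n, aces in CRYPTO_ACLS.items() if evaluate(aces, src, dst) == "permit"), None)
    natted = evaluate(NAT_ACL_100, src, dst) == "permit"
    return interesting, natted


if __name__ == "__main__":
    for src, dst in (("192.168.6.10", "192.168.18.10"), ("192.168.6.10", "8.8.8.8"),
                     ("192.168.18.10", "192.168.23.10")):
        print(f"{src} -> {dst}: crypto={classify(src, dst)[0]} nat={classify(src, dst)[1]}")
```

Hub-to-spoke pairs (192.168.6.x to 192.168.18.x, for instance) land on one crypto ACL and are excluded from NAT by the matching deny in list 100, which is the pairing a working hub-to-spoke tunnel needs. A spoke-to-spoke pair such as 192.168.18.x to 192.168.23.x matches no crypto ACL and no entry of list 100 at all, and the check makes that gap visible when the posted lists are compared with the spoke-to-spoke traffic the post wants to carry.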
-
VPN client access to native VLAN only
I have a 2811 router (config below) with VPN set up. I can connect through the VPN and access devices on the native VLAN, but I can't access the 10.77.5.0 (VLAN 5) network (I don't access the 10.77.10.0 network - VLAN 10). This issue has been plaguing me for quite a while. I think it's a NAT or ACL problem, but if someone could help me I would be grateful. The VPN client IP pool is 192.168.77.1 - 192.168.77.10. Thanks for looking!
Current configuration: 5490 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2811-Edge
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.77.5.1 10.77.5.49
ip dhcp excluded-address 10.77.10.1 10.77.10.49
!
ip dhcp pool Lab-network
 import all
 network 10.77.5.0 255.255.255.0
 default-router 10.77.5.1
!
ip dhcp pool comments
 import all
 network 10.77.10.0 255.255.255.0
 default-router 10.77.10.1
!
ip domain name HoogyNet.net
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp client configuration group HomeVPN
 key XXXX
 domain HoogyNet.net
 pool VPN_Pool
 acl vpn
 save-password
 max-users 2
 max-logins 2
crypto isakmp profile HomeVPN
 match identity group HomeVPN
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
!
crypto dynamic-map vpnclient 10
 set transform-set vpn
 set isakmp-profile HomeVPN
 reverse-route
!
crypto map vpn 65535 ipsec-isakmp dynamic vpnclient
!
username XXXX privilege 15 secret 5 XXXX
username XXXX privilege 15 secret 5 XXXX
archive
 log config
  hidekeys
!
ip ssh port XXXX rotary 1
!
interface Loopback0
 ip address 172.17.1.10 255.255.255.248
!
interface FastEthernet0/0
 ip address dhcp
 ip access-group INBOUND in
 ip nat outside
 ip inspect FW out
 no ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.77.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 10.77.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.77.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
router rip
 version 2
 network 10.0.0.0
 network 172.17.0.0
 network 192.168.77.0
 no auto-summary
!
ip local pool VPN_Pool 192.168.77.1 192.168.77.10
no ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended INBOUND
 permit tcp any any eq 2277 log
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any any established
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit udp any eq domain any
 permit udp any eq bootps any eq bootpc
ip access-list extended NAT
 permit ip 10.77.5.0 0.0.0.255 any
 permit ip 10.77.10.0 0.0.0.255 any
 permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended vpn
 permit ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255
 permit ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
!
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.77.5.1 eq bootps
access-list 100 permit udp 10.77.10.0 0.0.0.255 eq bootpc host 10.77.5.1 eq bootps
access-list 100 deny tcp 10.77.10.0 0.0.0.255 any eq telnet
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.5.0 0.0.0.255
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.1.0 0.0.0.255
access-list 100 permit ip any any
!
control-plane
!
line con 0
 session-timeout 30
 password 7 XXXX
line aux 0
line vty 0 4
 rotary 1
 transport input telnet ssh
line vty 5 15
 rotary 1
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn cef
!
end
If you mean that after the NAT rules I proposed you lost the connection to the native VLAN, then yes, it's because the native VLAN subnet was not included in that ACL with a deny statement. So the ACL should look like this:
ip access-list extended NAT
 deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
 deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255 //This one was missing
 permit ip any any
In addition, if you want to go through the tunnel from another inside subnet not listed above, then you should include that subnet in the NAT exemption with a deny statement as well.
-
AnyConnect VPN access from inside
Hello
I have an ASA 5540 + SSM-40 on which I have configured webvpn, and it is listening for connections on the outside interface.
It is accessible from the outside (internet) and works just fine. The problem is, I want to access it from the inside network as well, but it does not work. I can't ping or connect in any way to the IP address of the outside interface from the inside (so I guess it is not strictly tied to the webvpn configuration).
I don't think it's an ACL problem, because the only ACL filtering I do is on OUTSIDE / inside (towards the internet); the rest are set to permit any.
Can someone please tell me what I need to do to be able to reach the IP address of the outside interface from the network behind the inside interface?
Thank you
Yes, you can
Under the webvpn configuration, just "enable inside" as well.
-
I have a problem with an ACL. I have FTP forwarded by PAT to an internal server on my border router. I have a pretty extensive ACL that denies the spider servers and some ranges I know to be spam senders. The problem is FTP. When the ACL is applied to my external interface (fa0/1) I cannot connect via FTP. When I remove the access-group, I can connect to FTP a-okay. When the ACL is applied all my other services work fine (http on port 1337, ssh, PPTP, IRC and teamspeak - 9987 UDP). Here is my config. Any help will be highly appreciated:
Building configuration...
Current configuration: 6674 bytes
!
! Last configuration change at 11:07:17 PST Sun Dec 30 2012 by admin
! NVRAM config last updated at 19:12:53 PST Sun Dec 30 2012 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 *
!
no aaa new-model
clock timezone PST -8
clock summer-time CDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip domain name **.net
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin secret 5 *
!
interface FastEthernet0/0
 description Main Switch Port
 ip address 172.16.0.254 255.255.255.252
 ip nat inside
 no ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description Internet Port
 ip address dhcp
 ip access-group WANACL in
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
router ospf 100
 log-adjacency-changes
 passive-interface FastEthernet0/1
 network 172.16.0.252 0.0.0.3 area 0
 default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.50.0.250 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 10.20.0.200 22 interface FastEthernet0/1 22
ip nat inside source static tcp 10.20.0.100 6667 interface FastEthernet0/1 6667
ip nat inside source static tcp 10.20.0.200 80 interface FastEthernet0/1 1337
ip nat inside source static udp 10.20.0.100 9987 interface FastEthernet0/1 9987
ip nat inside source static tcp 10.20.0.250 21 interface FastEthernet0/1 21
ip nat inside source static tcp 10.20.0.250 20 interface FastEthernet0/1 20
!
ip access-list extended WANACL
 remark *** Permit established connections ***
 permit tcp any any established
 remark *** Deny forbidden ranges immediately ***
 ----------------------------------------------------
 *** forbidden ranges removed from the post ***
 ----------------------------------------------------
 remark *** Deny spiders ***
 ----------------------------------------------
 *** spider ranges removed from the post ***
 -----------------------------------------------
 remark *** Permit DHCP ***
 permit udp any any eq bootpc
 remark *** Permit specific ICMP ***
 permit icmp any any echo-reply
 remark *** Deny bogon ranges ***
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark *** Permit all UDP traffic ***
 permit udp any any
 remark *** Permit NAT services (logged to SNMP) ***
 permit tcp any any eq ftp log
 permit tcp any any eq 1723
 permit tcp any any eq ftp-data log
 permit tcp any any eq 22 log
 permit tcp any any eq 6667 log
 permit gre any any
 permit udp any any eq 9987 log
 permit tcp any any eq 1337
 deny ip any any
!
logging 10.50.0.250
access-list 101 permit ip any any
!
control-plane
!
gatekeeper
 shutdown
!
banner exec ^C
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized use is suspected.
^C
banner login ^C
*************************************************************
WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS FORBIDDEN
This device is a private network device. Access to this device is
not allowed. Any unauthorized access attempt will be logged
and appropriate legal action will be taken.
*************************************************************
^C
!
line con 0
 password 7 *************************************
 logging synchronous
 login local
line aux 0
 password 7 *************************************
 logging synchronous
 login local
line vty 0 4
 password 7 *************************************
 logging synchronous
 login local
 length 0
 transport preferred ssh
line vty 5 15
 password 7 *************************************
 logging synchronous
 login
 transport preferred ssh
!
ntp clock-period 17180466
ntp server 184.105.192.247
!
end
Is your FTP server active or passive?
The ACL will change accordingly. Try to capture a successful FTP transaction with Wireshark and analyze the source and destination ports.
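As an added example (not code from either thread), the script below is a small first-match evaluator for the IOS extended-ACL syntax used in the posts above. It replays two things: the NAT list from the 2811 post, before and after the exemption lines proposed in the reply, and the WANACL from the R1 post (its non-TCP service lines left out) against inbound FTP packets in active and passive mode. The client address 198.51.100.7, the WAN address 192.0.2.1 and all port numbers are constructed; ICMP types, static PAT and the crypto map itself are not modelled, beyond the fact that a permit in the NAT list means the packet is translated before the crypto map sees it.

```python
"""First-match evaluator for Cisco IOS extended ACL syntax (added example, not
from the original posts). Replays the NAT list from the 2811 post and the WANACL
from the R1 post; packets are constructed, 192.0.2.1 / 198.51.100.7 are assumed."""
import ipaddress

# Port names used in the posted ACLs, resolved to IOS defaults.
NAMED_PORTS = {"ftp": 21, "ftp-data": 20, "telnet": 23, "bootps": 67,
               "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # (network, wildcard): a set wildcard bit means "don't care"

def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _port(tok, i):
    """Consume an optional 'eq PORT'; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), i + 2
    return None, i

def parse_acl(text):
    """Parse ACL entries (remarks skipped, 'log' ignored) into ordered rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, i = _addr(tok, 2)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport, "established" in tok[i:], line.strip()))
    return rules

def _in(addr, spec):
    net, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(rules, pkt):
    """Return (action, matched line); no match is a deny, exactly as on IOS."""
    for action, proto, src, sport, dst, dport, est, line in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_in(pkt["src"], src) and _in(pkt["dst"], dst)):
            continue
        if sport is not None and pkt.get("sport") != sport:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        if est and not pkt.get("ack"):  # 'established' needs ACK (or RST) set
            continue
        return action, line
    return "deny", "(implicit deny ip any any)"

# 1) NAT list from the 2811 post, before and after the reply's exemption lines.
NAT_BEFORE = """
permit ip 10.77.5.0 0.0.0.255 any
permit ip 10.77.10.0 0.0.0.255 any
permit ip 192.168.77.0 0.0.0.255 any
"""
NAT_AFTER = """
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255
permit ip any any
"""

def nat_demo():
    """A permit here means the packet is translated to the outside address before
    the crypto map sees it, so it no longer matches the 'vpn' crypto ACL."""
    flows = {
        "vlan5->vpnclient": {"proto": "ip", "src": "10.77.5.10", "dst": "192.168.77.2"},
        "native->vpnclient": {"proto": "ip", "src": "10.77.1.10", "dst": "192.168.77.2"},
        "vlan5->internet": {"proto": "ip", "src": "10.77.5.10", "dst": "203.0.113.5"},
    }
    before, after = parse_acl(NAT_BEFORE), parse_acl(NAT_AFTER)
    return {n: (evaluate(before, p)[0], evaluate(after, p)[0]) for n, p in flows.items()}

# 2) WANACL from the R1 post, TCP-relevant lines only, applied inbound on fa0/1.
WANACL = """
permit tcp any any established
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit tcp any any eq ftp log
permit tcp any any eq ftp-data log
deny ip any any
"""

def ftp_demo():
    """Inbound FTP packets from a client; only SYN-ACK/ACK packets carry ack=True."""
    client, wan = "198.51.100.7", "192.0.2.1"
    pkts = {
        "control SYN to 21": {"proto": "tcp", "src": client, "sport": 51000, "dst": wan, "dport": 21},
        "active data ACK to 20": {"proto": "tcp", "src": client, "sport": 51001, "dst": wan, "dport": 20, "ack": True},
        "passive data SYN to 55123": {"proto": "tcp", "src": client, "sport": 51002, "dst": wan, "dport": 55123},
        "rfc1918 source with ACK": {"proto": "tcp", "src": "10.1.2.3", "sport": 1234, "dst": wan, "dport": 80, "ack": True},
    }
    rules = parse_acl(WANACL)
    return {n: evaluate(rules, p) for n, p in pkts.items()}

if __name__ == "__main__":
    for n, (before, after) in nat_demo().items():
        print(f"NAT {n:20} before={before:6} after={after}")
    for n, (act, line) in ftp_demo().items():
        print(f"WANACL {n:26} {act:6} via: {line}")
```

Two things the output makes visible that the configs alone do not: in the original NAT list, VLAN 5 to the VPN pool is a permit (so it is translated and never matches the `vpn` crypto ACL) while the native VLAN falls through to the implicit deny, which is exactly why only the native VLAN was reachable through the tunnel; and in WANACL a passive-mode data connection to a random high port hits the final deny, while the `established` line placed before the bogon denies also admits ACK-flagged packets from RFC 1918 sources, so those denies belong above it.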