ACLs on Cisco router - block outside traffic, allow all inside

Hello

I am creating an ACL on the Cisco router that will allow all traffic out to the Internet and not allow specific traffic from the Internet inside.

This is what I have configured and applied on the interface of the router connected to the ISP:

10 permit icmp any any (411 matches)
20 permit tcp host <my public IP address> any eq 3389 (46400 matches)
30 permit tcp host <my public IP address> any eq 22 (9185 matches)
40 permit ip host <my public IP address> any (3207 matches)
50 permit tcp any any eq smtp (11 matches)
60 permit tcp any any eq www (56 matches)
70 permit tcp any any eq 443 (29 matches)
80 permit tcp any any eq domain (5 matches)
81 permit udp any any eq domain (7 matches)
82 permit udp any eq domain any (10564 matches)
83 permit tcp any eq domain any (10 matches)
90 permit udp any any eq ntp (13317 matches)
95 permit tcp 192.168.0.0 0.0.0.255 any
interface Dialer1
ip access-group 101 in

So I can connect from my public IP to the customer's LAN via RDP and SSH (which is OK), but the client's users cannot access the Internet (which is not OK)!

Users are all in the same VLAN. PAT between the VLAN interface and the outside interface (Dialer 1).

There is no other ACL on the router except for PAT.

What am I missing here?

Thank you.

Is that why 192.168.0.0/24 is present in ACL 101? What is the remote subnet that you connect to on port 3389?

If your inside local subnet is a class C, it must be your outside global address that you want to add to ACL 101.

Better yet, run an IPSec tunnel between the sites.
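Added illustration, not code from the thread: a Python model of first-match evaluation for the inbound ACL on Dialer1. On IOS the inbound ACL of an `ip nat outside` interface is checked before NAT untranslation, so a reply coming back to a PAT'ed LAN user arrives with the router's global address as destination and an Internet host as source; line 95 (source 192.168.0.0/24) can never match there, which is why DNS replies get in through line 82 but TCP replies to ephemeral ports hit the implicit deny. `ADMIN_IP`, `ROUTER_GLOBAL` and the packet addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Model of first-match evaluation for an inbound IOS extended ACL on a NAT-outside interface."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders (RFC 5737 documentation ranges), not addresses from the thread.
ADMIN_IP = "203.0.113.10"        # the admin's public IP that RDP/SSH sessions come from
ROUTER_GLOBAL = "198.51.100.1"   # Dialer1 global address that LAN users are PATed to


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set; this is all that 'established' tests


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (IOS wildcard)
    dst: str
    sport: Optional[int] = None     # "eq" on the source port (e.g. "any eq domain any")
    dport: Optional[int] = None     # "eq" on the destination port
    established: bool = False


def addr_matches(spec: str, addr: str) -> bool:
    """IOS address/wildcard matching: wildcard 0-bits must match, 1-bits are ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    if ace.established and not pkt.ack:
        return False
    return True


def evaluate(acl: list[Ace], pkt: Packet) -> tuple[str, Optional[int]]:
    """First matching ACE wins; no match means the implicit deny at the end (seq None)."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# Relevant subset of the thread's ACL 101, applied "in" on Dialer1.
ORIGINAL_ACL = [
    Ace(10, "permit", "icmp", "any", "any"),
    Ace(20, "permit", "tcp", f"host {ADMIN_IP}", "any", dport=3389),
    Ace(30, "permit", "tcp", f"host {ADMIN_IP}", "any", dport=22),
    Ace(40, "permit", "ip", f"host {ADMIN_IP}", "any"),
    Ace(60, "permit", "tcp", "any", "any", dport=80),
    Ace(82, "permit", "udp", "any", "any", sport=53),           # DNS replies do get in
    Ace(95, "permit", "tcp", "192.168.0.0 0.0.0.255", "any"),   # never seen inbound on Dialer1
]

# Stateless repair: admit TCP replies addressed to the router's global address.
# A reflexive ACL or CBAC/ZBF "inspect" is the stateful alternative and also covers UDP.
FIXED_ACL = ORIGINAL_ACL[:-1] + [
    Ace(95, "permit", "tcp", "any", f"host {ROUTER_GLOBAL}", established=True),
]

# Constructed packets as the inbound ACL sees them (before NAT untranslation).
RDP_FROM_ADMIN = Packet("tcp", ADMIN_IP, ROUTER_GLOBAL, 51000, 3389)
HTTP_REPLY_TO_LAN_USER = Packet("tcp", "192.0.2.80", ROUTER_GLOBAL, 80, 40000, ack=True)
DNS_REPLY_TO_LAN_USER = Packet("udp", "192.0.2.53", ROUTER_GLOBAL, 53, 40001)
UNSOLICITED_SYN = Packet("tcp", "192.0.2.80", ROUTER_GLOBAL, 4444, 445)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for pkt in (RDP_FROM_ADMIN, HTTP_REPLY_TO_LAN_USER, DNS_REPLY_TO_LAN_USER, UNSOLICITED_SYN):
            print(name, pkt.proto, f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}", evaluate(acl, pkt))
```

`established` only checks the TCP ACK/RST bits and does nothing for UDP; a reflexive ACL or `ip inspect` tracks the outbound session instead.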

Tags: Cisco Security

Similar Questions

  • Cisco router - access the outside interface IP from the local network

    Hi all!

    I have a Cisco 892 router (c890-universalk9-mz.154-3.M4.bin) with zone-based firewall and policy-based routing.

    Everything works fine, but now I need to be able to access the external router interface IP from LAN addresses.

    For example, I PAT 192.168.4.1 port 8443 to the outside interface IP (93.93.93.2 for example) and I need to reach 93.93.93.2:8443 from the LAN.

    ! PAT:

    ip nat inside source static tcp 192.168.4.1 8443 93.93.93.1 8443 route-map SDM_RMAP_1 extendable

    ! DynNat to the internet:

    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

    ! Routing policy

    route-map SDM_RMAP_1 permit 10
    match ip address 101
    match interface GigabitEthernet0

    ! ACL 101 for routing policy

    access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
    access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
    access-list 101 permit ip 192.168.3.0 0.0.0.255 any
    access-list 101 permit ip 192.168.4.0 0.0.0.255 any

    ! ACL on the external interface:

    ip access-list extended gi0-in
    permit ip any any
    permit icmp any any

    ! External interface

    interface GigabitEthernet0
    description $ETH-WAN$
    ip address 93.93.93.1 255.255.255.240
    ip access-group gi0-in in
    ip nat outside
    ip virtual-reassembly in
    zone-member security WAN
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    crypto map SDM_CMAP_2

    ! Inside DMZ interface vlan:

    interface Vlan4
    ip address 192.168.4.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security DMZ
    ip tcp adjust-mss 1452

    ! Allow outbound traffic to DMZ to Internet:

    ip access-list extended Allow_All_ACL-DMZ
    permit esp any any
    permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
    deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
    permit icmp 192.168.4.0 0.0.0.255 any
    permit ip 192.168.4.0 0.0.0.255 any

    ! Allow incoming traffic from the Internet to DMZ:

    ip access-list extended WAN_DMZ_ACL
    permit tcp any any established
    permit tcp any any eq ftp
    permit tcp any any eq 990
    permit tcp any any range 51000 53000
    permit tcp any any eq 995
    permit tcp any any eq 465
    permit tcp any any eq www
    permit tcp any any eq 443
    permit icmp any any
    permit esp any any
    permit udp any any eq non500-isakmp
    permit ip host 212.98.162.139 192.168.4.0 0.0.0.255
    permit ip 81.30.80.0 0.0.0.255 any
    permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip host 172.16.194.100 192.168.4.0 0.0.0.255
    permit ip host 172.31.255.1 192.168.4.0 0.0.0.255
    permit ip host 172.31.255.1 host 172.17.193.100
    deny ip any any

    ! Focus on the area of firewall:

    class-map type inspect match-any DMZ_WAN_CLASS
    match access-group name Allow_All_ACL-DMZ

    class-map type inspect match-any WAN_DMZ_CLASS
    match access-group name WAN_DMZ_ACL

    policy-map type inspect DMZ_WAN_POLICY
    class type inspect DMZ_WAN_CLASS
    inspect
    class class-default
    drop

    policy-map type inspect WAN_DMZ_POLICY
    class type inspect WAN_DMZ_CLASS
    inspect
    class class-default
    drop

    zone security DMZ

    zone security WAN

    zone-pair security WAN_DMZ source WAN destination DMZ
    service-policy type inspect WAN_DMZ_POLICY
    zone-pair security DMZ_WAN source DMZ destination WAN
    service-policy type inspect DMZ_WAN_POLICY

    Maybe someone can help me get the Cisco to allow reaching the outside ports from the LAN using NAT?

    I did this on Mikrotik easily =|

    It is because they do not allow "hairpinning" by default; once this is configured, it will work.

    Martin

  • Blocking ICQ traffic on router 2620

    I needed to block all ICQ traffic going out of my network. I did a search on the Internet and found that ICQ uses two possible port numbers, 4000 and 5190. I configured both of these ports and it seemed to do the trick BUT... I discovered that ICQ can also use HTTP, HTTPS, SOCKS4 and SOCKS5 as transport protocols, and now I would like to know how to block this "extra" ICQ traffic. I thought about:

    1. block TCP traffic on port 80/8080 containing the string "http://login.icq.com".

    2. block ALL outgoing IP traffic to www.icq.com, login.icq.com (they can be resolved through DNS)

    Can someone tell me how I can do the tasks above, especially option 1? Thanks in advance for your help. Are there other options I can use besides the above?

    Your 2620 will be limited in helping to stop this traffic. You could write a custom NBAR module searching the HTTP headers, but that's assuming that they actually have login.icq.com in the HTTP headers. They might not. You will need to check and see.

    Really, ask for content filtering. SurfControl is affordable, does it well and doesn't sit inline with the firewall/router.

    An IDS sensor can do that for you too. You have a rich inspection engine that can find almost anything in a packet, RST, shun/block, etc.

    Blocking IPs is a pain in the neck and ICQ changes/adds them over time.

    A simple and efficient method that works 99% of the time is simply creating a fake icq.com domain on your internal DNS. Since your DNS server thinks it is authoritative, it will not ask the real servers. Therefore, the ICQ clients won't be able to connect unless they point to outside DNS. If you allow only your internal DNS server to use outgoing UDP/53, it requires users to understand that it's a DNS issue, get the name and the IP needed and put them in the local hosts file. Of course, users should not have admin access to edit the hosts file. Of course, they also should not have admin access to install the ICQ software either... It's a tough battle. ;)

  • L2TP/IPsec passthrough on a Cisco router firewall

    Hello! I have the following problem.

    External network users wish to connect to the internal Windows 2012 network and share resources (start software, files, etc.)

    So it's time to deploy a VPN server, and as I did not have a free license to run it on my Windows 2012, I decided to use my QNAP for it (because it has this built-in feature). So I chose L2TP/IPsec and tested it in the lab at home with a simple TP-Link router with UPnP, and it worked like a charm.

    However, in the real production environment I need to use the Cisco router, and this is where the story begins ;)

    Thus, clients with their machines (Win 7, 8.1, 10) must pass the Cisco router (with NAT) firewall and access the VPN server and the internal network on the QNAP.

    I googled for a sample configuration, but most of them related to configuring the router as a VPN server, and what I want to achieve is to make my router pass VPN traffic. Once I found a similar sample PPTP config, I modified it a bit, but I don't know if it works because I have not yet tested it.

    In any case, could you check my config and see if it's OK? I'm doing a static NAT for the VPN server 192.168.5.253 to the external address?

    Also, here is a short diagram:

    VPN client (Win 7, 8, 10) --- cloud --- Cisco 1921 router --- QNAP VPN server

    xxx.194 (cloud) 5.254 5.253 (internal network)

    test#show run
    Building configuration...

    Current configuration: 3611 bytes
    !
    ! Last configuration change at 19:31:01 UTC Wed May 4 2016
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname test
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret $5
    !
    no aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip dhcp excluded-address 192.168.5.200 192.168.5.254
    ip dhcp excluded-address 192.168.5.1 192.168.5.189
    !
    ip dhcp pool network
    network 192.168.5.0 255.255.255.0
    default-router 192.168.5.254
    domain-name network
    dns-server xxx.x.xxx.244
    !
    !
    !
    ip domain name temp
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    !
    license udi pid CISCO1921/K9 sn xxxxxx
    license boot module c1900 technology-package securityk9
    !
    !
    username abc secret 5
    username cisco privilege 15 password 7
    !
    redundancy
    !
    !
    !
    !
    !
    ip ssh version 2
    !
    class-map type inspect match-any cm_helpdek_protocols
    match protocol http
    match protocol https
    match protocol ssh
    class-map type inspect match-any cm_gre_protocols
    match access-group name GRE
    class-map type inspect match-any cm_icmp
    match access-group name icmp
    class-map type inspect match-all cm_helpdesk
    match access-group name helpdesk
    class-map type inspect match-any inside_to_outside
    match protocol h323
    match protocol pptp
    match protocol ftp
    match protocol tcp
    match protocol udp
    match protocol icmp
    !
    policy-map type inspect pm_outside_to_inside
    class type inspect cm_gre_protocols
    pass
    class type inspect cm_icmp
    inspect
    class type inspect cm_helpdesk
    inspect
    class class-default
    drop log
    policy-map type inspect pm_inside_to_outside
    class type inspect inside_to_outside
    inspect
    class type inspect cm_gre_protocols
    pass
    class class-default
    drop log
    !
    zone security inside
    description inside trusted zone
    zone security outside
    description outside untrusted zone
    zone-pair security zonep_insiede_to_outside source inside destination outside
    service-policy type inspect pm_inside_to_outside
    zone-pair security zonep_outside_to_inside source outside destination inside
    service-policy type inspect pm_outside_to_inside
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    !
    interface GigabitEthernet0/0
    description LAN
    ip address 192.168.5.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security inside
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1
    description WAN CID: xxxxx
    ip address xxx.xxx.xxx.194 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    zone-member security outside
    duplex auto
    speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
    ip nat inside source list 1 pool network overload
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
    !
    ip access-list extended GRE
    remark ACL to allow GRE for PPTP OUTBOUND
    permit gre any any
    permit udp any any eq 1701
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    ip access-list extended helpdesk
    permit ip any host 192.168.5.253
    ip access-list extended icmp
    permit icmp any host 192.168.5.253
    !
    !
    !
    access-list 1 permit 192.168.5.0 0.0.0.255
    !
    control-plane
    !
    !
    !
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport output pad telnet rlogin xxxxx
    stopbits 1
    line vty 0 4
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    Kind regards

    Andrew

    Once the client has connected to the VPN, you want return traffic to flow back to the client. This can easily be achieved with "inspect".

    And from the point of view of the firewall, you do not have ESP traffic (which would be IP/50). You only have UDP traffic (initially UDP/500, which moves to UDP/4500).

    And you are right about your last ACE. That is far too permissive and not necessary for this function.

  • ASA - Tunnel all traffic, allow spokes to communicate with each other

    Well, I hope someone can help me with this headache! Switching from a PIX and a VPN 3005 concentrator at the home office to an ASA5510 for firewall and IPSEC tunnels. It is pretty much a

    • VPN on a stick, multiple spokes.
    • All traffic sent through the tunnel
    • Internet access through the main office (using its web filter)
    • VOIP to VOIP between spokes
    • All branches are using VPN 3005 HW clients or ASA 5505s

    HEADQUARTERS: 10.0.0.0/24

    Spoke 1: 192.168.11.0/24

    Spoke 2: 192.168.12.0/24

    Spoke 3: 192.168.13.0/24

    - continues to 192.168.31.0/24

    With the current configuration, spoke 1 can communicate with all the resources at the home office and the Internet, verified with a tracert. However, the spokes cannot communicate with each other. This is required for VOIP traffic, when spoke-to-spoke calls are made (between sites).

    Logging information when spoke-to-spoke icmp is initiated:

    • No translation group found for icmp src outside:192.168.31.1 dst inside:192.168.11.1 (type 8, code 0)

    If I remove "nat (outside) 1 192.168.0.0 255.255.0.0", the spokes begin to respond to each other, but then the spokes cannot tunnel their Internet traffic through the home office. My brain is scrambled after cramming VPN configurations for days, so I hope someone has an idea. I've always used 3005 concentrators, so it's a little different! Searching for documentation for this configuration, I was surprised that this isn't a more common topology. It seems this article would apply (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml), but there are no spokes in it! In any case, I'm sure this has something to do with the NAT rules and perhaps an access list that needs to allow spoke-to-spoke traffic.

    =============================================

    ASA Version 8.2(1)
    !
    hostname asa5510

    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 97.65.x.x 255.255.255.224

    interface Ethernet0/1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 10.0.0.40 255.255.0.0

    same-security-traffic permit inter-interface

    same-security-traffic permit intra-interface

    object-group network DM_INLINE_NETWORK_1
    network-object 10.0.0.0 255.255.0.0

    network-object 192.168.0.0 255.255.0.0

    access-list sheep extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0

    access-list wccp-servers extended permit ip host 10.0.0.83 any

    access-list Redirect-traffic extended deny ip any object-group DM_INLINE_NETWORK_1

    access-list Redirect-traffic extended permit ip any any

    global (outside) 1 interface
    nat (outside) 1 192.168.0.0 255.255.0.0
    nat (inside) 0 access-list sheep
    nat (inside) 1 10.0.0.0 255.255.0.0

    route outside 0.0.0.0 0.0.0.0 97.65.x.x 1
    route inside 192.168.0.0 255.255.255.0 10.0.0.1 1
    route inside 192.168.2.0 255.255.255.0 10.0.0.1 1
    route inside 192.168.3.0 255.255.255.0 10.0.0.1 1

    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ipsec df-bit clear-df outside

    crypto dynamic-map dynmap 1 set transform-set RIGHT

    crypto map mymap 65535 ipsec-isakmp dynamic dynmap

    crypto map mymap interface outside

    crypto isakmp identity address

    crypto isakmp enable outside

    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    crypto isakmp ipsec-over-tcp port 10000

    management-access inside

    threat-detection basic-threat

    no threat-detection statistics access-list
    no threat-detection statistics tcp-intercept

    wccp web-cache redirect-list Redirect-traffic group-list wccp-servers password xxxxxxx
    wccp 90 redirect-list Redirect-traffic group-list wccp-servers password xxxxxxx

    webvpn

    group-policy MJHIvpn internal

    group-policy MJHIvpn attributes
    wins-server value 10.0.10.1 10.0.10.2
    dns-server value 10.0.10.1 10.0.10.2
    password-storage enable
    split-tunnel-policy tunnelall
    default-domain value mjhi.local
    nem enable

    username field-3002 password SjfS1Pq2xZGxHicx encrypted

    username field-3002 attributes
    vpn-access-hours none
    vpn-simultaneous-logins 250
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-tunnel-protocol IPSec
    password-storage enable
    service-type remote-access

    tunnel-group field type remote-access

    tunnel-group field general-attributes
    default-group-policy MJHIvpn

    tunnel-group field ipsec-attributes
    pre-shared-key *

    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ils
    inspect icmp
    !
    service-policy global_policy global

    Hello Ala,

    It has got to be with the NAT configuration.

    So basically you want to tunnel the traffic for the spokes to communicate with each other.

    OK, it would be done with a nat 0 with an access list matching that traffic on the outside.

    Also in the crypto ACL for each site configuration, you must add an entry for the traffic of the other offices.

    I hope that I have explained myself.

    Have a good one

    Julio

    Rate all useful posts!

  • VPN - Pix 515e for Cisco router

    I have the following setup and I can't seem to get the tunnel up. My end is a PIX 515e running 7.2(4). The other end is a Cisco router - not sure of the model or the IOS version.

    PIX:

    access-list 90 extended permit ip host a.a.a.a host b.b.b.b

    nat (inside) 0 access-list 90

    crypto map mymap 20 match address 90
    crypto map mymap 20 set peer x.x.x.x
    crypto map mymap 20 set transform-set strong
    crypto map mymap interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 8
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key 12345

    Router:


    ip access-list extended SDM_5

    permit ip host b.b.b.b host a.a.a.a

    crypto isakmp key 12345 address y.y.y.y no-xauth

    crypto map SDM_CMAP_1 5 ipsec-isakmp

    description vpn for laboratory

    set peer y.y.y.y

    set transform-set ESP-3DES-SHA

    match address SDM_5

    I'm running the following debugs:

    debug crypto ipsec enabled at level 1
    debug crypto isakmp enabled at level 1

    I get the following debug output:

    Aug 16 04:16:10 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
    Aug 16 04:16:10 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

    sh isa sa

    IKE Peer: x.x.x.x
    Type: user Role: initiator
    Rekey: no State: MM_WAIT_MSG2

    Any ideas?

    Thank you

    Dave

    If you see MM_WAIT_MSG2, that means the peer (the other side) does not answer; this side, where you see the MM_WAIT_MSG2 status, sent the first IKE message but did not hear back from the peer.

    You can check if UDP/500 is blocked on the way between the 2 sites.

    Try initiating traffic from the other side and see if you also get the same MM_WAIT_MSG2 status. If you do, that confirms 100% that UDP/500 is blocked on the way between the 2 sites.

  • VPN between ASA and Cisco router [phase 2 question]

    Hi all

    I have a problem with an IPSEC VPN between an ASA and a Cisco router.

    I think that there is a problem in phase 2.

    Can you please guide me to where the problem could be?
    I suspect ACL issues on the router, but I cannot fix it. The ACL on the router is specified below.

    Looking forward to your help

    Phase 1 looks like this

    Cisco_router#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE

    and ASA

    ASA# sh crypto isakmp sa

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 78.x.x.41
    Type: L2L Role: initiator
    Rekey: no State: MM_ACTIVE

    Phase 2 on ASA

    ASA# sh crypto ipsec sa
    interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

    access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
    local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    current_peer: 78.x.x.41

    #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41

    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: C96393AB

    inbound esp sas:
    spi: 0x3E9D820B (1050509835)
    transform: esp-3des esp-md5-hmac none
    in use settings = {L2L, Tunnel}
    slot: 0, conn_id: 7, crypto-map: Outside_map
    sa timing: remaining key lifetime (kB/sec): (4275000/3025)
    IV size: 8 bytes
    replay detection support: Y
    outbound esp sas:
    spi: 0xC96393AB (3378746283)
    transform: esp-3des esp-md5-hmac none
    in use settings = {L2L, Tunnel}
    slot: 0, conn_id: 7, crypto-map: Outside_map
    sa timing: remaining key lifetime (kB/sec): (4274994/3023)
    IV size: 8 bytes
    replay detection support: Y

    Phase 2 on cisco router

    protected vrf: (none)
    local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
    path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
    current outbound spi: 0x0(0)

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

    protected vrf: (none)
    local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
    path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
    current outbound spi: 0x3E9D820B (1050509835)

    inbound esp sas:
    spi: 0xC96393AB (3378746283)
    transform: esp-3des esp-md5-hmac ,
    in use settings = {Tunnel, }
    conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
    sa timing: remaining key lifetime (k/sec): (4393981/1196)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0x3E9D820B (1050509835)
    transform: esp-3des esp-md5-hmac ,
    in use settings = {Tunnel, }
    conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
    sa timing: remaining key lifetime (k/sec): (4394007/1196)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

    outbound ah sas:

    outbound pcp sas:

    The VPN configuration on the Cisco router is below

    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    route-map sheep permit 10
    match ip address 105

    crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

    crypto map mycryptomap 100 ipsec-isakmp
    set peer 87.x.x.4
    set transform-set mytransformset
    match address 101

    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key xxx2011 address 87.x.x.4

    Your permit statement in ACL 105 should be moved down to the end, because it is the most general ACE and it matches first.

    You currently have:

    Extended IP access list 105
    5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    It should be:

    Extended IP access list 105
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)

    To remove it and add it at the bottom:

    ip access-list extended 105

    no 5

    60 permit ip 172.19.194.0 0.0.0.255 any

    Then "clear ip nat trans".

    and it should work now.

  • ASA - same-security-traffic allowed inter VS permit/deny access-list interface

    Hi people,

    I wonder if I use the same-security-traffic permits inter-interface order to ASA and I have 2 separate interfaces with the same level of security and ACL with a few rules explicit allow , if not covered by these statements to allow traffic will be blocked by implicit deny at the end of the ACL or am I completely wrong in my thinking?

    That is right.

    But if you have one interface with an ACL and another interface without an ACL, and you want to pass traffic between the two interfaces, then the interface without an ACL will rely on the security level, while the interface configured with the ACL will rely on the configured ACL entries.

    --

    Please do not forget to select a correct answer and rate useful posts

  • ACL logging on router for syslog

    I need to monitor on the router which ports a particular host uses towards a destination. I have an ACL as shown below

    permit ip host 10.0.0.1 host 192.168.0.10 log

    permit ip any any

    I have the syslog server configured and I see the log messages on the syslog server, but there is no port information.

    The log message looks like

    "%SEC-6-IPACCESSLOGP: list acl permitted 10.0.0.1(0) -> 192.168.0.10(0), xx packets"

    I need to know which ports host 10.0.0.1 uses to reach the server 192.168.0.10.

    What is the best way to get this information?

    Thank you

    Dominic provides a creative solution. And given the requirements of the original post, it could be a very satisfactory solution.

    But we can also provide an explanation of the problem and a solution for it. The original post shows a very simple access list that permits traffic between a specific pair of hosts and then permits all IP traffic. The access list does not look at the protocol port values at all. And that is the reason the log messages do not have port information. If the access list does not examine the port numbers, the message cannot report port numbers. If you want the log message to include port numbers, then you must examine the port numbers in the access list. This version of the list is slightly more complex, but it will provide the port numbers you want:

    permit udp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

    permit tcp host 10.0.0.1 host 192.168.0.10 range 0 65535 log

    permit ip host 10.0.0.1 host 192.168.0.10 log

    permit ip any any

    HTH

    Rick
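    Added example, not from the thread: a Python parser for the %SEC-6-IPACCESSLOGP lines the router sends to syslog. It extracts protocol and ports per record and flags the records where both ports are 0, which is what the original ACL produces because the matching ACE never inspected the transport header. The sample log lines and the ACL name "acl" are constructed.

```python
# Added example (not from the thread): parse IPACCESSLOGP syslog lines and
# report which ports a host was seen using, skipping records whose ports are 0
# (the ACE was a plain "permit ip ... log" and did not look at the ports).
import re

# Constructed sample messages in the %SEC-6-IPACCESSLOGP shape quoted in the post.
SAMPLE_LOG = """\
Feb 10 10:01:02 rtr1 123: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(0) -> 192.168.0.10(0), 14 packets
Feb 10 10:02:07 rtr1 124: %SEC-6-IPACCESSLOGP: list acl permitted tcp 10.0.0.1(51234) -> 192.168.0.10(443), 9 packets
Feb 10 10:02:09 rtr1 125: %SEC-6-IPACCESSLOGP: list acl permitted udp 10.0.0.1(5060) -> 192.168.0.10(5060), 2 packets
Feb 10 10:03:11 rtr1 126: %SEC-6-IPACCESSLOGP: list acl denied tcp 10.0.0.9(40000) -> 192.168.0.10(22), 1 packet
Feb 10 10:03:12 rtr1 127: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per IPACCESSLOGP line; lines of other message types are ignored."""
    records = []
    for line in text.splitlines():
        m = LOGP.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        # Port 0 on both sides means the ACE did not inspect the transport header,
        # so the record carries no usable port information.
        rec["ports_known"] = not (rec["sport"] == 0 and rec["dport"] == 0)
        records.append(rec)
    return records

def ports_used(records, src, dst):
    """Set of (proto, dport) that src was seen reaching on dst, permitted records only."""
    return {(r["proto"], r["dport"]) for r in records
            if r["src"] == src and r["dst"] == dst
            and r["action"] == "permitted" and r["ports_known"]}

if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    print("records:", len(recs), "without port info:", sum(not r["ports_known"] for r in recs))
    print("10.0.0.1 -> 192.168.0.10 uses:", sorted(ports_used(recs, "10.0.0.1", "192.168.0.10")))
```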

  • Cisco 5525 with outside Internet (Design)

    I have a question of design:

    Currently, we run the internet connection from the provider to the core of our network (via Vlan99). From there it is connected to our firewall via vlan 99...

    This is the flow:

    ISP provider
    Switch stack port G1/0/25: switchport access vlan 99
    Firewall connected to our switch stack via a trunk (trunk allowed vlan 99)
    Firewall G0/7, logical interface type Vlan99, IP subnet x.x.x.x-x.x.x.x.

    Our firewall (Cisco ASA5525) has an interface configured for the connection (Vlan99), with the name outside and our external IP address (logical interface type).

    I would like to move our connection from the core to the firewall (I don't want the internet to run first through the switch, then the firewall).

    Would it be safe to say that I could physically move the connection to the firewall and that is all? The firewall has an outside route 0.0.0.0 0.0.0.0 with the gateway on our firewall interface G0/7.

    Or is there more than meets the eye?

    Sorry for the noob question, but I want to understand this a little better. My feeling says that moving the connection from the core to the firewall would be sufficient, but then again I'm no expert on the firewall.

    Thank you...

    Yes, it's true.

    Your switch's default route points through the firewall's inside interface. No change in this regard.

    The firewall applies the security policy and performs NAT from the network to the public IP address space.

    The firewall's default route points at the ISP interface in front of you. Don't change that either.

    As I noted, if your firewall interface configuration currently has a VLAN on it, that will no longer be necessary, since you will not have a trunk port with VLAN tagging.

  • Launch a VPN from a cisco router on the LAN behind the ASA?

    We currently have an ASA used for site-to-site VPN and AnyConnect VPN. We received a third-party Cisco router that will be used to bring up their own site-to-site VPN from inside our LAN to their local network, through our ASA.

    1. Would NAT traversal need to be enabled on our ASA? 5540(config)#crypto isakmp nat-traversal

    2. Will the ports listed below interfere with the site-to-site VPN and AnyConnect VPN ports?

    SSH

    - allow access from xxxxx on TCP port 22

    ICMP

    - allow access from xxxxx - protocol no. 1

    ISAKMP

    - allow access to xxxxx on UDP port 500, also add UDP 4500 for NAT-T

    ESP

    - allow access to xxxxx - protocol 50

    Certificate port:

    - allow access to xxxxx on TCP port 8080

    NTP port:

    - allow access to xxxxx on UDP port 123

    Hi Michael,

    1-

    NAT-T is only required if one of the sites is behind NAT.

    NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, which provides NAT devices with port information. NAT-T auto-detects any NAT devices and only encapsulates IPsec traffic when necessary. This feature is disabled by default.

    http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/vpn_ike.html#wp1120836

    2-

    ISAKMP

    - allow access to xxxxx on UDP port 500, also add UDP 4500 for NAT-T

    ESP

    - allow access to xxxxx - protocol 50

    The ports above are the ones used for the IPsec VPN; AnyConnect SSL does not use them.

    Let me know.

    Thank you.

    Portu.

    Please rate all posts that you find useful.

    Post edited by: Javier Portuguez

  • Need some advice about the VPN between local Cisco router and remote Watchguard

    Hi all

    I am configuring a Cisco 887 router to VPN to a Watchguard device at the remote site.

    From what I understand, the VPN tunnel is UP. I can ping the remote server on the 192.168.110.0 network, but whenever I try to browse to it from the local server, it won't work.

    I can ping the remote server by IP address from the local server, but not from the Cisco router. Is this working as expected?

    --------------------------------------------------------------------------------------

    R5Router#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA

    dst             src             state          conn-id status

    110.142.127.237 122.3.112.10    QM_IDLE           2045 ACTIVE

    IPv6 Crypto ISAKMP SA

    --------------------------------------------------------------------------------------

    R5Router#sh crypto session

    Crypto session current status

    Interface: Virtual-Access2

    Session status: DOWN

    Peer: 122.3.112.10 port 500

    IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    Interface: Dialer0

    Session status: UP-ACTIVE

    Peer: 122.3.112.10 port 500

    IKEv1 SA: local 110.142.127.237/500 remote 122.3.112.10/500 Active

    IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

    Active SAs: 2, origin: crypto map

    IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0

    Active SAs: 0, origin: crypto map

    Crypto ACL 102 should really contain only 1 line, that is:

    10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255

    and you should have the mirror-image ACL line on the remote end too.

    Pls remove the remaining lines from ACL 102.

    I guess that ACL 101 is the NAT exemption; if it is, pls include "deny ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255" on top of your current "permit" line.

    Clear the tunnels as well as the NAT translation table after the changes above.

  • Is there a way in which I can see if Apple firewall blocks the traffic to a certain IP address?

    Connection to my e-mail domain seems to be blocked by something between my home network (via Apple AirPort) and my mail server at an external service provider. I can connect to it fine through my mobile operator, but not from my home network. This leads me to believe it may have something to do with the Apple firewall blocking traffic to it. Where can I see if this is the case? Other possibilities, or what should I check?

    I agree that it seems the Apple router is blocking the communication (Apple Support says that is not possible, by the way)... but please read this thread for another angle that you may not have thought of:

    Unable to connect to a single site with Airport Extreme

  • Controller of domain and DNS behind RRAS without VPN connected directly to the internet with a Cisco router

    I have a Cisco ME 3400 with a single physical port available for a cable connection.

    The ISP gave me an interface IP address = 89.120.29.89 to act as the gateway for the host IP address, which is 89.120.29.90.

    The host computer is a dual Xeon computer with two NICs, for LAN and WAN.

    Scope: to install a Windows 2008 R2 server between the public and private network.

    Even though I know it's not recommended, I have the DNS role and the Active Directory roles installed on the same computer, the computer above (I do not have enough computers to place the different roles on different computers).

    The desired configuration:

    To have a WS2008R2 with its roles installed behind RRAS: a) without a VPN,

    b) with VPN,

    and to have WAN access for the client computers on the private LAN (Windows 7 OS). (The LAN address pool is 192.168.0.1 - 255.)

    First step: to have internet access in the browser (I use Google Chrome) (without taking DNS and AD into account)

    Network configuration:

    WAN network card, at the top of the binding order in Control Panel / Network and Sharing Center:

    Host IP: 89.120.29.90

    Mask: 255.255.255.252

    Gateway: 89.120.29.89

    DNS: 193.231.100.130, my ISP's name server address.

    OK, I can browse the internet.

    Second step (consider DNS and Active Directory):

    DNS role installed on this computer.

    AD installed as a global catalog.

    Server WAN NIC, directly connected to the Cisco router:

    Local Area Connection 3

    Properties:

    Client for Microsoft Networks: unchecked

    Network Load Balancing: unchecked

    File and Printer Sharing: unchecked

    QoS Packet Scheduler: unchecked

    Microsoft Network Monitor 3 Driver: unchecked

    IPv4: checked

    Link-Layer Topology Discovery Mapper I/O Driver: checked

    Link-Layer Topology Discovery Responder: checked

    IPv4 tab

    Host IP: 89.120.29.90

    Mask: 255.255.255.252

    Gateway: 89.120.29.89

    DNS: 193.231.100.130, my ISP's name server address.

    under the Advanced tab

    IP settings: same as the IPv4 tab, with automatic metric checked;

    DNS tab:

    Append primary and connection specific DNS suffixes: unchecked

    Append parent suffixes of the primary DNS suffix: unchecked

    Append these DNS suffixes: none

    Register this connection's addresses in DNS: unchecked;

    Use this connection's DNS suffix in DNS registration: unchecked;

    WINS tab: enable LMHOSTS lookup: unchecked

    Enable NetBIOS over TCP/IP: unchecked;

    Disable NetBIOS over TCP/IP: checked;

    Local Area Connection 2

    Properties:

    Client for Microsoft Networks: checked

    Network Load Balancing: unchecked

    File and Printer Sharing: checked

    QoS Packet Scheduler: unchecked;

    Microsoft Network Monitor 3 Driver: unchecked

    IPv4: checked

    Link-Layer Topology Discovery Mapper I/O Driver: checked

    Link-Layer Topology Discovery Responder: checked

    IPv4 tab

    LAN network card: 192.168.0.101

    Mask: 255.255.255.0

    Gateway: 192.168.0.1

    under the Advanced tab:

    IP settings: same as the IPv4 tab, with automatic metric checked;

    DNS tab:

    Append primary and connection specific DNS suffixes: checked

    Append parent suffixes of the primary DNS suffix: unchecked

    Append these DNS suffixes: none

    Register this connection's addresses in DNS: checked;

    Use this connection's DNS suffix in DNS registration: checked;

    WINS tab: enable LMHOSTS lookup: unchecked

    Enable NetBIOS over TCP/IP: checked;

    Disable NetBIOS over TCP/IP: unchecked;

    Install RRAS as NAT, without any dependency on DHCP (not installed), with the idea that RRAS will hand out the private IP addresses from its DHCP allocator.

    In any case, for the beginning, I have a fixed IP; I do not get an IP automatically.

    At this point, I have the simplest possible configuration for RRAS, as follows:

    Local Area Connection 3, which corresponds to the WAN interface IP:

    "NAT is configured on the following Internet interface: Local Area Connection 3.
    Clients on the local network will be assigned IP addresses from the following range:

    network address: 192.168.0.0, netmask 255.255.0.0."

    After Windows RRAS is opened:

    The Network Interfaces tab:

    NICs are enabled and connected;

    Remote Access Logging & Policies:

    Launch NPS,

    on the NPS server tab:

    Allow access to successful Active Directory directories:

    Properties: authentication: ports 1812,1645

    accounting: ports 1813,1646;

    on the accounting tab: nothing;

    under NPS policies:

    Grant permission for the RRAS server under the builtin\Administrator account;

    In the policy, the server type is unspecified (NAT does not exist as an entry in the server drop-down list)

    under static routes: nothing;

    under the IPv4 tab both interfaces are there (with IP) and are up

    under NAT

    Local Area Connection 3: public interface connected to the internet

    enable NAT on this interface:

    under address pool: public ISP addresses (two addresses)

    under services and ports: Web server: http 80.

    (I have a static IP address for the client computer in mind; I set up a single client.)

    At the client computer:

    configured as a domain client and added to AD Users and AD Computers

    logged on to the domain:

    Local Area Connection

    Properties:

    Client for Microsoft Networks: checked

    Network Load Balancing: unchecked

    File and Printer Sharing: checked

    QoS Packet Scheduler: checked;

    Microsoft Network Monitor 3 Driver: unchecked

    IPv4: checked

    Link-Layer Topology Discovery Mapper I/O Driver: checked

    Link-Layer Topology Discovery Responder: checked

    IPv4 tab

    Host IP: 192.168.0.101

    Mask: 255.255.0.0

    Gateway: 192.168.0.1

    DNS: (auto-added, the same as the local machine).

    under the Advanced tab

    IP settings: same as the IPv4 tab, with automatic metric checked;

    DNS tab:

    Append primary and connection specific DNS suffixes: checked

    Append parent suffixes of the primary DNS suffix: unchecked

    Append these DNS suffixes: none

    Register this connection's addresses in DNS: checked;

    Use this connection's DNS suffix in DNS registration: checked;

    WINS tab: enable LMHOSTS lookup: unchecked

    Enable NetBIOS over TCP/IP: checked;

    Disable NetBIOS over TCP/IP: unchecked;

    Right now the 192.168.0.101 client cannot connect to the internet through RRAS.

    This issue is beyond the scope of this site and should be posted on TechNet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • How can I put the Windows XP firewall in an 'allow all' port configuration and only block some ports?

    Without going into the details of why I need to do this, I'm putting the Windows XP firewall into an "allow all ports" configuration and only denying some ports I have in a list.

    I drive this via a command-line batch script with the netsh firewall add portopening command.  From what I've read, when enabled the firewall denies all traffic and only allows ports with exceptions, so through batch scripts I opened all 65,000+ TCP and UDP ports, essentially leaving the firewall turned on but in an "allow all" configuration.  Then I deny the 100 or so ports in my list that I want blocked, after they are all open.

    This strategy seems to work, but the problem I expected and now see is that svchost.exe takes 50% of my CPU time, having to constantly process these firewall rules.

    From what I've seen on Windows XP, there is no way to have the firewall ON and in an "allow all" configuration, because the XP firewall cannot define port ranges; they must be defined one by one.  It looks like Windows Vista or 7 would be much easier because the firewall got a revamp with advanced features.

    Does anyone have a suggestion on how to achieve this "allow all, deny some" strategy?  I know it's a strange use of the Windows Firewall, so please let's skip the 'why would you do this incredibly stupid thing?' messages.

    Also, if this was the wrong forum (or website) to post this kind of question on, I'd appreciate a recommendation for a more appropriate forum.

    Hello

    See the steps in the following article.

    How to manually open ports in Internet Connection Firewall in Windows XP?

    http://support.Microsoft.com/kb/308127
