Adjustment rule - how to allow an internal PC to ping an external IP address?
I eventually put the PIX501 in place and everything seems fine, except that the internal PC cannot ping the DNS server or any external IP address: the ping always times out ("Request timed out"). I allow all outbound ICMP traffic and UDP traffic. I have also allowed part of the TCP traffic and denied all the rest. We have internet access, but only pinging external IPs and the DNS server fails; for example, when I ping www.google.com it resolves Google's IP, but the request times out.
What rules do I need to set up to allow an internal PC to ping external IPs?
See you soon
Inbound ICMP through the PIX is denied by default while outbound ICMP is allowed, so the returning echo-reply is dropped. Allow it as below:
access-list 200 permit icmp any any echo-reply
access-group 200 in interface outside
Kind regards
Mehrdad Arshad Rad
Tags: Cisco Security
Similar Questions
-
How to allow access to an external VPN network through PPTP
Hi guys, this is probably a simple one, but I don't have much firewall experience so any help is appreciated.
We would like to be able to connect to the virtual private network of a company we have recently acquired. When connecting to it directly from the Internet (not behind our firewall), it is accessible. However, from behind our firewall there is no access. We use Cisco ASA 8.2(2).
Currently, we have an entry as follows:
object-group service PPTP tcp
 port-object eq pptp
access-list inside_access_in extended permit tcp any host object_name object-group PPTP
Please can anyone advise what else is required? I'm not sure what else is needed. Basically, we want any device within our network to be able to access the VPN through PPTP.
Your help is appreciated
Kind regards
Hi Angelo,
It should work once PPTP is permitted and inspected. But you will also need an ACL on your firewall to the PPTP server.
The documents above will help you understand this better.
Please rate whether the information provided was useful.
By
Knockaert
-
Cannot access internet or ping external site names
I have a problem with a Cisco ASA 5505.
I'm unable to access the internet from any computer on the local network. I can access the network from outside; in fact I have RDP access to a server that has been set up behind it. I can also ping external IP addresses, but not names. Here is the config. Any help or suggestion is appreciated. I'm starting to believe it's a DNS issue.
: Saved
:
ASA Version 8.2(5)
!
hostname My-ASA
domain-name monsite.fr
enable password * encrypted
passwd * encrypted
names
name 192.168.10.x Srv-192.168.10.x description server
name 97.7x.xxx.xx2 outside-host
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.x 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outside-host 255.255.255.252
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name monsite.fr
object-group service rdp tcp
 description Remote Desktop
 port-object eq 3389
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any eq ntp
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp interface 3389 Prov-Srv-192.168.10.9 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 97.7x.xxx.xx1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:eea8b18bfa5f73b832857913a77486d1
: end
You do not allow any DNS traffic to leave your network. Add the following and try again:
access-list inside_access_in extended permit udp any any eq 53
access-list inside_access_in extended permit tcp any any eq 53
In general it is not necessary to allow DNS to the entire internet, only to the DNS servers used by your internal systems.
Some other improvements to your config:
(1) If you configure ICMP inspection, you can remove the ACE that lets echo-replies into your network unconditionally:
policy-map global_policy
 class inspection_default
  inspect icmp
no access-list outside_access_in extended permit icmp any any echo-reply
(2) The outside ACL for RDP could be narrowed a bit more:
access-list outside_access_in extended permit tcp any host 97.7x.xxx.xx2 eq 3389
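Both the PIX thread at the top of the page (echo-reply dropped on the way back in) and this ASA 5505 thread (no DNS permitted out, an unconditional echo-reply ACE, RDP open to "any") are the same class of mistake: the ACL bound to an interface does not match the return path or matches far more than the one published host. The audit below is an added example, not code from either thread or from Cisco; it parses ASA 8.x `access-list NAME extended ...` and `access-group` lines, looks for `inspect icmp`, and reports the three conditions the answers above describe. The `BEFORE` and `AFTER` snippets are constructed from the 5505 config, with 192.0.2.53 and 203.0.113.2 standing in for the poster's DNS server and masked public address; function names (`parse_ace`, `audit`) and finding codes are my own.

```python
# Added example (not from the thread): audit ASA-style ACL lines for the return-path
# mistakes discussed above. Assumes ASA 8.x 'access-list NAME extended ...' syntax.
from dataclasses import dataclass
from typing import Optional

DNS_PORTS = {"53", "domain"}

@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str] = None       # value after 'eq', if present
    icmp_type: Optional[str] = None  # e.g. 'echo-reply' on icmp ACEs

def _take_addr(tokens):
    """Consume one address spec ('any', 'host X' or 'NET MASK'); return it plus the rest."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None  # standard ACLs, object-groups and non-ACL lines are ignored
    try:
        src, rest = _take_addr(t[5:])
        dst, rest = _take_addr(rest)
    except IndexError:
        return None
    ace = Ace(t[1], t[3], t[4], src, dst)
    if len(rest) >= 2 and rest[0] == "eq":
        ace.port = rest[1]
    elif rest and ace.proto == "icmp":
        ace.icmp_type = rest[0]
    return ace

def audit(config):
    """Return (code, message) findings for a config text; an empty list means nothing flagged."""
    lines = [l.strip() for l in config.splitlines()]
    aces = [a for a in map(parse_ace, lines) if a]
    bound = {}  # interface -> ACL applied inbound ('access-group NAME in interface IFACE')
    for t in (l.split() for l in lines):
        if len(t) == 5 and t[0] == "access-group" and t[2] == "in":
            bound[t[4]] = t[1]
    inspect_icmp = "inspect icmp" in lines
    inside = [a for a in aces if a.acl == bound.get("inside") and a.action == "permit"]
    outside = [a for a in aces if a.acl == bound.get("outside") and a.action == "permit"]
    findings = []
    # 1. Once an ACL is bound to inside, DNS must be let out explicitly (udp/53, tcp/53 for
    #    large answers, or a blanket ip/udp/tcp permit); with no inside ACL, outbound is open.
    if "inside" in bound and not any(
        a.proto == "ip" or (a.proto in ("udp", "tcp") and (a.port is None or a.port in DNS_PORTS))
        for a in inside
    ):
        findings.append(("NO_DNS", f"{bound['inside']} permits no DNS: names will not resolve"))
    # 2. Echo replies arrive on outside: they need stateful 'inspect icmp' or an explicit
    #    inbound echo-reply ACE; having both leaves the ACE redundant.
    replies = [a for a in outside if a.proto == "icmp" and a.icmp_type in (None, "echo-reply")]
    if not inspect_icmp and not replies:
        findings.append(("NO_ECHO_REPLY", "ping times out: add 'inspect icmp' or permit echo-reply inbound"))
    if inspect_icmp and replies:
        findings.append(("REDUNDANT_ECHO_REPLY", "'inspect icmp' already admits replies; drop the ACE"))
    # 3. Published services should be permitted to the published host, not to 'any'.
    for a in outside:
        if a.proto in ("tcp", "udp") and a.dst == "any":
            findings.append(("BROAD_INBOUND", f"{a.acl}: {a.proto}/{a.port or 'all'} to any; use 'host <public-ip>'"))
    return findings

# Constructed from the ASA 5505 thread: the state the poster was in.
BEFORE = """\
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit udp any any eq ntp
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit icmp any any echo-reply
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

# Same config with the answer's three changes; 192.0.2.53 / 203.0.113.2 are placeholders.
AFTER = """\
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit udp any host 192.0.2.53 eq 53
access-list inside_access_in extended permit tcp any host 192.0.2.53 eq 53
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 3389
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
"""
```

Calling `audit(BEFORE)` returns the `NO_DNS` and `BROAD_INBOUND` findings that match the answer above, and `audit(AFTER)` returns an empty list; a config with outbound ICMP permitted but neither `inspect icmp` nor an inbound echo-reply ACE (the PIX poster's situation) returns `NO_ECHO_REPLY`. The parser deliberately ignores standard ACLs, `object-group` references and `range` ports, so treat a clean result as "nothing flagged in the lines it understands" rather than as a full review.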
-
Cisco ACS 5.3 - how to allow only specific AD groups to connect
Can someone help me understand what I have wrong or missing?
I have configured three specific AD groups, Admin, storage and HelpDesk, with their own sets of commands.
It seems to work fine, but everyone can connect, though they can't do anything other than exit.
My goal is to not allow anyone to open a session who is not part of the three AD groups that I've specified with the respective command sets.
All connections hit the Admin account, even if the ID in AD isn't in that AD group. I've got something screwed up.
Check your authorization rules and make sure that the default rule is not "permit". Group mapping only maps ACS internal groups to AD groups; we need to verify your authorization rules to see which policies the users hit. You can reset the hit counts and test to see which policy is allowing access.
Thank you
Tarik Admani
* Please rate useful posts *
-
How to allow my new iMac desktop computer to download previous purchases on the iTunes Store?
How to allow my new iMac desktop computer to download previous purchases on the iTunes Store? I transferred all of my information from my old Mac Mini to my new iMac (Retina 4K, 21.5-inch desktop) via my Apple WiFi and Migration Assistant. My complete music library in iTunes is available and visible, but when I try to play a song or artist I get the following message: "You must authorize this computer from the Store menu before you can download previous purchases." I deauthorized my old Mac Mini and an even older PC from my iTunes account page. Please advise.
On your new machine > iTunes > menu bar > Account > Authorizations > Authorize This Computer?
-
How to allow access to all users of the connection on my computer?
How to allow access to all users of the connection on my computer?
Your question is hard to understand. I interpret it as:
"How to allow all the users on my computer to access some files or folders?"
The answer depends somewhat on whether you have XP Pro or XP Home, but a general answer is found in the following article.
"How to use Simple File Sharing to share files in Windows XP"
http://support.Microsoft.com/kb/304040 - click on "Level 3: Files in Shared Documents available to local users".
HTH,
JW
-
How to allow only .gov websites on Windows XP using the broadband setup
How to allow only .gov websites on Windows XP. Using BSNL broadband. Internet sharing is set up on the LAN.
Regards
Maton
Hi Matt,
This forum is for MSE, which cannot restrict access to websites the way you want.
One possible method that comes to mind uses Parental Controls (http://www.windows-help-central.com/parental-controls-in-windows-xp.html), possibly with Windows Live Family Safety (http://explore.live.com/windows-live-family-safety?os=other), depending on the version of XP and whether you have a workgroup or domain LAN. When you set it up, allow *.gov but block all the other types you can think of (I don't think there is a way to allow only .gov, but you can exclude most if not all of the other most-used ones; check domain name registrars for a list of options). If you use a domain, the way to go would be a custom domain group policy to restrict access across the whole network (except perhaps the server or individuals in a special category in Active Directory if you want).
If that does not do it, and I think it might not, please repost your question in the following forum to get the expert assistance you need: http://answers.microsoft.com/en-us/windows/forum/windows_xp-networking?page=1&tab=all.
I hope this helps.
Good luck!
-
How to allow access to a local area network behind the Cisco VPN client
Hi, my question is about how to allow access to a local area network behind the Cisco VPN client.
Using:
- Cisco 5500 Series Adaptive Security Appliance (ASA) running version 8.2 software
- Cisco VPN Client version 5.0 software
Does the Cisco VPN client allow injecting local routes into the Cisco ASA routing table?
Thank you.
Hi Vladimir,
Unfortunately this is not a supported feature when you connect through the VPN Client. With the VPN Client, only the VPN Client host/local machine can access the corporate LAN, not the hosts on the local network behind it, as the VPN Client is not designed for access from the corporate network to the client's local network, only from the client to the corporate network.
If you want access from your corporate network to your LAN, you need to configure a LAN-to-LAN tunnel.
-
How to allow a user to save a fillable form (that I created in Adobe Acrobat DC) so that the fields are no longer editable when they return the form by e-mail?
If you submit to a server-side script (ASP.NET, see the example below), you can merge and/or "flatten" the PDF form with iTextSharp on .NET platforms. You can also flatten the PDF with iText on the Java platform. You can also create an Acrobat JavaScript action on the submit button that, before submitting by e-mail, goes through the fields and makes them read-only; but the read-only property can easily be reverse-engineered.
Note: Submitting to a server-side script also bypasses the client-side e-mail software and sends the request using an SMTP account.
See example #3:
www.pdfemail.NET/examples/
-
How to allow multiple devices on my Adobe Digital Editions account?
How to allow multiple devices on my Adobe Digital Editions account?
You can authorize up to six devices at most. For more information about device authorization please refer to http://www.adobe.com/products/digital-editions/faq.html
-
How to allow a user to connect only from specified IP addresses?
Hello.
How to allow a user to connect only from specified IP addresses?
For example,
User1 can connect only from 192.168.1.10
User2 can connect only from 192.168.1.11
and so on...
Thank you.
Web says:
CREATE OR REPLACE TRIGGER "A1_AFTER_LOGON"
AFTER LOGON ON DATABASE
BEGIN
  IF UPPER(SYS_CONTEXT('USERENV', 'IP_ADDRESS')) <> '192.168.1.10' THEN
    NULL; -- HOW TO FORBID ACCESS ????
  END IF;
END;
/
ALTER TRIGGER "A1_AFTER_LOGON" ENABLE;
How to deny access?
Check the blog post I provided above.
RAISE_APPLICATION_ERROR(-20000, 'You don''t have permission to login!');
-
How to add an external IP address to a split tunnel?
Hello
I've set up VPN access on my ASA box so that clients use a split tunnel, so that only traffic to our internal network goes through the tunnel. Now I need to add an external IP address to this tunnel. Is this possible, and if so, how can I achieve that? Just adding the address to the tunnel network list does not work; if I do this, the client cannot connect to the external address at all.
Can anyone help?
Cheers, Georg.
Hello
I would need to see some configurations.
Usually incoming VPN traffic bypasses the interface ACL. If you have the default setting, you will need to allow traffic from the VPN pool/subnet to the server. Unless of course the server already has a rule that allows traffic from "any" source address.
Another likely problem may be your NAT configuration.
Is the local IP address of the server, or its public IP address, included in the current NAT0 configuration for the VPN connection? If yes, then this will probably cause problems for connections to its public IP address. Traffic could be dropped due to the NAT RPF check, which basically checks that the NAT matches the traffic in the opposite direction.
So confirm the above things, or share the configurations, and then we can look at it.
To my knowledge, adding the IP address to the split tunnel should naturally be enough.
EDIT: The number of the station 6000
-Jouni
-
My ASA cannot ping the LAN address
I use an ASA to build EZVPN. I can access the ASA and ping the inside interface address successfully. But from my Windows 7 machine I can't ping the interconnection address 10.100.255.2. I don't know how to solve the problem. Can anyone help me? Thank you...
Setup:
ASA5520# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname asa5520
domain-name sxng
enable password DOAXe2w/ilkXwCIz encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.255.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address x.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 nameif wireless
 security-level 10
 ip address x.x.x.x 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/pix723.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name sxng
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list split-tunnel standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip any 10.100.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.100.254.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.100.254.0 255.255.255.0
access-list acl_out extended permit icmp any any
access-list acl_out extended permit tcp any host x.x.x.x eq www
access-list acl_out extended permit tcp any host x.x.x.x eq 9000
access-list acl_out extended permit udp any host x.x.x.x eq 9000
........
......
access-list acl_out extended permit ip any 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 10.1.10.0 255.255.255.0 any eq 5000
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list wireless_access_in extended permit ip any any
access-list wireless_access_in extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging list vpn-event level emergencies
logging list vpn-event message 109001-109028
logging list vpn-event message 113001-113019
logging buffer-size 5000
logging console informational
logging buffered debugging
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu wireless 1500
mtu management 1500
ip local pool vpnpool 10.100.254.1-10.100.254.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
global (dmz) 1 10.100.253.101-10.100.253.200 netmask 255.255.255.0
global (wireless) 1 172.16.255.101-172.16.255.200 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.14 255.255.255.255
nat (inside) 1 10.1.13.100 255.255.255.255
nat (wireless) 1 172.16.0.0 255.255.0.0
static (dmz,outside) tcp x.x.x.x www 10.100.253.1 www netmask 255.255.255.255
.......
.........
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.1.1.16 10.1.1.16 netmask 255.255.255.255
static (dmz,outside) 10.100.253.20 x.x.x.x netmask 255.255.255.255
static (dmz,outside) 10.100.253.32 x.x.x.x netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_inside in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.100.255.1 1
route inside 10.0.0.0 255.0.0.0 10.100.255.2 1
route wireless 172.16.0.0 255.255.0.0 172.16.255.1 1
!
router ospf 1
 network 10.67.180.0 255.255.255.255 area 0
 network 0.0.0.0 0.0.0.0 area 1
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 outside
telnet 10.0.0.0 255.0.0.0 inside
telnet 10.100.0.0 255.255.0.0 inside
telnet 10.100.255.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 wireless
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns x.x.x.x
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
group-policy sxnggroup internal
group-policy sxnggroup attributes
 dns-server value 202.99.192.68
 ip-comp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username sxtrq password Y6cwK1wOhbhJ6YI/ encrypted
username maboai password R6eu6P1iKIwFIFjS encrypted
username winet password FwZ0ghxvIpXOepvf encrypted
tunnel-group sxnggroup type ipsec-ra
tunnel-group sxnggroup general-attributes
 address-pool vpnpool
 default-group-policy sxnggroup
tunnel-group sxnggroup ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:119ae137eef5ed97d38b4e2f90ed46d7
: end
ASA5520# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 202.97.158.177 to network 0.0.0.0
C    x.x.x.x 255.255.255.248 is directly connected, outside
C    172.16.255.0 255.255.255.0 is directly connected, wireless
S    172.16.0.0 255.255.0.0 [1/0] via 172.16.255.1, wireless
S    10.0.0.0 255.0.0.0 [1/0] via 10.100.255.1, inside
                        [1/0] via 10.100.255.2, inside
C    10.100.255.0 255.255.255.0 is directly connected, inside
S    10.100.254.2 255.255.255.255 [1/0] via x.x.x.x, outside
C    10.100.253.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside
ASA5520# sh arp
        outside x.x.x.x 00d0.d0c6.9181
        outside x.x.x.x 00d0.d0c6.9181
        outside 224.0.0.5 0100.5e00.0005
        inside 224.0.0.5 0100.5e00.0005
        inside 10.100.255.1 0000.0c07.acff
        inside 10.100.255.2 001c.b0cb.5ec0
        dmz 10.100.253.20 60a4.4c23.3032
        dmz 224.0.0.5 0100.5e00.0005
        dmz 10.100.253.1 001a.6436.6df6
        wireless 224.0.0.5 0100.5e00.0005
        wireless 172.16.255.1 0026.98c6.41c8
Try using the "show crypto ipsec sa" command to watch the encaps and decaps packet counters; hopefully they don't increment too fast. You should be able to see both increase when it succeeds and only one side increase when it fails. Check both sides of the VPN, and this should give you an idea where the problem is. If the encaps packets are increasing on the ASA local to your Win7 PC and the decaps are increasing on the remote ASA but the encaps there are not, then the problem is with packets from the remote side. I hope this will help you determine where the problem is so you can focus your search there.
-
LRT224 port forwarding with an internal port different from the external port
Port forwarding seems to work flawlessly, but I need to route, say, external port 940 to internal port 1005.
On most routers you choose this in the "Service" section or the "Port Forwarding" section, but I can't seem to find anything that lets me indicate what the internal one is.
How do I do this?
/ Ulrik
Click Configuration > Setup > Port Address Translation.
-
How does my HP 8620 come with an e-mail address? How can it be reversed and deleted?
I don't want an e-mail address for my printer; how can it be removed...
Hello
The printer e-mail address is for ePrint. If you do not want to use ePrint, you can log in to your HP Connected account and disallow sending to its address; then no one can send anything to it. Have a nice day.
Kind regards.