Extended ACL problem

I have a question. I am doing an extended ACL to deny HTTP, Telnet, and FTP internet traffic to PC1 in an exercise I am working on.

I did the following ACL and applied it to the loopback interface on R2 (where the ISP is the 'cloud'). PC1 is connected to R1, which is obviously connected to R2.

ip access-list extended ACL_TCP
 deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
 permit tcp any any established

Is there a better way to do it? Does this extended ACL work for my purpose?

Say R2's address is 192.168.1.2, and you only want to allow this address. You create the ACL on R1 and R3, and it would look like:

R1: 192.168.1.1

R3: 192.168.1.3

access-list 23 permit host 192.168.1.2

You can apply this to your line on R1 and R3:

line vty 0 4

access-class 23 in

HTH,

John
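The threads on this page all turn on the same three ACL mechanics: top-down first-match evaluation with an implicit deny at the end, wildcard masks (0.0.0.0 matches one host, 0.0.0.255 a whole /24), and the `established` keyword, which matches only TCP segments carrying ACK or RST, i.e. the return half of a session. The evaluator below is an added example, not code from the original posts or from Cisco; it parses a small subset of IOS ACL syntax and walks sample packets through it. The sample ACLs and addresses are constructed, modelled on the VLAN list and the inbound list discussed above, and it goes beyond the single question here by handling both standard and extended entries.

```python
"""Constructed example (not from the original posts): a tiny evaluator for a
subset of Cisco IOS access-list syntax, modelling top-down first-match
evaluation, the implicit 'deny any', wildcard masks and 'established'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard test: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[str, str]         # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None  # 'eq <port>' after the destination
    established: bool = False    # match TCP only when ACK or RST is set

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False            # True for the reply half of a TCP session

def _take_addr(tok: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the tokens."""
    kind = tok.pop(0)
    if kind == "any":
        return ANY
    if kind == "host":
        return (tok.pop(0), "0.0.0.0")
    return (kind, tok.pop(0))

def parse_acl(text: str) -> List[Rule]:
    """Parse standard entries ('permit <src>') and extended entries
    ('permit <proto> <src> <dst> [eq <port>] [established]'); sequence numbers,
    'access-list N' prefixes, 'ip access-list' headers and remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:          # numbered ACL syntax
            tok = tok[2:]
        if not tok or tok[0] in ("ip", "remark"):
            continue
        if tok[0].isdigit():                    # sequence number
            tok.pop(0)
        action = tok.pop(0)
        if tok[0] in ("ip", "tcp", "udp", "icmp"):   # extended entry
            proto = tok.pop(0)
            src, dst = _take_addr(tok), _take_addr(tok)
        else:                                        # standard entry: source only
            proto, src, dst = "ip", _take_addr(tok), ANY
        dport, established = None, False
        while tok:
            t = tok.pop(0)
            if t == "eq":
                dport = int(tok.pop(0))
            elif t == "established":
                established = True
        rules.append(Rule(action, proto, src, dst, dport, established))
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, r in enumerate(rules):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *r.src) and wildcard_match(pkt.dst, *r.dst)):
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r.action, i
    return "deny", None

# Constructed sample ACLs modelled on the threads on this page.
VLAN_ACL_ORIGINAL = """ip access-list extended ACCESS
 10 permit ip any 10.4.197.0 0.0.0.255
 20 permit ip any host 10.4.134.2
"""
VLAN_ACL_FIXED = VLAN_ACL_ORIGINAL + """ 30 deny ip any 10.0.0.0 0.255.255.255
 40 permit ip any any
"""
INBOUND_ACL = "ip access-list extended FROM-INTERNET\n permit tcp any any established\n"

def internet_reachable(acl_text: str) -> str:
    """Action taken on a wifi client's HTTP request to an internet host."""
    return evaluate(parse_acl(acl_text), Packet("tcp", "10.4.197.25", "93.184.216.34", 80))[0]

def inbound_decisions() -> Tuple[str, str]:
    """Unsolicited SYN to PC1's telnet port vs. a reply to a session PC1 opened."""
    rules = parse_acl(INBOUND_ACL)
    syn = Packet("tcp", "209.165.200.170", "10.0.0.5", dport=23)
    reply = Packet("tcp", "209.165.200.170", "10.0.0.5", dport=51000, ack=True)
    return evaluate(rules, syn)[0], evaluate(rules, reply)[0]
```

`internet_reachable(VLAN_ACL_ORIGINAL)` falls through to the implicit deny, while the version with a `deny` for the internal range followed by `permit ip any any` lets the same packet out; `inbound_decisions()` shows the stateless nature of IOS ACLs: an inbound list of `permit tcp any any established` drops a new connection to PC1 but lets the replies to PC1's own sessions through, and a standard entry like `permit 10.1.1.1 0.0.0.255` can be checked with `wildcard_match` to see that it matches the whole 10.1.1.0 range, not one host.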

Tags: Cisco Security

Similar Questions

  • Cisco extended ACL

    Hi, I need help! On one specific VLAN, I want to give my wifi users access to the internet and to specific resources on the local network. I created an extended ACL on my Cisco 3750 and applied it to my VLAN interface. It looks like this:

    10 permit ip any 10.4.197.0 0.0.0.255  --> my subnet for wifi users
    20 permit ip any host 10.4.134.2
    30 permit ip any host 10.4.134.3
    40 permit ip any host 10.4.134.16
    50 permit ip any host 10.4.134.117
    60 permit ip any 192.168.0.0 0.0.0.255  --> my DMZ
    100 permit ip any 192.168.133.0 0.0.0.255  --> my firewall subnet

    On my VLAN interface, the command is: ip access-group ACCESS in

    My problem is: I can only access the hosts on my LAN that I've specified (which is perfect), but when I try to go on the internet I cannot!

    Does anyone have an idea to solve my problem? I tried to add another ACL:

    ip access-list extended ACCESSWEB

    10 permit tcp 10.4.197.0 0.0.0.255 any eq www

    and applied it to my VLAN interface (ip access-group ACCESSWEB on) together with the other one (ip access-group CSDDSF in), but the result is the same (no internet). If I put just this one (ip access-group CSDDSF in), the internet works fine.

    Thank you!

    Bernard

    Collin did well to identify that DNS is necessary. I am surprised that he did not see the other part of the problem. Your access list permits specific destination hosts and 2 subnets. Don't forget that every access list has an implicit deny any at the bottom. So when you try to access the Internet, the router checks your packet against the access list. It does not match any of the permits and so it is denied.

    To achieve the desired results, that access list should follow the permits you created with deny statements that deny all destinations inside your network, and then have a permit ip any any so that traffic can access the Internet.

    HTH

    Rick

  • ACL problem.

    Hello everyone, for some reason with this Packet Tracer lab I get the last piece of the ACL incorrect.

    This is the lab I've done so far (94%)

    http://www.sendspace.com/file/gsnk07

    They ask for the following:

    Configure a standard named ACL on the vty lines of R1 and R3, allowing the hosts directly connected to their Fast Ethernet subnets Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.

    They also ask this for the extended ACL:

    Name the ACL Block.

    Block traffic from the R1 LAN from reaching the R3 LAN.

    Block traffic from the R3 LAN from reaching the R1 LAN.

    Allow any other traffic.

    Here's what I have on Router 1 for the standard ACL:

    ip access-list standard VTY-Local
     deny 10.1.0.0 0.0.0.3
     deny 10.3.0.0 0.0.0.3
     deny 10.3.1.0 0.0.0.255
     permit 10.1.1.1 0.0.0.255

    I can't understand why my ACL is incorrect.

    Host 1 IP (connected to R1's host interface): 10.1.1.1

    The serial connection between R1 and R2 is in subnet 10.1.0.0/30

    R2 to R3: 10.3.0.0/30

    Host 2 to R2: 10.3.1.0/24

    Host 2's address is 10.3.1.1/24

    Can someone help me?

    deny 10.1.0.0 0.0.0.3 - matches IP 10.1.0.x

    deny 10.3.0.0 0.0.0.3 - matches IP 10.3.0.x

    deny 10.3.1.0 0.0.0.255 - matches IP 10.3.1.x

    permit 10.1.1.1 0.0.0.255 - matches IP 10.1.1.0

    The correct ACL should be:

    deny 10.1.0.0 0.0.0.3

    deny 10.3.0.0 0.0.0.3

    deny 10.3.1.0 0.0.0.255

    permit 10.1.1.1 0.0.0.0

    or

    permit 10.1.1.1 0.0.0.0

    deny any

    HTH

  • Extended ACL works in both directions?

    Hello

    I would like to know the following, and hopefully one of you can help me:

    If I write an extended ACL saying that PC1 must not communicate with PC2 and apply it outbound on an interface like this:

    Cisco(config-ext-nacl)# deny ip host PC1 host PC2

    ... is it still possible for PC2 to start, for example, a telnet session to PC1?

    IOS ACLs are not stateful, unless you use CBAC (IOS Firewall). Which means:

    1. your ACL will block traffic originating from .1 to .2

    2. host .2 can originate communication to .1, but the response packets from .1 to .2 are blocked, so no TCP session can be set up. Stateless protocols that use UDP and don't expect answers could work; .2 could send syslog to .1, for example.

  • Need some ACL kung fu for a Site-to-Site VPN ACL problem

    Group,

    I have a little problem that I know is related to ACLs. I wanted a few experts to take a look at my config please. Here's the question:

    I'm attempting to create a site-to-site VPN between two offices, but for some reason they cannot ping each other. It is a strange thing.

    97.XX.231.22 <--> 71.xx.160.123

    I can ping both firewalls from the outside using a computer, but from the firewalls' internal utilities they cannot ping each other. At the same time I can ping their respective gateways.

    Secondly, I did an inside-to-outside translation, as you can see here, for 80 & 443, which prevents me from browsing http and https over the VPN from the remote LAN; can it be modified to allow access? I can access it when I dial in via the VPN client but not via the permanent VPN tunnel. Here is the config.

    no ip nat service sip udp port 5060
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 10.41.14.103 80 71.xx.160.123 80 extendable
    ip nat inside source static tcp 10.41.14.103 443 71.xx.160.123 443 extendable
    ip route 0.0.0.0 0.0.0.0 71.xx.160.121
    ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent
    ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent
    ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent
    ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent
    ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent
    ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent
    ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent
    ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent
    !
    ip sla auto discovery
    logging trap errors
    logging host 192.168.10.29
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 remark Platinum LAN
    access-list 2 permit 10.41.14.0 0.0.0.255
    access-list 2 deny any
    access-list 101 remark Master rules
    access-list 101 remark CCP_ACL Category=1
    access-list 101 remark FaxFinder WWW traffic
    access-list 101 permit tcp any host 71.xx.160.123 eq www
    access-list 101 remark FaxFinder HTTPS traffic
    access-list 101 permit tcp any host 71.xx.160.123 eq 443
    access-list 101 remark NTP Time Protocol
    access-list 101 permit udp any host 71.xx.160.123 eq ntp
    access-list 101 remark IPSec protocols
    access-list 101 permit udp any host 71.xx.160.123 eq non500-isakmp
    access-list 101 remark IPSec protocols
    access-list 101 permit udp any host 71.xx.160.123 eq isakmp
    access-list 101 remark ESP traffic
    access-list 101 permit esp any host 71.xx.160.123
    access-list 101 remark General permit
    access-list 101 permit ip any any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
    access-list 102 remark IPSec Rule
    access-list 102 deny ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
    access-list 102 remark IPSec Rule
    access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
    access-list 102 remark Platinum LAN NAT rule
    access-list 102 permit ip 10.41.14.0 0.0.0.255 any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
    access-list 108 remark CCP_ACL Category=4
    access-list 108 permit ip 10.41.14.0 0.0.0.255 any
    access-list 109 remark IPSec Rule
    access-list 109 remark CCP_ACL Category=4
    access-list 109 permit ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
    access-list 110 remark CCP_ACL Category=4
    access-list 110 remark IPSec Rule
    access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
    no cdp run
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 102

    There is more than one way to achieve this goal.

    (1) The best way is possible if the two VPN peers are IOS routers. Then you can migrate to Virtual Tunnel Interfaces (VTI). With this, the external interface no longer mixes VPN and non-VPN traffic.

    (2) If VTI is not possible, you can restrict the translation to only non-VPN traffic using a route-map:

    object-group network RFC1918
     10.0.0.0 255.0.0.0
     172.16.0.0 255.240.0.0
     192.168.0.0 255.255.0.0

    route-map NAT-SERVER-10.41.14.103 permit 10
     match ip address TRAFFIC-NAT-SERVER-10.41.14.103

    ip access-list extended TRAFFIC-NAT-SERVER-10.41.14.103
     deny ip host 10.41.14.103 object-group RFC1918
     permit tcp host 10.41.14.103 eq 80 any
     permit tcp host 10.41.14.103 eq 443 any

    ip nat inside source static 10.41.14.103 71.xx... route-map NAT-SERVER-10.41.14.103

    What does that do?

    When your server communicates with a system whose address is in an RFC1918 range, the route-map does not match and the translation is not used. That is your VPN scenario. But if the server communicates with a non-RFC1918 address, the translation is used and the server can be reached.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni
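The route-map answer above rests on the order of operations: on the inside-to-outside path the static NAT rewrites the server's source address before the crypto map looks at the packet, so an always-on static translation makes the server's replies to the remote LAN miss crypto ACL 109 and go out in the clear instead of into the tunnel, while the route-map keeps RFC1918 destinations untranslated. The model below is an added example, not code from the post or from Cisco; it reuses the addresses, the RFC1918 object-group and access-list 109 from the thread, uses a TEST-NET-3 placeholder for the elided 71.xx... public address, and the "NAT before crypto" ordering it encodes is an assumption about IOS behaviour that is stated here rather than taken from the post.

```python
"""Constructed example (not from the original post): conditional static NAT
through a route-map, and why it matters for the IPsec tunnel. Addresses and
ACL contents come from the thread; 203.0.113.123 is a placeholder for the
elided public address; NAT-before-crypto ordering is an assumption."""
import ipaddress
from typing import Tuple

SERVER_INSIDE = ipaddress.ip_address("10.41.14.103")
SERVER_PUBLIC = ipaddress.ip_address("203.0.113.123")    # placeholder for 71.xx...
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# access-list 109 from the post: permit ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
CRYPTO_ACL_109 = (ipaddress.ip_network("10.41.14.0/24"), ipaddress.ip_network("192.168.76.0/24"))


def traffic_nat_server_acl(proto: str, src: str, sport: int, dst: str) -> str:
    """Top-down evaluation of TRAFFIC-NAT-SERVER-10.41.14.103 from the answer."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == SERVER_INSIDE and any(d in net for net in RFC1918):
        return "deny"      # deny ip host 10.41.14.103 object-group RFC1918
    if proto == "tcp" and s == SERVER_INSIDE and sport in (80, 443):
        return "permit"    # permit tcp host 10.41.14.103 eq 80|443 any
    return "deny"          # implicit deny: anything else is not translated


def translated_source(proto: str, src: str, sport: int, dst: str, conditional: bool) -> str:
    """Source address after NAT. Plain static NAT always rewrites the server's
    address; the route-map version rewrites only when its ACL permits."""
    if not conditional:
        return str(SERVER_PUBLIC) if ipaddress.ip_address(src) == SERVER_INSIDE else src
    return str(SERVER_PUBLIC) if traffic_nat_server_acl(proto, src, sport, dst) == "permit" else src


def enters_tunnel(src: str, dst: str) -> bool:
    """Crypto ACL check, applied to the packet as it looks after NAT."""
    return (ipaddress.ip_address(src) in CRYPTO_ACL_109[0]
            and ipaddress.ip_address(dst) in CRYPTO_ACL_109[1])


def server_reply(dst: str, conditional: bool) -> Tuple[str, bool]:
    """The server answering a web request from dst: (source on the wire, encrypted?)."""
    src = translated_source("tcp", str(SERVER_INSIDE), 80, dst, conditional)
    return src, enters_tunnel(src, dst)
```

`server_reply("192.168.76.10", False)` shows the symptom from the question: the reply leaves as the public address and never matches the crypto map, while `server_reply("192.168.76.10", True)` keeps the private source and is encrypted; internet clients are translated either way.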

  • named extended ACL doesn't work, can you help me?

    The router I use is a 2651xm, and NAT is used to connect everything inside my LAN (192.168.1.x) to the outside internet. A standard ACL was used to block some local hosts from accessing the outside internet, and it worked fine. My question is: when I created a named extended ACL and applied it to the interface that is attached to the LAN, the entire local network was no longer able to access the outside internet! Can you give me some advice?

    My hardware and software are a 2651xm + IOS 12.3(6b)

    Best regards.

    Jan

    Hi Jan,

    I think the problem here is that you are confusing the use of an access list to control NAT with the use of an access list to filter traffic.

    Looking at the NAT, I see you have ip nat inside source list 1 pool cisco2651-natpool-168 overload. This means that you still need access list 1 to define which source addresses are translated. You could, I guess, use a named access list to do this, and the command would be something like ip nat inside source list inside-outside pool cisco2651-natpool-168 overload, where inside-outside is the name of a standard named access list. But however you play it, you still need the access list. Try putting back access list 1, and you will see that it starts working again. Note that the access list used to control NAT must be a standard-type list, named or numbered, not an extended one.

    On the other hand, you used the named extended ACL "test" to filter your traffic, and that's fine. OK, the list is wide open at the moment, but I guess you want to restrict it later.

    I hope this helps. Write back and let us know how you get on.

    Kevin Dorrell

    Luxembourg

  • extended display problem

    Hello, I have an HP p7-1235 with an AMD A8-5500 3.2 GHz and Radeon HD 7560D; for about 3 months it has run with an Acer H233H as the main display (DVI) and an older Samsung 223BW (VGA) as a secondary screen. A week ago the Samsung stopped showing the extended desktop after being off for a few hours; whether after a cold start or a Windows restart, it turns off after 30 minutes of activity. But if I push the Samsung power button off and on, the screen is restored.

    The strange thing is that the display is active in the boot process and the Starting Windows message appears, but once Windows 7 is up the Samsung needs its power button cycled off and then back on before it displays again. However, if I turn off the computer for an hour and restart, both monitors work fine.

    I read on an HP forum that I should do a system restore to a time when I knew the system was working, so I did, and I still have the same problem. So I guess it's not Windows. Maybe I'm making a false assumption; what do you think?

    If the hardware is the issue, is it more likely the motherboard video card or the monitor itself?

    Thanks for any help.

    Hello kevn57

    To help identify the problem, have you tried another monitor? This will rule out the current monitor as the culprit. What are the current drivers for the Radeon HD 7560D? The drivers may not be waking up the monitor correctly. The problem could be the cable as well, so before exchanging the monitor, you should try another VGA cable.

    I'd start with the monitor and cable first of all, as they are easier to isolate.

  • Using X3500 as a wireless extender, DHCP problem with iPhone 6

    Hello

    If all goes well, a simple question with a simple answer.

    Background:
    I moved from my DSL provider to a cable provider (VirginMedia). My new ISP delivered a cable modem (SuperHub 2 ac) and I connected the two devices together to extend my wireless home network. The cable modem and the X3500 are physically apart from each other, connected through just their Ethernet ports over powerline technology (Devolo dLAN 1200+). Both routers broadcast the same SSID, but on separate channels.

    Question:
    All devices in my house (laptops, tablets, phones) roam between the two wifi areas transparently *except* the iPhone 6 (iOS 8.1); it works on the cable modem wifi, but not on the X3500 wireless. I also have an iPad Mini 2 (also iOS 8.1) which works, so rightly or wrongly I have excluded iOS 8.1 as the issue. Oddly enough, the iPhone 6 connects to the X3500 but isn't getting an IP address (from the cable modem's DHCP server). Even a static IP address doesn't help.

    Comments:
    If the X3500 is configured as a DHCP server, the iPhone connects (and gets an IP address), but then the default gateway is incorrect (it is the X3500's IP address, not the remote cable modem). I can't find anywhere in the configuration to specify a default gateway.

    Question
    I'm starting to think it is a problem with the iPhone 6 (since all other devices work correctly), but I want to make sure I have the X3500 configured correctly. I am particularly interested in whether I am using the right 'Mode' (ADSL / Ethernet). I tried 'Bridged Mode Only' (ADSL) and 'Automatic DHCP only' (Ethernet), but neither seems to solve the problem with the iPhone 6.

    Any suggestions on how to fix this would be most welcome.

    Thank you!

    Thanks a lot for the details... Now I have a config that works for the iPhone 6 as well.

    Basically, I connected the cable between the X3500's port and the Ethernet port on the internet-connected cable modem (via the Powerline). I then changed the network on the X3500 from the 192.168.0.x range (this is the network address range used by the internet-connected cable modem) to 192.168.168.x. Finally I activated DHCP on the X3500, which seemed to be the element that was killing the iPhone 6.

    The iPhone 6 connects now (which it always did), but with DHCP running on the X3500 on the new network address range the iPhone 6 also gets a valid IP address.

    Seems like a lot just to get the iPhone 6 to work... I never found a manual way to specify a default gateway on the X3500 when you run DHCP (it appears to default to its own IP address, with no provision to change it).

    Anyway... This works for now... I'll keep an eye on the iPhone 6 updates, just in case the anomaly is something specific to the iPhone 6; if something changes I will post here.

    I have attached a picture for future reference. Thanks again for your advice and support.

  • HP 6100 on extended wireless network, router connection problem

    We have two printers, an 8600 and a new 6100. In my office I use a Mac on OS X Mavericks on the network SSID 'Outhouse'; my wife's machine is in another building with the 6100 on the extended network SSID 'outhouse_EXT'. We both need to be able to print to the other's printer. Her laptop, which runs Windows 7, works very well and can print on both machines. However, I can't print to her 6100. When attempting to discover her printer nothing comes up.

    Any help greatly appreciated.

    Hi detaylor12,

    I understand that you have an Officejet 8600 and an Officejet 6100 and want to be able to print to each of them, but are having problems. I'm sorry to hear that, but I'm absolutely going to do my best to help you!

    Do both Outhouse and outhouse_EXT appear as connection options on your Mac? If they do, I think that's the problem. You must be connected to the same network that the printer is on in order to access it. When you want to print to your wife's printer, you would have to make sure that your Mac is connected to the outhouse_EXT network rather than the Outhouse network that your printer and your Mac are normally on.

    Give that a try and let me know if it helps.

  • Sequence ACL problem

    Currently, I am at a very basic level of configuration and have obtained internet access by binding PPP to the router, and seem to have reached an active VPN connection. The VPN connection is active, but the traffic counters are at 0. When I change the sequence of the ACL, it connects perfectly.

    Using a 2800 router

    There is not enough information given here for us to understand the problem and propose solutions. If you change the sequence number of the ACL and it connects perfectly, then maybe the problem is solved?

    HTH

    Rick

  • ISE Airespace WLC ACL problem

    Hello

    I have configured ISE and WLC for use with the CWA guest portal, but there is a problem with the CoA: it won't apply the Airespace ACL after authentication on the guest portal.

    1. On the AuthC page, I configured wireless MAB to continue if the user is not found, and use internal users as the identity store.

    2. On the AuthZ page I configured WEBAUTH as the default rule with the following:

    Access type = ACCESS_ACCEPT

    cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT

    cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa

    3. I've also configured this ACL on the WLC to allow:

    permit any-to-any icmp and dns

    permit any-to-ISE port 8443

    permit ISE-to-any

    This part works very well, because I get redirected to the guest portal and can use my guest login & password to authenticate. The guest account was previously generated by the sponsor portal and it works too.

    4. On the AuthC page, I use wireless dot1x with internal users

    5. On the AuthZ page I use a rule "if internal users: Guest then GUEST"

    6. The GUEST rule looks like the following:

    Access type = ACCESS_ACCEPT

    Airespace-ACL-Name = GUEST_INTERNET_ONLY

    7. This ACL is configured on the WLC, allowing everything except private networks (ISE is also permitted)

    After guest portal authentication, I see a success message and I am able to ping the internet, but I don't have web access. It looks like the CoA and the Airespace ACL are not working: I continue to use my ACL-WEBAUTH-REDIRECT access list, and I see strange error messages in the WLC logs:

    * apfReceiveTask: 17:32:27.317 12 Nov: % ENTRY_DONOT_EXIST-3-ACL: acl.c:369 cannot find an ACL by name.

    I swear my ACL name spelling is correct, and ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with counters too!

    I have no idea what the problem could be...

    Any ideas?

    P.S. see the attachment for the Live Authentications log

    You can try "debug client" on the WLC CLI and connect with the client. Then you'll see whether the WLC applies your ACL.

    It looks like this for my permit-all ACL:

    * apfReceiveTask: 25 Oct 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1)-(calling apf_policy.c:1762)

    It should be near the bottom.

    And afterwards, debug disable-all.

    Another question: you can ping the internet but have no web access; what about by URL? Does DNS work after applying the last ACL?

    Regarding this line in the log:

    * apfReceiveTask: 17:32:27.317 12 Nov: % ENTRY_DONOT_EXIST-3-ACL: acl.c:369 cannot find an ACL by name.

    I get that too with CWA working, so I don't know whether it's related (for my setup).

    Regards,
    Mikael

    Sent from the Cisco Technical Support iPad App

    Post edited by: Mikael Gustafsson
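The check Mikael describes, reading "debug client" output for the "Change IPv4 ACL" lines and the "Unable to find an ACL by name" error, is tedious by hand on a long capture. The parser below is an added example, not code from the thread or from Cisco; it extracts the per-client ACL transitions and the ACL-lookup errors so you can confirm whether the CoA actually moved a client onto the ACL named in the ISE authorization profile. The sample lines are constructed, modelled on the two log lines quoted in the thread (same MAC, client IP and ACL names); the exact wording of real WLC output is an assumption and may differ between releases.

```python
"""Constructed example (not from the original thread): pull ACL transitions and
ACL-lookup errors out of WLC 'debug client' output. Sample lines are constructed,
modelled on the thread; real WLC wording may differ between releases."""
import re
from typing import Dict, List, Optional, Tuple

ACL_CHANGE = re.compile(
    r"^\*(?P<task>\S+): (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<ip>\S+) (?P<state>\S+) \(\d+\) "
    r"Change IPv4 ACL '(?P<old>[^']*)' \(ACL ID \d+\) ===> '(?P<new>[^']*)' \(ACL ID \d+\)"
)
ACL_MISSING = re.compile(r"%ACL-3-ENTRY_DONOT_EXIST: .*Unable to find an ACL by name")

# Constructed capture: one guest client redirected, then moved by CoA, plus one
# unrelated client, with the lookup error from the thread in between.
SAMPLE_DEBUG = """\
*apfReceiveTask: Nov 12 17:32:20.101: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Change IPv4 ACL 'none' (ACL ID 255) ===> 'ACL-WEBAUTH-REDIRECT' (ACL ID 2) --- (caller apf_policy.c:1762)
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
*apfReceiveTask: Nov 12 17:32:27.402: c8:bc:c8:13:4e:35 172.16.10.13 RUN (20) Change IPv4 ACL 'ACL-WEBAUTH-REDIRECT' (ACL ID 2) ===> 'GUEST_INTERNET_ONLY' (ACL ID 3) --- (caller apf_policy.c:1762)
*apfReceiveTask: Nov 12 17:33:01.555: 00:11:22:33:44:55 172.16.10.20 RUN (20) Change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)
""".splitlines()


def acl_timeline(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per client MAC, the ordered (client state, old ACL, new ACL) transitions."""
    out: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in lines:
        m = ACL_CHANGE.match(line.strip())
        if m:
            out.setdefault(m["mac"], []).append((m["state"], m["old"], m["new"]))
    return out


def missing_acl_errors(lines: List[str]) -> List[str]:
    """Timestamps of every 'Unable to find an ACL by name' error in the capture."""
    return [line.split(": ")[1] for line in lines if ACL_MISSING.search(line)]


def final_acl(lines: List[str], mac: str) -> Optional[str]:
    """ACL the WLC last applied to the client, or None if it never changed."""
    steps = acl_timeline(lines).get(mac.lower())
    return steps[-1][2] if steps else None


def coa_applied(lines: List[str], mac: str, expected: str) -> bool:
    """True when the client ended up on the ACL the ISE authorization profile names."""
    return final_acl(lines, mac) == expected
```

Run `coa_applied(lines, "<client mac>", "GUEST_INTERNET_ONLY")` over the saved debug output: a client still on ACL-WEBAUTH-REDIRECT after the portal login points at the CoA or the Airespace-ACL-Name attribute, while a lookup error timestamp that lines up with the CoA points at the ACL name on the controller.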

  • ASA ACL problem

    Hello

    I'm trying to put an ACL on a group policy for my IPsec LAN-to-LAN VPN.

    My ACL does not work and blocks all traffic.

    Since it does not work with the ACL on the group policy, I put an ACL on the inside interface, but it does not match.

    To get a match, I have to put a deny ip any any before a permit.

    Thank you

    Hello

    The main problem when configuring IPsec filters is that people set them up outbound. You must specify the inbound traffic you want to permit or deny.

    Here is the document that explains how to configure filters. Take a look, and if you have any problems please post your VPN configuration.

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

    Have fun.

    Raga

  • ACL problems after upgrade to 11.2.0.2 11.2.0.1, please help

    After we went from 11.2.0.1 to 11.2.0.2, we started having this problem:

    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 25
    ORA-06512: at "SYS.DBMS_LDAP", line 57
    ORA-06512: at "BANINST1.ZPGKOUSR", line 1606

    Line 1606 is:

    l_session := dbms_ldap.init(hostname => l_host,
                                portnum  => v_ADConfig.zgpwdrecfg_port);

    We have an ACL with host * and NULL lower and upper ports, and the connected user has the connect and resolve privileges in this ACL.

    What are we missing?

    Thank you

    Alex.

    Hi Alex

    Please check these references:

    Note 1317940.1      DBMS_LDAP fails to authenticate after DB upgrade to 11.2.0.2
    Note 1361247.1      ORA-24247 after applying the 11.2.0.2 patch set

    See if Patch 10170706 can help; it addresses a problem where not all valid ACL authorisations were checked for a match in some scenarios.

    Greetings,

    Damage ten Monkshood

  • Extended warranty problem

    I bought a Tecra with a 3-year warranty. I registered two years ago (using the web) and now I'm trying to register the extension. The system asks for a contract number. I got the extension as a DVD/CD-style envelope box with a CD and the warranty terms. Where can I find this number? Can someone help me? Does anyone know the email address for Toshiba support?

    Tom

    Hello

    After the first registration of the warranty, did you receive a confirmation e-mail from Toshiba? Usually the contract number is in there.

  • Is it possible to use an extended ACL for split tunneling on ASA?

    I'm setting up an IPsec RA VPN on an ASA and I would like to know whether it is possible to use an extended ACL as part of split tunneling?

    Thank you!

    Yes, you can use an extended ACL. See this example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

    Kind regards

    Averroès.
