Extended ACL problem
I have a question. I am writing an extended ACL to deny HTTP, Telnet, and FTP Internet traffic to PC1 in an exercise I am doing.
I wrote the following ACL and applied it to the loopback interface on R2 (which plays the ISP 'cloud'). PC1 is connected to R1, which is in turn connected to R2.
ip access-list extended ACL_TCP
 deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
 permit tcp any any
Is there a better way to do it? Does this extended ACL work for my purpose?
Say R2's address is 192.168.1.2 and you only want to allow this address. You create the ACL on R1 and R3, and they would look like:
R1: 192.168.1.1
R3: 192.168.1.3
access-list 23 permit host 192.168.1.2
You can apply this to your vty lines on R1 and R3:
line vty 0 4
 access-class 23 in
HTH,
John
Tags: Cisco Security
Similar Questions
-
Hi, I need help! On one specific VLAN, I want to give my wifi users access to the Internet and to specific resources on the local network. I created an extended ACL on my Cisco 3750 and applied it to my VLAN interface. It looks like this:
10 permit ip any 10.4.197.0 0.0.0.255 --> my subnet for wifi users
20 permit ip any host 10.4.134.2
30 permit ip any host 10.4.134.3
40 permit ip any host 10.4.134.16
50 permit ip any host 10.4.134.117
60 permit ip any 192.168.0.0 0.0.0.255 --> my DMZ
100 permit ip any 192.168.133.0 0.0.0.255 --> my firewall subnet
On my VLAN interface the command is: ip access-group ACCESS in
My problem is: I can access the hosts on my LAN that I've specified (which is perfect), but when I try to go on the Internet I can't!
Does anyone have an idea to solve my problem? I tried adding another ACL:
Extended IP access list ACCESSWEB
 10 permit tcp 10.4.197.0 0.0.0.255 any eq www
and applying it to my VLAN interface (ip access-group ACCESSWEB out) together with the other one (ip access-group CSDDSF in), but the result is the same (no Internet). If I put just this one (ip access-group CSDDSF in), the Internet works fine.
Thank you!
Bernard
Collin has done well to identify that DNS is necessary. I am surprised that he did not see the other part of the problem. Your access list permits specific destination hosts and 2 subnets. Don't forget that every access list has an implicit deny any at the bottom. So when you try to access the Internet, the access list checks your packet against its entries. It does not match any of the permits, and so it is denied.
To achieve the desired result, the access list should follow the permits that you created with deny statements that deny all network destinations inside your network, and then have a permit ip any any so that traffic can reach the Internet.
HTH
Rick
-
Hello everyone, for some reason with this Packet Tracer lab I get the last piece of the ACL marked incorrect.
This is the lab I've done so far (94%):
http://www.sendspace.com/file/gsnk07
They ask the following:
Configure a standard named ACL on the vty lines of R1 and R3, allowing the hosts directly connected to their Fast Ethernet subnets Telnet access. Explicitly deny all other connection attempts. Name these standard ACLs VTY-Local.
They also ask the following for the extended ACL:
Name the ACL BLOCK.
Block traffic from the R1 LAN from reaching the R3 LAN.
Block traffic from the R3 LAN from reaching the R1 LAN.
Permit all other traffic.
Here's what I have on Router 1 for the standard ACL:
ip access-list standard VTY-Local
 deny 10.1.0.0 0.0.0.3
 deny 10.3.0.0 0.0.0.3
 deny 10.3.1.0 0.0.0.255
 permit 10.1.1.1 0.0.0.255
I can't understand why my ACL is incorrect.
Host 1 IP (connected to R1) - 10.1.1.1
The serial link subnet between R1 and R2 is 10.1.0.0/30
R2 to R3: 10.3.0.0/30
Host 2 to R2: 10.3.1.0/24
Host 2's address is 10.3.1.1/24
Can someone help me?
deny 10.1.0.0 0.0.0.3 - matches IPs 10.1.0.x
deny 10.3.0.0 0.0.0.3 - matches IPs 10.3.0.x
deny 10.3.1.0 0.0.0.255 - matches IPs 10.3.1.x
permit 10.1.1.1 0.0.0.255 - matches the whole 10.1.1.0 network
The correct ACL should be:
 deny 10.1.0.0 0.0.0.3
 deny 10.3.0.0 0.0.0.3
 deny 10.3.1.0 0.0.0.255
 permit 10.1.1.1 0.0.0.0
or
 permit 10.1.1.1 0.0.0.0
 deny any
HTH
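To see why the lab rejects the last line of the question's ACL (wildcard 0.0.0.255 ignores the whole last octet) and why the reply's short form needs no explicit deny lines (every IOS list ends in an implicit deny any, the same point Rick makes about Internet traffic in the thread above), here is an added Python model of standard-ACL evaluation. It is not code from the thread or from Cisco; the wildcard arithmetic and first-match semantics are IOS behaviour, the ACL entries are the ones posted, and the sample source addresses are constructed around the question's addressing.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit',
    a 0 bit means 'must equal the corresponding bit of base'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def evaluate_standard_acl(acl, src: str):
    """Top-down, first match wins. Returns (action, line number);
    line 0 stands for the implicit 'deny any' at the end of every list."""
    for line, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, base, wildcard):
            return action, line
    return "deny", 0


def permitted_sources(acl, candidates):
    """Subset of candidate source addresses the ACL would let in."""
    return sorted(s for s in candidates
                  if evaluate_standard_acl(acl, s)[0] == "permit")


# The list from the question: the last entry's wildcard 0.0.0.255 ignores
# the last octet, so it permits all of 10.1.1.0/24, not just host 10.1.1.1.
VTY_LOCAL_AS_WRITTEN = [
    ("deny",   "10.1.0.0", "0.0.0.3"),
    ("deny",   "10.3.0.0", "0.0.0.3"),
    ("deny",   "10.3.1.0", "0.0.0.255"),
    ("permit", "10.1.1.1", "0.0.0.255"),
]

# The reply's short form: a host match; everything else hits the implicit deny,
# which is why the three deny lines add nothing.
VTY_LOCAL_FIXED = [
    ("permit", "10.1.1.1", "0.0.0.0"),
]

# Constructed sample sources: host 1, another host in its /24, one address
# from each subnet the question denies, and an unrelated network.
SAMPLE_SOURCES = ["10.1.1.1", "10.1.1.200", "10.1.0.1",
                  "10.3.0.2", "10.3.1.1", "192.168.1.9"]

if __name__ == "__main__":
    for name, acl in (("as written", VTY_LOCAL_AS_WRITTEN), ("fixed", VTY_LOCAL_FIXED)):
        for src in SAMPLE_SOURCES:
            print(f"{name:10} {src:14} -> {evaluate_standard_acl(acl, src)}")
```

Running it shows 10.1.1.200 permitted by line 4 of the list as written but denied (line 0, the implicit deny) by the fixed list, while every address outside 10.1.1.1 falls through to the implicit deny in the fixed list without needing a deny entry of its own.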
-
Does an extended ACL work in both directions?
Hello
I would like to know the following, and hopefully one of you can help me:
If I write an extended ACL saying that PC1 must not communicate with PC2 and apply it outbound on an interface, like this:
Cisco(config-acl-whatever)# deny ip host pc1 host pc2
.. is it still possible for PC2 to start, for example, a Telnet session to PC1?
IOS ACLs are not stateful, unless you use CBAC (IOS Firewall). Which means:
1. Your ACL will block traffic originating from .1 to .2.
2. Host .2 can initiate communication to .1, but .1's response packets to .2 are blocked, so no TCP session can be set up. Stateless protocols that use UDP and don't expect answers could work; .2 could send syslog to .1, for example.
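An added Python simulation (not code from the thread or from Cisco) of the stateless behaviour the answer describes: an ACL applied outbound on the interface toward PC2 is consulted only for packets leaving through that interface, so PC2's SYN gets through but PC1's SYN-ACK does not, while a one-way UDP datagram from PC2 is delivered. The same model also shows IOS's 'established' keyword, the classic stateless way of admitting only replies to TCP sessions started from inside. The addresses, ports, network names and the Packet/Ace helpers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) bit; IOS 'established' keys on this


@dataclass(frozen=True)
class Ace:
    """One line of an extended ACL; proto 'ip' matches every protocol."""
    action: str
    proto: str
    src: str
    swild: str
    dst: str
    dwild: str
    dport: Optional[int] = None
    established: bool = False


ANY = ("0.0.0.0", "255.255.255.255")   # the keyword 'any' as base/wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.swild)
            and wildcard_match(pkt.dst, ace.dst, ace.dwild)
            and (ace.dport is None or pkt.dport == ace.dport)
            and (not ace.established or (pkt.proto == "tcp" and pkt.ack)))


def evaluate(acl, pkt: Packet) -> str:
    """First match wins; unmatched packets hit the implicit deny ip any any."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def forwarded(acl, pkt: Packet, filtered_dst_net: str) -> bool:
    """A stateless ACL sees only packets crossing its interface in its
    direction, modelled here as every packet heading into filtered_dst_net.
    Packets travelling the other way are never checked against it."""
    if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(filtered_dst_net):
        return evaluate(acl, pkt) == "permit"
    return True


def tcp_handshake_completes(acl, client, server, port, filtered_dst_net) -> bool:
    """SYN, SYN-ACK and ACK must all get through for a session to exist."""
    syn = Packet("tcp", client, server, 40000, port)
    synack = Packet("tcp", server, client, port, 40000, ack=True)
    ack = Packet("tcp", client, server, 40000, port, ack=True)
    return all(forwarded(acl, p, filtered_dst_net) for p in (syn, synack, ack))


def udp_delivered(acl, src, dst, port, filtered_dst_net) -> bool:
    """One-way UDP (e.g. syslog) expects no reply, so one direction is enough."""
    return forwarded(acl, Packet("udp", src, dst, 40000, port), filtered_dst_net)


# Constructed topology: PC1 on 192.168.1.0/24, PC2 on 192.168.2.0/24, with the
# question's ACL applied outbound on the router interface toward PC2.
PC1, PC2, PC2_NET = "192.168.1.1", "192.168.2.2", "192.168.2.0/24"
BLOCK_PC1_TO_PC2 = [
    Ace("deny", "ip", PC1, "0.0.0.0", PC2, "0.0.0.0"),
    Ace("permit", "ip", *ANY, *ANY),
]

# The 'established' pattern on traffic entering the LAN from the ISP side:
# only TCP segments with ACK/RST set (replies) are admitted, so sessions
# started inside work and sessions started outside do not.
LAN_NET = "10.0.0.0/25"
REPLIES_ONLY = [
    Ace("permit", "tcp", *ANY, "10.0.0.0", "0.0.0.127", established=True),
]

if __name__ == "__main__":
    print("PC1 -> PC2 telnet:", tcp_handshake_completes(BLOCK_PC1_TO_PC2, PC1, PC2, 23, PC2_NET))
    print("PC2 -> PC1 telnet:", tcp_handshake_completes(BLOCK_PC1_TO_PC2, PC2, PC1, 23, PC2_NET))
    print("PC2 -> PC1 syslog:", udp_delivered(BLOCK_PC1_TO_PC2, PC2, PC1, 514, PC2_NET))
    print("LAN-initiated web:", tcp_handshake_completes(REPLIES_ONLY, "10.0.0.5", "209.165.200.170", 80, LAN_NET))
    print("Outside-initiated telnet:", tcp_handshake_completes(REPLIES_ONLY, "209.165.200.170", "10.0.0.5", 23, LAN_NET))
```

The 'established' check only inspects the ACK/RST bits of each segment, so it is an approximation of session state rather than a substitute for it; a stateful inspection feature such as the CBAC the answer mentions tracks the actual connection instead.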
-
Need some ACL kung fu for a site-to-site VPN ACL problem
Group,
I have a little problem that I know is related to ACLs. I wanted a few experts to take a look at my config please. Here's the question:
I am trying to create a site-to-site tunnel between two offices, but for some reason they cannot ping each other. It is a strange thing.
97.XX.231.22 <--> 71.xx.160.123
I can ping both firewalls from the outside using a computer at the other end, but from the firewalls' internal utilities they cannot ping each other. At the same time I can ping their respective gateways.
Secondly, I have an inside-to-outside static translation, as you can see here, for 80 & 443 that prevents me from browsing HTTP and HTTPS via the VPN from the remote LAN. Can it be modified to allow access? I can access it when I dial in via the VPN client but not via the permanent VPN tunnel. Here is the config.
no ip nat service sip udp port 5060
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.41.14.103 80 71.xx.160.123 80 extendable
ip nat inside source static tcp 10.41.14.103 443 71.xx.160.123 443 extendable
ip route 0.0.0.0 0.0.0.0 71.xx.160.121
ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent
ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent
ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent
ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent
ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent
ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent
ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent
ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent
!
ip sla auto discovery
logging trap errors
logging host 192.168.10.29
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 remark Platinum LAN
access-list 2 permit 10.41.14.0 0.0.0.255
access-list 2 deny any
access-list 101 remark Master rules
access-list 101 remark CCP_ACL Category=1
access-list 101 remark FaxFinder WWW traffic
access-list 101 permit tcp any host 71.xx.160.123 eq www
access-list 101 remark FaxFinder HTTPS traffic
access-list 101 permit tcp any host 71.xx.160.123 eq 443
access-list 101 remark NTP Time Protocol
access-list 101 permit udp any host 71.xx.160.123 eq ntp
access-list 101 remark IPSEC protocols
access-list 101 permit udp any host 71.xx.160.123 eq non500-isakmp
access-list 101 remark IPSEC protocols
access-list 101 permit udp any host 71.xx.160.123 eq isakmp
access-list 101 remark ESP traffic
access-list 101 permit esp any host 71.xx.160.123
access-list 101 remark General permit
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=2
access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
access-list 102 remark Platinum LAN NAT rule
access-list 102 permit ip 10.41.14.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
access-list 108 remark CCP_ACL Category=4
access-list 108 permit ip 10.41.14.0 0.0.0.255 any
access-list 109 remark IPSec Rule
access-list 109 remark CCP_ACL Category=4
access-list 109 permit ip 10.41.14.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 110 remark CCP_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
There is more than one way to achieve this goal.
(1) The best way is possible if the two VPN peers are IOS routers. Then you can migrate to Virtual Tunnel Interfaces (VTI). With this, the external interface no longer mixes VPN and non-VPN traffic.
(2) If VTI is not possible, you can restrict the translation to non-VPN traffic only, using a route-map:
object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
route-map NAT-SERVER-10.41.14.103 permit 10
 match ip address TRAFFIC-NAT-SERVER-10.41.14.103
ip access-list extended TRAFFIC-NAT-SERVER-10.41.14.103
 deny ip host 10.41.14.103 object-group RFC1918
 permit tcp host 10.41.14.103 eq 80 any
 permit tcp host 10.41.14.103 eq 443 any
ip nat inside source static 10.41.14.103 71.xx... route-map NAT-SERVER-10.41.14.103
What does that do?
When your server communicates with a system whose address is in the RFC1918 range, the route-map does not match and the translation is not used. That is your VPN scenario. But if the server communicates with a non-RFC1918 address, the translation is used and the server can be reached.
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
-
Named extended ACL doesn't work, can you help me?
The device I use is a 2651XM router, and NAT is used to connect everything inside the LAN (192.168.1.x) to the outside Internet. A standard ACL was used to block some local hosts from accessing the outside Internet, and it worked fine. My question is: when I created a named extended ACL and applied it to the interface attached to the LAN, the entire local network could no longer access the outside Internet! Can you give me some advice?
My hardware and software: 2651XM + IOS 12.3(6b)
Best regards,
Jan
Hi Jan,
I think the problem here is that you are confusing the use of an access list to control NAT with the use of an access list to filter traffic.
Looking at the NAT, I see you have ip nat inside source list 1 pool cisco2651-natpool-168 overload. This means that you still need access list 1 to define which source addresses are translated. You could, I guess, use a named access list to do this, and the command would be something like ip nat inside source list inside-people pool cisco2651-natpool-168 overload, where inside-people is the name of a standard named access list. But however you play it, you still need the access list. Try putting back access list 1, and you will see that it will start working again. Note that the access list used to control NAT must be a standard list, named or numbered, not an extended one.
On the other hand, you used the named extended ACL test to filter your traffic, and that's fine. OK, the list is wide open at the moment, but I guess you want to restrict it later.
I hope this helps. Write back and let us know how you get on.
Kevin Dorrell
Luxembourg
-
Hello, I have an HP p7-1235 with an AMD A8-5500 3.2 GHz and a Radeon HD 7560D. For about 3 months it has run with an Acer H233H as the main screen (DVI) and an older Samsung 223BW (VGA) as a secondary screen. About a week ago the Samsung stopped showing the extended desktop after being off for a few hours, whether after a cold start or after Windows turns it off following 30 minutes of activity. But if I push the Samsung's power button off and on, the screen is restored.
The strange thing is that the display is active during the boot process and the Windows starting message appears, but once Windows 7 is up the Samsung needs to have its power button cycled off then on before it displays again. However, if I turn off the computer for an hour and then restart, both monitors work fine.
I read on an HP forum that I should do a system restore to a time when I knew the system was working, so I did, and I still have the same problem. So I guess it's not Windows. Am I making a false assumption, do you think?
If the hardware is the issue, is it more likely the motherboard video or the monitor itself?
Thanks for any help.
Hello kevn57
To help identify the problem, have you tried another monitor? This will rule out the current monitor as the culprit. What are the current drivers for the Radeon HD 7560D? The drivers may not be correctly waking up the monitor. The problem could be the cable as well, so before exchanging the monitor, you should try another VGA cable.
I would start with the monitor and cable first of all, as they are easier to isolate.
-
Using the X3500 as a wireless extender: DHCP problem with iPhone 6
Hello
Hopefully a simple question with a simple answer.
Background:
I moved from my DSL provider to a cable provider (VirginMedia). My new ISP supplied a cable modem (SuperHub 2ac) and I have connected the two devices together to extend my wireless home network. The cable modem and the X3500 are physically apart from each other, connected through just their Ethernet ports using powerline technology (Devolo dLAN 1200+). Both routers broadcast the same SSID, but on separate channels.
Question:
All devices in my house (laptops, tablets, phones) roam between the two wi-fi areas transparently *except* the iPhone 6 (iOS 8.1): it works on the cable modem wi-fi, but not on the X3500 wireless. I also have an iPad Mini 2 (also iOS 8.1) which works too; rightly or wrongly, I have excluded iOS 8.1 as the issue. Oddly enough, the iPhone 6 connects to the X3500 but isn't getting an IP address (from the cable modem's DHCP server). Even a static IP address doesn't help.
Comments:
If the X3500 is configured as a DHCP server, the iPhone connects (and gets an IP address), but then the default gateway is incorrect (the gateway is the IP address of the X3500, not the remote cable modem). I can't find anywhere in the configuration to specify a default gateway.
Question:
I am starting to think it is a problem with the iPhone 6 (given all other devices work correctly), but I want to make sure I have configured the X3500 correctly. I am particularly interested in whether I am using the right 'Mode' (ADSL / Ethernet). I tried 'Bridged Mode Only' (ADSL) and 'Automatic DHCP only' (Ethernet), but neither seems to solve the problem with the iPhone 6. Any suggestions on how to fix this would be most welcome.
Thank you!
Thanks a lot for the details... Now I have a config that also works for the iPhone 6.
Basically, I connected the cable to the X3500's port and the Ethernet port on the cable modem connected to the Internet (via the powerline). I then changed the network on the X3500 from the 192.168.0.x range (the range of network addresses used by the cable modem connected to the Internet) to 192.168.168.x. Finally I activated DHCP on the X3500, which seemed to be the element that was killing the iPhone 6.
The iPhone 6 connects now (which it always did), but with DHCP running on the X3500 on the new network address range the iPhone 6 also gets a valid IP address.
Seems like a lot just to get the iPhone 6 to work... I never found a manual way to specify a default gateway on the X3500 when running DHCP (by default it appears to be its own IP address, with no provision to change it).
Anyway... this works for now... I'll keep an eye on the iPhone 6 updates, just in case the anomaly is something specific to the iPhone 6; if something changes I will post here.
I have attached a picture for future reference. Thanks again for your advice and support.
-
HP 6100 on an extended wireless router connection: problem
We have two printers, an 8600 and a new 6100. In my office I use a Mac with OS X Mavericks on the network SSID 'Outhouse'; my wife's machine is in another building with the 6100 on the extended network SSID 'outhouse_EXT'. We both need to be able to print to each other's printers. Her laptop, which runs Windows 7, works very well and can print to both machines. However, I can't print to her 6100. When I try to discover her printer, nothing comes up.
Any help greatly appreciated.
Hi detaylor12,
I understand that you have an Officejet 8600 and an Officejet 6100 and want to be able to print to each of them, but are having problems. I'm sorry to hear that, but I'm absolutely going to do my best to help you!
Do both Outhouse and outhouse_EXT appear as connection options on your Mac? If they do, I think that's the problem. You must be connected to the same network that the printer is on in order to access it. When you want to print to your wife's printer, you would have to make sure that your Mac is connected to the outhouse_EXT network rather than the Outhouse network that your printer and your Mac are normally on.
Give that a try and let me know if it helps.
-
Currently, I am at a very basic level of configuration and have obtained Internet access by binding PPP to the router, and seem to have reached an active VPN connection. The VPN connection is active, but the traffic counters are at 0. When I change the sequence of the ACL, it connects perfectly.
Using a 2800 router.
There is not enough information given here for us to understand the problem and propose solutions. If you change the sequence number of the ACL and it connects perfectly, then maybe the problem is solved?
HTH
Rick
-
Hello
I have configured ISE and WLC for use with the CWA guest portal, but there is a problem with the CoA: it won't apply the Airespace ACL after authentication to the guest portal.
1. On the AuthC page, I configured Wireless MAB to continue if the user is not found and to use Internal Users as the identity store.
2. On the AuthZ page I configured WEBAUTH as the default rule with the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect-acl=ACL-WEBAUTH-REDIRECT
cisco-av-pair = url-redirect=https://ip:port/guestportal/gateway?sessionId=SessionIdValue&action=cwa
3. I've also configured this ACL on the WLC to allow:
permit any-to-any ICMP and DNS
permit any-to-ISE 8443
permit ISE-to-any
This part works very well, because I get redirected to the guest portal and can use my guest login & password to authenticate. The guest account had been generated beforehand by the sponsor portal and it works too.
4. On the AuthC page, I use Wireless dot1x with Internal Users.
5. On the AuthZ page I use a rule "if Internal Users: Guest then GUEST".
6. The GUEST rule looks like the following:
Access Type = ACCESS_ACCEPT
Airespace-ACL-Name = GUEST_INTERNET_ONLY
7. This ACL is configured on the WLC allowing everything except private networks (ISE is also permitted).
After guest portal authentication I see a success message and I am able to ping the Internet, but I don't have web access. It looks like the CoA and Airespace ACL are not working: I continue to use my ACL-WEBAUTH-REDIRECT access list, and I see strange error messages in the WLC logs:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
I swear my ACL name spelling is correct, and ACL-WEBAUTH-REDIRECT and GUEST_INTERNET_ONLY are on the WLC with counters too!
I don't have a clue what the problem could be...
Any ideas?
P.S. See the attachment for the Live Authentications log.
You can try "debug client" in the WLC CLI and then connect with the client. It lets you see whether the WLC applies your ACL.
It looks like this for my PERMIT-ALL ACL:
*apfReceiveTask: Oct 25 11:17:05.867: c8:bc:c8:13:4e:35 172.16.10.13 WEBAUTH_REQD (8) Change IPv4 ACL 'none' (ACL ID 255) ===> 'PERMIT-ALL' (ACL ID 1) --- (caller apf_policy.c:1762)
It should be near the bottom.
And afterwards, debug disable-all.
Another question: you can ping the Internet but have no web access; does that apply to URLs as well? Does DNS work after the last ACL is applied?
On this line in the log:
*apfReceiveTask: Nov 12 17:32:27.317: %ACL-3-ENTRY_DONOT_EXIST: acl.c:369 Unable to find an ACL by name.
I get that with working CWA too, so I don't know whether it is related (for my setup).
Regards,
Mikael
Sent from the Cisco Technical Support iPad App
Post edited by: Mikael Gustafsson
-
Hello
I am trying to put an ACL on a group policy on my IPsec LAN-to-LAN VPN.
My ACL does not work and blocks all traffic.
Since it does not work with the ACL on the group policy, I put an ACL on the inside interface, but it does not match.
To get a match, I must put a deny ip any any before a permit.
Thank you
Hello
The main problem when configuring IPsec filters is that people set them up backwards. You must specify the inbound traffic you want to allow or deny.
Here is the document that explains how to configure filters. Take a look, and if you have any problems please post your VPN configuration.
Have fun.
Raga
-
After we went from 11.2.0.1 to 11.2.0.2, we started having this problem:
ORA-24247: network access denied by access control list (ACL)
ORA-06512: at "SYS.DBMS_LDAP_API_FFI", line 25
ORA-06512: at "SYS.DBMS_LDAP", line 57
ORA-06512: at "BANINST1.ZPGKOUSR", line 1606
Line 1606 is:
l_session := dbms_ldap.init(hostname => l_host,
                            portnum => v_ADConfig.zgpwdrecfg_port);
We have an ACL with host * and NULL lower and upper ports, and the connected user has connect and resolve privileges in this ACL.
What are we missing?
Thank you
Alex.
Hi Alex
Please check these references:
Note 1317940.1 DBMS_LDAP fails to authenticate after upgrading the DB to 11.2.0.2
Note 1361247.1 ORA-24247 after applying the 11.2.0.2 patch set
See if Patch 10170706 can help; it addresses a problem where not all valid ACL authorizations are checked for a match in some scenarios.
Greetings,
Damage ten Monkshood
-
I bought a Tecra with a 3-year warranty. I registered two years ago (via the web) and now I am trying to register the extension. The system asks for a contract number. I received the extension as a DVD/CD-style envelope box with a CD and the warranty terms. Where can I find this number? Can someone help me? Does anyone know the email address for Toshiba support?
Tom
Hello
After the first registration of the warranty, did you receive a confirmation e-mail from Toshiba? Usually the agreement number is in there.
-
Is it possible to use an extended ACL for split tunneling on the ASA?
I'm setting up an IPsec RA VPN on the ASA and I would like to know if it is possible to use an extended ACL as part of the split tunneling?
Thank you!
Yes, you can use an extended ACL. See this example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...
Kind regards
Averroès.