Newbie question route-map/access-list

I am quite new to the whole Cisco thing here.  I'm very hesitant to make changes as I am not 200% sure that I won't take down the entire network. (We are a very small company.)

We have a Cisco 1811 router (yes, I know it's old).

We now have a route-map and I'm trying to understand it so I can make it work the way we want.  Basically, we have a few servers and we do not want some servers to use our cable internet connection; we want them to use our T1.  Our T1 uses an ASA 5505 as its router.  I don't know why; I know it's not best practice, but I was just hired and that's all I have to say on this subject.  Anyway, here is what I am dealing with.  Web traffic currently goes out our cable interface; everything else, including a transfer speed test on speedtest.net, goes out our T1.  This makes for bad, bad VoIP phone calls. We also have a tunnel punched through to one of our other offices, as well as our Exchange 2010 server, using the T1.   If our cable goes down, everything goes to the T1 (by design).  We have a long access list defined that our route-map uses (match ip address).  I want to change the access list so it does not allow local network IP addresses.  I know that if I put in a blanket "permit ip any any" it will break our network: nothing will go out the T1 line, and no one will be able to get to our mail server any more.  So I was thinking of adding some statements, but I was wondering if someone could help me with the logic, so I know whether or not I will break the network.  I wouldn't want to have to pull out the laminated cable and use the console.  (I really need to get a USB serial adapter.)  Now that you understand a little more about my situation, here are all the numbers, etc.

Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses; why they chose a /16 is beyond me, stupid really)

PTP VPN: 192.168.116.0/24 comes in and goes out our T1.

1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

ASA: 90.0.0.50

!
track 40 ip sla 40 reachability
 delay down 90 up 60
!
interface Vlan1
 description * LAN INTERFACE 90.0.0.x network * $FW_INSIDE$
 ip address 90.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map WEBPBR
!
interface Vlan10
 description * LAN INTERFACE 192.168.0.x NET * $FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip helper-address 90.0.0.2
 ip virtual-reassembly
 ip policy route-map WEBPBR
!
! Static routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
!
ip access-list extended WEBTRAFFIC
 deny ip any host 208.67.222.222
 deny ip any 172.20.0.0 0.0.255.255
 deny tcp host 90.0.0.2 any eq www
 deny tcp host 90.0.0.14 any eq www
 deny tcp host 90.0.0.235 any eq www
 deny ip host 192.168.0.40 any
 deny ip any host 192.168.0.40
 deny ip host 192.168.0.41 any
 deny ip any host 192.168.0.41
 deny ip any host 192.168.0.221
 deny ip host 192.168.0.221 any
 deny ip host 192.168.0.225 any
 deny tcp host 90.0.0.10 any eq www
 deny ip any host 192.168.0.225
 deny tcp host 90.0.0.11 any eq www
 deny tcp host 90.0.0.9 any eq www
 deny tcp host 90.0.0.8 any eq www
 deny tcp host 90.0.0.7 any eq www
 deny tcp host 90.0.0.6 any eq www
 deny tcp host 90.0.0.1 any eq www
 deny tcp host 90.0.0.13 any eq www
 deny tcp host 90.0.0.200 any eq www
 permit tcp any any eq www
 permit ip host 192.168.0.131 any
 permit ip host 192.168.0.130 any
 permit ip host 192.168.0.132 any
 permit ip host 192.168.0.133 any
 permit ip host 192.168.0.134 any
 permit ip host 192.168.0.135 any
 permit ip host 192.168.0.136 any
 permit ip host 192.168.0.137 any
 permit ip host 192.168.0.138 any
 permit ip host 192.168.0.139 any
 permit ip host 192.168.0.140 any
 permit ip host 192.168.0.141 any
 permit ip host 192.168.0.142 any
 permit ip host 192.168.0.143 any
 permit ip host 192.168.0.144 any
 permit ip host 192.168.0.145 any
 permit ip host 192.168.0.146 any
 permit ip host 192.168.0.147 any
 permit ip host 192.168.0.148 any
 permit ip host 192.168.0.149 any
 permit ip host 192.168.0.150 any
 permit ip host 90.0.0.80 any
 permit ip host 90.0.0.81 any
 permit ip host 90.0.0.82 any
 permit ip host 90.0.0.83 any
 permit ip host 90.0.0.84 any
 permit ip host 90.0.0.85 any
 permit ip host 90.0.0.86 any
 permit ip host 90.0.0.87 any
 permit ip host 90.0.0.88 any
 permit ip host 90.0.0.89 any
 permit ip host 90.0.0.90 any
 permit ip host 90.0.0.91 any
 permit ip host 90.0.0.92 any
 permit ip host 90.0.0.93 any
 permit ip host 90.0.0.94 any
 permit ip host 90.0.0.95 any
 deny tcp host 90.0.0.3 any eq www
!
ip sla 40
 icmp-echo 208.67.220.220 source-interface Vlan1
 timeout 6000
 frequency 20
ip sla schedule 40 life forever start-time now
!
route-map WEBPBR permit 2
 match ip address WEBTRAFFIC
 set ip next-hop verify-availability 197.164.245.109 1 track 40

That is how we have it set up right now.  If I put in a few lines at the top of WEBTRAFFIC like:

deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! etc. with all internal networks

* And then put at the bottom:

permit ip any any

will that break EVERYTHING so we can't communicate with anything?  Or is that what I need to do to get internal routing etc. working?  Also, I guess I'd put in the 15 IP addresses that come in on the ASA as well?  (We have 14 public IPs (one of them for the T1 gateway); would those go in as well?)  I don't want to just try putting those at the top and make it so no one can do anything.  I hope I made clear what I'm doing...

Post edited by: Ryan Young

I have not read this thread carefully enough to be able to speak to the intricacies of the issue of whether this access list will do what you want. But I can answer the specific question you are asking. Yes, the access list is processed top-down, and if an earlier line in the access list matches, then processing of that packet will not get to the permit at the bottom of the access list.

HTH

Rick
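To see what the top-down processing Rick describes means for the change asked about above, here is an added Python model (not from the original thread) that walks an abbreviated copy of the WEBTRAFFIC ACL first-match and reports whether route-map WEBPBR would send a flow to the cable next-hop or leave it to the routing table; the sample flows and the 203.0.113.9 destination are constructed.

```python
"""First-match walk of the WEBTRAFFIC access list as route-map WEBPBR uses it.
Constructed example; the ACL below is an abbreviated copy of the posted one."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"www": 80}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _net(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Only contiguous wildcards are handled (ipaddress rejects the rest)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(tok + "/" + tokens.pop(0))   # wildcard = hostmask


def parse_ace(line):
    """Parse one extended ACE such as 'deny tcp host 90.0.0.2 any eq www'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _net(rest)
    dst = _net(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text):
    lines = (l.strip() for l in text.strip().splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def first_match(acl, src, dst, proto="tcp", dport=80):
    """Index of the first ACE that matches, or None for the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return i
    return None


def pbr_path(acl, src, dst, proto="tcp", dport=80, cable_up=True):
    """'route-map WEBPBR permit 2' sends a packet to the cable next-hop only
    when the ACL permits it and track 40 is up; a deny, the implicit deny or
    a failed track leave it to the routing table (default via the ASA/T1)."""
    i = first_match(acl, src, dst, proto, dport)
    if i is not None and acl[i].action == "permit" and cable_up:
        return "cable"
    return "routing-table"


CURRENT = parse_acl("""
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
deny tcp host 90.0.0.2 any eq www
deny ip host 192.168.0.40 any
deny ip any host 192.168.0.40
permit tcp any any eq www
permit ip host 192.168.0.131 any
permit ip host 90.0.0.80 any
deny tcp host 90.0.0.3 any eq www
""")

# The change asked about: internal destinations denied first, permit ip any any last.
PROPOSED = parse_acl("""
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.30.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
""") + CURRENT + parse_acl("permit ip any any")

if __name__ == "__main__":
    for flow in [("192.168.0.10", "8.8.8.8", "tcp", 80),        # LAN web browsing
                 ("192.168.0.10", "192.168.30.5", "tcp", 80),   # web server on another VLAN
                 ("90.0.0.3", "203.0.113.9", "tcp", 80),        # deny placed after the permit
                 ("192.168.0.10", "203.0.113.9", "udp", 5060)]: # non-web traffic
        print(flow, pbr_path(CURRENT, *flow), "->", pbr_path(PROPOSED, *flow))
```

The run shows that the trailing deny for 90.0.0.3 is never reached in either version, and that the closing permit ip any any policy-routes every non-web flow that the new deny lines do not catch.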

Tags: Cisco Network

Similar Questions

  • Routing VPN access list

    Hello

    I have a PIX 525 at my main site and a 1721 router at a remote location. I used the PDM and the SDM to configure a site-to-site IPSec VPN connection. In my private network, I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) for the remote sites.

    The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured the traffic to flow from the remote site to 10.1.0.0/16 only. This means that the remote site cannot talk to any other remote sites, just the main site.

    I need to modify the access list to solve this problem. The relevant part of the remote site access list is now:

    access-list 103 permit ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
    access-list 103 deny ip 10.19.0.0 0.0.255.255 any

    Can I change the subnet mask in the first line and put the second line first?

    access-list 103 deny ip 10.19.0.0 0.0.255.255 any
    access-list 103 permit ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255

    Or should I leave the deny statement at the end, and add a line for each of the other remote sites:

    access-list 103 permit ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
    access-list 103 permit ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255
    access-list 103 permit ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255
    access-list 103 permit ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255
    ... (others)
    access-list 103 deny ip 10.19.0.0 0.0.255.255 any

    Thank you.

    John

    John

    Thanks for the additional configuration information that you have posted. There are still a few things which I hope could be clarified. It seems that you have 46 remote sites and only one is connected via a VPN. How do the others get their connectivity? Is it all over links within your private network? Is there any NAT involved in these other connections?

    In my previous answer, I assumed that there would be multiple VPN connections, and your additional information reveals that this is not the case. So my comment about limitations in the PIX for spoke-to-spoke traffic is true but not applicable to your situation.

    Are the other remote sites also coming in via the VPN? If yes, access list 100, which the 1721 uses to identify the IPSec traffic (and which was not in your posted material), will probably have to be changed.

    As far as access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate putting it as the first entry in the access list. As for whether to use permit ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual permits, in my opinion a point to consider is that permit 10.0.0.0 0.255.255.255 will allow any of the 10 address space. It seems that you use 1 to 47. What happens if something came through from 10.122.x.x? I suggest a compromise approach. You can use this:

    permit ip 10.0.0.0 0.31.255.255 10.19.0.0 0.0.255.255
    permit ip 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255

    This would allow 1 to 47 but not others.

    HTH

    Rick

  • Bug in IOS? startup-config + access-list command + invalid input detected

    I posted this yesterday on the usenet newsgroup comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

    Cisco 827
    IOS (tm) C820 Software (C820-K9OSY6-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)

    I'm looking to use a host name in an extended access list. The script I copy into startup-config contains the following entries:

    ! the 2 following lines appear at the top of the script
    ip name-server 123.123.123.123 123.123.123.124
    ip domain-lookup
    ! the following line appears at the bottom of the script
    access-list 120 permit ip host passports-01.mx.aol.com any

    When I reboot the router, I see the following message:

    Translating "passports-01.mx.aol.com"...domain server (255.255.255.255)
    access-list 120 permit ip host passports-01.mx.aol.com any
                                   ^
    % Invalid input detected at '^' marker.

    It seems as if the router's name-server entry is not processed prior to the access list. I can even check with

    router02#sh access-lists 120

    that the access list entry does *not* exist.

    But when I manually type the entry on the router I see the following:

    router02(config)#access-list 120 permit ip host passports-01.mx.aol.com any
    Translating "passports-01.mx.aol.com"...domain server (123.123.123.123) [OK]

    and I can confirm its creation:

    router02#sh access-lists 120
    Extended IP access list 120
        permit ip host 64.12.137.89 any

    I must be doing something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same etiquette/common sense applies here as on usenet newsgroups, i.e. do we post actual IP addresses from our configs or must they be edited?)

    Any help is very much appreciated.

    Hello

    Currently IOS does not keep DNS names in ACLs in the saved/running configuration.

    When you type in an access list entry with a domain name it looks it up and replaces it with the IP address. I remember seeing a bug id recently requesting this feature but I don't remember the bug id # now.

    Router(config)#access-list 187 permit ip any host www.cisco.com
    Router(config)#^Z
    Router#show run | inc 187
    access-list 187 permit ip any host 198.133.219.25
    Router#show ver | inc 12
    IOS (tm) C800 Software (C800-K9NOSY6-MW), Version 12.2(13)T, RELEASE

  • Access list question for a Cisco 1710 running a 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a Cisco 1710 router that uses access lists to control traffic through the VPN tunnel.

    For example, the following lines are in a configuration on the remote router. My question is whether or not the traffic that matches the definition of access-list 130 (something other than 192.168.100.0/24) crosses the VPN tunnel or goes directly out the Ethernet0 interface.

    My understanding is that traffic that matches access list 120 would be encrypted and sent through the IPSec tunnel. If there were "deny" statements in access-list 120, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the crypto map definition only references "match address 120", any traffic that matches access list 130 would be sent out Ethernet0 but not associated with the crypto map and thus not sent through the IPSec tunnel.

    Any input or assistance would be greatly appreciated.

    crypto map Test 11 ipsec-isakmp
    ..
    match address 120

    interface Ethernet0
    ..
    crypto map Test

    ip nat inside source route-map sheep interface Ethernet0 overload

    access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 130 permit ip 192.168.100.0 0.0.0.255 any

    route-map sheep permit 10
    match ip address 130

    It would go out interface e0 to the Internet in clear text without going over the tunnel.

    Jean Marc

  • IOS-based VPN LAN-to-LAN (NAT and route-map questions)

    Hello world

    I am working on my CCNA Security review and I have a question about this setup:

    LAN1 192.168.0.0/24---(HQ router)--10.10.10.0/30--(INTERNET)--20.20.20.0/30--(Branch router)---LAN2 192.168.1.0/24

    I use the 10.10.10.0/30 and 20.20.20.0/30 networks assuming that these are public addresses (it is just a lab).

    I read that if I want to make the VPN tunnel work while I'm using NAT I must exclude the interesting traffic from the NAT process, so I looked in the Cisco database for more help and I found this (look at the 3660 router configuration):

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008045a2d2.shtml#T1

    So I applied this config to my routers; the config is:

    ip nat inside source route-map sheep interface FastEthernet0/1
    access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any
    route-map sheep permit 10
     match ip address 110

    I didn't really understand what the route-map command is doing here, so I made this configuration:

    ip nat inside source list sheep interface FastEthernet0/1
    ip access-list extended sheep
     deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.0.0 0.0.0.255 any

    Both of them worked: I could translate my LAN addresses to the public address for the internet and could also establish the VPN tunnel. So my questions are:

    1. What is the purpose of the route-map command?

    2. What is the difference between these two configurations?

    3. Which one should I use and in what cases?

    Thanks in advance

    Jose

    Jose,

    Very good questions, and in fact there is no need for the route-map there.

    Personally, I like using route-maps because they allow much more flexibility than a simple ACL setup, but in order to bypass NAT for source IPs there is no need for route-maps and you can do this with the ACL directly.

    I personally always use route-maps just because I can (route-maps are cool) haha

    Route-maps are very useful in other scenarios where you need to put in more conditions or factors.

    Remember that there is almost always more than one method to accomplish a task... this is one of those cases.

    Hope it is useful.

    Federico.

  • Cisco ASA tunnel access list question

    We have created a site-to-site IPSec tunnel. Initially, only two IP addresses were allowed access to the tunnel.  They are now asking for more addresses.  My question is, if I use access-list inside_access_in extended permit ip any host 10.60.55.10, do I also have to make a NAT statement that allows this?

    And when we change the VPN site-to-site connection profile, I have to allow all through this tunnel as well, correct?

    Thank you, and I hope this makes sense.  We were originally thinking of policy-based routing on the core nearest the source.

    Dwane

    Hi Sylvie,

    If you use NAT then I say yes, you must consider it... Normally, in a private LAN-to-LAN (L2L) scenario, you would have used no-NAT (NAT exemption)... If you have identical LANs at both ends, then you might be using NAT to different subnets at both ends... If you use NAT to a public IP then the L2L will be based on the public IP address... So it depends on your current configuration.

    If you use any to 10.60.55.10 (then any subnet at your site which flows through the VPN firewall to 10.60.55.10 is allowed... here you may need to modify NAT for the source...)

    But the problem comes from the other end... for them the source will be 10.60.55.10 and the destination would... then all traffic from host 10.60.55.10 is taken through the tunnel...

    So instead of making a statement with any, use its respective big nets, 172.16.0.0/16 for example...

    Regards

    Knockaert

  • ACCESS LIST QUESTIONS?

    I have a main router, a Cisco 871, and 5 remote sites using the Cisco 850. The tunnel comes up fine and I can ping back from the 850 to the 871. However, I think that I have an access list problem because I can't open the main database, which is on the main site, from any of the 5 locations, nor do I get on the internet via the proxy server, nor to the other sites. I can ping these remote sites, but cannot actually use them. These rules are very different from the PIX.

    192.168.1.x

    * THE REMOTE SITE

    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    route-map sheep permit 10
     match ip address 101

    192.168.0.x

    MAIN ROUTER

    logging trap debugging
    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
    access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
    access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    no cdp run
    route-map sheep permit 10
     match ip address 101
    !
    ip tcp mss <68-10000>

    Hope this helps,

    Gilbert

  • Router access list - where is it applied?

    I seem to be missing something here.  I have an 1841 router that has an access list configured and it actually drops packets based on this access list. I can't for the life of me see where this access list is applied. Can anyone provide some insight?  Here is the output of "show run":

    R-H1BR1#sh run
    Building configuration...

    Current configuration : 3391 bytes
    !
    ! No configuration change since last restart
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R-H1BR1
    !
    boot-start-marker
    boot-end-marker
    !
    logging count
    logging buffered 51200
    no logging console
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name p911.positron-psap.com
    ip name-server 10.4.0.1
    ip name-server 10.4.0.2
    ip name-server 10.5.0.3
    ip name-server 10.5.0.4
    ip multicast-routing
    multilink bundle-name authenticated
    !
    !
    username * privilege 15 secret 5 *
    archive
     log config
      hidekeys
    !
    !
    ip tftp source-interface FastEthernet0/0.1
    !
    !
    !
    interface Tunnel5
     description * TUNNEL to NODE B (Multicast only) *
     ip address 10.250.4.1 255.255.255.252
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     ip tcp adjust-mss 1436
     keepalive 1 6
     tunnel source 10.4.15.254
     tunnel destination 10.5.15.254
    !
    interface Tunnel25
     description * TUNNEL to SATELLITE 25 (Multicast only) *
     ip address 10.250.25.1 255.255.255.252
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     ip tcp adjust-mss 1436
     keepalive 1 6
     tunnel source 10.4.15.254
     tunnel destination 10.25.15.254
    !
    interface FastEthernet0/0
     description * to switch 1 last Port *
     no ip address
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0.1
     description * BACKROOM LAN *
     encapsulation dot1Q 1 native
     ip address 10.4.15.253 255.255.240.0
     ip pim neighbor-filter DENY
     ip pim dr-priority 255
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     no ip mroute-cache
     keepalive 1
     standby delay minimum 45 reload 60
     standby 1 ip 10.4.15.254
     standby 1 timers 1 3
     standby 1 preempt delay minimum 15 reload 15 sync 15
    !
    interface FastEthernet0/1
     description * BETWEEN R1 and R2 *
     ip address 10.252.204.1 255.255.255.252
     no ip proxy-arp
     ip hello-interval eigrp 2604 1
     ip hold-time eigrp 2604 2
     no ip mroute-cache
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0/0
     description * WAN connection to H2 *
     ip address 172.16.215.246 255.255.255.0
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0/1
     description * connection to AAU *
     ip address 192.168.10.1 255.255.255.0
     speed 100
     full-duplex
     keepalive 1
     standby delay minimum 45 reload 60
     standby 3 ip 192.168.10.3
     standby 3 timers 1 3
     standby 3 preempt delay minimum 15 reload 15 sync 15
    !
    router eigrp 2604
     redistribute static
     passive-interface FastEthernet0/0.1
     passive-interface FastEthernet0/0/1
     network 10.4.0.0 0.0.15.255
     network 10.252.0.0 0.0.255.255
     network 172.16.215.0 0.0.0.255
     no auto-summary
    !
    ip forward-protocol nd
    ip route 10.119.138.0 255.255.254.0 192.168.10.13
    ip route 10.121.1.0 255.255.255.0 192.168.10.13
    !
    !
    no ip http server
    ip mroute 10.5.0.0 255.255.240.0 Tunnel5
    ip mroute 10.25.0.0 255.255.240.0 Tunnel25
    !
    ip access-list standard DENY
     deny   any
    !
    logging source-interface FastEthernet0/0.1
    logging server-arp
    logging 10.4.0.1
    !
    !
    control-plane
    !
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     login local
     transport input telnet
    line vty 5 15
     exec-timeout 0 0
     login
     transport input telnet
    !
    scheduler allocate 20000 1000
    ntp clock-period 17177530
    ntp server 10.4.0.1
    end

    R-H1BR1#

    I guess you are looking for

    interface FastEthernet0/0.1
     description * BACKROOM LAN *
     encapsulation dot1Q 1 native
     ip address 10.4.15.253 255.255.240.0
     ip pim neighbor-filter DENY

    ?

    Best regards

    Milan

  • access-list on router

    An access list has been configured on a router to block an IP address. Can additional IPs be added to the original access list at a later date?

    ex.

    (config)#access-list 5 deny 10.10.117.0 0.0.0.255
    (config)#access-list 5 permit any

    Can we use access list 5 to block additional IP addresses or do we need to create a new access list?

    Of course you can.

    Let's take this example:

    R2#sh ip access-lists
    Standard IP access list 5
        10 deny 10.10.117.0 0.0.0.255
        20 permit any

    You can do it like this:

    R2(config)#ip access-list standard 5
    R2(config-std-nacl)#no 20 permit any
    R2(config-std-nacl)#end

    then start putting in the deny statements you want, such as

    (config)#access-list 5 deny 10.10.118.0 0.0.0.255
    (config)#access-list 5 deny 10.10.119.0 0.0.0.255

    then put your permit:

    (config)#access-list 5 permit any

    Remember that without the permit, everything not permitted by the ACL will be denied in the end, because there is a default deny-all (implicit deny) at the end of each ACL.

    The permit all will solve that.

    Good luck

    Please rate if useful

  • access-list on a 2500 series router

    Hello

    I want to deny traffic from a specific IP connected to the 2500 series router and I want to do it on the router. Is it enough to add an 'access-list 6 deny 192.168.148.13' command to drop packets from that address, or is another statement necessary?

    Thanks in advance.

    You must also apply the ACL to the interface on which the traffic arrives.

    Use "ip access-group 6 in" on the interface.

    "in" specifies that packets entering this interface must be inspected.

  • PIX access-list question

    The following access list works on a Cisco router; however, the list will not work on the PIX (I changed the wildcard mask to a subnet mask for the PIX).

    Router (works)

    access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80

    PIX (does not work)

    access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80

    I get this error on the PIX:

    ERROR: Source, mask <192.168.1.50, 0.0.0.10> address not pair

    Is it possible to group IP addresses on the PIX in a similar way as on Cisco IOS?

    Thank you!

    Domo Arigato!

    You can use

    192.168.1.48 255.255.255.248 for the source, or if there are many hosts you must insert an individual entry for each source.

    Of course you can deny the host 192.168.1.49 and

    let the others through with permit 192.168.1.48 255.255.255.248

  • PIX 501 ICMP access list Question

    According to the book I have on the PIX firewall, and from what I know of dealing with routers and switches, access lists define what traffic is allowed out of the network. With the PIX, access lists can only be applied one way, to the interface the traffic enters, not the one it leaves. That's my understanding, but when I do an ICMP command:

    PIX1(config)# access-list ethernet1 permit icmp any any echo-reply
    PIX1(config)# access-list ethernet1 permit icmp any any unreachable
    PIX1(config)# access-group ethernet1 in interface inside

    This does not work, but if I apply the access-group to the outside interface it works. I understand why it is like that.

    Thank you

    This works because the PIX is not aware of session state for ICMP traffic the way it is for TCP and UDP.

    By default, access from a higher-security interface to a lower one is allowed, unless you have an ACL applied to the higher interface, in which case only what the ACL permits will be allowed. So you can send outbound ICMP echo requests. However, for the response to be returned, you must allow that explicitly in an ACL that is applied on the outside interface, because the PIX won't allow any outside traffic in by default.

    The same goes for ICMP unreachable, although I want to add a caveat to that part of the config. Allow only the unreachables due to ttl expired, to facilitate path MTU discovery, not all unreachables.

    Let me know if it helps.

  • Simple Question SSH Access-List

    I am enabling SSH access on all of our Cisco devices and want to restrict access to only the following IP addresses: 192.168.200.1 - 192.168.200.50.  I forget the exact access list configuration to achieve this.  The subnet is a /24 and I don't want the whole subnet, only .1-.50.

    Thank you

    Thomas Reiling

    Hello

    If you use ssh, make sure that you have a domain name, a host name and an rsa key generated.  Assuming you have done this, the following ACL and vty command line will do the trick.  Note that the host range 1-50 is not on a subnet boundary.

    To get it exactly:

    access-list 1 remark MANAGEMENT ALLOW
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 permit host 192.168.200.50
    access-list 1 deny any log

    It would be a good idea to put it on a boundary, however, so the following would be much simpler and easier to read.

    access-list 1 remark MANAGEMENT ALLOW
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny any log

    Apply the access-class on the vty lines, and I would put some authentication there too.

    line vty 0 4
     access-class 1 in
     transport input ssh
     password Bonneau

    That should do it.

    Good luck!

    Brad
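Brad's two versions, and the non-contiguous wildcard from the PIX thread above, both come down to which addresses a wildcard mask really covers. This added Python check (not from either thread) expands each entry bit by bit and walks the 192.168.200.0/24 hosts through the ACL top-down; the ACL text is copied from Brad's post and the host list is constructed.

```python
"""Which addresses a standard ACL really permits, host by host. Constructed
example; the ACLs below are copies of the ones posted in the SSH thread."""
import ipaddress


def wildcard_members(network, wildcard):
    """Every address matched by an IOS 'network wildcard' pair. A 1 bit in the
    wildcard means 'don't care', so non-contiguous masks such as 0.0.0.5 work
    too (ipaddress.IPv4Network rejects those, hence the bit walk by hand)."""
    base = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    fixed = base & ~wc & 0xFFFFFFFF
    free_bits = [b for b in range(32) if (wc >> b) & 1]
    members = set()
    for combo in range(1 << len(free_bits)):
        value = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        members.add(ipaddress.IPv4Address(value))
    return members


def parse_standard_acl(text):
    """Return [(action, members)] where members is None for 'any'. Accepts the
    'access-list N ...' form, skips remarks and blank lines, ignores 'log'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        action, target = tokens[0], tokens[1]
        if target == "any":
            aces.append((action, None))
        elif target == "host":
            aces.append((action, {ipaddress.IPv4Address(tokens[2])}))
        else:  # 'A.B.C.D' alone means a single host, i.e. wildcard 0.0.0.0
            wildcard = tokens[2] if len(tokens) > 2 and tokens[2] != "log" else "0.0.0.0"
            aces.append((action, wildcard_members(target, wildcard)))
    return aces


def permitted(acl_text, candidates):
    """Run each candidate through the ACL top-down: the first matching entry
    decides, and anything that matches nothing hits the implicit deny."""
    aces = parse_standard_acl(acl_text)
    allowed = set()
    for host in candidates:
        for action, members in aces:
            if members is None or host in members:
                if action == "permit":
                    allowed.add(host)
                break
    return allowed


EXACT = """
access-list 1 remark MANAGEMENT ALLOW
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
"""

SIMPLE = """
access-list 1 remark MANAGEMENT ALLOW
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
"""

MGMT_SUBNET = list(ipaddress.IPv4Network("192.168.200.0/24").hosts())  # .1 to .254


def permitted_last_octets(acl_text):
    """Sorted last octets of the 192.168.200.0/24 hosts the ACL lets in."""
    return sorted(int(h) & 0xFF for h in permitted(acl_text, MGMT_SUBNET))


if __name__ == "__main__":
    print("exact :", permitted_last_octets(EXACT))
    print("simple:", permitted_last_octets(SIMPLE))
    # the router-only wildcard from the PIX thread is non-contiguous
    print(sorted(str(a) for a in wildcard_members("192.168.1.50", "0.0.0.5")))
```

The exact list admits .1 through .50 only, the simpler one .1 through .63, and 192.168.1.50 0.0.0.5 turns out to match .50, .51, .54 and .55, which no single subnet mask can express.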

  • Newbie question: accessing the items in a "sort of" locked file

    Newbie question: a friend (who is not reachable now) sent me a file. Vector graphics are enclosed in a blue box. I can move the whole box within the artboard and can add other items, but I can't change the existing components. Unlock and ungroup are greyed out. How can I get 'into' the components?

    Look in the Layers panel and see if the layers are locked. You can also check in Outline mode and see if there is really something there, or if it has been saved as an image.

  • Newbie question: access property programmatically

    Newbie question: why does this MXML work:

    <mx:Box backgroundColor="0xff0000" />

    but this ActionScript does not work?

    import mx.core.Container;
    import mx.containers.Box;
    var myBox:Box = new Box();
    myBox.backgroundColor = 0xff0000; // <- error 1119: undefined property backgroundColor

    More generally: there seem to be some properties I can set in MXML but not in AS. What am I missing?

    -Brian

    backgroundColor is a style property, which you set with
    myBox.setStyle("backgroundColor", 0xff0000);

    When you look at the docs, don't forget to click on the "Show inherited styles" link to see all the styles the component supports, including those defined in the superclass.
