PIX - ACL order
Hello
About a year ago there was a discussion here about the order in which PIX ACLs are applied.
There were several different opinions about it.
Are they applied on a first-match basis, like IOS ACLs, or on a best-match basis?
I remember someone saying that the old 'conduit' statements were applied on a best-match basis.
Is this correct? And what does "best match" mean?
And what about ACLs?
If they are not applied "first match", it wouldn't make sense to give them an order in the PDM.
Another question: I wonder how the PDM can add rules in the middle of an access list without disrupting traffic. In IOS ACLs without sequence numbers, I have to rewrite the entire ACL to change a line in the middle.
Conduits - best match
ACLs - first match
Best match means that the PIX will scan all lines and choose the one that *best* corresponds to the traffic (source/destination/ports, etc.).
The PIX does not run IOS. You can remove a line from an ACL without removing the entire ACL.
Scott
Tags: Cisco Security
Similar Questions
-
Interaction of TACACS+ and RADIUS, ACS 2.6 downloadable PIX ACLs
We have ACS v2.6 running and controlling our remote access to routers and switches. We are now looking to add support for an internal PIX firewall and want to use ACS downloadable ACLs for the PIX (to control outbound traffic through the PIX for authenticated users).
We have achieved this using the Cisco IOS/PIX RADIUS attributes
[009\001] cisco-av-pair on ACS (and access-list restrictions on user access).
However, the problem we noticed is that any user who is valid in our CiscoSecure or SecurID database can authenticate and gain access through the firewall, even if they are not permitted to do so (and by default on the PIX, inside to outside is allowed unlimited full access).
We then imposed network access restrictions on the CiscoSecure ACS for our PIX, to allow access only to the appropriate user groups, but this did not work with RADIUS, only TACACS+ (I guess because RADIUS does not support authorization).
We must work with TACACS+ and have ACS pass down the ACL number/ID to the PIX for permitted users.
Question: We want to use ACS downloadable ACLs for the PIX (for reasons of central support). Is this possible using TACACS+, and if so, how do we configure CiscoSecure ACS for the example ACL below?
access-list pix_int permit tcp any host 10.x.x.x eq 1022
access-list pix_int permit tcp any host 10.x.x.x eq 1023
Thank you
Downloadable ACLs work only with RADIUS, as described here:
http://www.Cisco.com/warp/public/110/atp52.html#new_per_user
You can continue to define the ACL on the PIX itself and simply pass the ACL name via TACACS+ (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can't actually pass the entire ACL down via TACACS+, sorry.
-
PIX ACL user downloadable issues
Recently I opened a TAC case on an issue I had with user downloadable ACLs from a RADIUS server. I use user ACLs on an intranet PIX firewall that protects some servers. We have programmers who need special access, and I tried to have the ACLs assigned dynamically. It turns out that TAC said that even if I had the correct ACLs and they were applied to the user, I must have the same ACL allowing the traffic on the interface where the traffic comes in. This makes no sense to me, since my goal was to get rid of permanent ACLs and not have to worry about source IP addresses. I could just have the user connect via HTTP and get the ACL. Then eventually the uauth timer expires and removes the ACL, so as not to leave a hole in the PIX. I am completely missing the point of downloadable ACLs, so if someone could shed some light on the subject I would appreciate it :) If anyone has a solution, or another solution to the problem I have, please do not hesitate to post! Thanks in advance!
Tony
For authentication and downloadable ACLs to work, you need two ACLs on the PIX: the interface ACL and the authentication ACL. You can consider the interface ACL as a trigger for the authentication ACL; it must allow the traffic through to trigger authentication. It must also allow the same traffic as the auth ACL, which means it is sometimes easier to make the interface ACL more permissive and the auth ACL more restrictive.
For example, if you have users on 192.168.1.0/24 on the inside interface and you want to authenticate them for access to Terminal Server services, you can, if you want, configure the inside access list to allow all traffic from 192.168.1.0/24
! inside 192.168.1.0 auth trigger
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
but deny everything in the authentication ACL, which means that all traffic requires authentication/authorization first.
! authentication for 192.168.1.0
! don't authenticate DNS and ICMP
access-list inside_authentication deny udp 192.168.1.0 255.255.255.0 any eq 53
access-list inside_authentication deny icmp 192.168.1.0 255.255.255.0 any
! authenticate everything else
access-list inside_authentication permit ip 192.168.1.0 255.255.255.0 any
! apply access lists
access-group inside_access_in in interface inside
aaa authentication match inside_authentication inside RADIUS
Your ACS/RADIUS ACL would be configured as
! term serv
permit tcp 192.168.1.0 255.255.255.0 any eq 3389
! http
permit tcp 192.168.1.0 255.255.255.0 any eq 80
That would provide Terminal Server and HTTP access to an authenticated user. Your logs would show permission denied for all other access by this user after authentication.
I hope this helps.
-
Cisco ASA 9.1: crypto ACL order, order of operations
Hello
Let's say we have the following configuration
access-list VPN1 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
crypto map mymap 10 match address VPN1
crypto map mymap 10 set peer x.x.x.x
access-list VPN2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map mymap 20 match address VPN2
crypto map mymap 20 set peer y.y.y.y
In the above example, what happens if you want to send a packet to a host on 10.1.1.x and its peer x.x.x.x is down (no SA)?
Will the ASA verify that the SA is down or absent and then start processing the next crypto access list according to the crypto map sequence number? Or will it simply drop the packet?
If the ASA tries the next crypto map entry/crypto ACL and there is no matching ACL, are the packets sent as clear text?
Thanks for the explanation
Peter
Hi Peter,
This would work if the first tunnel is down and there is no SA for it.
However, it is not recommended to overlap crypto ACLs.
Kind regards
Aditya
-
Which is applied first on an inbound access filter (access-group ... in interface outside): the static or the ACL?
For example...
Let's say I want to redirect all outside hosts trying to reach 10.7.7.21 in DMZ7 to use 192.1.24.21...
static (DMZ7,outside) 192.1.24.21 10.7.7.21 netmask 255.255.255.255
Now, I want to allow only outside users on 205.15.25.0/24 to use HTTP to the redirected DMZ7 host 10.7.7.21.
Since 10.7.7.21 has been translated to 192.1.24.21, do I use...
access-list <acl_name> permit tcp 205.15.25.0 255.255.255.0 host 10.7.7.21 eq www
OR
access-list <acl_name> permit tcp 205.15.25.0 255.255.255.0 host 192.1.24.21 eq www
TIA
Because this access list is bound to the outside interface, you need the IP address as it appears on the outside interface. So your second access-list line is the correct one.
access-list <acl_name> permit tcp 205.15.25.0 255.255.255.0 host 192.1.24.21 eq www
-
PIX and ACS downloadable ACL question
Good day to all,
I'm working on a project testing a PIX 535 with a Cisco ACS (we use RADIUS), and I need to know in what order the PIX ACLs are applied.
On the PIX we have a set of rules (https, ssh); then the user gets authenticated and gets more rules (https, ssh, pop3, imap, im). It works well, but now we have a problem: can you use the ACS ACL rules to remove the default rights within the rules on the PIX?
Basically I'm curious to know in what order the PIX parses the ACLs (ACS ACL then PIX ACL, PIX ACL then ACS ACL, or none of the above).
Any links to more information would be great.
Thanks for any information,
Brian
I did some tests with ACLs applied by a RADIUS server on a PIX 525 running 6.3.3.
In my particular case, the user is a remote VPN connection. I applied an ACL on the outside interface, and then on the RADIUS server I applied another ACL against the specific user.
The ACL on the outside interface is applied first. The downloadable ACL cannot add services that are not listed in the other ACL; however, it can deny and remove services.
You use your ACLs in a different way than I do. I use a third-party RADIUS server and pass an extended ACL via the Filter-Id attribute.
Cheers,
-Joshua
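The three PIX access-list behaviours discussed above (first-match ACLs versus best-match conduits in the first thread, the interface ACL acting as the trigger for the authentication ACL in the "PIX ACL user downloadable issues" reply, and Joshua's point that a downloaded per-user ACL can only remove services the interface ACL already permits) can be put side by side in a small model. This is an added example written for this page, not code from any of the posts or from Cisco; the Rule/Packet shapes and the specificity scoring used for "best match" are assumptions of the model, and the addresses outside 192.168.1.0/24 are constructed.

```python
"""Toy model of PIX access-list evaluation (added illustration, not PIX code).

Models: first-match ACLs vs best-match conduits, the interface ACL as the
authentication trigger, and a per-user downloaded ACL that can only narrow.
Specificity scoring for best match is an assumption of this model."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def first_match(acl: list, pkt: Packet) -> str:
    """ACL semantics: the first matching line wins; implicit deny at the end."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def specificity(rule: Rule) -> int:
    """Assumed scoring: longer prefixes and an explicit protocol/port rank higher."""
    score = ipaddress.ip_network(rule.src).prefixlen + ipaddress.ip_network(rule.dst).prefixlen
    score += 0 if rule.proto == "ip" else 8
    score += 16 if rule.dport is not None else 0
    return score


def best_match(acl: list, pkt: Packet) -> str:
    """Conduit semantics as Scott describes them: scan every line, take the most specific match."""
    matches = [r for r in acl if rule_matches(r, pkt)]
    return max(matches, key=specificity).action if matches else "deny"


# The same two lines give opposite answers under the two semantics.
OVERLAPPING = [
    Rule("deny", "tcp", "0.0.0.0/0", "10.1.1.0/24", 80),
    Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.5/32", 80),
]


def pix_decision(interface_acl, auth_acl, user_acl, pkt: Packet, authenticated: bool) -> str:
    """Order of checks as the two downloadable-ACL threads describe it.

    1. The interface access-group is evaluated first; a deny drops the packet.
    2. A permit in the auth ACL means "this traffic needs authentication";
       a deny there means "pass it without authenticating" (DNS/ICMP in the post).
    3. Once authenticated, the downloaded per-user ACL decides. Because step 1
       already happened, the user ACL can only take services away, never add them.
    """
    if first_match(interface_acl, pkt) == "deny":
        return "deny (interface ACL)"
    if first_match(auth_acl, pkt) == "deny":
        return "permit (no auth required)"
    if not authenticated:
        return "authenticate"
    return first_match(user_acl, pkt) + " (user ACL)"


INSIDE_NET = "192.168.1.0/24"
INTERFACE_ACL = [Rule("permit", "ip", INSIDE_NET, "0.0.0.0/0")]          # inside_access_in
AUTH_ACL = [                                                             # inside_authentication
    Rule("deny", "udp", INSIDE_NET, "0.0.0.0/0", 53),
    Rule("deny", "icmp", INSIDE_NET, "0.0.0.0/0"),
    Rule("permit", "ip", INSIDE_NET, "0.0.0.0/0"),
]
USER_ACL = [                                                             # downloaded from ACS
    Rule("permit", "tcp", INSIDE_NET, "0.0.0.0/0", 3389),
    Rule("permit", "tcp", INSIDE_NET, "0.0.0.0/0", 80),
]
# Constructed narrower interface ACL: shows the user ACL cannot widen it.
NARROW_INTERFACE_ACL = [Rule("permit", "tcp", INSIDE_NET, "0.0.0.0/0", 443)]

if __name__ == "__main__":
    web = Packet("tcp", "203.0.113.9", "10.1.1.5", 80)
    print("first match:", first_match(OVERLAPPING, web))   # deny
    print("best match: ", best_match(OVERLAPPING, web))    # permit
    rdp = Packet("tcp", "192.168.1.10", "10.0.0.5", 3389)
    print(pix_decision(INTERFACE_ACL, AUTH_ACL, USER_ACL, rdp, authenticated=False))
    print(pix_decision(INTERFACE_ACL, AUTH_ACL, USER_ACL, rdp, authenticated=True))
    print(pix_decision(NARROW_INTERFACE_ACL, AUTH_ACL, USER_ACL, rdp, authenticated=True))
```

The last call is the point Joshua makes: with an interface ACL that permits only 443, a downloaded ACL permitting 3389 changes nothing, because the packet never reaches the user ACL.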
-
SonicWall to PIX VPN does not work, could someone help?
Hi all
I'm trying to set up a VPN tunnel between a PIX 506E (firmware 6.3(2)) and a SonicWall Pro firewall. It does not work at the moment. Phase 1 is OK but phase 2 is not: the VPN tunnel is not established, and the security association is removed after a minute or two. I enclose below the PIX config and the debug output of an attempt to create the VPN tunnel (slightly modified and cut for reasons of confidentiality). The PIX already has two other VPNs configured which work perfectly.
I would be very grateful to anyone who could help me answer the following questions about this VPN configuration:
1. In the debug output, what do the following mean?
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
2. In the config, I don't know whether the 3 static commands are necessary and how they might interact... What do you think?
3. In what order do things happen in the PIX when traffic goes from the local network to the remote network via the VPN? Is it NAT, then access-list processing, then VPN? Or access-list processing, then NAT, then VPN? Or another possibility?
4. How can I get it to work?
Thank you very much in advance for any help provided,
A.G.
########### NAMING #################################
vpnpix1 - is the local cisco PIX
remotevpnpeer - is the Sonicwall firewall remote
Intranet - is the local network behind PIX
remotevpnLAN - is the remote network behind the SonicWall
################ CONFIG #############################
PIX Version 6.3(2)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
.../...
hostname vpnpix1
.../...
names
name A.B.C.D vpnpix1-e1
name X.Y.Z.T vpnpix1-e0
name E.F.G.H defaultgw
name 10.0.0.0 intranet
name 192.168.250.0 nat-intranet
name J.K.L.M internetgw
name 10.M.N.P server1
name 10.M.N.Q server2
name 10.M.N.R server3
name 192.168.252.0 remotevpnLAN
name 10.1.71.0 nat-remotevpnLAN
.../...
object-group network server-group
description servers used by remote LAN users connected through a VPN tunnel
network-object host server1
network-object host server2
network-object host server3
.../...
access-list INBOUND permit tcp nat-remotevpnLAN 255.255.255.0 object-group server-group eq citrix-ica
.../...
access-list OUTBOUND permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
access-list INTRANET-to-remotevpnLAN-VPN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
.../...
ip address outside vpnpix1-e0 255.255.255.240
ip address inside vpnpix1-e1 255.255.252.0
.../...
global (outside) 1 192.168.250.1
nat (inside) 0 access-list SHEEP-to-remotevpnLAN
nat (inside) 1 intranet 255.0.0.0 0 0
.../...
static (inside,outside) server1 server1 netmask 255.255.255.255 0 0
static (inside,outside) server2 server2 netmask 255.255.255.255 0 0
static (inside,outside) server3 server3 netmask 255.255.255.255 0 0
static (outside,inside) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0
.../...
access-group INBOUND in interface outside
access-group OUTBOUND in interface inside
route outside 0.0.0.0 0.0.0.0 internetgw 1
route inside intranet 255.0.0.0 defaultgw 1
.../...
sysopt connection permit-ipsec
.../...
crypto ipsec transform-set VPN-TS1 esp-3des esp-md5-hmac
.../...
crypto map BusinessPartners 30 ipsec-isakmp
crypto map BusinessPartners 30 match address INTRANET-to-remotevpnLAN-VPN
crypto map BusinessPartners 30 set peer remotevpnpeer
crypto map BusinessPartners 30 set transform-set VPN-TS1
crypto map BusinessPartners interface outside
isakmp enable outside
.../...
isakmp key ******** address remotevpnpeer netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 28800
.../...
: end
################## DEBUG ############################
vpnpix1# debug crypto isakmp
vpnpix1#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): ID payload
next-payload : 8
type         : 1
protocol     : 17
port         : 500
length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1346336108:afc08a94
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:remotevpnpeer/500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:remotevpnpeer/500 Ref cnt incremented to:1 Total VPN Peers:3
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 1
spi 0, message ID = 476084314
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1919346690:7266e802
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (0/2)... mess_id 0x7266e802
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (2/3)... mess_id 0xafc08a94
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): retransmitting phase 2 (1/4)... mess_id 0x7266e802
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1475513565:a80d7323
ISAKMP (0): deleting SA: src vpnpix1-e0, dst remotevpnpeer
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: drop msg, SA deleted
ISADB: reaper checking SA 0x10ff1ac, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:remotevpnpeer/500 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:remotevpnpeer/500 Total VPN peers:2
ISADB: reaper checking SA 0x1100984, conn_id = 0
ISADB: reaper checking SA 0x10fcddc, conn_id = 0
crypto_isakmp_process_block:src:remotevpnpeer, dest:vpnpix1-e0 spt:500 dpt:500
ISAKMP: sa not found for ike msg
#####################################################
Get rid of:
static (outside,inside) nat-remotevpnLAN remotevpnLAN netmask 255.255.255.0 0 0
You don't need it. Change:
access-list OUTBOUND permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 nat-remotevpnLAN 255.255.255.0
TO:
access-list OUTBOUND permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
access-list SHEEP-to-remotevpnLAN permit ip intranet 255.0.0.0 remotevpnLAN 255.255.255.0
This tells the PIX not to NAT the IPsec traffic. NAT happens BEFORE IPsec in the PIX, so if you NAT the IPsec traffic it will never match your crypto access list and will not be encrypted.
This, however, should not stop the phase 2 tunnel from being built; it would stop traffic from flowing over the tunnel, so you still have a problem somewhere. My guess is that the SonicWall (SW) has a different crypto access list defined; it must be the EXACT OPPOSITE of what is configured on the PIX. In other words, the SW should be encrypting traffic from "remotevpnLAN/24" to "intranet/8"; make sure the subnet masks are the same too.
To answer your questions:
1. It simply means that the PIX has not received a response and is retransmitting the last ISAKMP packet. The process_block simply means that the PIX has dropped a packet that was to be encrypted because the IPsec tunnel has not been built. If you get the tunnel built, these messages will disappear.
2. The first 3 statics do not appear to be related to the IPsec tunnel; if they are simply for access to a server inside, then they will not affect this VPN tunnel. The last one should be deleted, as I already said.
3. For traffic initiated from inside the PIX, the order is inbound ACL, then NAT, then IPsec processing. That's why your OUTBOUND ACL must allow the traffic first, then your nat 0 statement stops it from being NATed, then the crypto map encrypts the traffic.
4. Do what I said above :-)
If you still have no luck, re-run the debugs, but initiate traffic from behind the SonicWall; that way the SonicWall will try to build the tunnel and you will get more information on the PIX. Mainly, we'll see what traffic pattern the SonicWall is configured to encrypt (you don't see that if the PIX initiates the tunnel).
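The order of operations given in the reply (inbound ACL, then NAT with the nat 0 exemption, then the crypto ACL) is easy to trace with a small model. This is an added example written for this page, not PIX code or anything from the posts; it reuses the poster's names (intranet 10.0.0.0/8, remotevpnLAN 192.168.252.0/24, nat-remotevpnLAN 10.1.71.0/24, global pool 192.168.250.1), and the inside host 10.20.30.40 is constructed. It goes one step beyond the reply by also running the half-fixed case (OUTBOUND corrected, nat 0 left as posted), which is where "NAT happens before IPsec" bites: the packet is translated to the global address and then misses the crypto ACL.

```python
"""Added model of PIX order of operations for inside-to-outside traffic:
inbound access-group -> NAT (nat 0 exemption or dynamic pool) -> crypto ACL.
Not PIX code; names follow the poster's config, 10.20.30.40 is constructed."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def acl_permits(acl, flow: Flow) -> bool:
    """Each ACL here is a list of (src_net, dst_net) permit entries; implicit deny otherwise."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(s in Net(sn) and d in Net(dn) for sn, dn in acl)


def pix_outbound(flow: Flow, inbound_acl, nat0_acl, global_ip: str, crypto_acl) -> str:
    # 1. access-group applied inbound on the inside interface
    if not acl_permits(inbound_acl, flow):
        return "dropped by inbound ACL"
    # 2. NAT: a nat 0 match exempts the flow; otherwise the dynamic pool rewrites the source
    if acl_permits(nat0_acl, flow):
        post_nat = flow
    else:
        post_nat = Flow(global_ip, flow.dst)
    # 3. crypto map: the crypto ACL is matched against the packet AFTER translation
    if acl_permits(crypto_acl, post_nat):
        return f"encrypted as {post_nat.src} -> {post_nat.dst}"
    return f"sent in clear as {post_nat.src} -> {post_nat.dst}"


INTRANET = "10.0.0.0/8"            # name intranet
REMOTE = "192.168.252.0/24"        # name remotevpnLAN
NAT_REMOTE = "10.1.71.0/24"        # name nat-remotevpnLAN
GLOBAL = "192.168.250.1"           # global (outside) 1
CRYPTO_ACL = [(INTRANET, REMOTE)]  # access-list INTRANET-to-remotevpnLAN-VPN

# As posted: OUTBOUND and the nat 0 ACL both point at the NATed name
POSTED_OUTBOUND = [(INTRANET, NAT_REMOTE)]
POSTED_NAT0 = [(INTRANET, NAT_REMOTE)]
# As corrected in the reply
FIXED_OUTBOUND = [(INTRANET, REMOTE)]
FIXED_NAT0 = [(INTRANET, REMOTE)]


def run_posted(flow: Flow) -> str:
    return pix_outbound(flow, POSTED_OUTBOUND, POSTED_NAT0, GLOBAL, CRYPTO_ACL)


def run_half_fixed(flow: Flow) -> str:
    """OUTBOUND corrected but nat 0 still pointing at nat-remotevpnLAN."""
    return pix_outbound(flow, FIXED_OUTBOUND, POSTED_NAT0, GLOBAL, CRYPTO_ACL)


def run_fixed(flow: Flow) -> str:
    return pix_outbound(flow, FIXED_OUTBOUND, FIXED_NAT0, GLOBAL, CRYPTO_ACL)


if __name__ == "__main__":
    f = Flow("10.20.30.40", "192.168.252.10")
    for label, fn in (("posted", run_posted), ("OUTBOUND fixed only", run_half_fixed), ("fixed", run_fixed)):
        print(f"{label:20s}: {fn(f)}")
```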
-
Downloadable ACLs for users of VPN
Hello
I replaced the old PIX with an ASA (7.2). There were groups configured for the remote VPN users authenticated through ACS, and ACS downloaded a specific ACL for each group to the PIX. After the replacement, users cannot establish the VPN connection. After troubleshooting, I discovered that the downloadable ACLs were not working properly. When I disabled this option the tunnel was established. When I went back to the old PIX with the same configuration, it worked fine with the downloadable ACL option. I opened a TAC case and they said ACS v3.0 is not compatible with the ASA. That did not really convince me, and they asked me to try the AV-pair option. I tried the AV-pair option with the ASA and it did not work either. Can you please advise.
Hello
Check out this point,
In addition, 3.0 is very old, and I guess that in this version we have "Downloadable PIX ACL" and not "Downloadable IP ACL". On the ASA, downloadable ACLs will work with "Downloadable IP ACL" but not with "Downloadable PIX ACL".
Kind regards
Prem
-
VPN to PIX, Win2K, Active Directory - where to start?
Hello all.
I am awaiting the arrival of a PIX 515 and a PIX 501 as firewalls and for creating a VPN between my main site and a remote location. The remote site will have a LAN installed but will not have a real Win2K domain, while the main site is a complete Win2K domain with Exchange and AD. Both sites will connect to the Internet via cable modems.
Here's the question:
Is it possible to have this remote site be part of my main site's domain via the VPN? Can I set up a server at the remote site to replicate AD to, in case the VPN goes down for any reason? Do I need to open ports on the firewall or not, since it will be over a VPN?
Is this an easy thing to do? Is it a no-brainer for a beginner?
Thanks in advance for any advice.
Marc
No router required - basically, everything will be statically routed; your clients, regardless of site, will have the PIX as their default gateway. Each PIX will have a default gateway configured by you with a 'route' statement. Each PIX's crypto ACL will also act as a static route through the tunnel to the other PIX.
-
PIX 515E Version 6.1(4) dropping port scans
Hello
Is it possible to configure the PIX to drop port scans of hosts behind the firewall? I have a WatchGuard Firebox; when I scan a host behind it, it drops all connections from the computer performing the port scan. Can the PIX do this?
Thanks for any help!
-Jesse
You can use the 'ip audit' commands to enable the IDS feature in the PIX. The command, with examples, is here:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/cmdref/GL.htm#1027034
The signatures the PIX will look for are here:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_62/syslog/pixemsgs.htm#1032267
That said, the PIX will not be able to detect a port scan and then automatically block all packets from that host. With a network IDS system the PIX can be used to shun packets for more than 300 different signature types, but by itself it checks only about 59 signatures (detailed in the link above), and those are generally only single-packet signatures.
Detecting port scans is best left to a good IDS device that is designed to do that; let your firewall be a firewall.
-
I use PIX OS version 7.x.
I have a very basic question about ACLs. As with Cisco router IOS, in each access list there is an implicit deny all at the end of the ACL by default. Does the same rule apply to PIX ACLs, or do we have to write an explicit deny at the end of the ACL statements?
Hello
By default, all access lists have an implicit deny unless you explicitly permit.
I hope this helps.
Glen
-
ACL IP logging on a PIX 515E with 6.2(2)
Sorry, I have not found this in a search. I need to work out how to log which specific host IPs access what. I have a PIX 515E running 6.2(2) and no other devices to use for this - no router, etc., nor any auth servers. I have used the "log" parameter on router ACLs several times but do not see it in this version of PIX OS. Thanks in advance.
Hi Brian,
The logging feature for PIX ACLs was not introduced until version 6.3. The following link has some info on it:
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/63rnotes/pixrn63.htm#wp68356
I'm afraid you will have to upgrade to get this functionality.
Hope that helps - please rate the post if it does.
Paresh
-
IP ACL and TCP ACL... what is the difference?
Hello
I have a few questions on the ACL.
1. For PIX ACLs, let's say I want to host a web server on the internal network (just to simplify my question), and I don't do PAT, only a static NAT
static (inside,outside) 202.188.100.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit tcp any host 10.1.1.1 eq 80
access-group acl_out in interface outside
Is the above equivalent to
static (inside,outside) 202.188.100.1 10.1.1.1 netmask 255.255.255.255
access-list acl_out permit ip any host 10.1.1.1
access-group acl_out in interface outside
2. For IOS ACLs, is it possible to block network A (10.1.1.0/24) from accessing network B (10.1.2.0/24) but allow access from network B to network A? How can I do this?
Thank you.
Hello
1. First of all, your ACL is a little wrong: you need to permit connections to the public address of your devices, not the private one, when allowing traffic from the outside.
The answer to your first question is no. If you permit tcp port 80 in your access list then you allow just that; if you permit ip in your access list then you allow all IP-based protocols, including all TCP ports, all UDP ports and ICMP.
2. You can do this using either the established keyword in your access list or reflexive access lists.
Network B to A ACL
---
permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Network A to B ACL
---
permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 established
This means that any traffic can pass from network B to network A; however, only established connections (packets with the ACK bit set) are admitted from B to A.
The other method is using reflexive access lists, which are stateful access lists. When traffic moves from one network to the other a dynamic access list entry is created; traffic is only allowed back into the source network if a dynamic entry is present in the table with the same source and destination IP information. An access list works in one direction, so from A to B; if you wanted to allow B to talk to A you would need to configure specific static access list entries.
HTH
PJD
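The two IOS techniques PJD names, the established keyword and reflexive access lists, behave differently on one important input, so it is worth modelling both. This is an added example written for this page, not code from the post or from Cisco IOS: it models established as IOS implements it (a match on the ACK or RST flag bits, with no connection state) and a reflexive ACL as a table of return-direction entries created by B-to-A traffic. The networks come from the post; the ports, flags and the forged-ACK packet are constructed.

```python
"""Added model of IOS 'established' vs reflexive ACLs for the A/B scenario above.
Not IOS code. 'established' matches on TCP flag bits only; the reflexive ACL
keeps a table of entries created by the permitted B->A direction."""
import ipaddress
from dataclasses import dataclass

NET_A = ipaddress.ip_network("10.1.1.0/24")
NET_B = ipaddress.ip_network("10.1.2.0/24")
ACK, RST, SYN = 0x10, 0x04, 0x02   # TCP flag bits


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def in_net(ip: str, net) -> bool:
    return ipaddress.ip_address(ip) in net


def established_acl_a_to_b(pkt: Tcp) -> bool:
    """permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 established

    IOS 'established' matches when ACK or RST is set. Nothing else is checked,
    so a bare ACK packet that belongs to no connection is also permitted."""
    if not (in_net(pkt.src, NET_A) and in_net(pkt.dst, NET_B)):
        return False
    return bool(pkt.flags & (ACK | RST))


class ReflexiveAcl:
    """Reflexive ACL: permitted B->A traffic creates a mirrored entry;
    A->B traffic is permitted only when a matching entry exists."""

    def __init__(self):
        self.table = set()

    def outbound_b_to_a(self, pkt: Tcp) -> bool:
        if not (in_net(pkt.src, NET_B) and in_net(pkt.dst, NET_A)):
            return False
        # the 'reflect' action: record the return direction (src/dst swapped)
        self.table.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound_a_to_b(self, pkt: Tcp) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.table


def demo() -> dict:
    # Constructed packets
    syn_from_a = Tcp("10.1.1.7", 40000, "10.1.2.9", 22, SYN)        # A opening to B
    request_from_b = Tcp("10.1.2.9", 51000, "10.1.1.7", 80, SYN)    # B opening to A
    reply_to_b = Tcp("10.1.1.7", 80, "10.1.2.9", 51000, ACK)        # A's reply
    forged_ack_from_a = Tcp("10.1.1.7", 40000, "10.1.2.9", 22, ACK)  # ACK with no connection

    refl = ReflexiveAcl()
    refl.outbound_b_to_a(request_from_b)
    return {
        "established: SYN A->B": established_acl_a_to_b(syn_from_a),
        "established: reply A->B": established_acl_a_to_b(reply_to_b),
        "established: forged ACK A->B": established_acl_a_to_b(forged_ack_from_a),
        "reflexive: reply A->B": refl.inbound_a_to_b(reply_to_b),
        "reflexive: forged ACK A->B": refl.inbound_a_to_b(forged_ack_from_a),
    }


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name:32s} {'permit' if permitted else 'deny'}")
```

Both methods let the genuine reply through and stop A's SYN; they part ways on the forged ACK, which established admits and the reflexive table rejects. That is the practical reason to prefer the stateful option where the platform supports it.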
-
VPN3k and inter-spoke communication - need the official Cisco position
Hi Experts.
Will a Cisco VPN3k at the hub of a hub-and-spoke IPsec network be able to route packets between the spokes?
On the spokes I have Cisco PIX firewalls.
Thank you
Michele
Yes, provided that each spoke's subnet is included in the network list sent to the other spokes. Remember that the PIX will only send traffic over the tunnel that matches its crypto access list, so this ACL must include the subnets behind the other PIXes. Likewise, the ACL on the 3000 must include all these networks as its local network.
It's pretty easy to do if you have set up your spoke networks correctly. A good way to proceed is to ensure that each spoke subnet is, say, a subnet of 10.0.0.0/8. So spoke A is 10.1.1.0/24, spoke B is 10.2.2.0/24, spoke C is 10.3.3.0/24, etc.
Then your PIX ACL for spoke A just has to be:
access-list ipsec permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.0.0.0
and the PIX ACL for spoke B has to be:
access-list ipsec permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.0.0.0
Then just the opposite on the 3000 and everything gets routed accordingly.
-
Processing order of encryption and ACLs
Hi folks,
I am preparing for a lab exam and have the following scenario:
R6---172.16.50/24---PIX---172.16.10/24---R1
On R6 I have two interfaces:
lo0 6.6.6.6/24
FA0/1 172.16.50.50/24
R1 has two interfaces:
lo0 1.1.1.1/24
E0 172.16.10.1/24
I want to protect all traffic between network 6.6.6.0 and network 1.1.1.0 with IPsec. I use ESP to protect the traffic.
Another condition is that I want to put an ACL on e0 allowing only IPsec traffic.
I created an ACL named ACL_E0_IN that is applied on e0 for inbound traffic.
R1#sh access-lists
Extended IP access list ACL_E0_IN
permit esp host 172.16.50.50 host 172.16.10.1 (15 matches)
permit udp host 172.16.50.50 host 172.16.10.1 eq isakmp (116 matches)
deny icmp host 6.6.6.6 host 1.1.1.1 log (5 matches)
Ping from R6 to R1 does not work:
R6#ping 1.1.1.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
.....
Success rate is 0 percent (0/5)
R6#
On R1 I get the following message:
*Mar 8 03:58:37.917: %SEC-6-IPACCESSLOGDP: list ACL_E0_IN denied icmp 6.6.6.6 -> 1.1.1.1 (8/0), 4 packets
This scenario works ONLY when I permit both the ICMP from R6 and the ESP traffic.
I wonder why the decrypted packets are denied by the ACL. I expected the ACL to be processed BEFORE the packet is decrypted. When I look at the hit counters on the ACL, it seems the ACL is checked twice.
Does anyone have an idea of the exact order of encryption and ACL processing?
Thank you
Michael
Attached you will find the configs of the R1 and R6
Michael
I recently saw an explanation of encryption and ACLs that indicates there has recently been a change in behavior. In most versions of IOS, the behavior is as you describe: the packet is evaluated by the ACL twice. The explanation is that the packet is evaluated first in its encrypted state to check that it is something that should be processed. After the packet has been decrypted, IOS needs to evaluate the decrypted packet to see whether things like Quality of Service need to be applied. So basically the decrypted packet passes through the interface again, and the ACL again. In recent versions of the code (12.3(4)T, if memory serves) a change was made and the packet now goes through the ACL only once.
HTH
Rick