Routing VPN access list
Hello
I have a PIX 525 at my main site and a 1721 router at a remote location. I used PDM and SDM to configure a site-to-site IPSec VPN connection. In my private network I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) for the remote sites.
The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured traffic to flow from the remote site to 10.1.0.0/16 only. This means the remote site cannot talk to any other remote sites, just the main site.
I need to modify the access list to solve this. The relevant part of the remote site's access list is currently:
access-list 103 permit ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 deny ip 10.19.0.0 0.0.255.255 any
Can I change the wildcard mask in the first line and put the second line first?
access-list 103 deny ip 10.19.0.0 0.0.255.255 any
access-list 103 permit ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255
Or should I leave the deny statement at the end and add a line for each of the other remote sites:
access-list 103 permit ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 permit ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 permit ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255
access-list 103 permit ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255
... (others)
access-list 103 deny ip 10.19.0.0 0.0.255.255 any
Thank you.
John
John
Thanks for the additional configuration information that you have posted. There are still a few things I hope can be clarified. It seems that you have 46 remote sites and only one is connected via a VPN. How do the others get their connectivity? Is it all over links within your private network? Is there any NAT involved in those other connections?
In my previous answer I assumed there would be multiple VPN connections; your additional information reveals that this is not the case. So my comment about limitations in the PIX for spoke-to-spoke traffic is true but not applicable to your situation.
Are the other remote sites also coming in via the VPN? If yes, access list 100, which the 1721 uses to identify the IPSec traffic (and which was not in your posted material), will probably have to be changed.
As far as access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate putting it as the first entry in the access list. As to whether you want to use permit ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual permits, in my opinion a point to consider is that permit 10.0.0.0 0.255.255.255 will allow any address in the 10 space. It seems that you use 1 to 47. What happens if something came through as 10.122.x.x? I suggest a compromise approach. You can use this:
permit ip 10.0.0.0 0.31.255.255 10.19.0.0 0.0.255.255
permit ip 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255
This would allow 1 to 47 but not the others.
HTH
Rick
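As an added illustration (this is not code from John's or Rick's posts), the following Python checks what an IOS wildcard mask actually covers and models the suggested order for access-list 103 (anti-spoof deny first, then the two-line compromise). Two things worth checking before pasting such entries into a router: the first entry, 10.0.0.0 0.31.255.255, also covers 10.0.0.0/16 (it starts at 10.0, not 10.1), and a wildcard with a 1 bit above a 0 bit is accepted by IOS but no longer describes a single range. The aligned_blocks function goes a little beyond the thread: it computes the exact set of aligned entries that covers 10.1 through 10.47 without the overshoot, using a general greedy decomposition. All addresses below are the ones from the thread.

```python
import ipaddress

def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _to_dotted(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_matches(ip, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(ip) & care) == (_to_int(network) & care)

def covered_range(network, wildcard):
    """First and last address matched by a contiguous wildcard (the usual case).
    Raises for a non-contiguous wildcard, which IOS accepts but which has no single range."""
    w = _to_int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    base = _to_int(network) & ~w & 0xFFFFFFFF
    return _to_dotted(base), _to_dotted(base | w)

def permitted_by(entries, ip):
    """True if any (network, wildcard) entry matches ip."""
    return any(wildcard_matches(ip, n, w) for n, w in entries)

def aligned_blocks(first, last):
    """Exact cover of the inclusive range [first, last] with aligned power-of-two
    blocks, each returned as (network, wildcard). Greedy: at the current address take
    the largest block that is aligned there and still fits inside the range."""
    cur, end = _to_int(first), _to_int(last)
    out = []
    while cur <= end:
        size = (cur & -cur) if cur else 1 << 32   # largest alignment at cur
        while cur + size - 1 > end:
            size >>= 1
        out.append((_to_dotted(cur), _to_dotted(size - 1)))
        cur += size
    return out

# The two-line compromise from the answer above (sources permitted towards 10.19.0.0/16).
COMPROMISE = [("10.0.0.0", "0.31.255.255"), ("10.32.0.0", "0.15.255.255")]

def remote_site_decision(src, dst):
    """Model of the suggested access-list 103 order on the 1721:
    anti-spoof deny first, then the permits, then the implicit deny."""
    if wildcard_matches(src, "10.19.0.0", "0.0.255.255"):
        return "deny"                      # claims to come from the local site itself
    if wildcard_matches(dst, "10.19.0.0", "0.0.255.255") and permitted_by(COMPROMISE, src):
        return "permit"
    return "deny"                          # implicit deny at the end of every IOS ACL

if __name__ == "__main__":
    for ip in ("10.1.0.10", "10.47.9.9", "10.48.0.1", "10.122.1.1", "10.0.0.1"):
        print(ip, "permitted" if permitted_by(COMPROMISE, ip) else "denied")
    for net, wild in aligned_blocks("10.1.0.0", "10.47.255.255"):
        print("permit ip %s %s 10.19.0.0 0.0.255.255" % (net, wild))
```

The exact cover needs six entries instead of two; whether the tighter list is worth the extra lines is a judgement call, but the 10.0.0.0/16 overshoot of the two-line version is at least something to know about.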
Tags: Cisco Security
Similar Questions
-
Newbie question route-map/access-list
I am quite new to the whole Cisco thing here. I'm very hesitant to make changes as I am not 200% sure that I won't take down the entire network. (We are a very small company.)
We have a Cisco 1811 router (yes, I know it's old).
We now have a route map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection; we want them to use our T1. Our T1 uses an ASA5505 as a router. I don't know why; I know it's not best practice, but I was just hired and that's all I have to say on the subject. I am doing this as a result. Web traffic currently goes out our cable interface; everything else, including the transfer speed on speedtest.net, goes out our T1. This makes VoIP phone calls bad, bad. We also have a tunnel punched through to our other offices, as well as our Exchange 2010 server, using the T1. If our cable goes down, everything goes to the T1 (by design). We have a long access list defined in our route map, using match ip address. I want to change the access list so as not to match local network IP addresses. I know that if I put in a plain "permit ip any any" it will break our network: nothing comes out of the T1 line, and no one can get to our mail server anymore. So I was thinking of adding some statements, but I was wondering if someone could help me with the logic, so I know whether I will break the network. I wouldn't want to have to pull the cord and use the console (I really need to get a USB serial interface). Now that you understand a little more about my situation, here are all the numbers, etc.
Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses; why they chose a /16 is beyond me, stupid really)
PTP VPN: 192.168.116.0/24 comes in and goes out over our T1.
1811 router: 90.0.0.254 / 192.168.30.254 / 192.168.0.254
ASA: 90.0.0.50
!
track 20 ip sla 40 reachability
 delay down 90 up 60
!
interface Vlan1
 description *** LAN INTERFACE 90.0.0.x network ***$FW_INSIDE$
 ip address 90.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map WEBPBR
!
interface Vlan10
 description *** LAN INTERFACE 192.168.0.x NET ***$FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip helper-address 90.0.0.2
 ip virtual-reassembly
 ip policy route-map WEBPBR
!
! Static routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
ip access-list extended WEBTRAFFIC
 deny ip any host 208.67.222.222
 deny ip any 172.20.0.0 0.0.255.255
 deny tcp host 90.0.0.2 any eq www
 deny tcp host 90.0.0.14 any eq www
 deny tcp host 90.0.0.235 any eq www
 deny ip host 192.168.0.40 any
 deny ip any host 192.168.0.40
 deny ip host 192.168.0.41 any
 deny ip any host 192.168.0.41
 deny ip any host 192.168.0.221
 deny ip host 192.168.0.221 any
 deny ip host 192.168.0.225 any
 deny tcp host 90.0.0.10 any eq www
 deny ip any host 192.168.0.225
 deny tcp host 90.0.0.11 any eq www
 deny tcp host 90.0.0.9 any eq www
 deny tcp host 90.0.0.8 any eq www
 deny tcp host 90.0.0.7 any eq www
 deny tcp host 90.0.0.6 any eq www
 deny tcp host 90.0.0.1 any eq www
 deny tcp host 90.0.0.13 any eq www
 deny tcp host 90.0.0.200 any eq www
 permit tcp any any eq www
 permit ip host 192.168.0.131 any
 permit ip host 192.168.0.130 any
 permit ip host 192.168.0.132 any
 permit ip host 192.168.0.133 any
 permit ip host 192.168.0.134 any
 permit ip host 192.168.0.135 any
 permit ip host 192.168.0.136 any
 permit ip host 192.168.0.137 any
 permit ip host 192.168.0.138 any
 permit ip host 192.168.0.139 any
 permit ip host 192.168.0.140 any
 permit ip host 192.168.0.141 any
 permit ip host 192.168.0.142 any
 permit ip host 192.168.0.143 any
 permit ip host 192.168.0.144 any
 permit ip host 192.168.0.145 any
 permit ip host 192.168.0.146 any
 permit ip host 192.168.0.147 any
 permit ip host 192.168.0.148 any
 permit ip host 192.168.0.149 any
 permit ip host 192.168.0.150 any
 permit ip host 90.0.0.80 any
 permit ip host 90.0.0.81 any
 permit ip host 90.0.0.82 any
 permit ip host 90.0.0.83 any
 permit ip host 90.0.0.84 any
 permit ip host 90.0.0.85 any
 permit ip host 90.0.0.86 any
 permit ip host 90.0.0.87 any
 permit ip host 90.0.0.88 any
 permit ip host 90.0.0.89 any
 permit ip host 90.0.0.90 any
 permit ip host 90.0.0.91 any
 permit ip host 90.0.0.92 any
 permit ip host 90.0.0.93 any
 permit ip host 90.0.0.94 any
 permit ip host 90.0.0.95 any
 deny tcp host 90.0.0.3 any eq www
ip sla 40
 icmp-echo 208.67.220.220 source-interface Vlan1
 timeout 6000
 frequency 20
ip sla schedule 40 life forever start-time now
route-map WEBPBR permit 2
 match ip address WEBTRAFFIC
 set ip next-hop verify-availability 197.164.245.109 1 track 40
That is how we have it set up right now. If I put a few lines at the top of WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! etc. with all internal networks
* And then put at the bottom:
permit ip any any
will that break EVERYTHING so we can't communicate with anything? Or is that what I need to do to get internal routing, etc.? Also, I guess I'd put in the 15 IP addresses that are coming in on the ASA as well? (We have 14 public IPs (one for the T1 gateway) that would go in as well?) I don't want to try to put those in at the top and make it so no one can do anything. I hope I made clear what I'm doing...
Post edited by: Ryan Young
I have not read this thread closely enough to be able to speak to the intricacies of the question of whether this access list will do what you want. But I can answer the specific question you are asking. Yes - the access list is processed top-down, and if some line higher up in the access list matches, then processing for that packet will never reach the permit at the bottom of the access list.
HTH
Rick
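To make the top-down rule concrete, here is an added example (not code from Ryan's or Rick's posts): a small parser for the IOS extended ACE syntax used in WEBTRAFFIC and a first-match evaluator, run against a constructed, trimmed copy of the list with the three proposed internal-network denies placed at the top. The PBR interpretation is the standard one: when the route-map's match ACL permits a packet, the set ip next-hop applies; a deny or no match means the packet is routed normally from the routing table. Only a handful of the posted entries are reproduced; the hosts and networks are the ones from the post.

```python
import ipaddress

WELL_KNOWN_PORTS = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}

def parse_ace(line):
    """Parse one IOS extended ACE of the forms used in WEBTRAFFIC:
    <permit|deny> <ip|tcp|udp> <src> <dst> [eq <port>], where an address is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (network plus wildcard)."""
    t = line.split()
    action, proto, i = t[0], t[1], 2
    addrs = []
    for _ in range(2):
        if t[i] == "any":
            addrs.append(("any",)); i += 1
        elif t[i] == "host":
            addrs.append(("host", t[i + 1])); i += 2
        else:
            addrs.append(("net", t[i], t[i + 1])); i += 2
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = WELL_KNOWN_PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": dport}

def _addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(spec[2]))   # wildcard 1 = don't care
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(spec[1])) & care)

def first_match(acl, src, dst, proto="ip", dport=None):
    """Top-down, first match wins. Returns (action, index);
    ("deny", None) stands for the implicit deny at the end of the list."""
    for idx, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if _addr_match(ace["src"], src) and _addr_match(ace["dst"], dst):
            return ace["action"], idx
    return "deny", None

def pbr_decision(acl, src, dst, proto="ip", dport=None):
    """Under 'ip policy route-map', a permit means the route-map's next-hop applies;
    a deny or no match means the packet is routed normally."""
    action, _ = first_match(acl, src, dst, proto, dport)
    return "policy-routed" if action == "permit" else "normal-routing"

# Constructed, trimmed copy of WEBTRAFFIC with the proposed internal denies on top.
WEBTRAFFIC = [parse_ace(l) for l in """
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
deny tcp host 90.0.0.2 any eq www
deny ip host 192.168.0.40 any
permit tcp any any eq www
permit ip host 192.168.0.131 any
""".split("\n") if l.strip()]

# The same list with the proposed "permit ip any any" appended at the bottom.
WEBTRAFFIC_CATCHALL = WEBTRAFFIC + [parse_ace("permit ip any any")]

if __name__ == "__main__":
    for acl_name, acl in (("without catch-all", WEBTRAFFIC), ("with catch-all", WEBTRAFFIC_CATCHALL)):
        print(acl_name)
        print("  LAN -> LAN  ", pbr_decision(acl, "192.168.0.131", "90.0.0.10"))
        print("  LAN -> web  ", pbr_decision(acl, "192.168.0.50", "8.8.8.8", "tcp", 80))
        print("  LAN -> other", pbr_decision(acl, "192.168.0.50", "1.2.3.4", "udp", 5060))
```

The three denies at the top shadow every later permit for traffic to the internal networks, which is exactly what the question asks for: internal traffic falls through to normal routing regardless of what follows. The other side of the same rule is the catch-all at the bottom: once it is there, every non-internal, non-web flow that no earlier line denies becomes policy-routed too, so the list of hosts that must stay on the T1 has to be complete before the catch-all goes in.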
-
Packet capture vpn access list filter
I just installed a VPN filter to secure traffic between two of our facilities. As a good security admin, I am only allowing the good ports and blocking everything else. Now I see one-way packet loss.
I wanted to set up a packet capture to detect which packets were being allowed and which were dropped. However, none of my packet captures are showing any captured packets. I tried the following captures.
capture DPEP type raw-data interface xo [Capturing - 0 bytes]
 match ip 10.1.8.0 255.255.252.0 any
capture DPEP type raw-data access-list 105 interface xo [Capturing - 0 bytes]
capture DPEP type raw-data interface asa_dataplane [Capturing - 0 bytes]
 match ip 10.1.8.0 255.255.252.0 any
It is certainly a formatting problem on my part, since I am not even capturing the traffic to subnets that is getting through successfully.
Any help would be appreciated. Thank you.
Hi Michael,
Do not change the VPN filter... create a dummy access list just for capturing, with the flow as a rule, and use that for the capture.
Regards
Knockaert
-
L2l VPN Access-list crypto-interesting
Hi everyone, I have a question.
I have ASA1 and ASA2 connected via a private IP cloud, and one host behind each ASA.
The tunnel is up, and I can ping from host1, which is behind ASA1, to host2, which is behind ASA2, over the VPN tunnel.
When I do show crypto ipsec sa on ASA2 I see
#pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
#pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
and they are increasing with each ping I send from host1 to host2. But when I do sh access-list cryptointeresting (the access list that defines my crypto interesting traffic on ASA2) I do not see the hit counts growing with each ping I send from host1, which is behind ASA1.
The question is whether I'm supposed to see the cryptointeresting access-list hits rising on ASA2 when I ping host2 (behind ASA2) from host1, which is at the other end behind ASA1.
Thank you
Hi my friend.
When you ping from the ASA1 side to the ASA2 side you won't see hit counts in the ASA2 ACL. This happens because, for the access list hit count to increase, the traffic must match the ACL as it is defined.
Basically, when you ping from ASA1 to ASA2, the traffic does not match the direction of the crypto ACL on ASA2 (which is defined from the ASA2 LAN to the ASA1 LAN), so it does not count as a hit.
You see decrypted and decapsulated packets because the traffic matches the parameters previously negotiated for the VPN tunnel, so the traffic gets encrypted and sent through the tunnel.
I hope this clarifies your questions.
BTW, sorry I did not get back to you on your second post about NAT; I see that Varun has given you a great answer.
Have fun!
Raga
-
Bug in IOS? startup-config + access-list command + invalid input detected
I posted this yesterday in the usenet newsgroup comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.
Cisco 827
IOS (tm) C820 Software (C820-K9OSY6-M), Version 12.2(8)T5, RELEASE
SOFTWARE (fc1)
I'm looking to use a named host in an extended access list. The
script I copy to startup-config contains the following entries:
! the 2 following lines appear at the top of the script
ip name-server 123.123.123.123 123.123.123.124
ip domain-lookup
! the following line appears at the bottom of the script
access-list 120 permit ip host passports-01.mx.aol.com any
When I reboot the router, I see the following message:
Translating "passports-01.mx.aol.com"...domain server (255.255.255.255)
access-list 120 permit ip host passports-01.mx.aol.com any
                                ^
% Invalid input detected at '^' marker.
It seems as if the router's name-server entry is not processed
prior to the access list. I can't even check with
router02#sh access-lists 120
as the access list entry does *not* exist.
But when I manually type the entry into the router I see the
following:
router02(config)#access-list 120 permit ip host passports-01.mx.aol.com
any
Translating "passports-01.mx.aol.com"...domain server (123.123.123.123)
[OK]
and I can confirm its creation:
router02#sh access-lists 120
Extended IP access list 120
    permit ip host 64.12.137.89 any
I must be doing something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same etiquette/common sense applies here as applies to usenet newsgroups, i.e. do we post actual IP addresses in our configs or must they be edited?)
Any help is very appreciated.
Hello
Currently IOS does not keep DNS names in an ACL in the running/saved configuration.
When you type in an access list with a domain name, it looks the name up and replaces it with the IP address. I remember seeing a bug ID recently requesting this feature, but I don't remember the bug ID number now.
Router(config)#access-list 187 permit ip any host www.cisco.com
Router(config)#^Z
Router#show run | inc 187
access-list 187 permit ip any host 198.133.219.25
Router#show ver | inc 12
IOS (tm) C800 Software (C800-K9NOSY6-MW), Version 12.2(13)T, RELEASE
-
IOS VPN on 7200 12.3.1 and access-list problem
I'm on IOS 12.3(1) on a 7200 and have configured it for VPN access. I use the Cisco VPN client. I wonder if someone has encountered the following problem, and if there is a fix.
The external interface has the standard access list applied that blocks incoming traffic. One of the rules is to block private, non-routable IPs, such as 10.0.0.0, for example.
When I set up my VPN connection, none of my packets get routed, and I noticed that the outside interface access list blocks the traffic. When I connect to the router through the VPN, the router assigns the client an IP address from a VPN pool such as 10.1.1.0/24. The normal outside access list denies this traffic, as it should. But once I have established a VPN connection, it seems to me that my encrypted VPN traffic should bypass the external interface access list.
If I change my external access list to allow traffic from source address 10.1.1.0/24, my VPN traffic goes through correctly, but this goes against the purpose of having an outside access list that denies such traffic and having a VPN.
Has anyone else seen this problem, or can anyone recommend a software patch or a version of IOS which works correctly?
Thank you
R
That's how IOS has always worked; there is no way around it.
The reasoning has to do with the internal routing on the router. Basically an encrypted packet comes in on the interface and initially passes the ACL check as an encrypted packet. Then it is handed to the crypto engine and decrypted, so we now have this packet sitting in the crypto engine part of the router. What do we do with it now, keeping in mind that users may want to policy-route it, may want to apply QoS, etc. etc.? For this reason, the packet is basically delivered back onto the external interface and run through everything again, this time as a decrypted packet. So the packet hits the ACL twice, once encrypted and once in the clear.
Your external ACL must permit both the encrypted and the unencrypted form of the packet.
Now, if you're afraid that people can then simply spoof packets to come from 10.1.1.0 and they will be allowed through your router, bzzzt, wrong. The first thing the router checks when it receives a packet on an interface with a crypto map applied is whether the packet should have been encrypted, based on its crypto ACL and its IP pools. If it receives an unencrypted packet when it knows it should have been encrypted, it will drop the packet immediately and flag a syslog message along the lines of "received decrypted packet when it should have been encrypted".
You can check the old bug on this here:
http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCdz54626&submit=search
and take note of the security implications section; you may need to slightly modify your configuration.
-
Access list question for a Cisco 1710 running a 3DES VPN tunnel
I have a question about the use of access lists in the configuration of a Cisco 1710 router that uses access lists to control traffic through the VPN tunnel.
Take for example the following lines in a configuration on the remote router. My question is whether or not traffic that matches the definition of access-list 130 (something other than the 192.168.100.0/24 traffic) crosses the VPN tunnel or goes directly out the Ethernet0 interface.
My understanding is that traffic that matches access list 120 would be encrypted and sent through the IPSec tunnel. If there were "deny" statements in access-list 120, the traffic for those would be sent through the IPSec tunnel but not encrypted (if that is possible). And finally, given that the crypto map definition only references "match address 120", any traffic that matches access list 130 would be sent out Ethernet0 but not associated with the crypto map, and thus not sent through the IPSec tunnel.
Any input or assistance would be greatly appreciated.
crypto map Test 11 ipsec-isakmp
..
 match address 120
interface Ethernet0
..
 crypto map Test
ip nat inside source route-map sheep interface Ethernet0 overload
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
route-map sheep permit 10
 match ip address 130
It would go out interface e0 to the Internet in clear text, without going over the tunnel.
Jean Marc
-
VPN client access to the Internet through the same router! How?
Hi all
I have already set up VPN users to connect to our 1841 router and corporate network. They use the Cisco VPN Client and the connection terminates on interface Dialer1 on the 1841. This interface is also our ADSL Internet connection.
I need the VPN users to get out to the Internet via this VPN connection (that is, through Dialer1), rather than using split tunneling and browsing the Internet from their local Internet service providers.
Of course, this Dialer1 is also 'nat outside', and the FastEthernet is the LAN and 'nat inside'.
So I'll need to NAT these VPN-pool addresses to the IP address of Dialer1. But what would be 'nat inside' in this case...
Can anyone help?
A loopback interface must be configured as 'nat inside'.
For example:
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 no shutdown
 ip nat inside
access-list 199 deny ip <1841 private net> <1841 private net mask>
access-list 199 permit ip any any
route-map policy-route permit 10
 match ip address 199
 set ip next-hop 1.1.1.2
interface Dialer0
 ip policy route-map policy-route
-
VPN - cannot access subnets behind 2nd internal router. Help.
Hi guys,
Looking for a little help after a day of frustration. I'm really new to this and a student, so I know I'm doing something stupid. Anyway, I bought an ASA 5505 and placed it between my cable modem and a Cisco 3745 router. The outside interface on the ASA is DHCP, the inside interface is 192.168.100.1. The outside interface of the 3745 is 192.168.100.2 and the inside is 192.168.1.1. The VPN pool is 192.168.200.10 - 192.168.200.10.
These are the problems...
1. When I set up a VPN session to the ASA, I can ping and access resources directly connected to the ASA's interfaces and the ASA's internal 192.168.100.0 network. However, I can't access any resource behind the 3745. I can't even ping 192.168.1.1.
2. Although I believe I set up split tunneling, I can't get to the internet when connected to the VPN.
Here's my network topology, my ASA config and my router config...
ASA...
ASA Version 8.2(5)
!
hostname poog-fw1
domain-name poog
enable password * encrypted
passwd * encrypted
names
name 192.168.100.2 RouterWAN
name 192.168.100.0 internal
name 192.168.200.0 VPN
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 167.206.245.129
 name-server 167.206.245.130
 domain-name poog
same-security-traffic permit intra-interface
object-group network VPN
object-group network RouterWAN
object-group network RouterWAN-01
object-group network RouterWAN-02
object-group network RouterWAN-03
object-group network RouterWAN-04
object-group network RouterWAN-05
object-group network obj_any
object-group network obj_any-01
object-group network obj-0.0.0.0
object-group network iphone
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp VPN 255.255.255.0 any
access-list outside_access_in remark Telnet access to router
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in remark IP camera access
access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in remark FTP access to NAS
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in remark VNC access to WX server
access-list outside_access_in extended permit tcp any interface outside eq 5900
access-list outside_access_in extended permit tcp any interface outside eq https
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list inside_nat0_outbound extended permit ip internal 255.255.255.0 VPN 255.255.255.0
access-list splittunnel standard permit internal 255.255.255.0
access-list splittunnel standard permit host 192.168.1.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255
static (inside,outside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255
static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255
static (inside,outside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router rip
 network internal
 default-information originate
 version 2
 no auto-summary
!
route inside 192.168.1.0 255.255.255.0 RouterWAN 1
route inside VPN 255.255.255.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http internal 255.255.255.0 inside
http VPN 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet internal 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address RouterWAN-RouterWAN inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 167.206.245.129
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value splittunnel
group-policy Clientless internal
group-policy Clientless attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value VPN_Book_Marks
group-policy AnyConnect internal
group-policy AnyConnect attributes
 banner value Welcome To My Network
 dns-server value 167.206.245.129
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value poog
 webvpn
  url-list value VPN_Book_Marks
  svc keep-installer installed
  svc ask none default svc
username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0
username ogonzalez attributes
 vpn-group-policy Clientless
username jgonzalez password ymcpO334smdskkpl encrypted privilege 0
username jgonzalez attributes
 vpn-group-policy AnyConnect
tunnel-group RAVPN type remote-access
tunnel-group RAVPN general-attributes
 address-pool VPNPOOL
tunnel-group RAVPN webvpn-attributes
 group-alias RAVPN enable
 group-url https://69.121.142.156/RAVPN enable
tunnel-group AnyConnect type remote-access
tunnel-group AnyConnect general-attributes
 address-pool VPNPOOL
 default-group-policy AnyConnect
tunnel-group AnyConnect webvpn-attributes
 group-alias AnyConnect enable
 group-url https://69.121.142.156/AnyConnect enable
tunnel-group Clientless type remote-access
tunnel-group Clientless general-attributes
 default-group-policy Clientless
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7d91e2ad8d7a86c40860fa8a1b117271
: end
Router...
Current configuration : 1922 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname poog_rtr1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
no logging monitor
enable secret 5 *
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.1.1 192.168.1.150
!
ip dhcp pool DHCP1
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 167.206.245.129 167.206.245.130
!
username * privilege 15 password 0 *
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
!
router rip
 version 2
 network 192.168.1.0
 network 192.168.100.0
 network 192.168.200.0
 no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.1.13 5900 interface FastEthernet0/1 5900
ip nat inside source static tcp 192.168.1.12 1022 interface FastEthernet0/1 1022
ip nat inside source static tcp 192.168.1.11 1021 interface FastEthernet0/1 1021
ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet0/1 21
ip nat inside source static tcp 192.168.1.1 23 interface FastEthernet0/1 23
ip http server
ip http authentication local
ip classless
ip route 192.168.200.0 255.255.255.0 FastEthernet0/1
!
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit any
no cdp run
!
dial-peer cor custom
!
gatekeeper
!
banner motd ^C
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED! *****^C
!
line con 0
line aux 0
line vty 0 4
 login local
!
end
"192.168.100.0 ---> 192.168.1.0 I DO NOT get ping responses."
Please add "inspect icmp" to the inspection_default class of the policy, as shown below.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
I hope this helps.
Please rate helpful posts.
Thank you
-
Cisco 877 VPN router LAN access
I have already spent much time trying to figure out why I can't reach the LAN behind the router when connecting through the VPN, and I thought it would be easier to ask people with more experience than me.
So here it goes. This is the configuration of an 877 ADSL router with some ACLs defined for security and NAT/PAT. The VPN connects with the Cisco VPN client, but I don't see anything on the LAN from the remote computer (for example, I cannot ping the router or a server on the local network).
Also, from the router I cannot ping the remote VPN computer when it is connected... I have already tried a lot of different things, but my knowledge of Cisco is limited, so I hope someone in this forum can sort it out with little effort or change to this config... I replaced the IP addresses and passwords for security reasons.
In a word, what is wrong or missing in this config that doesn't let me reach the LAN when connected through the VPN?
Appreciate the help:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
hostname My877Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network VPN local
!
!
aaa session-id common
clock timezone CST 9 30
!
crypto pki trustpoint TP-self-signed-901674690
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-901674690
 revocation-check none
 rsakeypair TP-self-signed-901674690
!
!
crypto pki certificate chain TP-self-signed-901674690
 certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit
dot11 syslog
ip cef
!
!
ip inspect name _OUTBOUND_ tcp router-traffic
ip inspect name _OUTBOUND_ udp router-traffic
ip inspect name _OUTBOUND_ http
ip inspect name _OUTBOUND_ https
ip inspect name _OUTBOUND_ dns
ip inspect name _OUTBOUND_ icmp router-traffic
no ip domain lookup
ip domain name mydomain.com.au
ip name-server A.B.C.D
ip name-server x.y.z.w
!
password encryption aes
!
!
username admin privilege 15 secret 5 #$%^&*
username Admin2 privilege 15 secret 5 #$%^&*
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN
 key 6 #$%^&_)(*&^%$%^&*(&^$
 dns 192.168.100.5
 domain mydomain.com.au
 pool VPN
 acl 100
 max-users 5
 max-logins 1
 netmask 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 11
 set transform-set vpn1
 reverse-route
!
!
crypto map dynmap client authentication list VPN
crypto map dynmap isakmp authorization list VPN
crypto map dynmap client configuration address initiate
crypto map dynmap client configuration address respond
crypto map dynmap 11 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all VPN-traffic
 match access-group 100
!
!
policy-map type inspect PCB-pol-outToIn
 class type inspect VPN-traffic
  inspect
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN_INTERFACE
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description ADSL
 ip address negotiated
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect _OUTBOUND_ out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 76478678786
 crypto map dynmap
!
ip local pool VPN 192.168.200.1 192.168.200.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
ip nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
ip nat inside source static tcp 192.168.100.9 1352 interface Dialer0 1352
ip nat inside source static tcp 192.168.100.6 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
ip nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any eq 443 log
access-list 101 permit tcp any any eq smtp log
access-list 101 permit tcp any any eq 1352 log
access-list 101 permit tcp host A.B.C.D any log
access-list 101 permit tcp host x.y.z.w any log
access-list 101 permit tcp host r.t.g.u any log
access-list 101 permit udp any host x.x.x.x eq isakmp log
access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
access-list 101 deny ip any any log
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 log
access-list 102 permit ip 192.168.100.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map sheep permit 11
 match ip address 102
!
!
control-plane
!
banner motd ^C
Unauthorized access prohibited! ^C
!
line con 0
 exec-timeout 20 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
sntp server x.x.x.x
sntp server y.y.y.y
end
My877Router#
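One thing worth checking in the config above: route-map sheep (the name as it appears in the post) matches ACL 102, whose first line denies LAN-to-VPN-pool traffic, but the only overload NAT statement references list 1, so the route-map is never consulted. The Python model below is an added example, not code from the post or from Cisco. It encodes the IOS rule that an inside-source NAT statement translates only the packets its referenced ACL permits (a deny entry means "leave untranslated"), and compares what the configured policy and the unused route-map would do to a LAN host answering a VPN client. The dictionary labels and the sample packets (192.168.100.9 to 192.168.200.3, and to 203.0.113.10) are constructed for the example.

```python
# Added example: model of the IOS inside-source NAT decision for the posted config.
# An 'ip nat inside source list|route-map ...' rule translates a packet only when
# the referenced ACL permits it; a deny (or no match) leaves the packet untranslated.
import ipaddress
from typing import Dict, List, Tuple

# An ACL entry: (action, source network, destination network).
# Wildcard masks from the config are written as CIDR prefixes here.
AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]
ANY = ipaddress.ip_network("0.0.0.0/0")

# access-list 1 permit 192.168.100.0 0.0.0.255   (standard ACL: source only)
ACL_1: List[AclEntry] = [
    ("permit", ipaddress.ip_network("192.168.100.0/24"), ANY),
]

# access-list 102 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 log
# access-list 102 permit ip 192.168.100.0 0.0.0.255 any log
ACL_102: List[AclEntry] = [
    ("deny", ipaddress.ip_network("192.168.100.0/24"),
     ipaddress.ip_network("192.168.200.0/24")),
    ("permit", ipaddress.ip_network("192.168.100.0/24"), ANY),
]


def acl_result(acl: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def nat_translates(acl: List[AclEntry], src: str, dst: str) -> bool:
    """True when an inside-source NAT rule using this ACL would translate the packet."""
    return acl_result(acl, src, dst) == "permit"


def compare_policies(src: str, dst: str) -> Dict[str, bool]:
    """What each candidate NAT policy does to a packet from the LAN."""
    return {
        "list 1 (as configured)": nat_translates(ACL_1, src, dst),
        "route-map sheep / ACL 102 (defined but unused)": nat_translates(ACL_102, src, dst),
    }


if __name__ == "__main__":
    # Constructed sample: a LAN host answering a VPN client from the 192.168.200.0/24 pool.
    print(compare_policies("192.168.100.9", "192.168.200.3"))
    # The same LAN host going to the Internet: both policies translate.
    print(compare_policies("192.168.100.9", "203.0.113.10"))
```

With the configured list 1 the LAN-to-pool reply is translated to the Dialer0 address before the crypto map sees it; with a route-map built on ACL 102 it is left alone. The model says nothing about which of the two the router actually applies beyond what the visible config states, but it is the first thing to verify when LAN hosts are unreachable from VPN clients.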
It doesn't look like anything is being sent through the VPN tunnel. The decrypt counter does not increase.
Can you please try to connect via a different ISP and see if that makes a difference?
You can also try to connect from another PC and see if that makes a difference.
The configuration on the router seems correct to me.
-
Router Access List - where it is applied?
I seem to be missing something here. I have an 1841 router that has an access list configured, and it actually drops packets based on this access list. I can't for the life of me see where this access list is applied. Can anyone provide an overview? Here is the output of "show run":
R-H1BR1#sh run
Building configuration...

Current configuration : 3391 bytes
!
! No configuration change since last restart
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R-H1BR1
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 51200
no logging console
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
ip domain name p911.positron-psap.com
ip name-server 10.4.0.1
ip name-server 10.4.0.2
ip name-server 10.5.0.3
ip name-server 10.5.0.4
ip multicast-routing
multilink bundle-name authenticated
!
!
username * privilege 15 secret 5 *
archive
 log config
  hidekeys
!
!
ip tftp source-interface FastEthernet0/0.1
!
!
!
interface Tunnel5
 description * TUNNEL to NODE B (Multicast only) *
 ip address 10.250.4.1 255.255.255.252
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 ip tcp adjust-mss 1436
 keepalive 1 6
 tunnel source 10.4.15.254
 tunnel destination 10.5.15.254
!
interface Tunnel25
 description * TUNNEL to SATELLITE 25 (Multicast only) *
 ip address 10.250.25.1 255.255.255.252
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 ip tcp adjust-mss 1436
 keepalive 1 6
 tunnel source 10.4.15.254
 tunnel destination 10.25.15.254
!
interface FastEthernet0/0
 description * to Switch 1 last Port *
 no ip address
 speed 100
 full-duplex
 keepalive 1
!
interface FastEthernet0/0.1
 description * BACKROOM LAN *
 encapsulation dot1Q 1 native
 ip address 10.4.15.253 255.255.240.0
 ip pim neighbor-filter DENY
 ip pim dr-priority 255
 ip pim query-interval 1
 ip pim state-refresh origination-interval 4
 ip pim dense-mode
 no ip mroute-cache
 keepalive 1
 standby delay minimum 45 reload 60
 standby 1 ip 10.4.15.254
 standby 1 timers 1 3
 standby 1 preempt delay minimum 15 reload 15 sync 15
!
interface FastEthernet0/1
 description * BETWEEN R1 and R2 *
 ip address 10.252.204.1 255.255.255.252
 no ip proxy-arp
 ip hello-interval eigrp 2604 1
 ip hold-time eigrp 2604 2
 no ip mroute-cache
 speed 100
 full-duplex
 keepalive 1
!
interface FastEthernet0/0/0
 description * WAN connection to H2 *
 ip address 172.16.215.246 255.255.255.0
 speed 100
 full-duplex
 keepalive 1
!
interface FastEthernet0/0/1
 description * connection to AAU *
 ip address 192.168.10.1 255.255.255.0
 speed 100
 full-duplex
 keepalive 1
 standby delay minimum 45 reload 60
 standby 3 ip 192.168.10.3
 standby 3 timers 1 3
 standby 3 preempt delay minimum 15 reload 15 sync 15
!
router eigrp 2604
 redistribute static
 passive-interface FastEthernet0/0.1
 passive-interface FastEthernet0/0/1
 network 10.4.0.0 0.0.15.255
 network 10.252.0.0 0.0.255.255
 network 172.16.215.0 0.0.0.255
 no auto-summary
!
ip forward-protocol nd
ip route 10.119.138.0 255.255.254.0 192.168.10.13
ip route 10.121.1.0 255.255.255.0 192.168.10.13
!
!
no ip http server
ip mroute 10.5.0.0 255.255.240.0 Tunnel5
ip mroute 10.25.0.0 255.255.240.0 Tunnel25
!
ip access-list standard DENY
 deny   any
!
logging source-interface FastEthernet0/0.1
logging server-arp
logging 10.4.0.1
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet
line vty 5 15
 exec-timeout 0 0
 login
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17177530
ntp server 10.4.0.1
end
R-H1BR1#
I guess you are looking for:
interface FastEthernet0/0.1
 description * BACKROOM LAN *
 encapsulation dot1Q 1 native
 ip address 10.4.15.253 255.255.240.0
 ip pim neighbor-filter DENY
?
Best regards,
Milan
-
Lock the AnyConnect VPN with broader access list
I'm trying to lock down my AnyConnect VPN interface. I use split tunneling. I want only HTTP traffic to an external HTTP server we have, and FTP to another external server, to go through the tunnel. I don't want anything else through the tunnel or anywhere else allowed on our network. With my current setup, I can connect to the VPN and ping the servers' external IP addresses, but not by name. I also can't browse anywhere else while I'm connected. It is not imperative for me to browse anywhere else when connected, but I need to allow only the access specified above.
Configuration:
group-policy Anyconnect attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WebAccessVPN
 webvpn
  url-list none
  svc ask enable default webvpn
access-list WebAccessVPN extended permit icmp any host FTP-EXT object-group Ping_and_Trace log disable
access-list WebAccessVPN remark External FTP access
access-list WebAccessVPN extended permit tcp any host FTP-EXT object-group DM_INLINE_TCP_2 log disable
access-list WebAccessVPN extended permit icmp any host LICENSING-EXT object-group Ping_and_Trace log disable
access-list WebAccessVPN extended permit object-group TCPUDP any host LICENSING-EXT eq www log disable
access-list WebAccessVPN extended deny ip any object-group DM_INLINE_NETWORK_1
You can use the vpn-filter under the group-policy attributes. In the vpn-filter you can reference the access list you created.
-
An access list has been configured on a router to block an IP address. Can additional IPs be added to the original access list at a later date?
e.g.
(config)#access-list 5 deny 10.10.117.0 0.0.0.255
(config)#access-list 5 permit any
Can we use access list 5 to block additional IP addresses, or do we need to create a new access list?
Of course you can.
Let's take this example:
R2#sh ip access-lists
Standard IP access list 5
    10 deny 10.10.117.0 0.0.0.255
    20 permit any
You can do it like this:
R2(config)#ip access-list standard 5
R2(config-std-nacl)#no 20
R2(config-std-nacl)#end
then start putting in the deny statements you want, such as:
(config)#access-list 5 deny 10.10.118.0 0.0.0.255
(config)#access-list 5 deny 10.10.119.0 0.0.0.255
then put your permit:
(config)#access-list 5 permit any
Remember that without the permit, everything not permitted by the ACL will be denied, because of the implicit deny all at the end of each ACL.
The permit any at the end takes care of that.
Good luck
Please rate if useful
-
Different 'outside_cryptomap access-list"for each VPN?
Hello
Just for my understanding.
I have one VPN connected to my Cisco ASA 5520. When I tried to add another VPN, I had to create a second crypto map. Can't I create a group so there is only one crypto map?
Currently I have:
access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
I just added:
access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
But I was wondering if I could use something like:
access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks
If I do this, though, I guess it will cause a problem with the address in hand?
You must use a different access-list in the crypto map for each VPN.
-
access-list on a 2500 series router
Hello
I want to deny traffic from a specific IP connected to the 2500 series router, and I want to do it on the router. Is adding an 'access-list 6 deny 192.168.148.13' command enough to drop packets from that address, or is another statement necessary?
Thanks in advance.
You must also apply the ACL on the interface on which the traffic arrives.
Use "ip access-group 6 in" on the interface.
"in" specifies that packets entering this interface must be checked against the list.
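The ACL-editing answer above (access list 5) and this 2500-series question rest on the same two facts: entries are tried in sequence order with the first match winning, and a plain "access-list N ..." line is always appended after the existing entries, with an implicit deny after the last one. The Python model below is an added example, not code from either thread or from Cisco; it keeps a numbered standard ACL as an ordered list of entries the way IOS does, and replays both situations: the deny appended after "permit any" that never gets reached, the remove-then-re-add procedure from the answer, and "access-list 6 deny 192.168.148.13" with and without a following "permit any". The class and function names and the sample host 192.168.148.14 are constructed for the example.

```python
# Added example, not from either forum thread: a numbered standard IOS ACL kept as
# an ordered list of (sequence, action, network, wildcard) entries, evaluated
# first-match with the implicit "deny any" at the end.
import ipaddress
from typing import List, Tuple

Entry = Tuple[int, str, str, str]   # (seq, action, network, wildcard)
ANY_NET, ANY_WC = "0.0.0.0", "255.255.255.255"


def _wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must be equal."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


class StandardAcl:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, action: str, network: str = ANY_NET, wildcard: str = ANY_WC) -> int:
        """'access-list N <action> ...' always adds at the end, seq = last + 10."""
        seq = self.entries[-1][0] + 10 if self.entries else 10
        self.entries.append((seq, action, network, wildcard))
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' inside 'ip access-list standard N'."""
        self.entries = [e for e in self.entries if e[0] != seq]

    def evaluate(self, src: str) -> str:
        """First matching entry wins; no match falls through to the implicit deny."""
        for _, action, network, wildcard in self.entries:
            if _wildcard_match(src, network, wildcard):
                return action
        return "deny"

    def lines(self) -> List[str]:
        """Roughly what 'show ip access-lists' prints for the entries."""
        out = []
        for seq, action, network, wildcard in self.entries:
            target = "any" if (network, wildcard) == (ANY_NET, ANY_WC) \
                else f"{network}, wildcard bits {wildcard}"
            out.append(f"{seq} {action} {target}")
        return out


def naive_edit() -> StandardAcl:
    """ACL 5 from the thread, then a new deny typed as-is: it lands after 'permit any'."""
    acl = StandardAcl()
    acl.append("deny", "10.10.117.0", "0.0.0.255")   # 10
    acl.append("permit")                             # 20 permit any
    acl.append("deny", "10.10.118.0", "0.0.0.255")   # 30, never reached
    return acl


def recommended_edit() -> StandardAcl:
    """The answer's procedure: remove line 20, add the denies, re-add 'permit any'."""
    acl = StandardAcl()
    acl.append("deny", "10.10.117.0", "0.0.0.255")
    acl.append("permit")
    acl.remove(20)
    acl.append("deny", "10.10.118.0", "0.0.0.255")
    acl.append("deny", "10.10.119.0", "0.0.0.255")
    acl.append("permit")
    return acl


def single_deny_acl(with_permit: bool) -> StandardAcl:
    """The 2500 question: 'access-list 6 deny 192.168.148.13' alone, or followed by 'permit any'."""
    acl = StandardAcl()
    acl.append("deny", "192.168.148.13", "0.0.0.0")
    if with_permit:
        acl.append("permit")
    return acl


if __name__ == "__main__":
    for name, acl in [("naive", naive_edit()), ("recommended", recommended_edit())]:
        print(name, acl.lines(), "10.10.118.5 ->", acl.evaluate("10.10.118.5"))
    print("ACL 6 without permit, other host ->", single_deny_acl(False).evaluate("192.168.148.14"))
    print("ACL 6 with permit, other host ->", single_deny_acl(True).evaluate("192.168.148.14"))
```

The model only covers source-address matching, which is all a standard ACL does; it does not model applying the list to an interface with "ip access-group", which the answer above points out is still required before any packet is dropped.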