sick of frustration... 501 and ACL

Hey all, what gives.

I'm working on a PIX 501 and I can't get the ACL to work to save my life. I'm new at this and obviously missing something. I have a 501 connected to a cable broadband account; the public IP comes through DHCP. I want to limit all outgoing traffic to ports 80, 110 and 53.

I add the following commands.

access-l 125 permit tcp any any eq 80
access-l 125 permit tcp any any eq 53
access-l 125 permit tcp any any eq 110
access-l 125 deny ip any any
access-g 125 in interface inside

Everything falls to the interface, I think. I am able to browse the net, use Kazaa and sof2 throughout the day if I use the default configuration provided by the firewall. I posted this before and actually got it to work once. I tried to repeat the process, but failed.

any help is GREATLY appreciated

humbly yours

MB

Add

access-l 125 permit udp any any eq 53

DNS lookups use UDP, not TCP. You will probably find that your DNS resolution does not work, so when you browse to a web server by name it fails, because the first thing your PC does is a name lookup.
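As an added example (not code from the original thread), here is a small Python model of how the PIX walks an access list: entries are tried in order, the first match decides, and anything unmatched hits the implicit deny. It parses the poster's `access-l 125 ... any any [eq port]` lines and checks them against constructed sample flows, which shows the UDP/53 lookup being dropped until the reply's entry is added, and that HTTPS would be blocked by either list.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port (0 where the protocol has none)


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport: Optional[int]  # None matches any destination port


def parse_ace(line: str) -> Ace:
    """Parse `access-list <id> <permit|deny> <proto> any any [eq <port>]`
    (only the `any any` source/destination form used in the thread)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] not in ("access-list", "access-l"):
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if tok[4:6] != ["any", "any"]:
        raise ValueError("only 'any any' source/destination is handled here")
    dport = None
    if len(tok) > 6:
        if len(tok) != 8 or tok[6] != "eq":
            raise ValueError(f"bad port clause in {line!r}")
        dport = int(tok[7])
    return Ace(action, proto, dport)


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; a flow matching no entry is denied."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every PIX access list


# The poster's entries, with the garbled last line read as `deny ip any any`.
ORIGINAL = [
    "access-l 125 permit tcp any any eq 80",
    "access-l 125 permit tcp any any eq 53",
    "access-l 125 permit tcp any any eq 110",
    "access-l 125 deny ip any any",
]
# The same list with the reply's UDP/53 entry inserted before the deny.
FIXED = ORIGINAL[:3] + ["access-l 125 permit udp any any eq 53"] + ORIGINAL[3:]

# Constructed sample flows a client behind the PIX would generate.
SAMPLE_FLOWS = {
    "http": Flow("tcp", 80),
    "pop3": Flow("tcp", 110),
    "dns query (udp)": Flow("udp", 53),
    "dns over tcp": Flow("tcp", 53),
    "https": Flow("tcp", 443),  # absent from both lists, so always denied
}


def decisions(lines: List[str], flows: Optional[Dict[str, Flow]] = None) -> Dict[str, str]:
    """Evaluate every sample flow against the access list given as text lines."""
    acl = [parse_ace(line) for line in lines]
    return {name: evaluate(acl, flow) for name, flow in (flows or SAMPLE_FLOWS).items()}
```

Calling `decisions(ORIGINAL)` and `decisions(FIXED)` side by side shows the UDP/53 flow flip from deny to permit while everything else stays the same.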

Tags: Cisco Security

Similar Questions

  • processing order of encryption and ACLs

    Hi people,

    I am preparing for a test lab and have the following scenario:

    R6---172.16.50/24---PIX---172.16.10/24--R1

    On R6 I have two interfaces:

    lo0 6.6.6.6/24

    FA0/1 172.16.50.50/24

    R1 has two interfaces:

    lo0 1.1.1.1/24

    E0 172.16.10.1/24

    I want to protect all traffic between network 6.6.6.0 and network 1.1.1.0 with IPSec. I use ESP to protect the traffic.

    Another condition is that I want to put an ACL on e0 allowing IPSec traffic.

    I created an ACL named ACL_E0_IN that is applied on e0 for inbound traffic.

    R1#sh access-lists
    Extended IP access list ACL_E0_IN
        permit esp host 172.16.50.50 host 172.16.10.1 (15 matches)
        permit udp host 172.16.50.50 host 172.16.10.1 eq isakmp (116 matches)
        deny icmp host 6.6.6.6 host 1.1.1.1 log (5 matches)

    Ping from R6 to R1 does not work:

    R6#p 1.1.1.1 source lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Packet sent with a source address of 6.6.6.6
    .....
    Success rate is 0% (0/5)
    R6#

    On R1, I get the following message:

    *Mar  8 03:58:37.917: %SEC-6-IPACCESSLOGDP: list ACL_E0_IN denied icmp 6.6.6.6 -> 1.1.1.1 (8/0), 4 packets

    This scenario works ONLY when I allow ICMP from R6 as well as ESP traffic.

    I wonder why the decrypted packets are denied by the ACL. I expected the ACL to be processed BEFORE the packet is decrypted. When I look at the hit counters on the ACL, it seems that the ACL is checked twice.

    Does someone have an idea of the exact order of encryption and ACL processing?

    Thank you

    Michael

    Attached you will find the configs of the R1 and R6

    Michael

    I recently saw an explanation of encryption and ACLs indicating that there has recently been a change in behavior. In most versions of IOS, the behavior is as you describe: the packet is evaluated by the ACL twice. The explanation is that the packet is first evaluated in its encrypted state to check that it is something that should be processed. After the packet has been decrypted, IOS needs to evaluate the decrypted packet to see if things like Quality of Service need to be applied. So basically the decrypted packet passes through the interface again, and through the ACL again. In recent versions of the code (12.3(4)T, if memory serves) a change was made and the packet now goes through the ACL only once.

    HTH

    Rick

  • Satellite 5100 501 and installation of Vista

    Hello!

    Is it possible to run Vista Business on 5100-501? No problem with drivers?

    WBR

    I can't say for sure if this is possible or not, but I know with certainty that the Satellite 5100 is not a Vista-supported laptop and Toshiba will not offer Vista drivers for this older model.

    If you test it please report results.

  • ASA 5520 IPSEC L2L and ACL

    Just a quick question. I have two ASAs with a site-to-site VPN tunnel built between them. One is the central administration site and the other is a remote site. On the remote site, I have the following IPs as local hosts:

    192.168.1.5

    192.168.1.6

    192.168.1.55

    Those workstations attempt to access the following destination networks:

    10.1.1.0/24

    10.1.2.0/24

    10.1.3.0/24

    In my interesting traffic on the remote end, I set it to use

    IP 192.168.1.0 255.255.255.0 ---> 10.1.0.0 255.255.0.0

    On the central headquarters side, my interesting traffic looks like

    IP 10.1.0.0 255.255.0.0 ---> 192.168.1.0 255.255.255.0

    So now I'm encrypting IP traffic between 10.1.0.0/16 and 192.168.1.0/24. This part works very well. But now I want to put an ACL on the tunnel to allow ONLY 3 hosts on 192.168.1.x on some ports to the 3 subnets. This is done by group policy for a LAN-to-LAN tunnel. If I apply a group policy and define an IPv4 filter, will this accomplish what I'm shooting for?

    I am doing this in ASDM, so keep this in mind when you explain how to solve this problem.

    Thanks in advance,

    I should stay in bed...

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

  • 1.2 of the ISE and ACL with several ports

    When creating a DACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of the entries within the DACL, and the syntax check validated it. When I pushed it to my groups it worked too, but I have heard that this type of multi-port ACL is not supported in ISE. Does anyone know if this is accurate?

    You can implement several DACLs to control access and it works perfectly with ISE

    Please rate useful posts.

  • PIX IPSec and ACL issues

    Hello

    On a PIX 515E v.6.3.5.

    Are there three ACLs that can come into play when setting up an IPSec VPN on a PIX? (I hear a roar of "It depends")

    1. nat (0) ACL - to NOT NAT traffic that is part of the IPSec VPN

    2. Crypto ACL - ACL that distinguishes whether the traffic is destined for the IPSec tunnel.

    3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

    Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?

    The mirroring of ACLs, which is suggested (required) on both sides of the IPSec tunnel, applies to which ACL?

    Thank you

    Dan

    pdvcisco wrote:

    Hello,

    On a PIX 515E v.6.3.5.

    Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends" )

    1. Nat (0) ACL  - to NOT nat traffic this is part of the IPSec VPN

    2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.

    3. ACL - ACL to permit | deny traffic after ACL #1 and #2.

    Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?

    The mirroring of ACL's, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?

    Thanks,

    Dan

    Dan

    It depends

    (1) is not always used, because with a site-to-site VPN sometimes you need to NAT your internal addressing

    (2) always necessary

    (3) if "sysopt connection permit-ipsec" is configured, any ACL on the interface where the VPN terminates is bypassed. If it is not enabled then once packets are decrypted they are checked against the ACL.

    Mirrored ACLs are required.

    Jon

  • L2L pix 501 and remote access VPN

    Hi, I'm working on an old PIX 501 with software 6.3(5). It already has a remote access VPN configured and working very well, but now it needs an L2L implemented. One thing: I'm trying to do all the work remotely via VPN or SSH to the box. I don't know what's on the other end, but they swear it is set up, and maybe my problem is that when I start putting in the commands for the other VPN it breaks the remote access VPN. One thing I have to do is NAT a host on the inside to appear as another host on the far end. I use these commands, and I think it works but can't say for sure.

    access-list 101 permit ip remote_network 255.255.255.0 host local_server

    static (inside,outside) 10.1.0.203 access-list 101

    then

    access-list 102 permit ip host 10.1.0.203 host 192.168.50.83
    access-list 102 permit ip host 10.1.0.203 host 192.168.50.86
    access-list 102 permit ip host 10.1.0.203 host 192.168.50.50
    access-list 102 permit ip host 10.1.0.203 host 192.168.50.85

    and use it to match against

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map emds-map 10 ipsec-isakmp
    crypto map emds-map 10 match address 102
    crypto map emds-map 10 set peer remote_vpn_server
    crypto map emds-map 10 set transform-set ESP-3DES-SHA

    then

    isakmp key magic_key address remote_vpn_server netmask 255.255.255.255
    isakmp identity hostname
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400

    and that is where it usually breaks the VPN. I don't know if the other VPN works, since I'm not able to get to this server to try to ping. I don't really like to try this stuff remotely but I don't have a lot of choice at the moment.

    Any thoughts?

    Thank you

    Jarrid Graham

    Yes, just use different sequence numbers with 1 crypto map name. Please also ensure that your dynamic crypto map, which is for your VPN clients, sits further down the crypto map (higher number), because you want to make sure that the static crypto map (for the LAN-to-LAN tunnel) has higher precedence (lower number).

    The isakmp policy sequence number does not need to match; it is processed from top to bottom (lower number to higher number), and as long as 1 isakmp policy set matches the remote peer, it will negotiate properly.

    Hope that answers your question, and please rate useful posts. Thank you.

  • Problems with PIX 501 and Server MS Cert

    Hi all

    I have two problems with my PIX 501:

    1. Enrollment works well. The PIX has a certificate and uses it for SSL and VPN connections. But after a reload, the PIX certificate is lost and it regenerates a self-signed certificate again!

    Yes, I did "write mem" and "ca save all"!

    2. On the CRL request to the CA, I get the following debug:

    Crypto CA thread wakes!

    CRYPTO_PKI: Cannot be named County ava

    CRYPTO_PKI: transaction GetCRL completed

    Crypto CA thread sleeps!

    CI thread wakes!

    And the CRL is empty.

    Does anyone have any idea?

    Bert Koelewijn

    Not sure about 1, but 2 is usually caused by the CDP (CRL Distribution Point, basically the location the PIX can download the revocation list from) listed in the CA cert being in a format the PIX doesn't support, generally an LDAP URL.

    Try the following:

    Open the CA (Certification Authority) administration tool, then

    1) right-click on the CA name and choose "Properties".

    2) click on the "Policy Module" tab.

    3) click on the "Configure" button.

    4) click on the "X.509 Extensions" tab.

    From there you can see the list of "CRL Distribution Points".

    Turn off everything that isn't HTTP.

    You'll need to reinstall the cert on the PIX, I think, but then it should be able to download the CRL via HTTP instead of LDAP.

  • PIX 501 and VPN Linksys router (WRV200)

    I inherited a job where we have a Cisco PIX 501 firewall at a single site and Linksys WRV200 VPN routers at two other sites. I was asked to connect these Linksys routers to the PIX firewall via VPN.

    As far as I can tell, the Linksys VPN routers can only connect via IPSec VPN. I'm looking for help configuring the PIX 501 so the Linksys can connect with the following, if possible.

    Key exchange method: Auto (IKE)

    Encryption: Auto, 3DES, AES128, AES192, AES256

    Authentication: MD5

    Pre Shared Key: xxx

    PFS: Enabled

    ISAKMP key lifetime: 28800

    IPSec key lifetime: 3600

    On the PIX, I installed PDM and tried to use the VPN wizard, without result.

    I chose the following settings when running the VPN Wizard:

    Type of VPN: remote access VPN

    Interface: outside

    Type of VPN client device used: Cisco VPN Client

    (can choose Cisco VPN 3000 Client, MS Windows Client using L2TP, MS Windows Client using PPTP)

    VPN client group

    Group name: RabyEstates

    Pre Shared Key: rabytest

    Extended client authentication: disabled

    Address pool

    Pool name: VPN-LAN

    Range start: 192.168.2.200

    Range end: 192.168.2.250

    DNS/WINS/default domain: none

    IKE policy

    Encryption: 3DES

    Authentication: MD5

    Diffie-Hellman group: Group 2 (1024 bits)

    Transform set

    Encryption: 3DES

    Authentication: MD5

    I have attached the VPN log of the Linksys VPN router.

    This is the first time I have ever worked with a PIX so I'm still trying to figure the thing out, but I'm confident at CCNA-level networking.

    Thanks for your help!

    Hello

    Everything looks fine to me; try having a computer on each network and ping between them. Check the logs/debugs and fix from there.

    Let me know.

    See you soon,

    Daniel

  • PIX 501 and pcAnywhere access rules

    Hello

    I'm having a problem implementing pcAnywhere remote access to 2 servers on the inside network. I created 2 static rules and 2 access lists to start, but I can't get through to the server. These are the settings:

    static (inside,outside) tcp 7x.x.x.x 5631 172.16.x.x 5631 netmask 255.255.255.255

    static (inside,outside) udp 7x.x.x.x 5632 172.16.x.x 5632 netmask 255.255.255.255

    access-list inbound permit tcp any host 172.16.x.x eq 5631

    access-list inbound permit udp any host 172.16.x.x eq 5632

    access-group inbound in interface outside

    Using PIX version 6.3

    I also tried an access-list for terminal server access as another method, but that doesn't go either.

    There are no other rules.

    Any ideas why this would not work?

    TIA

    Vince

    Your external ACL must reference the public IP address of your server:

    access-list inbound permit tcp any host 7x.x.x.x eq 5631

    access-list inbound permit udp any host 7x.x.x.x eq 5632

  • PIX 501 and DES, 3DES, AES

    For a newly produced PIX 501,

    (1) are the DES, 3DES and AES activation keys all pre-installed?

    (2) how can I find out which of them is pre-installed on my PIX 501?

    (3) when I create a VPN server (on the PIX 501), I see that all three of DES, 3DES and AES are available in the drop-down list of the PDM configuration screen. Does that mean my PIX 501 has all three of them (DES, 3DES and AES)? If the answer is no, and assuming that only DES is preinstalled on the PIX 501, then why/how can 3DES and AES appear in the drop-down list?

    Thank you for helping.

    Scott

    Should be included already; it depends on how new your PIX 501 is.

    To be sure, log in to the console and type:

    show version

    See the example show version output:

    pixfirewall(config)# show version

    Cisco PIX Firewall Version 6.2(3)
    Cisco PIX Device Manager Version 2.0(1)

    Compiled on Thu 17-Apr-02 21:18 by Manu

    pixdoc515 up 9 days 3 hours

    Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0050.54ff.3772, irq 10
    1: ethernet1: address is 0050.54ff.3773, irq 7
    2: ethernet2: address is 00d0.b792.409d, irq 11

    Licensed Features:
    Failover:           Enabled
    VPN-DES:            Enabled
    VPN-3DES:           Enabled
    Maximum Interfaces: 6
    Cut-through Proxy:  Enabled
    Guards:             Enabled
    URL-filtering:      Enabled
    Inside Hosts:       Unlimited
    Throughput:         Unlimited
    IKE peers:          Unlimited

    Serial Number: 480221353 (0x1c9f98a9)
    Running Activation Key: 0x36df4255 0x246dc5fc 0x39d2ec4d 0x09f6288f
    Configuration last modified by enable_15 at 12:15:28.311 UTC Wed May 1 2002
    pixfirewall(config)#

    Here you should see whether DES, 3DES or AES encryption is enabled or not. If you only have DES, you can use the following link and get a new activation key for free that enables 3DES and AES.

    https://Tools.Cisco.com/swift/licensing/JSP/formGenerator/Pix3DesMsgDisplay.jsp

    sincerely

    Patrick

  • Update from 11.2.0.4 to 12.1.0.2 and ACL

    Hello;

    Oracle Linux 6.7

    Oracle 11.2.0.4

    During the manual upgrade from Oracle 11.2.0.4 to Oracle 12.1.0.2, I stumbled on ORA-01830, which was corrected by dropping the ACL I had created.

    I looked at MOS 1958876.1 and the query it provides to "extract/backup xml stored ACL".

    My simple question is: does someone have a better query for that they are willing to share?

    Best regards

    mseberg

    Lesson

    Do not use "extract/backup xml stored ACL". Drop the ACL and recreate.

    So if the ACL has been dropped, I will need the following to recreate it:

    ACL - DBA_NETWORK_ACL_PRIVILEGES

    Description

    PRINCIPAL - DBA_NETWORK_ACL_PRIVILEGES

    IS_GRANT - DBA_NETWORK_ACL_PRIVILEGES

    privilege - DBA_NETWORK_ACL_PRIVILEGES

    HOST - DBA_NETWORK_ACLS

    lower_port - DBA_NETWORK_ACLS

    upper_port - DBA_NETWORK_ACLS

    The description may not match the old one, but that's all.

  • Error in mail and acl apex

    We receive the ORA-24247: network access denied by access control list (ACL) error, and after following the instructions in the APEX Administrator's Guide, we are still unable to send e-mail. The above message continues to display.

    In our environment, we have our application on 1 server and our database on another server. Is there a different e-mail configuration for when the application and the database are on different servers?

    I checked:
    SELECT * FROM DBA_NETWORK_ACL_PRIVILEGES

    ACL                               ACLID                             PRINCIPAL         PRIVILEGE  IS_GRANT  INVERT
    /sys/acls/local-access-users.xml  C6DFCE496D3B5654E040160A1E0865C3  APEX_040100       connect    true      false
    /sys/acls/mailserver_acl.xml      D644F57F87573998E040160A1E0801A5  APEX_040200       connect    true      false
    /sys/acls/mailserver_acl.xml      D644F57F87573998E040160A1E0801A5  APEX_040200       resolve    true      false
    /sys/acls/www.xml                 C1FE22142B2E6F40E040160A1E081BDB  SORS              connect    true      false
    /sys/acls/www.xml                 C1FE22142B2E6F40E040160A1E081BDB  SORS              resolve    true      false
    /sys/acls/www.xml                 C1FE22142B2E6F40E040160A1E081BDB  APEX_PUBLIC_USER  connect    true      false
    /sys/acls/www.xml                 C1FE22142B2E6F40E040160A1E081BDB  APEX_PUBLIC_USER  resolve    true      false

    Please help!

    Hi "Hunk09"

    Sorry for apparently asking obvious questions, but I cannot assume anything.

    (1) Is your SMTP server / SMTP relay really on your database server where APEX is installed?

    (2) Does it listen on port 25?

    (3) You seem to have had APEX 4.1 installed previously. Did you have this same problem with APEX 4.1?

    (4) Do your instance e-mail settings at the APEX Instance Administration level also specify localhost on port 25?

    Joel

  • Hard drive and computer frustrations.

    Well, I'll start by saying that I searched Google for answers and I'm getting a bunch of mixed responses and comments. So I'm here in the hope of figuring this out.

    I have a Dell Inspiron 531 and it came with Vista (chills just ran down my back! haha). Well, recently I went ahead and did a clean install of Windows 10 on it. It seems to work really well with it too... except for a number of things.

    I tried to install a 2nd hard drive but it is not recognized in Disk Manager, and it does not show up in the BIOS boot list. The hard drive is not an SSD, it's a 1 TB that was in my old computer (which was running Windows 7). I don't want Windows 7 or anything like that on it as an OS to boot from; the 2nd drive is all storage. But it is not detected on my computer.

    So here's some info that might help you...

    I checked the cables to the hard drive, and also put the SATA cable into different SATA ports on the motherboard and used different SATA data cables. The hard drive still works in my other old computer. So it seems the HD is not the problem.

    I noticed the BIOS is 1.0.7 and the currently available version is 1.0.13, and I have to use one day of BACK or something like that. But some places online say that I shouldn't update the BIOS because I can damage the computer. Some say that I need Windows XP?

    The computer is still a clean install and it looks like Windows 10 installed all the drivers for everything.

    Should I update the BIOS? Do you think the Windows 7 OS on the 2nd hard drive is what keeps popping up?

    I'm also considering doing a clean reinstall of Windows 10, but this time following the update order on the Dell site ("install the drivers in the order: applications, drivers, firmware and BIOS"). I would like to know what you think of this idea... or maybe install the BIOS first then the rest.

    I also installed an AMD Radeon R5 220 in the computer. It takes a little more time to start. Is this normal? I wanted to have two screens, so I just slipped that in and it seems to work fine except for the startup. It takes more time to start before the Dell logo appears. Then it's a quick start from there.

    Sorry for the late reply. I got caught up with work.

    I figured it out later.

    In the BIOS, if you go to... Advanced > Integrated Peripherals > Serial-ATA Configuration, then set the SATA controller to SATA 1+2

    And that's all!

  • WLC and ACLs traffic flow

    Hello world

    For a WLC I need to configure strict ACLs on the traffic flow.

    Do I have to configure the ACL in both directions?

    As on the ASA return traffic is allowed because it's stateful; do I need an ACL for return traffic from the outside to the inside as well?

    Regards

    MAhesh

    Hello

    It depends, but in general, you need to configure in both directions.

    Have a look here:

    http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/wireless-LAN...

    Regards
