sick of frustration... 501 and ACL
Hey all, what gives.
I worked on a pix 501 and I can't get the ACL to save my life. I'm new on this and obviously missing something. I have a 501 connected to a cable broadband account is public ip through DHCP. I want to limit all traffic going out to 80, 110 and 53.
I add the following commands.
access-l 125 permit tcp any any eq 80
access-l 125 permit tcp any any eq 53
access-l 125 permit tcp any any eq 110
access-l 125 deny ip any one
access-g 125 in interface inside
everything falls to the interface I think. I am able to browse the net, Kazaa, sof2 throughout the day if I use the default configuration provided by the firewall. I posted this before and actually got it to work once. I tried to repeat the process, but failed.
any help is GREATLY appreciated
humbly yours
MB
Add
> access-l 125 permit udp any how any eq 53
DNS searches with UDP, TCP not. You will find probably your DNS resolution does not work, so when you navigate to a web server by name it will fail, because the first thing that your PC will do is a name search.
Tags: Cisco Security
Similar Questions
-
processing order of encryption and ACLs
Hi people,
I am preparing to a test lab and have the following scenario:
R6---172.16.50/24---PIX---172.16.10/24--R1
R6 I have two interfaces:
lo0 6.6.6.6/24
FA0/1 172.16.50.50/24
R1 two int:
lo0 1.1.1.1/24
E0 172.16.10.1/24
I want to protect all traffic between the 6.6.6.0 and network 1.1.1.0 with IPSec. I use ESP to protect traffic.
Another condition is that I want to put an ACL to e0 allowing IPSec traffic.
I created an ACL named ACL_E0_IN that is applied on e0 for inbound traffic.
R1 #sh of access lists
Expand the IP ACL_E0_IN access list
esp permits 172.16.50.50 host 172.16.10.1 (15 matches)
permit udp host 172.16.50.50 host 172.16.10.1 eq isakmp (116 matches)
refuse the log host 1.1.1.1 icmp host 6.6.6.6 (5 matches)
Ping of R6 R1 does not work:
R6 #p 1.1.1.1 source lo 0
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes of 1.1.1.1, time-out is 2 seconds:
Packet sent with the address source 6.6.6.6
.....
Success rate is 0% (0/5)
R6 #.
On the R1, I get the following message:
* 8 Mar 03:58:37.917: % s-6-IPACCESSLOGDP: ACL_E0_IN denied icmp 6.6.6.6 - list
> 1.1.1.1 (8/0), 4 packs
This scenario works ONLY when I allow ICMP of R6 and ESP traffic.
I wonder why the decrypted packets are denied by the ACL. I expect that the ACL is processed BEFORE the packet is decrypted. When I look at the meter on the hit of the ACL, it seems that the ACL is checked twice.
Someone at - it an idea on the exact order of encryption and the treatment of the ACL?
Thank you
Michael
Attached you will find the configs of the R1 and R6
Michael
I recently saw an explanation of encryption and ACLs that indicates there has recently been a change in behavior. In most versions of IOS, the behavior is as you describe, the package is evaluated by the ACL twice. The explanation is that the package is evaluated first in his State encrypted to check that it was something that must be dealt with. After the package has been decrypted, the IOS necessary to assess the package decrypted to see if things like the quality of Service necessary to apply. So basically the decrypted packet passed through the interface again and the ACL again. In recent versions of the code (12.3 (4) T, if memory serves) a change has been made and the package will now go through the ACL only once.
HTH
Rick
-
Satellite 5100 501 and installation of Vista
Hello!
Is it possible to run Vista Business on 5100-501? No problem with drivers?
WBR
I can't say for sure if this is possible or not, but I know with certainty that the Satellite 5100 is not Vista supported for laptop and Toshiba will not offer a Vista driver for this older model laptop.
If you test it please report results.
-
Just a quick question. I have two ASA with a vpn site-to-site tunnel built between them. One is the Central Administration
site and the other is a remote site. On the remote site, I have the following IP as local hosts:
192.168.1.5
192.168.1.6
192.168.1.55
Those workstations attempt to access networks according to destination
10.1.1.0 24
10.1.2.0 24
10.1.3.0 24
In my interesting traffic on the remote end, I set myself to use
IP 192.168.1.0 255.255.255.0---> 10.1.0.0 255.255.0.0
On the side of the Central Headquarters, my interesting traffic looks like
IP 10.1.0.0 255.255.0.0---> 192.168.1.0 255.255.255.0
So now I'm encrypting IP traffic between 10.1.0.0 24 16 to 192.168.1.0. This part works very well. But now I want to put an ACL
the tunnel to allow ONLY 3 hosts on the 192.168.1.x on some ports for 3 subnets. This is done by group policy for a tunnel from Lan Lan 2. If I apply a group policy and define a filter of IPV4. This will accomplish what I'm shooting?
I am doing this on the ASDM, so keep this in mind when you try to explain to me how to solve this problem.
Thanks in advance,
I should stay in bed...
-
1.2 of the ISE and ACL with several ports
When you create a DACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my acl within the DACL and the validated syntax checking. When I pushed my groups too, it worked but I have heard that this type of port several ACL in ISE is not supported. Does anyone know if this is accurate?
You can implement several DACL to control access and the sound works perfectly with ISE
Note the useful messages *.
-
Hello
On a PIX 515E v.6.3.5.
There are three lists ACL that can come into play when setting up an IPSec VPN on a PIX? (I hear a sound of 'It depends')
1 Nat (0) ACL - NOT NAT traffic, it is part of the IPSec VPN
2 crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.
3 ACL - ACL to allow | deny traffic after ACL #1 and #2.
#3 "Allow packet IPSec to bypass the blocking of access list" If the "ipsec sysopt connection permit" command is configured and ONLY for the #3 ACL? In other words the sysopt does not participate on ACL #1 or 2 above?
The mirroring of the ACL, which is suggested (required) to both sides of the tunnel IPSec applies to what ACL?
Thank you
Dan
pdvcisco wrote:
Hello,
On a PIX 515E v.6.3.5.
Are there three ACL lists that can come in to play when configuring an IPSec VPN on a PIX? (I hear a roar of "It depends" )
1. Nat (0) ACL - to NOT nat traffic this is part of the IPSec VPN
2. Crypto ACL - ACL that distinguishes if the traffic is destined for the IPSec tunnel.
3. ACL - ACL to permit | deny traffic after ACL #1 and #2.
Does #3 "enable IPSec packets to bypass access list blocking" if the "sysopt connection permit-ipsec" command is configured, and ONLY on ACL #3? In other words the sysopt doesn't participate on ACL #1 or 2 listed above?
The mirroring of ACL's, that is suggested (required) for both sides of the IPSec tunnel applies to which ACL?
Thanks,
Dan
Dan
It depends on
(1) is not always used, because with a site to site VPN sometimes you need to NAT your addressing internal
(2) always necessary
(3) if the "ipsec sysopt connection permit" is set up any ACLs on the interface where the VPN is finished is bypassed. If it is not enabled then once packets are decrypted they are then checked against the acl.
Mirrored ACLs is required.
Jon
-
L2L pix 501 and remote access VPN
Hi, I'm working on an old 501 PIX w / Software 6.3 (5), he already have access to remote VPN configuration and works very well, but now he needs a L2L implemented. One thing I try to do all the work remotely via VPN or ssh to the machine. I don't know what's on the other end, but they swear that it is set up and maybe my problem is when I start putting in orders for the other VPN it breaks the remote VPN access. One thing that I have to do is NAT a host on the inside to appear as another host on the end. I use these commands and I think it works cannot be said.
access-list 101 permit ip remote_network 255.255.255.0 local_server host
public static 10.1.0.203 (inside, outside) - access list 101
then
access-list 102 permit ip host 10.1.0.203 192.168.50.83
access-list 102 permit ip host 10.1.0.203 192.168.50.86
access-list 102 permit ip host 10.1.0.203 192.168.50.50
access-list 102 permit ip host 10.1.0.203 192.168.50.85and use it to match against
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
EMDs-map 10 ipsec-isakmp crypto map
correspondence address card crypto emds-map 10 102
card crypto emds-map 10 peers set remote_vpn_server
card crypto emds-card 10 set of transformation-ESP-3DES-SHAthen
ISAKMP key magic_key address remote_vpn_server netmask 255.255.255.255
ISAKMP identity hostname
part of pre authentication ISAKMP policy 10
ISAKMP policy 10 3des encryption
ISAKMP policy 10 sha hash
10 1 ISAKMP policy group
ISAKMP life duration strategy 10 86400and that is where it usually breaks the VPN, I don't know if the other VPN works due to not being not able to get to this server to try to ping, I don't really like to try this stuff remotely but I don't have a lot of choice at the moment.
Any thoughts?
Thank you
Jarrid Graham
Yes, just use the number of different sequence with 1 name of the crypto map. Please also ensure that your dynamic crypto map, which is your vpn client has the sequence down the crypto map (more), because you want to make sure that the static crypto map (for lan-to-lan tunnel has higher sequence number (lower number)).
The political isakmp sequence number does not match, it is processed from top to bottom (number less than the high number) and also long 1 set of isakmp policy corresponds to the remote peer, it will be negotiated properly.
Hope that answers your question and please note useful post. Thank you.
-
Problems with PIX 501 and Server MS Cert
Hi all
I have two problems with my PIX 501:
1. registration works well. The pix has a certificate and use it with SSL and VPN connections. But after a refill, the pix certificate is lost and it has regenerated again self-signed certificate!
Yes, I wrote mem and ca records all!
2. at the request of ca CRL
, I get the following debugging: Crypto CA thread wakes!
CRYPTO_PKI: Cannot be named County ava
CRYPTO_PKI: transaction GetCRL completed
Crypto CA thread sleeps!
CI thread wakes!
And the CRL is empty.
Does anyone have any idea?
Bert Koelewijn
Not sure about 1, but 2 is usually caused by the COP (Point of Distribution of CRL, basically the situation where the PIX can download the Revocation list from) listed in cert CA is in a format the PIX does not, generally an LDAP URL.
Check the following prayer:
Open the administration tool of CA (Certification Authority) then
(1) right click on the name of CA and choose 'properties '.
2) click on the tab "Policy Module".
3) click on the button "configure."
4) click on the tab "X.509 extensions".
> From there, it can display the list of the "CRL Distribution Points".
Turn off everything that isn't HTTP.
You need to reinstall the CERT in the PIX, I think, but then it should be able to download the CRL through HTTP instead of LDAP.
-
PIX 501 and VPN Linksys router (WRV200)
I inherited a work where we have a Cisco PIX 501 firewall to a single site and Linksys WRV200 Router VPN on two other
sites. Asked me to connect these routers Linksys firewall PIX via the VPN.
According to me, the Linksys vpn routers can only connect via IPSec VPN, I'm looking for help on the configuration of the PIX 501 for the linksys to connect with the following, if possible.
Key exchange method: Auto (IKE)
Encryption: Auto, 3DES, AES128, AES192, AES256
Authentication: MD5
Pre Shared Key: xxx
PFS: Enabled
Life ISAKMP key: 28800
Life of key IPSec: 3600
The pix, I installed MDP and I tried to use the VPN wizard without result.
I chose the following settings when you make the VPN Wizard:
Type of VPN: remote VPN access
Interface: outside
Type of Client VPN device used: Cisco VPN Client
(can choose customer of Cisco VPN 3000, MS Windows Client by using the client MS Windows using L2TP, PPTP)
VPN clients group
Name of Group: RabyEstates
Pre Shared Key: rabytest
Scope of the Client authentication: disabled
Address pool
Name of the cluster: VPN - LAN
Starter course: 192.168.2.200
End of row: 192.168.2.250
Domain DNS/WINS/by default: no
IKE policy
Encryption: 3DES
Authentication: MD5
Diffie-Hellman group: Group 2 (1024 bits)
Transform set
Encryption: 3DES
Authentication: MD5
I have attached the log of the VPN Linksys router VPN.
This is the first time that I have ever worked with PIX so I'm still trying to figure the thing to, but I'm confident with the CCNA level network.
Thanks for your help!
Hello
Everything looks fine for me, try to have a computer in every network and ping between them. Check the newspapers/debug and fix them.
Let me know.
See you soon,.
Daniel
-
PIX 501 and pcAnywhere access rules
Hello
I'm having a problem with the implementation of pcANywhere remote access Access 2 servers on the inside network. I created 2 static rules and access lists 2 to start, but I can't get thru to the server. These are the settings
static (inside, outside) 7x.x.x.x 5631 172.16.x.x tcp 5631 255.255.255.255
static (inside, outside) udp 7x.x.x.x 172.16.x.x 5632 5632 255.255.255.255
list of allowed inbound tcp access any host 172.16.x.x eq 5631
list of allowed inbound udp access any host 172.16.x.x eq 5632
Access-group interface incoming outside
Version 6.3 of the PIX using
I also tried access server list terminal server because another method of access, but not go either.
There are no other rules.
Any ideas why this would not work?
TIA
Vince
your external ACL must mention the public IP address of your server:
list of allowed inbound tcp access any host 7x.x.x.x eq 5631
list of allowed inbound udp access any host 7x.x.x.x eq 5632
-
PIX 501 and THE, 3DES, AES
For a version newly produced PIX 501,
(1) are DES, 3DES and AES activation keys all pre-installed?
(2) how I can find on which of them is pre-installed on my PIX 501?
(3) when I create a server VPN (on the PIX 501), I see that all three OF THEM, 3DES and AES are available in the drop-down list of the PDM configuration screen. Does that mean my PIX 501 have all three of them (FROM THE, 3DES and AES)? -If the answer is no, assume that only is preinstalled on PIX 501, then why/how can appear in the drop-down list the 3DES and AES?
Thank you for helping.
Scott
Should be integrated already. depends on the way the news is your PIX 501.
To be sure to log in to the console and type:
See the version
See the example output version:
See the pixfirewall version (config) #.
Cisco PIX Firewall Version 6.2 (3)
Cisco PIX Device Manager Version 2.0 (1)
Updated Thursday April 17 02 21:18 by Manu
pixdoc515 up to 9 days 3 hours
Material: PIX - 515, 64 MB RAM, Pentium 200 MHz processor
I28F640J5 @ 0 x 300 Flash, 16 MB
BIOS Flash AT29C257 @ 0xfffd8000, 32 KB
0: ethernet0: the address is 0050.54ff.3772, irq 10
1: ethernet1: the address is 0050.54ff.3773, irq 7
2: ethernet2: the address is 00d0.b792.409d, irq 11
Features licensed:
Failover: enabled
VPN - A: enabled
VPN-3DES: enabled
Maximum Interfaces: 6
Cut - through Proxy: enabled
Guardians: enabled
URL filtering: enabled
Internal hosts: unlimited
Throughput: unlimited
Peer IKE: unlimited
Serial number: 480221353 (0x1c9f98a9)
Activation key running: 0x36df4255 0x246dc5fc 0x39d2ec4d 0x09f6288f
Modified configuration of enable_15 to 12:15:28.311 UTC Wednesday, may 1, 2002
pixfirewall (config) #.
Here, you should see if THE or 3DES, AES encryption is active or not. If you have just SOME so you can use the following link and get for free a new activation key that allows 3DES and AES.
https://Tools.Cisco.com/swift/licensing/JSP/formGenerator/Pix3DesMsgDisplay.jsp
sincerely
Patrick
-
Update from 11.2.0.4 to 12.1.0.2 and ACL
Hello;
Oracle Linux 6.7
Oracle 11.2.0.4
During the manual upgrade of Oracle 11.2.0.4 Oracle 12.1.0.2, I stumbled on ORA-01830 which was corrected by dropping the ACL, I had created.
I looked at MOS 1958876.1 and the query, it provides "extract/backup xml stored ACL.
My simple question is someone have a better query for that they are willing to share?
Best regards
mseberg
Lesson
Do not use "extract/backup xml stored ACL. Drop the ACL and recreate
So if the ACL has been abandoned, I will need the following to recreate:
ACL - DBA_NETWORK_ACL_PRIVILEGES
Description
main - DBA_NETWORK_ACL_PRIVILEGES
IS_GRANT - DBA_NETWORK_ACL_PRIVILEGES
privilege - DBA_NETWORK_ACL_PRIVILEGES
Home - DBA_NETWORK_ACLS
lower_port - DBA_NETWORK_ACLS
upper_port - DBA_NETWORK_ACLS
Description may not correspond to the former, but that's all.
-
We receive the ORA-24247: network access denied by the ACL access (ACL) error, and after following the instructions in the APEX Administrator's Guide, we are still unable to send e-mails. The above message continues to display.
In our environment, we have our application on the 1 server and our database on another server. Is there a configuration of email different to when the application and the database are on different servers?
I check theSELECT * FROM DBA_NETWORK_ACL_PRIVILEGES
Pls help!/sys/acls/local-access-users.xml C6DFCE496D3B5654E040160A1E0865C3 APEX_040100 connect true false /sys/acls/mailserver_acl.xml D644F57F87573998E040160A1E0801A5 APEX_040200 connect true false /sys/acls/mailserver_acl.xml D644F57F87573998E040160A1E0801A5 APEX_040200 resolve true false /sys/acls/www.xml C1FE22142B2E6F40E040160A1E081BDB SORS connect true false /sys/acls/www.xml C1FE22142B2E6F40E040160A1E081BDB SORS resolve true false /sys/acls/www.xml C1FE22142B2E6F40E040160A1E081BDB APEX_PUBLIC_USER connect true false /sys/acls/www.xml C1FE22142B2E6F40E040160A1E081BDB APEX_PUBLIC_USER resolve true false
Hi "Hunk09"
Sorry for apparently asking obvious questions, but I can not assume anything.
(1) is your SMTP Server / SMTP relay really on your database server where the APEX is installed?
(2) it listens on port 25?
(3) you seem to have APEX 4.1 installed previously. Have you had this same problem with APEX 4.1?
(4) your e-mail settings for instance in APEX Instance Administration level also specify localhost on port 25?
Joel
-
After hard frustrations drive and the computer.
Well, I'll start by saying that I searched google for answers and I'm getting a bunch of mixed responses and comments. So im here in the hope of figuring this out.
I have a Dell Inspiron 531 and it came with Vista (chills just ran down my back! haha). Well recently I went to the front and did install a clean windows 10 on it. It seems that his works really well with it too... except for a number of things.
I tried to install a 2nd hard drive but it does not recognize the hard drive in the Disk Manager, and he will not find it in BIOS boot. The hard drive is not an SSD, it's a 1 to that was in my old computer (which was running windows 7 on it). I don't want windows 7 or something like that on it as an OS to boot from the 2nd. All storage. But it does not detect on my computer.
So here's some info that might help you...
I checked the cables to the hard drive, but also put the SATA cable into different SATA ports on the motherboard and using different SATA data cables. The hard drive in my other old computer still works. So it seems the HD is not the problem.
I noticed the BIOS is 1.0.7 and currently available is 1.0.13 and I have to use one day of BACK or something like that. But some places online say that I shouldn't update the BIOS because I can damage the computer. Some say that I have windows XP?
The computer is still a clean install and it looks like windows 10 installed all the drivers for everything.
Should I update the BIOS? Do you think the windows 7 OS on 2nd hard drive it keeps popping up?
IM also decided to do a clean reinstall of windows 10 but this time, following the order of update on the dell site ("install the drivers in the order of: applications, drivers, firmware and BIOS"). I would like to know what you think of this idea... or maybe to install BIOS first then the rest.
I also installed an AMD Radeon R5 220 in the computer. It takes a little more time to start. Is this normal? I wanted to have two screens, so I just skipped that in and it seems to work fine except for the departure to the top. It takes more time to start before the dell logo appears. Then it's a quick start from that.
Sorry for the late reply. I dealt with the work.
I understand later.
In the BIOS if you will to... Advanced > Integrated Peripherals > Configuration Serial - ATA, then assign the controller SATA SATA 1 + 2
And that's all!
-
Hello world
For WLC I need config as strict ACLs of the traffic flow.
I have to config ACL in both directions?
As in ASA returns traffic is allowed because it's with State I must it ACL for traffic back from the outside to the inside also?
Concerning
MAhesh
Hello
It depends, but in general, you need to configure in both directions.
Have a look here:
http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/wireless-LAN...
Concerning
Maybe you are looking for
-
Screen LED-2311 x - idle time return to the screen of the monitor
Hello the only problem I'm having is that when my computer shuts the screen due to idle time, when I move the mouse to wake up, the monitor will be taken more than 10 seconds to display the... I got more than 5 monitors, all display the screen in 5 s
-
Status of SharePoint Server 2007 Distribution List Email
You have a question about the status of Sharepoint server 2007 distribution list email address, where is the best place to get an answer?
-
Well, I have to tell you my story that I was happy that I bought a "new" (DELL) C.P. and 64 bit vista pre-installed and that he had not. and had some problems with my new! Dell xps 9000 from the GET go > but I learned that I was eligible for a free w
-
Making screen shared to Windows Movie Maker
I have Windows 7 and I'm trying to do a split screen video, so I can demo side, what a single version of a product made and performs in comparison with another product, do the same thing. I can't find in the transitions or effects to do. I have Virtu
-
System Restore gets stuck - Windows 8
Original title: problem restoring Windows 8. I tried to restore my windows 8 on a laptop computer at an earlier date, but after more than a day, the process is still ongoing. I think that the restoting process is stuck, what can I do to solve the pro