SX20 with ACL

Hi guys,

I had an interesting topic for discussion.

There are cases where SX20s are deployed outside the firewall, for security and fiscal reasons.

And with this topology, a link between SX20s that are outside the firewall can be even more dangerous, while their private network is still secure.

However, suppose they use video calls with limited participants (always known participants); it could then be managed with a secure connection.

So we can probably use some function such as an ACL. An ACL is actually included in a Cisco router or switch, but I couldn't find something like this on the Cisco far endpoint. (There is a similar function on the VCS (management area), etc.)

Does anyone have an idea for an ACL on the SX20, or a similar configuration?

Or should I proceed with a Feature Enhancement Request? Then there should be enough requests?

Best regards

Paul

The right place to do the "ACL"-ing would be on the switch/firewall/router between the codec and the internet. You can't do it on the codec itself.

Wayne
--
Remember to rate responses and mark your question as answered as appropriate.

Tags: Cisco Support

Similar Questions

  • Extending the SX20 with 12 x zoom camera

    Good day to all

    Can someone provide me with the pinout necessary to extend the 12x zoom camera control (network cable) when it connects to an SX20 with the cable breakout:

    • SX20
    • Extension cable
    • 12 x zoom camera
    • Right HDMI cable (10 m)

    Thank you!

    It's a straight cable but with pins 3 & 6 swapped. It would be nice if the literature just said this in plain language, in addition to giving you pinout diagrams.

  • SX20 with third party camera

    Hi team,

    Can we connect a Cisco SX20 to a 3rd-party camera?

    Since the SX20 12X comes with an HDMI + power & control cable.

    The only requirement is for the video. The third-party camera has an HDMI output.

    Camera controls & device control will be done by Crestron.

    Someone Pls help on this...

    Thanks & best regards,

    Bharath


    As long as it is a supported resolution, it should work. Personally, I used my camcorder as an input on an EX90 and it worked fine.

  • SX20 with Smart Board

    Hello

    My client is looking at the SX20.

    They would also like to integrate the SX20 with a Smart Board, to display the Smart Board to remote sites.

    My question is, if I do not include the dual display option, is it going to work with the Smart Board?

    Or is it necessary to have the dual display for this particular case?

    Best regards

    Titebiket

    Hi titebiket,

    Yes, you can share your screen through the SX20 - but you will need to either:

    (1) get a TelePresence SYNCH unit

    http://www.Cisco.com/en/us/products/ps11653/index.html

    http://www.Cisco.com/en/us/docs/Telepresence/endpoint/software/synch/synch_release_note_v4-01.PDF

    Camera EOS/EOL

    (2) get a video switch/duplicator that splits the projector cable in two, with one cable going to the presentation input of the codec. Please note that this is not something officially supported by Cisco - so you won't be able to buy the switch/duplicator from Cisco.

    (3) try to use the SX20 with the dual display option. But I don't know if it will work properly, because I have not tested it. However, I have tried option 2.

    Thank you

    Marius

  • SX20 with dual display - can the output be duplicated / cloned

    Hello

    I have an SX20 with dual display running s/w version TC7.3.3.

    Two monitors are connected and I put the configuration as below:

    Setup > Video > Monitors = Dual

    I get the far end on the first monitor and the second shows the presentation content.

    On changing to

    Setup > Video > Monitors = Single

    I get everything - far end, near end and the presentation - on the same screen,

    and then with the changes below

    Setup > Video > SelfviewDefault FullscreenMode > On

    Setup > Video > SelfviewDefault OnMonitorRole > Second

    Setup > Video > Output > HDMI 1 > MonitorRole = 1

    Setup > Video > Output > HDMI 2 > MonitorRole = 1

    the situation is still the same.

    Please help me to find a solution, I need to clone the screens.

    Regards

    Boily

    Well, I think I understand what you want now.

    If the monitors are set to single you will see far end, selfview and presentation all shared on the same screen. However, if the monitors are set to dual, you see the far end on one screen with selfview and presentation on the other. There is no way to just see the far end on both screens without the possibility of selfview or presentation sharing a screen, or taking a whole screen for itself, if one is active.

  • Block a foreign network with ACL

    So my router has been putting entries in Syslog about an intrusion attempt.

    How can I write an ACL that blocks ALL traffic destined for this network:

    NetRange: 23.32.0.0 - 23.67.255.255
    CIDR: 23.64.0.0/14, 23.32.0.0/11

    I am new to ACLs and still in school for Cisco. Bear with me. We still have much to cover on ACLs.

    Thanks a ton!

    Chris

    This could be the ACL to block only these two networks and leave the rest alone. You probably want to google the term 'wildcard mask', which is a mask the other way around:

    ip access-list extended OUTSIDE-IN
     deny ip 23.32.0.0 0.31.255.255 any
     deny ip 23.64.0.0 0.3.255.255 any
     permit ip any any

    The ACL must be applied to the external interface in the inbound direction:

    interface gig 0/0
     description Your public interface
     ip access-group OUTSIDE-IN in

  • Cisco ASA Cisco 831 routing static. help with ACL, maybe?

    Hi all

    What should be a simple task turns out to be difficult and I really need help.

    The Cisco ASA obviously isn't a strong point of mine and I could do with a pointer in the right direction. I hope that this will allow me to learn more about the ASA 5505.

    OK so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 gets DHCP from my cable modem.

    I have a Cisco 831 Ethernet router that will sit between my main LAN and the test LAN I want to implement for multicasting. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 as 10.1.1.1.

    On the ASA I have an inside route 10.0.0.0 255.0.0.0 192.168.254.254.

    On the Cisco 831, there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via the Cisco 831 to the ASA 5505 and the internet, for example I can ping 8.8.8.8 and access everything on my main local network, but the other way, no host inside the ASA 5505 is able to ping anything on 10.1.1.x.

    Where am I going wrong? I opened all my access lists on the ASA, but it is still unable to do anything.

    I will attach my configs here with passwords deleted and would like a good kick in the right direction. Without a doubt it's something simple I'm missing, and I'm sure it's with the ACL on the ASA 5505, as packet tracer said the packet is dropped due to the ACL.

    Thank you. :)

    So all traffic between these two LANs will travel through the ASA on the same interface.
    Then please add this command in the global configuration of the ASA:
    same-security-traffic permit intra-interface

  • help with acl

    I'm trying to block all traffic from the address 192.168.5.6 on port 25 going out a router. All port 25 traffic is supposed to come from a mail server on 192.168.5.201.

    The configuration is a terminal server on 192.168.5.6, and the mail server is 192.168.5.201.

    All users send e-mail via Outlook to the mail server, so any attempt to send a message through any other device or system is unauthorized.

    If I'm not mistaken, the ACL would look like the following:

    access-list 110 permit tcp 192.168.5.201 0.0.0.255 eq 25

    access-list 110 deny tcp 192.168.5.6 0.0.0.255 eq 25

    Is the above correct, or do I need to dig deeper?

    You can configure the following access list, and it will also ensure that the rest of your traffic is not blocked:

    access-list 110 permit tcp host 192.168.5.201 any eq 25
    access-list 110 deny tcp 192.168.5.0 0.0.0.255 any eq 25
    access-list 110 permit ip any any

    The first line will allow only 192.168.5.201 to send e-mail on port 25.

    The second line blocks/denies any other address in subnet 192.168.5.0/24 from sending e-mail on port 25.

    The third line allows everything else to go.

    I hope this helps.

  • SX20 with ISDN link and vcs

    Hi all

    I have an SX20 Quick Set with an ISDN Link device with 4 Numéris.

    I also want to register the SX20 to the VCS.

    On the SX20 there is no secondary network port to connect the ISDN Link device.

    How can I configure the ISDN Link for incoming and outgoing calls, and also register the SX20 to the VCS?

    My SX20 version is 5.1.6 and 1.0.0.

    Hello

    Don't you need a key for unlocking?

    Thank you

    Ravi kr.

  • SG300-10 - need help with ACL

    We recently received an SG300-10 switch and need assistance creating an access list for SSH access. The switch is running

    SW version 1.3.0.62. We want to make sure SSH access is allowed only from the 192.168.1.0 network. We would also like to log all connection attempts to tcp port 22 for SSH. Right now, SSH is accessible from any IP including external (Internet). Here's what we have at the moment. The switch has an IP address of 192.168.1.7.

    ...

    ip access-list extended SSH_access
    permit ip 192.168.1.0 0.0.0.255 192.168.1.7 0.0.0.0
    exit
    line ssh
    exec-timeout 0
    exit

    ...

    External (Internet) users can still try and SSH in. Please advise.

    You have defined an IP access list. Those are for filtering routed traffic, not for controlling access to the switch itself. What's more, it seems that you haven't activated it on any interface (via the access-class command), so it has no effect at all.

    To control access to the switch itself, you must define a management access list and activate it with the management access-class command. Unfortunately the syntax of these differs slightly from standard ACLs. For example:

    management access-list SSH_access
    permit ip-source 192.168.1.0 mask 24 service ssh
    permit service https
    deny
    exit
    management access-class SSH_access

    would allow SSH for the 192.168.1.0 network and HTTPS from everywhere, but reject everything else (i.e. Telnet or HTTP). Details can be found in ch. 11 "Management ACL Commands" of the 300 series CLI Guide.

    HTH

    Tilman

  • Cisco TelePresence SX20 with laptop

    I use a Cisco TelePresence SX20 as a standalone endpoint configured with a public IP address (in Pakistan). I want to connect a laptop (in Canada) to start video conferencing using the laptop camera. Please advise me on the software to install on the laptop so that I can start video conferencing with my SX20 based on the IP configured on the SX20.

    For understanding, kindly refer to the attached partner network layout.

    Please help me, it's urgent.

    Hello

    www.ciscojabbervideo.com

    BR Oleksandr

  • Connect the sx20 with polycom endpoint

    Hi guys

    I would like to know if there are special requirements to connect the Cisco SX20 Quick Set with other brands, for example Polycom, Lifesize, Sony telepresence... The customer has 3 locations and now wants to replace one with the SX20.

    I'm not good with technical issues.

    TKS a lot

    You may need the Multisite licence for conferencing; you will also need a public static IP address, depending on who's going to make the call.

    Other than that, just set up the H323 section in the configuration tab and you're ready to go.

  • Integration of the Cisco Telepresence SX20 with Cisco Telepresence EX60

    Hi all

    I have a question, I have the following device:

    - SX20 set

    - EX60 with touchscreen controller

    Can I know if the EX60 can be deployed in an environment with the SX20? As each of them has call functions, I don't know if they will conflict or not, because I have little knowledge about voice and video. If the devices can be integrated, can I request a deployment guide or configuration guide for these? Thank you very much!

    If your devices are not connected to any call control (VCS or CUCM), search for 'SX20 standalone' in the forums - there are many threads that describe the settings you need to configure. Do the same configuration on the SX and the EX; once this is done, you should be able to call the IP address of one from the other.

    Wayne
    --
    Remember to rate responses and mark your question as answered as appropriate.

  • IOS VPN with NAT need help with ACL?

    What am I forgetting? I have tried other posts, studied known bugs with 12.2(13)T1, etc., and workarounds, but perhaps my other configuration choices interfere with my VPN configuration.

    I can connect and authenticate locally just fine. Stats of the Cisco VPN client 3.6.3 show I'm encrypting traffic to the protected networks, but I cannot get any traffic through to internal hosts once I've connected.

    I removed security tags and replaced all the public IP addresses with fake ones in the hope that someone can point me to what is obvious!

    Thank you very much.

    ----------

    Current configuration: 5508 bytes
    !
    ! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    aaa new-model
    !
    aaa authentication login userauthen local
    ! the method-list keyword 'local' was lost in the garbled original and is assumed here
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    ip domain-name mondomaine.fr
    ip name-server 199.13.28.12
    ip name-server 199.13.29.12
    !
    ip inspect audit-trail
    ip inspect max-incomplete high 1100
    ip inspect one-minute high 1100
    ip inspect name Ethernet_0_1 tcp
    ip inspect name Ethernet_0_1 udp
    ip inspect name Ethernet_0_1 cuseeme
    ip inspect name Ethernet_0_1 ftp
    ip inspect name Ethernet_0_1 h323
    ip inspect name Ethernet_0_1 rcmd
    ip inspect name Ethernet_0_1 realaudio
    ip inspect name Ethernet_0_1 smtp
    ip inspect name Ethernet_0_1 streamworks
    ip inspect name Ethernet_0_1 vdolive
    ip inspect name Ethernet_0_1 sqlnet
    ip inspect name Ethernet_0_1 tftp
    ip inspect name Ethernet_0_1 http java-list 99
    ip inspect name Ethernet_0_1 rtsp
    ip inspect name Ethernet_0_1 netshow
    ip inspect name Ethernet_0_0 tcp
    ip inspect name Ethernet_0_0 ftp
    ip inspect name Ethernet_0_0 udp
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp nat keepalive 20
    !
    crypto isakmp client configuration group vpngroup
     key xxxxxxxxx
     dns 199.13.28.12 199.13.29.12
     domain mydomain.com
     pool vpnpool
     acl 110
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    mta receive maximum-recipients 0
    !
    !
    interface Ethernet0/0
     description connected to Internet
     ip address 199.201.44.198 255.255.255.248
     ip access-group 101 in
     ip nat outside
     ip inspect Ethernet_0_0 in
     no ip route-cache
     no ip mroute-cache
     half-duplex
     crypto map clientmap
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    interface Ethernet0/1
     description connected to private
     ip address 192.168.1.254 255.255.255.0
     ip access-group 100 in
     ip nat inside
     ip inspect Ethernet_0_1 in
     half-duplex
    !
    ip local pool vpnpool 192.168.2.201 192.168.2.210
    ip nat translation timeout 119
    !!
    !! - removed the following line for the VPN configuration
    !! ip nat inside source list 1 interface Ethernet0/0 overload
    !! - replaced by the next line...
    ip nat inside source route-map sheep interface Ethernet0/0 overload
    ip nat inside source static 192.168.1.1 199.201.44.197
    ip classless
    ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
    ip http server
    ip http access-class 7
    ip http authentication local
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 5 permit 192.5.41.40
    access-list 5 permit 192.5.41.41
    access-list 5 deny any
    access-list 7 permit 192.168.1.0 0.0.0.255
    access-list 7 deny any
    access-list 99 deny any
    access-list 100 permit udp any eq rip any eq rip
    access-list 100 permit tcp host 192.168.1.1 any eq www
    access-list 100 permit ip host 192.168.1.1 any
    access-list 100 permit tcp host 192.168.1.2 any eq www
    access-list 100 permit ip host 192.168.1.2 any
    access-list 100 deny ip host 192.168.1.253 any
    access-list 100 permit ip any any
    access-list 101 deny ip host 199.201.44.197 any
    access-list 101 permit tcp any host 199.201.44.197 eq 22
    access-list 101 permit tcp any host 199.201.44.197 eq www
    access-list 101 permit tcp any host 199.201.44.197 eq 115
    access-list 101 permit icmp any host 199.201.44.197
    access-list 101 permit ip any host 199.201.44.198
    access-list 101 permit tcp any host 199.201.44.197 eq 8000
    access-list 101 permit tcp any host 199.201.44.197 eq 8080
    access-list 101 permit tcp any host 199.201.44.197 eq 9090
    access-list 101 permit udp any host 199.201.44.197 eq 7070
    access-list 101 permit udp any host 199.201.44.197 eq 554
    access-list 110 permit ip 192.168.1.0 0.0.0.255 any
    access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 115 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map sheep permit 10
     match ip address 115
    !
    line con 0
     exec-timeout 0 0
     password 7 XXXXXXXXXXXXXXX
    line aux 0
    line vty 0 4
     password 7 XXXXXXXXXXXXXXXX
    !
    ntp clock-period 17208655
    ntp source Ethernet0/0
    ntp access-group peer 5
    ! access-group type reconstructed from garbled text; 'serve-only' assumed
    ntp access-group serve-only 7
    ntp master 3
    ntp server 192.5.41.41
    ntp server 192.5.41.40
    !
    end

    ----------

    Config looks OK; you should be able to get to each internal host EXCEPT 192.168.1.1 with this configuration. If you do a 'sho cry ipsec sa', do you see Pkts Decaps incrementing, indicating that you are seeing the traffic from the remote client? Do you see Pkts Encaps incrementing, indicating that you are sending a response back to the client from the internal host?

    As for 192.168.1.1, because you have this:

    > ip nat inside source static 192.168.1.1 199.201.44.197

    it overrides this:

    > ip nat inside source route-map sheep interface Ethernet0/0 overload

    for this host's traffic only, and therefore return traffic for just this host is always NAT'ed even if you don't want it to be. To work around it, send traffic to this host through a loopback interface with no NAT enabled on it, so that it is not NAT'ed and you can connect via VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you must add this:

    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    interface Ethernet0/1
     ip policy route-map static
    route-map static permit 10
     match ip address 120
     set ip next-hop 1.1.1.2
    access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255

  • Problems with ACL in config IPSec ASA-5504

    I'm putting up an IPSec tunnel between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC-laptop) behind ASA-5540-A. If the crypto map allows all IP through the outside_cryptomap ACL, then the tunnel comes up and an FTP session is established.

    But when I restrict the traffic to FTP, the following error message is generated:

    ... Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside

    Here are the configs, giving only the relevant commands. I added ACL 100 and "access-group 100 in interface inside", but the error has not changed.

    Any idea what I'm missing?

    CRO-ASA5540-A
    names
    name 164.72.1.135 GHC_Laptop description to test the VPN
    name 164.72.1.155 SunMed_pc description to test the VPN
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 164.72.1.129 255.255.255.240
    !
    !
    interface GigabitEthernet0/3
     nameif outside
     security-level 0
     ip address 164.72.1.145 255.255.255.248
    !
    ftp mode passive
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
    access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
    access-list 100 extended permit ip any any
    asdm image disk0:/asdm-603.bin
    access-group 100 in interface inside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 164.72.1.147
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 1 set nat-t-disable
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    group-policy Lan-2-Lan_only internal
    group-policy Lan-2-Lan_only attributes
     vpn-filter none
     vpn-tunnel-protocol IPSec
    tunnel-group 164.72.1.147 type ipsec-l2l
    tunnel-group 164.72.1.147 general-attributes
     default-group-policy Lan-2-Lan_only
    tunnel-group 164.72.1.147 ipsec-attributes
     pre-shared-key *
    !
    : end

    ----------------------------------------------------------------------------------------------------------

    ROC-ASA5540-B# sh run
    ASA Version 8.0(3)
    !
    names
    name 164.72.1.135 GHC_laptop
    name 164.72.1.155 SunMed_PC
    !
    interface GigabitEthernet0/0
     nameif inside
     security-level 100
     ip address 164.72.1.153 255.255.255.248
    !
    interface GigabitEthernet0/3
     nameif outside
     security-level 0
     ip address 164.72.1.147 255.255.255.248
    !
    ftp mode passive
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
    access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
    access-list 100 extended permit ip any any
    asdm image disk0:/asdm-603.bin
    access-group 100 in interface inside
    route outside 164.72.1.128 255.255.255.240 GHC-Medical 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer GHC-Medical
    crypto map outside_map0 1 set transform-set ESP-3DES-SHA
    crypto map outside_map0 1 set nat-t-disable
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 4
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    group-policy Lan-2-Lan internal
    group-policy Lan-2-Lan attributes
     vpn-tunnel-protocol IPSec
    tunnel-group 164.72.1.145 type ipsec-l2l
    tunnel-group 164.72.1.145 general-attributes
     default-group-policy Lan-2-Lan
    tunnel-group 164.72.1.145 ipsec-attributes
     pre-shared-key *
    : end

    Your ACL mapped to the crypto map is suspect on the first device:

    access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1

    The source port should not be defined because it is dynamic.

    The second ACL appears correct:

    access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
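    The three ACL answers in this list (blocking the 23.32.0.0/11 and 23.64.0.0/14 ranges with wildcard masks, permitting SMTP only from the mail server with a permit/deny/permit sequence, and the crypto ACL whose source-port qualifier cannot match a client's ephemeral port) all rest on the same first-match evaluation. The Python below is an added example, not code from any of the threads, from Cisco or from the posters: `cidr_to_wildcard`, `parse_ace`, `evaluate` and `flow` are names chosen here; the syntax handled is a simplified IOS extended-ACL subset (`permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]` with `any`, `host` and wildcard addresses); the crypto ACL is modelled from the client's side as a single-port entry rather than the ASA object-group form; and every flow and address is a constructed sample.

```python
import ipaddress

# ---- wildcard-mask helpers ---------------------------------------------------

def cidr_to_wildcard(cidr):
    """Return (network, wildcard) as IOS writes them.

    The wildcard mask is the subnet mask inverted: a 1 bit means "don't care".
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(ipaddress.ip_address(int(net.hostmask)))


def _addr_matches(addr, base, wildcard):
    """Compare only the bits the wildcard leaves as 0 (the bits we care about)."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (base & care)


# ---- a small parser for the simplified IOS extended-ACL subset (assumed) ----

def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'; return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.ip_address(tokens[1])), 0, tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])),
            int(ipaddress.ip_address(tokens[1])), tokens[2:])


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, rest)."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError("bad action in ACE: " + line)
    src, src_wc, rest = _take_addr(tokens[2:])
    sport, rest = _take_port(rest)
    dst, dst_wc, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    if rest:
        raise ValueError("unparsed tokens in ACE: " + " ".join(rest))
    return {"action": action, "proto": proto, "src": src, "src_wc": src_wc,
            "sport": sport, "dst": dst, "dst_wc": dst_wc, "dport": dport}


def ace_matches(ace, flow):
    """True when every field of the ACE agrees with the flow ('ip' matches any protocol)."""
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    if not _addr_matches(flow["src"], ace["src"], ace["src_wc"]):
        return False
    if not _addr_matches(flow["dst"], ace["dst"], ace["dst_wc"]):
        return False
    if ace["sport"] is not None and ace["sport"] != flow["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != flow["dport"]:
        return False
    return True


def evaluate(acl_lines, flow):
    """First match wins; falling off the end hits the implicit deny, as on IOS."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"], line
    return "deny", "implicit deny"


def flow(proto, src, dst, sport=None, dport=None):
    """Build a constructed sample flow (5-tuple) for evaluation."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


# ---- the ACLs from the threads, plus constructed sample flows ----------------

# "Block a foreign network with ACL": applied inbound on the public interface.
OUTSIDE_IN = ["deny ip 23.32.0.0 0.31.255.255 any",
              "deny ip 23.64.0.0 0.3.255.255 any",
              "permit ip any any"]

# "help with acl": only the mail server may speak SMTP; everything else flows.
SMTP_ACL = ["permit tcp host 192.168.5.201 any eq 25",
            "deny tcp 192.168.5.0 0.0.0.255 any eq 25",
            "permit ip any any"]

# Simplified model of the ASA crypto ACL, seen from the FTP client's side,
# with and without a source-port qualifier (single port instead of object-group).
CRYPTO_ACL_WITH_SPORT = ["permit tcp host 164.72.1.155 eq 21 host 164.72.1.135 eq 21"]
CRYPTO_ACL_NO_SPORT = ["permit tcp host 164.72.1.155 host 164.72.1.135 eq 21"]

# A client never uses 21 as its *source* port; it picks an ephemeral one (constructed).
FTP_CONTROL_FLOW = flow("tcp", "164.72.1.155", "164.72.1.135", sport=51234, dport=21)

if __name__ == "__main__":
    print(cidr_to_wildcard("23.32.0.0/11"), cidr_to_wildcard("23.64.0.0/14"))
    print(evaluate(OUTSIDE_IN, flow("tcp", "23.45.6.7", "198.51.100.10", 40000, 443)))
    print(evaluate(SMTP_ACL, flow("tcp", "192.168.5.6", "203.0.113.25", 40000, 25)))
    print(evaluate(CRYPTO_ACL_WITH_SPORT, FTP_CONTROL_FLOW))
    print(evaluate(CRYPTO_ACL_NO_SPORT, FTP_CONTROL_FLOW))
```

    Running it shows the two wildcard masks the answer gives for 23.32.0.0/11 and 23.64.0.0/14, a deny for a source inside those ranges and a permit for 23.68.0.1 just above them, the SMTP rules behaving exactly as the three-line explanation says, and the crypto ACL with `eq 21` on the source side ending in the implicit deny for a real client flow while the version without the source port permits it.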
