SX20 with ACL
Hi guys,
I have an interesting topic for discussion.
There are cases where SX20s are deployed outside the firewall, for security and fiscal reasons.
With this topology, a link between SX20s that are outside the firewall can be even more dangerous, while the private network behind it is still secure.
However, suppose they only use video calls with a limited set of participants (always known participants); then it could be managed with a secure connection.
So we could probably use a function such as an ACL. ACLs are included in Cisco routers and switches, but I couldn't find anything like this on the Cisco endpoint itself. (There is a similar function on the VCS (management area), etc.)
Does anyone have an idea for an ACL on the SX20, or a similar configuration?
Or should I proceed with a Feature Enhancement Request? And would there then have to be enough requests?
Best regards
Paul
The right place to do the "ACL"ing would be on the switch/firewall/router between the codec and the internet. You can't do it on the codec itself.
Wayne
--
Remember to rate responses and mark your question as answered as appropriate.
Tags: Cisco Support
Similar Questions
-
Extending the SX20 with 12 x zoom camera
Good day to all
Can someone provide me with the pinout necessary to extend the 12x zoom camera control (network cable) when it connects to an SX20 with the breakout cable:
- SX20
- Extension cable
- 12 x zoom camera
- Right HDMI cable (10 m)
Thank you!
It's a straight cable, except for pins 3 & 6. It would be nice if Cisco just described it in plain language, in addition to giving pinout diagrams.
-
Hi team,
Can we connect the Cisco SX20 with a 3rd party camera?
The SX20 12X comes with an HDMI + power & control cable.
The only requirement is for video. The third-party camera has an HDMI output.
Camera control & device control will be done by Crestron.
Someone please help on this...
Thanks & best regards,
Bharath
As long as it is a supported resolution, it should work. Personally, I used my camcorder as an EX90 input and it worked fine.
-
Hello
My client is looking for SX20.
They would also like to integrate the SX20 with a Smart Board, to show the Smart Board to remote sites.
My question is: if I do not include the dual display option, is it going to work with the Smart Board?
Or is it necessary to have dual display for this particular case?
Best regards
Titebiket
Hi titebiket,
Yes, you can share your screen through the SX20, but you will need to either
(1) get a TelePresence SYNCH unit
http://www.Cisco.com/en/us/products/ps11653/index.html
http://www.Cisco.com/en/us/docs/Telepresence/endpoint/software/synch/synch_release_note_v4-01.PDF
(the camera is EOS/EOL)
(2) get a video switch/duplicator that splits the projector cable in two, with one cable going to the presentation input of the codec. Please note that this is not something officially supported by Cisco, so you won't be able to buy the switch/duplicator from Cisco.
(3) try to use the SX20 with the dual display option. But I don't know if it will work properly, because I have not tested it. However, I have tried option 2.
Thank you
Marius
-
SX20 with dual display - can the output be duplicated / cloned?
Hello
I have an SX20 with dual display running s/w version TC7.3.3.
Two monitors are connected and I have set the configuration as below:
Setup > Video > Monitors = Dual
I get the far end and selfview on the first monitor, and the second shows the presentation content.
On changing to
Setup > Video > Monitors = Single
I get everything (far end, near end and the presentation) on the same screen.
I then made the changes below:
Setup > Video > SelfviewDefault > FullscreenMode > On
Setup > Video > SelfviewDefault > OnMonitorRole > Second
Setup > Video > Output > HDMI 1 > MonitorRole = 1
Setup > Video > Output > HDMI 2 > MonitorRole = 1
But the situation is still the same.
Please help me find a solution; I need to clone the screens.
Regards
Boily
Well, I think I understand what you want now.
If Monitors is set to Single you will see far end, selfview and presentation all shared on the same screen. However, if Monitors is set to Dual, you see the far end on one screen, with selfview and presentation on the other. There is no way to see just the far end on both screens without selfview or presentation, if one is active, taking a whole screen for itself.
-
Block a foreign network with ACL
So my router has been logging Syslog entries about attempts from this network.
How can I write an ACL that blocks ALL traffic coming from this network:
NetRange: 23.32.0.0 - 23.67.255.255
CIDR: 23.64.0.0/14, 23.32.0.0/11
I am new to ACLs and still in school for Cisco. Bear with me; we haven't covered ACLs much yet.
Thanks a ton!
Chris
This could be the ACL to block only these two networks and let the rest through. You probably want to google the term "wildcard mask", which is a subnet mask the other way around (a 1 bit means "don't care"):
ip access-list extended OUTSIDE-IN
 deny ip 23.32.0.0 0.31.255.255 any
 deny ip 23.64.0.0 0.3.255.255 any
 permit ip any any
The ACL must be applied to the external interface in the inbound direction:
interface gig 0/0
 description Your public interface
 ip access-group OUTSIDE-IN in
-
Cisco ASA and Cisco 831 static routing. Help with ACL, maybe?
Hi all
What should be a simple task is turning out to be difficult and I really need help.
The Cisco ASA obviously isn't a strong point of mine and I could do with a pointer in the right direction. I hope that this will allow me to learn more about the ASA 5505.
OK, so I have an ASA 5505. VLAN 1 is 192.168.254.1 and VLAN 2 gets DHCP from my cable modem.
I have a Cisco 831 Ethernet router that will sit between my main LAN and the test LAN I want to set up for multicasting. The Cisco 831 has Ethernet 1 as 192.168.254.254 and Ethernet 0 as 10.1.1.1.
On the ASA I have an inside route: 10.0.0.0 255.0.0.0 192.168.254.254.
On the Cisco 831 there is a route 0.0.0.0 0.0.0.0 192.168.254.1. I can pass traffic via the Cisco 831 to the ASA 5505 and the internet; for example I can ping 8.8.8.8 and access everything on my main local network. But the other way, no host inside the ASA 5505 is able to ping anything on 10.1.1.x.
Where am I going wrong? I have allowed all my access on the ASA, but it is still unable to do anything.
I will attach my configs with the passwords removed and would like a good kick in the right direction. Without a doubt it's something simple I'm missing, and I'm sure it's the ACL on the ASA 5505, as packet tracer said the packet was dropped because of the ACL.
Thank you. :)
So all traffic between these two LANs will travel through the ASA, in and out of the same interface.
Then please add this command in the global configuration of the ASA:
same-security-traffic permit intra-interface
-
I'm trying to block all traffic from the address 192.168.5.6 on port 25 going out of a router. All port 25 traffic is supposed to come from a mail server on 192.168.5.201.
The configuration is a terminal server on 192.168.5.6 and the mail server on 192.168.5.201.
All users send e-mail via Outlook to the mail server, so any attempt to send a message through any other device or system is not allowed.
If I'm not mistaken, the ACL would look like the following:
access-list 110 permit tcp 192.168.5.201 0.0.0.255 eq 25
access-list 110 deny tcp 192.168.5.6 0.0.0.255 eq 25
Is the above correct, or do I need to dig deeper?
You can configure the following access list, and it will also ensure that the rest of your traffic is not blocked:
access-list 110 permit tcp host 192.168.5.201 any eq 25
access-list 110 deny tcp 192.168.5.0 0.0.0.255 any eq 25
access-list 110 permit ip any any
The first line will allow only 192.168.5.201 to send e-mail on port 25.
The second line blocks/denies any IP address in the 192.168.5.0/24 subnet from sending e-mail on port 25.
The third line allows everything else to go through.
I hope this helps.
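The two answers above (the wildcard-mask ACL for 23.32.0.0/11 and 23.64.0.0/14, and the port 25 ACL) both depend on the same IOS rules: a wildcard mask is the inverse of the subnet mask, the first matching entry wins, and an unmatched packet hits the implicit deny at the end. The evaluator below is an added example, not Cisco code or code from either thread; it parses only the subset of ACL syntax used on this page and runs the two ACLs against constructed sample packets (203.0.113.10 and 198.51.100.25 are documentation addresses chosen here, not from the threads).

```python
"""Evaluator for the Cisco IOS extended-ACL subset used in this thread.

Added example; not Cisco code. Wildcard masks, first-match semantics and
the implicit deny at the end are modelled as IOS documents them. Only the
syntax used on this page is parsed:
  [access-list N] {permit|deny} {ip|tcp|udp} SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "ssh": 22, "rip": 520}


def wildcard_from_prefix(prefix_len: int) -> str:
    """IOS wildcard = bitwise inverse of the subnet mask, e.g. /11 -> 0.31.255.255."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; only the 0 bits must agree."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = w ^ 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]


def _parse_endpoint(tokens: List[str]):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    tok = tokens.pop(0)
    if tok == "any":
        ep = ("0.0.0.0", "255.255.255.255")
    elif tok == "host":
        ep = (tokens.pop(0), "0.0.0.0")
    else:
        ep = (tok, tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAMES.get(name)
        if port is None:
            port = int(name)
    return ep, port


def parse_acl(text: str) -> List[Ace]:
    """Accept both 'access-list 110 permit ...' and named-ACL 'permit ...' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop 'access-list' and the list number
        if tokens[:1] not in (["permit"], ["deny"]):
            continue  # 'ip access-list extended NAME', comments, etc.
        action, proto = tokens[0], tokens[1]
        rest = tokens[2:]
        src, sport = _parse_endpoint(rest)
        dst, dport = _parse_endpoint(rest)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, src, dst, proto="ip", sport=None, dport=None) -> str:
    """Return 'permit' or 'deny' for one packet: the first matching ACE wins."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


# The two ACLs from the answers above (the /11 and /14 ranges, and the SMTP rule).
OUTSIDE_IN = """
ip access-list extended OUTSIDE-IN
 deny ip 23.32.0.0 0.31.255.255 any
 deny ip 23.64.0.0 0.3.255.255 any
 permit ip any any
"""

SMTP_ACL = """
access-list 110 permit tcp host 192.168.5.201 any eq 25
access-list 110 deny tcp 192.168.5.0 0.0.0.255 any eq 25
access-list 110 permit ip any any
"""

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.10 and 198.51.100.25 are documentation addresses.
    blk = parse_acl(OUTSIDE_IN)
    for ip in ("23.50.1.1", "23.66.0.1", "23.68.0.1", "23.31.255.255"):
        print(ip, evaluate(blk, ip, "203.0.113.10"))
    smtp = parse_acl(SMTP_ACL)
    print(evaluate(smtp, "192.168.5.201", "198.51.100.25", "tcp", 40000, 25))  # permit
    print(evaluate(smtp, "192.168.5.6", "198.51.100.25", "tcp", 40001, 25))    # deny
```

Two things the evaluator makes visible that the ACL text alone does not: 23.68.0.1 is outside both ranges and falls through to `permit ip any any`, and the SMTP list only stops hosts inside 192.168.5.0/24, so a UDP packet or a port 80 connection from 192.168.5.6 is still permitted by the third line.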
-
Hi all
I have an SX20 Quick Set with an ISDN Link device with 4 Numéris lines.
I want to register the SX20 to the VCS as well.
On the SX20 there is no secondary network port to connect the ISDN Link device.
How can I configure the ISDN link for incoming and outgoing calls using ISDN Link, and I also need to register the SX20 to the VCS.
My SX20 version is 5.1.6 and ISDN Link is 1.0.0.
Hello
You won't need a key for unlocking.
Thank you
Ravi kr.
-
We recently received an SG300-10 switch and we need assistance in creating an access list for SSH access. The switch is running
SW version 1.3.0.62. We want to make sure SSH access is allowed only from the 192.168.1.0 network. We would also like to log all connection attempts to TCP port 22 for SSH. Right now, SSH is accessible from any IP, including external (Internet) ones. Here's what we have at the moment. The switch has an IP address of 192.168.1.7.
...
ip access-list extended SSH_access
permit ip 192.168.1.0 0.0.0.255 192.168.1.7 0.0.0.0
exit
line ssh
exec-timeout 0
exit
...
External (Internet) users can still try to SSH in. Please advise.
You have defined an IP access list. Those are for filtering routed traffic, not for controlling access to the switch itself. What's more, it seems you haven't activated it on any interface (via the access-class command), so it has no effect at all.
To control access to the switch itself, you must define a management access list and activate it with the management access-class command. Unfortunately the syntax of these differs slightly from standard ACLs. For example:
management access-list SSH_access
permit ip-source 192.168.1.0 mask 24 service ssh
permit service https
deny
exit
management access-class SSH_access
This allows SSH from the 192.168.1.0 network and HTTPS from everywhere, but rejects everything else (i.e. Telnet or HTTP). Details can be found in ch. 11, "Management ACL Commands", of the 300 series CLI Guide.
HTH
Tilman
-
Cisco TelePresence SX20 with laptop
I use a Cisco TelePresence SX20 as a standalone endpoint configured with a public IP address (in Pakistan). I want to connect a laptop (in Canada) to start video conferencing using the laptop camera. Please advise me on the software to install on the laptop so that I can start videoconferencing with my SX20, based on the IP configured on the SX20.
To understand, kindly refer to the attached network diagram.
Please help me, it's urgent.
Hello
BR Oleksandr
-
Connect the sx20 with polycom endpoint
Hi guys
I would like to know if there are special requirements to connect the Cisco SX20 Quick Set with other brands, for example Polycom, Lifesize or Sony telepresence. The customer has 3 locations and now wants to replace one with the SX20.
I'm not good with technical issues.
Thanks a lot
You may need the MultiSite licence for conferencing; you will also need a public static IP address, depending on who's going to make the call.
Other than that, just set up the H323 section in the configuration tab and you're ready to go.
-
Integration of the Cisco Telepresence SX20 with Cisco Telepresence EX60
Hi all
I have a question, I have the following device:
-SX20 Quick Set
-EX60 with touchscreen controller
Can I know if the EX60 can be deployed in an SX20 environment? As each of them has call functions, I don't know if they will conflict or not, because I have little knowledge about voice and video. If the devices can be integrated, can I request a deployment guide or configuration guide for these? Thank you very much!
If your devices are not connected to any call control (VCS or CUCM), search for "SX20 standalone" in the forums; there are many threads that describe the settings you need to configure. Do the same configuration on the SX and the EX, and once this is done you should be able to call the IP address of one from the other.
Wayne
--
Remember to rate responses and mark your question as answered as appropriate.
-
IOS VPN with NAT need help with ACL?
What am I forgetting? I have tried other posts, studied known bugs with 12.2(13)T1, etc., and workarounds, but perhaps my other configuration choices interfere with my VPN configuration.
I can connect and authenticate locally just fine. Stats of Cisco VPN Client 3.6.3 show I'm encrypting traffic to the protected networks, but I cannot get any traffic through to internal hosts once I've connected.
I removed security tags and replaced all the public IP addresses with fake ones in the hope that someone can point me to what is obvious!
Thank you very much.
----------
Current configuration : 5508 bytes
!
! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip domain name mydomain.com
ip name-server 199.13.28.12
ip name-server 199.13.29.12
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
ip inspect name Ethernet_0_1 http java-list 99
ip inspect name Ethernet_0_1 rtsp
ip inspect name Ethernet_0_1 netshow
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpngroup
 key xxxxxxxxx
 dns 199.13.28.12 199.13.29.12
 domain mydomain.com
 pool vpnpool
 acl 110
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
mta receive maximum-recipients 0
!
!
interface Ethernet0/0
 description connected to the Internet
 ip address 199.201.44.198 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Ethernet_0_0 in
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description connected to the private network
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect Ethernet_0_1 in
 half-duplex
!
ip local pool vpnpool 192.168.2.201 192.168.2.210
ip nat translation timeout 119
!!
!! -removed the following line for the VPN configuration
!! ip nat inside source list 1 interface Ethernet0/0 overload
!! -replaced by the next line...
ip nat inside source route-map sheep interface Ethernet0/0 overload
ip nat inside source static 192.168.1.1 199.201.44.197
ip classless
ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
ip http server
ip http access-class 7
ip http authentication local
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 deny   any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny   any
access-list 99 deny   any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 192.168.1.1 any eq www
access-list 100 permit ip host 192.168.1.1 any
access-list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny   ip host 192.168.1.253 any
access-list 100 permit ip any any
access-list 101 deny   ip host 199.201.44.197 any
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access-list 101 permit ip any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
! ACL 115 exempts LAN-to-VPN-pool traffic from PAT (the "no-NAT" route-map)
route-map sheep permit 10
 match ip address 115
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXX
!
ntp clock-period 17208655
ntp source Ethernet0/0
ntp access-group peer 5
ntp access-group serve-only 7
ntp master 3
ntp server 192.5.41.41
ntp server 192.5.41.40
!
end
----------
Config looks OK; you should be able to get to each internal host EXCEPT 192.168.1.1 with this configuration. If you do a 'sho cry ipsec sa', do you see Pkts Decaps incrementing, indicating that you are receiving the traffic from the remote client? Do you see Pkts Encaps incrementing, indicating that you are sending a response back to the client from the internal host?
As for 192.168.1.1, because you have this:
> ip nat inside source static 192.168.1.1 199.201.44.197
it takes precedence over this:
> ip nat inside source route-map sheep interface Ethernet0/0 overload
for this host's traffic only, and therefore return traffic for just this host is always NAT'd even if you don't want it to be. To work around it, send traffic for this host through a loopback interface with no NAT enabled on it; that stops it being NAT'd and allows you to connect via VPN. See http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you must add this:
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
interface Ethernet0/1
 ip policy route-map static
route-map static permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255
-
Problems with ACL in IPSec config, ASA-5540
I'm setting up an IPSec tunnel between two ASA-5540s. There is a PC (SunMed_PC) behind ASA-5540-B and a laptop (GHC_Laptop) behind ASA-5540-A. If the crypto map allows all IP through the outside_cryptomap ACL, then the tunnel comes up and an FTP session is established.
But when I restrict it to FTP, the following error message is generated:
... Group = 164.72.1.147, IP = 164.72.1.147, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21 on interface outside
Here are the configs, giving only the relevant commands. I added ACL 100 and "access-group 100 in interface inside", but the error has not changed.
No idea what I'm missing?
CRO-ASA5540-A
names
name 164.72.1.135 GHC_Laptop description to test the VPN
name 164.72.1.155 SunMed_pc description to test the VPN
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 164.72.1.129 255.255.255.240
!
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 164.72.1.145 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 164.72.1.147
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.147 type ipsec-l2l
tunnel-group 164.72.1.147 general-attributes
 default-group-policy Lan-2-Lan_only
tunnel-group 164.72.1.147 ipsec-attributes
 pre-shared-key *
!
: end
----------------------------------------------------------------------------------------------------------
ROC-ASA5540-B# sh run
ASA Version 8.0(3)
!
names
name 164.72.1.135 GHC_laptop
name 164.72.1.155 SunMed_PC
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 164.72.1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 164.72.1.147 255.255.255.248
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
access-list 100 extended permit ip any any
asdm image disk0:/asdm-603.bin
access-group 100 in interface inside
route outside 164.72.1.128 255.255.255.240 GHC-Medical 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer GHC-Medical
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 164.72.1.145 type ipsec-l2l
tunnel-group 164.72.1.145 general-attributes
 default-group-policy Lan-2-Lan
tunnel-group 164.72.1.145 ipsec-attributes
 pre-shared-key *
: end
Your ACL mapped to the crypto map is suspect on the first device:
access-list outside_cryptomap extended permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1
The source port should not be defined, because it is dynamic.
The second ACL appears correct:
access-list outside_cryptomap extended permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1
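The "no matching crypto map entry" message in this thread is the responder comparing the proxy identities it received against its own crypto ACL. The check below is an added example, not Cisco code or code from the thread. It assumes the IKEv1 rule that a proposal is accepted only when some local entry is the exact mirror of it (our local selector equals the peer's remote one and vice versa, in network, protocol and port, with port 0 meaning "any") and that an ASA object-group holding two ports expands into one selector per port. It builds the two outside_cryptomap entries from the configs above, parses the logged proxy pair, and reports which selector field of ASA-A's entry differs from the proposal ASA-A logged.

```python
"""Selector (proxy identity) mirror check for an IKEv1 site-to-site tunnel.

Added example; not Cisco code. Assumptions: the responder accepts a Quick Mode
proposal only if one of its crypto-map ACL entries matches it exactly once
the sides are swapped (our local = their remote and vice versa) in network,
protocol and port, with port 0 meaning 'any'; and an ASA object-group
holding two ports expands into one selector per port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """One traffic selector: network, IP protocol (6 = TCP, 0 = any) and port (0 = any)."""
    net: str
    proto: int = 0
    port: int = 0

    @classmethod
    def parse(cls, text: str) -> "Selector":
        """Parse the ASA log form 'addr/mask/proto/port', e.g. '164.72.1.155/255.255.255.255/6/0'."""
        addr, mask, proto, port = text.split("/")
        return cls(str(ipaddress.IPv4Network((addr, mask))), int(proto), int(port))


@dataclass(frozen=True)
class CryptoEntry:
    """One expanded crypto-map ACL entry: local (source) and remote (destination) selectors."""
    local: Selector
    remote: Selector

    def mirror(self) -> "CryptoEntry":
        """What the peer must have configured for this entry to be accepted there."""
        return CryptoEntry(local=self.remote, remote=self.local)


def expand(local_net: str, remote_net: str, proto: int,
           local_ports: List[int], remote_ports: List[int]) -> List[CryptoEntry]:
    """Expand an ACL line with port lists (object-groups) into per-port entries."""
    return [CryptoEntry(Selector(local_net, proto, lp), Selector(remote_net, proto, rp))
            for lp in local_ports for rp in remote_ports]


def required_from_peer(peer_entries: List[CryptoEntry]) -> List[CryptoEntry]:
    """Entries we would need locally to accept everything the peer may propose."""
    return [e.mirror() for e in peer_entries]


def accepts(entries: List[CryptoEntry], needed: CryptoEntry) -> bool:
    """True if some configured entry is exactly the proposal (already in our frame)."""
    return needed in entries


def mismatched_fields(entry: CryptoEntry, needed: CryptoEntry) -> List[Tuple[str, object, object]]:
    """List (field, configured, needed) for every selector field that differs."""
    out = []
    for side in ("local", "remote"):
        ours, theirs = getattr(entry, side), getattr(needed, side)
        for field in ("net", "proto", "port"):
            if getattr(ours, field) != getattr(theirs, field):
                out.append((f"{side}.{field}", getattr(ours, field), getattr(theirs, field)))
    return out


def diagnose(entries: List[CryptoEntry], needed: CryptoEntry) -> Optional[List[Tuple[str, object, object]]]:
    """None if some entry accepts the proposal, else the differences of the closest entry."""
    if accepts(entries, needed):
        return None
    return min((mismatched_fields(e, needed) for e in entries), key=len)


# ASA-A: 'permit tcp host GHC_Laptop eq ftp host SunMed_pc object-group DM_INLINE_TCP_1'
A_ENTRIES = expand("164.72.1.135/32", "164.72.1.155/32", 6, [21], [21, 20])
# ASA-B: 'permit tcp host SunMed_PC host GHC_laptop object-group DM_INLINE_TCP_1'
B_ENTRIES = expand("164.72.1.155/32", "164.72.1.135/32", 6, [0], [21, 20])

# The proposal ASA-A logged, already in A's frame of reference:
# '... remote proxy 164.72.1.155/255.255.255.255/6/0 local proxy 164.72.1.135/255.255.255.255/6/21'
LOGGED = CryptoEntry(local=Selector.parse("164.72.1.135/255.255.255.255/6/21"),
                     remote=Selector.parse("164.72.1.155/255.255.255.255/6/0"))

if __name__ == "__main__":
    print(diagnose(A_ENTRIES, LOGGED))                   # [('remote.port', 21, 0)]
    print(required_from_peer(B_ENTRIES)[0] == LOGGED)    # True: the log is B's first entry, mirrored
    # 'permit ip host A host B' on both sides, the case the poster says brings the tunnel up:
    any_a = expand("164.72.1.135/32", "164.72.1.155/32", 0, [0], [0])
    any_b = expand("164.72.1.155/32", "164.72.1.135/32", 0, [0], [0])
    print(all(accepts(any_a, n) for n in required_from_peer(any_b)))  # True
```

`required_from_peer(B_ENTRIES)` reproduces the exact local/remote pair in the log, which confirms that the message describes ASA-B's first expanded entry arriving at ASA-A; `diagnose` then names the field on ASA-A's side that stops the match. The same routine can be run on any two crypto ACLs before the tunnel is brought up, which is cheaper than reading the rejection out of the log.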