Access Control Lists Deny Traffic From Entering Network
Oct 5, 2011
My network topology consists of 3 directly connected routers where the central router contains sensitive data and i need to block traffic from ENTERING the LAN adjoined to that router. My issue is creating an access list to DENY traffic from entering the network connected to Fa0/1 but ALLOW traffic to exit from that network. I am using one class C network which is subnetted 7 times to provide me with the required LAN's.
View 2 Replies
ADVERTISEMENT
May 13, 2012
I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack.Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put them interfaces into a bridge group which as far as I can tell, essentially makes the router a 2 port switch...I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (infact that is the most important traffic, its how the silly theatre application works). None of the traffic is IP addressed.... ie, each of the devices on the network assign themselves an IP address, and then throw broadcast traffic out on to the "dedicated physical network" that exists between them for communication[CODE]
View 2 Replies
View Related
Jun 29, 2011
I would like to know if exists some configuration using a WLC 4402 that deny network acces to smartphones but not to netbooks and laptops.
View 1 Replies
View Related
Nov 7, 2012
I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the Tunnels. My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block Port 3389 at all. What am I missing? Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels?
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any
ip access-group 145 out interface Internal
This work great on a 2821 Router, but not so much on the ASA.
View 11 Replies
View Related
Jan 20, 2013
I've been digging into some performance issues on a LAN that has a couple of 2960s. The monitoring software I'm using has indicated a high amount of discarded outbound packets (up to 5%). The suggested resolutions were to enable flow control.
My question is does enabling flow control on all ports interrupt network traffic at all? this is a production network so I had already planned on doing it during off hours but also wanted to know if I should be prepared for any significant drop in traffic.
View 14 Replies
View Related
Sep 20, 2012
So I was doing some testing with my BB Playbook where I wanted to see what outside connections it tried to make during startup and whatnot. I have a pix 506e running 6.3(5). I created an simple 'deny ip any any' access list on the inside interface so that the Playbook doesn't actually make any connections, but I set up a 'capture' on the inside interface accepting 'ip any any' to see what kind of traffic I could see heading outbound from the Playbook. Well, it started off showing attempts to query DNS (and failed, naturally), but then after a couple of minutes, it tried to connect to a couple of IPs over port 443 and actually got a response!!! For the life of me, I can't figure out how this can happen. NO traffic should be allowed outbound due to my explicit 'deny' rule, but for some reason some traffic on port 443 made it past the firewall and got a response back. There are no other rules in the access list except the 'deny' rule. My PIX configuration is quite simple and I cannot see anything that would allow the Playbook traffic to circumvent the access list.
I've come to think that either RIM has found away around Cisco access-lists, or there is a bug in the Pix OS. I know it's an old appliance/OS, but still. I wouldn't think it could be THAT easy to bypass the firewall.
View 4 Replies
View Related
Jan 15, 2013
I have new DIA Internet service coming in and unlike the last vendor who provided a router, I am configuring my own. This is my first full Cisco config - I've been looking at this for 3 days now. I have SIP signalling, rtp and default traffic on a (3) t1 multilink (4.5mb). My lan and firewall uses dscp tags and passes them to the 1841 for outbound. The ISP only prioritizes by destination address so I just need the 1841 to respect the tags internally. Inbound, I have only port numbers to go by to differentiate voice traffic and I want to tag EF and CS3 accordingly for use by the 1841 and the rest of my network.
Below is part of my proposed config. I have read tons of Cisco docs and looked at all the queuing methods and this one I understand the best. I am getting the error: "CBWFQ : Can be enabled as an output feature only", so I presume that something is wrong on an input definition somewhere. For now all the firewall functions are done at the actual firewall (Sonicwall NSA) so other than limiting ports to the PBX everything else is just pass-through. Any changes required. IOS is 12.4(4)T1.
[Code]....
View 6 Replies
View Related
Jun 24, 2011
How i can get access lan computer drives with out entering login password
View 1 Replies
View Related
May 17, 2011
i have a stack of 3750 (WS-C3750G-24TS-1U with IOS 12.2(53)SE2).
This is the conf I have:
!
class-map match-all DC_SC-to-DC_UW
match access-group 100
[Code].....
View 4 Replies
View Related
Jul 12, 2012
I need to allow a specifc hostname through my firewall. I found this article: [URL] But it's only for 8.4 updated ASA's and above.
Doing more research, I found this article: [URL] And have been trying to reverse engineer it. Am I on the right track?
View 3 Replies
View Related
Jun 17, 2011
I would like to have the ability to turn off the internet access to my teens computers without effecting myself. I have parental controls on my computer which work great, but this does not work to the other computers that are able to connect wirelessly. I have a router but I am not sure how to access it.
View 3 Replies
View Related
Sep 8, 2011
I am a part of small IT company and I need to know if there's a good program I can get to control file access on the network.
Here is my scenario : 5 users on a network with their own workstations, IT Technicians, Sales and Marketing, Admin, HR and Manager...All these users need to access different files on the network so here is what I want, I need for the IT guy to log on into his PC and only see files that he needs on his account and the same thing should apply for other users on their accounts..They should only see files and folders that are relevant to them.
Which program can I get to ensure I achieve this?
View 3 Replies
View Related
Feb 16, 2013
We recently deployed ACS 5.3 on a VM, while the main purpose of implementation was to control access (authentication/authorization) on network devices; Can we use the same user to authenticate users' access to our wired network? So only users with a valid credentials on our Windows AD can have access to the network?
View 1 Replies
View Related
May 9, 2012
I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
None of them ever removed any lines from the configuration, and none did any documentation. When examining the actual configuration from a CLI perspective:
1. Does an ADSM- created access list end with any specific ADSM- added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?
View 4 Replies
View Related
Mar 29, 2011
I am using a Pix 515 with IOS 8.0(3).I have in my access list on the outside interface.......access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply.......in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.
Why doesn't the hit count show up in the ASDM gui display?Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
In the config there is 'timeout icmp 00:00:02' if there is no stateful connection for ICMP, why is there a timeout value for it?
View 4 Replies
View Related
Dec 11, 2006
I have reconfigure my Cisco 3825 for ssh after we lost the config sue to a power faliure. I have reconfigure the same way it was configured before and working properly.
when I try to access the router using Putty ssh, I get to the authentication screen but after entering uername and password (enable secrete and line password the same) i get access denied.
Below is the ssh and line configuration on the router. I have seen the pdf that has been recommended here at Netpro and have followed that document but still having problem:
[code]...
View 16 Replies
View Related
May 29, 2013
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
I am running sw version 15.0(1)SE2.
View 1 Replies
View Related
May 8, 2012
I have been told that if an access list is created with the suffix _access_in, that if the preifx is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that. I looking at the config of an ASA 5550.
example:
Interface is Production
access list is called Production_access_in.
Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?
View 4 Replies
View Related
Apr 30, 2013
Yesterday, I configured ASA via CLI for Static PAT and created some entries in an access-list. I will be testing that setup this evening.
However on a quick double check of the settings on the device via ASDM I could not see the acess-list settings. I searched every tab and found nothing so I PuTTYed into the device and checked the running config. The rules I created were right there. Is this something I should expect? If so doesn't it defeat the point of having a GUI if it does not show a complete running config?
View 2 Replies
View Related
May 25, 2013
I have 5508 controller in my lab. I am working on a project to set up a public internet but with some condition.
- User should able to connect to the SSID without any authentication.
- Once user will connec to the SSID it should redirect to an external URL which indicates terms and condition and email address field.
- User should enter his/her email address in email addrss filed and click I accept button.
- Once that is done then he/she is allowed to access internet.
We are not sure how can we achive this as I do not know what should be the return value for WLC to allow that user to go through or what should be the settings on the WLC to redirect to the page.
I have seen a settings on web authentication for external URL but I guess it is only for username passwor or Radius authentication. While in this case I do not want to use any authentication just an accept buttor or Decline button and all good to go.
View 2 Replies
View Related
Aug 13, 2012
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny
[code].....
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.
View 2 Replies
View Related
Aug 14, 2012
Got an ASA5505 connected to another endpoint running IPsec and being NAT'd at each end to a 10.0.0.0/24 network. I can pass other types of traffic through the ASA 5505 but not RTP traffic. The moment it is NAT'd and hits the firewall rules it gets denied by the default deny at the bottom of the list.
Currently the rules are as follows
Incoming External
allow ip any any
allow tcp any any
allow udp any any
default deny
[code]....
It wont allow us to setup a voip call...however when the same call manager sets up a voip call NOT using this ipsec tunnel it works just fine.
View 3 Replies
View Related
Mar 17, 2013
I want to configure accesslists on my Catalyst 3750X-switches to protect different VLANs/networks. Any best-practices about inbound versus outbound accesslists? In my head it is more readable and easier to understand the config when accesslists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source-VLANs. But of course, from a performance point-of-view it is better to use inbound access-lists to avoid un-necessary routing etc.
View 1 Replies
View Related
Jun 8, 2012
i have Cisco L3 switch configured with diff vlan and assign diff subnet for all vlan . if i connect pc to vlan 2 i am able to ping host related to other vlan
View 5 Replies
View Related
Apr 1, 2013
Is it possible to deny all access except specific IP's to a service on a Dlink DIR-655 ?Say a web server on port 1234.The allowed IP's are not in a range.
View 1 Replies
View Related
May 28, 2013
I need developing a acl that can block a computer on the LAN from accessing the internet from midnight to 7am everyday. The router is a 857W, the computer is 192.168.2.33 the internal gw 192.168.2.254 (dialer 1 is 1.2.3.4).acl 101 deny tcp host 192.168.2.33 eq wwwwhat I need to figure out is how to add a time based acl to just this computer.
View 2 Replies
View Related
Jun 12, 2011
I have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
View 1 Replies
View Related
Dec 5, 2011
We have a 3750 which has a few vlans configured. One Vlan is for public access wifi and another for our security system (door access, cameras, etc.). I don't want the public wifi vlan to access the security system vlan. How can I accomplish this in the 3750?
View 4 Replies
View Related
Apr 5, 2012
I have a 2801 router. Is there another way to deny access to a specify web site ( like youtube, facebook .. etc ) without create acl's with specifed ip's ? The router doesen't support url filtering. I thought to do something like redirect traffic to another site : for example if one client want to access url.. that the browser will open url...
View 4 Replies
View Related
Apr 3, 2012
We are an A/V integrator and AMX shop and provide our clients with support through the use of VPN tunnels from our RV042 router to their mostly RVS4000 routers.Support is provided through access of remote site equipment using VNC, Telnet, FTP, etc. from multiple PC's at our main office.Netbios is not turned on, but the remote sites have the ability to access equipment on our local LAN should they know our private IP address range.Is there any way to limit the acces from the remote sites back to our LAN while maintaining our access to the equipment on their LAN?I know that one can limt the IP address range on on end of the VPN, but I would like to limit the ability of remote sites to gain "any" access to our LAN. If there's any way to just prevent all traffic from an IP address range on the remote site, that would also do.
View 1 Replies
View Related
Jan 18, 2011
I set-up my law firm network with a server 2008 database. Now I am renting out one of my offices to a separate lawyer and I want him to be able to use my network to access the internet, but not my server 2008. Is that possible or is it already secure being I haven't installed any of my software on his computer?
View 2 Replies
View Related
Jul 5, 2012
Recently a router crashed and some suspicious about the client arised. The point is that now the order is to deny all kind of router admin access for the client. I was thinking, is this a good idea or will be better to give him limited access to the router, to avoid the client to try to access the router at all cost? Something like to stop the motivation to crack the router password.
View 7 Replies
View Related
Sep 18, 2012
How to protect shared folders to denie access from server???i am really in need of a software where i can share files on network but i don't want the system administrator to access those files.
View 1 Replies
View Related
