Cisco :: Access Control List Not Behaving As Expected
Dec 18, 2011
I have an extended acl on my VLAN interface in bound and it is working like I need it to, securing one side of my network from the other allowing only what I want from my desktops to my servers. The acls look something like this:
Traffic is initiated from vlan100 not from vlan70 then back through so an established rule does not work. Also there are many more ports open in my inbound acl but this is simplified for ease of reading.I want to make sure if I place both an inbound and outbound rule on my vlan and that it is in the right place, both on the same vlan.
I have recently purchased 2911 routers running 15.1 to replicate a system I had implemented using 2811 routers running 12.4 a few years ago. None of my applications and servers have changed, but trying to determine why my router access-list on my serial links are not behaving the same. I don't keep up with Cisco changes.
On my original system, which is a private network that distributes a lot of udp broadcast and multicast data to remote sites over 64k serial lines, I manage some of the udp broadcast data using access-lists. When I check on my 2811-based system, "show ip access-list" shows a nice distribution of filter hits showing my expected deny/permit access-list entries working as expected allowing me to filter the particular udp broadcast ports of interest on the various serial interfaces.
On my 2911 based system, with most other elements the same, the access-list is not working correctly, and I see data getting through the access control to the other side of the serial link. Using tcp dump and other tools on the remote systems my routers attach to, it looks like the access control is basically ignored... though if I "shutdown / no shutdown" the serial link between the routers, it definitely stops and restarts the flow of data, so I know data is traveling over that interface... when I run "show ip access-list" on the 2911, I see tons of hits on one deny filter, and the last "ip permit any any" filter, but other deny udp any any eq XXX port filters are simply not registering denies.. which should be triggering since I see my server sending the data, and my client systems receiving the extra data I am supposed to be filtering on the router...
Is there potentially a new feature or command set option that I am missing to correctly filter outbound data from my serial links?
On 2811 w/ an HWIC 4A/S int s0/0/0 ip access-group sample1 out ip access-list extended sample1 {code]...
access-list <#> permit/deny <protocol> <sourceAddress> <sourceMask> <destinationAdd> <destinationMask>Say I applied an ACL inbound on Fa0/0, would the source address be the outside the LAN?So if took the same ACL and applied it as outbound, would the source need to be change to an IP inside the LAN?I am a bit confused by the data flow I'm seeing in packet tracer simulation mode to. I set up an ACL for testing purposes "access-list 199 permit ip 193.20.30.0 0.0.0.63 any" set as inbound, the idea being it permits any traffic from the .0 subnet.When I watch the packet in the simulation, it makes it to the destination address then is dropped by the router on it's way back out to the sender.
I am copying files form one server to another using Bightserv ARCserve Backup, now the files copy over however the access control list to the files isn't.Does anybody no away around this?
I've been working on an application recently that practice ACL configuration, and since finishing I figured it should be put on the internet as there wasnt much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.
I have a sip gateway (AS5400) that is used to connect sip providers to our internal voice network.Internal gateway (10.1.1.2 LAN) -- SIP trunk -- AS5400 (10.1.1.3 LAN/ 8.23.23.43 WAN) -- SIP trunk -- Internet SIP Provider We encountered the following problem :A SIP call from internal gateway to the sip provider could establish but was muted on our side (sip provider could hear us)On the WAN interface of the AS5400, there is a ACL that filter traffic IN coming from SIP Provider
interface GigabitEthernet0/0 ip address 8.23.23.43 255.255.255.224 ip access-group 101 in
I log the deny on this ACL and I saw some udp packets denied with LAN addresses !*Mar 3 15:24:44.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.3(0) -> 10.1.1.2 (0), 1 packet I did not bind anything on the sip config.When I changed the ACLs, calls went well.Why do I see LAN packets on the WAN interface ?
I am having some issues with creating an ACL for my gateway router.I want to block external access to my network 192.168.1.0/24 from internet so i set up the ACL on the WAN port of my 7200 router asI am using named extened access list -
{ deny ip any 192.168.1.0 0.0.0.255 log permit ip any any } and i applied this inbound accesslist on the WAN port of router as "ip access-group acl-in in"
Now i have blocked the external traffic to my network 192.168.1.0/24 but the issue i am having is i am also unable to reach outside now. All i want is to block external traffic on the router WAN port but allow internal traffic to outside. Did i miss anything in the access list?
We have WLC 4402 and LWAP 1510In access control list menu, all needed rule added and the last rule deny any to any We use Ethernet bridging on LWAP and some clients connect with wire network that associated with Ethernet bridge LWAP, Now when deny rule applied the client that connect with wired network couldn't established VPN connection or another service to the routing and remote server, I create rule that permit any to routing and remote server.
I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the Tunnels. My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block Port 3389 at all. What am I missing? Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels?
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
I'm trying to limit my kids' access to the internet during the night, since I caught them plugging their laptops and the Xbox into the router's Ethernet ports late at night so they could circumvent the wireless guest access. The problem is, I only have 5 available control slots and the list of devices I browse to choose from is vague at best. Half of the devices listed in parental controls say "Network Device" and the other half say "iPhone" or "iPad". Isn't there an easy way to choose the correct devices to restrict, like by IP or MAC address? And if not, why is this so confusing and difficult? I have a family of 10 in my house and everyone is connecting with their own phn or 3 iPads, 2 laptops, 2 desktop PCs, 1 Xbox and 1 PS3.I tried limiting the DHCP Reservation list, but that seems to only affect the wireless access, not the 4 ethernet port connections.
We have almost identical networks in two offices, with the only difference being, one uses an RV042 and the other an RV082.The setup is: two WAG54GS ADSL modems carry PPOA ADSL connections with static IPs to the two WAN ports of the RV0XX.The WAG54GS routers are configured to DMZ all incoming traffic to the relevant WAN IP of the RV0XXs. VPN pass-through is also set on them. The RV0XX port forwarding is set to forward a selection of traffic such as, PPTP, HTTP, HTTPS, RDP, POP3, SMTP and Remote Desk to the external adapter of an SBS 2003 server which processes all operations including ISA and Exchange.Mail for Exchange arrive through both ADSL connections for redundancy. VPN connection requests from remote users to the SBS come in through both ADSL connections.The office fitted with RV042 works fine and does all the following without problems.The office fitted with RV082 has issues. Remote VPN requests comming from ADSL to WAN port 1 of the RV082 connect successfully to the SBS2003 server, but the VPN requests coming from ADSL to WAN port 2 fail to connect! Similarly, incoming mail destined for Exchange don't get through if coming from ADSL of WAN port 2.I have updated the firmware on both RV042 and RV082, but the RV082 still has the above issues.
I am trying to allow telnet to port 551 but i couldn't get it to work.I am using a cisco 1720 router running on IOS 12.2.I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.hostname R1!interface ethernet0ip access-group 102 in!access-list 102 permit tcp any any eq 551.After i enter the above command the router will disconnect me and i will not be able to connect to it for awhile. Once the router is up i am still unable to telnet to port 551.
We have a small office and already have a firewall in place that uses content filtering. I am looking for a low cost wireless access point that I can place behind my firewall that will allow me to control access by a username and password list, not just the passkey.
Does this exist without having to go to an Aruba or Ruckus type enterprise WIFI product?
I am doing some really rough budget numbers. What can I expect for a life cycle on some Cisco gear like a 2801 router and a 48 port PoE switch? Is 4 years pushing it too much? We usually don't upgrade unless something breaks.
I'm paying for 18 Mbps download speed, and my laptops and one desktop get this speed, but the computer from which I write only gets 5 Mbps. He didn't know why.I'm pasting my HJT and DDS logs, and attaching Attach.txt. Ark.txt will be copied to this also.
We are forced to rush a installation of a WLC 5508 various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straight forward MAC filtering. The problem I am having is the controller allows either any W LAN or only one W LAN, and a interface setting. I need to have each MAC be able to access several W LAN's but not all of them. Can anyone point me to a article or give me a quick idea of what I can do.I have basic W LAN's configured and have MAC filtering generally working. I cannot just use a user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all W LAN's and I do not want to rely on the user.
I've got very basic problem but I cannot find the solution... I am sitting on the Cisco 4948E switch. And, I wanted to allow to guys who have not enable password to issue command sh running-config.I used the the following command to do that:SW4948E(config)#privilege exec level 1 show running-config.
I have 10 new AIR-CAP3502I-A-K9 connected to a WS-C3750X-48PF-L switch. 8 of the APs power on and connect perfectly, but two are problematic. Both devices are granted power, but they never go past the stage of getting power from the switch. A look at POE shows: [code]
Where the AP that is not working is connected to Gi1/0/4. The interface shows down/down. I've tried shutting the interface, removing power, cdp etc.
Are there any other tricks you can think of to get it working or would you say that it's 2 faulty APs? I am not based at site unfortunately so I cannot console to the APs and check them out.
We recently deployed ACS 5.3 on a VM, while the main purpose of implementation was to control access (authentication/authorization) on network devices; Can we use the same user to authenticate users' access to our wired network? So only users with a valid credentials on our Windows AD can have access to the network?
Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN? We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.
For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.
I have setup clientless SSL VPN on my ASA. User authentication is done by RADIUS using ACS 5.2, I have created two portal one for IT department and the other for auditing department but the user in auditing if the select IT group from the drop down list they can login to it, my question is how can I make them login to their group only and prevent them from accessing other groups ?
Usually, when I connect to nearby game servers I would have 10 - 60 ping. However, recently my NETGEAR CG814WG stops working randomly (The lights are all on, I can connect to it, but there's no internet connection) and I have to reboot it. (I had this router for a bit longer than a year, by the way)Currently I get around 80 - 300 ping connecting to servers in sydney. Ping directly from my router:
Ping statistics:
Pings sent: 25 (4 per second); Replies received: 25 (4 per second) Bytes sent: 1600 (266 per second); Bytes received: 1600 (266 per second) 25 replies passed verification (0 failed) Min time: 10 ms; Max time: 400 ms; Avg time: 132 ms; Total time: 6090 ms
When I reboot the router it has low ping (~30) for a minute or two but then the ping increases.
I have a D-Link DIR-615 and am trying to set up the Access Control so that I can restrict Internet connection from midnight till morning (to keep my teenage kids from staying up half the night on the Internet)I can step through the Access Control set up, but I don't see how I can block only one MAC address or computer from accessing the internet at specific times.
I have tried to setup access control by setting up a policy that restricts certain MAC addresses during a period during the day from certain websites. I set up the website filter and a schedule and selected them for the policy. Instead of blocking just the websites on the filter list during the time setup in the schedule, it blocks all websites all the time.I made sure that I setup the policy to 'block some access' NOT 'block all access'.The only thing that seems to work is that only the computers with the MAC address selected are effected.
I may be doing it incorrectly, but I'm trying to configure web access rules. I first set up access control and tell it to use the website filter. I've tried configuring it by both MAC address and IP address (separately, not simultaneously), but it still allows the listed sites in the web filter to get through. Is there something else I need to block or am I not doing something correctly? The network is on DHCP reservation, so IP addresses are always the same. MAC addresses, as I mentioned, don't work, either and they are fixed and logged in the router.
DIR655 with 1.33NA firmware. I'm trying to determine how to block access to the internet for a specific LAN computer when the user knows how to change a MAC address. I don't want to turn MAC control on and grant only to listed computers - the list doesn't accommodate enough MAC addresses, and the client has wireless and wired since it's a laptop. I also don't want to set static IPs on all of the devices since some cannot accommodate that feature.I'm thinking that reserving an IP address isn't ultimately the solution either, since assigning the IP isn't going to work if the MAC changes. how to use access control under these circumstances?
How to implement mac access-list in 881 and 892 router ? As you now that we can get additional switch-port in the same router but I can't see the function in this router. I guess the switch port must function like the catalyst 2960 switch.
I'm creating an access-list that will contain all networks and host that will be redistribute into EIGRP.Till now, this access-list contains 72 entries but this number can increase anytime.
I'm using a 3750-x layer 3 switch, and I'm wondering how big this access-list can be, regarding CPU and memory utilization and performance.
we installed a cisco router in a school with two vlans (VLAN 1 & VLAN 2) VLAN 1 is for teachers and Admin and VLAN 2 is for students. We want so that VLAN 2 shouldn't be able to access any device in VLAN 1 but VLAN 1 should be able to access all devices in VLAN 1 & 2
VLAN 1 192.168.11.0/24 VLAN 2 192.168.12.0/24
I am using VLAN interfaces. I know we have to use some access lists but if i apply
access-list 100 permit ip 192.168.10.0 0.0.255 any access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
With this access list two subnets can not access each other. How these access list should look likes ?
I have a CSS 11503 with a basic content rule for TCP 10000 going to a few backend servers. I was looking into the default timeout values for flows and when testing using telnet the flow didn't terminate as expected?
For example, i have no 'timeout multiplier' specified in the config and when i look at the output of 'show flow-timeout default' it tells me the default 16 seconds timeout is in effect for *. With that in mind, i telnet to the content rule vip on TCP 10000 and on the backend server using wireshark i can see the TCP threeway handshake. With no data passing i'd expect the CSS to terminate this flow after 16 seconds.. yet it takes exactly 128 seconds before wireshark shows the RST and the flow is terminated. 128 being 8 times the default 16 second flow timeout.
If i try to force the connection to close early by specifiying 'flow-timeout-multiplier 2' in the content rule, or even a multiplier of 40, it still waits 128 seconds to close the telnet connection.