Cisco :: Access Control Lists And A Bridge Group?

May 13, 2012

I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack. Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put those interfaces into a bridge group which, as far as I can tell, essentially makes the router a 2-port switch... I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (in fact that is the most important traffic, it's how the silly theatre application works). None of the traffic is IP addressed... i.e., each of the devices on the network assigns itself an IP address, and then throws broadcast traffic out on to the "dedicated physical network" that exists between them for communication

[CODE]

View 2 Replies



Access Control Lists Deny Traffic From Entering Network

Oct 5, 2011

My network topology consists of 3 directly connected routers where the central router contains sensitive data and I need to block traffic from ENTERING the LAN adjoined to that router. My issue is creating an access list to DENY traffic from entering the network connected to Fa0/1 but ALLOW traffic to exit from that network. I am using one class C network which is subnetted 7 times to provide me with the required LANs.

View 2 Replies View Related

Cisco VPN :: ASA 8.2.x - Control Access To Different Group Policies On VPN? 

Mar 22, 2010

Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN?  We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.

For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.

View 12 Replies View Related

Cisco WAN :: QOS On 1841 With Access Lists?

Jan 15, 2013

I have new DIA Internet service coming in and unlike the last vendor who provided a router, I am configuring my own. This is my first full Cisco config - I've been looking at this for 3 days now. I have SIP signalling, RTP and default traffic on a (3) T1 multilink (4.5mb). My LAN and firewall use DSCP tags and pass them to the 1841 for outbound. The ISP only prioritizes by destination address so I just need the 1841 to respect the tags internally. Inbound, I have only port numbers to go by to differentiate voice traffic and I want to tag EF and CS3 accordingly for use by the 1841 and the rest of my network.

Below is part of my proposed config. I have read tons of Cisco docs and looked at all the queuing methods and this one I understand the best. I am getting the error: "CBWFQ : Can be enabled as an output feature only", so I presume that something is wrong on an input definition somewhere. For now all the firewall functions are done at the actual firewall (Sonicwall NSA) so other than limiting ports to the PBX everything else is just pass-through. Any changes required? IOS is 12.4(4)T1.

[Code]....

View 6 Replies View Related

Cisco WAN :: 3750 - QoS With Access Lists Not Working

May 17, 2011

I have a stack of 3750 (WS-C3750G-24TS-1U with IOS 12.2(53)SE2).

This is the conf I have:
 
!
class-map match-all DC_SC-to-DC_UW
match access-group 100

[Code].....

View 4 Replies View Related

Cisco Firewall :: ASA 5510 8.2(1) Using Hostnames In Access-lists?

Jul 12, 2012

I need to allow a specific hostname through my firewall. I found this article: [URL] But it's only for 8.4 updated ASAs and above.
 
Doing more research, I found this article: [URL] And have been trying to reverse engineer it. Am I on the right track?

View 3 Replies View Related

Cisco Firewall :: ASA 5550 - ASDM Created Access Lists

May 9, 2012

I am trying to unravel an ASA 5550 config that has been created over several years, by multiple people, some who used ASDM, some who used CLI.

None of them ever removed any lines from the configuration, and none did any documentation. When examining the actual configuration from a CLI perspective:

1. Does an ASDM-created access list end with any specific ASDM-added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

View 4 Replies View Related

Cisco Firewall :: PIX515 - Timeout ICMP / Access Lists?

Mar 29, 2011

I am using a Pix 515 with IOS 8.0(3). I have in my access list on the outside interface:

access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo
access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply

in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.
 
Why doesn't the hit count show up in the ASDM GUI display? Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
 
In the config there is 'timeout icmp 00:00:02'; if there is no stateful connection for ICMP, why is there a timeout value for it?

View 4 Replies View Related

Cisco Switching/Routing :: Object-groups In Access-lists On 3750X?

May 29, 2013

I have started to use IP extended access-lists on several 3750X switches to filter inbound and outbound traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is there really no way to group different IP addresses into groups and then use these groups in the access-lists?
 
I am running sw version 15.0(1)SE2.

View 1 Replies View Related

Cisco Firewall :: Automatic Naming / Binding Of Access Lists With ASA 5550?

May 8, 2012

I have been told that if an access list is created with the suffix _access_in, and if the prefix is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that. I am looking at the config of an ASA 5550.
 
example:
 
Interface is Production
access list is called Production_access_in.
 
Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?

View 4 Replies View Related

Cisco Firewall :: ASA5505 8.4(4)1 Access-Lists Created In CLI Do Not Show In ASDM

Apr 30, 2013

Yesterday, I configured the ASA via CLI for Static PAT and created some entries in an access-list. I will be testing that setup this evening.
 
However, on a quick double check of the settings on the device via ASDM I could not see the access-list settings. I searched every tab and found nothing, so I PuTTYed into the device and checked the running config. The rules I created were right there. Is this something I should expect? If so, doesn't it defeat the point of having a GUI if it does not show a complete running config?

View 2 Replies View Related

Cisco WAN :: ASR 1004 Bridge Group Command Missing

Jul 19, 2012

On the Cisco forums, an example is shown for how to configure BVI and bridge-groups on an ASR1004, but the same command (bridge-group) is not available under the interface on our ASR routers. We are running version of code: asr1000rp1-advipservicesk9.03.06.00.S.152-2.S.bin

View 1 Replies View Related

Cisco Wireless :: 819 Work Group Bridge Through LWAPP Network

Jan 21, 2013

We are connecting a Cisco router (819) to a wireless LAN network (LWAPP) through its wireless interface.
 
clients ---> 819 ---->AP (WGB) ------ lwapp ----- AP ---> LAN ---> servers.

Since the clients are on the same subnet as the VLAN on the LWAPP, everything works great. When we add a new L3 VLAN on the 819 router, and we try to ping the clients from the servers, the packets can reach the clients but are never received back by the servers. It seems like the bridge is dropping the packets when they go back from the client to the servers. When we use a GRE tunnel from the 819 to the LAN, everything works great.

View 3 Replies View Related

Cisco Switching/Routing :: Outbound Versus Inbound Access Lists On Catalyst 3750X?

Mar 17, 2013

I want to configure access lists on my Catalyst 3750X switches to protect different VLANs/networks. Any best practices about inbound versus outbound access lists? In my head it is more readable and easier to understand the config when access lists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source VLANs. But of course, from a performance point of view it is better to use inbound access lists to avoid unnecessary routing etc.

View 1 Replies View Related

Cisco Firewall :: 5585 - Two Different Subnets Assigned To Single Bridge Group

Apr 9, 2013

We are deploying two Cisco 5585 in transparent mode and multiple contexts. They are running Active-Active failover.
 
There are a lot of VLANs that need to be added in the contexts; we are trying to use the fewest contexts to fulfill this.
 
ASA supports 8 bridge groups for each context, and a maximum of 4 interfaces for each bridge group.
 
We have assigned four interfaces in different VLANs, set two of them as a pair with one IP subnet and the other two interfaces are in another IP subnet.
 
For example :
 
Bridge group 1:
 
inside1 and outside1 -------> 192.168.1.0/24
inside2 and outside2 -------> 192.168.2.0/24
 
However, we can only make one subnet (VLAN pair) work when the BVI is set to that IP subnet. If the BVI is set to 192.168.1.0/24, inside1 and outside1 work but the other pair does not. If the BVI is set to 192.168.2.0/24, then only inside2 and outside2 work.
 
Since the BVI can only be assigned to either of the subnets, is it possible to make both VLAN pairs work? Or can we only have one subnet in one bridge group?

View 1 Replies View Related

Cisco Wireless :: 1262 Maximum Number Of Clients In Work Group Bridge Mode

Dec 6, 2011

What is the maximum allowed number of wired clients behind a workgroup bridge? In other words, is there a limit on MAC addresses? I assume a 1262 AP in WGB mode is connecting to a lightweight AP (1262 or 3502), latest IOS and WLC software. I wasn't able to find the answer in Cisco documentation.

View 2 Replies View Related

Cisco Firewall :: Cat6509 / FWSM - Default Route Per Bridge Group In Transparent Mode

Nov 14, 2011

I want to set up FWSM 4.1 on a Cat6509 with multiple bridge groups in one transparent context (as the manual says it can support up to 8 bridge-groups, and the intent is to save security contexts). For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to go out to the MSFC, which routes the traffic back through the FWSM. My question is how I can define a default route per bridge-group. I would assume FWSM should take the following two default routes per bridge-group interface but it won't:

route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
 
It seems like it allows only one default route per context and gives me an error - "ERROR: Cannot add route entry, possible conflict with existing route"
 
How can I achieve an outside per individual bridge-group?

FWSM context config:
 
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside

[code]...

View 2 Replies View Related

Cisco Switching/Routing :: 800 / Use ASA To Configure All The Vlans And Intervlan Routing And Access Lists?

Jul 4, 2012

Upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 VLANs for the different departments and then configure inter-VLAN routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 Sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheaply as possible.... Is there a way to use the ASA to configure all the VLANs and inter-VLAN routing and access lists and use a cheaper switch to provide the access layer to hosts?

View 4 Replies View Related

Cisco WAN :: 2621 / Time-Based Access Lists Using Time Ranges?

Jan 4, 2011

I have one 2621 router. I want to create a time-based access list so that one of my subnet users (10.128.194.0 255.255.255.128) uses the internet only between 11am and 2pm.

View 15 Replies View Related

Wifi Access Points With User Access Control?

Nov 27, 2012

We have a small office and already have a firewall in place that uses content filtering. I am looking for a low cost wireless access point that I can place behind my firewall that will allow me to control access by a username and password list, not just the passkey.

Does this exist without having to go to an Aruba or Ruckus type enterprise WIFI product?

View 1 Replies View Related

Cisco :: Access Control For Static NAT

Jun 15, 2012

(1) How to forward a range of ports to a specific IP using static NAT? For example, I would like to forward port 5060 and 10000-20000 to a server 192.168.1.22..

(2) How to apply access control to this static NAT? For example, I would like to deny specific IPs from accessing it from public..

====================================================
interface ethernet 0
ip address 192.168.1.1 255.255.255.0
ip nat inside

[code]....

View 3 Replies View Related

Cisco :: 5508 - MAC Access Control

Nov 29, 2012

We are forced to rush an installation of a WLC 5508 for various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straightforward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and an interface setting. I need to have each MAC be able to access several WLANs but not all of them. Can anyone point me to an article or give me a quick idea of what I can do? I have basic WLANs configured and have MAC filtering generally working. I cannot just use user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all WLANs and I do not want to rely on the user.

View 8 Replies View Related

Cisco :: Where Do Prefix-Lists Fit In

Sep 25, 2012

What is the difference between an ACL, a distribution list and a route map?

View 5 Replies View Related

Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?

Jul 31, 2012

I am trying to map an LDAP Group to an ASA Group policy following this documentation:
 
[URL] 
 
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen, but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier work with RADIUS I would have expected the user-specific attribute to be "stronger"?

ASA Log:
 
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX

View 3 Replies View Related

Cisco :: Creating An Access Control List?

Apr 6, 2013

Creating an Access Control List

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 For Network Access Control

Feb 16, 2013

We recently deployed ACS 5.3 on a VM. While the main purpose of the implementation was to control access (authentication/authorization) on network devices, can we use the same server to authenticate users' access to our wired network? So only users with valid credentials in our Windows AD can have access to the network?

View 1 Replies View Related

Cisco VPN :: How To Control Access To Clientless SSL VPN On ASA 5520

Dec 11, 2011

I have set up clientless SSL VPN on my ASA. User authentication is done by RADIUS using ACS 5.2. I have created two portals, one for the IT department and the other for the auditing department, but if the users in auditing select the IT group from the drop-down list they can log in to it. My question is how can I make them log in to their group only and prevent them from accessing other groups?

View 3 Replies View Related

How To Setup Access Control For My Children

Mar 22, 2011

I have a D-Link DIR-615 and am trying to set up the Access Control so that I can restrict Internet connection from midnight till morning (to keep my teenage kids from staying up half the night on the Internet). I can step through the Access Control setup, but I don't see how I can block only one MAC address or computer from accessing the internet at specific times.

View 14 Replies View Related

D-Link DIR-615 :: Access Control Blocks Too Much

Oct 24, 2012

I have tried to set up access control by setting up a policy that restricts certain MAC addresses during a period of the day from certain websites. I set up the website filter and a schedule and selected them for the policy. Instead of blocking just the websites on the filter list during the time set up in the schedule, it blocks all websites all the time. I made sure that I set up the policy to 'block some access' NOT 'block all access'. The only thing that seems to work is that only the computers with the MAC address selected are affected.

View 3 Replies View Related

D-Link DIR-655 :: Web Access Control Not Working?

Mar 2, 2010

I may be doing it incorrectly, but I'm trying to configure web access rules. I first set up access control and tell it to use the website filter. I've tried configuring it by both MAC address and IP address (separately, not simultaneously), but it still allows the listed sites in the web filter to get through. Is there something else I need to block or am I not doing something correctly? The network is on DHCP reservation, so IP addresses are always the same. MAC addresses, as I mentioned, don't work either, and they are fixed and logged in the router.

View 9 Replies View Related

D-Link DIR-655 :: Access Control When IP Or MAC Can Be Changed

Dec 31, 2011

DIR655 with 1.33NA firmware. I'm trying to determine how to block access to the internet for a specific LAN computer when the user knows how to change a MAC address. I don't want to turn MAC control on and grant only to listed computers - the list doesn't accommodate enough MAC addresses, and the client has wireless and wired since it's a laptop. I also don't want to set static IPs on all of the devices since some cannot accommodate that feature. I'm thinking that reserving an IP address isn't ultimately the solution either, since assigning the IP isn't going to work if the MAC changes. How do I use access control under these circumstances?

View 1 Replies View Related

Cisco :: Access Control List Practice Site?

Apr 25, 2013

I've been working on an application recently for practicing ACL configuration, and since finishing I figured it should be put on the internet as there wasn't much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.

View 9 Replies View Related

Cisco :: Access Control List Not Behaving As Expected

Dec 18, 2011

I have an extended ACL on my VLAN interface inbound and it is working like I need it to, securing one side of my network from the other, allowing only what I want from my desktops to my servers. The ACLs look something like this:

vlan70 -----> inbound acl (allows 80/443) ---> vlan100

I need vlan100 to have access to something on vlan70 now and I cannot get it to work. My question is would this work?

vlan70 -----> inbound acl (allows 80/443) ---> vlan100
vlan100 <----- outbound acl (allows 9100) <---- vlan70

Traffic is initiated from vlan100, not from vlan70 and then back through, so an established rule does not work. Also there are many more ports open in my inbound ACL but this is simplified for ease of reading. I want to make sure, if I place both an inbound and outbound rule on my VLAN, that it is in the right place, both on the same VLAN.

View 1 Replies View Related

Copyrights 2005-15 www.BigResource.com, All rights reserved