Cisco :: Can't Configure Access List According To Project?
Feb 27, 2011this is a project and my configred file:I can't config access list according to the project.
View 19 Repliesthis is a project and my configred file:I can't config access list according to the project.
View 19 RepliesI'm trying to configure an extended access list on one AS5350XM but I get one way hearing on a voice calls and I can't determine why (please see the attached diagram). There is an OSPF running on both gigabit interfaces and the Loopback address is also advertised (it is actually the voip IP address). The access list is applied on both interfaces in the inbound direction. There is another gateway with IP:4.4.4.4 (no firewalls here) and the routing between gateways is working properly.
Here is part of the access list (applied on AS5350):
.
.
permit ip host 4.4.4.4 host 3.3.3.3
.
.
When I review the log of the AS5350xm I see many errors like this one:
%SEC-6-IPACCESSLOGP: list example denied udp 3.3.3.3(16638) -> 4.4.4.4(18094), 1 packet
So how it is possible to see this error since the access list is in inbound direction and the IP address (4.4.4.4) is open. I don't have problems when I do telnet or ssh from 3.3.3.3 to 4.4.4.4.
I'm looking at doing an intranet project at work. What i want is to have one main machine that will have a forum and website on (probably Windows IIS on Windows 7). Then i want to have approximately 10 other users on laptops that can connect to my intranet forum and site via "wireless" connection, but at the same time none of those 10 laptops or my main machine having any "internet" access. Is this possible and if so how
View 5 Replies View RelatedI have a SONY J series and I want to know how to make it project a wireless connection without using a router, as I have an ehternet cable going in to the sony but want to change that internet connection into wireless so I can connect my laptop to it, is there a way of doing this or am I imagining you can do this?
View 3 Replies View RelatedI have gotten myself a neoware e140.It has an VIA 800MHz CPU with 128MB Flash and 128MB DDR2 RAM.he one I received a spare PCI slot which is occupied by a matrox graphic card Matrox Epica card. It shows up in the System Specs as a TC4 but I think it is a TC2.
It comes with this special adapter which splits into two DVI adapters. Each of these adapters supposedly can drive 2 monitors (I have no clue how).
The box currently has some neoware linux on it.I want to make a pfsense box out it to have support for a dual WAN setup. I have never dealt with this kind of stuff before and do not even know how to load the OS on the flash etc.
I am trying to allow telnet to port 551 but i couldn't get it to work.I am using a cisco 1720 router running on IOS 12.2.I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.hostname R1!interface ethernet0ip access-group 102 in!access-list 102 permit tcp any any eq 551.After i enter the above command the router will disconnect me and i will not be able to connect to it for awhile. Once the router is up i am still unable to telnet to port 551.
View 14 Replies View RelatedI've got a relative that needs a wireless solution for their new HD LCD. The spouse has vetoed running cat-5 (I'd have told her to pound sand...) so we're looking for an inexpensive router that we can install dd-wrt on and throw it in bridge mode. The Linksys wrt54g seems to have dried up in the area, no one seems to have one in stock and I haven't had any luck finding an Asus RT-N12 that I can get delivered in a timely fashion, that would have been my second pick.
Any recommendation for a fairly inexpensive G/N router that either features a robust bridge mode or that I can flash for this project?
How to implement mac access-list in 881 and 892 router ? As you now that we can get additional switch-port in the same router but I can't see the function in this router. I guess the switch port must function like the catalyst 2960 switch.
View 3 Replies View RelatedI'm creating an access-list that will contain all networks and host that will be redistribute into EIGRP.Till now, this access-list contains 72 entries but this number can increase anytime.
I'm using a 3750-x layer 3 switch, and I'm wondering how big this access-list can be, regarding CPU and memory utilization and performance.
we installed a cisco router in a school with two vlans (VLAN 1 & VLAN 2) VLAN 1 is for teachers and Admin and VLAN 2 is for students. We want so that VLAN 2 shouldn't be able to access any device in VLAN 1 but VLAN 1 should be able to access all devices in VLAN 1 & 2
VLAN 1 192.168.11.0/24
VLAN 2 192.168.12.0/24
I am using VLAN interfaces. I know we have to use some access lists but if i apply
access-list 100 permit ip 192.168.10.0 0.0.255 any
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
With this access list two subnets can not access each other. How these access list should look likes ?
I was reviewing some old configs at work today and noticed somthing weird in the access-lists. What is this?
View 6 Replies View RelatedCreating an Access Control List
View 2 Replies View Relatedso far i also knew that if u assign an access-list to an interface:
for example:
int vlan1
ip access-group 150 in
and the access-list does not exist in the configuration it will block everything meaning it will be an implicit deny empty access-list but lately i've noticed on new routers that its different,if i assign an acl to an interface where the acl doesnt exist in the configuration it acts as permit all,
How to apply access list on Vlans ?
my Scenario is
13 Vlans in cisco 3560 switch (Vlan 10,20,30........ 130)
vlan 10 ---- ip range 192.168.10.0/24 interface vlan 10 ip add : 192.168.10.1
vlan 20 ---- ip range 192.168.20.0/24 interface vlan 20 ip add : 192.168.20.1
here i want to block vlan 10 access to vlan 20 i created extended access list deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
and applied in interface vlan 10 as out now i cant able to access any host in vlan 20 (host 192.168.20.1) but i can able ping vlan 20's gateway 192.168.20.1
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
View 1 Replies View RelatedI reported a really strange issue on a Cisco Router 3945. Here below info about release software used: [code] Please look at a brief extract of router running configuration file: [code] It’s an easy configuration of Extended ACL and the application on an Ethernet interface. The expected result is:
- The interface works properly (because access list is permitting every kind of data traffic in input)
- Checking “show access-list 180”, the counter of matched packets increments for all the packets that are forwarded inside the fa0/0/1.
But actually the Fastethernet 0/0/1 drops all the packets as if all the packets don’t match with access list (And this behavior is really incredible). The interface couldn't be used anymore because any kind of data traffic is denied.
how to perform port security or mac access-list on LAN ports of router 861 or 881.There are commands access-list 700-799 , but I don't know how to apply that access list on configured vlan or particular port.
View 1 Replies View RelatedI want to block access of some clients from the vlan1 to acces internet blocking their MAC address. How can i do this?
I have tring this way:
access-list 700 deny mac address 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
int fa00
bridge-group 1 {input-address-list 700 output-address-list 700}
but it's not working .
I am having a problem getting this to work and I have always done it with 2 Static ip address. but now this company changed to 1 and I am doing something wrong.
I have comcast with 1 static IP, I have a local LAN with 6 host and 1 server that does Mail and remote access and web traffic.
I need a config that allows me to use 1 static ip on the outside interface of the PIX and allow with an ACL 7 ports open to the server and allow all the local host out to the internet.
Currently in place ISP WISP Point to Point network would like some pointers to exceed in doing it right. Here are some issues.ISP Fiber 50 Megs down and 50 Megs up ( Working )What Router do I use? Looking at Cisco RVS4000 at JDT Site as main router I have routers at others towers using the 10.1.19.xxx address as wans setup.Do I pull out all routers and use only one from the JDT Site?
a. Due to Port forwarding
b. Lets say main Wan is 74.144.55.159 Lan 10.1.19.1
1. Site BTT router is assign address 10.1.19.33 Lan 192.168.6.1
a. Can I setup 74.144.55.159:85 to see 10.1.19.33?
My Point ot Point radio use different IP address to separate from lan address (10.1.19.xxx) Radios (10.1.119.xxx)1. Everything is working just want to re-design everything never thought I would grow this fast with in 2 years. Hope I explain this well enought. 90% of users are out in the country without high speed internet.
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
View 10 Replies View RelatedI've been working on an application recently that practice ACL configuration, and since finishing I figured it should be put on the internet as there wasnt much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.
View 9 Replies View RelatedI have an extended acl on my VLAN interface in bound and it is working like I need it to, securing one side of my network from the other allowing only what I want from my desktops to my servers. The acls look something like this:
vlan70 -----> inbound acl (allows 80/443) ---> vlan100
I need vlan100 to have access to something on vlan70 now and I cannot get it to work. My question is would this work?
vlan70 -----> inbound acl (allows 80/443) ---> vlan100
vlan100 <----- outbound acl (allows 9100) <---- vlan70
Traffic is initiated from vlan100 not from vlan70 then back through so an established rule does not work. Also there are many more ports open in my inbound acl but this is simplified for ease of reading.I want to make sure if I place both an inbound and outbound rule on my vlan and that it is in the right place, both on the same vlan.
I have a router in front of a few firewalls on an internet link. All traffic from the inside network must go through one of the firewalls to get out through the router and similarly there is a dmz on one of the firewalls.I am trying to make sure the router is fully hardened.Should I apply an access list on the outside interface of the router along with the access list for management access?
View 11 Replies View RelatedI have a sip gateway (AS5400) that is used to connect sip providers to our internal voice network.Internal gateway (10.1.1.2 LAN) -- SIP trunk -- AS5400 (10.1.1.3 LAN/ 8.23.23.43 WAN) -- SIP trunk -- Internet SIP Provider We encountered the following problem :A SIP call from internal gateway to the sip provider could establish but was muted on our side (sip provider could hear us)On the WAN interface of the AS5400, there is a ACL that filter traffic IN coming from SIP Provider
interface GigabitEthernet0/0
ip address 8.23.23.43 255.255.255.224
ip access-group 101 in
I log the deny on this ACL and I saw some udp packets denied with LAN addresses !*Mar 3 15:24:44.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.3(0) -> 10.1.1.2 (0), 1 packet I did not bind anything on the sip config.When I changed the ACLs, calls went well.Why do I see LAN packets on the WAN interface ?
I am trying to create a user restriction to allow one user to access only two networks (10.192.3.0 and 10.192.5.0) I have range of networks but I want to permit only two networks for limited user and full access for the admins. I know this was possible with ACS 3.3 but I am not too sure if this is also applicable with ACS 5.2.
View 1 Replies View RelatedI'm configuring Control Plane Police in a Catalyst 6509. This equipment is using IS-IS like its IGP routing protocol, and iBGP. In order to make CoPP work Im classifying the traffic entering the control plane like CRITICAL, IMPORTANT, NORMAL, UNDESIRABLE and DEFAULT. Obviously routing protocol traffic must be classified like CRITICAL. Doing so is easy to BGP because it runs over TCP/IP and I can configure the following access list to classify BGP:
ip access-list extended CP-CRITICAL-IN
remark #### CONTROL PLANE CRITICAL TRAFFIC INBOUND ####
remark #### ROUTING TRAFFIC - BGP ####
permit tcp host [BGP neighbor addr] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor addr] host [local BGP addr] eq bgp
deny ip any any
But IS-IS is also a CRITICAL traffic, but IS-IS doesn't run over TCP/IP, rather it exchange its own PDUs. So, how do I classify IS-IS traffic with an access list?
Nexus1000V and I was wondering if there is a way to limit snmp access via access-list on the RO/RW community, as can be done on IOS. I can't find anything relevent on the Reference Pages
View 3 Replies View RelatedAfter adding the below Extended Access-List Entry into my 1841 Router, access-list 102 permit ip host 192.168.1.1 any. I can access the Internet from this client but cannot connect to this client from another branch through vpn tunnels. I can access all other clients that do not have this access-list entry.
View 5 Replies View RelatedUsers behind a Cisco 1841 are not able to connect to a network using the Cisco Systems VPN Client. Transport is IP sec over UDP (NAT/PAT). Connection just times out.
Which ports should be allowed in the access list? Or do you have an link to a article for this?
Trying to figure this all out. I'm getting untranslated hits. I posted the config I have so far.
Code...
This is a working example using static. But it doesn't work with the dynamic interface or I'm doing something wrong. Need to get rdp access to my laptop.
ASA Version 8.4(5)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]...
I need to configure the access list on the outbound internet port to accept the following:
ip access list 10
access-list 10 permit PPTP vpn any xxx.xxx.xxx.xxx
access-list 10 permit RDP any xxx.xxx.xxx.xxx
access-list 10 permit FTP any xxx.xxx.xxx.xxx
access-list 10 permit Postgresql any xxx.xxx.xxx.xxx
access-list 10 permit MacARD any xxx.xxx.xxx.xxx
This method does not work on the Cisco 2921 router with FW