Cisco Firewall :: Access-List Traffic Control Attempting To Block RDP 3389
Nov 7, 2012
I have an ASA pair configured to replace a router that hosts a collection of IPSec Tunnels. Tunnels appear to work. I am lab'ing some additional controls that I would like to implement. On the Production Router that i plan to replace with the ASA's the current Tunnels are all wide open (all traffic allowed to pass). I was hoping to lock things down a little without having to reconfigure all of the Tunnels. My though was that an ACL on the Inside Interface blocking selected traffic Out (so into the LAN) should not impact the stability of the Tunnels but allow me to restrict some traffic from entering the LAN. One port that I was attempting to block is RDP 3389. When this ACL is applied to the inside interface it does not block Port 3389 at all. What am I missing? Is it that the trffic is being allowed because it is coming through one of my 'open' Tunnels?
Shouldn't IPSec Tunnel traffic be processed by the Inside Interface ACL just like all other traffic?
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 3389
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 135
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 137
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 138
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 139
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 445
access-list 145 deny tcp 192.168.30.0 0.0.0.255 10.187.10.0 0.0.0.255 eq 389
access-list 145 permit ip any any
ip access-group 145 out interface Internal
This work great on a 2821 Router, but not so much on the ASA.
View 11 Replies
ADVERTISEMENT
Apr 18, 2011
I would like to know how can we allow traffic on ports 3389 (rdp) and 8007 which comes from any to 192.168.2.10 but pretend to be a Phones interface 192.168.2.1? [code]
View 9 Replies
View Related
Apr 6, 2013
Creating an Access Control List
View 2 Replies
View Related
Apr 17, 2012
I am copying files form one server to another using Bightserv ARCserve Backup, now the files copy over however the access control list to the files isn't.Does anybody no away around this?
View 3 Replies
View Related
Apr 25, 2013
I've been working on an application recently that practice ACL configuration, and since finishing I figured it should be put on the internet as there wasnt much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.
View 9 Replies
View Related
Dec 18, 2011
I have an extended acl on my VLAN interface in bound and it is working like I need it to, securing one side of my network from the other allowing only what I want from my desktops to my servers. The acls look something like this:
vlan70 -----> inbound acl (allows 80/443) ---> vlan100
I need vlan100 to have access to something on vlan70 now and I cannot get it to work. My question is would this work?
vlan70 -----> inbound acl (allows 80/443) ---> vlan100
vlan100 <----- outbound acl (allows 9100) <---- vlan70
Traffic is initiated from vlan100 not from vlan70 then back through so an established rule does not work. Also there are many more ports open in my inbound acl but this is simplified for ease of reading.I want to make sure if I place both an inbound and outbound rule on my vlan and that it is in the right place, both on the same vlan.
View 1 Replies
View Related
Feb 3, 2011
I have a sip gateway (AS5400) that is used to connect sip providers to our internal voice network.Internal gateway (10.1.1.2 LAN) -- SIP trunk -- AS5400 (10.1.1.3 LAN/ 8.23.23.43 WAN) -- SIP trunk -- Internet SIP Provider We encountered the following problem :A SIP call from internal gateway to the sip provider could establish but was muted on our side (sip provider could hear us)On the WAN interface of the AS5400, there is a ACL that filter traffic IN coming from SIP Provider
interface GigabitEthernet0/0
ip address 8.23.23.43 255.255.255.224
ip access-group 101 in
I log the deny on this ACL and I saw some udp packets denied with LAN addresses !*Mar 3 15:24:44.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.3(0) -> 10.1.1.2 (0), 1 packet I did not bind anything on the sip config.When I changed the ACLs, calls went well.Why do I see LAN packets on the WAN interface ?
View 1 Replies
View Related
Dec 12, 2012
I am having some issues with creating an ACL for my gateway router.I want to block external access to my network 192.168.1.0/24 from internet so i set up the ACL on the WAN port of my 7200 router asI am using named extened access list -
{
deny ip any 192.168.1.0 0.0.0.255 log
permit ip any any
}
and i applied this inbound accesslist on the WAN port of router as
"ip access-group acl-in in"
Now i have blocked the external traffic to my network 192.168.1.0/24 but the issue i am having is i am also unable to reach outside now. All i want is to block external traffic on the router WAN port but allow internal traffic to outside. Did i miss anything in the access list?
View 5 Replies
View Related
Jul 15, 2012
How to find out the upper limit of ACL on CISCO876-SEC-I-K9 router. How to measure performance parameter on the same as BGP is running on this router.
View 1 Replies
View Related
Aug 18, 2011
We have WLC 4402 and LWAP 1510In access control list menu, all needed rule added and the last rule deny any to any We use Ethernet bridging on LWAP and some clients connect with wire network that associated with Ethernet bridge LWAP, Now when deny rule applied the client that connect with wired network couldn't established VPN connection or another service to the routing and remote server, I create rule that permit any to routing and remote server.
View 1 Replies
View Related
Aug 8, 2012
I want to do what I thought would have been a simple enough task - block my kids phone/computer after certain hours. Instead of blocking the specified MAC address(es), all my computers does not have internet access. As soon as I disable the policy, internet access is on again. Here's what I did:
[code]...
View 4 Replies
View Related
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
View 2 Replies
View Related
May 15, 2011
we are not able to access port 3389 on host 10.45.4.2 over our vpn connection. vpn is up and running and we can access othet tcp ports on the host but not 3389. hereunder part of the config:
ip http serverno ip http secure-serverip nat inside source route-map SDM_RMAP_1 interface BVI1 overloadip nat inside source static tcp 10.45.4.2 18330 94.229.51.184 18330 route-map SDM_RMAP_2 extendableip nat inside source static tcp 10.45.4.1 3389 213.148.231.156 3389 extendableip nat inside source static tcp 10.45.4.1 5800 213.148.231.156 5800 extendableip nat inside source static tcp 10.45.4.1 5900 213.148.231.156 5900 extendable!access-list 1 remark SDM_ACL Category=16access-list 1 permit 10.45.4.0 0.0.0.255access-list 100 remark SDM_ACL Category=4access-list 100 remark IPSec Ruleaccess-list 100 permit ip 10.45.4.0 0.0.0.255 10.45.1.0 0.0.0.255access-list 101 remark SDM_ACL Category=2access-list 101 remark IPSec Ruleaccess-list 101 deny ip 10.45.4.0 0.0.0.255 10.45.1.0 0.0.0.255access-list 101 permit ip 10.45.4.0 0.0.0.255 anyaccess-list 102 deny ip host 10.45.4.2 10.45.1.0 0.0.0.255access-list 102 permit ip host 10.45.4.2 anyroute-map SDM_RMAP_1 permit 1 match ip address 101!route-map SDM_RMAP_2 permit 1 match ip address 102!!control-plane!bridge 1 protocol ieeebridge 1 route ip
View 6 Replies
View Related
Jan 2, 2012
I want to block the sql port access of my server to all except few of my ip addresses while access list on Cisco Router IOS how do i do that.
View 3 Replies
View Related
Jan 9, 2012
I have a layer 3 switch, 3550.I have several vlans on there just for playing around with. One of the vlans, has a vonage linksys box attached to it with a UK number attached. From time to time telemarketers call at 03:00 in the morning, this as I'm sure you can imagine is not much fun. The linksys box gets 192.168.3.3 as it's ip.The switch is connected to a non cisco router at 192.168.0.1
interface FastEthernet0/24
no switchport
ip address 192.168.0.2 255.255.255.0
I was thinking a time based access list would work best I have tried several variations but the phone still rings. I have tried access-list 1 deny host 192.168.3.3 permit ..... and more extensive lists but the phone still rings. I have not applied the time-range yet, so that's not the problem.I have applied the list to the vlan interface and to fa0/24 but it's not working.
View 3 Replies
View Related
Aug 21, 2011
It's been a while since I've done a lot with a PIX config so what is the best way to allow access for 2 IP addresses that need to RDP into a server here inside our network. They also wanted to have ports redirected, 3391 to 3389 and 3397 to 3389.
View 12 Replies
View Related
Oct 2, 2011
Why does my E1200 forget my Parental Control Password? This happens almost weekly and I have to use the "forgot password" option. It asks my security question, I answer it and set the new password to the same password it keeps forgetting. Why does this happen? Also, is there anyway to have total 24hr control on the Block Internet Access?
View 4 Replies
View Related
Sep 4, 2012
I am using cisco 1841 LAN router, I need to block MAC address i have applied the command access-list 1102 deny 0000.0000.0000.0000 mac address..... but it does not work.
View 24 Replies
View Related
Jan 20, 2013
We have a data center with servers set up for different projects, some servers from partner companies and several small LANs. The traffic between all those needs to be controlled and firewalled. The servers and LANs are divided into different subnets and VLANs. Physically, their traffic is aggregated on a couple of 4506 and then sent to a FreeBSD server, where the logical gateways are set up and traffic is filtered between them.The BSD server is dying and having it there is incorrect in the first place, so we are planning to replace it with two ASA (5520) in failover.The question that arises is how to correctly implement firewalling between VLANs. Originally we thought to set up the firewalls in transparent mode and logically terminate VLANs on a stack of 3750 switches behind them, but would that filter the traffic between the VLANs? Then we thought to perhaps terminate the VLANs on the ASAs, use routing mode, and do filtering there, as well. Or should we implement multiple contexts? We have about 20 VLANs and all of them differ in rules of what should go there. None of this can be concidered an "inside" - trusted - zone, nor "outside". Internet and external links are connected and filtered in a different place.
View 1 Replies
View Related
Feb 16, 2011
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
View 10 Replies
View Related
May 16, 2012
I'm configuring Control Plane Police in a Catalyst 6509. This equipment is using IS-IS like its IGP routing protocol, and iBGP. In order to make CoPP work Im classifying the traffic entering the control plane like CRITICAL, IMPORTANT, NORMAL, UNDESIRABLE and DEFAULT. Obviously routing protocol traffic must be classified like CRITICAL. Doing so is easy to BGP because it runs over TCP/IP and I can configure the following access list to classify BGP:
ip access-list extended CP-CRITICAL-IN
remark #### CONTROL PLANE CRITICAL TRAFFIC INBOUND ####
remark #### ROUTING TRAFFIC - BGP ####
permit tcp host [BGP neighbor addr] eq bgp host [local BGP addr]
permit tcp host [BGP neighbor addr] host [local BGP addr] eq bgp
deny ip any any
But IS-IS is also a CRITICAL traffic, but IS-IS doesn't run over TCP/IP, rather it exchange its own PDUs. So, how do I classify IS-IS traffic with an access list?
View 3 Replies
View Related
Oct 5, 2011
My network topology consists of 3 directly connected routers where the central router contains sensitive data and i need to block traffic from ENTERING the LAN adjoined to that router. My issue is creating an access list to DENY traffic from entering the network connected to Fa0/1 but ALLOW traffic to exit from that network. I am using one class C network which is subnetted 7 times to provide me with the required LAN's.
View 2 Replies
View Related
Aug 29, 2012
we have two 2851's. One in Australia, one in NZ, IPsec VPN between the two.
We have multiple subnets behind the tunnels. From all the sunbets in Aus we can reach all the subnets in NZ, except for one. From NZ we can reach all the subnets in Aus. The traceroute and pings from the subnet in question in Aus goes out the internet interface of the router instead of going into the tunnel.
The subnets in question are 10.110.220/24 (Aus), 10.110.250/24 (NZ)
The access lists at both ends cover the traffic required but for some reason when leaving Australia the traffic is not captured by:
Crypto Map "AUS-SYD" 20 ipsec-isakmp
Description: Auckland VPN
Peer = 203.167.249.46
[Code].....
View 3 Replies
View Related
Dec 25, 2012
I have been trying to figure out a NAT issue on my 2811 and the inspect engine.I have 'ip inspect FW out' on my outside interface. If I turn it off, I also have to remove the access-list applying to inbound traffic on that same interface. Why is that? This whole thing centered around SIP registrations from devices on my LAN to my provider. The provieder is showing that I am registering from a high end port (1024 or something crazy). He said that it sounds like some type of SIP ALG or something on my router. For the life of me, I can't figure out what would be causing it. I am just using a standard route-map that points to the outside interface using 'overload'.
View 6 Replies
View Related
Jan 28, 2013
I'm using ASA 5515X my concern is I was not able to block the traffic of P2P such as BitTorrent etc. I was also view some technotes on how to use webfilter without using Websense or Smartfilter tools and lucky I'm able to block certain websites. how to block the traffic of P2P?
View 2 Replies
View Related
Nov 7, 2011
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did
mac access-list extended BLAH
permit #host 0000.XXXX.YYYY any
interface range fa 2/5 - 20
mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices.
View 1 Replies
View Related
Jul 7, 2011
Is it possible to block internet traffic on the PC using ASA5501 firewall which is used in transperent mode.The DHCP pc is working fine we just need to pass through ASA to block the internet on the pc however intranet should be available.
View 3 Replies
View Related
Dec 12, 2012
I was configure 3 interface on ASA1st - managemetn (only for management)2nd - gig0/0 is connected to internet with real IP3rd - gig0/1 is connected to local networkI was configure routed NAT to internet.But I have problem with restriction incomming traffic to inside interface (ifname is inside)but I can connect to ip address of inside interface from other ip. It is wrong and i can't understand where is my mistake.
View 2 Replies
View Related
Dec 15, 2011
I am having an ASA5510 with a CSC-SSM-10 module. I am able to block http traffic through the ASA but cannot block https traffic through it. Need to block https traffic using the CSC module.
View 19 Replies
View Related
Nov 15, 2011
How does a firewall block or filter traffic on a specific port or IP address?
View 1 Replies
View Related
Aug 3, 2012
I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2.The switch has vlan 1 and vlan 50 configured, vlan 50 should have access to a limited number of host in vlan 1.The following acl has been applied on the inbound to vlan 50:
10 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445
20 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445
25 permit icmp 10.16.30.0 0.0.0.255 host 192.168.1.243
26 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254
30 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254
[code]....
I sure the above would work, but for some reason some of the packet counter are not incrementing but the traffic is being blocked. But I would like to see the counter increment.Also I have that I may beed to use VACL wouls this be the case?
View 26 Replies
View Related
Jul 1, 2011
We have ASA 5520 with CSC-SSM 20 and we want to block https traffic but when we are blocking https traffic http traffic going to block but user are able to open website.
View 1 Replies
View Related
Sep 12, 2011
I have configure Cisco 5505 as layer 2 firewall mode. I have vendor machine connected to Cisco ASA 5505 on port 2 as VLAN2 inside then VLAN1 outside connected to my internal network on layer 2 cisco 2960 switch. This machine needs access only to LOGMEIN then block all internal/internet traffic.
vendor machine on vlan 2 inside >> Cisco ASA 5505 vlan1 outside >> layer2 switch >> internal LAN >> Cisco 5520 main FW >>> INTERNET
View 1 Replies
View Related
