Cisco :: Restricting Access To Certain Sites By Certain Hosts
Dec 4, 2012
I am trying to block access to Facebook and Twitter on my router for a certain range of IPs, 192.168.1.8 - 254. I have been digging around and trying stuff, but all I do seems to restrict everyone's access to the internet.
My ISP installed one router in my lab. For internet connectivity they mailed me the steps: connect your laptop directly to the gi0/3 port to check internet connectivity with public IP 1.1.1.x and gateway 18.104.22.168 with subnet mask 255.255.255.240. After connecting I was surprised because I am able to access only Google sites like Gmail, Google search etc., but I am able to ping/traceroute all sites. From the browser I am able to access only Google sites. In the router there is no firewall and no such access list.
Not sure if I am asking this correctly. I want to install a wireless access point into a switch and out the WAN. Going to password-protect access into the wireless access point. Can I restrict the user from entering the LAN from the wireless access point? Change subnets, what to do? Would not mind restricting speed, etc. I think I can through my switch.
I have installed a video security system into my home/office and several IP cameras are connected via my wired Cat5 network, which connects to my router and switch into a PC with internet access. This will allow me to record any break-ins, alert me of this event and view it in real time. I would like to restrict access to these devices for anyone else on the network, with either dedicated access or password protection.
Got myself the Netgear internal PCI wifi adapter today and it works just fine on my Windows XP SP3 desktop.
The only problem I have is the question of restricting complete internet access to the kids at home. If it was an external USB adapter, I could have just taken it away, but the concern is the device being an internal and always available one.
The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,
- 1 user with admin privileges (me)
- 1 limited account for the kid
- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)
I would like for the wifi PCI card to work only when I log in to my user account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but please bear in mind that one of the accounts that the kid uses also has admin privileges).
I tried disabling the device from Control Panel but in vain (tried something like the sysadmins do in corporates: disabling the USB ports on the PCs in my office).
This is my scenario. I have my IP as 172.16.1.1 (aaaa.bbbb.cccc.dddd) which has full internet access. Now when I am not available in the office, I noticed someone assigning my IP to his workstation and gaining full internet access. How do I restrict such things? I.e. even if someone assigns my IP on the network, they shouldn't access the LAN or WAN. I tried configuring 'arp 172.16.1.1 aaaa.bbbb.cccc.dddd arpa' on my L3 Cisco 3750X switch assuming I could achieve this, but that did not work.
I have configured a WLAN with a WiSM2 controller installed on a 6500 series, Aironet 3600 series APs and ACS 5.3 for user authentication. The ACS is connected to Active Directory so users are authenticating using AD (802.1X is used and not a pre-shared key) on SSID A. I have created a separate SSID B for guest users. I have put restrictions on this SSID. Guest users are also created on the same AD where internal users are created. How can I force guest users to connect to SSID B and not be able to connect to SSID A? Currently they can connect to both.
I have an ASA firewall and I have never configured an FTP server for a large scale network (well, large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit it only to the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use passive FTP, and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also, if I use passive mode do I need to use protocol inspection for FTP? Also, currently I'm unsure of what files need to be accessed on our network, but should the SFTP server always only be installed within the DMZ?
I have a Cisco 2901 terminal server with AAA authentication via an ACS server. I created two accounts on the ACS server, cciesec2011 and vendor. Both accounts can log into the Cisco 2901 terminal server without any issues. By the way, I am NOT using AAA authorization on the Cisco terminal server. Once the cciesec2011 or vendor accounts are authenticated, these accounts can access all the async lines on the Cisco terminal server.
Now I have a new requirement. I would like to allow cciesec2011, once this account is successfully authenticated, to have access to ALL async lines on the terminal server. The "vendor" account I want to restrict to access only async line 35 (there are 32 async lines available on the Cisco terminal server) and nothing else.
How can I accomplish this without using AAA authorization on the Cisco terminal server? Is it possible to use "privilege level" to accomplish this? If so, how?
We have recently ordered a laptop along with a docking station with the intention of connecting it with the desktop PC in the office. We want the documents folders of both computers to be synchronized and to that end we want to share the folders between each computer. However, to do so we will have to connect the laptop to the larger network in our office. Given the sensitive nature of the documents we only want the desktop PC and the laptop to be able to access these files and synchronize them.
Is there any way in Windows 7 to specify exactly which computers are allowed access to shared folders on a computer? What's the best way to achieve the file synchronization between the two?
Is there a way to restrict wireless access to my router from wireless PCs in my home? Two grandsons are off from school now, and are playing online games to the wee hours of the morning. Can I do something to have the router shut off their connection at a certain time? Is that possible? If I have to go back to DD-WRT to do that, fine. I have a Linksys WRT54G with their 4.2.1 firmware.
I have a site-to-site VPN connection between an ASA 5510 and a PIX 515 which is working fine. There is no problem for hosts on either side of the tunnel to access across. However, the local IP (192.168.20.1) on the client interface of my PIX is not allowed to access hosts on the other side of the tunnel.
I'm just new with ASA. I'm just self-studying on it. I was tasked to have an ACL that will allow inside hosts to access a specific network. Is there a way to know all the inside hosts behind the ASA so that I can do an "object-group network" on those inside hosts, which I think will look neat?
I have configured the ASA in a very similar manner to how the PIX was set up, but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet. I've spent a few days working on this now and have started from scratch several times, but I'm not getting anywhere. Apologies for all the X's everywhere; I didn't like to post anything sensitive on the Internet.
I am using a three-interface ASA config (Internet, DMZ, Inside). The DMZ and Inside networks are both RFC 1918 space; however, it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IPs which NAT to the DMZ hosts. In my DMZ network there are two devices: a web server and an 802.11 access point.
The Web Server is hosting our corporate web site. When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to. A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.
Is there a way to use destination NAT or another clever config so when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from it would allow the traffic?
We are running ACS 5.2 patch 6 and want to restrict which users are able to add devices to the system. For example, the admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.
I am using an ASA 5505 firewall with base license. I connected my firewall to one Cisco 3750 switch where I created 5 VLANs. I did NATing for all VLANs and they are able to get internet and are working fine. They are able to browse all internet sites like Gmail and Yahoo Mail.
All internal users are configured to use Outlook for their webmail. Here the problem is with Outlook: they are unable to send and receive mails.
If they connect their system directly using a public IP (directly from the ISP) they are able to send and receive mails from Outlook.
Currently have a setup where we have multiple SVI interfaces in a VRF on a Catalyst 6500 switch. All these SVIs belong to the same VRF. In order to achieve connectivity for hosts within the VRF to access hosts outside the VRF (hosts reachable via the Global Routing Table (GRT)) I am thinking I need to configure two things:
1. Creating a summary route for all the subnets within the VRF in the Global Routing Table. <Config on 6K in Global Routing Table> Note: 10.10.10.10 is the IP address of loopback 10 and this loopback 10 is in VRF Red.
    ip route 172.16.0.0 255.255.0.0 loopback10 10.10.10.10
2. Create a couple of static routes within the VRF for networks that reside in the Global Routing Table but which are not local to this 6K. <Config on 6K within the VRF Routing Table>
Note: 22.214.171.124 is the IP address of loopback 1 and this loopback 1 is in the GRT, i.e. not assigned to a VRF.
    ip route vrf Red 126.96.36.199 255.255.255.0 loopback1 188.8.131.52 global
    ip route vrf Red 184.108.40.206 255.255.255.0 loopback1 220.127.116.11 global
    ip route vrf Red 18.104.22.168 255.255.255.0 loopback1 22.214.171.124 global
I have read through some posts and it seems to indicate that I cannot point to a loopback interface as it is not a point-to-point interface. How can this solution be achieved? The reason I was pointing to a loopback was so that I am not tied to a particular physical interface, and for the summary route that was created in step 1 I am really not sure what L3 interface I could point to since I have multiple SVIs that are in the same VRF. Would I also need to create that same summary within the VRF? I don't intend to, since I am assuming that once within the VRF the more specific connected interfaces would take effect and forward respectively.
In addition to the above I also need to determine the forwarding behavior when there is an ip helper-address configured under the SVIs which are in a VRF but the IP address for that helper is not part of the VRF. I would think that if a static route is configured under the VRF for that helper address network pointing it to the Global Routing Table it should work. The config for that would be
ip route vrf RED 126.96.36.199 255.255.255.255 loopback1 188.8.131.52 global
1. To specify static IPs for components on my network, is it simply a matter of reserving each component in the DHCP Reservations List portion of the Network Settings page?
2. On the same page, in the DHCP Server Settings portion, if Enable DHCP Server : is deselected, does this mean that only the hosts specified in the DHCP Reservations List can access the network? In other words, is access now restricted to these entries?
3. If the DIR-615 is powered OFF, will the above settings, etc. be lost (similar to a reset)?
I have an SG300 switch working in layer 3 mode. I configured 3 VLANs on the switch, assigned all ports, gave IP addresses to the VLAN interfaces, etc. Now I want to implement an ACL to permit or deny access between VLANs and hosts. Can I apply an ACL to a whole VLAN (in or out) like on Catalyst models? I mean apply the ACL to the entire VLAN, or is the only way in this model to implement that ACL port by port? Every time I have a new port configured to work in a VLAN do I have to implement the ACL?
I am going to hook my laptop directly up to my wireless router via Ethernet. I will be showing them security, SSID, etc. My issue is when I put in my WAN and LAN settings. What exactly is the difference between a WAN address and a LAN address? I kept my LAN address the same as the router, 184.108.40.206. I created WAN addresses as 220.127.116.11 with subnet mask 255.255.255.000 but am not sure what to put in for my gateway. Logic says 198.162.128.1; however, that doesn't work. I then configured my TCP/IP to reflect this. Although I can always access my router website, I cannot access any other web sites.
So I had trouble connecting to some sites before, like Apple and such, right? No big deal, just one site. Probably down. Then more and more. I got worried, then figured it was my ISP and went to a neighbor to check. No. It wasn't. I ran home and checked my router, googled it before all my internet went down. I read something about UPnP being enabled, and so after my internet was down I went and checked; it was, so I disabled it.
I would like to know if there is a possibility to create 2 remote access VPNs for 2 ASAs situated in different sites using only one PCF file. Is setting up a tunnel between the 2 ASAs the only way to reach the 2 destinations with the same PCF file?
access https sites from my PC? I cannot access these sites from IE 9 nor Firefox 6. I even disabled the firewall to try getting access to the secured websites, but to no avail. This problem recently cropped up when I upgraded my PC from XP to Windows 7.
Our office is running a Dell PowerEdge server: 2 Xeon processors, 16 GB memory, 5 RAID drives, VMware with 3 virtual machines. One of the VMs handles our DNS and is our main server, the second is an Exchange server, the third is a SQL application. As of recent we have noticed a few websites we can't access (municipalities for which we access tax info) that we need to visit on a regular basis, and it only seems to be just the 3 or 4 that are closest to us. Other area communities we can access fine. All we get is a "page cannot be displayed". The sites work outside our office or on our phones.
I cannot access http sites unless I manually write the prefix https. The issue is mainly on WordPress blog pages and I have to keep writing https if I want to access another blogger's page. For the time being I am using Chrome's extension "Https Enforcer", which slows down my browsing speed, but eventually the sites open. I have to disable it if I have to use Google Images. I use Windows 7, Chrome browser, Pocket Modem.
We have a main ASA 5520 and two remote site ASA 5505s that connect to each other via S2S VPN tunnels. Currently they are doing split tunneling, so only local traffic goes over the tunnel. We have our local LAN (10.0.0.0/16) and our DMZ (10.3.0.0/24) network at the main site. The DMZ hosts our external SharePoint, but we have access to it internally. The problem is site A (10.1.0.0/24) and site B (10.2.0.0/24) have no idea of it, and when attempting to go to the site, it fails. You can access it via the external site address, but that's the only way. Normally the external address is blocked when you are internal. What I'm stuck at is that even when we had all traffic sent from site A to our main hub, it still wouldn't find it. Would I have to make a separate VPN tunnel purely for that DMZ traffic?
I cannot access Google sites or services in any browser; tried Chrome, IE and Firefox. I'm running Windows XP SP3. I can ping Google without issue. My hosts file is clean and I checked in the registry to make sure that the hosts file is where it is supposed to be. I had trouble finding one that worked, but I configured Chrome to use an external proxy and it seemed to work, albeit too slowly to really tell. I did manage to get a Nigerian Google page up though. I've flushed the DNS and switched to the free Google DNS. Looking around I've seen similar issues with people using Linksys routers. I am not using a Linksys router. I am currently using my Android phone as a hotspot. I am running a Windows 7 laptop on the same network with no issues, and booting the same host into Vista also works fine.
I managed to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.
Outside and inside are not accessible to each other because outside is not forwarded to inside.
My purpose now is to access the shared folder by Windows Explorer (under Network) between, for example, DMZ and inside. I tried to do it but cannot even see the host of the other party's network. For example, if I open Windows Explorer at DMZ, I can't see the host at the inside network. Likewise if I open Windows Explorer at inside, I can't see the host at the DMZ network.
How do I configure so that I can access the host as well as the shared folder of two sites which already can ping each other?
when my Linux VM is running! How's this for a mystery: last night I noticed that I could no longer access my Gmail. Thought it might be down. This morning, I still couldn't access it. Thought I would try Comcast, no joy either. Changed computers, no difference. Changed routers, no difference. Bought a new router and started plugging in network cables one at a time. My main machine first, everything works, http and https sites; a second computer, all good. The switch. Fine. Powerline. Still good. Then I plug in a Windows server running a Linux VM. Https sites on all the other machines stop working. Pause the Linux VM, restart router, https sites return to life. Went to the Linux machine, re-enabled IPv6 (the only recent change on the Linux machine was to disable IPv6 since upon a reboot Linux didn't have an IPv4 address). Restart Linux, everything seems fine. A few hours go by, try to connect my wife's new laptop and at that moment wireless seems to stop. Restart router, wireless is back. But lo and behold, https is gone again. Unplug the machine that has the Linux VM, restart router, all is good. Ever see anything this weird?