In cisco router 2911 how to creat a network object with port permission on ACL. herz what i have done but couldnt succeed in port 22 and 24 should be denied and rest all port services are allowed to outside interface. [code]
View 3 RepliesAny one know when object-group ACLs will be supported in cat4500 IOS-XE ?? Doesnt seem to be supported now.
View 1 Replies View RelatedI have two layer 3 switches C3560 and C3750 Cisco switches with ios version "ipservices-mz.122-35.SE5".Now with the current ios version, these layer 3 switches are not supporting object group.so my question is , do i need to upgrade the ios, for this feature, if yes, which version ?
View 7 Replies View RelatedCan i use acl object group with wccp redirect list?My platforms are 6500 and isr 2921
View 1 Replies View RelatedDoes the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that in the documentation it requires a netmask as oppose to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly.
We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
can it possible and create dynamic VLAN for specific group of users.
I have 3 ASA 5510s; two of which are in production and the 3rd one is new. I inherited the two in production and was trying to configure that 3rd one using some of the existing object-group network statements. The problem is that when I try to create a range of IPs in one of the object-groups; the range command is not available. Here is one of the statements extracted from one of the production ASAs: object network REMOTE range 62.77.130.14 62.77.130.208.Both ASAs have the same image ver (asa842-k8). Is there something that I am missing to be able to enable the range option on the new ASA?
View 2 Replies View RelatedWe have Cisco ASA 5510, I am about to add another 2 Objectgroup network groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
Also are there any other things to keep in mind before i go-ahead with this huge object group?
I have recently upgraded my ASA 5510 to 8.3 code and honestly I am confused on the best and most efficient way to do many nat translations through it. I have a group of about 100 IP's that need http/https/and sqlnet allowed through for our web farm.
I have a text file with the real and translated IP addresses and in 8.2 I could simply modify it and dump the thing in and make the NAT rules and access-lists. Now with the new object based model I am having a hard time wrapping my brain around how to do this using as few lines of code as possible.
Do I have to create an network object for each and every IP i want to nat through?
I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an object group as a source
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?
I'm migrating our network objects from our current firewall to a new ASA 5520 configuration. I'm using ASDM 6.4 for configuration.
We have a range of IP addresses for hosts that we need to add to a firewall rule/ACL. In the previous FW software I could create an object that was a range of IP address. For example there is an object called emailservers that is defined as 192.168.2.25-192.168.2.50.
Is there a way to do a similar thing on the ASA 5520?
I can see how to create subnets, but in this case I only have a range of IP addresses, no subnet mask.
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
my ip service object
object-group service g-as400 description access client 2 as400 machine service-object tcp-udp destination eq 397 service-object tcp destination eq 137 service-object tcp destination eq 2001 service-object tcp destination eq 3000 service-object tcp destination eq 445 service-object tcp destination range 446 447 service-object tcp destination eq 449 service-object tcp destination eq 5010 service-object tcp destination eq 5544 service-object tcp destination eq 5555 service-object tcp destination range 8470 8476 service-object tcp destination eq 8480 service-object tcp destination eq
[code]...
I have started to use ip extended access-lists on several 3750X-switches to filter inbound and outbond traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is it really no way to group different ip-addresses into groups and then use these groups in the access-lists?
I am running sw version 15.0(1)SE2.
I am using a bunch of Cisco 1721 routers for my T1 lines. We recently purchased Digi cell modems as a backup for the T1. On configuring vrrp to work on both devices I discovered that IOS 12.3(6c) does not support the "vrrp track" feature. After reviewing the Cisco Feature Navigator I could not see an IOS that will support the vrrp object tracking. Is that correct? The routers have T1 WIC's installed. If it does work what is the latest IOS that will work on this end of life product?
View 1 Replies View Relatedim unable to create pri-group under T1 controllers in 2651xm , I have 3 T1 VWIC controller cards [dual port], tried using differnt IOS [advance enterprise/IPVoice/SPservices], i can onyl see channel-group unter the controllers.
network-clock-particiapte slot 1
network-clock-participate wic 0
i havent added "isdn switch type", does addign these command enables the Pri-group, also wheni do sh inv, i see 3 pvdms, but no serail number,
Last time, i´ve implemented a Remote Access VPN to my network with ASA 5510 I´ve allowed to my VPN an acces to all my Internal LAn But i want to configure a group of vpn in the CLI for have different group of user which can access to different server or different network on my LAN.
Example : informatique group------access to 10.70.5.X Network
Consultor group -------- access to 10.70.10.X Network
I need to know how can i do that , and if you can give me some eg script for complete this Here is my configuration :
ASA Version 8.0(2)!hostname ASA-Vidruldomain-name vidrul-ao.comenable password 8Ry2YjIyt7RRXU24 encryptednamesdns-guard!interface Ethernet0/0 nameif outside security-level 0 ip address X.X.X.X 255.255.255.X!interface Ethernet0/1 nameif inside security-level 100 ip address X.X.X.X 255.255.255.X!interface Ethernet0/2 shutdown no nameif no security-level no ip address!interface Ethernet0/3 shutdown no nameif no security-level no ip address!interface Management0/0 description Port_Device_Management nameif Management security-level 99 ip address X.X.X.X 255.255.255.X management-only!passwd 2KFQnbNIdI.2KYOU encryptedftp mode passivedns server-group DefaultDNS domain-name vidrul-ao.comaccess-list 100 extended
[code]....
I am using Cisco 2911 & IOS version is 15.1. My problem is that after some days (e.g. 15-20 days), the routing table suddenly stops updating & then I have to enter the default route again to make it up. I am using Track 1 to track default route here. After primary link goes down, the Track is also going down but after coming the primary link up, the track is not coming up. So, I have to add the default route again to make it up.
View 2 Replies View Relatedi am not able to apply an access-list to FastEthernet 0 as the ip access-group is not supported in Interface mode but only in interface vlan mode.How can I stop traffic into the LAN network?
View 6 Replies View Relatedi downloaded and transfered the new ios to the 2911, but no install routine started.
View 3 Replies View Relatedafter installation of demo versions of 2900-SEC-TEMP & 2911-2921-SSLVPN-TEMP & rebooting the 2911 router I do not have access SSL commands.Show license indicates that 2900-SEC-TEMP & 2911-2921-SSL-TEMP licenses are active but NOT IN USE.
View 1 Replies View RelatedI am configuring my first 2911 using a SFP card but I dont know the interface name for this module.
show inv shows the card..
What is the interface number for this card or if it needs some config before it will recognize the interface?
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
View 21 Replies View RelatedI have installed a cisco 2911 router and the cisco usb console drivers on my pc, win 7 64 bit.however when I use putty and open the com port assigned it just goes blank, I am using the usb port on my laptop to connect and using the cisco usb console cable provided
View 1 Replies View RelatedI've got two routers, Cisco 2911's with 15.1(4)M1 on one and 15.0(1)M5 on another.
I'm trying to set up ip sla for vrrp tracking but the commands seem gimped? I don't even have an option for ip sla <operation number>. All I've got is ip sla responder/server/key-chain.
we are in the planning phase for a network upgrade. We have two C2960 Switches connected via one (L2) Etherchannel (4x1 Gbit/s) which works very well. In the next phase we would like to upgrade our router to an 2911 series which has 3 gb interfaces. and indeed we would like to create an etherchannel as well. our plan is to use 2 of the 2911 to connect to the first 2960 switch and the one left to the other 2960. i think we will achieve some redundancy with this config.
View 6 Replies View Relatedconnected DSL directly to 2900 series router , but as DSL public IP is not static (dynamic) its difficult to access Router when out of home, any other means to access router without static IP
View 2 Replies View RelatedI have 2 2911 routers that will be connected via fiber with an ethernet Gig handoff to each router. Each router will then be connected to local networks on a second ethernet interface on the router. I have always connected routers via serial connections so this is new to me. Outside of the usual ethernet interface addressing configuration, is there anything else that would need to be configured on the 2 routers?
View 1 Replies View RelatedI have two cisco 4506-E series switches ..
We are planning to go for HSRP redundancy for 32 VLANs. Means In a Cisco 4506-E switch , we will configure 32 vlans and among them 16 vlans will be primary and 16VLANs will be standby ans it is viceversa in another core-switch
My querie is How many standby groups can we create in Cisco 4506-E switch,
Is there any limitation..
If there is any limitation , can we go ahead with VRRP,GLBP? Are there any limitation in VRRP/GLBP? Is there any design related issue can we face if we use same group number to all VLANs?
Product details :
Model : Cisco 4506-E
Sup Model : WS-X45-SUP6L-E
IOS : S45EIPBK9-12254SG
What is the maximum group of HSRP Group that supports the WS-C3750G-24T-S running the IOS c3750-advipservicesk9-mz.122-44.SE2.bin?I have this message:Mensaje ERROR: %Platform already has maximum FHRP groups configured
View 6 Replies View RelatedI need to know, can i create svi on the ASR 1002 ?
View 2 Replies View RelatedI want to confirm this is a licensing issue. On a 3750X with ipbase, I cannot create a vrf. So I would need the universal image, and that is a seperate license, correct?Is there a link that describes the difference bewteen ipbase and univeral images?
View 6 Replies View Relatedi want to check if cisco2911-sec/k9 can support IP service image? what PAK(license) can be bought to activate the IP service feature set?
View 1 Replies View Relatedwe have bought 2911 router recently has to set up VOIP line seperately for the network we have two two broadband service provider:
1. how can i use 1 line as an active and other line as a failover(when 1 line is down other line should automatically bear the traffic).clear config will be useful. NATTING using MAtch address objects( roughly )
broadband service provider 1: 97.89.X.X 255.255.252.0
broadband service provider 2: 10.0.x.x 255.255.240.0
2. there are only 20 users to set up a voip line now. here we have telecom provider where they should route the traffic to make any international calls( say telecom public ip 200.200.109.110)from lan - wan everything is allowed from wan -lan we have to allow only telcom provider IP(200.200.109.110)