Cisco VPN :: Filter Remote Access Traffic On PIX 501?
Mar 20, 2012
Is it possible to filter remote access VPN traffic on a PIX 501 (like you can on an ASA)?
I have a 2811 router that is configured with VPN remote access, and I'm trying to block clients based on their MAC address. I tried configuring the access interface as routing/bridging, configured ACL 750 as a 48-bit MAC address access list and enabled the "bridge-group 1 input-address-list 750" command on the bridged interface, but the only match I get when VPN clients access the LAN is from the router interface.
Internet(VPN) ---> Router1 (FE 0/1) ---> Router1 (FE 0/0) --> Router2 (FE 0/0) --> Router2 (FE 0/1) --> LAN
I tried configuring this on the Router1 (FE 0/0) interface and also on the Router2 (FE 0/0) interface, with the same behaviour. Router2 is used for internal NAT.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
[Code].....
I am having trouble making my remote access VPN decrypt traffic. I am using an ASA5510 and the Cisco 5.0 VPN client. I have no problem getting the tunnel to come up, but the "decrypted traffic" stays zero and the "discarded traffic" increments continuously. Here is the ASA5510 crypto config: OK, I guess this site doesn't allow pasting text, so I attached the config. I am pretty sure that I can't pass traffic because I have not been able to figure out how to specify the interesting traffic for the VPN connection. What is the syntax for this? It looks like it should be some kind of tunnel-group commands.
Am I the only one who thinks that the Cisco documentation is worthless on this subject? The ASA config guide gives you everything you need to set up a tunnel, but has absolutely nothing on the config required to actually pass traffic.
Most of our VPN connections are done with our Cisco 3030 and the internet goes out the ASA. We are able to filter all web traffic by doing a span port for web traffic.
When we move VPN connections to the ASA we will lose the ability to span web traffic because it's coming in and going out the same interface on the ASA. We will lose the ability to filter web traffic when this happens.
How can we filter web traffic on VPN connections on the ASA? We are using Websense. I know there is some integration that can be done with the ASA and Websense, but it doesn't have all the capabilities of doing a span port for Websense to monitor.
I've got a PIX running 7.2(4) with its outside interface on the Internet. The only thing this PIX is doing is acting as the endpoint for an IPSEC LAN-to-LAN tunnel with an Internet-connected ASA on another network.
I'd like to filter inbound Internet traffic to this PIX so that only the designated ASA can attempt to establish an IPSEC connection -- in other words, I want to prevent any other device on the Internet from even being able to attempt to establish an IPSEC connection to the PIX. As far as I know (and have seen), this can't be done with an access-list on the outside interface, since that access-list doesn't apply to traffic to the PIX itself.
We have remote VPN set up with a Cisco ASA 5510. By using a VPN filter, I can follow the guide and make clients use all necessary server services (DNS, SSH etc.). However, is there any way that allows an inside server to access the remote VPN client's services, e.g. let an inside server SSH to a remote VPN client? Considering the remote access VPN filter ACL syntax, I always have to let the source be the "remote VPN client PC" and the destination be the "inside firewall server", so how can I let traffic go the other way?
Is it possible to configure a Cisco router like a C3800, or Catalyst switches like a C4500 or C2960, to filter traffic based on allowable MAC addresses only? I would like to allow only those devices that belong to the domain, meaning that if a user connects a computer or any device to the network whose MAC address I have not allowed, it will be denied access to the network. However, any of the allowable devices should be able to use any port of the switch, meaning I don't want to associate an allowable MAC address with a physical port on the switch.
I have a site-to-site VPN set up between a 5510 and a 5505. All traffic is sent over the VPN from the remote site to the home office. Everything is working fine, but the remote site "www" traffic is not going to the Barracuda. ISP -> Cisco ASA -> Barracuda -> Internal Switch. The Barracuda is set up "inline" with the internal network.
When I try to configure the Botnet Traffic Filter with the command "dynamic-filter use database" through the ASDM, I get the following error message:
[ERROR] dynamic-filter use-database Dynamic Filter: New data file not terminated with newline
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
I have an ASA 5585 and a Nexus 5596, and I need a suggestion to configure this scenario:
My users in VLAN 10 need access to the network in VLAN 20, but this traffic must be filtered by the firewall. On the firewall I receive a trunk port from the Nexus 5596, and I created subinterfaces to receive the VLANs on this trunk.
The gateway for my users is the address for the ASA subinterfaces.
What do I do to filter the traffic between the VLANs?
Can the SRP547W be configured to allow traffic on port 25 from an external ip range to an internal address?
We want to filter IP traffic by MAC address on a Catalyst 4500. Since we are using bonding (active-backup mode), we need those MAC addresses to appear on different ports. Below are the solutions we have tried: a MAC ACL, but it does not work since MAC ACLs only match non-IP traffic (we CAN NOT use an IP ACL); a static mac address-table entry to ALLOW specific MAC addresses, which does not work either, since the same MAC address needs to be seen on a different port. The Catalyst 4500 does not support the auto-learn option (as e.g. the Nexus 5000 does).
How does a firewall block or filter traffic on a specific port or IP address?
I'm decommissioning my SonicWall PRO 3060 and upgrading to an ASA5550 (we're increasing our WAN link speed to 1Gig and need the 5550). In any case, I want to copy over the configuration from the PRO to the ASA. I have everything documented and I've started doing the changeover, but in looking at some other network diagrams on the net I'm seeing router symbols between the LAN switches and the ASA and I'm beginning to worry that I might need routers to do this which, of course, would increase cost quite a bit.
So my question is this: If I have a core switch carved into multiple VLANs and I connect each VLAN to a port on the ASA, will I be able to route and filter traffic from VLAN to VLAN through the ASA? If so, how, in general, is this accomplished (I'm betting ACLs)? I think that the ASA will be able to do this easily, but I just want to be sure before I get too far into the configuration of this unit.
ASA
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GigE0/0 GigE0/1 GigE0/2 GigE0/3 GigE1/0 GigE1/1 GigE1/2 GigE1/3
| | | | | | | |
| | | | | | | |
WAN BackupWAN VLAN400 VLAN500 VLAN600 VLAN700
I am having a setup with a 2851 router and a Websense URL filtering server where I need to forward the traffic to the Websense server for all internet requests. The HTTP traffic is getting filtered properly, but the HTTPS traffic is not getting filtered. The two commands I have given for http & https are as follows:
ip inspect name test http urlfilter
ip inspect name test https
I have upgraded to the new RV042G to take advantage of the gigabit Ethernet speeds and to prepare for when our ISP upgrades our bandwidth. I currently use the RV042 with ProtectLink enabled to filter out various categories from our network traffic. I noticed that this feature is not included with the RV042G.
Is this something Cisco will decide to add back in later? In the meantime, how can I block content on the network? The basic URL and keyword filter will not meet our needs, since it is much easier to let a service such as Trend Micro manage what is blocked in the categories they offer.
I have a couple of C2960G and C3750 switches. Is there any way to filter (on the ingress port) the type of traffic? I would like to allow IP only, and discard (e.g.) IPX, or other garbage that any device can produce. I have tried to find something about this, but the only thing I have found is the "protocol filter" feature, which doesn't seem to be working on my hardware.
I had to edit an ACL on an active S2S VPN today because traffic was being denied from a host onsite to a host on the remote site (port 449). After I made the change, we tried to make the connection again, but it was still denied. Do we need to tear down the S2S VPN for the change to the ACL to take effect? Also, what if we just wait for the connection to rekey itself? Will it work after that?
I'm trying to find the maximum number of MAC filters that are supported on the Cisco 4410N access point. The datasheet says that it supports MAC filtering but does not indicate the maximum number of filters.
I need to block internet on all computers in our clinic except a few websites (URLs) that we need. I'm doing this on the router in the WEBSITE filter in the manner of DISABLE ALL, except...
Specifically, I have issues with using the FAX client. ringcentral.com is ENABLED on the router, so anything within this DOMAIN will work (e.g. forum.ringcentral.com).
BUT when I attempt to send a fax, it falls into a black hole. Although the client application shows "being sent", it won't go to SENT items and it just disappears. When I disable the website filter on the router, it works.
There must be a different URL that the RingCentral call controller tries to connect to when sending. Receiving works with no problem even with the website filter on. How do I detect / intercept what URL / IP address is trying to be reached so I can enable it on the website filter?
We have a Cisco ASA 5520 and Websense. I added a filter, but it seems like it is still not allowing us to access a certain website from most of the machines; however, some machines with the same configuration work on the DMZ. Accessing the website tells us:
"Firefox has detected that the server is redirecting the request for this address in a way that will never complete".
Filter I applied on the firewall:
filter url except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
filter https except 0.0.0.0 0.0.0.0 64.18.218.0 255.255.255.0 allow
I tried to configure my wifi router recently to secure my internet connection. I wanted to add a MAC address filter, but I had to leave before I could enter them all. I thought that I wouldn't have to enter my own MAC address since I'm directly connected to the router with a wire, but it looks like I should have entered my MAC address, because now I can't get access to my router by typing the IP address, as usual. I tried to reset it, but it doesn't work.
I have a few ASAs with L2Ls in a hub-and-spoke fashion; it works great. All ASAs are 8.2(1). I've tried to add remote VPN to the HQ ASA. I have this working on a PIX 6.3 box at HQ, but have not been able to make it work completely on the ASA.
Just to check, I also set up remote client vpn access on one of the spoke ASAs, and that actually did go well. Applying the equivalent config on the HQ ASA - won't function.
The problem with the HQ ASA remote client VPN is that after completed phase 1 & 2, the traffic goes one way only, from the client side towards the ASA, i.e. the remote side only encaps, no decaps; the ASA side only decaps, no encaps. If the remote client pings a host on the inside (i.e. behind the HQ ASA) the packets arrive, and are returned towards the ASA (a correct route for the remote VPN network is in place on the inside host). However, it seems as if the ASA doesn't send that traffic back into the tunnel, but rather sends it unencrypted through the default route (doing a traceroute from the inside host, for instance, suggests this).
The ONLY way I can pass traffic towards the remote client is by initiating a ping from within the HQ ASA; it's the only time I get encaps on the ASA side and decaps on the remote side of the tunnel. Interestingly, it's actually the "ping outside 192.168..." that works; doing an "inside" ping fails. Compare this to the spoke ASA and its remote VPN client: there an inside ping is successful, but not an outside ping, i.e. the spoke ASA functions as expected with its remote VPN. Given that the configs on the two ASAs are the same for remote client access, I would have expected both to work, not only one of them. But then, the HQ ASA has more lines of code, and I guess that something there gets in the way. [code]
I have a game launcher that does not want to update because: "The system is unable to connect to the update server url... The Windows operating system has a proxy redirecting port 80 to your local machine port 8877. If you have a real proxy, make sure it is configured to allow port 80 .NET remoting traffic. If you do not have a proxy, you may have leftover problems from malware, in which case you will have to disable the proxy on your machine." I have made many tests and I have no malware and no proxy! So, as the error message says, the problem is because port 80 is not allowed .NET remoting traffic. How do I allow it?
If you have the MAC filter enabled with the E4200 Firmware Version 1.0.01, you cannot connect to guest.
I have several laptops at home that connect via wireless connection to the DIR-655. Using the MAC address of those laptops, I want to prevent them from going to certain websites. Under "Advanced" and "Website Filter", I added several domain names (websudoku.com for example). I selected "DENY computers access to ONLY these sites". I then saved settings. I then went to "Access Control". I clicked on "Enable Access Control". I clicked on "Add Policy" to create a new policy for one of the laptops. When I boot the laptop and go to one of the websites, it still allows me access. The URL/domain name is correct.
I have a problem with ASA 8.4.2 and U-turn for remote VPN traffic that needs to exit from the remote VPN and then make a U-turn on the outside interface to enter another site-to-site VPN.
The interesting traffic access list is modified as needed and routing is OK, but "debug icmp trace 20" is showing that the ICMP packet from the remote VPN client address to the host on the other side of the maintained site-to-site tunnel is going to the inside, not to the outside as it should.
Route
S 172.17.1.2 255.255.255.255 [1/0] via Internet Provider, outside
ASA# ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=159 len=32
ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=160 len=32
ICMP echo request from outside:172.16.10.149 to inside:172.17.1.2 ID=1 seq=161 len=32
The same-security-traffic intra-interface command is entered.
For some reason I can't get Access Control/Web Access Filters working on my DIR-655 with 1.35NA. I've tried it with MAC and IP address without any success. I've also enabled/disabled/enabled DNS Relay, recreated the rules, recreated the filters, etc. Nothing.
I have a customer which has a main office location and a remote one. Recently we interconnected their facilities using a local ISP service called Virtual Connectivity, which basically is a private network that can be accessed over aDSL or any other data circuit. They are using Cisco 888 routers to interconnect both sites. At the main site the customer also has an Internet circuit (with a Cisco 857 router) and he wants to remove the Internet circuit from the remote site and provide them access over their main location Internet circuit. At the primary offices, we installed a Cisco 2811 router as a gateway to route the Internet and remote network traffic over the required data circuit. Everything is working fine, but we cannot access the Internet from the remote location over the circuit installed at the main site. I understand this is a routing issue: once the traffic hits the main office network it does not know how to reach the Internet. I am assuming this routing must be set in the main office Cisco 888 router (installed by the ISP to interconnect to their private cloud) in order to properly route it over the Internet circuit. Since I already have access to the Internet router and the gateway router at the main site, but not to the ISP router, is there any other way I can make this configuration on the routers I already have access to?
We have a Cisco 2921 router at the head office (Easy VPN Server) and have been deploying Cisco 887VA (EasyVPN remote - Network Extension) for remote offices using EasyVPN. We are allowing Voice and Data traffic over the VPN. Everything has been working great until this issue was discovered today:
When a remote user behind Cisco 887VA calls another remote user also behind Cisco 887VA, the call connects and Avaya IP phone rings but no voice in either direction.
Calls to/from head office and external mobiles/landlines are fine. Only calls between two remote sites are affected. As there is no need for DATA connection between Remote office, our only concern is Voice support.
I think "hair-pinning" of traffic over VPN interface is needed. (Examples configs etc).
I'm using my 655 as a WAP, so nothing is connected to the WAN port. Since I run SBS2008 in my home, I also have the 655's DHCP disabled. If I enable Network Filtering, everything inbound/outbound on the LAN ports works except accessing the Admin page, even if I put the connecting PC's LAN MAC in the table.
I'm trying to set up a website filter on my DIR-601. I created a policy for 2 MAC addresses, with a schedule from 10AM-6PM, selected "Block some websites", and disabled logging. Under website filter, I added some entries, and selected "DENY computers access to ONLY these sites". When the policy is enabled, and I try to access one of the blocked websites, it gets blocked correctly ("The URL access was denied by administrator."). However, for all other websites, I get "server unexpectedly dropped the connection" errors, e.g. "Safari can't open the page [URL] because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes, and then try again." or in Chrome "No data received. Unable to load the webpage because the server sent no data." This happens with ALL non-blocked websites. I'm using hardware version A1, firmware version 1.01NA.