Cisco WAN :: Access-list On Router 3945
Mar 15, 2012
I reported a really strange issue on a Cisco Router 3945. Here below info about release software used: [code] Please look at a brief extract of router running configuration file: [code] It’s an easy configuration of Extended ACL and the application on an Ethernet interface. The expected result is:
- The interface works properly (because access list is permitting every kind of data traffic in input)
- Checking “show access-list 180”, the counter of matched packets increments for all the packets that are forwarded inside the fa0/0/1.
But actually the Fastethernet 0/0/1 drops all the packets as if all the packets don’t match with access list (And this behavior is really incredible). The interface couldn't be used anymore because any kind of data traffic is denied.
View 14 Replies
ADVERTISEMENT
Nov 29, 2010
I am trying to allow telnet to port 551 but i couldn't get it to work.I am using a cisco 1720 router running on IOS 12.2.I am using the below commands to set the access list to allow access to port 551 using remote telnet to the Cisco router.hostname R1!interface ethernet0ip access-group 102 in!access-list 102 permit tcp any any eq 551.After i enter the above command the router will disconnect me and i will not be able to connect to it for awhile. Once the router is up i am still unable to telnet to port 551.
View 14 Replies
View Related
Dec 20, 2011
How to implement mac access-list in 881 and 892 router ? As you now that we can get additional switch-port in the same router but I can't see the function in this router. I guess the switch port must function like the catalyst 2960 switch.
View 3 Replies
View Related
Jan 17, 2011
we installed a cisco router in a school with two vlans (VLAN 1 & VLAN 2) VLAN 1 is for teachers and Admin and VLAN 2 is for students. We want so that VLAN 2 shouldn't be able to access any device in VLAN 1 but VLAN 1 should be able to access all devices in VLAN 1 & 2
VLAN 1 192.168.11.0/24
VLAN 2 192.168.12.0/24
I am using VLAN interfaces. I know we have to use some access lists but if i apply
access-list 100 permit ip 192.168.10.0 0.0.255 any
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
With this access list two subnets can not access each other. How these access list should look likes ?
View 5 Replies
View Related
Apr 9, 2013
I want to block access of some clients from the vlan1 to acces internet blocking their MAC address. How can i do this?
I have tring this way:
access-list 700 deny mac address 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
int fa00
bridge-group 1 {input-address-list 700 output-address-list 700}
but it's not working .
View 1 Replies
View Related
Apr 2, 2013
I have a router in front of a few firewalls on an internet link. All traffic from the inside network must go through one of the firewalls to get out through the router and similarly there is a dmz on one of the firewalls.I am trying to make sure the router is fully hardened.Should I apply an access list on the outside interface of the router along with the access list for management access?
View 11 Replies
View Related
Dec 12, 2012
I am having some issues with creating an ACL for my gateway router.I want to block external access to my network 192.168.1.0/24 from internet so i set up the ACL on the WAN port of my 7200 router asI am using named extened access list -
{
deny ip any 192.168.1.0 0.0.0.255 log
permit ip any any
}
and i applied this inbound accesslist on the WAN port of router as
"ip access-group acl-in in"
Now i have blocked the external traffic to my network 192.168.1.0/24 but the issue i am having is i am also unable to reach outside now. All i want is to block external traffic on the router WAN port but allow internal traffic to outside. Did i miss anything in the access list?
View 5 Replies
View Related
Sep 3, 2012
I have a router 2811 that it's configured with VPN remote access and I'm trying to block clients based on their MAC address, I tried configuring access interface as routing/bridging, configured an ACL 750 for 48-bit MAC address access list and enable "bridge-group 1 input-address-list 750" command on bridged interface, but the only match I got when VPN clients access the LAN is from router interface.
Internet(VPN) ---> Router1 (FE 0/1) ---> Router1 (FE 0/0) --> Router2 (FE 0/0) --> Router2 (FE 0/1) --> LAN
I tried configuring on Router1 (FE 0/0) interface and also on Router2 (FE 0/0) interface with same behaviour. Router2 is used for internal NAT.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
[Code].....
View 4 Replies
View Related
Aug 31, 2012
Where can I find a log or list of devices that attempted to access my EA4500 wireless network?I am using the cloud services to monitor my EA4500 usage in an apartment environment.
View 1 Replies
View Related
Nov 8, 2012
I am trying to find out what the 'normal' operating temperature of the CPU in a 3945 router is? We have just replaced some 2800 routers for 3945's and the NMS server initially complained about the new router CPU temperature being too high. Compared to the 2800 the CPU temperature is much hotter - 50 degrees celcius as opposed to 20-smothing degrees. I have searched but can't find what are considered 'normal'?
This is the output:
router#sho environment allSYSTEM POWER SUPPLY STATUS==========================Internal Power Supply 1 Type: DCInternal Power Supply 1 12V Output Status: Normal
[Code].....
View 3 Replies
View Related
Nov 20, 2011
I'm creating an access-list that will contain all networks and host that will be redistribute into EIGRP.Till now, this access-list contains 72 entries but this number can increase anytime.
I'm using a 3750-x layer 3 switch, and I'm wondering how big this access-list can be, regarding CPU and memory utilization and performance.
View 2 Replies
View Related
Nov 10, 2011
I need to upgrade a router from a 2811 to a 3945.
2811 has the following modules:
View 1 Replies
View Related
Oct 3, 2012
I have some lags on my 3945 router. From show ip nat statistics there is following output:
BR1#show ip nat statistics
Total active translations: 20 (0 static, 20 dynamic; 20 extended)
Peak translations: 8877, occurred 1w0d ago
Outside interfaces:
GigabitEthernet0/0, GigabitEthernet0/1
[code].....
View 1 Replies
View Related
Jan 15, 2013
Is Cisco 3945 router support URL based filtering . For example to block website [URL] but not the main site [URL].
View 1 Replies
View Related
May 18, 2011
3945 Router IOS Required for support VoFR Feature
View 1 Replies
View Related
Aug 11, 2011
I just got my first 3945 router and E3/T3 Network cards and when I do a sho ver I can see the E3/T3 card but when I do a show run all I see are the 3 GE interfaces.
View 1 Replies
View Related
Aug 9, 2011
I am getting the following message from a 3945 router: %CERM-4-TX_BW_LIMIT: Maximum Tx Bandwidth limit of 85000 Kbps reached for Crypto functionality with securityk9 technology package license.
That router has 8 Gre/IPsec tunnels and one of those tunnels is 100Mbps.The question is, could I get 100Mbps as the sum of all tunnels, or is there a restriction to 85Mbps ??
View 2 Replies
View Related
Jul 25, 2011
I was reviewing some old configs at work today and noticed somthing weird in the access-lists. What is this?
View 6 Replies
View Related
Apr 6, 2013
Creating an Access Control List
View 2 Replies
View Related
Jan 12, 2012
so far i also knew that if u assign an access-list to an interface:
for example:
int vlan1
ip access-group 150 in
and the access-list does not exist in the configuration it will block everything meaning it will be an implicit deny empty access-list but lately i've noticed on new routers that its different,if i assign an acl to an interface where the acl doesnt exist in the configuration it acts as permit all,
View 3 Replies
View Related
Feb 27, 2011
this is a project and my configred file:I can't config access list according to the project.
View 19 Replies
View Related
Jan 12, 2013
How to apply access list on Vlans ?
my Scenario is
13 Vlans in cisco 3560 switch (Vlan 10,20,30........ 130)
vlan 10 ---- ip range 192.168.10.0/24 interface vlan 10 ip add : 192.168.10.1
vlan 20 ---- ip range 192.168.20.0/24 interface vlan 20 ip add : 192.168.20.1
here i want to block vlan 10 access to vlan 20 i created extended access list deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
and applied in interface vlan 10 as out now i cant able to access any host in vlan 20 (host 192.168.20.1) but i can able ping vlan 20's gateway 192.168.20.1
View 3 Replies
View Related
Feb 23, 2011
I have a question about access-lists on ASA: (5520 running 8.4)Often I want to permit all traffic from networks behind an interface (let's say DMZ in this example) to Internet, but NOT to internal networks. Then I first configure a Deny from DMZ to all internal network and then a Permit to ANY. If I forget the first Deny I will allow all traffic also to my internal networks. Is it possible to configure an access-list that permit all traffic from a network to all networks that are reachable via a given interface? In this example: Permit all traffic from DMZ to all networks that are reachable via the Outside-interface? This should permit traffic to Internet and deny traffic to internal networks in one statement.If I specify the outside-interface as the destination only traffic to the interface itself will be allowed.
View 1 Replies
View Related
Nov 4, 2008
how to perform port security or mac access-list on LAN ports of router 861 or 881.There are commands access-list 700-799 , but I don't know how to apply that access list on configured vlan or particular port.
View 1 Replies
View Related
Aug 24, 2011
I am having a problem getting this to work and I have always done it with 2 Static ip address. but now this company changed to 1 and I am doing something wrong.
I have comcast with 1 static IP, I have a local LAN with 6 host and 1 server that does Mail and remote access and web traffic.
I need a config that allows me to use 1 static ip on the outside interface of the PIX and allow with an ACL 7 ports open to the server and allow all the local host out to the internet.
View 11 Replies
View Related
Dec 21, 2012
When I try to configure a voice port (like voice-port 0/0/0:15) after doing a conf t, it gives me an error of invalid input detected.We are using a Cisco 3945. We have successfully setup 3825 and 2851 in the past.
View 2 Replies
View Related
May 29, 2010
I have a Cisco 3945 Router and when we try to add the same into the Cisco Works it gives me an error saying " CM0056 Config fetch failed for 192.168.xx.xx Cause: CM0204 Could not create DeviceContext for 1238 Cause: CM0206 Could not get the config transport implementation for 192.168.xx.xx Cause: UNKNOWN Action: Check if required device packages are available in RME. Action: Check if protocol is supported by device and required device package is installed.
We are using LMS version 2.6. Any info on the latest router 3945 with support or not.
View 6 Replies
View Related
Dec 10, 2012
On a 3945 voicegateway,I want to remove a wave file (announcement), with the purpose that a new one can be automaticaly downloaden from UCCE to the box.Is there a way to do that automaticaly with SNMPSET <voicegateway> <MIB OID> <??wave file name??> <reload>
EDIT: or clear the cache, which it should be I think. (all wave file cache, or only one file, not sure what should be used and/or what is possible
View 1 Replies
View Related
Dec 2, 2012
the router IPSec VPN config for remote users using Cisco VPN Client 5.0.07
Router 3945 IOS C3900-UNIVERSALK9-M Version 15.1(4)M4
Here is VPN related config part and log from router and client.
aaa new-model
!
!
aaa authentication login default none
aaa authorization network default none
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
[Code]...
I highlighted strings with possible problems of of unabling to connect but doesn't know what to do with it.
View 4 Replies
View Related
Feb 16, 2011
I'm new to this forum and Cisco in general but I feel it may be very resourceful to me as I am a new network administrator fresh out of school for a local credit unionHere's my situation:We need to limit access to one of our servers to only 3 workstations used by our IT department. The server is on a Cisco 3560G on port 17, which is the interface I'm trying to apply a standard, basic ACL to, which looks like this:
View 10 Replies
View Related
Apr 25, 2013
I've been working on an application recently that practice ACL configuration, and since finishing I figured it should be put on the internet as there wasnt much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.
View 9 Replies
View Related
Dec 18, 2011
I have an extended acl on my VLAN interface in bound and it is working like I need it to, securing one side of my network from the other allowing only what I want from my desktops to my servers. The acls look something like this:
vlan70 -----> inbound acl (allows 80/443) ---> vlan100
I need vlan100 to have access to something on vlan70 now and I cannot get it to work. My question is would this work?
vlan70 -----> inbound acl (allows 80/443) ---> vlan100
vlan100 <----- outbound acl (allows 9100) <---- vlan70
Traffic is initiated from vlan100 not from vlan70 then back through so an established rule does not work. Also there are many more ports open in my inbound acl but this is simplified for ease of reading.I want to make sure if I place both an inbound and outbound rule on my vlan and that it is in the right place, both on the same vlan.
View 1 Replies
View Related
Feb 3, 2011
I have a sip gateway (AS5400) that is used to connect sip providers to our internal voice network.Internal gateway (10.1.1.2 LAN) -- SIP trunk -- AS5400 (10.1.1.3 LAN/ 8.23.23.43 WAN) -- SIP trunk -- Internet SIP Provider We encountered the following problem :A SIP call from internal gateway to the sip provider could establish but was muted on our side (sip provider could hear us)On the WAN interface of the AS5400, there is a ACL that filter traffic IN coming from SIP Provider
interface GigabitEthernet0/0
ip address 8.23.23.43 255.255.255.224
ip access-group 101 in
I log the deny on this ACL and I saw some udp packets denied with LAN addresses !*Mar 3 15:24:44.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.3(0) -> 10.1.1.2 (0), 1 packet I did not bind anything on the sip config.When I changed the ACLs, calls went well.Why do I see LAN packets on the WAN interface ?
View 1 Replies
View Related
