Cisco WAN :: RFC 1918 And 2827 Filtering Along With URPF?

May 24, 2012

I have R1 (F0/0: 1.1.1.1) and R2 (F0/0: 1.1.1.2) connected together. Once I applied the ACL at R1 in the inbound direction I lost the OSPF session and the ping between these two routers, despite the ACL config below:

access-list 101 permit icmp host 1.1.1.1 host 1.1.1.2
access-list 101 permit ip host 1.1.1.1 host 1.1.1.2
access-list 101 permit ospf host 1.1.1.1 host 1.1.1.2
access-list 101 permit ip 192.168.1.0 0.0.0.15 any
R1
int f0/0
ip access-group 101 in
 
R1 is my main router while R2 is my customer. I gave my customer the block 192.168.1.0/25, so I'm going to implement some security like RFC 1918 and RFC 2827 filtering along with uRPF.

View 2 Replies


Cisco VPN :: AES-256 - ASA That Does Not Use RFC-1918 Addresses

May 21, 2012

We've never had a problem setting up ASA to ASA or ASA to PIX VPN site-to-site tunnels using RFC-1918 addresses (10.x.x.x usually). Now we have a customer (a hospital) that requires a public non-RFC1918 address to be presented to them. Since the addresses that we send are routable, they get routed through the internet instead of going through the tunnel. Here's the boilerplate from the customer:

"Important Note: The following information is to be used as a guideline in setting up a VPN connection between XXXX and your organization. Currently, XXXX supports only site-to-site VPNs and all partners MUST present valid registered public IP addresses through the VPN tunnel. XXXX is unable to accept RFC-1918 addresses (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). We do not support PPTP, L2TP, or client VPN connections through a dialer application."

I was able to get a tunnel running between two ASA-5505 units using a public class C address that is currently not routable. How do I get this to work with a routable address? The tunnel will be carrying patient data and is basically a single server to single server link. It needs AES-256 and SHA-5 encryption but that shouldn't be a problem. The hospital is using a PIX, we are using an ASA-5510 with Security Plus license. We also have a couple of ASA-5505 units with base license to test with.

View 1 Replies View Related

Cisco Firewall :: Double NAT With PAT RFC 1918

Sep 5, 2011

I have two RFC1918 domains I wish to connect. Can I use double NAT with PAT so that each domain is represented as one single IP address, with each session a port of that address?

The link is a private point-to-point link with a /32 mask, so could I use this as the PAT address?

View 3 Replies View Related

Cisco Firewall :: ASA 5505 URL Filtering Using URL Filtering Server?

Feb 7, 2012

I have come across articles mentioning that URL filtering can be implemented by using an ASA 5505 with URL filtering servers. But Websense and other web filtering servers are paid ones? Are there any free solutions available? What exactly is N2H2? The reason is I don't want to increase the CPU utilization of the ASA by implementing URL filtering within the device. If I have around 30 nodes which connect to the internet via a 2Mbps line through the ASA 5505, and if I want to block around say 10 or 15 URLs, will it increase CPU utilization beyond permissible limits? Currently the CPU utilization is around 10 - 15. Here's the infrastructure setup.

------------------------------------------------------------
Nodes -->Switches-->ASA 5505-->Internet
-------------------------------------------------------------

View 4 Replies View Related

Cisco Firewall :: NAT Configuration To Allow Access To Two Hosts In The Same DMZ (RFC 1918)

May 16, 2011

I am using a three interface ASA config (Internet, DMZ, Inside). The DMZ and Inside networks are both RFC 1918 space; however, it is against our corporate policy to allow our DMZ IP space to be internally routable, therefore we must target routable IPs which NAT to the DMZ hosts. In my DMZ network there are two devices - a Web Server and an 802.11 Access Point.

The Web Server is hosting our corporate web site. When the clients accessing the internet via the Access Point try to access our corporate web site they are not able to. A DNS lookup of the A record 'www' returns the public IP address, which when targeted translates to the real RFC 1918 IP of the web server.

Is there a way to use destination NAT or another clever config so that when a host targets a public IP which is being translated on a different interface right back into the same interface it originated from, it would allow the traffic?

View 1 Replies View Related

Cisco Firewall :: ASA 5550 / RFC 1918 - Tunnel Terminates At Outside Interface

Aug 2, 2011

I've recently set up a LAN-to-LAN VPN tunnel to a 3rd party service provider who uses RFC 1918 private addressing internally and cannot perform NAT on their side of the tunnel. In order to avoid conflicts with our address space I've had to implement DNAT for the address on the 3rd party network that users at my end must access. The tunnel terminates at my end on the outside interface of an ASA-5550 running 8.4.2. While the ASA has 8 interfaces at security levels between 0 and 100, DNAT only needs to occur for traffic flowing from inside (100) to outside (0).

The following (redacted) addressing applies:

Address of the server on the 3rd party provider network: 192.168.2.155

Mapped address of server as seen on the network at my end: 10.168.2.155

I've currently implemented DNAT using object NAT as follows:

object network remote-server
host 192.168.2.155
nat (outside,inside) static 10.168.2.155

This works as expected, however in examples and discussion I've seen, it appears that the typical way to configure NAT for this scenario is with manual NAT as follows:

object network remote-server
host 192.168.2.155

object network remote-server-mapped
host 10.168.2.155

nat (inside,outside) source static any any destination static remote-server-mapped remote-server
 
Is there any reason why I should consider using the manual NAT method rather than the object NAT method in this scenario? Are there any technical reasons why using object NAT in this manner should be avoided?

View 1 Replies View Related

Cisco VPN :: ASA5520 Starts To See Internal Rfc 1918 Address Instead Of Configured Address

Mar 6, 2012

I am having an issue where occasionally the Sidewinder starts to see my internal RFC 1918 address instead of the configured external address of my firewall. This is for peering between the two. The error they see on the Sidewinder is: So instead of seeing the external peer address he sees a 10.220.3.18 address. We are not sure what triggers this because normally he sees my 63.117.98.222 address.

View 5 Replies View Related

Cisco WAN :: 881 - Web Filtering Using CCP

Nov 14, 2011

Setting up Web Filtering on a Cisco 881 sec K9 router using CCP.

At the moment every user on the domain gets blocked by the rule that I set up on the Web Filter (just using the wizard and choosing the default category). What I want is to separate users so that a specific user can have full access while other users get filtered by the category.

And yes, I want to configure this using CCP.

View 3 Replies View Related

Cisco :: 4400 Does Not Have IP Filtering

Apr 26, 2012

We have a Cisco 4400 series WLAN controller. When I go to the clients and view who is connected, I can also filter it. However, it only lets me filter by MAC address, AP, WLAN profile, etc.

It does not have IP filtering. Is there a way to filter using IP? Basically I want to find a particular client with a certain IP that's connected to our WLAN. Also, how do we block the client, if we deem that person should not get access?

View 6 Replies View Related

Using MAC Address Filtering?

Dec 19, 2011

I just upgraded to the Belkin N750 DB router from the version just below it and couldn't get the wireless card (Ralink RT2760) in my daughter's dual-boot WinXP/Ubuntu 10.04 to connect to the WPA security setting (WEP only) on the Ubuntu side. There is an updated driver, but it's way above my Linux skill set, so instead I just disabled security completely and used the MAC Address filtering to add all of our household devices. This solved her connection problem, but I am wondering if there is any danger to this method that I might not have considered.

Originally Posted by Belkin, MAC Address Filtering: The MAC Address Filter is a powerful security feature that allows you to specify which computers are allowed on the network. Any computer attempting to access the network that is not specified in the filter list will be denied access. When you enable this feature, you must enter the MAC address of each client on your network to allow network access to each. To enable this feature, select "Enable MAC Address Filtering". Next, enter the MAC address of each computer on your network by clicking "Add" and entering the MAC address in the space provided. Click "Apply Changes" to save the settings. To delete a MAC address from the list, simply click "Delete" next to the MAC address you wish to delete. Click "Apply Changes" to save the settings.

View 8 Replies View Related

Cisco WAN :: 2621 ACL Filtering DHCP?

Jan 26, 2012

I have a 2621 with a WIC-1ADSL that connects to my ISP. Since the 2621 has 2 ethernet ports, I wanted to set up a network on the second ethernet port for testing things such as VPN into my network via my ASA5505. I have a DHCP pool set on the particular network but cannot get a client to get an address from the router. I think I might have an ACL that is blocking, or need an ACL to allow bootp on the interface. Here is the config:
 
Building configuration...

Current configuration : 4144 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname r01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 SECRET
enable password 7 password

[code]...
 
When I try to get an IP address from a client, I never receive one. But when I issue dhcp server statistics, I can see packets hitting the interface:

r01#sh ip dhcp server statistics
Memory usage         14050
Address pools        1
Database agents      0
Automatic bindings   0
Manual bindings      0
Expired bindings     0
Malformed messages   0
Secure arp entries   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         68
DHCPREQUEST          5
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            0
DHCPACK              0
DHCPNAK              5

View 3 Replies View Related

Cisco Firewall :: Could URL Filtering Be Done On ASA 5505 BUN-K9

May 16, 2013

Could URL filtering be implemented on a Cisco ASA 5505-BUN-K9? I mean to block certain websites, like facebook, youtube, and to block certain download files like .exe, .com, .bat etc. Is there any extra license needed for this, or could it be done with the simple IOS ASA5505-bun-k9?

View 4 Replies View Related

Cisco Firewall :: 2811 ZBF URL Filtering

Apr 18, 2012

I am trying to implement the URL filtering feature on a Cisco 2811 router, and whenever I enable the parameter map patterns the router returns (after some time)

%Unable to compile obj regex. [code] The result is that the router blocks ALL webpages without giving a block page message.

View 2 Replies View Related

Cisco Wireless :: WAP 321 Mac-address Filtering?

Nov 26, 2012

I have two WAP 321 devices set up in our building; they are on the same subnet with the same SSID and are using the WDS bridge mode. My question is, if I enable MAC address filtering on one of these devices, will this information be passed to the other bridged device? Or would the allow/deny list need to be populated manually on each device?

View 2 Replies View Related

Cisco WAN :: BGP Filtering Best Method For 2921

Nov 3, 2012

I have recently upgraded my company's network significantly, and in the process removed our Cisco edge routers and firewalls (gasp!), and replaced them with another vendor who gave a better price point for the router. However, I was only able to get ONE edge router, whereas before I had two, so I want to recycle one of my old 2921s as a cold standby (in case the brown sticky stuff hits the rotating air distribution blades, and the $other-vendor router dies). Trouble is, the 2921 does not, I believe, have sufficient system resources to take the full routing table we're getting from our two ISPs. What I would like to ask is people's thoughts on the best method for me to configure the BGP setup on the 2921 to do the following:

- Accept the default route from each ISP and discard *everything* else in the route table
- Modify our advertisement (AS prepend) out the "secondary" ISP to reduce the priority of traffic coming in over this link.
- Configure the OUTBOUND priorities so that the "primary" link is used by preference for outgoing traffic (which will effectively shut down the secondary link for outbound traffic)

View 6 Replies View Related

Cisco :: Enable MAC Filtering On WLC 5508

Jan 29, 2013

I am trying to block clients based on MAC addresses connecting to our Wireless Guest network.

My scenario is: We have 2 interfaces (corporate and a guest). Users are connecting to our guest network after they have automatically connected to our corporate network and logged into Windows. When they realise that things are not quite working in the way they want (access to servers etc.), they reboot and then find they cannot log on to the laptop at all. This is because the laptop has automatically rejoined the guest network and has no access to AD. I then have to locally log on to the laptop and remove the guest network.

It's starting to become a bit of a pain as we are an educational establishment and... well... you would, wouldn't you.

Hardware: WLC5508, Software Version 7.3

So far I've tried enabling MAC Filtering under "Security -> AAA -> MAC Filtering", but found out that it's a whitelist. The opposite of what I'm trying to achieve, but I like the fact you can link it to a specific interface.

I'm just looking at the "Disabled Clients" again under "Security -> AAA ->", but think this is more of a total ban as I cannot see a method of attaching it to an individual interface. I'm kinda stuck and my good old friend Google is not yielding great results.

I'm not by any means a wireless expert, so there is probably a better method. I would prefer to use the controller as a way of achieving this, but if you think I'm wasting my time and should be looking at a Windows Group Policy method then I'll go with that?

View 3 Replies View Related

Cisco VPN :: Content-filtering Over SSL On ASA 5505

Sep 19, 2012

I am trying to do content filtering over SSL VPN (clientless) on an ASA 5505. [code]

View 2 Replies View Related

Cisco :: WLC 5508 - Using Both WPA2 And Mac Filtering

Jan 22, 2013

I am curious if I can do an either/or situation with a single SSID. If you are on the MAC filtering list then you gain access to the network; if not, then enter your WPA2-ENT credentials. I have a minimal amount of users that need MAC filtering, but do not want to give them their own SSID.
 
Cisco WLC 5508 7.4 code

View 9 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Mac Filtering For WLC Clients?

Jul 30, 2012

Any up-to-date reference for setting up ACS v5.3 for MAC filtering via the built-in RADIUS with wireless LAN controllers?

All I seem to find is this old document, which uses the user database.

ACS 5.3 has a host store, which seems like the logical place to set up MAC address information.
 
[URL]

View 1 Replies View Related

Cisco Wireless :: WLC 7.3.0 / MAC Filtering And Web Authentication

Feb 9, 2013

There is a feature in WLC 7.3.0 called Configuring a Fallback Policy with MAC Filtering and Web Authentication. We have an option to configure MAC filtering and we can create a policy so that if MAC filtering fails, it redirects to web authentication.

Here I am using MAC filtering only for my MAC caching process. But when I tried this it's not working.

My MAC address is not there in the WLC, so it should prompt me with the web authentication page. But it's not happening. As long as my MAC is not there in the table, I am not able to connect to the SSID.

So what is this feature (Configuring a Fallback Policy with MAC Filtering and Web Authentication) meant for?

View 4 Replies View Related

Cisco Firewall :: ASA 5505 URL Filtering?

Mar 7, 2011

I have a problem configuring URL filtering on an ASA 5505 rel 8.3.1: I have to block web navigation to facebook and, with my configuration, it works fine. The problem is when I try to access other sites where there are links to facebook: I cannot see that site, and not only the facebook button.
 
regex urllist1 ".*.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1.[01]"
regex urllist2 ".*.([Pp][Ii][Ff]|[Vv][Bb][Ss]|[Ww][Ss][Hh]) HTTP/1.[01]"
regex urllist3 ".*.([Dd][Oo][Cc]|[Xx][Ll][Ss]|[Pp][Pp][Tt]) HTTP/1.[01]"
regex urllist4 ".*.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"

[code]....

View 3 Replies View Related

DLink Dir-632 IP Filtering Feature

Sep 19, 2011

I've a new D-Link DIR-632. All ports sniffed from outside answer stealth by default, and the port forwarding feature works well. The problem is that I would like to allow a trusted net IP to reach my computer, whatever the request may be (whatever TCP/UDP and on any ports). A kind of DMZ just for a precise IP. I tried the inbound filter feature. I've chosen allow, and I've put the same IP as the remote IP start and end. It has been added correctly to the list. However, this IP still doesn't seem to be able to access my computer on any port unless it tries on an already forwarded port.

View 1 Replies View Related

D-Link DIR-601 :: Mac Filtering Not Working

Oct 15, 2010

I tried to find an answer to my issue; however, I came up short. Did find url... but that is for a 600, not a 601. I have "MAC filtering on and to only ALLOW the addresses below"; however, it allows any computer, even if I do not have them listed.

View 3 Replies View Related

D-Link :: DIR 500 Filtering Websites

Jul 12, 2012

I have a D-Link DIR-600 router and I want to block access to website [URL] for only one PC connected to the router. I can either block web access to both PCs connected or block entire web access to one PC.

View 1 Replies View Related

Cisco :: HTTP Inspection URL Filtering On An ASA 5505?

Jan 12, 2011

I'm trying to configure HTTP inspection with regex matching on an ASA 5505 (8.2) so that I can deny all websites apart from google and yahoo, and also exclude host 192.168.1.2 from this inspection. I have been through a number of examples and the syntax below appears correct but does not work. The logs report only that traffic has been dropped by the inspection policy.

View 11 Replies View Related

Cisco Firewall :: ASA5510 HTTPS Filtering On CSC SSM-10

Mar 18, 2013

One of our customers has an ASA5510 with a CSC SSM-10 security module. The software version of the module is 6.6.1125.0. Is it possible to do HTTPS filtering with this module? The customer is complaining that this is not possible. From Cisco I've read the following:

• HTTPS Filtering
– Able to allow or block HTTPS traffic.
– Supports group-based and user-based HTTPS policies.
– Includes URL blocking/URL exception list support for HTTPS domains.

View 2 Replies View Related

Cisco Firewall :: ASA5505 URL Filtering / Blocking?

Jul 7, 2012

I have an ASA 5505 running 7.2.4. I want to prevent users accessing some web sites such as facebook, youtube and hotmail etc.

Which ASA 5505 IOS version should I use to block web access?

I don't want to install a dedicated filtering server (websense etc.), I just want to block web sites statically on the ASA 5505 via ASDM as I only have a few sites to block.

know if ASA 5505 can do URL filtering, and what IOS is required?

View 1 Replies View Related

Cisco Wireless :: WAP4410N AP To Use Mac Address Filtering

Jun 8, 2012

I am using two Cisco AP 4410N series in my network. I want to use MAC address filtering but it supports only 20 MAC addresses to add in the AP.
Is there any way, like an IOS upgrade, for the AP to support adding more MAC addresses?

View 1 Replies View Related

Cisco Wireless :: MAC Address Filtering In Aironet1130AG

Dec 29, 2011

I'm attempting to block about 10 to 15 users on the wireless by using MAC address filtering on the Aironet. I referenced the following link: URL. The policy does indeed work, but once I apply the filter all traffic on the wireless for that particular VLAN stops. Why would this happen? I wouldn't think I need to configure anything else for this to work, but maybe I'm wrong. I was looking over the config and I noticed that each time I added a MAC address to the filter, it would create an access-list 701 deny 0000.0000.0000 ffff.ffff.ffff. Once I removed this access-list, traffic started flowing again, but when I add another MAC address the access-list shows up again.

View 15 Replies View Related

Cisco WAN :: Route Filtering Performed Same Way When Using BGPv4

Jun 24, 2012

I have worked at many companies and I always see route filtering performed the same way when using BGPv4: prefix lists. Why do admins use this method? Don't route-maps/distribute lists perform the same function?

View 2 Replies View Related

Cisco Firewall :: MAC Address Filtering In ASA 5520?

Jul 25, 2008

Can we filter MAC addresses in the LAN using an ASA 5520, and what's the method?

View 2 Replies View Related

Cisco WAN :: Filtering Routes In Ospfv3 Ipv6?

Apr 7, 2013

I have been filtering LSA type 3 and local route-table routes in OSPFv2 IPv4 with the commands distribute-list, area filter-list, route-maps, ACL and prefix-list, but how can I do the same filtering in IPv6 with OSPFv3?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 HTTPS Filtering Bog Down

Feb 15, 2012

I am running a Cisco ASA 5510 with Trend Micro InterScan. We have it set up to filter HTTPS except for a handful of sites. It is filtering the ones we don't want, i.e. facebook and youtube. Though it is causing all other HTTPS to slow to a crawl, therefore some sites time out on us. What should we be looking for to change so it isn't slowing the allowed sites down?

Version numbers
ASA - 8.4(3)
ASDM - 6.4(3)
Trend - 6.6.1125

View 1 Replies View Related
Copyrights 2005-15 www.BigResource.com, All rights reserved