06-24-2014 02:55 PM - edited 03-11-2019 09:22 PM
Hi,
I have a network segmented out into two pieces.
Inside nic has a bunch of servers, one of which is a WINS server, and ethernet1 has a segmented network which should have basically no access to the inside nic. I did not want to stand up another WINS server. Is there any way to add to my access-list a rule that only allows WINS lookup traffic? The purpose of this is for pinging via hostname when connected to the separate network via VPN.
Thanks,
Jeff
06-24-2014 02:58 PM
Can you post your existing ACL?
06-25-2014 06:07 AM
Hi,
Is that really necessary to explain how to allow WINS traffic?
I don't have the actual config as I am not at home right now. I do, however, have the configuration script I have been building to reset/set up the configuration:
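#open hyper terminal on machine where cisco pix is plugged into the console port
#set baud rate to 9600
#restart device
#NOTE: the next two commands wipe the saved configuration and reboot the unit;
#everything below rebuilds it from scratch, so keep this script and the backup
#taken at the end somewhere safe before running them
write erase
reload
#may need to do above 2 commands again to get to interactive config prompts below
#The interactive setup asks the prompts listed here; the bare lines that follow
#the prompt list are the answers, typed in the same order.
#Pre-configure Firewall now through interactive prompts [yes]? Hit Enter
#Firewall Mode [Routed]: Hit Enter
#Enable password [<use current password>]: password
#Allow password recovery [yes]?
#Inside IP address: 10.1.1.1
#Inside network mask: 255.255.255.0
#Host name: thcvpn01
#Domain name: somedomain.net
#IP address of host running Device Manager:
#Use this configuration and write to flash? yes
y
Routed
#'password' is a placeholder for the enable password. This file holds it in clear
#text, so treat the file as a credential and use a strong value on the real device.
password
Yes
#presumably the answer to the year/clock prompt, which is not in the list above -- TODO confirm
2014
10.1.1.1
255.255.255.0
thcvpn01
somedomain.net
yes
enable
password
configure terminal
#outside interface takes its address and default route from the ISP via DHCP
interface ethernet0
nameif outside
ip address dhcp setroute
no shutdown
exit
#configure dns
#let the firewall itself resolve names on the inside and outside interfaces
dns domain-lookup inside
dns domain-lookup outside
#set the dns servers to use globally
dns name-server 8.8.8.8
dns name-server 8.8.4.4
#configure dhcp
#set the address range
dhcpd address 10.1.1.50-10.1.1.254 inside
#set the dns to use
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
#hand inside DHCP clients the WINS server that lives on the inside LAN
dhcpd wins 10.1.1.3
#allow dhcpd to work on the inside interface
dhcpd enable inside
#set up network address translation
#enable network address translation (with nat-control, hosts need a nat rule to pass)
nat-control
#Define the inside group to be included for NAT.
nat (inside) 101 10.0.0.0 255.0.0.0
#Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated.
global (outside) 101 interface
#NAT exemption list, used with 'nat 0' below: traffic matching these entries is
#passed without translation. These are NOT permit rules -- interface ACLs and
#security levels still decide whether the traffic is allowed at all.
#inside LAN -> full tunnel pool (10.1.2.x) and split tunnel pool (10.1.3.x)
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
#the reverse direction: VPN pools -> inside LAN
access-list ThcInside-nat0 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ThcInside-nat0 extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
#full tunnel hosts -> split tunnel hosts
access-list ThcInside-nat0 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0
#split tunnel hosts -> full tunnel hosts
access-list ThcInside-nat0 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
#apply the exemption list to the inside interface
nat (inside) 0 access-list ThcInside-nat0
#allow traffic to enter and leave the same interface -- presumably so VPN clients
#(all terminating on outside) can reach each other, matching the two entries above
same-security-traffic permit intra-interface
#allow a limited set of ICMP replies/errors in from the outside so outbound pings
#and traceroutes get their responses; this is all that outside_access_in permits
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-group outside_access_in in interface outside
#ASDM / HTTPS management access. 10.0.0.0/8 is far wider than the inside LAN set up
#above (10.1.1.0/24); restricting this to the admin host(s) shrinks the management surface
http server enable
http 10.0.0.0 255.0.0.0 inside
#allow ping packets into the network (icmp inspection on the default class)
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
exit
exit
#setup authentication mechanisms for vpn access
#part one is peer to peer communications (IKE phase 1)
#NOTE(review): DH group 2 (1024-bit) and SHA-1 are dated choices; use the strongest
#group/hash that this PIX software and the VPN client both support -- confirm on the device
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto isakmp nat-traversal 30
#part two is cryptography (IPsec phase 2); reverse-route injection adds routes for connected clients
crypto ipsec transform THCTransformSet esp-aes-256 esp-sha-hmac
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
#setup vpn user names
#'password' is a placeholder -- use a unique, strong secret per user. Nothing in this
#script ties a username to one tunnel group, so every local user can presumably connect
#to any of the groups below; confirm that is intended.
username user1 password password
#setup full tunnel vpn access
#nat rule for the pool, so tunnelall clients reach the internet via the outside interface
nat (outside) 101 10.1.2.0 255.255.255.0
ip local pool ThcIPFullTunnelPool 10.1.2.1-10.1.2.254 mask 255.255.255.0
group-policy THCFullTunnel internal
group-policy THCFullTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
wins-server value 10.1.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
tunnel-group THCFullTunnel type ipsec-ra
tunnel-group THCFullTunnel general-attributes
address-pool ThcIPFullTunnelPool
default-group-policy THCFullTunnel
tunnel-group THCFullTunnel ipsec-attributes
#group pre-shared key; 'password' is a placeholder -- pick a long random value (same for every group below)
pre-shared-key password
#setup split tunnel vpn access
nat (outside) 101 10.1.3.0 255.255.255.0
#only the inside LAN goes through the tunnel; everything else leaves the client directly
access-list THCSplitTunnelAccessList standard permit 10.1.1.0 255.255.255.0
ip local pool ThcIPSplitTunnelPool 10.1.3.1-10.1.3.254 mask 255.255.255.0
group-policy THCSplitTunnel internal
group-policy THCSplitTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
wins-server value 10.1.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value THCSplitTunnelAccessList
tunnel-group THCSplitTunnel type ipsec-ra
tunnel-group THCSplitTunnel general-attributes
address-pool ThcIPSplitTunnelPool
default-group-policy THCSplitTunnel
tunnel-group THCSplitTunnel ipsec-attributes
pre-shared-key password
#setup web only vpn access
#tunnelall with no wins-server and no nat0 exemption for 10.1.4.x, so these clients
#presumably only get internet through the firewall (see the test cases)
nat (outside) 101 10.1.4.0 255.255.255.0
ip local pool ThcIPWebOnlyTunnelPool 10.1.4.1-10.1.4.254 mask 255.255.255.0
group-policy THCWebOnlyTunnel internal
group-policy THCWebOnlyTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
tunnel-group THCWebOnlyTunnel type ipsec-ra
tunnel-group THCWebOnlyTunnel general-attributes
address-pool ThcIPWebOnlyTunnelPool
default-group-policy THCWebOnlyTunnel
tunnel-group THCWebOnlyTunnel ipsec-attributes
pre-shared-key password
#setup email logging of remote vpn sessions
no logging asdm
logging enable
logging timestamp
#NOTE(review): 10.1.1.1 is this firewall's own inside address (set in the setup
#prompts above); confirm which syslog host was actually intended here
logging host inside 10.1.1.1
#only these two message IDs are mailed; per the heading above they cover remote VPN sessions
logging list THCLogList message 113012
logging list THCLogList message 113019
#mail relay is the same inside host as the WINS server
smtp-server 10.1.1.3
logging from-address someone@somewhere.com
logging recipient-address someone@somewhere.com level debug
logging mail THCLogList
#setup segregated network segment
#setup and configure ethernet2 nic
#NOTE(review): lab gets security-level 100. If inside is also 100 (the usual default
#for the inside interface -- confirm with 'show nameif'), traffic between lab and inside
#is dropped unless 'same-security-traffic permit inter-interface' is configured, and
#only 'intra-interface' is enabled above. That keeps the lab isolated, which is the goal,
#but it also blocks the WINS lookups to 10.1.1.3 handed out further down.
interface ethernet2
nameif lab
ip address 10.1.5.1 255.255.255.0
security-level 100
#fixed: the original line had a trailing '.' ("no shutdown."), which the CLI rejects,
#so the lab interface would have stayed administratively down
no shutdown
exit
#allow dns lookup
dns domain-lookup lab
#allow dhcp to give out IP addresses in specified range to the lab hosts, for hosts not connecting through a tunnel
dhcpd address 10.1.5.150-10.1.5.200 lab
dhcpd dns 8.8.8.8 8.8.4.4 interface lab
dhcpd enable lab
#gets web access running from the 10.1.5.x subnet
nat (lab) 101 10.0.0.0 255.0.0.0
#NAT exemptions for the lab; as above, these only skip translation, they do not permit
#lab -> inside LAN
access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
#lab -> full tunnel hosts
access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.2.0 255.255.255.0
#lab -> split tunnel hosts
access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.3.0 255.255.255.0
#lab tunnel clients (pool below is inside 10.1.5.0/24) -> lab hosts that are not in the tunnel
access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.5.0 255.255.255.0
#apply the same exemption list to the lab interface (inside was done above)
nat (lab) 0 access-list ThcInside-nat0
#define the ip address pool to use when connecting through a tunnel
#NOTE(review): the pool is carved out of the lab's own /24, above the dhcpd range
#(.150-.200); confirm lab-side hosts can reach .201-.254 through the firewall
ip local pool ThcIPLabOnlyTunnelPool 10.1.5.201-10.1.5.254 mask 255.255.255.0
#set up separate vpn group with full tunnel that only has access to the lab
group-policy THCLabOnlyTunnel internal
group-policy THCLabOnlyTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
#the WINS server sits on the inside LAN, which lab traffic cannot reach (see the
#ethernet2 note). For hostname pings to work, the narrow thing a lab->inside rule
#would need to permit is NetBIOS name service (UDP 137) to 10.1.1.3 only; the exact
#ACL / access-group syntax for this PIX version: TODO confirm. Same applies to the
#lab split tunnel group below.
wins-server value 10.1.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
tunnel-group THCLabOnlyTunnel type ipsec-ra
tunnel-group THCLabOnlyTunnel general-attributes
address-pool ThcIPLabOnlyTunnelPool
default-group-policy THCLabOnlyTunnel
tunnel-group THCLabOnlyTunnel ipsec-attributes
pre-shared-key password
#setup separate vpn group with split tunnel that only has access to the lab
access-list THCLabSplitTunnelAccessList standard permit 10.1.5.0 255.255.255.0
group-policy THCLabSplitTunnel internal
group-policy THCLabSplitTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
wins-server value 10.1.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value THCLabSplitTunnelAccessList
tunnel-group THCLabSplitTunnel type ipsec-ra
tunnel-group THCLabSplitTunnel general-attributes
#this group shares the lab-only pool rather than getting its own
address-pool ThcIPLabOnlyTunnelPool
default-group-policy THCLabSplitTunnel
tunnel-group THCLabSplitTunnel ipsec-attributes
pre-shared-key password
#add users that can use the lab
#NOTE(review): clear-text placeholder credentials. Nothing here restricts these
#accounts to the lab groups, so confirm they cannot also log into the inside groups.
username someone1 password password1
username someone2 password password2
#copy the current config so it always starts up with this configuration
copy running-config startup-config
#make backup of the configuration; treat the backup file as sensitive, it may carry
#the VPN and user credentials set above
copy running-config config-backup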
====================
#debug and stat commands
#status views: authenticated users plus the IKE / IPsec security associations and
#counters -- the quick way to confirm a tunnel actually came up
show uauth
show ipsec sa
show isakmp sa
show ipsec stats
show isakmp stats
show isakmp ipsec-over-tcp stats
#debug output is verbose and reveals negotiation details; enable it only while
#reproducing a problem and turn it off again afterwards
debug crypto ipsec
debug crypto isakmp
#test cases
full tunnel
can ping all 10.1.1.1 hosts by ip and host name
ping from remotely connected host to another host on 10.1.2.x by host name and ip
ping from 10.1.2.1 to 10.1.3.x, 10.1.4.x and 10.1.5.x
tracert where all web traffic goes to the house first and then out to the internet
split tunnel
can ping all 10.1.1.1 hosts by ip and host name
ping from remotely connected host to another host on 10.1.2.x by host name and ip
ping from 10.1.2.1 to 10.1.3.x, 10.1.4.x and 10.1.5.x
tracert goes directly out to the internet
web only tunnel
can't ping any hosts by ip or host name on 10.1.1.x, 10.1.2.x, 10.1.3.x or 10.1.5.x
tracert where all web traffic goes to the house first and then out to the internet
lab only full tunnel
can ping all 10.1.5.x hosts by ip and host name
ping from remotely connected host to another host on 10.1.5.x by host name and ip
can not ping any 10.1.1.x, 10.1.2.1, 10.1.3.x, or 10.1.4.x hosts
tracert where all web traffic goes to the house first and then out to the internet
lab only split tunnel
can ping all 10.1.5.x hosts by ip and host name
ping from remotely connected host to another host on 10.1.5.x by host name and ip
can not ping any 10.1.1.x, 10.1.2.1, 10.1.3.x, or 10.1.4.x hosts
tracert goes directly out to the internet
#current issues needing resolution
lab (via VPN): can't look up host names