Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About falain
Stats
Member since
01-09-2004
106
Posts
4
Helpful
1
Solution
Created by
falain
in Network Security
in Network Security
09-02-2010
01:13 AM
09-02-2010
01:13 AM
Hello, I reboot 2821 every night . Today, I have these counts since reload: ipsecrtr#sh access-list Acl_Outside Extended IP access list Acl_Outside 10 permit icmp any any (206 matches) 20 permit object-group OGs_VPN any host (2230673 matches) 30 permit esp any host 40 permit udp any host eq isakmp non500-isakmp (98 matches) 50 permit object-group OGs_VPN any host (285530 matches) 60 permit esp any host 70 permit udp any host eq isakmp non500-isakmp (40 matches) 80 deny ip any any log (206 matches) ipsecrtr# regards Alain
... View more
Created by
falain
in Network Security
in Network Security
09-01-2010
02:44 AM
09-01-2010
02:44 AM
On 2821ISR 12.4.24T3, how can you explain ACE line 20 hit count, this should be 0 hit because matching should be done in ACE line 10 it looks like some isakmp packets are not matched within object-group service OGs_VPN this is why I added classical ace ipsecrtr#sh access-list Acl_Outside Extended IP access list Acl_Outside 10 permit object-group OGs_VPN any host <outside IP1> (16154927 matches) 15 permit esp any host <outside IP1> 20 permit udp any host <outside IP1> eq isakmp (224 matches) 25 permit udp any host <outside IP1> eq non500-isakmp 30 permit object-group OGs_VPN any host <outside IP2> (2022900 matches) 35 permit esp any host <outside IP2> 40 permit udp any host <outside IP2> eq isakmp (105 matches) 45 permit udp any host <outside IP2> eq non500-isakmp 50 permit icmp any any (607 matches) 60 deny ip any any log (1187 matches) ipsecrtr#sh object-group OGs_VPN Service object group OGs_VPN Description ** Services VPN ** udp eq isakmp udp eq non500-isakmp tcp eq 10000 esp Needs explanation Regards Alain
... View more
Labels:
03-09-2010
08:34 AM
Hello, I am looking for a solution to carry one L2 Internet vlan on 10 remote dsl/Atm connected sites. For security, this L2 Vlan has no IP add and is not routable across internal network On each remote site, is a C870 router used for internal people. I want to reserve one Eth interface for external people surfing on Internet without leasing a new separate access. I have seen 2 cisco solutions: - L2TPv3 Easy to set up. It can carry L2 traffic across Dsl lines and terminate on any C870 L2 interface I just have to xconnect my internet vlan to the same Vid than remote site Problem is it is not multipoint, just point to point I can't create more than one xconnect Vid for each remote site on L2 Vlan sub interface. - mGRE I can have multiple remote tunnels for one on Lan site But I don't know how to bridge it to L2 Vlan (no bridge-group command on tunnel interface). Any help ? Thanks
... View more
Labels:
02-15-2010
01:43 AM
hello Tanveer, I changed my config to the following and now both Active and Passive FTP work, but I can't explain nor test furthermore (users wil complain). Main changes were to have only one route-map using 2 acls for inside G0/0, Dmz G0/1 Pbrs and for Nat Inside - outside, so it's simplier. also noticed that : - if I add or modify ACE lines, and clear Nat translations, I have to reload router because it doesnt works properly. - other protocols do not support load-balancing: pop3, pptp/gre so I include them in acl route-map interface GigabitEthernet0/0 ip address I.I.I.255.255.255.0 ip access-group Acl_Inside in ip wccp web-cache redirect in ip inspect Cbac out ip nat inside no ip virtual-reassembly ip policy route-map Rm_NC interface GigabitEthernet0/1 ip address L.L.L.254 255.255.255.0 ip nat inside ip policy route-map Rm_NC interface Vlan303 ip address 10.10.7.1 255.255.255.0 ip access-group Acl_Outside in ip inspect Cbac out ip virtual-reassembly interface Vlan304 ip address 10.10.8.250 255.255.255.0 ip access-group Acl_Outside in ip inspect Cbac out ip nat outside ip virtual-reassembly ip route M.M.M.M 255.255.255.255 10.10.8.251 ip nat inside source route-map Rm_Nat_NC interface Vlan304 overload ip access-list extended Acl_Rm_Dmz permit ip host D.D.D..2 object-group OGn_Externe ip access-list extended Acl_Rm_Inside permit tcp object-group OGn_FTP object-group OGn_Externe eq ftp ftp-data permit tcp object-group OGn_FTP object-group OGn_Externe gt 1024 permit tcp object-group OGn_MailOut object-group OGn_Externe eq pop3 smtp 995 465 permit gre host L.L.L.20 host permit tcp host L.L.L.20 host eq 1723 ..... route-map Rm_Nat_NC permit 10 match ip address Acl_Rm_Inside Acl_Rm_Dmz match interface Vlan304 ! route-map Rm_NC permit 10 match ip address Acl_Rm_Inside Acl_Rm_Dmz set ip next-hop verify-availability 10.10.8.251 1 track 7 set ip next-hop verify-availability 10.10.7.254 2 track 3 regards Alain
... View more
02-08-2010
12:37 AM
Hello Sachinjara, Thanks for answer. As I said, Here's only problem's relevant config. I didn't give it for clearness. Also are other Outside Wan Vlans with Cbac out. But on that ISR, I also have a 3rd intf (Dmz) where connections can be initiated to Lan intf. Then, it needs to have a Cbac out on Lan intf. I think problem is due to Nat which translates inside FTP client's source port, and that outside FTP server ignores this new client's one (it only knows the one given to it with LIST command TCP Syn) I tried to move FTP transfers to another Nat pool with a different route-map, but did not succeed at this time. regards Alain
... View more
02-05-2010
07:23 AM
Hello CCIEs or not, 2821 ISR IOS Firewall 12.4(24)T2 is connected to a second ISP through Vlan304 and cable router I added nat inside source route-maps in order to nat in each ISP addressing subnets Problem is that inside FTP clients successfully connect to outside FTP servers using active mode, but no more with previous passive mode. Many debugs were done: FTP server can't answer to LIST command outside acl rejects Syn/Ack packet because client's source port is not opened I observe that client's source port changes during Outbound Nat process of data connection. I give you : relevant config lines Ios Debugs and packet capture I also tried to add separate Nat pool with route-map but did not succeed Relevant Config: ip inspect name Cbac tcp router-traffic ip inspect name Cbac ftp interface GigabitEthernet0/0 ip address L.L.L.5 255.255.255.0 ip access-group Acl_Inside in ip wccp web-cache redirect in ip inspect Cbac out ip nat inside no ip virtual-reassembly ip policy route-map Rm_Inside duplex auto speed auto ! interface FastEthernet0/0/3 switchport mode trunk ! interface Vlan304 ip address 10.10.8.250 255.255.255.0 ip access-group Acl_Outside in ip inspect Cbac out ip nat outside ip virtual-reassembly ! router eigrp 1 redistribute connected passive-interface default no passive-interface GigabitEthernet0/0 network L.L.L.0 0.0.0.255 auto-summary ! ip forward-protocol nd ip route M.M.M.M 255.255.255.255 10.10.8.251 ip nat inside source route-map Rm_Nat_NC interface Vlan304 overload ip access-list extended Acl_Inside .... permit tcp object-group OGn_FTP object-group OGn_Externe eq ftp ip access-list extended Acl_Outside permit icmp any any deny ip any any log ! ip access-list extended Acl_Rm_Ftp permit tcp host 172.16.3.3 object-group OGn_Externe eq ftp ftp-data permit tcp host 172.16.3.3 object-group OGn_Externe gt 1024 ! route-map Rm_Inside permit 10 match ip address Acl_Rm_Ftp set ip next-hop 10.10.8.251 set interface Vlan304 ! route-map Rm_Nat_NC_Ftp permit 10 match ip address Acl_Rm_Ftp match interface Vlan304 Debug Feb 5 10:25:32.521: FIREWALL FTP sis 451ADD74 FTP-Client: PASV~~ Feb 5 10:25:32.521: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature Feb 5 10:25:32.521: TCP src=2670, dst=21, seq=3562961433, ack=1627344340, win=64167 ACK PSH, Firewall (inspect)(38), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.521: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), g=10.10.8.251, len 46, forward Feb 5 10:25:32.521: TCP src=2670, dst=21, seq=3562961433, ack=1627344340, win=64167 ACK PSH Feb 5 10:25:32.521: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, sending full packet Feb 5 10:25:32.521: TCP src=2670, dst=21, seq=3562961433, ack=1627344340, win=64167 ACK PSH Feb 5 10:25:32.537: NAT: s=S.S.S.S, d=10.10.8.250->172.16.3.3 [50281] Feb 5 10:25:32.537: FIREWALL FTP sis 451ADD74 FTP-Server: 227 Entering Passive Mode (S,S,S,S,106,18).~~ Feb 5 10:25:32.537: FIREWALL FTP sis 451ADD74 Handle response to PASV request S.S.S.S:27154 Feb 5 10:25:32.537: FIREWALL OBJ_CREATE: create pre-gen sis 471F4070 Feb 5 10:25:32.537: FIREWALL OBJ-CREATE: sid 461E4974 acl Acl_Inside Prot: tcp Feb 5 10:25:32.537: Src 172.16.3.3 Port [0:65535] Feb 5 10:25:32.537: Dst S.S.S.S Port [27154:27154] Feb 5 10:25:32.537: FIREWALL Pre-gen sis 471F4070 created: 172.16.3.3[0:65535] S.S.S.S[27154:27154] Feb 5 10:25:32.541: NAT*: s=172.16.3.3->10.10.8.250, d=S.S.S.S [40649] Feb 5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature Feb 5 10:25:32.541: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature Feb 5 10:25:32.541: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature Feb 5 10:25:32.541: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Access List(26), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.541: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S, len 52, input feature Feb 5 10:25:32.541: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, input feature Feb 5 10:25:32.545: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Policy Routing(59), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, input feature Feb 5 10:25:32.545: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, WCCP(61), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, input feature Feb 5 10:25:32.545: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, MCI Check(64), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature Feb 5 10:25:32.545: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, CCE Output Classification(5), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature Feb 5 10:25:32.545: TCP src=2672, dst=27154, seq=2273304199, ack=0, win=65535 SYN, WCCP(12), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature Feb 5 10:25:32.545: TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Post-routing NAT Outside(17), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature Feb 5 10:25:32.545: TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Stateful Inspection(20), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature Feb 5 10:25:32.545: TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Firewall (NAT)(33), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: FIREWALL sis 471F4070 initiator_addr (172.16.3.3:2672) responder_addr (S.S.S.S:27154) initiator_alt_addr (10.10.8.250:1123) responder_alt_addr (S.S.S.S:27154) Feb 5 10:25:32.545: FIREWALL OBJ-CREATE: sid 461E0534 acl Acl_Outside Prot: tcp Feb 5 10:25:32.545: Src S.S.S.S Port [27154:27154] Feb 5 10:25:32.545: Dst 10.10.8.250 Port [1123:1123] Feb 5 10:25:32.545: FIREWALL OBJ_CREATE: create host entry 461D94FC addr S.S.S.S bucket 228 (vrf 0:0) insp_cb 0x46973E3C Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, output feature Feb 5 10:25:32.545: TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN, Firewall (inspect)(38), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), g=10.10.8.251, len 52, forward Feb 5 10:25:32.545: TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN Feb 5 10:25:32.545: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 52, sending full packet Feb 5 10:25:32.549: TCP src=1123, dst=27154, seq=2273304199, ack=0, win=65535 SYN Feb 5 10:25:32.549: NAT: s=172.16.3.3->10.10.8.250, d=S.S.S.S [40652] Feb 5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature Feb 5 10:25:32.549: TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Post-routing NAT Outside(17), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature Feb 5 10:25:32.549: TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Stateful Inspection(20), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature Feb 5 10:25:32.549: TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Firewall (NAT)(33), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.549: FIREWALL FTP sis 451ADD74 FTP-Client: LIST~~ Feb 5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, output feature Feb 5 10:25:32.549: TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH, Firewall (inspect)(38), rtype 2, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE Feb 5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), g=10.10.8.251, len 46, forward Feb 5 10:25:32.549: TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH Feb 5 10:25:32.549: IP: s=10.10.8.250 (GigabitEthernet0/0), d=S.S.S.S (Vlan304), len 46, sending full packet Feb 5 10:25:32.549: TCP src=2670, dst=21, seq=3562961439, ack=1627344388, win=64155 ACK PSH Feb 5 10:25:32.601: NAT: s=S.S.S.S, d=10.10.8.250->172.16.3.3 [50282] Feb 5 10:25:35.501: NAT*: s=172.16.3.3->10.10.8.250, d=S.S.S.S [40714] Feb 5 10:25:35.517 CET: %SEC-6-IPACCESSLOGP: list Acl_Outside denied tcp S.S.S.S(27154) -> 10.10.8.250(2672), 1 packet Feb 5 10:25:35.521: FIREWALL OBJ_CREATE: Pak 45B5B318 sis 45174EAC initiator_addr (10.10.8.250:0) responder_addr (S.S.S.S:106) initiator_alt_addr (10.10.8.250:0) responder_alt_addr (S.S.S.S:106) Feb 5 10:25:38.561: FIREWALL OBJ_CREATE: Pak 45B5BE94 sis 46FB16D8 initiator_addr (10.10.8.250:0) responder_addr (S.S.S.S:106) initiator_alt_addr (10.10.8.250:0) responder_alt_addr (S.S.S.S:106) Any help would be greatly appreciated Thanks
... View more
Labels:
02-05-2010
07:10 AM
Hello CCIEs or not, On my 2821 ISR IOS Firewall 12.4(24T2), since I added a new ISP and then nat inside source route-maps, inside FTP clients successfully connect to outside servers using active FTP but no more with previous passive mode. Many debugs were done: FTP server can't answer to LIST command outside acl rejects Syn/Ack packet because client's source port is not opened I give you : relevant config lines Ios Debugs and packet capture I also tried to add separate Nat pool with route-map but did not succeed Relevant Config: ip inspect name Cbac tcp router-traffic ip inspect name Cbac ftp interface GigabitEthernet0/0 ip address L.L.L.5 255.255.255.0 ip access-group Acl_Inside in ip wccp web-cache redirect in ip inspect Cbac out ip nat inside no ip virtual-reassembly ip policy route-map Rm_Inside duplex auto speed auto ! interface FastEthernet0/0/3 switchport mode trunk ! interface Vlan304 ip address 10.10.8.250 255.255.255.0 ip access-group Acl_Outside in ip inspect Cbac out ip nat outside ip virtual-reassembly ! router eigrp 1 redistribute connected passive-interface default no passive-interface GigabitEthernet0/0 network L.L.L.0 0.0.0.255 auto-summary ! ip forward-protocol nd ip route M.M.M.M 255.255.255.255 10.10.8.251 ip nat inside source route-map Rm_Nat_NC interface Vlan304 overload ip access-list extended Acl_Inside .... permit tcp object-group OGn_FTP object-group OGn_Externe eq ftp ip access-list extended Acl_Outside permit icmp any any deny ip any any log ! ip access-list extended Acl_Rm_Ftp permit tcp host 172.16.3.3 object-group OGn_Externe eq ftp ftp-data permit tcp host 172.16.3.3 object-group OGn_Externe gt 1024 ! route-map Rm_Inside permit 10 match ip address Acl_Rm_Ftp set ip next-hop 10.10.8.251 set interface Vlan304 ! route-map Rm_Nat_NC_Ftp permit 10 match ip address Acl_Rm_Ftp match interface Vlan304 Any help would be greatly appreciated Thanks
... View more
Labels:
10-01-2009
04:53 AM
Hello again Peter, found doc at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html it specifies : "You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, IPSec, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition, you can use object group-based ACLs with multicast traffic" May be all not implemented in my current release ? Best regards Alain
... View more
10-01-2009
04:44 AM
hello Peter, Thank you again for your quick answer. I am looking for this document but I can't open your link. I don't understand all: This acl is not only done for IPsec and it is not applied in a crypto map It is just to filter incoming traffic of my vpn gateway. And almost any time it works (look at counters) I added a log statement in lines 30 & 40 and I get : list Acl_Outside permitted udp (0) -> (0), 1 packet and other protocols like esp, udp/4500 are correctly detected in service Object-group It sounds much more like a bug. Best regards, Alain
... View more
09-30-2009
05:11 AM
Hello all,On Cisco 2821 12.4(24)T1, this service Object-group in ACE lines 10 or 20 should be enough to filter IPsec activity I had to add lines 30 - 65 to get it working. Why line 30 or 35 see some isakmp packets ? Extended IP access list Acl_Outside 10 permit object-group OGs_VPN any host x.x.x.x (4836797 matches) 20 permit object-group OGs_VPN any host y.y.y.y (208 matches) 30 permit udp any host x.x.x.x eq isakmp (255 matches) 35 permit udp any host y.y.y.y eq isakmp (2 matches) 40 permit udp any host x.x.x.x eq non500-isakmp 45 permit udp any host y.y.y.y eq non500-isakmp 50 permit esp any host x.x.x.x 55 permit esp any host y.y.y.y 60 permit tcp any host x.x.x.x eq 10000 log 65 permit tcp any host y.y.y.y eq 10000 log 70 permit icmp any any (180 matches) 80 deny ip any any log (358 matches) C2821#sh object-group OGs_VPN Service object group OGs_VPN Description ** VPN ** udp eq isakmp udp eq non500-isakmp tcp eq 10000 esp Best regards Alain
... View more
Labels:
09-25-2009
01:15 PM
HI Peter, Why IOS couldn't automatically optimize Acl processing by autoresequencing them rather than doing it manually ? It could be a background task running at periodic moments when packet counters become significant. It is just an idea to submit Alain
... View more
09-23-2009
04:03 AM
Hello, Thank you for your answer. I did not verify that this ACE was existing elsewhere in this Acl. But one question remains: Can you change the order of ACE when you see they are more frequently used ? In this case, do I have to do ip access-list extended Acl.... no 60 10 permit .... Couldn't it be easier by just changing ACE sequence number ? Regards Alain
... View more
09-23-2009
02:36 AM
Hello all, On this (12.4(24)T1 IOS Firewall, after some successfull Acl updates, now, new ones do not appear anymore cisco2821#sh access-list Acl_DmzSec Extended IP access list Acl_DmzSec 20 permit object-group OGs_Standard any any (7 matches) 30 permit icmp any any 40 permit 112 any host 224.0.0.18 50 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.26 (308 matches) 60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches) 70 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzRev (47 matches) 80 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzProxySig (13 matches) 90 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_Externe (138499 matches) 100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches) 110 permit udp host 172.19.201.1 object-group OGn_DmzProxySig eq ntp 120 permit udp host 172.19.201.1 object-group OGn_Externe eq ntp (132 matches) 130 permit tcp host 172.19.201.1 object-group OGn_DmzProxySig eq 3128 140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp 150 permit tcp host 172.19.201.1 object-group OGn_Externe eq smtp cisco2821#conf t Enter configuration commands, one per line. End with CNTL/Z. cisco2821(config)#ip access-list extended Acl_DmzSec cisco2821(config-ext-nacl)#10 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 cisco2821(config-ext-nacl)#end cisco2821#sh access-list Acl_DmzSec Extended IP access list Acl_DmzSec 20 permit object-group OGs_Standard any any (7 matches) 30 permit icmp any any 40 permit 112 any host 224.0.0.18 50 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.26 (308 matches) 60 permit object-group OGs_DNS host 172.19.201.1 host 172.17.202.102 (94 matches) 70 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzRev (47 matches) 80 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_DmzProxySig (13 matches) 90 permit object-group OGs_DNS host 172.19.201.1 object-group OGn_Externe (138956 matches) 100 permit tcp host 172.19.201.1 object-group OGn_Externe eq www (1119 matches) 110 permit udp host 172.19.201.1 object-group OGn_DmzProxySig eq ntp 120 permit udp host 172.19.201.1 object-group OGn_Externe eq ntp (132 matches) 130 permit tcp host 172.19.201.1 object-group OGn_DmzProxySig eq 3128 140 permit tcp host 172.19.201.1 host 172.17.202.61 eq smtp 150 permit tcp host 172.19.201.1 object-group OGn_Externe eq smtp If I reload, it will do it again, but users will surely be angry Regards, Alain
... View more
Labels:
09-07-2009
11:48 PM
Hello, here is my 1841 ip inspect config: ip cef ip inspect log drop-pkt ip inspect max-incomplete high 2000 ip inspect max-incomplete low 1999 ip inspect one-minute high 4000 ip inspect one-minute low 3999 ip inspect hashtable-size 8192 ip inspect tcp window-scale-enforcement loose ip inspect tcp max-incomplete host 50 block-time 0 ip inspect tcp reassembly alarm on ip inspect name Cbac pop3 ip inspect name Cbac pptp ip inspect name Cbac tcp router-traffic ip inspect name Cbac udp router-traffic ip inspect name Cbac icmp router-traffic ip inspect name Cbac http java-list 10 ip inspect name Cbac esmtp ip inspect name Cbac ftp ...track 3 ip sla 303 reachability delay down 10 up 10 ! track 4 ip sla 304 reachability delay down 10 up 10 ! interface FastEthernet0/0 ip address 255.255.255.0 ip access-group Acl_Inside in ip wccp web-cache redirect in ip inspect Cbac out ip nat inside ip virtual-reassembly ip policy route-map Rm_Ftp ! interface FastEthernet0/1 ip address 255.255.255.0 ip access-group Acl_DmzProxy in ip helper-address ip helper-address ip inspect Cbac out ip nat inside ip virtual-reassembly ! interface FastEthernet0/0/0 description ** Adsl rtr 1 ** switchport access vlan 303 ! interface FastEthernet0/0/1 description ** Adsl rtr 2 ** switchport access vlan 304 ! ! interface Vlan303 description ** Adsl 1 ** ip address 255.255.255.0 ip access-group Acl_Outside in ip inspect Cbac out ip virtual-reassembly max-reassemblies 256 ! interface Vlan304 description ** Adsl 2 ** ip address 255.255.255.0 ip access-group Acl_Outside in ip inspect Cbac out ip virtual-reassembly max-reassemblies 256 ! router eigrp 1 redistribute connected passive-interface default no passive-interface FastEthernet0/0 network 0.0.0.255 distribute-list Acl_Eigrp out auto-summary ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 track 3 ip route 0.0.0.0 0.0.0.0 track 4 ip route 255.255.255.255 FastEthernet0/0/0 ip route 255.255.255.255 FastEthernet0/0/1 ip route 255.255.255.255 ip route 255.255.255.255 ip sla 303 icmp-echo threshold 1000 ip sla schedule 303 life forever start-time now ip sla 304 icmp-echo threshold 1000 ip sla schedule 304 life forever start-time now ! route-map Rm_Ftp permit 10 match ip address Acl_Rm_Ftp set ip next-hop verify-availability 1 track 3 set ip next-hop verify-availability 2 track 4 set interface FastEthernet0/0/0 On intfs, I always use : - ip access-group in - ip inspect name Cbac out in order to filter incoming traffic allow returning traffic so, if FTP client's traffic is allowed to come in inside intf, answers from external FTP server are allowed to come back on outside adsl intfs. Best regards, Alain
... View more
09-06-2009
09:14 AM
hello Mohamed, Thanks a lot for your answer. I agree with you that FTP route map is not a kind solution. But I tried many IP CEF debug commands without clear explaination on what happens. And I don't know where I can find Thank you also for learning me about a tracking object on PBR I will experiment it with something like: route-map Rm_FTP set ip next-hop verify-availability 10.10.7.254 1 track 303 set ip next-hop verify-availability 10.10.8.254 1 track 4 Best regards Alain
... View more
09-02-2010
Hello,I reboot 2821 every night .Today, I have these counts since
reload:ipsecrtr#sh access-list Acl...
09-01-2010
On 2821ISR 12.4.24T3, how can you explain ACE line 20 hit count, this
should be 0 hit because matchi...
03-09-2010
Hello,I am looking for a solution to carry one L2 Internet vlan on 10
remote dsl/Atm connected sites...
02-15-2010
hello Tanveer,I changed my config to the following and now both Active
and Passive FTP work, but I c...
02-08-2010
Hello Sachinjara,Thanks for answer.As I said, Here's only problem's
relevant config.I didn't give it...
02-05-2010
Hello CCIEs or not,2821 ISR IOS Firewall 12.4(24)T2 is connected to a
second ISP through Vlan304 and...
02-05-2010
Hello CCIEs or not,On my 2821 ISR IOS Firewall 12.4(24T2), since I added
a new ISP and then nat insi...
10-01-2009
Hello again Peter,found doc at
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_...
10-01-2009
hello Peter,Thank you again for your quick answer.I am looking for this
document but I can't open yo...
09-30-2009
Hello all,On Cisco 2821 12.4(24)T1, this service Object-group in ACE
lines 10 or 20 should be enough...
09-25-2009
HI Peter,Why IOS couldn't automatically optimize Acl processing by
autoresequencing them rather than...
09-23-2009
Hello,Thank you for your answer.I did not verify that this ACE was
existing elsewhere in this Acl.Bu...
09-23-2009
Hello all,On this (12.4(24)T1 IOS Firewall, after some successfull Acl
updates, now, new ones do not...
09-07-2009
Hello,here is my 1841 ip inspect config:ip cefip inspect log drop-pktip
inspect max-incomplete high ...
Public Statistics
| Date Registered | 01-09-2004 09:40 AM |
| Date Last Visited | 08-18-2017 03:55 AM |
| Total Messages Posted | 106 |
| Total Helpful Votes Received | 4 |
