On 2821ISR 12.4.24T3, how can you explain ACE line 20 hit count? This should be 0 hit because matching should be done in ACE line 10. It looks like some isakmp packets are not matched within object-group service OGs_VPN. This is why I added classical ace...
Hello, I am looking for a solution to carry one L2 Internet vlan on 10 remote dsl/Atm connected sites. For security, this L2 Vlan has no IP add and is not routable across internal network. On each remote site, is a C870 router used for internal people. I ...
Hello CCIEs or not, 2821 ISR IOS Firewall 12.4(24)T2 is connected to a second ISP through Vlan304 and cable router. I added nat inside source route-maps in order to nat in each ISP addressing subnets. Problem is that inside FTP clients successfully conne...
Hello CCIEs or not, On my 2821 ISR IOS Firewall 12.4(24T2), since I added a new ISP and then nat inside source route-maps, inside FTP clients successfully connect to outside servers using active FTP but no more with previous passive mode. Many debugs w...
Hello all, On Cisco 2821 12.4(24)T1, this service Object-group in ACE lines 10 or 20 should be enough to filter IPsec activity. I had to add lines 30 - 65 to get it working. Why line 30 or 35 see some isakmp packets? Extended IP access list Acl_Outside ...
Hello, I reboot 2821 every night. Today, I have these counts since reload: ipsecrtr#sh access-list Acl_Outside Extended IP access list Acl_Outside 10 permit icmp any any (206 matches) 20 permit object-group OGs_VPN any host (2230673 matches) 3...
Hello Tanveer, I changed my config to the following and now both Active and Passive FTP work, but I can't explain nor test furthermore (users will complain). Main changes were to have only one route-map using 2 acls for inside G0/0, Dmz G0/1 Pbrs and fo...
Hello Sachinjara, Thanks for answer. As I said, here's only problem's relevant config. I didn't give it for clearness. Also are other Outside Wan Vlans with Cbac out. But on that ISR, I also have a 3rd intf (Dmz) where connections can be initiated to Lan...
Hello again Peter, found doc at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html it specifies: "You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, IPSec, Dynam...
Hello Peter, Thank you again for your quick answer. I am looking for this document but I can't open your link. I don't understand all: This acl is not only done for IPsec and it is not applied in a crypto map. It is just to filter incoming traffic of my vp...