gregday
May 23, 2003


That's exactly what I needed. Hot drat thank you.

Richard Noggin
Jun 6, 2005
Redneck By Default
I'm having some trouble with ACLs on a 3560. I have the following:

code:
interface Vlan10
 ip address 192.168.16.1 255.255.255.224
 ip access-group server_in in
!
interface Vlan30
 ip address 192.168.17.1 255.255.255.0
!
ip access-list extended server_in
!
My understanding is that the implicit deny in the server_in ACL should block any traffic entering that interface. But, I can ping from the 192.168.17.0/24 network to the SVI at 192.168.16.1. What gives?

Sojourner
Jun 6, 2007

Get In

Richard Noggin posted:

I'm having some trouble with ACLs on a 3560. I have the following:

code:
interface Vlan10
 ip address 192.168.16.1 255.255.255.224
 ip access-group server_in in
!
interface Vlan30
 ip address 192.168.17.1 255.255.255.0
!
ip access-list extended server_in
!
My understanding is that the implicit deny in the server_in ACL should block any traffic entering that interface. But, I can ping from the 192.168.17.0/24 network to the SVI at 192.168.16.1. What gives?

Could be because it's a blank ACL it just ignores it. Try adding the deny manually and see if it makes a difference.

Slickdrac
Oct 5, 2007

Not allowed to have nice things
If you want it to deny all else, just make it explicit deny at the bottom. I've found this method to be less hit or miss than just hoping on the implicit deny.

Richard Noggin
Jun 6, 2005
Redneck By Default
I put in "deny icmp any any", and can still ping from Vlan30 to Vlan10. :confused:

Richard Noggin fucked around with this message at 17:08 on Jan 20, 2010

Slickdrac
Oct 5, 2007

Not allowed to have nice things
Oh, wait a minute.

change "ip access-group server_in in"

to "ip access-group server_in out"

The in/out references which way the traffic is flowing, "in" means anything coming FROM vlan 10 will be applied to the ACL, "out" means anything going TO vlan 10 will hit the ACL.

Sorry, I should have noticed that in the first place.

Slickdrac fucked around with this message at 17:19 on Jan 20, 2010

Richard Noggin
Jun 6, 2005
Redneck By Default
No change. Although I thought the 'out' keyword referred to traffic leaving the interface (inside-->out), and 'in' referred to traffic entering the interface (outside-->in)?

You edited, so will I :)

Here's how I am visualizing traffic flow - anything coming from Vlan 30 to Vlan 10 is considered "in" traffic by Vlan 10 and "out" traffic by Vlan 30. Yes/No?

edit 2:

Why can't ACLs be standardized between security appliances and routers/switches? Do you know how long it took me to figure out that I had to use inverse masks instead regular old subnet masks? :downs:

Richard Noggin fucked around with this message at 17:35 on Jan 20, 2010

inignot
Sep 1, 2003

WWBCD?

Richard Noggin posted:

Why can't ACLs be standardized between security appliances and routers/switches? Do you know how long it took me to figure out that I had to use inverse masks instead regular old subnet masks? :downs:

Ugh. I've gone down this road recently. I'm much more of an IOS guy than a PIX/ASA guy, but I've had to do some work on a firewall switch module recently. As near as I can tell the FWSM contains none of the acl editing capabilities of IOS at all. I can't find a way to remove or insert an entry via line numbers or re-sequence the acl to insert gaps into the line numbers. It's all 1998 acl land: remove acl, no out acl, create new one with edits, re-apply. If anyone knows a better way to do this on a FWSM let me know. I haven't found anything in my FWSM book or the docs.

jbusbysack
Sep 6, 2002
i heart syd
I've seen that ACLs on switch L3 interfaces aren't stateful and don't have session awareness so the ping request will get through but the return of the ping response will get eaten. Mitigate that by allowing all ICMP 'established' types through the ACL.

Also since it's device local (the identity of both L3 gateways), it's not technically going in or out the interface and the ACL doesn't apply.

A more valid test is two endpoints that don't reside on the switch itself. Then you'll truly be comparing flow direction and matching it against the policy criteria.

Richard Noggin
Jun 6, 2005
Redneck By Default

jbusbysack posted:

Also since it's device local (the identity of both L3 gateways), it's not technically going in or out the interface and the ACL doesn't apply.

I am obviously no expert, but I see no way that this is true.

jbusbysack
Sep 6, 2002
i heart syd

Richard Noggin posted:

I am obviously no expert, but I see no way that this is true.

Tested and you're right, I must be thinking ASA and not having ICMP enabled on the interface identify itself.

headcase
Sep 28, 2001

Let me start off by saying I only know as much about networking as your average IT guy. I'm a DBA, but I'm trying to get some functionality working on one of the data driven web apps that my company uses.

We have a Cisco 5550 ASA, and are trying to employ the web vpn portal to deliver the application. The problem is that the app uses a Java applet that tries to open its own sockets. That traffic seems like it is not getting tunneled through -- with or without smart tunneling checked. Is there any direction I can give our network guys to get this working? They have been sitting on it for weeks.

Partycat
Oct 25, 2004

12.2(46)SE on Cat 3750Gs still having the "port won't operate at 1000/Full" item crop up at random. Attempts to negotiate and operate at 1000 but links/delinks then eventually operates at 100/Full. Clears on reload, sometimes appears randomly.

Had two power supplies die off last week, and then caps or something in them explode when we "tried another outlet/cord" for SnG's. Nice bang.

This version of software doesn't apply the voice VLAN properly when using macros when the switchport type is not set prior to application, only on the first port, when that is the first thing you do when you configure via terminal. That's just so baffling that I can work around it but ugh.

Now I've got ports on 3 or 4 switches which simply stop forwarding egress traffic for seemingly no reason. Debugs of the switch and packet captures confirm data is entering the switch, it is being processed, and data is coming back, but never makes it through the switch. Reload clears this, but, recently, it has cropped up again. All POST tests pass on the equipment. I wanted to do more rigorous diagnostics but I don't have enough spares to afford losing them all right now.

To the earlier comment about the 802.3af power, note not all equipment will power on 48 ports, unfortunately. The 3750G's we bought won't do it for all 48 ports, only 24 are supported. The E's will do it with the 1150W PSU, but they also support the high power devices so if you get a couple of those on there you lose some capacity still. Nothing is perfect.

Richard Noggin
Jun 6, 2005
Redneck By Default
I am really baffled now. I can't even get the examples listed here to work. I think it's TAC time.

jwh
Jun 12, 2002

You have ip routing enabled, yes? I'm assuming you have. Otherwise you can create multiple SVIs but they don't work as you might expect.

Richard Noggin
Jun 6, 2005
Redneck By Default

jwh posted:

You have ip routing enabled, yes? I'm assuming you have. Otherwise you can create multiple SVIs but they don't work as you might expect.

Yup, ip routing is enabled. Trying a new image now (edit: no luck). And I just found out that we haven't ordered smartnet on this thing yet, so now I've got to wait a couple days. Fuuuuuuck. I really wish I was a lot better at this stuff.

Richard Noggin fucked around with this message at 21:42 on Jan 20, 2010

tortilla_chip
Jun 13, 2007

k-partite

inignot posted:

Ugh. I've gone down this road recently. I'm much more of an IOS guy than a PIX/ASA guy, but I've had to do some work on a firewall switch module recently. As near as I can tell the FWSM contains none of the acl editing capabilities of IOS at all. I can't find a way to remove or insert an entry via line numbers or re-sequence the acl to insert gaps into the line numbers. It's all 1998 acl land: remove acl, no out acl, create new one with edits, re-apply. If anyone knows a better way to do this on a FWSM let me know. I haven't found anything in my FWSM book or the docs.

To remove an entire FWSM ACL:
fwsm(config)# clear configure access-list <access-list name>

To remove just one line:
fwsm(config)# no access-list <access-list name> line <line number> <full ACE>

To disable just one line:
fwsm(config)# access-list <access-list name> line <line number> <full ACE> inactive

To add just one line:

fwsm(config)# access-list <access-list name> line <line number> <full ACE>


If you omit the line number the ACE gets added to the bottom of the ACL as the last line.

If you add a line number the new ACE gets put in place of that existing line and the existing line becomes line n+1 (gets moved down).

jwh
Jun 12, 2002

Richard Noggin posted:

Yup, ip routing is enabled. Trying a new image now (edit: no luck). And I just found out that we haven't ordered smartnet on this thing yet, so now I've got to wait a couple days. Fuuuuuuck. I really wish I was a lot better at this stuff.

Can you paste a sanitized version of your config and describe your test procedure again?

Richard Noggin
Jun 6, 2005
Redneck By Default

jwh posted:

Can you paste a sanitized version of your config and describe your test procedure again?

http://pastebin.com/m213bdd08

Test procedure - pinging from my laptop (192.168.17.38, VLAN 30) to the configured L3 IP of VLAN 10 (192.168.16.1). You'll see I tried to block ICMP exiting 30 and entering 10.

Casimirus
Mar 28, 2005
Yes.

Richard Noggin posted:

http://pastebin.com/m213bdd08

Test procedure - pinging from my laptop (192.168.17.38, VLAN 30) to the configured L3 IP of VLAN 10 (192.168.16.1). You'll see I tried to block ICMP exiting 30 and entering 10.

101 doesn't apply because the traffic doesn't originate from that Vlan.
102 doesn't apply because, as jbusbysack said, ACLs don't apply to traffic originating from the switch, and also the source and destination are backwards for the response.

If you were pinging a device on Vlan10 and you applied 101 outbound instead of inbound, it would match.

It's always a good idea to test a device designed to forward packets by testing how it forwards packets, not how it responds itself. Consider a router set up with control plane policing: You could have a system administrator insist that the router is responsible for packet loss, and attempt to prove it by doing a ping -f from a workstation to the router, when in reality it would forward those same packets to and from a different destination just fine.

Richard Noggin
Jun 6, 2005
Redneck By Default

Casimirus posted:

101 doesn't apply because the traffic doesn't originate from that Vlan.
102 doesn't apply because, as jbusbysack said, ACLs don't apply to traffic originating from the switch, and also the source and destination are backwards for the response.

If you were pinging a device on Vlan10 and you applied 101 outbound instead of inbound, it would match.

I hate to sound stupid here, but I just don't get this. Can you explain a bit more in-depth as to why 101 doesn't apply? Is the ACL format not permit|deny protocol source mask destination mask? Also, on 102, the traffic is originating from my laptop. Regarding your third point, to which interface should I apply it as outbound?

jwh
Jun 12, 2002

Right, you have the flow backwards.

Traffic enters the switch on VLAN 30. It exits the switch on VLAN 10.

Consider the ACL was being written from the point of view of the switch.

Richard Noggin
Jun 6, 2005
Redneck By Default

jwh posted:

Right, you have the flow backwards.

Traffic enters the switch on VLAN 30. It exits the switch on VLAN 10.

Consider the ACL was being written from the point of view of the switch.

And the light goes on. I was thinking in terms of the interface. Thanks :)

Casimirus
Mar 28, 2005
Yes.

Richard Noggin posted:

And the light goes on. I was thinking in terms of the interface. Thanks :)

Your laptop 192.168.17.38 Vlan30 pinging a hypothetical device 192.168.16.2 on Vlan10. You have four places to stop it:

access-list 103 deny icmp 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.31
access-list 104 deny icmp 192.168.16.0 0.0.0.31 192.168.17.0 0.0.0.255

interface Vlan10
ip address 192.168.16.1 255.255.255.224
ip access-group 104 in <-- #3 this stops the ICMP echo reply as it enters the switch on Vlan10 if #1 and #2 don't exist
ip access-group 103 out <-- #2 this stops the ICMP echo request as it exits the switch on Vlan10 if #1 doesn't exist

interface Vlan30
ip address 192.168.17.1 255.255.255.0
ip access-group 103 in <-- #1 this stops the ICMP echo request as it enters the switch on Vlan30
ip access-group 104 out <-- #4 this stops the ICMP echo reply from exiting the switch on Vlan30 if #1,2,3 don't exist

In your case, you're pinging an SVI on the switch, there's only one way to stop it:

access-list 103 deny icmp 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.31

interface Vlan30
ip address 192.168.17.1 255.255.255.0
ip access-group 103 in

Because the SVI is inside the switch, it never enters Vlan10, and the reply can't be stopped because the ACL doesn't apply to traffic originating from the switch.
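The following model is an added example, not code from the thread or from Cisco: a small Python simulation of how an IOS switch applies SVI ACLs, written from the switch's point of view as jwh and Casimirus describe it. It reproduces Casimirus's four placement points for a host-to-host ping, the single placement that stops a ping to the SVI itself, the "deny icmp any any inbound on Vlan10" result from earlier in the thread, and the subnet-mask-to-wildcard conversion Richard Noggin asked about. The host 192.168.16.2 on Vlan10 is hypothetical (as in the post above), and the rule that an ACL with no entries permits everything is modelled as an assumption based on Sojourner's remark.

```python
"""Constructed model of IOS ACL evaluation on SVIs (added example, not from the thread)."""
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

ACE = namedtuple("ACE", "action proto src src_wc dst dst_wc")  # permit|deny proto src wc dst wc
Packet = namedtuple("Packet", "proto src dst")

def wildcard_mask(netmask: str) -> str:
    """Subnet mask -> IOS wildcard (inverse) mask, e.g. 255.255.255.224 -> 0.0.0.31."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(netmask))))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; only the 0 bits must match."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc))

def acl_permits(acl: List[ACE], pkt: Packet) -> bool:
    """First matching entry wins and a non-empty ACL ends in an implicit deny.
    Assumption modelled here: an ACL with no entries applied to an interface permits everything."""
    if not acl:
        return True
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

class SVI:
    def __init__(self, name, ip, netmask, acl_in=None, acl_out=None):
        self.name, self.ip = name, ip
        self.network = IPv4Network(f"{ip}/{netmask}", strict=False)
        self.acl_in, self.acl_out = acl_in, acl_out

class Switch:
    """ACLs are evaluated from the switch's point of view: 'in' on an SVI is traffic
    arriving from that VLAN, 'out' is traffic leaving the switch toward that VLAN."""
    def __init__(self, svis: List[SVI]):
        self.svis = svis

    def svi_for(self, addr: str) -> SVI:
        return next(s for s in self.svis if IPv4Address(addr) in s.network)

    def is_own_address(self, addr: str) -> bool:
        return any(s.ip == addr for s in self.svis)

    def forward(self, pkt: Packet) -> str:
        if self.is_own_address(pkt.src):      # switch-originated: no interface ACL applies
            return "delivered"
        ingress = self.svi_for(pkt.src)
        if ingress.acl_in is not None and not acl_permits(ingress.acl_in, pkt):
            return f"dropped-in:{ingress.name}"
        if self.is_own_address(pkt.dst):      # to an SVI address: never exits another SVI
            return "delivered"
        egress = self.svi_for(pkt.dst)
        if egress.acl_out is not None and not acl_permits(egress.acl_out, pkt):
            return f"dropped-out:{egress.name}"
        return "delivered"

def ping(switch: Switch, src: str, dst: str) -> Tuple[str, str]:
    """Echo request then echo reply; the reply is only sent if the request arrived."""
    req = switch.forward(Packet("icmp", src, dst))
    if req != "delivered":
        return req, "not-sent"
    return req, switch.forward(Packet("icmp", dst, src))

# The thread's ACLs: 103 blocks Vlan30 -> Vlan10, 104 blocks Vlan10 -> Vlan30.
ACL_103 = [ACE("deny", "icmp", "192.168.17.0", "0.0.0.255", "192.168.16.0", "0.0.0.31")]
ACL_104 = [ACE("deny", "icmp", "192.168.16.0", "0.0.0.31", "192.168.17.0", "0.0.0.255")]
DENY_ICMP_ANY = [ACE("deny", "icmp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
LAPTOP, SVI10_IP, HOST10 = "192.168.17.38", "192.168.16.1", "192.168.16.2"  # HOST10 is hypothetical

def build(vlan10_in=None, vlan10_out=None, vlan30_in=None, vlan30_out=None) -> Switch:
    return Switch([SVI("Vlan10", SVI10_IP, "255.255.255.224", vlan10_in, vlan10_out),
                   SVI("Vlan30", "192.168.17.1", "255.255.255.0", vlan30_in, vlan30_out)])

def original_post() -> Tuple[str, str]:
    """'deny icmp any any' inbound on Vlan10 while pinging the Vlan10 SVI: ping still works."""
    return ping(build(vlan10_in=DENY_ICMP_ANY), LAPTOP, SVI10_IP)

def casimirus_fix() -> Tuple[str, str]:
    """ACL 103 inbound on Vlan30: the one place that stops a ping to the SVI."""
    return ping(build(vlan30_in=ACL_103), LAPTOP, SVI10_IP)

def host_to_host(vlan10_in=None, vlan10_out=None) -> Tuple[str, str]:
    """Ping a real host on Vlan10 so that Vlan10's own ACLs come into play."""
    return ping(build(vlan10_in=vlan10_in, vlan10_out=vlan10_out), LAPTOP, HOST10)
```

Running `original_post()` returns `('delivered', 'delivered')` because the request is handled inside the switch before it could exit on Vlan10 and the reply is switch-originated, while `casimirus_fix()` drops the request as it enters on Vlan30. `host_to_host(vlan10_out=ACL_103)` stops the request leaving toward Vlan10 (placement #2) and `host_to_host(vlan10_in=ACL_104)` lets the request through but drops the reply entering from Vlan10 (placement #3), which is the stateless behaviour jbusbysack described.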

Tremblay
Oct 8, 2002
More dog whistles than a Petco

inignot posted:

Ugh. I've gone down this road recently. I'm much more of an IOS guy than a PIX/ASA guy, but I've had to do some work on a firewall switch module recently. As near as I can tell the FWSM contains none of the acl editing capabilities of IOS at all. I can't find a way to remove or insert an entry via line numbers or re-sequence the acl to insert gaps into the line numbers. It's all 1998 acl land: remove acl, no out acl, create new one with edits, re-apply. If anyone knows a better way to do this on a FWSM let me know. I haven't found anything in my FWSM book or the docs.

FWSM version 2.x or 3/4.x? Post above covers 3 and 4. Don't think 2.x supports reorder.

Sojourner
Jun 6, 2007

Get In
Anyone have any experience with cisco RV model VPN routers? We're looking at setting up some site to site ipsec tunnels to remote offices but the literature on these products isn't very good and I'm not sure they'll do an ipsec site to site tunnel with an ASA. Or, can anyone recommend a good site to site VPN router (very small remote office, 1-2 connections)?

*edit*

I am a grammar retard.

Sojourner fucked around with this message at 18:46 on Jan 21, 2010

jwh
Jun 12, 2002

Sojourner posted:

Anyone have any experience with cisco RV model VPN routers? We're looking at setting up some site to site ipsec tunnels to remote offices but the literature on these products isn't very good and I'm not sure they'll do an ipsec site to site tunnel with an ASA. Or, can anyone recommend a good site to site VPN router (very small remote office, 1-2 connections)?

Cisco 871. They can DMVPN just fine. And they're extra cheap now that the 881s are out.

Richard Noggin
Jun 6, 2005
Redneck By Default

Casimirus posted:

Your laptop 192.168.17.38 Vlan30 pinging a hypothetical device 192.168.16.2 on Vlan10. You have four places to stop it:

access-list 103 deny icmp 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.31
access-list 104 deny icmp 192.168.16.0 0.0.0.31 192.168.17.0 0.0.0.255

interface Vlan10
ip address 192.168.16.1 255.255.255.224
ip access-group 104 in <-- #3 this stops the ICMP echo reply as it enters the switch on Vlan10 if #1 and #2 don't exist
ip access-group 103 out <-- #2 this stops the ICMP echo request as it exits the switch on Vlan10 if #1 doesn't exist

interface Vlan30
ip address 192.168.17.1 255.255.255.0
ip access-group 103 in <-- #1 this stops the ICMP echo request as it enters the switch on Vlan30
ip access-group 104 out <-- #4 this stops the ICMP echo reply from exiting the switch on Vlan30 if #1,2,3 don't exist

In your case, you're pinging an SVI on the switch, there's only one way to stop it:

access-list 103 deny icmp 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.31

interface Vlan30
ip address 192.168.17.1 255.255.255.0
ip access-group 103 in

Because the SVI is inside the switch, it never enters Vlan10, and the reply can't be stopped because the ACL doesn't apply to traffic originating from the switch.

This works perfectly, thank you. Thanks also to jwh for clearing up the traffic flow confusion.

Sojourner
Jun 6, 2007

Get In

jwh posted:

Cisco 871. They can DMVPN just fine. And they're extra cheap now that the 881s are out.

But over twice the cost of a cisco RV042.

inignot
Sep 1, 2003

WWBCD?

Tremblay posted:

FWSM version 2.x or 3/4.x? Post above covers 3 and 4. Don't think 2.x supports reorder.

It's 3.2(12). I'll consult this thread the next time I have to make an acl change.

Richard Noggin
Jun 6, 2005
Redneck By Default

Sojourner posted:

But over twice the cost of a cisco RV042.

I have heard nothing but horror stories about the RV042. In fact, we yanked one out of a customer's site because the VPN client wouldn't work, and Linksys support was unable to resolve the problem.

Richard Noggin fucked around with this message at 20:17 on Jan 21, 2010

inignot
Sep 1, 2003

WWBCD?

Sojourner posted:

But over twice the cost of a cisco RV042.

Looks like a Linksys toy with "Cisco" written on it, not an IOS based device.

Richard Noggin
Jun 6, 2005
Redneck By Default

inignot posted:

Looks like a Linksys toy with "Cisco" written on it, not an IOS based device.

That's exactly what it is.

Boner Buffet
Feb 16, 2006
Not a question but a comment. A $20,000 price tag on one MCS 7845I is insane. It's nothing more than a rebadged HP server.

Syano
Jul 13, 2005

InferiorWang posted:

Not a question but a comment. A $20,000 price tag on one MCS 7845I is insane. It's nothing more than a rebadged HP server.

CISCO QUALITY

In all seriousness I completely agree. It's batshit.

Boner Buffet
Feb 16, 2006
It seems the I stands for IBM; so it's a rebadged IBM server. The H series are HPs. Still crap though.

Syano
Jul 13, 2005

InferiorWang posted:

It seems the I stands for IBM; so it's a rebadged IBM server. The H series are HPs. Still crap though.

Yeah I don't really touch them for anything other than layer 2 and 3 products, where I kinda require 'always up' and I can't build that without spending all this year and next year's budget. For anything else I'd rather just buy 2, or 5, cheaper ones.

Boner Buffet
Feb 16, 2006
We tend to make our big technology leaps (catching up) when a new school is built or an existing school is renovated. Basically, whenever there is a large capital project, we can do some upgrades as they are a small fraction of the overall project budget. At some point in the not too distant past it was decided to go with a Cisco voice environment. While it's not a bad setup, it's expensive and they didn't put much thought into the cost when it would finally come time to upgrade. Our existing MCS boxes are EOL and it's only a matter of time before CCM 4.x will be too.

Looking deeper into it, I don't need the 7845I box. A 7825H4 will work fine. CDW lists it for about $6000. Still a big ticket item considering what it actually is behind the Cisco logo.

Boner Buffet fucked around with this message at 17:40 on Jan 25, 2010

Tremblay
Oct 8, 2002
More dog whistles than a Petco

InferiorWang posted:

We tend to make our big technology leaps (catching up) when a new school is built or an existing school is renovated. Basically, whenever there is a large capital project, we can do some upgrades as they are a small fraction of the overall project budget. At some point in the not too distant past it was decided to go with a Cisco voice environment. While it's not a bad setup, it's expensive and they didn't put much thought into the cost when it would finally come time to upgrade. Our existing MCS boxes are EOL and it's only a matter of time before CCM 4.x will be too.

Looking deeper into it, I don't need the 7845I box. A 7825H4 will work fine. CDW lists it for about $6000. Still a big ticket item considering what it actually is behind the Cisco logo.

I believe you can just buy the server from HP or IBM, built to our specs and it will still be a supported install. Please double check that before you do it...

inignot
Sep 1, 2003

WWBCD?
I've gone back and taken another look at the FWSM acl commands and I still hate this device.

tortilla_chip posted:

To remove an entire FWSM ACL:
fwsm(config)# clear configure access-list <access-list name>

This is really easy to miss in help. ? inside config mode reads back both the config and exec commands:

code:
FWSM(config)# clear ?

configure mode commands/options:
  configure  Configuration

exec mode commands/options:
  aaa             Clear AAA run time data
  aaa-server      Clear aaa-server statistics
  access-list     Clear counters for a specific access policy
  activation-key  Clear the activation-key
  arp             Clear ARP statistics
  asp             Clear the current contents of selected memory in the
                  Accelerated Security Path
  blocks          Clear system buffers statistics
  capture         Clear packets in a particular capture
  conn            Clear all connections
  console-output  Clear messages stored in buffer
  counters        Clear protocol stack counters
  cpu             Clear CPU stats
  crashinfo       Crash information
  crypto          Clear crypto operational data
<exec stuff goes on for pages>

tortilla_chip posted:

To remove just one line:
fwsm(config)# no access-list <access-list name> line <line number> <full ACE>

The availability of this command just isn't reflected in help at all.

code:
FWSM(config)# no access-list ?

configure mode commands/options:
  alert-interval  Specify the alert interval for generating syslog message 
                  106001 which alerts that the system has reached a deny
                  flow maximum. If not specified, the default value is 300 sec
  deny-flow-max   Specify the maximum number of concurrent deny flows that can 
                  be created. If not specified, the default value is 4096
FWSM(config)# no access-list
