Member_2_7970364

Cisco ASA5505 problems

Hi - I am having a mare of a day here with this ASA ... I wonder if anyone can help

I basically have 2 domains running on the network and they all go via separate ports on the Cisco

domain1 - eth/1 - internal 10.0.9.x
domain2 - eth/2 - internal 10.0.1.x

I do not want the networks to communicate generally but the mailserver that hosts both is on the 10.0.1.x network

I have 6 usable IP addresses 81.2.23.20-25 and I have configured eth/1 to listen for incoming traffic on .21 and the rest on .22-24

All traffic for some reason goes out via .22 (ideally I would like the eth/1 to send all traffic via .21 - but it's not the end of the world), but the issue currently is when someone on the 10.0.9.x network wants their email they resolve the IP address for the server (e.g. mail.net) and this resolves to 81.2.23.20 for example, but they can never connect.

Users on the 10.0.1.x network are OK, as in DNS I have an IP for the mailserver which sits on the .1 network.

I suspect this is because all the addresses .20 - .25 are really on the same network


I see there is an option to allow connections between 2 networks with the same security weighting, but I really don't want them to communicate generally; as both companies are on the same mail server, though, they need to just for this (but happy to use the external address).

Please does anyone have an idea on how to do this !!!

Cheever000

I would love to provide some assistance for you on this question. Can you show a diagram showing even fake networks on each side and perhaps the firewall configuration? This would really help; what you are describing isn't too out of the realms of difficulty, but I can't make heads or tails of the actual question, sorry.
Member_2_7970364

ASKER

Hi

Thanks for your comment and time - it is really appreciated.
Below is the config, and in essence what I am trying to achieve is to allow people who are on the linnaeus network (10.0.9.x) and public (192.168.10.x) access to certain servers on the inside network.

The main one being our mailserver, on the inside network this is simple as I have a DNS entry for the mainserver (eg: mailserver.me.com) to the internal address being 10.0.2.25 and everything works.

On the public and linnaeus networks, when they try to resolve mailserver.me.com the public DNS record responds with the same external IP as itself, and therefore no one on the linnaeus or public network can ever get their email.

The public and linnaeus networks are on their own separate switches, so there is no internal route between them; their only 'theoretical' route connecting them could be the Cisco ASA or the internet.

I hope this explains things a little better and I thank you for your time.



----
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 22
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.41.242.249 255.255.255.248
!
interface Vlan12
nameif public-wifi
security-level 100
ip address 192.168.8.254 255.255.255.0
!
interface Vlan22
nameif linnaeus
security-level 100
ip address 10.0.9.100 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.1.2
domain-name willows.local
object-group network EPA
description Email Systems IP Ranges
network-object EPA3 255.255.255.0
network-object EPA1 255.255.255.240
network-object EPA2 255.255.255.192
network-object EPA9 255.255.248.0
network-object EPA10 255.255.254.0
network-object EPA11 255.255.254.0
network-object EPA12 255.255.254.0
network-object EPA4 255.255.240.0
network-object EPA8 255.255.248.0
network-object EPA5 255.255.240.0
network-object EPA6 255.255.248.0
network-object EPA7 255.255.248.0
object-group service RDP tcp
description Remote Desktop
port-object eq 3386
object-group service VNC tcp
description VNC Viewer
port-object eq 3386
port-object eq 3387
port-object eq 3388
port-object eq 3389
object-group network Fuji
network-object host FUJI2
network-object host FUJI
network-object host FUJI3
network-object host curtis
object-group network EPA-LDAP
description LDAP auth for EPA
network-object host 176.34.228.109
network-object host 176.34.228.117
network-object host 176.34.228.121
network-object host 176.34.228.76
network-object host 46.137.116.147
network-object ldaps-1 255.255.252.0
network-object LDAPS-2 255.255.248.0
network-object LDAPS-3 255.255.255.0
network-object LDAPS-4 255.255.255.0
network-object MIKETEST 255.255.255.0
object-group service rdp2 tcp
group-object RDP
port-object eq 3385
port-object eq https
object-group service r3389 tcp
port-object eq 3389
object-group service https_and_6001 tcp
port-object eq 6001
port-object eq 6002
port-object eq 6003
port-object eq 6004
port-object eq https
object-group service fujIrequest tcp
port-object eq 2837
port-object eq 2861
port-object eq 2876
port-object eq 2898
port-object eq 3011
port-object eq 3030
port-object eq 5900
port-object eq 3387
object-group service oayrollpc tcp
description payrollpc
port-object eq 3375
object-group service port1433 tcp
port-object eq 1433
object-group service port1433single
service-object tcp eq 1433
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq www
service-object tcp eq https
access-list outside_access_in remark Allow SMTP access from EPA
access-list outside_access_in extended permit tcp object-group EPA host 81.71.242.253 eq smtp
access-list outside_access_in remark Allow LDAPS access from EPA
access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldaps
access-list outside_access_in extended permit tcp object-group EPA-LDAP 81.41.242.248 255.255.255.248 eq ldap inactive
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 81.41.242.252 object-group r3389
access-list outside_access_in extended permit tcp any host 81.41.242.251 object-group r3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 81.41.242.248 255.255.255.248
access-list outside_access_in remark VPN
access-list outside_access_in extended permit gre any 81.41.242.248 255.255.255.248
access-list outside_access_in remark Fuji RDP access to Synapse Server
access-list outside_access_in extended permit ip object-group Fuji 81.71.242.248 255.255.255.248
access-list outside_access_in remark GE
access-list outside_access_in extended permit udp host 195.177.212.157 host 81.41.242.252 eq isakmp
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq pptp
access-list outside_access_in extended permit gre any host 81.41.242.253
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group fujIrequest
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 object-group oayrollpc inactive
access-list outside_access_in extended permit tcp any host 81.41.242.253 object-group port1433 inactive
access-list outside_access_in extended permit tcp any 81.41.242.248 255.255.255.248 eq 1433
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound remark VLAN6
access-list inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
access-list outside_2_cryptomap extended permit ip 10.0.3.48 255.255.255.240 150.2.0.0 255.255.0.0
access-list public-wifi_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu public-wifi 1500
mtu linnaeus 1500
ip local pool VPN 10.0.1.220-10.0.1.230 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public-wifi) 1 0.0.0.0 0.0.0.0
nat (linnaeus) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 81.41.242.252 3389 WillowsTS 3389 netmask 255.255.255.255
static (linnaeus,outside) tcp 81.41.242.251 3389 10.0.9.9 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group public-wifi_access_in in interface public-wifi
route outside 0.0.0.0 0.0.0.0 81.41.242.254 1
route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
route inside 10.0.3.0 255.255.255.0 10.0.1.100 1
route inside 10.0.4.0 255.255.255.0 10.0.1.100 1
route inside 10.0.5.0 255.255.255.0 10.0.1.100 1
route inside 192.168.10.0 255.255.255.0 10.0.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.1.2 255.255.255.255 inside
http 10.0.0.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
Cheever000

Sorry for the delay in responding. I see that all the internal networks are the same security level, and you would need to use the command same-security-traffic permit inter-interface, otherwise the traffic can't flow between the interfaces. Traffic flows from higher to lower without any issue. After that you would have to do a couple of other small tasks.

To control traffic you can use an access list on the interface permitting access to the server first, denying the rest of the subnet second and then allowing any any ip to permit internet traffic out.

You may need to do a no nat statement between the networks or nat the IPs to itself as it traverses the network.
Member_2_7970364

ASKER

Thanks for the comment ... but I have nooo idea about how to do that !! (I'm the server guy and the network guy was involved in a car accident so is off for a few weeks .. so I have been tasked with it !!!)
Cheever000

for the same security traffic portion
conf t
same-security-traffic permit inter-interface

access-list

conf t
access-list server_access extended permit ip any host SERVERIP
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any

access-group server_access int linnaeus in

access-list linnaeus_nat0_outbound extended permit ip 10.0.9.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.9.0 255.255.255.0
nat (linnaeus) 0 access-list linnaeus_nat0_outbound

For simplicity's sake you can skip the server_access list section, but that will allow full traffic between the networks.
Member_2_7970364

ASKER

Hi

All worked except:

access-list
ERROR: % Incomplete command

-AND-

access-group server_access int linnaeus in
                             ^
ERROR: % Invalid input detected at '^' marker.


Any suggestions :)
Cheever000

Sorry, the first part was just a header, forgot to bold it.... the access-list line didn't need to be entered.

access-group server_access int linnaeus in

That references access-list server_access; did you create the access list?
Member_2_7970364

ASKER

Hi

Also .. with the commands entered all traffic from 10.0.1.x can get to 10.0.9.x (and vice versa) not just the traffic from 10.0.9.x to 10.0.1.178

Sorry if I sound confusing .. I am totally confused
Cheever000

Yes, that was what the access list was for.

access-list server_access extended permit ip any host SERVERIP   --- This was the server, in this case 10.1.178; I just put the word there so you could put all you needed
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any

This line below applies that rule in the inbound direction. I wrote it wrong the first time, sorry, just doing it from memory.

access-group server_access in int linnaeus
Cheever000

access-list server_access extended permit ip any host 10.0.1.178
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any
Member_2_7970364

ASKER

Ah ... I got it ... now I can only ping 10.0.1.178 from the PC on the 10.0.9 network

So if I wanted to say allow a second machine on the 10.0.1.x network (say 10.0.1.159) .. I simply type:

access-list server_access extended permit ip any host 10.0.1.151 ?

I think I will be adding 10.0.1.151 and 10.0.1.161 as these are the 3 main servers (this way I have covered all issues and can forget all about this Cisco and get back to playing with my servers)  :-)
ASKER CERTIFIED SOLUTION
Cheever000
Member_2_7970364

ASKER

Excellent .. thanks for ALL your help ...

This thing has been doing my HEAD in for 3 days !!!!!

A1 ****
Member_2_7970364

ASKER

Can I just ask 1 quick thing ..

From the 10.0.1.x network ... they can contact everything on the 10.0.9 network

Can I do the same to restrict to the 10.0.9 network .. would it be (so only people on the 10.0.1 network can for example contact 10.0.9.1):


access-list linnaeus_server_access extended permit ip any host 10.0.9.1
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any

This would create a new group called linnaeus_server_access ?

Or would I have to do something with the nat commands ?
Cheever000

You can do that access list; the item on the other side should have been blocking the return traffic, though. Just remember to switch the rule:

access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
and so on

Then apply the list on that side via the access-group command:

access-group linnaeus_server_access in int inside
Member_2_7970364

ASKER

OK .. so it's one or the other then ...

I apply that and it locks down so only 10.0.1.151 can ping a machine on the 10.0.9 network, but then everything from the 10.0.9 network can no longer ping anything on the 10.0.1 network.

It's a shame I can't do both, so:

Anything on the 10.0.9 network can contact 10.0.1.151, 161 and 178
-AND-
Anything on the 10.0.1 network can contact 10.0.9.9 and 10.0.9.10
Cheever000

You should be able to ping 10.0.1.151 from the 9 network. You will need to write more in the list.

for example

access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.9
access-list linnaeus_server_access extended permit ip any host 10.0.9.10
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any
Member_2_7970364

ASKER

Ok, so I get now you delete the previous then re-add.

This now works, if I understand .. 10.0.1.151 can contact anything on the 10.0.9 network but 10.0.1.10 can't do anything ..

So if I wanted to have this the other way around, so anything on the 10.0.1 network to access only specific things on the 10.0.9 network (in a similar way as anything on the 10.0.9) ... e.g. anything on the .1 to ping 10.0.9.5, would it be:

access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.5
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-group linnaeus_server_access in int inside
Cheever000

I do believe you have it.
Member_2_7970364

ASKER

OK, tested it and if I am 10.0.1.151, 161 and 178 I can ping anything in the 10.0.9 network (RESULT) !!

But ... and I say this with great regret with a pair of wirecutters and hammer at hand :)

I am on another machine, IP: 10.0.1.80, and I can't ping anything on the 10.0.9 network !!!
Cheever000

Given the access list you wrote, it should only ping the 9.5, but you would have to make that work from the other side too, editing the list permitting the 10.0.9.5 server to reach everything on the other side. I was actually surprised it worked in the beginning, given that you were only allowing that network to reach the few IP addresses and them back.
Member_2_7970364

ASKER

This would be the server_access or the linnaeus_server_access ?

At the moment .. the machines on the 10.0.9 network can ping the 3 servers I want, so that's a semi result I think ...

The servers .151, .161 and .178 can ping anything on the .9 network .. again another semi result

The only issue is the other machines on the .1 network; they can't ping anything on the .9

not sure if I am making sense, I am not making sense to myself with all this
Cheever000

Yeah, you have to allow the access back and forth, so you allowed only .1 to 9.5 outside of the servers, but you need to allow 9.5 back to the whole 1 network. I know it is confusing; by the time you are done with this project you will be an ACL expert.
Member_2_7970364

ASKER

So ... does this look OK ?
access-list server_access extended permit ip any host 10.0.1.178
access-list server_access extended permit ip any host 10.0.1.151
access-list server_access extended permit ip any host 10.0.1.161
access-list server_access extended permit ip host 10.0.9.5 10.0.1.0 255.255.255.0
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any
access-group server_access in int linnaeus

then
access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.5
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any
access-group linnaeus_server_access in int inside
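To check what the two lists in the message above actually let through, here is an added example (not from the thread and not Cisco code) that parses the posted ACEs and evaluates them the way the ASA does: first match wins, an unmatched packet hits the implicit deny at the end of the list, and only the packet that opens a connection is checked against the inbound ACL of its ingress interface, since the connection table admits the return packets. It handles only the "extended permit|deny ip" form used in this thread, and 198.51.100.10 is a constructed stand-in for an internet host.

```python
import ipaddress
import re

# Constructed input: the two lists from the final post, as the asker typed them.
SERVER_ACCESS = """
access-list server_access extended permit ip any host 10.0.1.178
access-list server_access extended permit ip any host 10.0.1.151
access-list server_access extended permit ip any host 10.0.1.161
access-list server_access extended permit ip host 10.0.9.5 10.0.1.0 255.255.255.0
access-list server_access extended deny ip any 10.0.1.0 255.255.255.0
access-list server_access extended permit ip any any
"""
LINNAEUS_SERVER_ACCESS = """
access-list linnaeus_server_access extended permit ip host 10.0.1.151 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.161 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip host 10.0.1.178 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any host 10.0.9.5
access-list linnaeus_server_access extended deny ip any 10.0.9.0 255.255.255.0
access-list linnaeus_server_access extended permit ip any any
"""

# Only the 'extended permit|deny ip <src> <dst>' form used in this thread is handled.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Return the ACEs of one access list as (action, src_net, dst_net), in order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # remarks and unrelated lines are ignored
            tokens = m.group(3).split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            aces.append((m.group(2), src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation; no match falls to the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def can_open(ingress_aces, src_ip, dst_ip):
    """A new connection is checked only against the inbound ACL of the interface
    it arrives on; the connection table then admits the return packets."""
    return evaluate(ingress_aces, src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    sa, la = parse_acl(SERVER_ACCESS), parse_acl(LINNAEUS_SERVER_ACCESS)
    print("10.0.9.20 -> 10.0.1.80:", can_open(sa, "10.0.9.20", "10.0.1.80"))  # False
    print("10.0.1.80 -> 10.0.9.5:", can_open(la, "10.0.1.80", "10.0.9.5"))    # True
```

Dropping the trailing "permit ip any any" from a list, as in the asker's earlier draft, leaves every other destination (the internet included) on the implicit deny, which evaluate() reports as "deny".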