Re: [OSL | CCIE_Security] NAC - eou bypass

2012-05-02 Thread Kingsley Charles
The redirect ACL should permit as follows:

  ip access-list extended redirect-acl
   permit tcp any host 1.1.1.1 eq 80

With regards, Kings

On Wed, May 2, 2012 at 2:42 AM, Imre Oszkar oszk...@gmail.com wrote: Hi Kings, Based on your e-mail this is what I understood. Is this correct? 1.

Re: [OSL | CCIE_Security] AnyConnect per group ACLs

2012-05-02 Thread Kingsley Charles
Is 10.X.X.0/24 the outside network? The format for a vpn-filter is always "access-list <name> permit <outside IP> <outside port> <inside IP> <inside port>", irrespective of the direction of the traffic (inbound/outbound). Is this what you said? With regards, Kings On Wed, May 2, 2012 at 7:21 AM, Fawad

Re: [OSL | CCIE_Security] AnyConnect per group ACLs

2012-05-02 Thread Fawad Khan
Not the outside network specifically; by remote I mean an IP address from the VPN pool (which from one perspective is outside the network, but from another perspective is now part of the network after connecting to the VPN). On Wednesday, May 2, 2012, Kingsley Charles wrote: Is 10.X.X.0/24 outside

Re: [OSL | CCIE_Security] AnyConnect per group ACLs

2012-05-02 Thread Kingsley Charles
The ASA vpn-filter is tricky, but one thing to remember is that it is directional.

  permit tcp any host 10.20.30.40 eq 23

Now this ACL will permit an outside user to connect to 10.20.30.40@23 (inbound/post-decrypt) and at the same time allow 10.20.30.40@23 (outbound/pre-encrypt) to anyone outside. Have

Re: [OSL | CCIE_Security] AnyConnect per group ACLs

2012-05-02 Thread Fawad Khan
There are two ways to handle the situation you mentioned.
1. An outbound ACL on the inside/DMZ interface, so that inside hosts cannot initiate the traffic through the unnecessary hole created by the ACL.
2. This one is not very restrictive but still better than nothing, i.e. instead of
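The vpn-filter behaviour Kings describes and the first mitigation Fawad lists, written out as an added ASA configuration example (this is not configuration from the original thread). The host 10.20.30.40 and port 23 come from the thread; the group-policy name GP-REMOTE, the ACL names VPN-FILTER and INSIDE-IN, the tunnel-group REMOTE-TG, the pool VPN-POOL (10.99.0.0/24) and the interface name "inside" are assumed.

```cisco
! Added example, not from the thread. Assumed names: GP-REMOTE, VPN-FILTER,
! INSIDE-IN, REMOTE-TG, VPN-POOL 10.99.0.0/24, interface "inside".
!
! vpn-filter ACL: always written with the remote (VPN client) side as the
! source and the inside side as the destination, whichever side starts
! the flow. Implicit deny at the end drops everything else.
access-list VPN-FILTER extended permit tcp any host 10.20.30.40 eq 23
!
group-policy GP-REMOTE internal
group-policy GP-REMOTE attributes
 vpn-filter value VPN-FILTER
!
ip local pool VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
tunnel-group REMOTE-TG general-attributes
 address-pool VPN-POOL
 default-group-policy GP-REMOTE
!
! The same line is evaluated for flows in the reverse direction, so it also
! lets 10.20.30.40 open a connection with SOURCE port 23 to any port on a
! VPN client (the "hole" discussed above). Mitigation 1 from the thread:
! an ACL on the inside interface that stops inside hosts initiating
! toward the VPN pool with that source port. Applied "in" on "inside",
! i.e. to traffic leaving the inside hosts, before encryption.
access-list INSIDE-IN extended deny tcp host 10.20.30.40 eq 23 10.99.0.0 255.255.255.0
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
```

The inside-interface ACL is still hit for traffic going toward the VPN clients because "sysopt connection permit-vpn" only bypasses the interface ACL for decrypted traffic arriving on the tunnel-terminating interface. Verify with "show access-list INSIDE-IN" after a connection attempt from 10.20.30.40 with source port 23.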

Re: [OSL | CCIE_Security] AnyConnect per group ACLs

2012-05-02 Thread Kingsley Charles
Are you talking about GETVPN? With regards Kings On Wed, May 2, 2012 at 6:18 PM, Fawad Khan fawa...@gmail.com wrote: There are two ways to handle that situation which You mentioned. 1. An outbound acl on the inside/DMz interface. So that inside hosts cannot initiate the traffic because of

[OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Kingsley Charles
Hi all, The task asks to allow SSH only from 4.8.6.0/24 and the restriction is that we should not use access-lists. So FPM is the only answer. In the following config, the class-map gets matched and 4.8.6.0/24 is allowed in. The issue is that I need a wildcard class-map to block other SSH

[OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Matt Manire
Guys, I am trying to work through the practice VPN lab “4.8 Easy VPN with External Group Authorization and XAUTH.” In regards to performing external authentication, where can I find a list/documentation for the RADIUS attributes to add to the [009\001] cisco-av-pair box under Group

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Mike Rojas
Matt, You can find the most regular ones here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml Make sure you have cisco-av-pair enabled with these attributes: ipsec:key-exchange=ike

Re: [OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Eugene Pefti
According to Cisco, FPM cannot be applied to the control plane. http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html Restrictions for Flexible Packet Matching (snip): "Mapping of FPM policies to control-plane is not supported." From: ccie_security-boun...@onlinestudylist.com

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Eugene Pefti
Take a look at this document, Matt. http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml I have never found any place in Cisco documentation where they provide a full list of Cisco VSAs for IPsec. Eugene From:

Re: [OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Eugene Pefti
Just an observation and comment on Cisco documentation with regard to FPM configuration. Would it be acceptable NOT to match on ETHER type under the stack-type class-map if we filter only IP and TCP traffic? I saw the majority of examples in Cisco documentation starting with match field ip

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Matt Manire
Thanks, Mike. Do you know of any documentation that lists out all of the optional attributes? Thanks, Matt Manire, CCSP, CCNP, CCDP, MCSE 2003, MCSE 2000, Information Systems Security Manager, mman...@firstrate.com, t: 817.525.1863, f: 817.525.1903, m: 817.271.9165, First Rate |

Re: [OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Kingsley Charles
It's your choice, unless the task is specific. With regards, Kings On Thu, May 3, 2012 at 1:33 AM, Eugene Pefti eug...@koiossystems.com wrote: Just an observation and comment on Cisco documentation with regard to FPM configuration. Would it be acceptable NOT to match on ETHER type under the

Re: [OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Kingsley Charles
That should be CPPr, not CoPP. It can be applied to CoPP. If you disable CEF, you can see that only CPPr features get disabled. With regards, Kings On Thu, May 3, 2012 at 1:10 AM, Eugene Pefti eug...@koiossystems.com wrote: According to Cisco FPM can not be applied to a control-plane.

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Eugene Pefti
Interesting, It never occurred to me that I access that page as a partner as my browser cached my Cisco CCO credentials. It raises a legitimate question how can CCIE candidates get access to Cisco documentation without a partner status? Eugene From: Matt Manire [mailto:mman...@firstrate.com]

Re: [OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Eugene Pefti
I'm confused, Kings. For me CPPr and CoPP are still control-plane. Why would I need to disable CEF if FPM is implemented purely in CEF? Eugene From: Kingsley Charles [mailto:kingsley.char...@gmail.com] Sent: 02 May 2012 13:16 To: Eugene Pefti Cc: ccie_security@onlinestudylist.com Subject: Re:

Re: [OSL | CCIE_Security] FPM to restrict vty access

2012-05-02 Thread Fawad Khan
I think CoPP or CPPr would do the job and not FPM. On Wednesday, May 2, 2012, Kingsley Charles wrote: Hi all The task asks to allow ssh only from 4.8.6.0/24 and the restriction is that we should not use access-lists. So FPM is the only answer. In the following config, class-map gets

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Mike Rojas
Eugene and all of the ones that have doubts about it: This is the non partner document (which is the same I posted before to Matt) http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml If you follow the path on the Left, you will get there from

Re: [OSL | CCIE_Security] Lab 4A - Configure Cisco VPN Solutions

2012-05-02 Thread Fawad Khan
Is this what you guys are looking for?

  R4#show aaa attributes protocol radius
  AAA ATTRIBUTE LIST:
  Type=1    Name=disc-cause-ext          Format=Enum
  Protocol:RADIUS
    Unknown   Type=195  Name=Ascend-Disconnect-Cau  Format=Enum
    Cisco VSA Type=1
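The external group authorization the thread is about (Easy VPN server on IOS pulling group attributes from RADIUS via cisco-av-pair), as an added example that is not from the original thread or the lab workbook. The attribute ipsec:key-exchange=ike is the one Mike quotes; the other av-pairs shown (ipsec:tunnel-password, ipsec:addr-pool, ipsec:inacl) are the commonly used ones from the Cisco configuration example linked above. The RADIUS entry is written in FreeRADIUS "users" file syntax rather than the ACS GUI, and the group name EZVPN-GROUP, list names XAUTH-LIST and EZVPN-AUTHZ, pool EZVPN-POOL, ACL 101, the server address 192.0.2.10, the RADIUS key and the interface name are all assumed.

```text
# --- RADIUS side (FreeRADIUS "users" syntax; assumed, the lab uses ACS) ---
# IOS Easy VPN looks up the group name as a RADIUS "user" whose password
# must be the literal string "cisco" and whose Service-Type is Outbound.
# The av-pairs are returned as Cisco VSA [009\001] cisco-av-pair.
EZVPN-GROUP  Cleartext-Password := "cisco"
             Service-Type = Outbound-User,
             Cisco-AVPair += "ipsec:key-exchange=ike",
             Cisco-AVPair += "ipsec:tunnel-password=group-preshared-secret",
             Cisco-AVPair += "ipsec:addr-pool=EZVPN-POOL",
             Cisco-AVPair += "ipsec:inacl=101"

! --- Router side (IOS; names assumed) ---
aaa new-model
aaa authentication login XAUTH-LIST group radius local
aaa authorization network EZVPN-AUTHZ group radius
radius-server host 192.0.2.10 key RADIUS-KEY
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! XAUTH user authentication and external (RADIUS) group authorization
crypto map CM client authentication list XAUTH-LIST
crypto map CM isakmp authorization list EZVPN-AUTHZ
crypto map CM client configuration address respond
crypto map CM 10 ipsec-isakmp dynamic DYN
!
! Objects referenced by the av-pairs must exist locally on the router:
! the pool named by ipsec:addr-pool and the split-tunnel ACL named by ipsec:inacl.
ip local pool EZVPN-POOL 10.50.0.1 10.50.0.254
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.50.0.0 0.0.0.255
!
interface GigabitEthernet0/0
 crypto map CM
```

Check the result with "debug radius" during a client connection: the Access-Accept for the group should carry the cisco-av-pair values, and "show crypto isakmp sa" / "show crypto session" should show the client bound to the pool address handed out from EZVPN-POOL.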