Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Access-List to allow only wins traffic

Hi,

I have a network segmented out into two pieces.

Inside nic has a bunch of servers, one of which is a Wins server and ethernet1 has a segmented network which should have basically no access to the inside nic. I did not want to stand up another WINS server. Is there anyway to add to my access-list a rule that only allows wins lookup traffic? the purpose of this is for pinging via hostname when connected to the seperate network via VPN.

Thanks,

Jeff

  • Firewalling
2 REPLIES
New Member

Can you post your existing

Can you post your existing ACL?

New Member

hi, is that really necessary

hi,

 

is that really necessary to explain how to allow wins traffic?

i don't have the actual config as i am not home right now. i do however have my configuration script i have been building to reset/setup the configuration:

 

#open hyper terminal on machine where cisco pix is plugged into the console port
#set baud rate to 9600
#restart device

 

 

write erase

reload

#may need to do above 2 commands again to get to interactive config prompts below

#Pre-configure Firewall now through interactive prompts [yes]? Hit Enter
#Firewall Mode [Routed]: Hit Enter
#Enable password [<use current password>]: password
#Allow password recovery [yes]?
#Inside IP address: 10.1.1.1
#Inside network mask: 255.255.255.0
#Host name: thcvpn01
#Domain name: somedomain.net
#IP address of host running Device Manager:
#Use this configuration and write to flash? yes

y
Routed
password
Yes
2014

 

10.1.1.1
255.255.255.0
thcvpn01
somedomain.net

yes

 


enable
password
configure terminal
interface ethernet0
nameif outside
ip address dhcp setroute
no shutdown
exit


#configure dns
 #allow dns lookup on the inside and outside interfaces
 dns domain-lookup inside
 dns domain-lookup outside

 #set the dns servers to use globally
 dns name-server 8.8.8.8
 dns name-server 8.8.4.4

#configure dhcp
 #set the address range
 dhcpd address 10.1.1.50-10.1.1.254 inside
 
 #set the dns to use
 dhcpd dns 8.8.8.8 8.8.4.4 interface inside
 dhcpd wins 10.1.1.3

 #allow dhcpd to work on the inside interface
 dhcpd enable inside

#set up network address translation
 #enable network address translation
 nat-control
 
 #Define the inside group to be included for NAT.
 nat (inside) 101 10.0.0.0 255.0.0.0
 
 #Specify a pool of addresses on the outside interface to which the hosts defined in the NAT statement are translated.
 global (outside) 101 interface

#allow outside interfaces to access the inside interfaces
 access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
 access-list ThcInside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0

#allow inside interfaces to access the outside interfaces
 access-list ThcInside-nat0 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
 access-list ThcInside-nat0 extended permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0

#allow outside full tunnel host to outside split tunnel hosts
 access-list ThcInside-nat0 extended permit ip 10.1.3.0 255.255.255.0 10.1.2.0 255.255.255.0

#allow outside split tunnel host to outside full tunnel hosts
 access-list ThcInside-nat0 extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0


#apply the access list to the inside interface
 nat (inside) 0 access-list ThcInside-nat0

#allow networks with the same security level to communicate
 same-security-traffic permit intra-interface

#allow web traffic into the network
 object-group icmp-type ICMPObject
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object unreachable

 access-list outside_access_in extended permit icmp any any object-group ICMPObject
 access-group outside_access_in in interface outside

 http server enable
 http 10.0.0.0 255.0.0.0 inside

 #allow ping packets into the network
  policy-map global_policy
  class inspection_default
  inspect icmp
  inspect icmp error
  exit
  exit

#setup authentication mechanisms for vpn access
 #part one is peer to peer communications
  isakmp policy 1 authentication pre-share
  isakmp policy 1 encryption aes-256
  isakmp policy 1 hash sha
  isakmp policy 1 group 2
  isakmp policy 1 lifetime 43200
  isakmp enable outside
  crypto isakmp nat-traversal 30

 #part two is cryptography
  crypto ipsec transform THCTransformSet esp-aes-256 esp-sha-hmac
  crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
  crypto dynamic-map THCDynamicMap 1 set reverse-route
  crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
  crypto map THCCryptoMap interface outside

 

#setup vpn user names
 username user1 password password


#setup full tunnel vpn access
 nat (outside) 101 10.1.2.0 255.255.255.0
 ip local pool ThcIPFullTunnelPool 10.1.2.1-10.1.2.254 mask 255.255.255.0
 group-policy THCFullTunnel internal
 group-policy THCFullTunnel attributes
  dns-server value 8.8.8.8 8.8.4.4
  wins-server value 10.1.1.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
 tunnel-group THCFullTunnel type ipsec-ra
 tunnel-group THCFullTunnel general-attributes
  address-pool ThcIPFullTunnelPool
  default-group-policy THCFullTunnel
  tunnel-group THCFullTunnel ipsec-attributes
  pre-shared-key password

 


#setup split tunnel vpn access
 nat (outside) 101 10.1.3.0 255.255.255.0
 access-list THCSplitTunnelAccessList standard permit 10.1.1.0 255.255.255.0
 ip local pool ThcIPSplitTunnelPool 10.1.3.1-10.1.3.254 mask 255.255.255.0
 group-policy THCSplitTunnel internal
 group-policy THCSplitTunnel attributes
  dns-server value 8.8.8.8 8.8.4.4
  wins-server value 10.1.1.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value THCSplitTunnelAccessList

 tunnel-group THCSplitTunnel type ipsec-ra
 tunnel-group THCSplitTunnel general-attributes
  address-pool ThcIPSplitTunnelPool
  default-group-policy THCSplitTunnel
  tunnel-group THCSplitTunnel ipsec-attributes
  pre-shared-key password

 


#setup web only vpn access
 nat (outside) 101 10.1.4.0 255.255.255.0
 ip local pool ThcIPWebOnlyTunnelPool 10.1.4.1-10.1.4.254 mask 255.255.255.0
 group-policy THCWebOnlyTunnel internal
 group-policy THCWebOnlyTunnel attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelall
 tunnel-group THCWebOnlyTunnel type ipsec-ra
 tunnel-group THCWebOnlyTunnel general-attributes
  address-pool ThcIPWebOnlyTunnelPool
  default-group-policy THCWebOnlyTunnel
  tunnel-group THCWebOnlyTunnel ipsec-attributes
  pre-shared-key password

 

#setup email logging of remote vpn sessions
 no logging asdm
 logging enable
 logging timestamp
 logging host inside 10.1.1.1
 logging list THCLogList message 113012
 logging list THCLogList message 113019
 smtp-server 10.1.1.3
 logging from-address someone@somewhere.com
 logging recipient-address someone@somewhere.com level debug
 logging mail THCLogList

 

 

#setup segregated network segment
 #setup and configure ethernet2 nic
  interface ethernet2
  nameif lab
  ip address 10.1.5.1 255.255.255.0
  security-level 100
  no shutdown.
  exit

 #allow dns lookup
  dns domain-lookup lab

 #allow dhcp to give out IP addresses in specified range to the lab hosts, for hosts not connecting through a tunnel
  dhcpd address 10.1.5.150-10.1.5.200 lab
  dhcpd dns 8.8.8.8 8.8.4.4 interface lab
  dhcpd enable lab


 #gets web access running from the 10.1.5.x subnet
  nat (lab) 101 10.0.0.0 255.0.0.0
 

 #allow inside interfaces to access the outside interfaces
  access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0

 #allow outside full tunnel host to lab hosts
  access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.2.0 255.255.255.0

 #allow outside split tunnel host to lab hosts
  access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.3.0 255.255.255.0
 
 #allow hosts on the lab tunnel to access lab hosts in the lab, that are not in the tunnel
  access-list ThcInside-nat0 extended permit ip 10.1.5.0 255.255.255.0 10.1.5.0 255.255.255.0

 #apply the access list to the inside interface and the lab interface
  nat (lab) 0 access-list ThcInside-nat0


 #define the ip address pool to use when connecting through a tunnel
  ip local pool ThcIPLabOnlyTunnelPool 10.1.5.201-10.1.5.254 mask 255.255.255.0

 #set up seperate vpn group with full tunnel that only has access to the lab
  group-policy THCLabOnlyTunnel internal
  group-policy THCLabOnlyTunnel attributes
   dns-server value 8.8.8.8 8.8.4.4
   wins-server value 10.1.1.3
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelall
  tunnel-group THCLabOnlyTunnel type ipsec-ra
  tunnel-group THCLabOnlyTunnel general-attributes
   address-pool ThcIPLabOnlyTunnelPool
   default-group-policy THCLabOnlyTunnel
   tunnel-group THCLabOnlyTunnel ipsec-attributes
   pre-shared-key password

 #setup seperate vpn group with split tunnel that only has access to the lab
  access-list THCLabSplitTunnelAccessList standard permit 10.1.5.0 255.255.255.0
  group-policy THCLabSplitTunnel internal
  group-policy THCLabSplitTunnel attributes
   dns-server value 8.8.8.8 8.8.4.4
   wins-server value 10.1.1.3
   vpn-tunnel-protocol IPSec
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value THCLabSplitTunnelAccessList
  tunnel-group THCLabSplitTunnel type ipsec-ra
  tunnel-group THCLabSplitTunnel general-attributes
   address-pool ThcIPLabOnlyTunnelPool
   default-group-policy THCLabSplitTunnel
   tunnel-group THCLabSplitTunnel ipsec-attributes
   pre-shared-key password

 #add users that can use the lab
  username someone1 password password1
  username someone2 password password2

#copy the current config so it always starts up with this configuration
 copy running-config startup-config
#make backup of the configuration
 copy running-config config-backup

 


====================
#debug and stat commands
 show uauth
 show ipsec sa
 show isakmp sa
 show ipsec stats
 show isakmp stats
 show isakmp ipsec-over-tcp stats
 debug crypto ipsec
 debug crypto isakmp

#test cases
 full tunnel
  can ping all 10.1.1.1 hosts by ip and host name
  ping from remotely connected host to another host on 10.1.2.x by host name and ip
  ping from 10.1.2.1 to 10.1.3.x, 10.1.4.x and 10.1.5.x
  tracert where all web traffic goes to the house first and then out to the internet

 split tunnel
  can ping all 10.1.1.1 hosts by ip and host name
  ping from remotely connected host to another host on 10.1.2.x by host name and ip
  ping from 10.1.2.1 to 10.1.3.x, 10.1.4.x and 10.1.5.x
  tracert goes directly out to the internet

 web only tunnel
  can't ping any hosts by ip or host name on 10.1.1.x, 10.1.2.x, 10.1.3.x or 10.1.5.x
  tracert where all web traffic goes to the house first and then out to the internet

 lab only full tunnel
  can ping all 10.1.5.x hosts by ip and host name
  ping from remotely connected host to another host on 10.1.5.x by host name and ip
  can not ping any 10.1.1.x, 10.1.2.1, 10.1.3.x, or 10.1.4.x hosts
  tracert where all web traffic goes to the house first and then out to the internet

 lab only split tunnel
  can ping all 10.1.5.x hosts by ip and host name
  ping from remotely connected host to another host on 10.1.5.x by host name and ip
  can not ping any 10.1.1.x, 10.1.2.1, 10.1.3.x, or 10.1.4.x hosts
  tracert goes directly out to the internet

#current issues needing resolution
 lab via, can't lookup host names
 


 

158
Views
0
Helpful
2
Replies
This widget could not be displayed.