Anyone a Cisco IOS expert?


  • Anyone a Cisco IOS expert?

    Our Cisco ADM Firewall is down, as in we cannot get to the GUI. Something keeps happening with it, but long story short, we can now SSH into it.

    We need to add an IP address to it, via SSH, that will allow that IP into the network. What commands would I type in, say the IP is 10.10.1.1 for this example?

  • #2
    Re: Anyone a Cisco IOS expert?

    Access in on what port(s) and to what destination IP?
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: Anyone a Cisco IOS expert?

      What firewall? ASA ? IOS CBAC, Zone Based? What changes need to be made?
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)



      • #4
        Re: Anyone a Cisco IOS expert?

        I usually don't handle it, as the developer does, but I know this:

        They need FTP (21) access to a server internally. So I would just make up one now for sake of example:

        10.10.1.10 needs access to server 192.168.1.5 on port 21. What would a command be for something like this?

        ASA5510



        • #5
          Re: Anyone a Cisco IOS expert?

          access-list OUTSIDE_IN permit tcp host 10.10.1.10 host 192.168.1.5 eq ftp


          access-group OUTSIDE_IN in interface outside


          Depending on what version of ASA code would depend if you use the "public" ip of the server or the internal ip address of the server.

          If 8.2 and older then you specify the public ip of the server (The natted address)

          If 8.3 and newer then you use the "internal" or private address in your ACL.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: Anyone a Cisco IOS expert?

            Thank you. I added it but it didn't seem to make a difference. I rebooted the firewall off hours and got the GUI back. This time, we made a group called ftpclients. Now when this happens, I can add IPs to this group.

            So my last question is, how would I add an IP (ex: 8.8.8.) to a group called ftpclients?

            We have groups nested under that group for each client that has multiple IPs. Would that cause a problem?



            • #7
              Re: Anyone a Cisco IOS expert?

              So my last question is, how would I add an IP (ex: 8.8.8.) to a group called ftpclients?
              object-group network FTP_CLIENTS
              network-object host 8.8.8.8


              If there are groups nested under that object-group then they will "inherit" the properties/permissions of the group when referenced in an access-list.

              To make the config very modular you could also add your internal FTP server in a group and also the required protocol and ports to reference in your ACLs


              object-group network FTP_SERVER
              network-object host x.x.x.x


              object-group service FTP_PORTS
              service-object tcp ftp


              access-list FTP_ACCESS permit object-group FTP_PORTS object-group FTP_CLIENTS object-group FTP_SERVER


              The whole config in one line of the ACL. The ASA will expand that out depending on how many clients you have.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)
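              The two answers above (#5 and #7) both come down to one point: an ACE written against object-groups is shorthand, and the ASA expands it into every concrete source/destination/port combination, following nested group-object references. The script below is an added example, not code from this thread or from Cisco; it parses a constructed running-config fragment (the names mirror the thread, the addresses are made up) and expands the object-group ACE into the explicit tuples the firewall actually evaluates, which is what you would check against before trusting that a client is permitted. It assumes 8.3+ semantics (real/private addresses in the ACL, `service-object ... destination eq` syntax), but the parser also accepts the older `service-object tcp eq ftp` and the bare `service-object tcp ftp` form used in post #7. The port-name table is a small hypothetical subset of the names the ASA accepts.

```python
"""Expand an ASA access-list ACE that references object-groups into explicit
(action, proto, src, dst, port) tuples, following nested group-object
references. Added example; the config fragment below is constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """
object-group network CLIENT_A
 network-object host 8.8.8.8
 network-object 198.51.100.0 255.255.255.0
object-group network FTP_CLIENTS
 network-object host 10.10.1.10
 group-object CLIENT_A
object-group network FTP_SERVER
 network-object host 192.168.1.5
object-group service FTP_PORTS
 service-object tcp destination eq ftp
 service-object tcp destination eq 990
access-list FTP_ACCESS extended permit object-group FTP_PORTS object-group FTP_CLIENTS object-group FTP_SERVER
"""

# Hypothetical subset of the well-known port names the ASA accepts in place of numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23, "http": 80, "https": 443}


@dataclass
class Groups:
    network: dict = field(default_factory=dict)  # name -> [ip_network | ("group", name)]
    service: dict = field(default_factory=dict)  # name -> [(proto, port)]
    acls: list = field(default_factory=list)     # raw access-list lines


def parse_config(text):
    """Pull network/service object-groups and access-list lines out of config text."""
    g = Groups()
    current = None  # (kind, name) of the object-group whose members we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group (network|service) (\S+)", line)
        if m:
            current = (m.group(1), m.group(2))
            (g.network if m.group(1) == "network" else g.service).setdefault(m.group(2), [])
            continue
        if line.startswith("access-list "):
            g.acls.append(line)
            current = None
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "network":
            if line.startswith("network-object host "):
                g.network[name].append(ipaddress.ip_network(line.split()[2]))
            elif line.startswith("network-object "):
                _, net, mask = line.split()
                g.network[name].append(ipaddress.ip_network(f"{net}/{mask}"))
            elif line.startswith("group-object "):
                g.network[name].append(("group", line.split()[1]))
        else:
            # Accept 8.3+ "tcp destination eq X", 8.2 "tcp eq X" and bare "tcp X".
            m = re.match(r"service-object (tcp|udp) (?:destination )?(?:eq )?(\S+)$", line)
            if m:
                port = m.group(2)
                g.service[name].append((m.group(1), int(PORT_NAMES.get(port, port))))
    return g


def expand_network(g, name, seen=frozenset()):
    """Flatten a network object-group, recursing into nested group-objects.
    A cyclic reference is reported instead of looping forever."""
    if name in seen:
        raise ValueError(f"cyclic group-object reference via {name}")
    out = []
    for entry in g.network[name]:
        if isinstance(entry, tuple):
            out.extend(expand_network(g, entry[1], seen | {name}))
        else:
            out.append(entry)
    return out


def expand_acl(g, acl_line):
    """Turn one object-group ACE into the concrete tuples the ASA evaluates
    (the same expansion 'show access-list' displays)."""
    m = re.match(r"access-list (\S+) (?:extended )?(permit|deny) object-group (\S+) "
                 r"object-group (\S+) object-group (\S+)", acl_line)
    if not m:
        raise ValueError("only service/src/dst object-group ACEs are handled here")
    _, action, svc, src, dst = m.groups()
    return [(action, proto, str(s), str(d), port)
            for proto, port in g.service[svc]
            for s in expand_network(g, src)
            for d in expand_network(g, dst)]


if __name__ == "__main__":
    groups = parse_config(SAMPLE_CONFIG)
    for ace in expand_acl(groups, groups.acls[0]):
        print(ace)
```

              Running it against the sample prints six tuples: two ports times the three client entries (the direct host plus the two entries inherited from the nested CLIENT_A group) times the one server. If a client you just added does not appear in that expansion, the ACE is not the problem; look at which interface the access-group is applied to, or, on pre-8.3 code, whether the ACL names the NATed address rather than the private one.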
