Using Cisco Access Control List to block a subnet

Question:

I have the following Class B network, 172.31.0.0/16, that I'm trying to create an access list for. I'd like to allow 172.31.240.0/24 but deny all else, so I'm looking for the best way to accomplish this with 2 ACL lines.

Answer:

The best way to accomplish the above is to explicitly permit the subnet you want and then deny the whole Class B network. Note that access list 110 is in the extended range (100-199), so each entry needs a destination as well as a source; here the destination is "any":

access-list 110 permit ip 172.31.240.0 0.0.0.255 any
access-list 110 deny ip 172.31.0.0 0.0.255.255 any

Another option, with just one ACL entry, is to permit only the subnet 172.31.240.0/24 and nothing else. No other entries are needed, because every access list ends with an implicit deny that drops any packet no earlier entry matched. The explicit deny line is still useful in practice: the implicit deny keeps no hit counter, whereas an explicit deny (optionally with the log keyword) shows up in show access-lists and tells you how much traffic is being blocked. In both forms the ACL does nothing until it is applied to an interface, for example with ip access-group 110 in, and the second column is a wildcard mask (0 bits must match, 1 bits are ignored), not a subnet mask.
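The matching rules described above, as an added example that is not part of the original answer: a small Python simulator of Cisco ACL source-address matching (wildcard masks, first-match evaluation, implicit deny). It shows that the two-line and one-line versions of access-list 110 give the same verdict for every source address, and what goes wrong when a subnet mask is typed where a wildcard mask belongs. The parser, the sample addresses and the restriction to source-address matching are my assumptions, not something the page describes.

```python
"""Added example: simulate Cisco ACL source matching to compare the two ACL forms.

Assumption (not from the page): only the source address of each entry is
evaluated; protocol, destination and ports are parsed but ignored.
"""
import ipaddress


def wildcard_from_prefix(prefix_len: int) -> str:
    """Cisco wildcard (inverse) mask for an IPv4 /prefix_len, e.g. /24 -> 0.0.0.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match the
    network address, a 1 bit is a 'don't care' bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <proto> <src> <src-wildcard> ...' lines
    into (action, source, wildcard) tuples; everything after the source is ignored."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, src, wc = parts[2], parts[4], parts[5]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        entries.append((action, src, wc))
    return entries


def evaluate(entries, src_addr: str) -> str:
    """First matching entry wins; with no match, the implicit deny applies."""
    for action, network, wildcard in entries:
        if wildcard_match(src_addr, network, wildcard):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL


# The two forms of access-list 110 discussed in the answer (destination "any").
TWO_LINE_ACL = parse_acl([
    "access-list 110 permit ip 172.31.240.0 0.0.0.255 any",
    "access-list 110 deny ip 172.31.0.0 0.0.255.255 any",
])
ONE_LINE_ACL = parse_acl([
    "access-list 110 permit ip 172.31.240.0 0.0.0.255 any",
])

# Constructed sample sources: inside the permitted /24, elsewhere in the /16,
# the /24's edge addresses, and an address outside the Class B entirely.
SAMPLE_SOURCES = [
    "172.31.240.1", "172.31.240.255", "172.31.239.255", "172.31.241.0",
    "172.31.0.1", "172.31.255.254", "10.1.1.1", "172.30.240.1",
]


def compare(sources=SAMPLE_SOURCES):
    """Return {source: (two-line verdict, one-line verdict)} for each sample."""
    return {s: (evaluate(TWO_LINE_ACL, s), evaluate(ONE_LINE_ACL, s)) for s in sources}


if __name__ == "__main__":
    for src, (two, one) in compare().items():
        print(f"{src:16} two-line={two:6} one-line={one}")
```

The common mistake the simulator exposes: wildcard_match("10.0.0.0", "172.31.240.0", "255.255.255.0") returns True, because with a subnet mask in the wildcard column only the last octet is compared, so the entry would match any address ending in .0 anywhere on the Internet rather than the intended /24.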

FTP Disconnects Through Cisco ASA Firewall. MSS Exceeded Problem.

Each TCP endpoint has a ceiling on the amount of data it will accept in a single segment, called the MSS (Maximum Segment Size). Each side announces its own MSS in the MSS option of the TCP SYN and SYN-ACK segments, so the value is not negotiated so much as exchanged: after the handshake, each endpoint must comply with the MSS advertised by its peer and must not send a segment carrying more data than the device it is sending to said it can receive. If no MSS option is received, TCP assumes the default of 536 bytes.

Unfortunately, there are cases where, even though the two TCP endpoints exchanged MSS values, one of them sends a segment larger than the MSS its peer advertised. Starting with PIX/ASA software version 7.0, the firewall's TCP normalizer no longer accepts this: it drops segments whose data exceeds the MSS the receiving side advertised. The firewall does this to protect the devices behind it from buffer overflow attacks.
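The check described above, as an added example rather than code from the original post or from Cisco: a Python model of the firewall's "exceeded MSS" rule. It builds bare TCP headers with an MSS option, parses the option list, remembers what each side advertised in its SYN / SYN-ACK, and then drops any later segment whose payload is larger than the MSS advertised by that segment's receiver. The FTP exchange (client advertises 1460, server advertises 1380, client sends 1460 bytes anyway) and the port numbers are constructed test vectors, not captures from the page.

```python
"""Added example: model the ASA/PIX 7.x 'exceeded MSS' check on constructed segments.

Assumptions (not from the page): headers are TCP only (no IP header), checksums
are left at zero, and connections are keyed by (source port, destination port).
"""
import struct

MSS_OPTION_KIND = 2
MSS_DEFAULT = 536          # RFC 1122 default when no MSS option is seen
SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_tcp_segment(sport, dport, flags, mss=None, payload=b""):
    """Build a 20-byte TCP header (plus a 4-byte MSS option if mss is given)."""
    options = struct.pack("!BBH", MSS_OPTION_KIND, 4, mss) if mss is not None else b""
    data_offset = (20 + len(options)) // 4           # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp_segment(seg):
    """Parse the fixed header and walk the option list looking for MSS (kind 2)."""
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", seg[:20])
    data_offset = (off_res >> 4) * 4
    options, payload = seg[20:data_offset], seg[data_offset:]
    mss, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                  # end of option list
            break
        if kind == 1:                  # NOP: single byte, no length field
            i += 1
            continue
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option list")
        if kind == MSS_OPTION_KIND and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return {"sport": sport, "dport": dport, "flags": flags, "mss": mss, "payload": payload}


class MssNormalizer:
    """Remember the MSS each side advertised; drop data segments that exceed the
    MSS advertised by the segment's receiver (the peer of the sender)."""

    def __init__(self):
        self.advertised = {}   # (sport, dport) -> MSS advertised by the sender of that flow

    def process(self, seg_bytes):
        seg = parse_tcp_segment(seg_bytes)
        if seg["flags"] & SYN:
            # SYN and SYN-ACK carry the sender's own receive limit.
            self.advertised[(seg["sport"], seg["dport"])] = seg["mss"] or MSS_DEFAULT
            return "pass"
        # The receiver of this segment advertised its MSS in the reverse flow.
        limit = self.advertised.get((seg["dport"], seg["sport"]))
        if limit is not None and len(seg["payload"]) > limit:
            return "drop"
        return "pass"


def run_ftp_scenario():
    """Constructed exchange: client MSS 1460, server MSS 1380 (typical when a
    VPN or PPPoE link sits behind it); the client then sends a full 1460 bytes."""
    fw = MssNormalizer()
    client, server = 51000, 21
    return [
        fw.process(build_tcp_segment(client, server, SYN, mss=1460)),
        fw.process(build_tcp_segment(server, client, SYN | ACK, mss=1380)),
        fw.process(build_tcp_segment(client, server, ACK)),
        fw.process(build_tcp_segment(client, server, ACK | PSH, payload=b"A" * 1460)),  # exceeds 1380
        fw.process(build_tcp_segment(client, server, ACK | PSH, payload=b"A" * 1380)),  # at the limit
        fw.process(build_tcp_segment(server, client, ACK | PSH, payload=b"B" * 1460)),  # client allows 1460
    ]


if __name__ == "__main__":
    print(run_ftp_scenario())
```

The fourth verdict is the one that breaks the FTP session: the sender ignored its peer's 1380-byte limit, so the normalizer drops the segment and, since nothing tells the client why, the transfer stalls and eventually disconnects. On a real ASA the same decision is made per tcp-map (exceed-mss allow or drop), and the firewall additionally clamps the advertised value with sysopt connection tcpmss, which defaults to 1380.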

The problem addressed here is an FTP client located on the INSIDE of a Cisco ASA firewall that cannot access an FTP server located on the OUTSIDE of the firewall, as shown in the diagram below. The same problem can also happen with any other TCP application (e.g. HTTP), not just FTP.



Troubleshooting IPSEC VPN

This post discusses the most basic steps needed to troubleshoot a LAN-to-LAN IPsec tunnel between Cisco routers.

A Cisco router running an IOS image that includes the IPsec (crypto) feature set makes an excellent IPsec VPN termination device, and can be used to securely connect two distant LANs over an untrusted network such as the Internet. In the example below, we use two Cisco 800 series broadband routers to create an IPsec VPN tunnel between two offices over their DSL broadband connections to the Internet.

