show user | include 60:67:20:a4:2b:9c
192.168.250.97 60:67:20:a4:2b:9c 606720a42b9c GUEST-CP 00:04:41 MAC AP-080-SPARE Wireless TST-GUEST/04:bd:88:42:ae:90/a-HT TST-GUEST-aaa_prof tunnel Windows
(MASTER-CONTROLLER) #show rights GUEST-CP
Derived Role = 'GUEST-CP'
Up BW contract = mrmc-guest-upstream (1000000 bits/sec) (per-user) Down BW contract = mrmc-guest-downstream (3000000 bits/sec) (per-user)
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
DPI Classification: Enabled
Web Content Classification: Enabled
ACL Number = 115/0
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Captive Portal profile = TST-GUEST-cp_prof
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 TST-GUEST-cp_prof_list_operations session
2 global-sacl session
3 apprf-GUEST-CP-sacl session
4 Airwatch session
5 block-internal-access session
6 Block-72.50.232.243 session
7 mrmc-guest-logon-access session
8 RDP session
9 JunosPulse session
10 vpnlogon session
11 email_client session
12 auth-mrmc-guest-access session
13 EMAIL-ACL session
14 drop-and-log session
TST-GUEST-cp_prof_list_operations
---------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user CPPM svc-http permit Low 4
2 user CPPM svc-https permit Low 4
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
apprf-GUEST-CP-sacl
-------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
Airwatch
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any 172.16.146.51 any permit Yes High 4
2 any 172.16.146.29 any permit Yes High 4
3 any Airwatch-svr any permit High 4
block-internal-access
---------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user internal-networks any deny Low 4
Block-72.50.232.243
-------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
mrmc-guest-logon-access
-----------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
3 user Private-DNS svc-dns permit Low 4
4 user public-dns svc-dns permit Low 4
RDP
---
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any 75.149.140.49 any permit Low 4
JunosPulse
----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any 172.16.6.100 any permit High 4
vpnlogon
--------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any svc-ike permit Low 4
2 user any svc-esp permit Low 4
3 any any svc-l2tp permit Low 4
4 any any svc-pptp permit Low 4
5 any any svc-gre permit Low 4
email_client
------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-smtp permit Low 4
2 any any svc-pop3 permit Low 4
3 any any tcp 143 permit Low 4
4 any any svc-auth-smtp permit Low 4
5 any any svc-imap-ssl permit Low 4
6 any any svc-pop-ssl permit Low 4
7 any any svc-imap permit Low 4
auth-mrmc-guest-access
----------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any svc-http permit Low 4
2 user any svc-https permit Low 4
3 user any svc-ike permit Low 4
4 user any svc-natt permit Low 4
EMAIL-ACL
---------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 any any svc-smtp permit Low 4
2 any any svc-pop3 permit Low 4
3 any any tcp 143 permit Low 4
4 any any svc-auth-smtp permit Low 4
5 any any svc-imap-ssl permit Low 4
6 any any svc-pop-ssl permit Low 4
7 any any svc-imap permit Low 4
drop-and-log
------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------ --------
1 user any any deny Yes Low 4
Expired Policies (due to time constraints) = 0
(MASTER-CONTROLLER) # show datapath session table 192.168.250.97 | include 172.16.146.29
(MASTER-CONTROLLER) # show datapath session table 192.168.250.97 | include 107.0.205.28
(MASTER-CONTROLLER) # show datapath session table 192.168.250.97
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
A - Application Firewall Inspect
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
192.168.250.97 8.8.8.8 17 62041 53 1/73 0 0 1 tunnel 2168 11 0 0 FSCI
192.168.250.97 107.0.205.28 6 62644 443 1/73 0 0 1 tunnel 2168 f 0 0 SYHC
192.168.250.97 107.0.205.28 6 62645 443 1/73 0 0 1 tunnel 2168 8 3 152 SYHC
192.168.250.97 8.8.8.8 17 52875 53 1/73 0 0 1 tunnel 2168 11 0 0 FSCI
I ran the show datapath session with the internal and external IP addresses.
I ran aaa user add 192.168.250.97 role authenticated. I was able to get to the server.