A possible bug related to the Cisco ASA "show access-list"?

Similar Messages

• How to configure QOS on certain IP in the Cisco ASA 5510

  Hi,
  I am need to configure QOS on certain IP in the Cisco ASA 5510. Assume the IP's are 10.0.1.5 , 10.0.1.6 , 10.0.1.7. Here i have to configure 512 KBPS for 10.0.1.5 and 2 MBPS for 10.0.1.6 and 10.0.1.7
  Can this done on a ASA 5510 series? if yes can you help me how ?
  Regards,
  Venkat

  Yes you can do it.You can match the ip addresses in an access-list, put in a class-map and the class-map in a policy map that will do policing.
  Good examples for what you want to do are here https://supportforums.cisco.com/docs/DOC-1230
  I hope it helps.
  PK

• [svn:osmf:] 10248: Fix a few bugs related to the interaction between IPlayable, IPausable, and ITemporal within a SerialElement, specifically around ensuring that the transition from child to child happens in the various permutations of these traits .

  Revision: 10248
  Author:   [email protected]
  Date:     2009-09-14 16:45:00 -0700 (Mon, 14 Sep 2009)
  Log Message:
  Fix a few bugs related to the interaction between IPlayable, IPausable, and ITemporal within a SerialElement, specifically around ensuring that the transition from child to child happens in the various permutations of these traits.  Introduce a helper class for managing this logic, as it can happen in both CompositePlayableTrait and CompositeTemporalTrait.  This lays the groundwork for a MediaElement which only implements IPlayable (e.g. to ping a tracking server) working within a serial composition.  Beef up unit tests so that these cases don't get broken in the future.
  Modified Paths:
      osmf/trunk/framework/MediaFramework/.flexLibProperties
      osmf/trunk/framework/MediaFramework/org/openvideoplayer/composition/CompositePlayableTrai t.as
      osmf/trunk/framework/MediaFramework/org/openvideoplayer/composition/CompositeTemporalTrai t.as
      osmf/trunk/framework/MediaFrameworkFlexTest/org/openvideoplayer/composition/TestSerialEle ment.as
  Added Paths:
      osmf/trunk/framework/MediaFramework/org/openvideoplayer/composition/SerialElementTransiti onManager.as

  Hi,
  Found a note explaining the significance of these errors.
  It says:
  "NZE-28862: SSL connection failed
  Cause: This error occurred because the peer closed the connection.
  Action: Enable Oracle Net tracing on both sides and examine the trace output. Contact Oracle Customer support with the trace output."
  For further details you may refer the Note: 244527.1 - Explanation of "SSL call to NZ function nzos_Handshake failed" error codes
  Thanks & Regards,
  Sindhiya V.

• IP address is not on the target's allowable access list.

  when trying to deploy a lvlib or downloading code from a PC to a FP controller I get this error message "Access denied: This host computer's IP address is not on the target's allowable access list.". I have added the PC's IP address from within Max on the access list of the FP target (althoug default is full access to everyone). This did not help, I still get the same error message. Both systems are on the same IP segment.
  sincerely
  søren h. jensen

  Hello,
  Short of time right now, but I had the same problem: Here is a dump of my own notes on how I solved the pbolem (not necessary to reinstall software):
  I attempted to update these data with Measurement & Automation Explorer (MAX) using the "FieldPoint Access Control" panel in MAX: I set "*" and Read/Write and pressed "Apply": MAX Claims it has updated the Access Rightsm, but we are still unable to Deploy the CFP from the Project Explorer.
  SOLUTION:
  Use WS_FTP-PRO (or any FTP Client) and access the IP Address of the FieldPoint using anonymous login.
  Transfer the file ni-rt.ini from the root of c:\ on the Fieldpoint to the local PC and edit the settings as shown below.
  FTP the file back to the Fieldpoint.
  Set the following settings in "server.tcp.access" and "RTTarget.IPAccess":
  server.tcp.access=""+*""
  NOTE: Double Quotes here
  RTTarget.IPAccess="+*"
  NOTE: Single Quotes here
  +* means every IP address can access.
  It turned out that MAX had left the following (probably illegal) values in the fields:
  """" and ""
  Geir Ove

• Cisco ASA SFR Access control policy

  Hi All,
  I got an issue while applying access control policy on defense center . it's saying as "does not have a Protection license (required for Intrusion Policy support, File Policy support, and Security Intelligence)" . But when i checked in device management . the target device showing licensed.
  Could you any body help to solve this issue. Please find attachment for your reference.

  OK - I was talking about the module software, not the FireSIGHT Management Center. Your screenshots show it still at the 5.4.0 release.
  If that doesn't work, I'd call the TAC. It will be interesting to hear your support experience since they just completed the transition from the old Sourcefire TAC to Cisco TAC a couple of weeks ago.

• Cisco 12.1 Access-list

  We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
  Thanks

  Eric
  We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with inteface FastE1/0 or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
  The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
  assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
  create 2 access lists and assign one to each interface.
  access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 permit ip any any
  access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 120 permit ip any any
  interface faste0/0
  ip access-group 120 in
  interface faste1/0
  ip access-group 110 in
  adjust addresses etc to fit your situation. Try it and let us know if it works.
  HTH
  Rick

• I just moved my Itunes content to a computer with Win 7. I can only get "songs" in list view. How do I correct this so I can see Artist and Genre also in list view. The box to show all list in list view is checked but it only shows album view

  I just moved all my itunes content to a windows 7 computer. I can only get "songs" in list view. Genre and Artist show as Album views. The box in preferences is checked so that all lists should show as list. How can I get a list view for Artists and Genre also?

  Only when i go to a different browser (like IE) after i clear it , then all that shows up is the pages i visited in IE , that is what bugs me , why is IE browsing history sowing up in Firefox ??
  Basically , i can clear the history in Firefox , and then for a example , go to Craigslist , using IE7 (launching it from a complete different Icon , in other words at that time i never open Firefox) , then after closing out , or even leaving open as it does not seem to matter , i go into Firefox , and hit History , and there is every place i visited in IE7 , on my History in Firefox

• What is the Cisco ASA 5520's VPN ustility like?

  Hi, I have a Cisco 3015 VPN concentrator, the Web admin tool is really good. We are getting a 2 Cisco 5520 soon in failover mode and I wondered if I should move my site-to-sites to the ASA 5520 and if so how good it the tool for the ASA VPN's as I not seen it yet?

  The VPN capabilities of the ASA are very similar to that of the concentrators. Much of the management interface will have the same look and feel on both appliances. Migrating your L2L VPNs is a matter of preference and will depend on your topology. For me, I prefer to terminate my L2L VPNs into a DMZ and use the ASA to permit/deny traffic into my LAN.

• Possible Bug when selecting the "text" tab on a Line Chart

  Thought I would pass this on.  Not sure if it has been logged yet or not.  Sometimes when building a line chart, the properties field locks up when I try and select the "text" tab.  The dialog boxes in the "text" tab do not show up and the "layout" tab is also highlighted.  I do not know what causes this, but it has happened to me numerous times.  The only solution is to totally delete the line chart and start all over.  It may be related to copying and pasting.  I set up a chart the way I need it and then copy/paste it rather than making all the changes on a default settings chart when I need another chart.
  Stan

  Hi Stan,
  Are you encountering this problem in the RTM version or SP1?
  Can you list the exact steps to reproduce this problem in the most simple case?
  Example:  add line chart, bind to data, copy, paste, click on text tab...............
  Thanks,
  Gerrit

• External Table - possible bug related to record size and total bytes in fil

  I have an External Table defined with fixed record size, using Oracle 10.2.0.2.0 on HP/UX. At 279 byte records (1 or more fields, doesn't seem to matter), it can read almost 5M bytes in the file (17,421 records to be exact). At 280 byte records, it can not, but blows up with "partial record at end of file" - which is nonsense. It can read up to 3744 records, just below 1,048,320 bytes (1M bytes). 1 record over that, it blows up.
  Now, If I add READSIZE and set it to 1.5M, then it works. I found this extends further, for instance 280 recsize with READSIZE 1.5M will work for a while but blows up on 39M bytes in the file (I didn't bother figuring exactly where it stops working in this case). Increasing READSIZE to 5M works again, for 78M bytes in file. But change the definition to have 560 byte records and it blows up. Decrease the file size to 39M bytes and it still won't work with 560 byte records.
  Anyone have any explanation for this behavior? The docs say READSIZE is the read buffer, but only mentions that it is important to the largest record that can be processed - mine are only 280/560 bytes. My table definition is practically taken right out of the example in the docs for fixed length records (change the fields, sizes, names and it is identical - all clauses the same).
  We are going to be using these external tables a lot, and need them to be reliable, so increasing READSIZE to the largest value I can doesn't make me comfortable, since I can't be sure in production how large an input file may become.
  Should I report this as a bug to Oracle, or am I missing something?
  Thanks,
  Bob

  I have an External Table defined with fixed record size, using Oracle 10.2.0.2.0 on HP/UX. At 279 byte records (1 or more fields, doesn't seem to matter), it can read almost 5M bytes in the file (17,421 records to be exact). At 280 byte records, it can not, but blows up with "partial record at end of file" - which is nonsense. It can read up to 3744 records, just below 1,048,320 bytes (1M bytes). 1 record over that, it blows up.
  Now, If I add READSIZE and set it to 1.5M, then it works. I found this extends further, for instance 280 recsize with READSIZE 1.5M will work for a while but blows up on 39M bytes in the file (I didn't bother figuring exactly where it stops working in this case). Increasing READSIZE to 5M works again, for 78M bytes in file. But change the definition to have 560 byte records and it blows up. Decrease the file size to 39M bytes and it still won't work with 560 byte records.
  Anyone have any explanation for this behavior? The docs say READSIZE is the read buffer, but only mentions that it is important to the largest record that can be processed - mine are only 280/560 bytes. My table definition is practically taken right out of the example in the docs for fixed length records (change the fields, sizes, names and it is identical - all clauses the same).
  We are going to be using these external tables a lot, and need them to be reliable, so increasing READSIZE to the largest value I can doesn't make me comfortable, since I can't be sure in production how large an input file may become.
  Should I report this as a bug to Oracle, or am I missing something?
  Thanks,
  Bob

• Possible bug related to firefox mime list

  When I was using the gnome3->system settings->system info->default applications I notice several occurrence of firefox. So I browsed my .local/share/applications/ folder to find that sth like:
  userapp-Firefox-NHQB1V.desktop
  userapp-Firefox-Y2ZC1V.desktop
  Those .desktop file actually reflects different version of firefox:
  userapp-Firefox-Y2ZC1V.desktop -> Exec=/usr/lib/firefox-6.0.2/firefox %u
  userapp-Firefox-NHQB1V.desktop-> Exec=/usr/lib/firefox-6.0.1/firefox %u
  Thus I guess whenever I receive a firefox update, gnome is going to create a new firefox phantom desktop file, which is really annoying. Why the damn icon in the application list is not pointed to /usr/bin/firefox instead?

  wonder wrote:those are created by firefox when you answer positive when the browser asks to set it up as default. I personally answer NO and disable that feature and let gnome handle it.
  I was wondering if this should be addressed to gnome or to firefox...After firefox being updated those orphaned .desktop file just remains there and inside the mimeapp.list.

• SharePoint "Change the Look" Only Shows a List

  Hi,
  I would like to change the look of my sharepoint 2013 site. When I click the gear->Change the Look. I get a screen that only shows the filenames of the different templates - no thumbnails or way to select a new template to apply to my site. I would post
  a screenshot, but the forum won't let me for some reason.
  What am I doing wrong here? I have tried creating a new site collection and changing the look there but I get the same screen. Any help would be appreciated.
  Thanks!

  Hi Smeyer,
  Thanks for your question, Kindly find the steps in below mentioned URL to change the look and feel of your SharePoint 2013 site.
  http://bniaulin.wordpress.com/2012/12/16/step-by-step-create-a-sharepoint-2013-composed-look/
  I hope this is helpful to you. If this works, Please mark it as Answered.
  Regards,
  Dharmendra Singh (MCPD-EA | MCTS)
  Blog : http://sharepoint-community.net/profile/DharmendraSingh

• Cisco ASA 5505: How to change the default OS

  Hello,
  I'm learning how to work on the Cisco ASA 5505. My machine has two OS images: the old 7. whatever image and a more recent 8.2 image. The 8.2 image is lower in the index on disk0 so whenever I reboot the machine, the start up points it towards the older image and I have to go into ROMMON to boot the newer OS. Could someone please guide me on how to change the position of the newer OS so that it's the default image? I'd like to do this without deleting the older image so that I can have a proof of concept.
  Thank you!

  Hi Colin,
  You could use the 'boot system' global command to force the ASA to the pointed image file.
  boot system flash:/image.bin
  Sent from Cisco Technical Support iPhone App

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

  Hi,
  I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
  When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
  After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
  They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
  Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
  3
  Nov 21 2012
  07:11:09
  713902
  Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
  3
  Nov 21 2012
  07:11:09
  713061
  Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
  5
  Nov 21 2012
  07:11:09
  713119
  Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
  Here is from the syntax: show crypto isakmp sa
  Result of the command: "show crypto isakmp sa"
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 195.149.180.254
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Result of the command: "show crypto ipsec sa"
  interface: outside
      Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
        access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
        local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
        current_peer:195.149.180.254
        #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
        #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
        path mtu 1500, ipsec overhead 74, media mtu 1500
        current outbound spi: E715B315
      inbound esp sas:
        spi: 0xFAC769EB (4207372779)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38738/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xE715B315 (3876958997)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, PFS Group 5, }
           slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
           sa timing: remaining key lifetime (kB/sec): (38673/2061)
           IV size: 16 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  And here are my Accesslists and vpn site to site config:
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 84600
  crypto isakmp nat-traversal 40
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map CustomerCryptoMap 10 match address VPN_Tunnel
  crypto map CustomerCryptoMap 10 set pfs group5
  crypto map CustomerCryptoMap 10 set peer 195.149.180.254
  crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
  crypto map CustomerCryptoMap interface outside
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
  access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
  nat (inside) 0 access-list nonat
  All these remote networks are at the Main Site Clavister Firewall.
  Best Regards
  Michael

  Hi,
  I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
  If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
  Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
  I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
  Maybe you could try to change the Encryption Domain configurations a bit and test it then.
  You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
  - Jouni