Access-List: a simple one
Hi All,
am I correct in assuming the following ACL
access-list inside_nonat_acl extended permit ip host 8.8.8.8 host 10.10.10.10
permits all IP traffic from 8.8.8.8 to 10.10.10.10? I'm a little confused because of the nonat syntax in the ACL name.
Thanks
Hi thanks for the reply,
I only have the .txt file so can't see if an interface has it applied. I don't understand what they have done, as one line may have
allow 443 access to eg 10.10.10.10 from 4.4.4.4
then another line will have permit ip to from 4.4.4.4 to 10.10.10.10
signed
Confused
Similar Messages
-
We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
Thanks
Eric
We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with interface FastE1/0, or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
create 2 access lists and assign one to each interface.
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any any
interface faste0/0
ip access-group 120 in
interface faste1/0
ip access-group 110 in
adjust addresses etc to fit your situation. Try it and let us know if it works.
HTH
Rick -
My iPod touch is being read as just a simple camera and will not let me access it; how does one go about fixing this problem? My screen has recently cracked and I need to retrieve my music from it but can't do so when my computer is reading it as a camera and only showing me its pictures.
Here:
iOS: Device not recognized in iTunes for Windows
or
iOS: Device not recognized in iTunes for Mac OS X
Also try another computer. -
Simple SSH Access-List Question
I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50. I forgot the exact access-list configuration to accomplish this. The subnet is /24 and I don't want the whole subnet - just .1 - .50.
Thank you,
Thomas Reiling
Hi there,
If using SSH make sure you have a domain name, host name and a generated RSA key. Assuming you've done that, the following ACL and line vty command will do the trick. Note that the 1-50 host list is not on a subnet boundary.
To get it exactly
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
line vty 0 4
access-class 1 in
transport input ssh
password blahblah
That ought to do it.
good luck!
Brad -
Hello Everyone,
I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
Can we create such an Access-List with the above requirement?
I tried to create the ACL on the switch but it blocks the whole internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access list?
Thanks in Advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
Req help: creating access-lists
cisco 2651XM router
IOS: c2600-adventerprisek9-mz.124-15.T8.bin
connected to internet by wic1-adsl card
I would like to configure my router to block the following ranges of ip's.
Start IP End IP
69.25.60.0 69.25.61.255
208.111.154.0 208.111.154.255
209.249.86.0 209.249.86.255
Problem is I'm beginner level at configuring the Cisco router so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.
Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
ip access-list extended
deny ip 69.25.60.0 0.0.1.255 any
deny ip 208.111.154.0 0.0.0.255 any
deny ip 209.249.86.0 0.0.0.255 any
permit ip any any
exit
interface x/x
ip access-group
end
Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered ACL, say ACL 5, and later need to find everywhere it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the router's parser syntax. -
Hi,
Starting a couple of weeks ago, we get the following error(s) when running applications from a network share. We don't know what causes this; we are not aware of any major changes in our network infrastructure or client/server configuration. We did upgrade a lot of machines to Windows 8, but the issue also occurs on older Win7 computers.
We figured out a workaround though: the applications run fine when launching from a FQDN share (like \\share.domain.Company.com) and only cause problems when running from \\share directly. They have worked fine for years without FQDN though.
Any ideas?
Error Details (the Kind of error differs greatly):
# 1 #
Log Name: Application
Source: Application Error
Date: ...
Event ID: 1005
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: vmDEV
Description:
Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program XYZ
because of this error.
Program: XYZ
File:
The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.
Additional data
Error value: C000020C [ also seen with code C00000C4]
#2 (German error messages from now on; we only use German OSes, and the English one above is translated based on similar error messages I found on the web) #
Name der fehlerhaften Anwendung: XYZ.exe, Version: 2015.0.496.5054, Zeitstempel: 0x54ea67c3
Name des fehlerhaften Moduls: clr.dll, Version: 4.0.30319.34014, Zeitstempel: 0x52e0b784
Ausnahmecode: 0xc0000006
Fehleroffset: 0x00026549
ID des fehlerhaften Prozesses: 0x13ac
Startzeit der fehlerhaften Anwendung: 0x01d055a854d36445
Pfad der fehlerhaften Anwendung: \\share\application.exe
Pfad des fehlerhaften Moduls: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
Berichtskennung: 949ea933-c19b-11e4-bf04-78542e186754
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
Anwendung: XYZ.exe
Frameworkversion: v4.0.30319
Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
Ausnahmeinformationen: Ausnahmecode c0000006, Ausnahmeadresse 720B6549
Stapel:
# 3 #
Anwendung: WpfApp.exe
Frameworkversion: v4.0.30319
Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
Ausnahmeinformationen: System.Runtime.InteropServices.SEHException
Stapel:
bei SP.Forms.AutoCompleteSelectionBase.OnEnter(System.EventArgs)
bei System.Windows.Forms.Control.NotifyEnter()
bei System.Windows.Forms.ContainerControl.UpdateFocusedControl()
# 4 #
Anwendung: WpfApp.exe
Frameworkversion: v4.0.30319
Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
Ausnahmeinformationen: System.Runtime.InteropServices.SEHException
Stapel:
bei System.IO.UnmanagedMemoryStream.ReadByte()
bei System.IO.BinaryReader.ReadByte()
bei System.IO.BinaryReader.Read7BitEncodedInt()
bei System.Resources.ResourceReader._LoadObjectV2(Int32, System.Resources.ResourceTypeCode ByRef)
bei System.Resources.ResourceReader.LoadObjectV2(Int32, System.Resources.ResourceTypeCode ByRef)
bei System.Resources.ResourceReader.LoadObject(Int32, System.Resources.ResourceTypeCode ByRef)
bei System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean, Boolean)
bei System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean)
bei System.Resources.ResourceManager.GetObject(System.String, System.Globalization.CultureInfo, Boolean)
bei System.Resources.ResourceManager.GetStream(System.String, System.Globalization.CultureInfo)
# 5 #
Anwendung: WpfApp.exe
Frameworkversion: v4.0.30319
Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
Ausnahmeinformationen: System.Runtime.InteropServices.SEHException
Stapel:
bei System.Reflection.RuntimeParameterInfo.get_Name()
bei System.Diagnostics.StackTrace.ToString(TraceFormat)
bei System.Environment.GetStackTrace(System.Exception, Boolean)
bei System.Exception.GetStackTrace(Boolean)
bei System.Exception.ToString(Boolean, Boolean)
bei System.Exception.ToString(Boolean, Boolean)
bei System.Exception.ToString(Boolean, Boolean)
bei System.Exception.ToString()
# 6 #
Name der fehlerhaften Anwendung: XYZ.exe, Version: 2015.0.496.5054, Zeitstempel: 0x54ea834f
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17278, Zeitstempel: 0x53eeb460
Ausnahmecode: 0xe0434352
Fehleroffset: 0x00012f71
ID des fehlerhaften Prozesses: 0xa68
Startzeit der fehlerhaften Anwendung: 0x01d0559cb7ec4ed6
Pfad der fehlerhaften Anwendung: \\share\XYZ.exe
Pfad des fehlerhaften Moduls: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
Berichtskennung: 010514d0-c190-11e4-bf04-78542e186754
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
# 7 #
Name der fehlerhaften Anwendung: XYZ.exe, Version: 2015.0.496.5054, Zeitstempel: 0x54ea7a6e
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.3.9600.17630, Zeitstempel: 0x54b0d74f
Ausnahmecode: 0xc0000006
Fehleroffset: 0x0006db27
ID des fehlerhaften Prozesses: 0x18dc
Startzeit der fehlerhaften Anwendung: 0x01d0559cb08529c3
Pfad der fehlerhaften Anwendung: \\share\xyz.exe
Pfad des fehlerhaften Moduls: C:\WINDOWS\SYSTEM32\ntdll.dll
Berichtskennung: ef389186-c18f-11e4-bf04-78542e186754
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
Hi,
>>The applications run fine when launching from a FQDN share
It sounds like a DNS suffix issue. When this issue occurs, please try to ping share on the client, then check if the corresponding IP address is correct. If the IP address is wrong, please adjust your DNS settings to make sure that the client can resolve the share correctly.
If it's very hard to change the DNS settings for some reason, as a workaround, we can add the entry into the clients' hosts file.
Best Regards.
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is, through a policy-map TK-MPLS_TG, shape the interface output to 2G:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us to assign bandwidth percent to 5 class-maps, which in turn match the experimental values classified when they got into the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
What we want to do is to assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct: due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
even though the permit and deny may be overlapping in terms of match,
only the first class is matched here, DENY-ME.
cheers!
xander -
Access-List Process - Urgent Help
Dear All,
My question here in this forum , in the Process of :-
1- Which Interface should I apply this Access-list ?
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
Now, My question is here :-
Was I correct in choosing the Interface that I will apply this Access-list or not ?
Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
1. Fast Ethernet 0 / 0 :-
Description : connected to My Network as MY LAN .
IP Address of this Interface : 192.168.1.10 / 255.255.255.0
2. Fast Ethernet 0 /1 :-
Description : connected to Second Network on second Building.
IP Address of this Interface : 172.16.20.10 / 255.255.0.0
3. Serial Interface ( S 0 ).
Description : connected to My Server Farm which is in another Network
IP Address of this interface : 10.1.8.20 / 255.255.255.0.
> No serial interface or any serial connection at all on my 1841 Router.
> The Default route on My Router is
> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
As anyone knows, its an Extended Access List.
So I wrote it like that:-
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
Router(config)# access-list 102 permit ip any any
Process of choosing the interface :-
1- Which Interface should I apply this Access-list ?
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
To answer and to understand the answer, for the 2 questions, here is my Process :-
First Interface f 0 / 0 :-
< this is the originating interface, and no need to apply the ACLs on it whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACLs on.
Second Interface f 0 / 1 :-
< this is the second interface, and it has inbound / outbound directions; if I enable the ACL on this interface, on the inbound direction, it will enter because nothing matches the condition; also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
Third Interface S0:-
Also, I have to look at the route on the Router; I will find that everything will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from entering the Interface < only it will disable it from entering the interface, if the conditions occur > so no need on the inbound, but on the outbound it will work.
So, final answer will be as following :-
1- Which Interface should I apply this Access-list ?
( Serial / 0 ) .
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
( Outbound ) .
Was I correct or not? Please someone update me.
The access-list can be applied in any direction depending on the requirement. As per the scenario you have given, the access-list has to be applied in the inbound direction. It is called an inbound access-list.
-
Hi Suresh,
ad 1) according to the documentation ( http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIHJAH )
"At least one of the following must be true for a user to be granted a particular permission:
The user's name appears in the xClbraUserList metadata field with the appropriate permission.
The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.
The user is part of an Enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission."
meaning that OOTB a user will be granted both Read permission as per user-granted permissions and RWD as per group-granted permissions (resulting in RWD because at the same level a union operation is used).
I'd say that conceptually, the group assignment should not be used in your use-case, because you don't want to assign permissions to group's users, do you? You could create new groups, or use assignment of permissions per user.
ad 2) check this: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIDCGD
Using ACLs, regardless User or Group Access Lists, always impacts the performance. And, it is difficult to maintain. From the information at the link you may understand how it is implemented - basically, the execution of the query will be affected by: a) how many items have to be evaluated b) the length of strings (xClbraUserList, xClbraAliasList) to be evaluated. -
MAC-Address Filtering vs. Access-Lists
We are using two WLC 4400 Series Controllers for our Guest WLAN. They are installed the way Cisco recommends: one in our LAN and one in the DMZ.
I am looking for a possibility to deny company users access to this WLAN with their notebooks. The WLAN has direct internet access and we don't want our notebooks to be compromised...
With MAC-Address Filtering I can only permit access to a specific WLAN, or is there a way to negate such a filter to use it for a denial?
Is there a possibility to use access lists for the denial of specific MAC-Addresses to a specific WLAN?
Anyone have another good idea how to solve this issue?
Well... MAC-address filter would work, but if you have a lot to input, it can be a headache. ACLs I don't think will work, because users will get an IP from the guest network and then how can you know who has what address. Create a username/password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal users can't access this unless the username/password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.
-
LMS 4.2 Compliance check extended access-list
Hi,
I would like to check if our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
I have made a new compliance check like this:
'submode': ip access-list extended 'acl-name'
+deny tcp any any eq smtp
But that is not working. Can someone show me the 'right path'?
Thanks
Soren
Doesn't have any issues on my Lab 4.2.4. Following is the Job Work Order:
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NA
Job Policies
----------------------------------------------------------------------------------------------
E-mail Notification: Not Applicable
Job Based Password: Disabled
Device Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
-Thanks
Vinod
**Rating Encourages contributors, and its really free. ** -
Unknown devices appearing in my access list
I have a WPN824 wireless router and in the last two weeks, I've found three devices in the access list that I didn't put there. I first found the three devices last week and deleted them from the list. Tonight, I found them again. All three devices have different MAC addresses, but use the same device name: "NMADDR." My access list has 12 devices that I added for all the devices I want to connect.
The router is connected to a broadband cable (ComCast) modem.
I manage the router and am the only one with the password. The password is a strong 10 character password.
I use Cisco's Network Magic Pro v5.5.9 to manage my home network.
I was wondering if anyone else has run across something like this and can explain how these devices can be "automagically" added to what I thought was a secure router?
Thanks.
May I suggest that this could be either a PDA device, an Apple iTouch or perhaps a WiFi mobile - I had a similar issue a little time back and this was the ghost in the system.
-
Access-list port range question
Hi,
I would like to clarify the exact operation of the below command:
ip access-list extended VoiceACL
permit udp any any range 16384 16387
Thus the range statement in the above access list specifies that it allows only three ports, "16384 to 16387". Is that correct? Bit confused with this command. One of my friends said that the range statement does not just specify 3 ports, but it specifies the starting port as 16384 and the end port number 32771 [16384+16387].
[Value1] = starting port number
[Value2] + [Value1] = end port number
Thanks
Nachi
Hi Nachi,
This represents the ports ranging between the first number and the last number, both included; in your case this is actually 4 ports: 16384, 16385, 16386 and 16387.
Regards,
Raphael -
Access-list block range of hosts
cisco 2600 router with wic1-adsl card
I'm having difficulty creating an access-list that will block a range of specified internet IPs but allow everything else. Google finds loads of ACLs showing how to permit a range but nothing about how to deny.
In the past I've been able to deny a host using:
access-list 105 deny ip any host A.B.C.D. but that only blocks one host and not a range (unless you have loads of entries)
My reason for this is to block baiduspider.com from accessing my server. Baidu uses a large range of ip's but so far they're confined to 123.125.*.*, 61.135.*.* and 220.181.*.*
I tried:
access-list 10 deny 123.125.0.0 0.0.0.255
access-list 10 deny 220.181.0.0 0.0.0.255
access-list 10 deny 61.135.0.0 0.0.0.255
access-list 10 permit any
all web traffic comes via the adsl-wic card in the router so I put:
ip access-group 10 out
into the dialer0 config but this didn't work.
Thanks for any help.
It looks like I've done it. I was using the wrong subnet mask.
I changed the access list to:
access-list 10 deny A.B.0.0 0.0.255.255 and from that moment baidu disappeared from the web log.
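As an added example (not code from any of the posts above), a small Python model of how a Cisco standard ACL is evaluated: wildcard-mask matching, top-down first match with the implicit deny at the end. It is applied to two threads on this page, the "exact" 1-50 management ACL versus the 0.0.0.63 shortcut from the SSH thread, and the 0.0.0.255 versus 0.0.255.255 masks from the host-range thread; the ACL lines are constructed from those posts, and the 13 extra hosts and the 123.125.7.9 test address are assumptions made here to show the difference.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is "don't care" (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_standard_acl(lines):
    """Parse 'access-list N permit|deny <source>' lines (standard numbered
    ACL syntax) into (action, network, wildcard) tuples; remarks are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, src = tokens[2], tokens[3:]
        if src[0] == "any":
            network, wildcard = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            network, wildcard = src[1], "0.0.0.0"
        else:
            # a bare address without a wildcard is implicitly a host entry
            network = src[0]
            wildcard = src[1] if len(src) > 1 and src[1][0].isdigit() else "0.0.0.0"
        entries.append((action, network, wildcard))
    return entries


def evaluate(entries, addr: str) -> str:
    """Top-down, first match wins; an ACL that matches nothing ends in the
    implicit 'deny any'."""
    for action, network, wildcard in entries:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def permitted_hosts(entries, prefix: str):
    """Every address in the prefix that the ACL permits."""
    return {str(h) for h in ipaddress.IPv4Network(prefix)
            if evaluate(entries, str(h)) == "permit"}


def extra_hosts(loose, strict, prefix: str):
    """Addresses the loose ACL permits that the strict one does not, sorted."""
    diff = permitted_hosts(loose, prefix) - permitted_hosts(strict, prefix)
    return sorted(diff, key=lambda h: int(ipaddress.IPv4Address(h)))


# Constructed ACLs, taken from the management-access thread.
EXACT_MGMT_ACL = [
    "access-list 1 remark ALLOW MANAGEMENT",
    "access-list 1 permit 192.168.200.0 0.0.0.31",
    "access-list 1 permit 192.168.200.32 0.0.0.15",
    "access-list 1 permit 192.168.200.48 0.0.0.1",
    "access-list 1 permit host 192.168.200.50",
    "access-list 1 deny any log",
]
SHORT_MGMT_ACL = [
    "access-list 1 remark ALLOW MANAGEMENT",
    "access-list 1 permit 192.168.200.0 0.0.0.63",
    "access-list 1 deny any log",
]

# Constructed ACLs from the host-range thread: the /24-style wildcard the
# poster tried first, and the /16-style wildcard that actually worked.
BLOCK_ACL_WRONG_MASK = [
    "access-list 10 deny 123.125.0.0 0.0.0.255",
    "access-list 10 deny 220.181.0.0 0.0.0.255",
    "access-list 10 deny 61.135.0.0 0.0.0.255",
    "access-list 10 permit any",
]
BLOCK_ACL_RIGHT_MASK = [
    "access-list 10 deny 123.125.0.0 0.0.255.255",
    "access-list 10 deny 220.181.0.0 0.0.255.255",
    "access-list 10 deny 61.135.0.0 0.0.255.255",
    "access-list 10 permit any",
]

if __name__ == "__main__":
    exact = parse_standard_acl(EXACT_MGMT_ACL)
    short = parse_standard_acl(SHORT_MGMT_ACL)
    extra = extra_hosts(short, exact, "192.168.200.0/24")
    print(f"0.0.0.63 shortcut additionally permits {len(extra)} hosts: "
          f"{extra[0]} .. {extra[-1]}")
    for acl in (BLOCK_ACL_WRONG_MASK, BLOCK_ACL_RIGHT_MASK):
        print(acl[0], "->", evaluate(parse_standard_acl(acl), "123.125.7.9"))
```

The shortcut ACL is simpler to read but widens the management source range to .0-.63, which is the trade-off the reply alludes to; the second pair shows why a 0.0.0.255 wildcard never matched the poster's /16-sized blocks.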