Access-LIst a simple one

Similar Messages

• Cisco 12.1 Access-list

  We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
  Thanks

  Eric
  We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with inteface FastE1/0 or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
  The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
  assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
  create 2 access lists and assign one to each interface.
  access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 permit ip any any
  access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 120 permit ip any any
  interface faste0/0
  ip access-group 120 in
  interface faste1/0
  ip access-group 110 in
  adjust addresses etc to fit your situation. Try it and let us know if it works.
  HTH
  Rick

• My ipod touch is being read as just a simple camera and will not let me access it, how does one go about fixing this problem

  My ipod touch is being read as just a simple camera and will not let me access it, how does one go about fixing this problem? My screen has recently cracked and i need to retrieve my music from it but cant do so when my computer is reading it as a camera and only showing me its pictures.

  Here:
  iOS: Device not recognized in iTunes for Windows
  or
  iOS: Device not recognized in iTunes for Mac OS X
  Also try another computer.

• Simple SSH Access-List Question

  I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
  Thank you,
  Thomas Reiling

  Hi there,
  If using ssh make sure you have a domain name, host name and a generated rsa key.  Assuing you've done that, the the following ACL and line vty command will do the trick.  Note that the 1-50 host list is not on a subnet barrier.
  To get it exactly
  access-list 1 remark ALLOW MANAGEMENT
  access-list 1 permit 192.168.200.0 0.0.0.31
  access-list 1 permit 192.168.200.32 0.0.0.15
  access-list 1 permit 192.168.200.48 0.0.0.1
  access-list 1 host 192.168.200.50
  access-list 1 deny any log
  It would be a good idea to put it on a boundary though, so the following would be much more simpler and easier to read.
  access-list 1 remark ALLOW MANAGEMENT
  access-list 1 permit 192.168.200.0 0.0.0.63
  access-list 1 deny   any log
  Apply the access-class on the vty lines and depending on authentication, i'd put something there too.
  line vty 0 4
  access-class 1 in
  transport input ssh
  password blahblah
  That ought to do it.
  good luck!
  Brad

• How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

  Hellp Everyone,
  I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
  I want to allow the whole Intranet but few intranet websites also needs access to the internet.
  Can we create such Access-List with the above requirement.
  I tried to create the ACL on the switch but it blocks the whole internet access.
  i want to do it for a subnet not for a specific IP.
  Can someone help me in creating such access list.
  Thanks in Advance

  The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
  In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
  The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
  You would then use them as follows:
  ip access-list extended main_acl
  permit any object-group intranet any
  permit object-group allowed_servers object-group allowed_sites any
  interface vlan
  ip access-group main_acl in
  More details on the syntax and examples can be found here:
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

• Req help: creating access-lists

  cisco 2651XM router
  IOS: c2600-adventerprisek9-mz.124-15.T8.bin
  connected to internet by wic1-adsl card
  I would like to configure my router to block the following ranges of ip's.
  Start IP End IP
  69.25.60.0 69.25.61.255
  208.111.154.0 208.111.154.255
  209.249.86.0 209.249.86.255
  problem is I'm beginner level at configuring the cisco router so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

  Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
  I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
  no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
  Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
  ip access-list extended
  deny ip 62.25.60.0 0.0.1.255 any
  deny ip 208.111.154.0 0.0.0.255 any
  deny ip 209.249.86.0 0.0.0.255
  exit
  interface x/x
  ip access-group
  end
  Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered acl, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the routers parser syntax.

• Crashes when running applications from network share - "Windows cannot access the file for one of the following reasons"

  Hi,
  starting a couple of weeks ago, we get the following error(s) when running applications from a network share. We don't know what causes this, we are not aware of any major changes in our network infrastructure or client/Server configuration. We did upgrade
  a lot of machines to Windows 8, but the issue also occurs on older Win7 computers.
  We figured out a workaround though: The applications run fine when launching from a FQDN share (like
  \\share.domain.Company.com) and only cause problems when running from
  \\share directly. They have worked fine for years without FQDN though.
  Any ideas?
  Error Details (the Kind of error differs greatly):
  # 1 #
  Log Name: Application
  Source: Application Error
  Date: ...
  Event ID: 1005
  Task Category: (100)
  Level: Error
  Keywords: Classic
  User: N/A
  Computer: vmDEV
  Description:
  Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program XYZ
  because of this error.
  Program: XYZ
  File:
  The error value is listed in the Additional Data section.
  User Action
  1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
  2. If the file still cannot be accessed and
  - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
  - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
  3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
  4. If the problem persists, restore the file from a backup copy.
  5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.
  Additional data
  Error value: C000020C [ also seen with code C00000C4]
  #2 (German error Messages from now on, we only use German OSes, the above english one is translated based on similar error Messages I found on the web) #
  Name der fehlerhaften Anwendung: XYZ.exe, Version: 2015.0.496.5054, Zeitstempel: 0x54ea67c3
  Name des fehlerhaften Moduls: clr.dll, Version: 4.0.30319.34014, Zeitstempel: 0x52e0b784
  Ausnahmecode: 0xc0000006
  Fehleroffset: 0x00026549
  ID des fehlerhaften Prozesses: 0x13ac
  Startzeit der fehlerhaften Anwendung: 0x01d055a854d36445
  Pfad der fehlerhaften Anwendung: \\share\application.exe
  Pfad des fehlerhaften Moduls: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  Berichtskennung: 949ea933-c19b-11e4-bf04-78542e186754
  Vollständiger Name des fehlerhaften Pakets:
  Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
  Anwendung: XYZ.exe
  Frameworkversion: v4.0.30319
  Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
  Ausnahmeinformationen: Ausnahmecode c0000006, Ausnahmeadresse 720B6549
  Stapel:
  # 3 #
  Anwendung: WpfApp.exe
  Frameworkversion: v4.0.30319
  Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
  Ausnahmeinformationen: System.Runtime.InteropServices.SEHException
  Stapel:
     bei SP.Forms.AutoCompleteSelectionBase.OnEnter(System.EventArgs)
     bei System.Windows.Forms.Control.NotifyEnter()
     bei System.Windows.Forms.ContainerControl.UpdateFocusedControl()
  # 4 #
  Anwendung: WpfApp.exe
  Frameworkversion: v4.0.30319
  Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
  Ausnahmeinformationen: System.Runtime.InteropServices.SEHException
  Stapel:
     bei System.IO.UnmanagedMemoryStream.ReadByte()
     bei System.IO.BinaryReader.ReadByte()
     bei System.IO.BinaryReader.Read7BitEncodedInt()
     bei System.Resources.ResourceReader._LoadObjectV2(Int32, System.Resources.ResourceTypeCode ByRef)
     bei System.Resources.ResourceReader.LoadObjectV2(Int32, System.Resources.ResourceTypeCode ByRef)
     bei System.Resources.ResourceReader.LoadObject(Int32, System.Resources.ResourceTypeCode ByRef)
     bei System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean, Boolean)
     bei System.Resources.RuntimeResourceSet.GetObject(System.String, Boolean)
     bei System.Resources.ResourceManager.GetObject(System.String, System.Globalization.CultureInfo, Boolean)
     bei System.Resources.ResourceManager.GetStream(System.String, System.Globalization.CultureInfo)
  # 5 #
  Anwendung: WpfApp.exe
  Frameworkversion: v4.0.30319
  Beschreibung: Der Prozess wurde aufgrund einer unbehandelten Ausnahme beendet.
  Ausnahmeinformationen: System.Runtime.InteropServices.SEHException
  Stapel:
     bei System.Reflection.RuntimeParameterInfo.get_Name()
     bei System.Diagnostics.StackTrace.ToString(TraceFormat)
     bei System.Environment.GetStackTrace(System.Exception, Boolean)
     bei System.Exception.GetStackTrace(Boolean)
     bei System.Exception.ToString(Boolean, Boolean)
     bei System.Exception.ToString(Boolean, Boolean)
     bei System.Exception.ToString(Boolean, Boolean)
     bei System.Exception.ToString()
  # 6 #
  Name der fehlerhaften Anwendung: XYZ.exe, Version: 2015.0.496.5054, Zeitstempel: 0x54ea834f
  Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 6.3.9600.17278, Zeitstempel: 0x53eeb460
  Ausnahmecode: 0xe0434352
  Fehleroffset: 0x00012f71
  ID des fehlerhaften Prozesses: 0xa68
  Startzeit der fehlerhaften Anwendung: 0x01d0559cb7ec4ed6
  Pfad der fehlerhaften Anwendung: \\share\XYZ.exe
  Pfad des fehlerhaften Moduls: C:\WINDOWS\SYSTEM32\KERNELBASE.dll
  Berichtskennung: 010514d0-c190-11e4-bf04-78542e186754
  Vollständiger Name des fehlerhaften Pakets:
  Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
  # 7 #
  Name der fehlerhaften Anwendung: XYZ.exe, Version: 2015.0.496.5054, Zeitstempel: 0x54ea7a6e
  Name des fehlerhaften Moduls: ntdll.dll, Version: 6.3.9600.17630, Zeitstempel: 0x54b0d74f
  Ausnahmecode: 0xc0000006
  Fehleroffset: 0x0006db27
  ID des fehlerhaften Prozesses: 0x18dc
  Startzeit der fehlerhaften Anwendung: 0x01d0559cb08529c3
  Pfad der fehlerhaften Anwendung: \\share\xyz.exe
  Pfad des fehlerhaften Moduls: C:\WINDOWS\SYSTEM32\ntdll.dll
  Berichtskennung: ef389186-c18f-11e4-bf04-78542e186754
  Vollständiger Name des fehlerhaften Pakets:
  Anwendungs-ID, die relativ zum fehlerhaften Paket ist:

  Hi,
  >>The applications run fine when launching from a FQDN share
  It sounds like a DNS suffix issue. When this issue occurs, please try to ping share on the client, then check if the corresponding IP address is correct. If the IP address is wrong, please adjust your settings of DNS to make sure that the client can resolve
  the share correctly.
  If it's very hard to change the settings of the DNS for some reason, as a work around, we can add the entry into the clients' hosts file.
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• IOS XR deny ace not supported in access list

  Hi everybody,
  We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
  interface TenGigE0/3/0/0
   cdp
   mtu 1568
   service-policy output TK-MPLS_TG
   ipv4 address 172.16.19.134 255.255.255.252
   mpls
    mtu 1568
  policy-map TK-MPLS_TG
  class class-default
    service-policy TK-MPLS_EDGE-WAN
    shape average 2000000000 bps
    bandwidth 2000000 kbps
  and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
  class-map match-any W_RTP
   match mpls experimental topmost 5
   match dscp ef
   end-class-map
  class-map match-any W_EMAIL
   match mpls experimental topmost 1
   match dscp cs1
   end-class-map
  class-map match-any W_VIDEO
   match mpls experimental topmost 4 3
   match dscp cs3 cs4
   end-class-map
  class-map match-any W_DATOS-CR
   match mpls experimental topmost 2
   match dscp cs2
   end-class-map
  class-map match-any W_AVAIL
   match mpls experimental topmost 0
   match dscp default
   end-class-map
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    bandwidth percent 2
  class class-default
  end-policy-map
  what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
  ipv4 access-list PROXY-GIT-MEX
  10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
  20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
  30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
  40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
  50 permit tcp host 150.2.1.100 any
  60 permit tcp host 10.15.221.100 any
  policy-map EDGE-MEX3-PXY
   class C_PXY-GIT-MEX3
    police rate 300 mbps
   class class-default
   end-policy-map
  class-map match-any C_PXY-GIT-MEX3
   match access-group ipv4 PROXY-GIT-MEX
   end-class-map
  we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    service-policy EDGE-MEX3-PXY
  class class-default
  end-policy-map
  and we get this:
  Wed Sep 17 18:35:36.537 UTC
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
  Wed Sep 17 18:35:49.662 UTC
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
  end
  Any  kind of help is very appreciated.

  That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
  unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
  if you have some traffic that you want to exclude you could do something like this:
  access-list PERMIT-ME
  1 permit
  2 permit
  3 permit
  access-list DENY-me
  !the exclude list
  1 permit
  2 permit
  3 permit
  policy-map X
  class DENY-ME
  <dont do anything> or set something rogue (like qos-group)
  class PERMIT-ME
  do here what you wanted to do as earlier.
  eventhough the permit and deny may be overlapping in terms of match.
  only the first class is matched here, DENY-ME.
  cheers!
  xander

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

• We can figure this standard access list

  We can figure this standard access list that's important remember that we use a standard access list  want to block all traffic or permit all traffic from a particular
  source or destination let's take a look at this machine right here   that  is IP address say
  640-554 we want to stop him from going into the Ethernet interface I'm the ad man he made me midsummer block callers traffic he can get out anymore maybe this is even the internet out
  here we know people like their Internet access so to get back at them I'm a block it what I can do is I can use deny statement in my access list access list
  one did not .
  http://640-554cisco.com/

  Hi Suresh,
  ad 1) according to the documentation ( http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIHJAH )
  "At least one of the following must be true for a user to be granted a particular permission:
  The user's name appears in the xClbraUserList metadata field with the appropriate permission.
  The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.
  The user is part of an Enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission."
  meaning that OOTB a user will be granted both Read permission as per user-granted permissions and RWD as per group-granted permissions (resulting into RWD because at the same level a union operation is used).
  I'd say that conceptually, the group assignment should not be used in your use-case, because you don't want to assign permissions to group's users, do you? You could create new groups, or use assignment of permissions per user.
  ad 2) check this: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIDCGD
  Using ACLs, regardless User or Group Access Lists, always impacts the performance. And, it is difficult to maintain. From the information at the link you may understand how it is implemented - basically, the execution of the query will be affected by: a) how many items have to be evaluated b) the length of strings (xClbraUserList, xClbraAliasList) to be evaluated.

• MAC-Adress Filtering vs. Access - Lists

  We are using two WLC 4400 Series Controller for our Guest WLAN. They are installed the way Cisco Recommends . One in our LAN and one in the DMZ.
  I am looking for a possibility to deny company users the access to this WLAN with their notebooks. The WLAN has direkt internet access and we don't want our notebooks to be compromised...
  With MAC-Adress Filterring I can only permit access to a specific Wlan or is there a way to negogiate such a filter to use it for a denial?
  Is there a possibility to use access lists for the denial of specific Mac-Adresses to a specific WLAN ?
  Anyone an other good Idea how to solve this issue?

  Well... MAC-address filter would work, but if you have alot to input, it can be a headache. ACL's I don't think will work, because users will get an ip from the guest network and then how can you know who has what address. Create a username password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal user can't access this unless the username password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.

• LMS 4.2 Compliance check extended access-list

  Hi,
  I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
  I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
  I have made a new compliance check like this:
  'submode': ip access-list extended 'acl-name'
  +deny tcp any any eq smtp
  But that is not working, Can some one show me the 'right path'?
  Thanks
  Soren                 

  Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
  Name:
  Archive Mgmt Job Work Order
  Summary:
  General Info
  JobId: 2704
  Owner: admin
  Description: test_acl
  Schedule Type: Immediate
  Job Type: Compliance Check
  Baseline Template Name: test_acl
  Attachment Option: Disabled
  Report Type: NAJob Policies
  ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
  Job Based Password: DisabledDevice Details
  Device
  Commands
  Sup_2T_6500
    ip access-list standard 21
    permit host 10.20.30.40
    permit host 40.30.20.10
    deny any log
  10.104.149.180
    ip access-list standard 21
    permit host 10.20.30.40
    permit host 40.30.20.10
    deny any log
  Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
  -Thanks
  Vinod
  **Rating Encourages contributors, and its really free. **

• Unknown devices appearing in my access list

  I have a WPN824 wireless router and in the last two weeks, I've found three devices in the access list that I didn't put there.  I first found the three devices last week and deleted them from the list.  Tonight, I found them again.  All three devices have different MAC address, but use the same device name: "NMADDR."  My access list has 12 devices that I added for all the devices I've want to connect
  The router is connected to a broadband cable (ComCast) modem. 
  I manage the router and am the only one with the password. The passsword is a strong 10 character password.
  I use Cisco's Network Magic Pro v5.5.9 to manage my home network.  
  I was wondering if anyone else has run across something like this and can explain how these devices can be "automagically" added to what I thought was a secure router?
  Thanks.

  May I suggest that this could be either a PDA device, an Apple iTouch or perhaps a WiFi mobile - I had a similiar issue a little time back and this was the ghost in the system.

• Access-list port range question

  Hi,
  I would like to clarify the exact operation of the below command:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  ip access-list extended VoiceACL
  permit udp any any range 16384 16387
  Thus the range statement in the above access list specify that it allow only three ports "16384 to 16387". Is that correct ? Bit confused with this command. One of my friend said that the range statement not just specify 3 ports,but it specify the starting port as 16384 and the end port number 32771 [16384+16387].
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Value1] = starting port number
  [Value2] + [Value1] = end port number
  Thanks
  Nachi

  Hi Nachi,
  This represent the ports ranging between the first number and the last number included, in your case this is actually 4 ports: 16384, 16385, 16386 and 16387
  Regards,
  Raphael

• Access-list block range of hosts

  cisco 2600 router with wic1-adsl card
  I'm having difficulty creating an access-list that will block a range of specified internet ip's but allow evrything else. Google finds loads of acl's showing how to permit a range but nothing about how to deny.
  In the past I've been able to deny a host using:
  access-list 105 deny   ip any host A.B.C.D. but that only blocks one host and not a range (unless you have loads of entries)
  My reason for this is to block baiduspider.com from accessing my server. Baidu uses a large range of ip's but so far they're confined to 123.125.*.*, 61.135.*.* and 220.181.*.*
  I tried:
  access-list 10 deny   123.125.0.0 0.0.0.255
  access-list 10 deny   220.181.0.0 0.0.0.255
  access-list 10 deny   61.135.0.0 0.0.0.255
  access-list 10 permit any
  all web traffic comes via the adsl-wic card in the router so I put:
  ip access-group 10 out
  into the dialer0 config but this didn't work.
  thanks for any help.

  it looks like I've done it. I was using the wrong subnet mask.
  I changed the access list to:
  access-list 10 deny   A.B.0.0    0.0.255.255 and from that moment baidu disappeared from the web log.