Access List and Conflict Resolution Problem!

My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
Setting the Conflict Resolution Level
You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
Unfortunately the referenced Administration Guide for DSAME contains exactly 0 occurrences of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
So, I've set up my Access List services as follows:
o URL Deny is blank on all Access Lists
o URL Allow set as follows
---- isp
------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
---- acme.com organization
------- Conflict Resolution: Highest
------- http://portal.acme.com/portal/* (same as above)
---- Acme Customers Role - shared role for all Acme customers
------- Conflict Resolution: Medium
------- http://www.acme.com/*
------- http://support.acme.com/*
------- http://support2.acme.com/*
---- RoadRunner role - specific role for a specific customer
------- Conflict Resolution: Medium
------- http://roadrunnerinfo.acme.com/*
The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
If I set the conflict resolution on the acme.com organization to Medium (or anything lower than the two role conflict resolution levels), I get the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
Thanks!
-matt
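As an added illustration (not from the post above, and not Sun's code or documentation), the following Python model takes the two quoted rules literally: the template with the highest conflict resolution level is inherited whole, and an empty Deny list permits only what the Allow list matches. The level names other than Highest and Medium, the tie-break between equal levels, the omission of the isp root template, and the point at which the gateway checks the URL embedded in a rewritten link are all assumptions, marked as such in the code. Run against the configuration from the post, the model reproduces each outcome described: with the organization at Highest only the portal URL survives, so the scraped image is denied, and with the organization at or below the roles a role template wins and the desktop URL itself is denied.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# The guide names seven levels from Highest to Lowest; only Highest and Medium
# appear in the thread, the other five names here are constructed placeholders.
LEVELS = ["Highest", "Higher", "High", "Medium", "Low", "Lower", "Lowest"]

# Gateway prefix taken from the rewritten URLs quoted in the post.
GATEWAY = "https://portal.acme.com/"


@dataclass
class AccessListTemplate:
    """One Access List service template as inherited from an org or a role."""
    name: str
    level: str                                  # conflict resolution level
    allow: list = field(default_factory=list)   # URL Allow patterns
    deny: list = field(default_factory=list)    # URL Deny patterns


def resolve(templates):
    """Model of 'the template with the highest priority is inherited': exactly
    one template wins and the others are dropped, not merged. The guide does
    not say how ties break; this model lets the later (role) template win,
    an assumption that happens to reproduce the behaviour reported above."""
    winner = None
    for t in templates:
        if winner is None or LEVELS.index(t.level) <= LEVELS.index(winner.level):
            winner = t
    return winner


def destination(url):
    """The gateway rewrites a scraped URL as <gateway><original URL>; the access
    check is modelled on the original URL (assumption about where it applies)."""
    rest = url[len(GATEWAY):]
    if url.startswith(GATEWAY) and rest.startswith(("http://", "https://")):
        return rest
    return url


def is_allowed(url, template):
    """Documented rule: an empty Deny list allows only what Allow matches.
    With a non-empty Deny list the model denies on a Deny match and otherwise
    requires an Allow match when Allow is non-empty (assumption)."""
    if any(fnmatchcase(url, p) for p in template.deny):
        return False
    if template.deny and not template.allow:
        return True
    return any(fnmatchcase(url, p) for p in template.allow)


def build_templates(org_level, role_level, org_allow=None):
    """Matt's configuration; the isp root template is left out because the
    post does not give its level."""
    org = AccessListTemplate("acme.com organization", org_level,
                             allow=org_allow or ["http://portal.acme.com/portal/*"])
    customers = AccessListTemplate("Acme Customers role", role_level,
                                   allow=["http://www.acme.com/*",
                                          "http://support.acme.com/*",
                                          "http://support2.acme.com/*"])
    roadrunner = AccessListTemplate("RoadRunner role", role_level,
                                    allow=["http://roadrunnerinfo.acme.com/*"])
    return [org, customers, roadrunner]


def gateway_allows(url, templates):
    """Return (winning template name, allowed?) for one request through the gateway."""
    winner = resolve(templates)
    return winner.name, is_allowed(destination(url), winner)


if __name__ == "__main__":
    desktop = "http://portal.acme.com/portal/dt"
    image = GATEWAY + "http://roadrunnerinfo.acme.com/images/green.gif"
    scenarios = [
        ("org Highest, roles Medium", build_templates("Highest", "Medium")),
        ("org Medium, roles Medium", build_templates("Medium", "Medium")),
        ("org Highest, roles Highest", build_templates("Highest", "Highest")),
        ("org Highest with '*'", build_templates("Highest", "Medium", org_allow=["*"])),
    ]
    for label, templates in scenarios:
        print(label, "-> desktop:", gateway_allows(desktop, templates),
              "image:", gateway_allows(image, templates))
```

The last scenario shows why the "*" workaround is unattractive in this model: once the organization template wins, every customer inherits the same Allow list, so there is no per-role partitioning left for the gateway to enforce.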

Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

Similar Messages

  • Reading List and bookmarks sync problems

    Hello,
    I have searched for answers to my problems and tried all the solutions but it does not work.
    https://discussions.apple.com/thread/3883515?searchText=Safari%20reading%20list%20does%20not%20sync%20with%20iPad
    I have an iMac on OS 10.9.5, and iPhone 4s and iPad3 on iOS 7.1.2...
    My Safari settings on iCloud are on but the reading list and bookmarks do not sync either way...
    The strange thing is that I can see that open tabs are syncing; on the iMac, when I search for something, I can see it displays the iCloud open tabs from the tablet and iPhone... but that is all. No sync of bookmarks and reading list...
    any suggestions ?

    Hi,
    I have the exact same problem (and not only with Safari but with the notes app as well): The information is not synced at all. I've tried toggling the check marks for "safari" and "notes" within the iCloud settings on both sides (iPhone as well as iMac) but it doesn't do anything .... the information does not sync at all!
    I had this problem using Mavericks and now still have it using Yosemite. On my iPhone 4 I have the latest iOS version possible, 7.1.2.
    BTW: Resetting the devices doesn't solve the problem either ... I already did a complete "restore" of the iPhone yesterday and still the syncing does not work!
    BTW2: It seems that nothing gets synced anymore to my iPhone. I just notice that a new contact, added on my iMac, isn't available on my iPhone.
    Any help would be welcomed ......

  • VLAN's, subinterface, access-lists and 3560 catalyst switch?

    Hi,
    How can I isolate VLAN 121 from all others?
    I have a Cisco 2811 router connected to a 3560 Catalyst switch which has 5 VLANs, of which I need to protect IP traffic of 4 from 1.
    The following VLANs configured on the switch:
    VLAN 0 192.168.132.0 /24
    VLAN 135 ..135.0 /24
    VLAN 137 ..137.0 /24
    VLAN 139 ..139.0 /24 and lastly,
    VLAN 121 192.168.121.0 /24 which I wish to isolate all IP from VLAN 0, 135, 137, and 139 but have internet out the 2811's other interface. Currently all VLANs and routing are working perfectly.
    I need some advice please. Here is my plan: to split the FA0/0 into FA0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 to the FA0/0 interface. Since I'm essentially creating VLANs with the router, can or will that interfere with the switch VLAN configuration? Router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
    Thank you!

    I will have to assume VLAN 0 is the native VLAN / default interface on the router?  All VLANs are numbered native or not.  Just ensure the VLAN numbering matches between the router and the trunking on the switch.
    Yes, you could create a sub interface on the 2811 and use the router to route the VLAN.  Apply an access list on the other interfaces to block access to the VLAN you want to protect.  If you have routing enabled on the 3560 as well you would complicate the situation a bit more. 
    Please rate helpful posts! :-)

  • Facebook and Twitter resolution problems in iOS 7.0.3

    Yesterday I updated my iOS to 7.0.3; since the update both my Twitter and Facebook apps have shrunk to the middle of the screen with all the text overlapping.
    I have rebooted the iPhone several times and reinstalled both apps and still the problem is the same.
    If anyone could help it would be appreciated

    Yeah, we are having the same problem with one of our iPhone 4s with iOS 7.0.3. With our other iPhone 4 on 7.0.1 we have no problems.

  • ACE access-list and Passive FTP

    Can servers sitting behind the ACE successfully ftp files if the following rules are in place?
    access-list word line x extended permit tcp source destination eq 21
    access-list word line y extended permit tcp source destination eq 20
    With those lines I can establish an FTP session, but unable to transfer files.
    With the following statement access-list word line x extended permit ip source destination, passive ftp works?
    Is this because the ACE ACL does not allow for stateful inspection of an FTP session?
    Thank you

    You are right, lack of fixup/inspect is the reason for FTP connections to fail.
    You need something in line with the following config
    class-map match-all FTP-Traffic
    2 match port tcp eq ftp
    policy-map multi-match xyz
    class FTP-Traffic
    inspect ftp
    Syed Iftekhar Ahmed
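To make the difference between the two static ACL lines and `inspect ftp` concrete, here is an added Python model (not from the thread, and not Cisco's implementation): it parses the server's `227 Entering Passive Mode` reply as RFC 959 defines it, shows that the announced data port matches neither `eq 21` nor `eq 20`, and models inspection as reading the control channel and opening a pinhole for exactly the client/server/port triple the server announced. The addresses, the reply text and the pinhole bookkeeping are constructed for the example.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
# the data port is p1 * 256 + p2.
PASV_REPLY = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

FTP_CONTROL = 21
FTP_DATA = 20


def pasv_endpoint(reply):
    """Return the (ip, port) a server announced in a 227 reply, or None."""
    m = PASV_REPLY.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def static_acl_permits(dport):
    """The two ACE lines from the question: tcp to 'eq 21' and 'eq 20' only.
    A passive data connection goes to the announced ephemeral port instead."""
    return dport in (FTP_CONTROL, FTP_DATA)


class FtpInspector:
    """Model of what 'inspect ftp' adds on top of the ACL: the control channel
    is read and a pinhole is opened for the data connection announced in each
    227 reply. This illustrates the mechanism; it is not ACE's implementation."""

    def __init__(self):
        self.pinholes = set()   # (client_ip, server_ip, server_port)

    def observe(self, client_ip, server_ip, reply):
        """Feed one server-to-client control-channel line to the inspector."""
        endpoint = pasv_endpoint(reply)
        if endpoint is not None:
            self.pinholes.add((client_ip, endpoint[0], endpoint[1]))

    def permits(self, client_ip, server_ip, dport):
        """Control connections pass by the static rule; data connections pass
        only through a pinhole learned from that client's own session."""
        if dport == FTP_CONTROL:
            return True
        return (client_ip, server_ip, dport) in self.pinholes

    def close(self, client_ip, server_ip, dport):
        """Drop the pinhole once the data transfer is over."""
        self.pinholes.discard((client_ip, server_ip, dport))


def demo_session(reply="227 Entering Passive Mode (192,0,2,10,195,80)"):
    """Constructed session: client 198.51.100.5 talks to server 192.0.2.10
    behind the ACE. Returns (data port, static ACL result, inspected result,
    result for a different client trying the same port)."""
    server_ip, port = pasv_endpoint(reply)
    insp = FtpInspector()
    insp.observe("198.51.100.5", server_ip, reply)
    return (port,
            static_acl_permits(port),
            insp.permits("198.51.100.5", server_ip, port),
            insp.permits("203.0.113.9", server_ip, port))


if __name__ == "__main__":
    print(demo_session())   # the static ACL blocks the data port, inspection opens it
```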

  • List and justified text problems

    I'm creating a PDF that uses justified text for all paragraphs and centered headers. One of the problems I'm having is that if the last sentence in a paragraph contains just a few words, it ends up far too spaced out. It ends up looking ridiculous; in extreme cases there is a word against the left margin and one against the right margin. How do I limit the space allowed between words?
    Second, how do I create a numbered list without it indenting the left margin of the paragraph that comes after each number? I need the number to be indented, just as you would indent the first sentence of a paragraph, but the rest of the justified text needs to have the same left margin as the non-numbered paragraphs.
    Third, how do I keep the space between the number and the text the same with justified text? As it is now, it changes to account for the number of characters in the line of text. I also need to keep the distance from number to left margin the same; I'm just pressing the tab button twice right now. I'm not using the list function right now because of the margin issues, I'm just including the number in the text.

    1. To prevent the last line of text from spacing out, make sure you use a hard return at the end of the last sentence in the paragraph. That marks it as the end of a paragraph, and Buzzword won't try to justify the last line of what it recognizes as a paragraph.
    2. You can use the ruler to adjust the indents and margins for paragraphs. For more details, open up the Help documentation, click on Buzzword tips (it's under Using Buzzword on the left), then click on Editing, then select the first item -- How do I create indents. It's a little tricky, but I think that you'll find that it provides the control you're looking for. Note that when you're adjusting the formatting of list paragraphs, all paragraphs in that list that are at the same list level will have the same paragraph formatting.
    3. I think that if you use the paragraph formatting (via the ruler, as noted in #2) and the list functionality, the problem of the inter-character spacing will go away.
    Hope this is helpful!

  • HDMI support and 1900x1200 resolution problem

    Hi.
    I just got my Mac Mini (Late 2012) and installed all updates (including the one that solved the flickering problem). I have a Samsung monitor that supports a resolution of 1900x1200.
    My Mac correctly chooses this resolution, but when connecting through HDMI,
    bottom part of the screen is garbled (just below the docking area) and top of the screen does not show.
    Connecting through the HDMI to DVI converter everything seems fine.
    Any ideas on how to fix this?
    Regards
    Nikos

    Have you tried another HDMI cable...?
    Personally I use the HDMI to DVI Adapter instead of straight HDMI for one of my Samsung Monitors and then a Mini DisplayPort to DVI Adapter for the other.

  • Wireless Card Access List and Airport Extreme ?

    I would like to know if there is a possibility to restrict access to an Airport Extreme N base station wifi network to specific MAC addresses.
    Thanks

    Access control (MAC address filtering) provides no real security and could lull you into the feeling that your wireless network is secure.
    The MAC addresses of connected clients are easily discovered and cloned. Furthermore, access control provides zero protection for the actual wireless traffic. Anyone (regardless of MAC address) can monitor the wireless traffic.

  • Port Forwarding & Access List Problems

    Good morning all,
    I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists and port forwarding configurations, and I cannot seem to access the server from outside the network. I've included my config file below, any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external ip address with 1.1.1.1.
    I've added the bold lines in the config file below in hopes of forwarding port 80 to 192.168.0.250, to no avail. You may notice I don't have access-list 102, which I created, on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname pantera-office
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.150
    ip dhcp excluded-address 192.168.0.251 192.168.0.254
    ip dhcp pool private
       import all
       network 192.168.0.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4 
       default-router 192.168.0.1 
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip domain name network.local
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-4211276024
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4211276024
     revocation-check none
     rsakeypair TP-self-signed-4211276024
    crypto pki certificate chain TP-self-signed-4211276024
     certificate self-signed 01
      3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
      69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535 
      31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132 
      37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
      8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626 
      31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881 
      1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4 
      93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96 
      D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06 
      03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261 
      746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF 
      41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41 
      FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D 
      14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944 
      82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703 
      E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79 
      D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
      quit
    username pantera privilege 15 password 0 XXXX
    username aneuron privilege 15 password 0 XXXX
    archive
     log config
      hidekeys
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxx address 2.2.2.2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to 2.2.2.2
     set peer 2.2.2.2
     set transform-set ESP-3DES-SHA 
     match address 100
    interface FastEthernet0/0
     description $ETH-WAN$
     ip address 2.2.2.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    interface FastEthernet0/1
     description $ETH-LAN$
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface Serial0/0/0
     no ip address
     shutdown
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
    ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
    ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
    ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
    ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
    ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
    ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
    ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
    ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
    ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
    ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 remark Web Server ACL
    access-list 102 permit tcp any any
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps ds1
    snmp-server enable traps tty
    snmp-server enable traps eigrp
    snmp-server enable traps envmon
    snmp-server enable traps flash insertion removal
    snmp-server enable traps icsudsu
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps ds0-busyout
    snmp-server enable traps ds1-loopback
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps bgp
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps ipsla
    snmp-server enable traps rf
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
    scheduler allocate 20000 1000
    end
    Any/All help is greatly appreciated! I'm sorry if I sound like a newbie!
    -Evan

    Hello,
    According to the config you posted 2.2.2.2 is your wan ip address and 1.1.1.1 is the next hop address for your wan connection. The ip nat configuration for port forwarding should look like
    Ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
    If your provider assigns you a dynamic ipv4 address to the wan interface you can use
    Ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
    Verify the settings with show ip nat translation.
    Your access list 102 permits only tcp traffic. If you apply the acl to an interface dns won't work anymore (and all other udp traffic). You might want to use a stateful firewall solution like cbac or zbf combined with an inbound acl on the wan interface.
    Best Regards
    Lukasz

  • MS Access, SharePoint and Security

    Let's say I sign up for Office 365.
    I use the SharePoint Site that comes with it to house my MS Access Lists and my compiled database *.accmde file.
    Can I set up a separate sub-site with only admin access to house a list of userID's and passwords so that when the user runs the database, it looks up this list and identifies the user, type of user, and which filter for the data in the full access sites.
    If that works, then I would also want to put the data in a limited sub-site and have the accmde file retrieve that data behind the scenes. I would like to limit accidental access to the data if at all possible.
    Any suggestions on how to design the tool for this?
    Frank

    Hi FrankHayAlexcander
    It seems you have the following questions about hosting Access data on Office 365
    Can Access connect to multiple SharePoint sub-sites?
    Can you store User info in one sub-site to control what data the user sees?
    Can you hide these sub-sites so that users can't accidentally see this data?
    The short answer is that I'm not sure that what you are trying to do is even possible in a Web database published to SharePoint, and certainly would be very difficult in a traditional database.
    If you create a Web database in Access 2010 and publish it to SharePoint, then it is limited to the tables / SharePoint Lists in that sub-site.
    In this case the credentials of the user are passed to SharePoint to retrieve data. This means that to read the list the user would have to have permissions, and so they could go out to the site directly and see the same data.
    Using SharePoint permissions you could control what the user can see, but Access isn't going to be able to add much to that.
    If you create a traditional database, then you can link to lists in multiple SharePoint sites as well as other providers like SQL and Excel.
    When you create the linked table you have the option to store the credentials with the linked table.
    If you do not store the credentials the user will be prompted for the credentials to use.
    You could store the credentials for an Admin user when you link the table, but the problem is that if a user opens your database in the full version of Access and can get to the linked tables, they will be able to see all of the data anyway.
    When it comes to security, the best answer is always to secure the data using the native features of the data store such as SharePoint, SQL, etc.
    Best Regards,
    Nathan Ost
    Microsoft Online Community Support
    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Removed ip access-list & lost network connectivity

    An access-list was removed to edit and replace. Once the access-list was removed we lost network connectivity to the remote router. This list is an extensive one. But when we removed one on other remote routers, network connectivity remained. Can anyone tell me why? Is this typical of access-lists, and is it good practice to wait until after business hours?

    No problem.
    I am sure that we have all had experiences of looking at things we have written, or questions answered, and realized that what we wrote was not quite what we were thinking as we created it.
    Your main point is well taken that it is good practice to remove the access-group before removing and changing the content of access lists.
    Sometimes I take a slightly different approach: I will build a new version of the access list using a different number (if I am changing access list 101, I may create list 102) which is the modified version of the list. I then change the access-group to reference the new version of the list. This may have a couple of advantages including the fact that the interface is always protected by some access list. Also it makes backing out changes easier if we discover that there was some flaw in our list modification.
    HTH
    Rick

  • Virus access-list help

    Hello all,
    I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster variant or something.
    The problem is one of the System guys says it's a legit service, something to do with Active Directory.
    When I do "sh logging" I see thousands of hits where it denies one packet at a time from port 445 to misc IP addresses.
    I do "sh access-list" and the deny 445 entry has millions of hits.
    We do a network wide Symantec update and scan and find nothing.
    Should I disable this 445 entry? Is it a legit service?
    Thanks for any help

    Hello,
    Port 445 is SMB over TCP, or as commonly referred to now by Microsoft, CIFS (Common Internet File System). This is valid traffic, so internally between sites that transfer files you should not be blocking this traffic, but from external nets by all means this should be blocked.
    HTH please rate any posts that were helpful.
    Patrick Laidlaw

  • Time Capsule Access Control and Extended Network Question

    I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as those for the network from the TC that it is extending…or does that happen automatically…and if not what on earth are they for?
    Thanks for any help…this doesn't seem clear from what I've read/seen.
    James

    I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as those for the network from the TC that it is extending…or does that happen automatically…and if not what on earth are they for?
    Unfortunately, they are not automatically applied to each base station in an extended network. You would have to manually enter the exact same list in each base station.

  • Cisco 12.1 Access-list

    We currently have an IP address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via IP with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
    Thanks

    Eric
    We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with interface FastE1/0, or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
    The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
    assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
    create 2 access lists and assign one to each interface.
    access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip any any
    access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip any any
    interface faste0/0
    ip access-group 120 in
    interface faste1/0
    ip access-group 110 in
    adjust addresses etc to fit your situation. Try it and let us know if it works.
    HTH
    Rick
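Rick's two isolation ACLs above, and Lukasz's remark in the port-forwarding thread earlier on this page that `access-list 102 permit tcp any any` applied to the WAN interface would stop DNS and every other UDP flow, both come down to how IOS evaluates an extended ACL: first matching entry decides, and an implicit deny drops whatever no entry matched. The following Python evaluator is an added example, not from either thread and not Cisco's code. It parses the `access-list` lines quoted on this page (only the `any`, `host`, address/wildcard and `eq <port>` forms, an assumed subset of the IOS syntax), skips `remark` lines, and checks constructed sample packets against them; the ACL 130 line is constructed to exercise `host` and a named port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports accepted after 'eq'; a small constructed subset of the IOS names.
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20, "smtp": 25}


@dataclass
class Ace:
    """One access control entry of an extended numbered ACL."""
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip', 'tcp', 'udp' or 'icmp'
    src: tuple                   # (address_int, wildcard_int)
    dst: tuple
    dport: Optional[int] = None  # destination port from 'eq', if present


def _address(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W')
    and return ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def _match(spec, ip):
    """IOS wildcard masks: a 1 bit means 'do not care' about that bit."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def parse_acls(config):
    """Collect 'access-list N permit|deny ...' lines by number. Remarks and
    unrelated config lines are skipped; only the forms on this page are handled."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, rest = tokens[1], tokens[2], tokens[3:]
        proto, rest = rest[0], rest[1:]
        src, rest = _address(rest)
        dst, rest = _address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            port = rest[1]
            dport = int(port) if port.isdigit() else PORT_NAMES[port]
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry decides; the implicit 'deny any' at the end
    drops every packet no entry matched."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _match(ace.src, src) or not _match(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# Constructed sample: Rick's ACLs 110/120 and Evan's ACL 102 as quoted on this
# page, plus a constructed ACL 130 to show the 'host' and named-port forms.
SAMPLE_CONFIG = """
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
access-list 130 permit tcp any host 192.168.0.250 eq www
"""

ACLS = parse_acls(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS["110"], "tcp", "192.168.1.10", "192.168.2.20", 80))   # between the two subnets: denied
    print(evaluate(ACLS["110"], "tcp", "192.168.1.10", "198.51.100.7", 443))  # anywhere else: permitted
    print(evaluate(ACLS["102"], "tcp", "198.51.100.7", "1.1.1.1", 80))        # web to the forwarded port
    print(evaluate(ACLS["102"], "udp", "8.8.8.8", "1.1.1.1", 40321))          # a DNS reply: implicit deny
```

The last two calls are Lukasz's point: ACL 102 admits the web traffic Evan wants, but the UDP reply to an internal DNS lookup matches nothing and falls through to the implicit deny, which is why applying it to the WAN interface takes the LAN off the internet.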

  • Convert named access list to line numbers

    I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document was listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
    I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
    Thank you!

    Hi Emily,
    I guess this is what you are looking for. I have not tried it myself but would like to test it out.
    1. enable
    2. configure terminal
    3. ip access-list resequence access-list-name starting-sequence-number increment
    4. ip access-list {standard | extended} access-list-name
    5. sequence-number permit source source-wildcard
    or
    sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    6. sequence-number deny source source-wildcard
    or
    sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
    8. end
    9. show ip access-lists access-list-name
    This link should help :
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
    regards,
    -amit singh
