Access List - cisco 2600- HELP

Hi,
i want ask we, if the access list are bi-directional or it are one-directional?
If i want negate "LAN A" (eth1) to go in "LAB B" (eth0) which acl i must use and then "LAN B" can go to "LAN A"?
Thanks

Emanuele
When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
If I have not understood your question correctly please clarify what you are attempting to accomplish.
HTH
Rick

Similar Messages

  • Access-List Process - Urgent Help

    Dear All,
    My question here in this forum , in the Process of :-
    1- Which Interface should I apply this Access-list ?
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    Now, My question is here :-
    Was I correct in choosing the Interface that I will apply this Access-list or not ?
    Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
    I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
    1. Fast Ethernet 0 / 0 :-
    Description : connected to My Network as MY LAN .
    IP Address of this Interface : 192.168.1.10 / 255.255.255.0
    2. Fast Ethernet 0 /1 :-
    Description : connected to Second Network on second Building.
    IP Address of this Interface : 172.16.20.10 / 255.255.0.0
    3. Serial Interface ( S 0 ).
    Description : connected to My Server Farm which is in another Network
    IP Address of this interface : 10.1.8.20 / 255.255.255.0.
    > No any serial interface or any serial connection at all on my 1841 Route.
    > The Default route on My Router is
    > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
    Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
    As anyone knows, its an Extended Access List.
    So I wrote it like that:-
    Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
    Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
    Router(config)# access-list 102 permit ip any any
    Process of choosing the interface :-
    1- Which Interface should I apply this Access-list ?
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    To answer and to understand the answer, for the 2 questions, here is my Process :-
    First Interface f 0 / 0 :-
    < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
    Second Interface f 0 / 1 :-
    < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
    Third Interface S0:-
    Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
    So, final answer will be as following :-
    1- Which Interface should I apply this Access-list ?
    ( Serial / 0 ) .
    2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
    ( Outbound ) .
    Was I correct or not ? please some one is update me.

    The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

  • Need help for access list problem

    Cisco 2901 ISR
    I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
    I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
    Anybody can help?
             DENY       10.25.0.1 – 10.25.0.255
                              10.25.1.1 – 10.25.1.255
    Permit only 1 host for Internet
                    10.25.7.136  255.255.255.192 ------ TMG Server
    Using access-list.
    ( Current configuration  )
    object-group network IP
    description Block_IP
    range 10.25.0.2 10.25.0.255
    range 10.25.1.2 10.25.1.255
    interface GigabitEthernet0/0
    ip address 192.168.2.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 256
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description ### ADSL WAN Interface ###
    no ip address
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    interface Dialer1
    description ### ADSL WAN Dialer ###
    ip address negotiated
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
    ip nat inside source list 101 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.25.0.0 255.255.0.0 192.168.2.1
    access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    access-list 105 deny   ip object-group IP any
    From the 4500 Catalyst switch
    ( Current Configuration )
    interface GigabitEthernet0/48
    no switchport
    ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
    ip route 0.0.0.0 0.0.0.0 192.168.2.3

    Hello,
    Host will can't get internet connection
    I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    and change the configuration ....      ip access-list extended 101
                                                                5 permit ip host 10.25.7.136 any
    In this case I will allow only host 10.25.7.136 but it isn't work.
    No internet connection from the TMG Server.

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • Cisco 12.1 Access-list

    We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
    Thanks

    Eric
    We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with inteface FastE1/0 or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
    The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
    assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
    create 2 access lists and assign one to each interface.
    access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip any any
    access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip any any
    interface faste0/0
    ip access-group 120 in
    interface faste1/0
    ip access-group 110 in
    adjust addresses etc to fit your situation. Try it and let us know if it works.
    HTH
    Rick

  • Ethernet port 0/0 on Cisco 2600 unable to access NM-ESW-16 ports

    Is it possible to config the E0/0 port on the Cisco 2600 router to access the FE ports on the on-board NM-ESW-16? There is only one Ethernet port on the router.

    Thanks for the reply. However, we are unclear how to accomplish this. I tried the no switchport mode command on a FE port on the switch. Afterwards, I tried to assign an IP adddress and mask to the port. The switch responded saying that an IP address cannot be applied to a L2 port. What I need to understand is how to re-assign a L2 port as a L3 port. Thanks for any added help.
    kjjscharff

  • Cisco ASR 1002- performance issue due to access list

    Hi,
    We are planning to implement inbound access-list to block subnets from particular country. Since the subnets are not contiguous, we have about 16000 lines of acl entries.
    I want to know, would there be any performance or latency issues after applying 16k lines of acl?
    Is there a good document where I can read more about ACL limitations and performance issues on ASR.
    This is for ASR1002, running IOS-XE 15.3(1)S1.
    Thanks

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature, that if supported on the ASR, might help in your situation.  See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo

  • Req help: creating access-lists

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T8.bin
    connected to internet by wic1-adsl card
    I would like to configure my router to block the following ranges of ip's.
    Start IP End IP
    69.25.60.0 69.25.61.255
    208.111.154.0 208.111.154.255
    209.249.86.0 209.249.86.255
    problem is I'm beginner level at configuring the cisco router so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

    Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
    I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
    no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
    Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
    ip access-list extended
    deny ip 62.25.60.0 0.0.1.255 any
    deny ip 208.111.154.0 0.0.0.255 any
    deny ip 209.249.86.0 0.0.0.255
    exit
    interface x/x
    ip access-group
    end
    Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered acl, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the routers parser syntax.

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a                                                           3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x06                                                           85254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0                                                           x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcn                                                           t=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt                                                           =0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcn                                                           t=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7                                                           b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Need Help to create access-list based on traffic logs

    Hello,
    We didn't have any Firewall in our network, we recently implemented  Cisco ASA (Context) firewall in our network with any  any permit rule .
    Our intension is to collect the source, destination, protocol & ports based on the traffic logs and then implement the access-lists , once we confirmed all the rule will added to the firewall we want remove any any permit rule .
    I need some suggestion regarding this how we can proceed on this plan, any suggestions appreciated
    Rajkumar

    Hi Rajkumar,
    That is not the ideal way of doing... this will lead to a provisioning an unauthorized person to access for something he is not authorized to.
    How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....
    If your case is something like this.... all users need unrestricted intranet access and certain users alone requires internet acceess... then you can define rules accordingly....
    Regards
    Karthik
    Regards
    Karthik

  • Access-list in Cisco 3560 Series Switch

    Guys,
    I will be implementing access-lists in 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow ports that the user need to access. The ports will be as follows, tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and port used by IP Phone.
    Hope you can help me guys.
    Thanks,
    John

    and then dont forget to call this access-list on the interface or vlan you want to apply it.
    You can use a number for the ACL > 100 or a name as indicated earlier.
    If you go with just a number :
    access-list 100 permit tcp any any eq 80 81 ...
    access-list 100 permit udp any any eq 23
    int g1/0/1
    ip access-group NAME in
    OR
    ip access-group 100 in
    As for example :
    NMS-3750-A(config-if)#ip acc
    NMS-3750-A(config-if)#ip access-group ?
    <1-199> IP access list (standard or extended)
    <1300-2699> IP expanded access list (standard or extended)
    WORD Access-list name

  • Help with an access list please

    Hi guys, i have an access list applied inbound to an interface on a router at the edge of our LAN.Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x both with a 16 bit mask. The ACL is applied inbound to the interface that the the 10.13.x.x subnet come in on. I want to only allow them to go to our internal webserver to run a corporate web app, resolve dns for this web server with our dns servers, and have full access to a server on the other side of our WAN for another 32 bit app they are running. Here is my ACL:(you will notice i have also configured a single ip full access in for us to use when we are on site)
    access-list 101 permit ip 10.10.0.0 0.0.255.255 any
    access-list 101 permit ip host 10.13.1.254 any
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
    access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
    access-list 101 deny ip any any
    From the 10.13.x.x network this works like a charm but here is the key: i want to be able to remote admin their machines but cant. Even though the ACL is applied inbound only i cant get to their subnet, even with the first permit statement i still cant get to their subnet. I am assuming its allowing me in but the problem is lying with the return traffic. Is their a way for me to deny them access as in the list but for me to remote their subnet?
    Any help you could offer would be appreciated.

    I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
    And I have a serious issue with what he appears to suggest which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rething this logic.
    I do agree with your second suggestion that:
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
    should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
    HTH
    Rick

  • Virus access-list help

    Hello all,
    I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster varient or something.
    The problem is one of the System guys says it's a legit service, something to do with Active Directory.
    When I do "sh logging" I see thousands of hits where it deny's one packet at a time from port 445 to misc IP addresses.
    I do "sh access-list" and the deny 445 entry has millions of hits.
    We do a network wide Symantec update and scan and find nothing.
    Should I disable this 445 entry? Is it a legit service?
    Thanx for any help

    Hello,
    Port 445 is SMB over tcp or commonly referred to now by Microsoft a CIFS (Common Internet File System). This is vallid traffic so internally between sites that transfer files you should not be blocking this traffic but from external nets by all means this should be blocked.
    HTH please rate any posts that were helpful.
    Patrick Laidlaw

  • Extended access list on Cisco routers

    Can you edit an access list without delete the entire list? In other words, can you remove a sequence entry with the access list?
    Thanks

    Yes, you can.  If you do sh access-list, the router will show the sequence number.  You can than add a sequence, delete a sequence or change one.
    For example  if you have an acces-list like this:
    Extended IP access list test
    10 deny ip 10.10.10.0 0.0.0.255 any log
    15 deny ip 11.11.11.0 0.0.0.255 any log
    you can now add a new sequence between 10 and 15
    11 deny ip 172.16.10.0 0.0.0.255 any log
    You just have to make sure to use the sequence number when you create the last access-list
    HTH

  • Radius-Authentication / Cisco 2600 fails MiscError -1642

    Hi,
    Im trying to configure BM 3.8 SP3ir3, Radius (NMAS 2.3) to
    authenticate a Cisco 2600 against my BM. Under BM 3.7 this
    setup is working fine, but now with 3.8 I get the following
    error:
    Access rejected, Miscellaneous error (-1642)
    Ive configured the LPO with the following sequences:
    NDS acceptable, simple acceptable
    A test with NTRADPING:
    with CHAP disabled, it works fine (LPO sequence is NDS)
    with CHAP enabled, Ive got the error above
    I tried the simple login sequence also (like a posting
    in this newsgroup), but no change.
    Hope you can help me, I need chap-authentication...
    From Radius-Debug:
    This one works (without CHAP):
    [2005-07-28 05:52:43 PM] (->)Cacher:
    NWDSReadObjectInfo(das01.radius.bmanager.informati k.kli_pa),
    succeeded, time:7
    [2005-07-28 05:52:43 PM] 31) [(ip) 172.24.4.2:2642], Received 46 Bytes
    (Access-Request (1))
    [2005-07-28 05:52:43 PM] [(total=31) (p=30) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-07-28 05:52:43 PM] <2> Done GetNextMessage [(ip)
    172.24.4.2:2642]: time:2611012
    [2005-07-28 05:52:43 PM] -------- START : (Access-Request (1)) [(ip)
    172.24.4.2:2642]: time:640356694---
    [2005-07-28 05:52:43 PM] CACHE:
    CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
    [2005-07-28 05:52:43 PM] AuthRequestHandler(), Calling
    NewRequestHandler.
    [2005-07-28 05:52:43 PM] CACHE:
    CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
    cache
    [2005-07-28 05:52:43 PM]
    (->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
    [2005-07-28 05:52:43 PM] CacheFindContext - GetParentDN(userDN)
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:43 PM] CacheFindContext - tmpContext
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA),
    contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:43 PM] Handling local authentication request.
    [2005-07-28 05:52:43 PM] CACHE:
    CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
    using cache
    [2005-07-28 05:52:43 PM]
    (->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
    Access Group) succeeded, time:47
    [2005-07-28 05:52:43 PM]
    (->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
    time:42
    [2005-07-28 05:52:43 PM]
    (->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
    Attr) succeeded, time:45
    [2005-07-28 05:52:43 PM] User Name: NAS2-1, User DN:
    NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
    [2005-07-28 05:52:43 PM] (->)NADMAuthRequest()
    [2005-07-28 05:52:43 PM]
    (->)NADMAuthRequest(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    succeeded, time:961
    [2005-07-28 05:52:43 PM] (->)Authenticate (0 policy, NDS pswd) (for
    NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA), succeeded
    [2005-07-28 05:52:43 PM]
    (->)NDSReadData:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Concurr ent
    Limit) failed, no such attribute (-603), time:50
    [2005-07-28 05:52:43 PM] CACHE:
    CacheGetConcurrentLimit(das01.radius.bmanager.info rmatik.kli_pa),
    using cache
    [2005-07-28 05:52:43 PM]
    User:NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Current Login:0, Login
    Limit:-1, succeeded
    [2005-07-28 05:52:43 PM] (->)Authentication SUCCEEDED
    [2005-07-28 05:52:43 PM] Tag "DIALIN" uses profile
    "DIALIN.RADIUS.BMANAGER.INFORMATIK.KLI_PA"
    [2005-07-28 05:52:43 PM] FDN:
    CN=NAS2-1.OU=RADIUS.OU=BMANAGER.OU=INFORMATIK.O=KLI_PA
    [2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
    [2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 6
    [2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
    [2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 7
    [2005-07-28 05:52:43 PM] ->Sending Access-Accept (2) [(ip)
    172.24.4.2(2642)] count=32
    [2005-07-28 05:52:43 PM] ->Inserting into RespQ , code(2) id(7).
    [2005-07-28 05:52:43 PM] -------- END : (Access-Request (1)) [(ip)
    172.24.4.2:2642]: time:640358122---
    This one dont work (chap enabled):
    [2005-07-28 05:52:55 PM] 32) [(ip) 172.24.4.2:2647], Received 47 Bytes
    (Access-Request (1))
    [2005-07-28 05:52:55 PM] [(total=32) (p=31) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-07-28 05:52:55 PM] <4> Done GetNextMessage [(ip)
    172.24.4.2:2647]: time:2426593
    [2005-07-28 05:52:55 PM] -------- START : (Access-Request (1)) [(ip)
    172.24.4.2:2647]: time:640481075---
    [2005-07-28 05:52:55 PM] CACHE:
    CacheDomainListExist(das01.radius.bmanager.informa tik.kli_pa), using cache
    [2005-07-28 05:52:55 PM] AuthRequestHandler(), Calling
    NewRequestHandler.
    [2005-07-28 05:52:55 PM] CACHE:
    CacheGetEnableCNLogin(das01.radius.bmanager.inform atik.kli_pa), using
    cache
    [2005-07-28 05:52:55 PM]
    (->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
    [2005-07-28 05:52:55 PM] CacheFindContext - GetParentDN(userDN)
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:55 PM] CacheFindContext - tmpContext
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA),
    contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:55 PM] Handling local authentication request.
    [2005-07-28 05:52:55 PM] HandleCHAPRequest(NAS2-1)
    [2005-07-28 05:52:55 PM] CACHE:
    CacheReadSecretForNASAddress(das01.radius.bmanager .informatik.kli_pa),
    using cache
    [2005-07-28 05:52:55 PM] CHAP chapCSize: 16
    [2005-07-28 05:52:55 PM] [CHAP]User Name: NAS2-1, User DN:
    NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
    [2005-07-28 05:52:55 PM]
    (->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
    Access Group) succeeded, time:53
    [2005-07-28 05:52:55 PM]
    (->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
    time:42
    [2005-07-28 05:52:55 PM]
    (->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
    Attr) succeeded, time:44
    [2005-07-28 05:52:55 PM] (->)NADMAuthRequest()
    [2005-07-28 05:52:59 PM] ->Sending Access-Reject (3) [(ip)
    172.24.4.2(2647)] count=20
    [2005-07-28 05:52:59 PM] ->Inserting into RespQ , code(3) id(8).
    [2005-07-28 05:52:59 PM] -------- END : (Access-Request (1)) [(ip)
    172.24.4.2:2647]: time:640512029---
    I cannt see an error with chap enabled..
    Regards
    Guenther

    I'm having the same problem. radping works with chap and simple passwords
    but gives the -1642 error when I'm authenticating from my cisco vpn router.
    BTW, I had everything working for YEARS with nds passwords and earlier
    versions of bordermanager. BM 3.8 broke it.
    Thanks
    David
    > Hi Jake,
    >
    > yes, its a cisco-issue. For downloading dynamic routes with
    > radius you need the cisco-default-pw called "cisco". Strange
    > and a big security leak....
    >
    > The authentication with ppp-user and chap / simple password
    > works fine now.
    >
    > Regards
    > Guenther
    >
    > Jake Speed schrieb:
    > > Hi,
    > > yes it's woking fine !
    > > Working with a 3640, and 8 Bri/40 Async Interaces. With Chap enabeld,
    > > and simple password used.
    > > Seems to be a problem on the cisco site, so if radping works NW Radius
    > > and the objects are ok.
    > >
    > > by
    > > Jake
    > >
    > > Guenther Rasch wrote:
    > >
    > >> Hi Craig,
    > >>
    > >> I dont know why, but now CHAP works with ntradping.exe
    > >> - Cisco router still doesnt work. Ive configured
    > >> "simple password" in the lp-object...
    > >>
    > >> Does anyone have a working configuration nmas radius /
    > >> cisco nas-router?
    > >>
    > >> Regards
    > >> Guenther
    > >>
    > >> Craig Johnson schrieb:
    > >>
    > >>> In article <Yg0He.13962$[email protected]>,
    > >>> Guenther Rasch wrote:
    > >>>
    > >>>> is it possible in BM 3.8? Which password / login sequence do I need
    to
    > >>>> get CHAP working?
    > >>>>
    > >>>
    > >>> As far as I know, you cannot make CHAP work against an NDS password,
    > >>> in any version of Novell RADIUS.
    > >>> I don't really know about getting the dial access system password
    > >>> working 3.8 (NMAS) RADIUS. I would assume there would be a login
    > >>> policy object rule for it.
    > >>>
    > >>> Craig Johnson
    > >>> Novell Support Connection SysOp
    > >>> *** For a current patch list, tips, handy files and books on
    > >>> BorderManager, go to http://www.craigjconsulting.com ***
    > >>>
    > >>>

Maybe you are looking for