Access-list on CSS11501 Management port??

Hi there,
I know you can apply acl's to circuits, but is it possible to apply them to the management port as well?
regards,
Radboud

Thanks Gilles, I think I will use one of the fast ethernet ports as the management port
grtz
Radboud

Similar Messages

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain you what is going on!
    The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
    After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
    Regards,
    Julio
    Rate helpful posts

  • Applying access-list to 2950 ethernet port

    When applying the following accesslist to port 22 on my 2950 I get the following message:
    access-list 101 permit tcp host 192.168.31.250 any eq www
    access-list 101 permit tcp host 192.168.31.250 any eq 443
    access-list 101 permit tcp host 192.168.31.250 any eq domain
    access-list 101 permit tcp host 192.168.31.250 any established
    access-list 101 deny ip any any
    crete-sw01(config-if)#ip access-group 101 in
    %Error: Access-list with 'TCP flags' keyword is not supported on Ethernet Interf
    ace.
    Please refer to the Software Configuration Guide for all the supported keywords
    Is it possible to get around this?

    Hello Andy,
    my mistake, it looks like the 2950 does not accept the ´established´ keyword...
    I guess you need to apply the access list inbound to the Ethernet interface on your router.
    Cisco 2950 Switches
    Configuring Network Security with ACLs
    Unsupported Features
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea5/2950scg/swacl.htm#wp1043901
    Regards,
    GP

  • WS-C3524-XL-EN , mac access-list , ssh ..

    does this switch CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION with last IOS running on, support SSH , and mac access-list to secure the port with mac
    thanks

    There is IOS software for the 3550 that supports ssh. You have to have cco login with priviledges - There is a "strong cryptographic (3DES) location on CCO for that software. Go to downloads for 3550 and look for the link.

  • Port Forwarding & Access List Problems

    Good morning all,
    I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists, and port forwarding configurations and I can not seem to access the server from outside the network. . I've included my config file below, any help would be greatly appreciated!  I've researched a lot lately but I'm still learning.  Side note:  I've replaced the external ip address with 1.1.1.1.
    I've added the bold lines in the config file below in hopes to forward port 80 to 192.168.0.250 to no avail.  You may notice I dont have access-list 102 that i created on any interfaces.  This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet. 
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname pantera-office
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.150
    ip dhcp excluded-address 192.168.0.251 192.168.0.254
    ip dhcp pool private
       import all
       network 192.168.0.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4 
       default-router 192.168.0.1 
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip domain name network.local
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-4211276024
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4211276024
     revocation-check none
     rsakeypair TP-self-signed-4211276024
    crypto pki certificate chain TP-self-signed-4211276024
     certificate self-signed 01
      3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
      69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535 
      31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132 
      37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
      8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626 
      31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881 
      1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4 
      93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96 
      D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06 
      03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261 
      746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF 
      41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41 
      FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D 
      14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944 
      82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703 
      E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79 
      D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
      quit
    username pantera privilege 15 password 0 XXXX
    username aneuron privilege 15 password 0 XXXX
    archive
     log config
      hidekeys
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxx address 2.2.2.2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to 2.2.2.2
     set peer 2.2.2.2
     set transform-set ESP-3DES-SHA 
     match address 100
    interface FastEthernet0/0
     description $ETH-WAN$
     ip address 2.2.2.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    interface FastEthernet0/1
     description $ETH-LAN$
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface Serial0/0/0
     no ip address
     shutdown
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
    ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
    ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
    ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
    ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
    ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
    ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
    ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
    ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
    ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
    ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 remark Web Server ACL
    access-list 102 permit tcp any any
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps ds1
    snmp-server enable traps tty
    snmp-server enable traps eigrp
    snmp-server enable traps envmon
    snmp-server enable traps flash insertion removal
    snmp-server enable traps icsudsu
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps ds0-busyout
    snmp-server enable traps ds1-loopback
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps bgp
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps ipsla
    snmp-server enable traps rf
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
    scheduler allocate 20000 1000
    end
    Any/All help is greatly appreciated!  I'm sorry if I sound like a newby!
    -Evan

    Hello,
    According to the config you posted 2.2.2.2 is your wan ip address and 1.1.1.1 is the next hop address for your wan connection. The ip nat configuration for port forwarding should look like
    Ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
    If your provider assigns you a dynamic ipv4 address to the wan interface you can use
    Ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
    Verify the settings with show ip nat translation.
    Your access list 102 permits only tcp traffic. If you apply the acl to an interface dns won't work anymore (and all other udp traffic). You might want to use a statefull firewall solution like cbac or zbf combined with an inbound acl on the wan interface.
    Best Regards
    Lukasz

  • Access-list port range question

    Hi,
    I would like to clarify the exact operation of the below command:
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    ip access-list extended VoiceACL
    permit udp any any range 16384 16387
    Thus the range statement in the above access list specify that it allow only three ports "16384 to 16387". Is that correct ? Bit confused with this command. One of my friend said that the range statement not just specify 3 ports,but it specify the starting port as 16384 and the end port number 32771 [16384+16387].
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Value1] = starting port number
    [Value2] + [Value1] = end port number
    Thanks
    Nachi

    Hi Nachi,
    This represent the ports ranging between the first number and the last number included, in your case this is actually 4 ports: 16384, 16385, 16386 and 16387
    Regards,
    Raphael

  • Nexus1000v : ip access-list with port range

    Hi,
    I am configuring ip access-list policy with port range on Nexus1000v. I want to block traffic of a VM based on specific port or port range. Following is the example showing, blocking of rdp service (port - 3389) of vm x.x.x.x. But the scipt blocks all traffic of x.x.x.x.
    Can any body verify the scirpt and tell whats the problem with the script?
    vm x.x.x.x is on Veth2
    config t
    ip access-list Veth2_rc_vmfw_acl_in
    deny tcp any host x.x.x.x eq 3389
    exit
    ip access-list Veth2_rc_vmfw_acl_out
    deny tcp host x.x.x.x any eq 3389
    exit
    interface Veth2
    ip port access-group Veth2_rc_vmfw_acl_in in
    ip port access-group Veth2_rc_vmfw_acl_out out
    exit
    exit
    Thanks

    License? Check Data Features

  • How to manage large access-lists on FWSM

    Team I have a rather large access-list in one of my firewalls and was wondering if anyone has any rules of thumbs to go by when building a complex access lists. I currently use object groups but what is a good rule for acls with servers, users and diffent needs for access?

    We use object-groups as well. We typically create an object for source servers (if more than 1), the ports (if more than 1 or 2) and another group for destination server(s). We have a very restrictive security policy so each rule must be specific. I think it makes it hard to see what the ACL's really do, but it shortens the config.
    Hope that helps.

  • 6509- E management port access

    Hello,
    How to configure management port of brand new 6509-E via console cable.
    i want to transfer the back up of old chassis to this new chassis through managemnet port as this new does not
    has any ethernet lan card inserted, all are sfp line card.
    kindly suggest
    Regards

    Thank you for the reply.
    But i want to take access of the chassis through management port.
    Kindly suggest the way to configure management port of 6509-E
    Thank You.

  • Extended access list with multiple ports

    Hello All,
    I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
    I receive the following message:
    The informations of my Switch are the following:
    Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
    12.2(52)SG, RELEASE SOFTWARE (fc1)
    Please help me to resolve this problem.
    Best regards.

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • TCAM and Access Lists

    Hi
    I am getting myself confused with the TCAM tables and access-lists. From reading the switching book I can see that the access-lists are compiled into the TCAM. What is confusing me is how a switch does a lookup in parallel when the access lists are written in a specific order. You can't parallel something which has to be done in sequence.
    Am I just misreading this part and the author means that each statement is looked up in a parallel table lookup, in serial order?
    Also how do we achieve the parrallelism, is there a multiprocessor asic doing something weird and wonderful in there with parallel code like OCCAM? (showing my age there :) )

    Hi Carl,
    As i mentioned eariler, we could say CBAC is a kind of Access list.
    Access list is just filtering some prefixes/ports. CBAC is the additional feature over ACL. We make use of the ACL in CBAC to inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions.
    Just go thro. this link for both ACL and CBAC,
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#cbac
    Rgs,
    Balaji. V

  • Cisco 3850 Switch Management Port - ACL on VTY

    Hi,
    I got these switches.
    Switch Ports Model              SW Version        SW Image              Mode   
    *    1 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
         2 32    WS-C3850-24T       03.03.02SE        cat3k_caa-universalk9 INSTALL
    SSH access to Management port G0/0 with an ACL applied on line vty 0 4 is failing, even through the ACL is permiting traffic.
    interface GigabitEthernet0/0
     vrf forwarding Mgmt-vrf
     ip address 172.16.12.3 255.255.255.0
     negotiation auto
    ip access-list standard ACLVTY
     permit any log
    line vty 0 4
     access-class ACLVTY in
     exec-timeout 15 0
     length 0
     history size 64
     transport preferred ssh
     transport input ssh
     transport output telnet ssh
    037599: *Mar 28 2014 04:59:49.919 AEDT: %SEC-6-IPACCESSLOGS: list permit-any permitted 172.16.12.100 1 packet
    # show ip access-list permit-any
    Standard IP access list permit-any
        10 permit any log (3 matches)
    If I remove the ACL under VTY "no access-class ACLVTY in", then SSH to the management port works. If I don't use the management port and use a normal port say G1/0/1 configured on management VLAN and assigned the same IP address, then SSH works with the VTY ACL still existing. 
    Any ideas ?
    Thanks, 
    Rick.

    Hi,
    IOS will accept all VTY connections by default. However, if an access-class is used, the assumption is that connections should only arrive from the global VRF. If you need control the IP source while allowing VTY connections from VRF instances, you have a try configuration option "vrf-also"
    So, you should get something like this:
    line vty 0 4
    access-class ACLVTY in vrf-also  

  • Failed Extended Access-list

    Hello all,
    I am trying to apply this extended access-list  to my router to permit the selected ports and deny the rest but my emails are not sending outside, all emails are stuck in the queue. If I remove the access-list, all emails goes freely. Whats left in my configuration?
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    Interface Dialer 0
    ip access-group 101 out

    Here is the complete configuration.
    Router#sh run
    Building configuration...
    Current configuration : 3665 bytes
    ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    crypto pki token default removal timeout 0
    ip source-route
    ip cef
    no ipv6 cef
    license udi pid C887VA-W-E-K9 sn FCZ1624C30K
    username admin privilege 15 password 7 045A0F0B062F
    controller VDSL 0
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto ipsec profile protect-gre
     set security-association lifetime seconds 86400
     set transform-set TS
    interface Loopback0
     ip address 10.10.10.1 255.255.255.255
    interface Tunnel4120
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication cisco
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip tcp adjust-mss 1360
     tunnel source Dialer0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile protect-gre
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/35
      pppoe-client dial-pool-number 1
    interface Ethernet0
     no ip address
     shutdown
     no fair-queue
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     ip address 192.168.111.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1360
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname xxxxxxxxxxxxxxxxx
     ppp chap password 7 03077313552D0F411E512D
    router rip
     version 2
     network 10.0.0.0
     network 192.168.111.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
    ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
    ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
    ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 permit 192.168.111.30
    access-list 10 permit 192.168.111.0 0.0.0.255
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     stopbits 1
    line vty 0 4
     access-class 10 in
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Router#

  • Thoroughly Confused with ADSM created access-lists when viewing ASA config

    Background:
    I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
    None of them ever removed any lines from the configuration, and none did any documentation.
    I have several basic questions, which show my ignorance.
    When examining the actual configuration from a CLI perspective:
    1. Does an ADSM-created access list end with any specific ADSM-added suffix?
    2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
    3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
    4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

    Actually, I don't think I ever made myself clear.
    I am working with a hard copy of the CLI.
    I have no acccess to the devices to run any commands, nor access to the ADSM.
    I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
    As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
    I have probably 10-15 different access lists in this config.
    Some look to be affiliated with specific ports. Some of these ports are up, some down.
    I have the same rule sets appearing in 3 separate access lists, in some cases.
    Of course, each of these 3 access lists is slightly different.
    Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
    An example:
    3 access lists:
    Prmary_Public_access_in
    Primary_Public_access_in_tmp
    Arin_Primary_Public_access_in
    Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
    Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
    Primary_Public_access_in does not appear to be directly associated with any one port
    So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

  • CSC-SSM Default Management Port...

    Does anyone know how to change this port from it's default of 8443?
    Please let me know, it's urgent!
    Thanks,
    Eddie

    Even i went through the doc again and again. And the only one reference i seem to notice is this :
    1. Network Settings
    2. Date/Time Settings
    3. Product Information
    4. Service Status
    5. Change Password for Command Line Interface
    6. Restore Factory Default Settings
    7. Troubleshooting Tools
    8. Reset Management Port Access Control List
    9. Ping
    10. Exit ...
    The 8th point.
    Reset Management Port Access Control
    Choose option 8 to reset the management port access control list. The following appears:
    Resetting management port access control list: OK
    Press Enter to continue ...
    If the ASDM is unable to communication with the SSM, try resetting port access via this option
    But even that doesn't explain if we could change the port. I have a CSC to configure next week, wish i had this box looks fun to play with.
    Cheers
    Hoogen

Maybe you are looking for

  • Remote desktop connects, black screen, disconnects after a few seconds

    I have several servers running Windows Server 2012 R2. These servers are used for testing, and are members of a domain which has two DCs, each of which are running DNS Server. Yesterday I noticed one of the servers was having an issue with its remote

  • NO RFC Destination for BAPI

    Hi, I am working on ALE for Activity allocation. I am using 3 methods in my distribution model. I need to transfer data from ECC 6.0 source system to R/3 4.7. BUS6010 Method POST & CHECK BUS2072 Method FINDDETAILS I am using the Program RHINLV00_LSO

  • HINDI Language Support In Translation Builder??

    Can by any means existing Forms 6 application be converted in to "Hindi" or any other Indian language (ONLY GUI PART) by using Translation Builder.

  • Problem with Youtube videos loading...

    I have had problems with Youtube since I have gotten my new Mac in November. (My old Mac would play them fine.) The videos will start loading and then stop. If I want to continue trying to watch a video I have to move the button around on the bottom

  • Unable to print Contact Sheets from iPhoto

    Hi there, Since installing Lion 10.7.5 on my Mac Pro I no longer get the option to print Contact Sheets from iPhoto. I'm running quite an old version of it I think (Version 6.0.6), however this was no problem before the upgrade. Can anyone suggest a