Access-List Process - Urgent Help

Dear All,
My question in this forum is about the process of:
1- Which interface should I apply this access-list to?
2- In which direction on the selected interface do I have to apply this access-list? In or out?
Now, my question is:
Was I correct in choosing the interface on which I will apply this access-list or not?
Please read my process of choosing the interface and tell me if I am correct or not.
I have my router, an 1841 Internet router, with 2 Fast Ethernet interfaces as follows:
1. Fast Ethernet 0/0:
Description: connected to my network, my LAN.
IP address of this interface: 192.168.1.10 / 255.255.255.0
2. Fast Ethernet 0/1:
Description: connected to the second network in the second building.
IP address of this interface: 172.16.20.10 / 255.255.0.0
3. Serial interface (S0):
Description: connected to my server farm, which is in another network.
IP address of this interface: 10.1.8.20 / 255.255.255.0.
> No serial interface or any serial connection at all on my 1841 router.
> The Default route on My Router is
> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
Now, I only want to deny user 192.168.1.40 access to one server in the server farm, which is our POP3 server with IP 10.1.8.40/24.
As anyone knows, it's an extended access list.
So I wrote it like this:
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
Router(config)# access-list 102 permit ip any any
Process of choosing the interface:
1- Which interface should I apply this access-list to?
2- In which direction on the selected interface do I have to apply this access-list? In or out?
To answer, and to understand the answer to the 2 questions, here is my process:
First interface F0/0:
< this is the originating interface, and there is no need to apply the ACL on it, whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACL on.
Second interface F0/1:
< this is the second interface, and it has an inbound/outbound direction. If I enable the ACL on this interface in the inbound direction, the traffic will enter because nothing matches the condition; also, there is no need to put it in the outbound direction, because the traffic will not go out from this interface, or there is no matching condition on it. >
Third interface S0:
Also, I have to look at the routes on the router. I will find that everything is routed to interface Serial 0, and if I enable the ACL in the inbound direction, it will stop the traffic from entering the interface < it will only stop it from entering the interface if the conditions occur >, so there is no need for inbound, but on the outbound it will work.
So, the final answer will be as follows:
1- Which interface should I apply this access-list to?
( Serial 0 ).
2- In which direction on the selected interface do I have to apply this access-list? In or out?
( Outbound ).
Was I correct or not? Please, someone update me.

The access-list can be applied in either direction depending on the requirement. As per the scenario you have given, the access-list has to be applied in the inbound direction. It is called an inbound access list.
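An added example, not part of the original thread and not Cisco code, that models the decision the poster is working through: an IOS extended ACL evaluated top-down with wildcard masks and the implicit deny, applied on each interface in each direction of a router with the three interfaces and the default route described above. The interface names, the connected prefixes, the default next hop and the test packet are assumptions taken from the post; ACL 102 is quoted exactly as typed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

# Port names IOS accepts in an "eq" clause (the two the poster used, plus two common ones).
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0

@dataclass(frozen=True)
class ACE:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str            # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    dst: str
    eq: int | None = None   # destination port, resolved to a number

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS semantics: a 1 bit in the wildcard means 'do not care' about that bit."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def _addr_spec(tok: list[str], i: int) -> tuple[str, int]:
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2

def parse_ace(line: str) -> ACE:
    """Parse one entry as typed in the post; the leading 'access-list 102' is optional."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    src, i = _addr_spec(tok, 2)
    dst, i = _addr_spec(tok, i)
    eq = None
    if i < len(tok) and tok[i] == "eq":
        eq = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return ACE(tok[0], tok[1], src, dst, eq)

def evaluate(acl: list[ACE], pkt: Packet) -> str:
    """Top-down, first match wins; the implicit 'deny ip any any' ends every ACL."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.eq is not None and ace.eq != pkt.dport:
            continue
        return ace.action
    return "deny"

@dataclass
class Interface:
    name: str
    network: str                                        # connected prefix
    acl_in: list[ACE] = field(default_factory=list)     # empty list = no ACL applied
    acl_out: list[ACE] = field(default_factory=list)

class Router:
    """Connected routes plus one default route; ACL checked on ingress, then on egress."""
    def __init__(self, interfaces: list[Interface], default_via: str):
        self.ifs, self.default_via = interfaces, default_via

    def connected(self, ip: str) -> Interface | None:
        return next((i for i in self.ifs
                     if ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(i.network)), None)

    def forward(self, pkt: Packet) -> str:
        ingress = self.connected(pkt.src)               # the host sits on its own LAN
        if ingress.acl_in and evaluate(ingress.acl_in, pkt) == "deny":
            return f"dropped inbound on {ingress.name}"
        egress = self.connected(pkt.dst) or self.connected(self.default_via)
        if egress.acl_out and evaluate(egress.acl_out, pkt) == "deny":
            return f"dropped outbound on {egress.name}"
        return f"forwarded {ingress.name} -> {egress.name}"

# Assumed topology from the post: Fa0/0 = 192.168.1.0/24 LAN, Fa0/1 = 172.16.0.0/16
# building, "S0" = 10.1.8.0/24 server farm, default route via 10.1.8.20.
def build_router() -> Router:
    return Router([Interface("Fa0/0", "192.168.1.0/24"),
                   Interface("Fa0/1", "172.16.0.0/16"),
                   Interface("S0", "10.1.8.0/24")], default_via="10.1.8.20")

ACL_102 = [  # the three lines from the post, verbatim
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp",
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3",
    "access-list 102 permit ip any any",
]

def placements(acl_lines: list[str], pkt: Packet) -> dict[str, str]:
    """Apply the ACL on every interface in each direction and record what the router does."""
    results = {}
    for name in ("Fa0/0", "Fa0/1", "S0"):
        for direction in ("in", "out"):
            r = build_router()
            itf = next(i for i in r.ifs if i.name == name)
            setattr(itf, f"acl_{direction}", [parse_ace(line) for line in acl_lines])
            results[f"{name} {direction}"] = r.forward(pkt)
    return results
```

Calling `placements(ACL_102, Packet("tcp", "192.168.1.40", "10.1.8.40", 110))` shows the POP3 segment is dropped in exactly two placements: inbound on Fa0/0 and outbound on the server-farm interface. The other four placements never see the packet, so the ACL silently does nothing there. Inbound on Fa0/0 drops the packet before it consumes a routing lookup, which is why the usual rule of thumb is to place an extended ACL as close to the source as possible, matching the reply above. The same `evaluate` call also confirms the `permit ip any any` line still lets 192.168.1.40 reach the server on other ports, and that an ACL with no matching line falls through to deny.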

Similar Messages

  • Access List - cisco 2600- HELP

    Hi,
    I want to ask: are access lists bi-directional or one-directional?
    If I want to deny "LAN A" (eth1) from going to "LAN B" (eth0), which ACL must I use so that "LAN B" can still go to "LAN A"?
    Thanks

    Emanuele
    When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
    I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
    If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
    If I have not understood your question correctly please clarify what you are attempting to accomplish.
    HTH
    Rick

  • EHP 7 upgrade - Got stuck at Pre-processing - urgent help required

    hi Everyone,
    I am upgrading my current ECC 6 EHP 6 system to EHP7. I got stuck in the pre-processing phase "imports included Add-on and Support Packages into the shadow tables and the new tables". There is no error, but it has been running for more than 15 hours now. I don't even see a recent log showing its progress. The logs were updated 14 hours ago and there has been no update after that.
    The shadow instance was down. The main instance is up and running and no jobs are running. I manually started the shadow instance and checked whether that would help, but no use. So I restarted the SUM tool. It gives a different problem now. I have listed the current problems below. Please check and advise.
    1. SUM tool shows "ABAP - Starting handshake" - SAPup.Out error message (ERROR in GUI communication: Error in network interface: NIEINVAL (0/53 written))
    2. Shadow instance up and running, but while trying to log in from the GUI it says "rabax during SAPGUI logon". I can see all its WPs in 'waiting' status at the OS level.
    3. In DB02, "oldest Open Transaction" shows Aug 15 2014 10:30 PM, which means this transaction has been at the DB level for more than 16 hrs now.
    Please help troubleshoot and resolve this. Useful inputs will be rewarded immediately.
    thanks,
    Shiv

    I have resolved the 1st issue, after killing the SAPup process at os level.
    now, in the SUM tool, it gives the following info,
    Type                    |Name                          |ProcessID|Description
    =============================================================================
    Operating system process|E:\usr\sap\<SID>\SUM\abap\exe\tp|5144     |
                            |"pf=E:\usr\sap\<SID>\SUM\abap\va|         |
                            |\SHDALLIMP.TPP"               |         |
                            |put <SID> "-Dmainimp_proc=2"    |         |
                            |"-Dparallel=2"                |         |
    If additional processes are still running or background jobs are active, the
    program *must* wait for them before it is able to continue.
    Be careful with stopping any process. If a background job is scheduled but not
    running, delete this job using transaction SM37.
    01)  -  Exit program
    02)  *  Check status again
    03)  -  Processes do not exist, continue
    04)  -  Wait for processes to finish
    : Check status again
    The TP program is running at the OS level, but as already said, no background job is running in the main instance and the shadow instance was already down. Shall I kill this TP process and try option 03)?
    Please advise.
    thanks,
    Shiv

  • Order Form Processing - Urgent help needed

    Hi All,
    I am in deep trouble trying to sort this out. Please help me get out of this as soon as possible. I am using JSP, MySQL and Tomcat for development of my company's web site. I have a dealer section where dealers can login and place orders online. Given this scenario following are my worries.
    Suppose all the entries in the form are OK and the form is submitted following has to happen.
    The entry goes to the Order table with status as NEW. This happens and works fine now.
    A copy of acknowledgement is mailed to the dealer. Also possible with JavaMail.
    The order acknowledgement letter is printed automatically without any human intervention. i.e. window.print() method is not to be used.
    Or simply put the user has to click a single button and all these 3 actions should take place, he should not be made to click "Send Message" or "Print" > OK.
    Please anybody and everybody who can help reply.
    Rgds,
    REDAM

    I can help you with sending the acknowledgement on clicking the submit button.
    Add the following code to your form and you can send the mail.
    But the other things are not clear; please make them clear.
    Bye
    Samir
    <%-- Put the JavaMail API (and JAF) on the classpath; if you need help, write again. --%>
    <%@ page import="java.util.*, javax.mail.*, javax.mail.internet.*" %>
    <%
        // Order fields from the submitted form. The parameter names are assumed here;
        // change them to match your form.
        String DEL_NAME     = request.getParameter("NAME");
        String COMMANDO_QTY = request.getParameter("COMMANDO");
        String GGBS_QTY     = request.getParameter("GGBS");
        String REC_ADDR1    = request.getParameter("ADDRESS1");
        String REC_ADDR2    = request.getParameter("ADDRESS2");

        Properties props = new Properties();
        props.put("mail.smtp.host", "urmailserver"); // your mail server IP (e.g. 198.1.1.xx) or name
        Session s = Session.getInstance(props, null);

        MimeMessage message = new MimeMessage(s);
        InternetAddress from = new InternetAddress("[email protected]");
        message.setFrom(from);
        InternetAddress to = new InternetAddress("[email protected]");
        message.addRecipient(Message.RecipientType.TO, to);
        message.setSubject("Test from JavaMail.");
        // Form input goes only into the body: putting it into To, Subject or other
        // headers would let a dealer inject extra recipients or header lines.
        message.setText("Order from * " + DEL_NAME + " *\n\n "
                + "Commando Quantity= " + COMMANDO_QTY + "\n\n "
                + "GGBS Quantity= " + GGBS_QTY + "\n\n "
                + "Delivery At # " + REC_ADDR1 + "\n" + REC_ADDR2 + " #\n\n "); // change this to your need
        Transport.send(message);
        response.sendRedirect("/indorama/jsp/orderconfirm.jsp");
    %>

  • Need urgent help in listing out checklist from DBA prespective for BI Implementation Project

    Hello Guys,
    We are in Designing phase Data Modeling of PDW/APS Implementation Project.
    I need urgent help in making a checklist from a DBA perspective,
    like what things I'll be needing at the time of implementation/deployment.
    Your expert comments and help will be highly appreciated.
    Thank you,
    Anish.S
    Asandeen

    You can get a good summary of a checklist from this article about a
    DBA checklist for data warehousing,
    which highlights the pointers below:
    New system or old (i.e. upgrade vs. starting from scratch)
    Complexity of SQL Server architecture 
    SQL Server storage
    Determining SQL Server processing power
    SQL Server installation consideration 
    SQL Server configuration parameter
    SQL Server security
    SQL Server Database property
    SQL Server jobs and automation
    Protecting SQL Server data
    SQL Server health monitoring and check ups
    SQL Server ownership and control 
    based on my real time experience, I will suggest you to keep an eye on 
    Load performance (It will be useful when your database(Warehouse) will have huge amount of data)
    System availability (Check for Windows update and up time configuration) 
    Deployment methodology should be planned in advance. Development of packages and respective objects should be done systematically.
    Source control mechanism 
    Disk space and memory usage
    You might or might not have full rights on production environment, so be prepared to analyze production environment via Select statements [I guess you got my point]
    Proper implementation of Landing , Staging and Mart tables.
    Column size (this can drastically decrease your database size)
    Usage of indexes (Index are good, but at what cost?)
    I hope this will assist you in building your check list.

  • ACL-list syntax error in PIX after upgrade, need urgent help!

    Hello everyone
    We have a setup including Cisco ACS + a VPN 3005 Concentrator and a PIX 515E (7.2.4)
    We upgraded the PIX version from 7.0 to 7.2.4 and suddenly our downloadable access-list was getting refused when users authenticated against the ACS.
    When debugging RADIUS on the PIX we found that entering this line in the downloadable access-list gives an error and stops the users from getting the ACL:
    "deny ip any 192.168.0.0 0.0.255.255"
    The PIX refused to process their auth request when encountering this line.
    Fine, we said, and changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0
    This made the PIX process the ACL.
    We were happy for a while, until VPN users started to complain.
    It seems that the VPN 3005 can't deal with the syntax we entered in the PIX!
    The VPN 3005 doesn't seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0"!
    It can only handle "deny ip any 192.168.0.0 0.0.255.255"!
    Which the PIX can't handle...
    I'm at a loss as to what to do here.
    We have VPN users who can't surf now because of these ACL problems.
    What can I do? Has anyone else encountered this?
    We upgraded the VPN 3005 to the latest SW version.
    Really need some help here, guys!
    Thanks

    I don't think Cisco ever changed anything on the PIX. It has used subnet masks from day one AFAIK, and the VPN Concentrator uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to fix this issue. This way you define a wildcard ACL on the ACS/AAA server and then use this command on the ASA so that the same downloadable ACL can be used for both devices (PIX, VPNC).
    http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a2.html#wp1622944
    Regards
    Farrukh
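An added example, not from this thread and not Cisco code, showing what a conversion step like the one Farrukh points to has to do. It rewrites the ACS line quoted above between the IOS/VPN 3000 wildcard convention and the PIX/ASA netmask convention, and refuses the masks that cannot be converted safely: 0.0.0.0 and 255.255.255.255 mean "host" in one convention and "any" in the other, and a non-contiguous wildcard (legal on IOS) has no netmask equivalent at all. Everything below is a Python illustration of the two mask forms, not the behaviour of the `acl-netmask-convert` command itself.

```python
from __future__ import annotations
import ipaddress

def _to_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))

def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def is_contiguous_netmask(mask: str) -> bool:
    """PIX/ASA form, e.g. 255.255.0.0: one-bits on the left, then zero-bits."""
    inv = ~_to_int(mask) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def is_contiguous_wildcard(mask: str) -> bool:
    """IOS/VPN 3000 form, e.g. 0.0.255.255: zero-bits on the left, then one-bits."""
    v = _to_int(mask)
    return v & (v + 1) == 0

def wildcard_to_netmask(wild: str) -> str:
    return _to_str(~_to_int(wild))

def netmask_to_wildcard(mask: str) -> str:
    return _to_str(~_to_int(mask))

def mask_kind(mask: str) -> str:
    """'netmask', 'wildcard', 'ambiguous' (0.0.0.0 and 255.255.255.255 mean
    host-vs-any in opposite ways in the two conventions) or 'noncontiguous'."""
    if _to_int(mask) in (0, 0xFFFFFFFF):
        return "ambiguous"
    if is_contiguous_netmask(mask):
        return "netmask"
    if is_contiguous_wildcard(mask):
        return "wildcard"
    return "noncontiguous"

def rewrite_ace(line: str, target: str) -> str:
    """Rewrite every 'address mask' pair in one ACE to 'netmask' or 'wildcard' form."""
    tok = line.split()
    out: list[str] = []
    i = 0
    while i < len(tok):
        if tok[i] == "host":                     # 'host A.B.C.D' carries no mask
            out += tok[i:i + 2]
            i += 2
            continue
        is_pair = (tok[i].count(".") == 3 and i + 1 < len(tok)
                   and tok[i + 1].count(".") == 3)
        if not is_pair:
            out.append(tok[i])
            i += 1
            continue
        addr, mask = tok[i], tok[i + 1]
        kind = mask_kind(mask)
        if kind in ("ambiguous", "noncontiguous"):
            raise ValueError(f"mask {mask} cannot be converted safely in: {line}")
        if kind != target:
            mask = wildcard_to_netmask(mask) if kind == "wildcard" else netmask_to_wildcard(mask)
        out += [addr, mask]
        i += 2
    return " ".join(out)

# The line from the thread, as ACS hands it out (wildcard) and as the PIX wants it (netmask).
ACS_LINE = "deny ip any 192.168.0.0 0.0.255.255"
PIX_LINE = rewrite_ace(ACS_LINE, "netmask")   # "deny ip any 192.168.0.0 255.255.0.0"
```

The practical check before trusting any automatic conversion is to run every line of the downloadable ACL through `mask_kind` first: a list that contains a 0.0.0.0 or 255.255.255.255 mask should be rewritten with the `host` and `any` keywords instead, because no detector can tell which convention the author meant.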

  • Urgent Help with network access to FileOutputStream

    URGENT HELP NEEDED GUYS... I have been stuck on this for the past 2 days. I tried several alternatives, but in vain.
    I am trying to access a folder on a user's computer which is in a different domain.
    For accessing this folder, I have the following information with me:
    domain name, PC name, folder name, Windows username, Windows password.
    Note: This username and password will give me rights to read and write to that folder.
    How do I use this information to open a FileOutputStream? Does the java.io package allow programs to pass a username, password, domain name, PC name and then the folder and file name to create/read/write files?
    Please suggest code examples. Some time back I posted this query but didn't get an answer to my satisfaction. I have tried at my end but have been unsuccessful so far. Help would be appreciated.
    I am trying this on a Windows File System and Network domain
    THIS IS V. URGENT
    Thanks,

    Hi HJK,
    I am referring to the last reply of yours.
    " Hi, there are three approaches I can think of offhand:
    1) make sure the user-context under which you run the java app has the right to access the remote drive.
    2) Do the network connection in a batch or c program and call that at the start of your java app with Runtime#exec.
    3) Write some c/c++ code to open the connection and integrate that via JNI.
    Let me know what (other) solution you came up with in the end!
    Regarding the 1st.
    I am supposed to write a remote installation utility, actually. There are around 200 PCs in a network onto which I need to copy these Java class files. My problem statement is such that at runtime I only have usernames, passwords and domain access. I am not supposed to map any drives. It's supposed to be done dynamically. No manual intervention required. :(
    How do I do the network connection in batch mode? Let me know that.
    If the 2nd option can be done, probably I can think of action 3; at the moment I am quite blurry. :(

  • My BB9810 refuse to load OS7.1 software on my phone after the download has completed. My phone has freezed/stucked since morning. Pls urgent help/assistant needed as I can not access/use my phone for over 24hrs now.

    My BB9810 refuses to load the OS 7.1 software on my phone after the download has completed. My phone has been frozen/stuck since this morning. Please, urgent help/assistance needed, as I have not been able to access/use my phone for over 24 hours now.

    Hi there,
    Use the method described in the link below to get back up and running:
    http://supportforums.blackberry.com/t5/Device-software-for-BlackBerry/How-To-Reload-Your-Operating-S...
    I hope this info helps!

  • Need help for access list problem

    Cisco 2901 ISR
    I need help with my configuration... although it is working fine, it is not secure, because everybody can access the Internet.
    I want to deny this IP range and permit only the TMG server to have an Internet connection. My DHCP server is the 4500 switch.
    Can anybody help?
             DENY       10.25.0.1 - 10.25.0.255
                        10.25.1.1 - 10.25.1.255
    Permit only 1 host for Internet:
                        10.25.7.136  255.255.255.192 ------ TMG Server
    Using an access-list.
    ( Current configuration  )
    object-group network IP
    description Block_IP
    range 10.25.0.2 10.25.0.255
    range 10.25.1.2 10.25.1.255
    interface GigabitEthernet0/0
    ip address 192.168.2.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 256
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description ### ADSL WAN Interface ###
    no ip address
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    interface Dialer1
    description ### ADSL WAN Dialer ###
    ip address negotiated
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
    ip nat inside source list 101 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.25.0.0 255.255.0.0 192.168.2.1
    access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    access-list 105 deny   ip object-group IP any
    From the 4500 Catalyst switch
    ( Current Configuration )
    interface GigabitEthernet0/48
    no switchport
    ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
    ip route 0.0.0.0 0.0.0.0 192.168.2.3

    Hello,
    Hosts can't get an Internet connection.
    I removed this configuration:          access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    and changed the configuration to:      ip access-list extended 101
                                             5 permit ip host 10.25.7.136 any
    In this case I allow only host 10.25.7.136, but it doesn't work.
    No Internet connection from the TMG server.

  • Urgent Help; Everyone has access to restricted rooms

    Hi Everybody,
    I need some urgent help.
    I have created some collaboration rooms based on a restricted room template and everyone seems to have access to the room.
    It is behaving as if it is a public room.
    Now we are just a couple of days from go-live and it is extremely urgent to resolve these issues.
    Any help would be appropriately rewarded.
    Regards,
    Vibhu

    Hi Vibhu,
    you should check the room role assignments and page
    permissions. You need to log in as a room administrator
    and go to the "Admin: Room" page.
    Regards,
    Darin

  • Help with an access list please

    Hi guys, I have an access list applied inbound to an interface on a router at the edge of our LAN. Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x, both with a 16-bit mask. The ACL is applied inbound to the interface that the 10.13.x.x subnet comes in on. I want to only allow them to go to our internal webserver to run a corporate web app, resolve DNS for this web server with our DNS servers, and have full access to a server on the other side of our WAN for another 32-bit app they are running. Here is my ACL (you will notice I have also configured a single IP with full access in, for us to use when we are on site):
    access-list 101 permit ip 10.10.0.0 0.0.255.255 any
    access-list 101 permit ip host 10.13.1.254 any
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
    access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
    access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
    access-list 101 deny ip any any
    From the 10.13.x.x network this works like a charm, but here is the key: I want to be able to remote-admin their machines but can't. Even though the ACL is applied inbound only, I can't get to their subnet; even with the first permit statement I still can't get to their subnet. I am assuming it's allowing me in, but the problem lies with the return traffic. Is there a way for me to deny them access as in the list, but for me to remote into their subnet?
    Any help you could offer would be appreciated.

    I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
    And I have a serious issue with what he appears to suggest, which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rethink this logic.
    I do agree with your second suggestion that:
    access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
    should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
    HTH
    Rick
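An added example, not from this thread and not Cisco code, showing why the return traffic fails against a one-direction filter and what the two candidate fixes actually let through. It models the inbound ACL on the 10.13.x.x interface as a stateless filter over TCP segments and compares Rick's source-port rule with the IOS `established` keyword that Rick mentions in the earlier LAN A / LAN B answer. The addresses, ports and flag combinations are constructed for the example; the IOS lines in the comments are the equivalents of the two rule sets.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """A TCP segment as the inbound ACL on the 10.13.x.x interface sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset[str]       # subset of {"SYN", "ACK", "RST", "FIN"}

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR prefix
    dst: str
    sport: int | None = None    # 'eq' on the source port
    dport: int | None = None    # 'eq' on the destination port
    established: bool = False   # IOS 'established': ACK or RST bit set

def matches(rule: Rule, seg: Segment) -> bool:
    if ipaddress.ip_address(seg.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(seg.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.sport is not None and seg.sport != rule.sport:
        return False
    if rule.dport is not None and seg.dport != rule.dport:
        return False
    if rule.established and not (seg.flags & {"ACK", "RST"}):
        return False
    return True

def verdict(rules: list[Rule], seg: Segment) -> str:
    """First match wins; implicit deny at the end, as on IOS."""
    for rule in rules:
        if matches(rule, seg):
            return rule.action
    return "deny"

REMOTE, LOCAL = "10.13.0.0/16", "10.10.0.0/16"

# Rick's line: permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
BY_SOURCE_PORT = [Rule("permit", REMOTE, LOCAL, sport=5900)]
# The alternative: permit tcp 10.13.0.0 0.0.255.255 10.10.0.0 0.0.255.255 established
BY_ESTABLISHED = [Rule("permit", REMOTE, LOCAL, established=True)]

# Constructed segments; only the inbound direction (10.13 -> 10.10) is filtered.
SCENARIOS = {
    "VNC reply from :5900":    Segment("10.13.5.7", 5900,  "10.10.0.50", 51234, frozenset({"SYN", "ACK"})),
    "VNC reply from :5901":    Segment("10.13.5.7", 5901,  "10.10.0.50", 51235, frozenset({"SYN", "ACK"})),
    "fresh SYN from 10.13":    Segment("10.13.5.7", 40000, "10.10.10.1", 22,    frozenset({"SYN"})),
    "crafted ACK, sport 5900": Segment("10.13.5.7", 5900,  "10.10.10.1", 22,    frozenset({"ACK"})),
}

def run(rules: list[Rule]) -> dict[str, str]:
    return {name: verdict(rules, seg) for name, seg in SCENARIOS.items()}
```

`run(BY_SOURCE_PORT)` permits the reply from port 5900 and denies a reply from 5901, so it only works if the remote VNC service really listens on 5900. `run(BY_ESTABLISHED)` permits both replies and still denies a fresh SYN from the 10.13 side. Both sets permit the last segment: a crafted packet from 10.13 that merely carries source port 5900, or merely has the ACK bit set, reaches 10.10.10.1:22 as far as the filter is concerned. Neither rule tracks connections, which is the limitation Rick points out for UDP and ICMP; on IOS the stateful answers are reflexive ACLs or the zone-based firewall, not a longer static list.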

  • Virus access-list help

    Hello all,
    I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster variant or something.
    The problem is one of the systems guys says it's a legitimate service, something to do with Active Directory.
    When I do "sh logging" I see thousands of hits where it denies one packet at a time from port 445 to misc IP addresses.
    I do "sh access-list" and the deny 445 entry has millions of hits.
    We do a network-wide Symantec update and scan and find nothing.
    Should I disable this 445 entry? Is it a legitimate service?
    Thanx for any help

    Hello,
    Port 445 is SMB over TCP, now commonly referred to by Microsoft as CIFS (Common Internet File System). This is valid traffic, so internally between sites that transfer files you should not be blocking it, but from external nets it should by all means be blocked.
    HTH
    Patrick Laidlaw

  • Req help: creating access-lists

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T8.bin
    connected to internet by wic1-adsl card
    I would like to configure my router to block the following ranges of ip's.
    Start IP End IP
    69.25.60.0 69.25.61.255
    208.111.154.0 208.111.154.255
    209.249.86.0 209.249.86.255
    problem is I'm beginner level at configuring the cisco router so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

    Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
    I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
    no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
    Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
    ip access-list extended
    deny ip 69.25.60.0 0.0.1.255 any
    deny ip 208.111.154.0 0.0.0.255 any
    deny ip 209.249.86.0 0.0.0.255 any
    permit ip any any
    exit
    interface x/x
    ip access-group
    end
    Named ACLs are also typically easier to find in the config. For example, if you were to use a numbered ACL, say ACL 5, and later need to find everywhere it is used, you would have to search the config for "5", and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the router's parser syntax.

  • Need Help to create access-list based on traffic logs

    Hello,
    We didn't have any firewall in our network; we recently implemented a Cisco ASA (context) firewall in our network with an any-any permit rule.
    Our intention is to collect the source, destination, protocol & ports from the traffic logs and then implement the access-lists; once we have confirmed that all the rules have been added to the firewall, we want to remove the any-any permit rule.
    I need some suggestions regarding how we can proceed with this plan; any suggestions appreciated.
    Rajkumar

    Hi Rajkumar,
    That is not the ideal way of doing it... this will lead to provisioning access for an unauthorized person to something he is not authorized for.
    How many users do you have in your network? Try to categorize users based on their present authorization level of access... say Team A users need to access everything... then you need to group them and provide full access... Team B users need to be provided with only restricted access... then group them and provide restricted access...
    If your case is something like this... all users need unrestricted intranet access and certain users alone require Internet access... then you can define rules accordingly...
    Regards
    Karthik

  • Re RBA in BOP processing- need urgent help

    Hi ,
    I want to rerun RBA in BOP, but don't want to lose the previous partial confirmation. Is there any way to do this?
    Ex:
    Mat1 quantity req = 100, confirmed 60
    My SO appears as
    10   100       main item, requested quantity
    11    60       sub-item, confirmation
    12    40       sub-item, unconfirmed
    I want to rerun the rule in BOP only for sub-item 12.
    I don't want to lose the previous confirmation for 11, nor do I want any change in the delivery date for 11.
    Is there any way to achieve this, because in re-rule evaluation the system considers the main item?
    Need urgent help.
    Thanks n Regards
    Nitesh

    Someone please reply .
    Thanks
    Edited by: Ng Guan Meng on Mar 12, 2008 4:16 AM
