Access-list searching
Hi all, I have only a small question. Does anyone of you know an easy way to find out whether a communication is allowed or denied by an access-list? I cannot try the communication; I can only work with the lines of the access-list in the console. Maybe there exists some program or script for searching in an access-list. Thanks for your advice.
a) sh access-list (name)
It will show you the hitcount:
inet-FW# sh access-list no-nat-dmz
access-list no-nat-dmz; 2 elements
access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
You can use the pipe command for specifics, such as
show access-list (name) | include ftp
It will give you all lines containing deny.
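Since the question asks for a script rather than a hit counter, here is an added example (not code from the original thread) that answers "is this flow permitted?" offline from the text of `show access-list`. It parses ACEs in the format printed above (console-wrapped lines must be joined back together first), walks them top-down the way the firewall does (first matching entry wins, implicit deny at the end) and reports which line decided. Only the subset visible above is handled: permit/deny, a protocol keyword, and source/destination written as network plus subnet mask, `host A.B.C.D` or `any`; entries with port operators or object-groups are skipped with a warning, so check stderr before trusting a "deny" verdict. The sample ACL is constructed from the two lines above plus an explicit deny line.

```python
"""Offline first-match lookup against ASA/PIX-style `show access-list` output."""
import ipaddress
import re
import sys
from dataclasses import dataclass

# One ACE as printed by `show access-list`; "extended" is optional on newer ASA code.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+line\s+(?P<line>\d+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"\s*(?:\(hitcnt=\d+\))?$"
)


@dataclass
class Ace:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK') from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA prints a subnet mask here, not an IOS wildcard
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text):
    """Return the ACEs of one `show access-list` output, in evaluation order."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # "; N elements" header or unrelated console output
        tokens = m.group("rest").split()
        try:
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
        except (IndexError, ValueError):
            print(f"skipping unparsed ACE: {raw.strip()}", file=sys.stderr)
            continue
        if tokens:  # leftover tokens mean a port operator etc. we do not model
            print(f"skipping ACE with unsupported options: {raw.strip()}", file=sys.stderr)
            continue
        aces.append(Ace(int(m.group("line")), m.group("action"),
                        m.group("proto"), src, dst, raw.strip()))
    return aces


def lookup(aces, proto, src_ip, dst_ip):
    """First matching ACE decides; returns (action, line) or ('deny', None) for the implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action, ace.line
    return "deny", None


# Constructed sample: the two lines from the post plus an explicit catch-all deny.
SAMPLE = """\
access-list no-nat-dmz; 3 elements
access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 3 deny ip any any (hitcnt=17)
"""

if __name__ == "__main__":
    aces = parse_acl(SAMPLE)
    for flow in [("tcp", "10.157.36.7", "10.20.30.40"),
                 ("tcp", "10.100.36.7", "10.20.30.40"),
                 ("icmp", "10.100.36.7", "10.20.30.40")]:
        action, line = lookup(aces, *flow)
        print(f"{flow[0]} {flow[1]} -> {flow[2]}: {action} (line {line})")
```

Paste the real `show access-list NAME` output into `SAMPLE` (or read it from a file) and call `lookup()` with the protocol and the two endpoints; a result of `("deny", None)` means nothing matched and the implicit deny applied.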
Similar Messages
-
Hi All
For the past few months, I have been working with permission issues related to SharePoint 2013 site permission settings, using People Pickers to list, search and display users in order to assign or check permissions.
Our environment includes multiple domains and a few forests. Our SharePoint farm is installed in one domain, but the good thing is that our AD structure is configured so that all other domains and forests have two-way trusts with this domain, so domain users are authenticated and can access SharePoint just fine. Also, SharePoint uses the default claims authentication.
The problem is that People Picker does not display all domains' user accounts when site owners need to assign permissions. So to resolve the problem, I provisioned the SA - User Profile Service and imported AD domain user accounts (one way) into SharePoint.
I configured stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv
for all domains and forests (even though, as mentioned, we do have two-way trusts)
and sometimes tried different queries (user last name, domain\logonname, email address) if one was not showing.
With all that added, People Pickers now seem to find and display user accounts for all domains.
My question now is: do UPS and all AD domain users need to be imported into SharePoint, and is the STSADM configuration required, in order to have all domains' user accounts display in People Pickers so that site owners can find them and assign permissions when needed?
Please share your advice and comments, as they are really valuable to me.
Thanks
Swanl
UPS and people pickers are virtually unrelated. The only connection between them is to do with caching and updating user names and emails if they change over time; in other words, not relevant to your situation.
To answer your question directly: nope, you do not need to set up synchronisation connections to a domain to be able to pick up a person in a people picker. As you've seen, you may need to run some STSADM commands to make sure they are checking the right places. -
Convert named access list to line numbers
I printed out a document months ago which has since disappeared into my mountains of paperwork. Somewhere in that document was a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5, 10, 15 etc. or 10, 20, 30 etc.).
I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
Thank you!
Hi Emily,
I guess this is what you are looking for. I have not tried it myself but would like to test it out.
1. enable
2. configure terminal
3. ip access-list resequence access-list-name starting-sequence-number increment
4. ip access-list {standard | extended} access-list-name
5. sequence-number permit source source-wildcard
or
sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. sequence-number deny source source-wildcard
or
sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
This link should help :
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
regards,
-amit singh -
APEX Pages - User Access List with NTLM
Hi,
I'm building several APEX applications, using NTLM as their Authentication Scheme. With this, the users don't have to type any user name and password, and their user name is shown at the top right of the screen.
I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
1. users (hold user name, and user data)
2. pages (hold APEX Applications pages)
3. access_list (hold combined data of users and pages and access flag)
The last table will give me an SQL that can be used to create page level Authorization Scheme.
The problem is:
I cannot find a way to get a list of user ids to pre-populate the users table. Is there a way for an administrator user to use an LOV of all NTLM users instead of typing domain\user into this application? Or is there a better and more elegant way to create a User Access List with NTLM?
Your help will really help me, and thanks in advance.
Regards,
Aulia
This is kind of a follow-up to Scott's post. Instead of using your own tables to map user accounts to permissions etc., why not simply use LDAP to query the NT domain global catalog?
You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum. -
Can CS-MARS perform mitigation access-list on FWSM?
Hi guys!
I have couple questions:
1)Can CS-MARS perform mitigation access-list on FWSM?
2) How can I estimate how many events and netflows per second my MARS box receives?
Thanks
Don't do mitigation and don't have FWSM, so I can't answer your first question. Regarding the second... There are a couple of ways; neither is perfect, but they give you a good approximation.
a) Use the "Events and NetFlow" graph on the summary page. Divide the peak "avg/min" values by 60.
b) Collect the logs using the pnlog command in the CLI. In the janus-logs.tar.gz you will find a janus_log file. This is the same data shown in Admin->System Maintenance->View Log Files... except now you can search through it better. Use a tool like grep to pull out and sort the message rates. The last entry is your peak.
> grep "PN-2016" janus_log | cut -d" " -f7 | sort -n -
Show access-list | include
A couple of questions on show with include:
1. Can you do a show command with include and a space, meaning can you search for, say, "permit ip"?
2. Can you do a search for an exclude, say "show access-list | exclude eq"?
Sure, examples:
How do you do the include for words and spaces?
When filtering you can use the underscore to refer to spaces on the lines.
Can you do a show command for access-list where you are looking for permit IP without "eq"?
You can't mix commands, like mixing "inc" & "exc". So no.
Besides, the only available option when using two or more pipes is OR, in case you were wondering.
Now, examples
show run access-list test
access-list test remark hello world
access-list test remark helloworld
access-list test remark hey hello world
access-list test remark heyhelloworld
Now, filtering:
show run access-list | i hello
access-list test remark hello world
access-list test remark helloworld
access-list test remark hey hello world
access-list test remark heyhelloworld
show run access-list | i _world
access-list test remark hello world
access-list test remark hey hello world
show run access-list | i hey | world
access-list test remark hello world
access-list test remark hey hello world
I think that covers it.
Here is a good article about the topic:
http://stack.nil.com/ipcorner/EnhanceIOSUI/ -
Req help: creating access-lists
cisco 2651XM router
IOS: c2600-adventerprisek9-mz.124-15.T8.bin
connected to internet by wic1-adsl card
I would like to configure my router to block the following ranges of ip's.
Start IP End IP
69.25.60.0 69.25.61.255
208.111.154.0 208.111.154.255
209.249.86.0 209.249.86.255
The problem is that I'm at beginner level at configuring the Cisco router, so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.
Also, one final note: 12.4(15)T8 supports named ACLs, as does almost any IOS these days. This is a highly recommended practice.
I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
ip access-list extended
deny ip 69.25.60.0 0.0.1.255 any
deny ip 208.111.154.0 0.0.0.255 any
deny ip 209.249.86.0 0.0.0.255 any
exit
interface x/x
ip access-group
end
Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered acl, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the routers parser syntax. -
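The ranges in the question happen to be aligned blocks, but working out the wildcard mask by hand is error-prone, so here is an added example (not code from the thread) that turns start/end ranges into the fewest network/wildcard entries and renders the named ACL. An IOS wildcard is the bitwise inverse of the subnet mask, so 69.25.60.0-69.25.61.255 becomes `69.25.60.0 0.0.1.255`; a range that is not power-of-two aligned is split into several aligned blocks by `ipaddress.summarize_address_range()`. The rendered list carries sequence numbers, so a single entry can later be dropped with `no <seq>` rather than risking the whole-ACL deletion described above, and it ends in `permit ip any any`, which the snippet above omits but which is required here: without it the implicit deny would block all other traffic. The ACL name BLOCK-RANGES is an assumption.

```python
"""Build a named IOS ACL that denies arbitrary start/end address ranges."""
import ipaddress


def range_to_entries(start, end):
    """[(network, wildcard), ...] covering exactly the addresses start..end."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    # summarize_address_range() yields the minimal set of aligned CIDR blocks;
    # hostmask of each block is exactly the IOS wildcard mask.
    return [(str(net.network_address), str(net.hostmask))
            for net in ipaddress.summarize_address_range(first, last)]


def render_named_acl(name, ranges, step=10):
    """Named extended ACL: one numbered deny per aligned block, then permit the rest."""
    lines = [f"ip access-list extended {name}"]
    seq = step
    for start, end in ranges:
        for net, wildcard in range_to_entries(start, end):
            lines.append(f" {seq} deny ip {net} {wildcard} any")
            seq += step
    lines.append(f" {seq} permit ip any any")  # explicit, so the implicit deny never fires
    return "\n".join(lines)


# The three ranges from the question.
BLOCK_RANGES = [
    ("69.25.60.0", "69.25.61.255"),
    ("208.111.154.0", "208.111.154.255"),
    ("209.249.86.0", "209.249.86.255"),
]

if __name__ == "__main__":
    print(render_named_acl("BLOCK-RANGES", BLOCK_RANGES))
    print("interface x/x\n ip access-group BLOCK-RANGES in")
```

Apply the list inbound on the ADSL-facing interface; adding a further range later is one more tuple in `BLOCK_RANGES`, and the sequence numbers tell you exactly which line to `no` if one of them must be lifted.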
Hi All,
I'm adding an extended ACL on an ASA 5505, version 9.1, and found that in the source or destination field I can specify an interface name instead of an object or host/network, but I can't find it documented anywhere. What is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface, or what?
Use the interface name rather than the IP address to match traffic based on which interface is the source or destination of the traffic. You must specify the interface keyword instead of specifying the actual IP address in the ACL when the traffic source is a device interface. For example, you can use this option to block certain remote IP addresses from initiating a VPN session to the ASA by blocking ISAKMP. Any traffic originated from or destined to the ASA itself requires that you use the access-group command with the control-plane keyword. -
Vpn site to site and remote access , access lists
Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?
If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN... all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.
-
Hello Everyone,
I am trying to create an Access-List on my core switch, in which I want to allow a few internet websites and block the rest of them.
I want to allow the whole intranet, but a few intranet websites also need access to the internet.
Can we create such an Access-List with the above requirement?
I tried to create the ACL on the switch, but it blocks the whole internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access list?
Thanks in Advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general, just remember that access-lists are parsed from the top down, and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit ip any object-group intranet
permit ip object-group allowed_servers object-group allowed_sites
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
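The object-group approach above written out in full, as an added example that is not part of the answer; the addresses, the group members and the VLAN number are assumed. Two points worth checking when typing this in: `object-group network` members take a subnet mask (not the wildcard mask used in plain ACEs), and because the list is applied inbound on the users' SVI the source side is the user subnet, so "allow the whole intranet" is a destination match.

```cisco
! Constructed example: network groups referenced by the ACL
object-group network INTRANET
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
!
object-group network ALLOWED_SERVERS
 host 10.10.5.20
 host 10.10.5.21
!
object-group network ALLOWED_SITES
 host 203.0.113.10
 198.51.100.0 255.255.255.0
!
ip access-list extended MAIN_ACL
 10 permit ip any object-group INTRANET
 20 permit ip object-group ALLOWED_SERVERS object-group ALLOWED_SITES
 30 deny ip any any log
!
interface Vlan100
 ip access-group MAIN_ACL in
```

The explicit `deny ip any any log` at the end does the same job as the implicit deny but shows up in `show access-lists` hit counts and in the log, which is the quickest way to see which flow is being dropped when "the whole internet" stops working.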
I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine, along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the MAC address is included on that list and that the password is correct. Under choose network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi NIC bad in this thing with the new Apple firmware update? Any fix?
Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.
-
I can no longer access listing variations in Ebay after the upgrade
After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.
Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.
-
TV listing search no longer working correctly
Has anyone else noticed that the TV listing search doesn't work correctly? For example, if I'm looking for a football game with a team I want to watch (e.g. Penn State), no matches come up. The only way to find the game is to look for "College Football" and then read the descriptions for each game.
Very annoying. Anyone else have this issue?
I have found the exact issue you have stated regarding the Penn State games. Try searching for Nittany as the search word instead of Penn State - this has worked for me.
I agree there are many weaknesses in the FiOS search algorithm including not listing the HD version during search
-
IOS XR deny ace not supported in access list
Hi everybody,
We have a 10G interface; this is an MPLS trunk between an ASR 9010 and a 7613. The first thing we do, through a policy-map TK-MPLS_TG, is shape the interface output to 2G:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we have the policy TK-MPLS_EDGE-WAN as a service-policy inside. This new policy helps us assign bandwidth percentages to 5 class-maps, which in turn match the experimental values classified when the packets came into the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
What we want to do is assign a specific bandwidth to the proxy on output using the class W_AVAIL; the proxy is 150.2.1.100. We have an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY, and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very much appreciated.
That is correct: due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
If you have some traffic that you want to exclude, you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<don't do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
Even though the permit and deny may be overlapping in terms of match,
only the first class is matched here, DENY-ME.
cheers!
xander -
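The two-class rewrite from the reply above, applied to the ACL from the question, as an added example that is not part of Xander's answer; the names PXY-EXCLUDE and C_PXY-EXCLUDE are assumed. The four excluded destinations move into their own permit-only ACL, and its class is listed first in the child policy with no action, so those flows are consumed there and never reach the policer class, which is the same effect the deny ACEs were meant to have. Only permit ACEs remain, so the commit no longer hits the "Deny ace not supported" check.

```cisco
! Exclusion list: traffic from the proxy to the four networks that must not be policed
ipv4 access-list PXY-EXCLUDE
 10 permit ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
 20 permit ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
 30 permit ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
 40 permit ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
!
! Everything that should be policed; the deny ACEs are gone
ipv4 access-list PROXY-GIT-MEX
 10 permit tcp host 150.2.1.100 any
 20 permit tcp host 10.15.221.100 any
!
class-map match-any C_PXY-EXCLUDE
 match access-group ipv4 PXY-EXCLUDE
 end-class-map
!
class-map match-any C_PXY-GIT-MEX3
 match access-group ipv4 PROXY-GIT-MEX
 end-class-map
!
policy-map EDGE-MEX3-PXY
 ! First class wins: excluded flows land here and get no action
 class C_PXY-EXCLUDE
 !
 class C_PXY-GIT-MEX3
  police rate 300 mbps
 !
 class class-default
 !
 end-policy-map
!
! Unchanged: the child policy still hangs off W_AVAIL in TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
 class W_AVAIL
  service-policy EDGE-MEX3-PXY
 !
 end-policy-map
```

After committing, `show policy-map interface TenGigE0/3/0/0 output` should show matches accumulating in C_PXY-EXCLUDE for proxy traffic to those four networks and in C_PXY-GIT-MEX3 for the rest; if the exclusion counters stay at zero the class order inside EDGE-MEX3-PXY is the first thing to re-check.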
Hello,
There has been an access list in place where I work since well before I arrived, and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do: block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of PCs.
The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the PCs to go to our server and get the latest patches, but as part of the baselining process, all machines have a policy pushed to them that maps a share drive. This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it. I've tried changing the permit ip statement to permit tcp, but that just hoses the PC up and they get a "general failure" when trying to ping the share drive.
Here is access list:
ip access-list extended Quarantine_IN_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any eq 3389 any
permit ip any host x.x.x.x (baseline server)
permit ip any host x.x.x.x (share drive)
permit ip any host x.x.x.x (domain controller)
permit ip any host x.x.x.x (domain controller)
ip access-list extended Quarantine_Out_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq 3389
permit ip host (baseline server) any
permit ip host (share drive) any
permit ip host (domain controller) any
permit ip host (domain controller) any
As I said, I tried changing the permit ip host (baseline server) any and ip any host (baseline server) to permit tcp statements. That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements. That also didn't work.
Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
Thanks,
Kiley
Paul,
When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL. I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume. The ACL is applied to the L3 interface for baselining:
int vlan 500
description BASELINE VLAN
ip address x.x.x.x x.x.x.x
ip access-group Quarantine_IN_L1 in
ip access-group Quarantine_Out_L1 out
ip helper-address x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
Thanks,
Kiley