Access-list searching

Similar Messages

• SharePoint 2013 - What are all requirement components for People Pickers to list, search, display, and assign users permission

  Hi All
  the past few months, I have been working with permission issues related to SharePoint 2013 site permission settings using People Pickers to list, search, display users to assign or check permission.
  Our environment include multiple domains and few forests. Our SharePoint farm is installed on one domain but the good thing is our AD structure are configured to have all other domains and forests with 2 ways trusts with this domain so domain
  users are authenticated and can access SharePoint just fine. Also SharePoint use default claim authentication.
  The problem is People Picker is not display all domains user accounts when site owners need to assign permission. So to resolve the problem, I had provisioned
  SA - User profile service and Import AD domain user accounts (one way) into Sharepoint.
  I configured stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv
  for all domains and forests (eventhough, as mentioned we do have 2 ways trust)
  and sometime tried different query (user last name, domain\logonname, email address) if one is not showing.
  With all that added, People Pickers seem to find and display user account for all domains now.
  My question now is do UPS and all AD domains users need to be imported into SharePoint and STSadm configuration are required in order to have all domains user accounts to display in People Pickers so the site owners can
  find them and assign permission when needed?
  Please share your advices, comments as they are really valuable to me.
  Thanks
  Swanl

  UPS and people pickers are virtually unrelated. The only connection between them is to do with caching and updating user names and emails if they change over time, or in other words not relevant to your situation.
  To answer your question directly; Nope, you do not need to set up synchronisation connections to a domain to be able to pick up a person in a people picker. As you've seen you may need to run some STSADM commands to make sure they are checking the right
  places.

• Convert named access list to line numbers

  I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
  I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
  Thank you!

  Hi Emily,
  I guess this is what you are looking for. I have not tried it my self but would like to test it out.
  1. enable
  2. configure terminal
  3. ip access-list resequence access-list-name starting-sequence-number increment
  4. ip access-list {standard | extended} access-list-name
  5. sequence-number permit source source-wildcard
  or
  sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  6. sequence-number deny source source-wildcard
  or
  sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
  8. end
  9. show ip access-lists access-list-name
  This link should help :
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
  regards,
  -amit singh

• APEX Pages - User Access List with NTLM

  Hi,
  I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
  I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
  1. users (hold user name, and user data)
  2. pages (hold APEX Applications pages)
  3. access_list (hold combined data of users and pages and access flag)
  The last table will give me an SQL that can be used to create page level Authorization Scheme.
  The problem is:
  I cannot find a way to get a list of user ids to pre-populated the table users. Is there a way that an administrator user use an LOV of all NTLM user instead of typing domain\user to this application? OR is there a better and elegant way to create User Access List with NTLM.
  Your helps will really help me, and thanks in advance.
  Regards,
  Aulia

  This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
  You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
  That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
  If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
  Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
  I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

• Can CS-MARS perform mitigation access-list on FWSM?

  Hi guys!
  I have couple questions:
  1)Can CS-MARS perform mitigation access-list on FWSM?
  2)How I can estimate how many events and netflows in one second recieve my MARS box.
  Thanks

  Don't do mitigation and don't have FWSM, so I can't answer your first question. Regarding the second...There are a couple ways, neither is perfect but give you a good approximation.
  a) Use the "Events and NetFlow" graph on the summary page. Divide the peak "avg/min" values by 60.
  b) collect the logs using the pnlog command in the CLI. in the janus-logs.tar.gz you will find a janus_log file. This is the same data shown in Admin->System Maintenance->View Log Files...except now you can search through it better. Use a tool like grep to pull out and sort the message rates. the last entry is your peak.
  > grep "PN-2016" janus_log | cut -d" " -f7 | sort -n

• Show access-list | include

  Couple questions on show with include
  1. Can you do a show command with include and a space meaning can you search for say "permit ip"?
  2. Can you do a search for an exclude say "show access-list | exclude eq"?                  

  Sure, examples:
  How do you do the include for words and spaces?
  When filtering you can use the underscore to refer to spaces on the lines.
  Can you do a show command for access-list where you are looking for permit IP without "eq"?
  You can't mix commands like, mixing "inc" & "exc".  So no.
  Besides, the only available option when using two or more pipes is only OR, in case you were wondering.
  Now, examples
  show run access-list test
  access-list test remark hello world
  access-list test remark helloworld
  access-list  test remark hey hello world
  access-list  test remark heyhelloworld
  Now, filtering:
  show runnaccess-list | i hello
  access-list test remark hello world
  access-list test remark helloworld
  access-list test remark hey hello world
  access-list test remark heyhelloworld
  show run access-list | i _world
  access-list test remark hello world
  access-list  test remark hey hello world
  show run access-list | i hey |  world
  access-list test remark hello world
  access-list test remark hey hello world
  I think that covers it.
  Here is a good articule about the topic:
  http://stack.nil.com/ipcorner/EnhanceIOSUI/

• Req help: creating access-lists

  cisco 2651XM router
  IOS: c2600-adventerprisek9-mz.124-15.T8.bin
  connected to internet by wic1-adsl card
  I would like to configure my router to block the following ranges of ip's.
  Start IP End IP
  69.25.60.0 69.25.61.255
  208.111.154.0 208.111.154.255
  209.249.86.0 209.249.86.255
  problem is I'm beginner level at configuring the cisco router so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

  Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
  I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
  no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
  Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
  ip access-list extended
  deny ip 62.25.60.0 0.0.1.255 any
  deny ip 208.111.154.0 0.0.0.255 any
  deny ip 209.249.86.0 0.0.0.255
  exit
  interface x/x
  ip access-group
  end
  Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered acl, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the routers parser syntax.

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Vpn site to site and remote access , access lists

  Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

  If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

• How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

  Hellp Everyone,
  I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
  I want to allow the whole Intranet but few intranet websites also needs access to the internet.
  Can we create such Access-List with the above requirement.
  I tried to create the ACL on the switch but it blocks the whole internet access.
  i want to do it for a subnet not for a specific IP.
  Can someone help me in creating such access list.
  Thanks in Advance

  The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
  In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
  The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
  You would then use them as follows:
  ip access-list extended main_acl
  permit any object-group intranet any
  permit object-group allowed_servers object-group allowed_sites any
  interface vlan
  ip access-group main_acl in
  More details on the syntax and examples can be found here:
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

• I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

  I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

  Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

• I can no longer access listing variations in Ebay after the upgrade

  After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.

  Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.

• TV listing search no longer working correctly

  Has anyone else noticed that the TV listing search doesn't work correctly?  For example, if I'm looking for a football game with a team I want to watch (e.g. Penn State), no matches come up.  The only way to find the game is to look for "College Football" and then read the descriptions for each game.
  Very annoying.  Anyone else have this issue?

  I have found the exact issue you have stated regarding the Penn State games.  Try searching for Nittany for the search word instead of Penn State - this has worked for me.
  I agree there are many weaknesses in the FiOS search algorithm including not listing the HD version during search
  If a forum member gives an answer you like, give them the Kudos they deserve. If a member gives you the answer to your question, mark the answer as Accepted Solution so others can see the solution to the problem.

• IOS XR deny ace not supported in access list

  Hi everybody,
  We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
  interface TenGigE0/3/0/0
   cdp
   mtu 1568
   service-policy output TK-MPLS_TG
   ipv4 address 172.16.19.134 255.255.255.252
   mpls
    mtu 1568
  policy-map TK-MPLS_TG
  class class-default
    service-policy TK-MPLS_EDGE-WAN
    shape average 2000000000 bps
    bandwidth 2000000 kbps
  and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
  class-map match-any W_RTP
   match mpls experimental topmost 5
   match dscp ef
   end-class-map
  class-map match-any W_EMAIL
   match mpls experimental topmost 1
   match dscp cs1
   end-class-map
  class-map match-any W_VIDEO
   match mpls experimental topmost 4 3
   match dscp cs3 cs4
   end-class-map
  class-map match-any W_DATOS-CR
   match mpls experimental topmost 2
   match dscp cs2
   end-class-map
  class-map match-any W_AVAIL
   match mpls experimental topmost 0
   match dscp default
   end-class-map
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    bandwidth percent 2
  class class-default
  end-policy-map
  what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
  ipv4 access-list PROXY-GIT-MEX
  10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
  20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
  30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
  40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
  50 permit tcp host 150.2.1.100 any
  60 permit tcp host 10.15.221.100 any
  policy-map EDGE-MEX3-PXY
   class C_PXY-GIT-MEX3
    police rate 300 mbps
   class class-default
   end-policy-map
  class-map match-any C_PXY-GIT-MEX3
   match access-group ipv4 PROXY-GIT-MEX
   end-class-map
  we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    service-policy EDGE-MEX3-PXY
  class class-default
  end-policy-map
  and we get this:
  Wed Sep 17 18:35:36.537 UTC
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
  Wed Sep 17 18:35:49.662 UTC
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
  end
  Any  kind of help is very appreciated.

  That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
  unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
  if you have some traffic that you want to exclude you could do something like this:
  access-list PERMIT-ME
  1 permit
  2 permit
  3 permit
  access-list DENY-me
  !the exclude list
  1 permit
  2 permit
  3 permit
  policy-map X
  class DENY-ME
  <dont do anything> or set something rogue (like qos-group)
  class PERMIT-ME
  do here what you wanted to do as earlier.
  eventhough the permit and deny may be overlapping in terms of match.
  only the first class is matched here, DENY-ME.
  cheers!
  xander

• Access list issues

  Hello,
  There has been an access list in place where I work since well before I arrived and it doesn't quite work.  I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what was designed to do - block or "quarantine" devices so they are forced to update their systems with patches.  It is also used to help in the baselining of pcs.
  The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
  Here is access list:
  ip access-list extended Quarantine_IN_L1
  permit icmp any any
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit upd any any eq domain
  permit tcp any eq 3389 any
  permit ip any host x.x.x.x (baseline server)
  permit ip any host x.x.x.x (share drive)
  permit ip any host x.x.x.x (domain controller)
  permit ip any host x.x.x.x (domain controller)
  ip access-list extended Quarantine_Out_L1
  permit icmp any any
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit udp any an any eq domain
  permit tcp any any eq 3389
  permit ip host (baseline server) any
  permit ip host (share drive) any
  permit ip host (domain controller) any
  permit ip host (domain controller) any
  As I said, I tried changing the permit ip host (baseline server) any and ip  any host (baseline server) to permit tcp statements.  That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements.  That also didn't work.
  Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
  Thanks,
  Kiley

  Paul,
  When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
  int vlan 500
  description BASELINE VLAN
  ip addres x.x.x.x x.x.x.x
  ip access-group Quarantine_IN_L1 in
  ip access-group Quarantine_Out_L1 out
  ip helper-address x.x.x.x
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  Thanks,
  Kiley