Access-list through SNMP
Hi!
I have Linksys SPS224G4.
I'm trying to create a MAC access-list and bind it to an interface by using SNMP.
Please advise me: in which MIB can I find the OIDs to operate such functions?
These OIDs lie in qosclimib.mib
Similar Messages
-
Accessing Printer through SNMP in powershell???
Hi,
I want to access the printer's toner level etc. information. I have installed the service on my Windows 7, both SNMP and Traps.
What I cannot find out is how to access the printer using SNMP. What provider do I install, and how, in WMI or through PowerShell? What is the name of the snap-in? Where is it located? How do I import it using import-module, or how do I add its provider in WMI so that I get access to its cmdlets?
Your help is appreciated and thanks in advance !
Look forward to your solutions.
Sibtain
There is no support for SNMP in PowerShell. SNMP support for a printer comes from the printer vendor.
Contact your SNMP software vendor for assistance with SNMP.
¯\_(ツ)_/¯ -
I am using 4.1.1c (build b16) and testing restricting access to the SNMP MIBs. We are running inline with a separate interface for management (gi1/0), with an SNMP access-list defined and snmp-server access-list set.
snmp-server community public
snmp-server access-list SNMP
ip access-list standard SNMP
permit 10.10.10.2
When I walk the MIB from 10.10.10.2 and then look at the ACL, it doesn't show any access.
CM#sh ip access-list SNMP
Standard IP access list SNMP
1 permit 10.10.10.2
(implicit deny any: 0 matches)
total invocations: 0
To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP GRE encapsulated traffic that it receives, you can use the wccp access-list global configuration command.
-
How to access Access List information through SNMP?
Hi,
I wonder if it is possible to access a router's access list info (ACL type, name, entries, stats) through SNMP.
Using the SNMP Object Navigator I have found a MIB and OIDs that should allow me to do just that:
Object: ciscoACLMIB
OID: 1.3.6.1.4.1.9.9.808
MIB: CISCO-ACL-MIB
Description: "This MIB module defines objects that describe Cisco Access Control Lists (ACL)."
But clicking on the "Supported Images" link shows that this MIB is not supported in any IOS release? I have tested with an snmpwalk on a few routers with different IOS versions and I don't get any results:
SNMPv2-SMI::enterprises.9.9.808 = No Such Object available on this agent at this OID
Is there any way to read the ACL info through SNMP? Can anybody explain to me how to do this?
Thanks in advance.
Alberto
Hi Alberto,
Unfortunately, it is not possible to get ACL information via SNMP.
There is an enhancement bug already filed for the same:
CSCdu44167 no corresponding MIB for show access-list on a router.
Thanks-
Afroz
***Ratings Encourages Contributors *** -
I recently downloaded the 5.1.1 and all of a sudden the contact icon has disappeared. I can still access my contact list through the phone icon, but I want the contact icon back. How can I reinstall it?
You can't delete it. Look on all your screens and inside all your folders. If you still can't find it go to Settings>General>Reset>Reset Home Screen Layout. This will restore the home screen to its original configuration but may move other apps around to do so.
-
Access provisioning through Access List
I have inter-VLAN routing done on my core switch, through which subnets are restricted from accessing each other; for example, subnet 10.1.23.0 cannot access subnet 10.1.24.0.
Due to a certain requirement I want 10.1.23.19 (a user's workstation IP) to be able to access 10.1.24.41 (a user's workstation IP).
Is it possible to do that without disturbing my inter-VLAN routing? Please suggest.
Below is the configuration of inter-VLAN routing on my core switch; please suggest.
interface Vlan2
description IAS
ip address 10.1.14.2 255.255.254.0
ip access-group IAS out
vrrp 2 ip 10.1.14.5
vrrp 2 priority 99
interface Vlan3
description MKT
no ip address
ip access-group MKT out
vrrp 3 ip 10.1.6.5
vrrp 3 priority 99
interface Vlan4
description ESG
ip address 10.1.16.2 255.255.255.128
ip access-group ESS out
vrrp 4 ip 10.1.16.5
vrrp 4 priority 99
interface Vlan5
description NMSG
ip address 10.1.24.2 255.255.255.128
vrrp 5 ip 10.1.24.5
vrrp 5 priority 99
interface Vlan6
description OAG
ip address 10.1.26.2 255.255.255.128
vrrp 6 ip 10.1.26.5
vrrp 6 priority 99
interface Vlan7
description SMG
ip address 10.1.28.2 255.255.255.128
ip access-group SMG out
vrrp 7 ip 10.1.28.5
vrrp 7 priority 99
interface Vlan8
description DMG
ip address 10.1.30.2 255.255.255.128
ip access-group DMG out
vrrp 8 ip 10.1.30.5
vrrp 8 priority 99
interface Vlan9
description DMS_UAT
ip address 10.1.32.2 255.255.255.128
ip access-group DMS_UAT out
vrrp 9 ip 10.1.32.5
vrrp 9 priority 99
interface Vlan10
description SEG
ip address 10.1.34.2 255.255.254.0
vrrp 10 ip 10.1.34.5
vrrp 10 priority 99
interface Vlan11
description SEG-2
ip address 10.1.33.2 255.255.255.128
vrrp 11 ip 10.1.33.5
vrrp 11 priority 99
interface Vlan12
description Finance_F2
ip address 10.1.2.2 255.255.255.0
vrrp 12 ip 10.1.2.5
vrrp 12 priority 99
interface Vlan13
description Operations
ip address 10.1.10.2 255.255.255.128
ip access-group OPS out
vrrp 13 ip 10.1.10.5
vrrp 13 priority 99
interface Vlan17
description PD&T
ip address 10.1.36.2 255.255.255.128
ip access-group PDT out
vrrp 17 ip 10.1.36.5
vrrp 17 priority 99
interface Vlan18
description HR&Admin
ip address 10.1.8.2 255.255.255.0
ip access-group HR&Admin out
vrrp 18 ip 10.1.8.5
vrrp 18 priority 99
interface Vlan19
no ip address
interface Vlan20
no ip address
interface Vlan21
no ip address
interface Vlan22
description SEG3
ip address 10.1.44.2 255.255.255.128
ip access-group SEG3 out
vrrp 22 ip 10.1.44.5
vrrp 22 priority 99
interface Vlan23
description Call_Center
ip address 10.1.42.2 255.255.255.0
ip access-group CC out
vrrp 23 ip 10.1.42.5
vrrp 23 priority 99
interface Vlan24
description IT_Sec
ip address 10.1.23.2 255.255.255.0
vrrp 23 ip 10.1.23.5
vrrp 23 priority 99
interface Vlan25
description Q-mgmt
ip address 10.1.9.2 255.255.255.0
ip access-group ACESSCONTROL out
vrrp 25 ip 10.1.9.5
vrrp 25 priority 99
interface Vlan26
description RTA
ip address 10.1.150.2 255.255.254.0
ip access-group RTA out
vrrp 26 ip 10.1.150.5
vrrp 26 priority 99
interface Vlan27
description P&D
ip address 10.1.45.2 255.255.255.0
ip access-group PD out
vrrp 27 ip 10.1.45.5
vrrp 27 priority 99
interface Vlan28
description Trustee
ip address 10.1.18.2 255.255.255.0
ip access-group TRUSTEE out
vrrp 28 ip 10.1.18.5
vrrp 28 priority 99
ip access-list standard CC
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard CEO
deny 10.1.2.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard CS
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
ip access-list standard DMG
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard DMSSCAN
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard DMS_UAT
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard ESS
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard FIN
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard HRADMIN
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard IAD
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard IAS
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard ITSEC
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
ip access-list standard MKT
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard NMSG
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard OAG
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
ip access-list standard OPS
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard PD
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard PDT
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard Q-mgmt
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
permit any
ip access-list standard RTA
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
permit any
ip access-list standard SEG
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard SEG2
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard SEG3
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard SMG
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.18.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard TRUSTEE
deny 10.1.2.0 0.0.0.255
deny 10.1.4.0 0.0.0.255
deny 10.1.6.0 0.0.0.255
deny 10.1.8.0 0.0.0.255
deny 10.1.9.0 0.0.0.255
deny 10.1.10.0 0.0.0.255
deny 10.1.12.0 0.0.0.255
deny 10.1.14.0 0.0.0.255
deny 10.1.23.0 0.0.0.255
deny 10.1.24.0 0.0.0.255
deny 10.1.26.0 0.0.0.255
deny 10.1.28.0 0.0.0.255
deny 10.1.30.0 0.0.0.255
deny 10.1.32.0 0.0.0.255
deny 10.1.33.0 0.0.0.255
deny 10.1.34.0 0.0.0.255
deny 10.1.35.0 0.0.0.255
deny 10.1.36.0 0.0.0.255
deny 10.1.38.0 0.0.0.255
deny 10.1.42.0 0.0.0.255
deny 10.1.44.0 0.0.0.255
deny 10.1.45.0 0.0.0.255
deny 10.1.48.0 0.0.0.255
deny 10.1.50.0 0.0.0.255
deny 10.1.150.0 0.0.0.255
permit any
ip access-list standard static-routes
permit 10.1.136.0 0.0.1.255
permit 10.1.138.0 0.0.1.255
permit 10.1.142.0 0.0.0.255
permit 10.1.144.0 0.0.1.255
permit 10.1.160.0 0.0.1.255
permit 10.1.200.0 0.0.1.255
permit 10.1.204.0 0.0.1.255
permit 10.1.210.0 0.0.0.255
permit 10.1.222.0 0.0.1.255
permit 172.18.100.0 0.0.0.255
permit 172.18.101.0 0.0.0.255
permit 172.18.102.0 0.0.0.255
permit 172.18.103.0 0.0.0.255
permit 172.18.104.0 0.0.0.255
permit 172.18.105.0 0.0.0.255
permit 172.18.106.0 0.0.0.255
permit 10.1.146.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
permit 10.1.145.0 0.0.0.255
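To make the evaluation order of these standard ACLs concrete, here is an added example (not code from the post or the switch) that parses ACLs in the posted format and evaluates them first-match with the implicit deny; standard ACLs match on source address only. The NMSG and static-routes entries are a shortened transcription used as constructed sample data, and the with_host_exception helper is an illustration of why the position of an entry decides its effect, not a recommendation for this network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the ACLs from the post (NMSG shortened to three entries).
SAMPLE_CONFIG = """
ip access-list standard NMSG
 deny 10.1.2.0 0.0.0.255
 deny 10.1.23.0 0.0.0.255
 permit any
ip access-list standard static-routes
 permit 10.1.136.0 0.0.1.255
 permit 192.168.1.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    """One entry of a standard ACL: an action and the source prefix it matches."""
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS address/wildcard notation (0.0.1.255 = /23) to a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        # Non-contiguous wildcards (e.g. 0.0.255.0) are legal but are not prefixes.
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def parse_ace(parts: list[str]) -> Ace:
    """Parse 'deny 10.1.2.0 0.0.0.255', 'permit any', 'permit host 10.10.10.2'
    or 'permit 10.10.10.2' (a bare address is an implicit host entry)."""
    action, rest = parts[0], parts[1:]
    if rest[0] == "any":
        source = ipaddress.IPv4Network("0.0.0.0/0")
    elif rest[0] == "host":
        source = ipaddress.IPv4Network(rest[1] + "/32")
    elif len(rest) >= 2 and rest[1][0].isdigit():
        source = wildcard_to_network(rest[0], rest[1])
    else:
        source = ipaddress.IPv4Network(rest[0] + "/32")
    return Ace(action, source)


def parse_standard_acls(config: str) -> dict[str, list[Ace]]:
    """Collect every 'ip access-list standard NAME' block from IOS-style config text."""
    acls: dict[str, list[Ace]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "access-list", "standard"]:
            current = parts[3]
            acls[current] = []
            continue
        if parts[0].isdigit():             # 'show' output carries sequence numbers
            parts = parts[1:]
        if current is not None and parts[0] in ("permit", "deny"):
            acls[current].append(parse_ace(parts))
        else:
            current = None                 # any other line ends the ACL block
    return acls


def evaluate(acl: list[Ace], src: str) -> tuple[str, Optional[Ace]]:
    """First matching entry decides; a source matching no entry hits the implicit deny."""
    ip = ipaddress.IPv4Address(src)
    for ace in acl:
        if ip in ace.source:
            return ace.action, ace
    return "deny", None


def with_host_exception(acl: list[Ace], host: str, position: int) -> list[Ace]:
    """Return a copy of the ACL with 'permit host HOST' inserted at POSITION.
    Because evaluation is first-match, the same entry permits the host only
    when it sits before the subnet deny that would otherwise catch it."""
    exception = Ace("permit", ipaddress.IPv4Network(host + "/32"))
    return acl[:position] + [exception] + acl[position:]


if __name__ == "__main__":
    acls = parse_standard_acls(SAMPLE_CONFIG)
    for src in ("10.1.23.19", "10.1.26.7", "10.1.137.200"):
        for name, acl in acls.items():
            verdict, hit = evaluate(acl, src)
            print(f"{name:14} {src:14} -> {verdict} ({hit})")
```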
-
Access Server through VIP (ACE 4710) but very slow
Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly help. Accessing the server is very slow. Please check my real configuration. This configuration is for the application server, and after this I have to configure more serverfarms for different servers like webmail etc. on this ACE 4710. I have only one ACE 4710.
ACE version A4(2.0): does this version support probes? Without a probe the server works, but very slowly. And please guide me on whether a NAT pool is required.
VIP: 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
webhost-redirection / 302
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 192.168.10.3
inservice
rserver host web2
ip address 192.168.10.4
inservice
rserver host web3
ip address 192.168.10.5
inservice
serverfarm host http
rserver web1
inservice
rserver web2
inservice
rserver web3
inservice
serverfarm redirect https_redirect_farm
description Redirect traffic to https
serverfarm redirect maintenance_farm
description send user to maintenance page
parameter-map type connection paramap_http
description parameter connection tcp
exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
timeout activeconns
serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
class class-default
permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
permit
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
inspect http policy slb-vip-http
connection advanced-options paramap_http
interface vlan 30
description "Client Side"
ip address 172.16.15.24 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
ip address 192.168.10.1 255.255.255.0
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain default-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain default-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem
Hi Shiva,
Please guide me; I'm new to the ACE LB. Also find my network design for connecting the ACE to the server. Server access is very, very slow, but when I connect through my old software server LB (with two interfaces) access is very fast. I just replaced my old server LB (with two interfaces) with the ACE 4710 and connected the same scenario, so why is the server not accessed smoothly via the VIP? Reply soon. I only connect the ACE's two interfaces to the switch.
Regards,
Prem
-
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613. The first thing we do is, through a policy-map TK-MPLS_TG, shape the output of the interface to 2G:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside it. This new policy helps us assign a bandwidth percentage to 5 class-maps, which in turn match the experimental values classified when the packets come into the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
What we want to do is assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY, and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct: due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes permits only.
If you have some traffic that you want to exclude, you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
Even though the permit and deny lists may be overlapping in terms of match,
only the first class is matched here, DENY-ME.
cheers!
xander
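As an added illustration of the two-class approach in the reply (not code from the thread), this Python model rewrites the posted PROXY-GIT-MEX ACL into permit-only exclude and match lists, evaluates the first-match policy-map, and checks that the rewrite classifies each constructed flow the way the original ACL would. The class names, the "none" action for the exclude class and the CIDR transcription of the wildcards are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry; protocol 'ipv4' matches any IP protocol."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, flow: tuple[str, str, str]) -> bool:
        src, dst, proto = flow
        return (self.proto in ("ipv4", proto)
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)


# The posted ACL PROXY-GIT-MEX transcribed to CIDR (0.0.0.255 = /24, 0.0.0.127 = /25).
PROXY = net("150.2.1.100/32")
PROXY_GIT_MEX = [
    Ace("deny", "ipv4", PROXY, net("10.15.142.0/24")),
    Ace("deny", "ipv4", PROXY, net("10.15.244.0/24")),
    Ace("deny", "ipv4", PROXY, net("10.18.52.0/25")),
    Ace("deny", "ipv4", PROXY, net("10.16.4.0/24")),
    Ace("permit", "tcp", PROXY, ANY),
    Ace("permit", "tcp", net("10.15.221.100/32"), ANY),
]


def acl_verdict(acl: list[Ace], flow: tuple[str, str, str]) -> str:
    """Ordinary ACL semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action
    return "deny"


def split_for_qos(acl: list[Ace]) -> tuple[list[Ace], list[Ace]]:
    """Rewrite a mixed ACL into two permit-only ACLs as the reply suggests: the
    exclude list (DENY-ME) is every deny re-expressed as a permit, and the match
    list (PERMIT-ME) is the original permits. Assumes, as in the posted ACL,
    that the denies precede any overlapping permits."""
    exclude = [Ace("permit", a.proto, a.src, a.dst) for a in acl if a.action == "deny"]
    match = [a for a in acl if a.action == "permit"]
    return exclude, match


def classify(policy, flow: tuple[str, str, str]) -> tuple[str, str]:
    """First-match policy-map: (class name, action) of the first class whose
    permit-only ACL matches the flow, else class-default with no action."""
    for name, acl, action in policy:
        if any(ace.matches(flow) for ace in acl):
            return name, action
    return "class-default", "none"


def build_policy(acl: list[Ace]):
    """Model of policy-map X from the reply: the exclude class is listed first,
    so flows matching both lists never reach the policed class."""
    exclude, match = split_for_qos(acl)
    return [("DENY-ME", exclude, "none"),
            ("PERMIT-ME", match, "police rate 300 mbps")]


def equivalent(acl: list[Ace], flows) -> bool:
    """The rewrite preserves the original intent when exactly the flows the
    original ACL permits land in PERMIT-ME."""
    policy = build_policy(acl)
    return all((acl_verdict(acl, f) == "permit") == (classify(policy, f)[0] == "PERMIT-ME")
               for f in flows)


# Constructed sample flows: (source, destination, protocol).
FLOWS = [
    ("150.2.1.100", "10.15.142.7", "tcp"),    # excluded network -> DENY-ME, not policed
    ("150.2.1.100", "10.18.52.200", "tcp"),   # outside the /25 -> policed
    ("150.2.1.100", "203.0.113.5", "tcp"),    # proxy to the internet -> policed
    ("150.2.1.100", "203.0.113.5", "udp"),    # permits are tcp-only -> class-default
    ("10.15.221.100", "203.0.113.5", "tcp"),  # second permitted host -> policed
    ("198.51.100.9", "203.0.113.5", "tcp"),   # unrelated host -> class-default
]

if __name__ == "__main__":
    policy = build_policy(PROXY_GIT_MEX)
    for flow in FLOWS:
        print(flow, "->", classify(policy, flow))
    print("rewrite equivalent to original ACL:", equivalent(PROXY_GIT_MEX, FLOWS))
```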
-
My iphoto9 has not been able to open for over 10 days!! I can't load my Christmas pics, etc. I know the pics are still there because I can access them through a round about way. Can anyone help me to OPEN iPHOTO!?
To re-install iPhoto
1. Put the iPhoto.app in the trash (Drag it from your Applications Folder to the trash)
2a: On 10.5: Go to HD/Library/Receipts and remove any pkg file there with iPhoto in the name.
2b: On 10.6: Those receipts may be found as follows: In the Finder use the Go menu and select Go To Folder. In the resulting window type
/var/db/receipts/
2c: on 10.7 they're at
/private/var/db/receipts
A Finder Window will open at that location and you can remove the iPhoto pkg files.
3. Re-install.
If you purchased an iLife Disk, then iPhoto is on it.
If iPhoto was installed on your Mac when you got it, then it's on the System Restore disks that came with your Mac. Insert the first one and opt to 'Install Bundled Applications Only'.
If you purchased it on the App Store or have a Recent Mac you can find it in your Purchases List. -
ASA 5510 8.2(1) Using hostnames in access-lists?
I need to allow a specifc hostname through my firewall. I found this article: https://supportforums.cisco.com/docs/DOC-17014
But it's only for ASAs on 8.4 and above.
Doing more research, I found this article: http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
And have been trying to reverse engineer it. Am I on the right track?
Thanks in advance.
Hello Adam,
Here is the configuration you need:
access-list test extended permit tcp any any eq 80
regex GOOGLE \.google\.com
policy-map type inspect http GOOGLE
 parameters
 match not request header host regex GOOGLE
  reset log
class-map TEST
 match access-list test
policy-map global_policy
 class TEST
  inspect http GOOGLE
Regards
CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.
Julio -
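A caveat on the regex in the answer above, shown with an added Python check that is not part of the thread: ASA regexes are unanchored substring matches, so `\.google\.com` matches any Host header that merely contains that text, such as `www.google.com.attacker.example`, and does not match a bare `google.com`, which would be reset. More fundamentally, the Host header is supplied by the client, so a client that connects to any address on port 80 and sends `Host: www.google.com` passes the inspection; the policy constrains what the browser claims, not where the TCP connection goes. Python's `re` stands in for the ASA engine here; `^`, `$`, grouping and alternation also exist in ASA regex syntax, but confirm a pattern on the box with `test regex <text> <regex>` before relying on it. The sample hostnames and the anchored pattern are constructed for the example.

```python
import re

# Constructed Host header values a browser or an attacker might send.
SAMPLE_HOSTS = [
    "www.google.com",
    "mail.google.com",
    "google.com",                       # bare apex: no leading dot
    "www.google.com.attacker.example",  # google.com used as a prefix of another domain
    "www.google.com:8080",              # explicit port
    "notgoogle.com",                    # no dot before 'google'
]

POSTED = r"\.google\.com"                              # the regex from the answer
ANCHORED = r"^([a-z0-9-]+\.)*google\.com(:[0-9]+)?$"  # assumed hardened form: whole header


def allowed(pattern: str, host: str) -> bool:
    """Mimic 'match not request header host regex X' + 'reset':
    True means the request is NOT reset, i.e. the header matched the allow pattern."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def classify(pattern: str) -> dict[str, bool]:
    return {h: allowed(pattern, h) for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        print(name)
        for host, ok in classify(pat).items():
            print(f"  {host:34} {'allowed' if ok else 'reset'}")
```

Even the anchored form only decides on the claimed hostname; if the requirement is "this client may reach only Google's servers", the destination has to be restricted too, which on 8.2 means an ACL on resolved addresses, not HTTP inspection.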
Hello, I'm having problems getting an access-list to work. With the access-group 104 in I lose my internet connectivity.
Here's the config. If I remove the access-group 104 in from GigabitEthernet0/0 all works, but I want to have the settings on this interface.
What am I missing?
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r01
boot-start-marker
boot-end-marker
logging buffered 15000
no logging console
no aaa new-model
clock timezone CET 1 0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.17.1.1 172.17.1.30
ip dhcp excluded-address 172.17.1.240 172.17.1.254
ip dhcp excluded-address 172.17.3.1 172.17.3.30
ip dhcp excluded-address 172.17.3.240 172.17.3.254
ip dhcp pool VLAN1
network 172.17.1.0 255.255.255.0
domain-name r1.local
default-router 172.17.1.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip dhcp pool VLAN100
network 172.17.3.0 255.255.255.0
domain-name r1_Guest
default-router 172.17.3.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip domain name r1.lan
ip name-server 212.54.40.25
ip name-server 212.54.35.25
multilink bundle-name authenticated
crypto pki token default removal timeout 0
object-group network temp
description dummy addresses
1.1.1.1 255.255.255.0
2.2.2.2 255.255.255.0
object-group network vlan1-lan
172.17.1.0 255.255.255.0
object-group network vlan100-guest
172.17.3.0 255.255.255.0
object-group network ziggo-dns
host 212.54.40.25
host 212.54.35.25
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address dhcp
ip access-group 104 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description r1.local lan
ip address 172.17.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.1
description Vlan100 r1_Guest
encapsulation dot1Q 100
ip address 172.17.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.17.2.0 255.255.255.0 172.17.1.253
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any object-group vlan100-guest
access-list 102 permit ip any any log
access-list 103 deny ip any object-group vlan1-lan
access-list 103 permit ip any any
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log
no cdp run
control-plane
line con 0
login local
line aux 0
line 2
login local
no activation-character
no exec
transport preferred none
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
login local
transport input ssh
scheduler allocate 20000 1000
end
Hello,
I applied the rules and that works.
Only thing I have now:
Reboot router.
Interface 0/0 gets no DHCP address from ISP.
I have to remove the 104 in from int 0/0.
Then router logs: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x, hostname r01
Int 0/0 gets DHCP IP address, next I apply the ACL 104 in to int 0/0 and all works until the next reboot.
Maybe I have to put in a static IP address on int 0/0?
Thanks for your help! -
Static NAT using access-lists?
Hi,
I have an ASA5520 and I'm having an issue with static NAT configuration.
I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.
This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.
I have got this working using nat 0 as an exemption, but as there will be more clients accessing the physical address than the NAT address I would like to flip this logic if possible.
Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the NAT from 2.2.2.2 -> 1.1.1.1' and for everyone else, don't NAT?
My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would but don't see how to...
Thanks,
Des
Des,
You need to create an access-list to be used with the nat 0 statement.
access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
- this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
then use NAT 0 statement:
nat (inside) 0 access-list inside_nonat
to permit outside users to see inside addresses without NAT, flip this logic.
access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
nat (outside) 0 access-list outside_nonat
you'll also have to permit this traffic through the ACL of the outside interface.
access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
- Brandon -
Need to know where I can view ACL denies regarding "access-list deny any log"?
I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
I need to know where I can view the source addresses from where the packets were dropped. Could this be just in sh log? Thanks in advance for any help. Cheers
Hi,
Yes, with an extended access-list with the last line:
deny ip any any log
with "sh log" you can see the source address of the packets being dropped.
Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
logging console debugging
logging monitor debugging
With older IOS versions (before 12.4, at least) you had to add the following lines at the bottom of the ACL:
access-list 101 deny tcp any range 0 65535 any range 0 65535 log
access-list 101 deny udp any range 0 65535 any range 0 65535 log
access-list 101 deny icmp any any log
access-list 101 deny ip any any log
to log the sources and destinations IPs and port numbers.
Best Regards,
Pedro Lereno -
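The two threads above (the ACL 104 on GigabitEthernet0/0 that leaves the interface without a DHCP lease after a reboot, and Pedro's `deny ip any any log`) can both be reproduced offline with the following added Python model of first-match evaluation for IOS extended ACLs. It is not from either thread and not a Cisco tool; it understands only the ACE forms that appear in ACL 104 (`any`, `host`, address plus wildcard, `object-group`, `eq` ports, named ICMP types, `log`) and knows the port names `snmp`, `bootps` and `bootpc`. The constructed packets show that the ISP's DHCP OFFER (UDP source port 67 to destination port 68, delivered to the interface while it still has no address) matches nothing but the final `deny ip any any log`, so the interface only gets a lease while the ACL is detached, and the logged line is what `show log` would carry for it. The extra ACE `permit udp any eq bootps any eq bootpc` ahead of the deny is my suggested fix, not something the thread states; the packet addresses are documentation ranges and the log format approximates IOS's `%SEC-6-IPACCESSLOGP`.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network

PORT_NAMES = {"snmp": 161, "bootps": 67, "bootpc": 68, "ssh": 22}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11}
# object-group network "temp" from the posted config (entries are address + subnet mask)
OBJECT_GROUPS = {"temp": [ip_network("1.1.1.1/255.255.255.0", strict=False),
                          ip_network("2.2.2.2/255.255.255.0", strict=False)]}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


@dataclass
class Ace:
    text: str
    num: str
    action: str
    proto: str
    src: list[IPv4Network]
    dst: list[IPv4Network]
    sport: int | None
    dport: int | None
    icmp_type: int | None
    log: bool


def _addr(tokens: list[str]) -> list[IPv4Network]:
    """Consume one IOS address spec: any | host A | object-group G | A WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return [ip_network("0.0.0.0/0")]
    if t == "host":
        return [ip_network(tokens.pop(0))]
    if t == "object-group":
        return OBJECT_GROUPS[tokens.pop(0)]
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":             # IOS: all-zero wildcard is a single host
        return [ip_network(t)]
    if wildcard == "255.255.255.255":     # IOS: all-ones wildcard is any
        return [ip_network("0.0.0.0/0")]
    return [ip_network(f"{t}/{wildcard}", strict=False)]   # ipaddress accepts hostmasks


def _port(tokens: list[str]) -> int | None:
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an ACE: {line}")
    num, action, proto, tokens = tokens[1], tokens[2], tokens[3], tokens[4:]
    src = _addr(tokens)
    sport = _port(tokens)
    dst = _addr(tokens)
    dport = _port(tokens)
    icmp = ICMP_TYPES[tokens.pop(0)] if tokens and tokens[0] in ICMP_TYPES else None
    log = bool(tokens) and tokens[0] == "log"
    return Ace(line, num, action, proto, src, dst, sport, dport, icmp, log)


def _in(addr: str, nets: list[IPv4Network]) -> bool:
    return any(IPv4Address(addr) in n for n in nets)


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport)
            and ace.icmp_type in (None, pkt.icmp_type))


def evaluate(acl: list[Ace], pkt: Packet, log: list[str]) -> tuple[str, str]:
    """First match wins. No match is the implicit deny, which never logs."""
    for ace in acl:
        if matches(ace, pkt):
            if ace.log:   # approximates the %SEC-6-IPACCESSLOGP line seen in 'show log'
                verb = "denied" if ace.action == "deny" else "permitted"
                log.append(f"%SEC-6-IPACCESSLOGP: list {ace.num} {verb} {pkt.proto} "
                           f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport}), 1 packet")
            return ace.action, ace.text
    return "deny", "implicit deny any"


ACL_104_TEXT = """\
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log"""
ACL_104 = [parse_ace(l) for l in ACL_104_TEXT.splitlines()]
# Suggested fix (mine, not from the thread): let the ISP's DHCP server answer the router's client
DHCP_FIX = parse_ace("access-list 104 permit udp any eq bootps any eq bootpc")
ACL_104_FIXED = ACL_104[:-1] + [DHCP_FIX, ACL_104[-1]]

# Constructed packets (documentation address ranges) as the WAN interface would see them
DHCP_OFFER = Packet("udp", "203.0.113.1", "255.255.255.255", 67, 68)
SSH_IN = Packet("tcp", "198.51.100.7", "203.0.113.50", 51000, 22)
PING_REPLY = Packet("icmp", "192.0.2.9", "203.0.113.50", icmp_type=0)
PING_IN = Packet("icmp", "198.51.100.7", "203.0.113.50", icmp_type=8)
PING_FROM_TEMP = Packet("icmp", "1.1.1.5", "203.0.113.50", icmp_type=8)

if __name__ == "__main__":
    log: list[str] = []
    for name, pkt in [("dhcp offer", DHCP_OFFER), ("ssh in", SSH_IN),
                      ("ping reply", PING_REPLY), ("ping in", PING_IN)]:
        print(f"{name:11} acl 104: {evaluate(ACL_104, pkt, log)[0]:6} "
              f"fixed: {evaluate(ACL_104_FIXED, pkt, [])[0]}")
    print("\n".join(log))
```

Note what the model also makes visible: the `permit icmp 172.17.1.0 0.0.0.255 any` entry on an inbound WAN ACL can only match spoofed packets, since that subnet lives on GigabitEthernet0/1, and the `permit udp any any eq snmp` entry lets anyone on the internet talk to the router's SNMP agent; tightening the source of that ACE is worth doing at the same time as the DHCP fix.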
Access List and Conflict Resolution Problem!
My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
Setting the Conflict Resolution Level
You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
Unfortunately the referenced Administration Guide for DSAME contains exactly 0 occurrences of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
So, I've set up my Access List services as follows:
o URL Deny is blank on all Access Lists
o URL Allow set as follows
---- isp
------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
---- acme.com organization
------- Conflict Resolution: Highest
------- http://portal.acme.com/portal/* (same as above)
---- Acme Customers Role - shared role for all Acme customers
------- Conflict Resolution: Medium
------- http://www.acme.com/*
------- http://support.acme.com/*
------- http://support2.acme.com/*
---- RoadRunner role - specific role for a specific customer
------- Conflict Resolution: Medium
------- http://roadrunnerinfo.acme.com/*
The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
If I set the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels), I get the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
Thanks!
-matt
Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.
-
We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
Thanks
Eric
We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with interface FastE1/0, or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
create 2 access lists and assign one to each interface.
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any any
interface faste0/0
ip access-group 120 in
interface faste1/0
ip access-group 110 in
adjust addresses etc to fit your situation. Try it and let us know if it works.
HTH
Rick