Access List
Two servers are there say A & B. Both are in different VLAN. I can ping the server in both direction but I can open the shared folder through run command (\\ServerA\shareddrive). The switch having an ACL to permit only RDP and SQL traffic from Server B to A.
Please let me know which I have to enable to open the server through explorer.
Thanks
HI,
Normally, i know there is no specific Port / Service to Permit for using the shared drive access.
permit any any
will help in closing this Issue (or) if the shared drive in Server will be accessed only during certain Hrs in a day means i would recommend "Time Based ACLs".
Pls Rate if Helps
Best Regards,
Guru Prasad R
Similar Messages
-
Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword. -
Vpn site to site and remote access , access lists
Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?
If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.
-
Hellp Everyone,
I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
I want to allow the whole Intranet but few intranet websites also needs access to the internet.
Can we create such Access-List with the above requirement.
I tried to create the ACL on the switch but it blocks the whole internet access.
i want to do it for a subnet not for a specific IP.
Can someone help me in creating such access list.
Thanks in AdvanceThe exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?
Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.
-
I can no longer access listing variations in Ebay after the upgrade
After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.
Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.
-
IOS XR deny ace not supported in access list
Hi everybody,
We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
eventhough the permit and deny may be overlapping in terms of match.
only the first class is matched here, DENY-ME.
cheers!
xander -
Hello,
There has been an access list in place where I work since well before I arrived and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what was designed to do - block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of pcs.
The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive. This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it. I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
Here is access list:
ip access-list extended Quarantine_IN_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit upd any any eq domain
permit tcp any eq 3389 any
permit ip any host x.x.x.x (baseline server)
permit ip any host x.x.x.x (share drive)
permit ip any host x.x.x.x (domain controller)
permit ip any host x.x.x.x (domain controller)
ip access-list extended Quarantine_Out_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any an any eq domain
permit tcp any any eq 3389
permit ip host (baseline server) any
permit ip host (share drive) any
permit ip host (domain controller) any
permit ip host (domain controller) any
As I said, I tried changing the permit ip host (baseline server) any and ip any host (baseline server) to permit tcp statements. That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements. That also didn't work.
Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
Thanks,
KileyPaul,
When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL. I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume. The ACL is applied to the L3 interface for baselining:
int vlan 500
description BASELINE VLAN
ip addres x.x.x.x x.x.x.x
ip access-group Quarantine_IN_L1 in
ip access-group Quarantine_Out_L1 out
ip helper-address x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
Thanks,
Kiley -
Static nat with port redirection 8.3 access-list using un-nat port?
I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..Hello,
I would be more than glad to explain you what is going on!
The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
Regards,
Julio
Rate helpful posts -
Acl-name in access-list requirements
Hi,
I would ask about the acl-name in access-list,
Does it act as a link between the ACL and an interface?
or it could be written as any-thing, without any constrains?
such as
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
is it OK?
or test_ACL should be defined somewhere prior using it in ACL?just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs. Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map. Another comon use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
But for this specific ACL that you mention, the question you need to answer is, does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted? If the answer is no to either of thaese then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
Whether the ACL itself can be removed, I would assume it is safe to remove as it is called test_ACL, but then again, I have see people set up test configurations and then leave them as is without changing the name. So I would suggest investigating further to see if the name test_ACL is referenced any other places in your configuration.
Please remember to select a correct answer and rate helpful posts -
Access-List Process - Urgent Help
Dear All,
My question here in this forum , in the Process of :-
1- Which Interface should I apply this Access-list ?
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
Now, My question is here :-
Was I correct in choosing the Interface that I will apply this Access-list or not ?
Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
1. Fast Ethernet 0 / 0 :-
Description : connected to My Network as MY LAN .
IP Address of this Interface : 192.168.1.10 / 255.255.255.0
2. Fast Ethernet 0 /1 :-
Description : connected to Second Network on second Building.
IP Address of this Interface : 172.16.20.10 / 255.255.0.0
3. Serial Interface ( S 0 ).
Description : connected to My Server Farm which is in another Network
IP Address of this interface : 10.1.8.20 / 255.255.255.0.
> No any serial interface or any serial connection at all on my 1841 Route.
> The Default route on My Router is
> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
As anyone knows, its an Extended Access List.
So I wrote it like that:-
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
Router(config)# access-list 102 permit ip any any
Process of choosing the interface :-
1- Which Interface should I apply this Access-list ?
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
To answer and to understand the answer, for the 2 questions, here is my Process :-
First Interface f 0 / 0 :-
< this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
Second Interface f 0 / 1 :-
< this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
Third Interface S0:-
Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
So, final answer will be as following :-
1- Which Interface should I apply this Access-list ?
( Serial / 0 ) .
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
( Outbound ) .
Was I correct or not ? please some one is update me.The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.
-
A possible bug related to the Cisco ASA "show access-list"?
We encountered a strange problem in our ASA configuration.
In the "show running-config":
access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in extended permit ip object 172.31.254.2 any log
access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
access-list inside_access_in extended permit ip any object testCSM-object
access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in extended permit ip host 172.31.254.2 any log
access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
In the "show access-list":
access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a 3bacc1
access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x06 85254a
access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0 x7e7ca5a7
access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcn t=0) 0x02a111af
access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt =0) 0x19244261
access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcn t=0) 0x0dbff051
access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7 b798b0e
access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416 81b
access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416 81b
access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf 227
access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf 227
access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
There is a comment in the running config: (line 26)
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
Thanks in advance.
show version:
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.1(3)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fmciscoasa up 1 hour 56 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1Could be related to the following bug:
CSCtq12090: ACL remark line is missing when range object is configured in ACL
Fixed in 8.4(6), so update to a newer version and observe it again.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Need help for access list problem
Cisco 2901 ISR
I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3Hello,
Host will can't get internet connection
I remove this configuration...... access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and change the configuration .... ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I will allow only host 10.25.7.136 but it isn't work.
No internet connection from the TMG Server. -
We can figure this standard access list
We can figure this standard access list that's important remember that we use a standard access list want to block all traffic or permit all traffic from a particular
source or destination let's take a look at this machine right here that is IP address say
640-554 we want to stop him from going into the Ethernet interface I'm the ad man he made me midsummer block callers traffic he can get out anymore maybe this is even the internet out
here we know people like their Internet access so to get back at them I'm a block it what I can do is I can use deny statement in my access list access list
one did not .
http://640-554cisco.com/Hi Suresh,
ad 1) according to the documentation ( http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIHJAH )
"At least one of the following must be true for a user to be granted a particular permission:
The user's name appears in the xClbraUserList metadata field with the appropriate permission.
The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.
The user is part of an Enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission."
meaning that OOTB a user will be granted both Read permission as per user-granted permissions and RWD as per group-granted permissions (resulting into RWD because at the same level a union operation is used).
I'd say that conceptually, the group assignment should not be used in your use-case, because you don't want to assign permissions to group's users, do you? You could create new groups, or use assignment of permissions per user.
ad 2) check this: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIDCGD
Using ACLs, regardless User or Group Access Lists, always impacts the performance. And, it is difficult to maintain. From the information at the link you may understand how it is implemented - basically, the execution of the query will be affected by: a) how many items have to be evaluated b) the length of strings (xClbraUserList, xClbraAliasList) to be evaluated. -
MAC-Adress Filtering vs. Access - Lists
We are using two WLC 4400 Series Controller for our Guest WLAN. They are installed the way Cisco Recommends . One in our LAN and one in the DMZ.
I am looking for a possibility to deny company users the access to this WLAN with their notebooks. The WLAN has direkt internet access and we don't want our notebooks to be compromised...
With MAC-Adress Filterring I can only permit access to a specific Wlan or is there a way to negogiate such a filter to use it for a denial?
Is there a possibility to use access lists for the denial of specific Mac-Adresses to a specific WLAN ?
Anyone an other good Idea how to solve this issue?Well... MAC-address filter would work, but if you have alot to input, it can be a headache. ACL's I don't think will work, because users will get an ip from the guest network and then how can you know who has what address. Create a username password webauth page. The credentials can be changed each day or week depending.... and give this out to guest users to access the guest network. Now internal user can't access this unless the username password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.
-
Need Help to create access-list based on traffic logs
Hello,
We didn't have any Firewall in our network, we recently implemented Cisco ASA (Context) firewall in our network with any any permit rule .
Our intension is to collect the source, destination, protocol & ports based on the traffic logs and then implement the access-lists , once we confirmed all the rule will added to the firewall we want remove any any permit rule .
I need some suggestion regarding this how we can proceed on this plan, any suggestions appreciated
RajkumarHi Rajkumar,
That is not the ideal way of doing... this will lead to a provisioning an unauthorized person to access for something he is not authorized to.
How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....
If your case is something like this.... all users need unrestricted intranet access and certain users alone requires internet acceess... then you can define rules accordingly....
Regards
Karthik
Regards
Karthik
Maybe you are looking for
-
Hi I would like to create Read Only responsibility for administration purpose. As i have seen in this forum that, there are some read only resposibilities for AR, HR, AP etc. Like wise responsibility for administration purpose. I do not want to creat
-
RH8 snippets with hyperlinks to local host page bookmarks
Hi I use RH8 (with IE8 browser) and have started to use snippets to reuse common content. I have implemented the twistie javascript where the bookmark is inside a hotspot dropdown and when link to that bookmark the content is expanded. (Love this fun
-
What's my video adapter's IO address and interrupt level?
I installed solaris8.0 for intel platform. When I logged in as root, the graphic didn't appear normally. I ran the program KConfiguration, and didn't find the item named "Standard VGA 256 colors". And the program let me input the video adapter's I/O
-
IWS 6.0 can't find J2EE
I've configured the JRD/JDK Paths as such [x]JDK JDK Path: C:\j2sdk1.4.1_03 JDK Runtime Libpath: JDK Runtime Classpath: [ ]JRE JRE Path: <Disabled> JRE Runtime Libpath: <Disabled> ...and the server start fine, but when I try to access my servlet I g
-
Apps menu of creative cloud is empty. Just have a message saying download error.
Apps menu of creative cloud is empty. Just has a message saying download error. It gives me a button for downloading creative cloud (which I already have installed!). If I try and install any app, I get the same error. I initially installed creative