ACE access-list and Passive FTP

Similar Messages

• ACE access-list best practice

  Hi,
  I was wondering what was the best practice for the access-list's on the Cisco ACE.
  Should we permit Any in the access-list, and classify the traffic in the class-maps as seen in a brief example:
  access-list ANY line 10 extended permit ip any any
  access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
  access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
  class-map match-all EXCH-DMZ-INTERNET-OUT
    2 match access-list EXCH-DMZ-INTERNET-OUT
  policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
      nat dynamic 1 vlan 1001
  interface vlan 756
    description VLAN 744 EXCH DMZ BE
    ip address 10.134.11.253 255.255.255.0
    alias 10.134.11.254 255.255.255.0
    peer ip address 10.134.11.252 255.255.255.0
  access-group input ANY
    service-policy input EXCH-DMZ-OUT
  Or should we also also the access-list for the access-group in the interface as seen bellow:
  access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
  access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
  class-map match-all EXCH-DMZ-INTERNET-OUT
    2 match access-list EXCH-DMZ-INTERNET-OUT
  policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
      nat dynamic 1 vlan 1001
  interface vlan 756
    description VLAN 744 EXCH DMZ BE
    ip address 10.134.11.253 255.255.255.0
    alias 10.134.11.254 255.255.255.0
    peer ip address 10.134.11.252 255.255.255.0
    access-group input EXCH-DMZ-INTERNET-OUT
    service-policy input EXCH-DMZ-OUT
  Regards,

  Hello,
  I don't think you'll find a "best practice" for this scenario.  It really just comes down to meeting your needs.  The first example you have a far and away the more commonly seen configuration, as you'll only NAT the traffic matching the EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not.  The second way will only allow NAT'd traffic, and deny all others.
  Hope this helps,
  Sean

• Access List and Conflict Resolution Problem!

  My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
  I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
  Setting the Conflict Resolution Level
  You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
  See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
  Unfortunately the referenced Adminstration Guide for DSAME contains exactly 0 occurances of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
  So, I've set up my Access List services as follows:
  o URL Deny is blank on all Access Lists
  o URL Allow set as follows
  ---- isp
  ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
  ---- acme.com organization
  ------- Conflict Resolution: Highest
  ------- http://portal.acme.com/portal/* (same as above)
  ---- Acme Customers Role - shared role for all Acme customers
  ------- Conflict Resolution: Medium
  ------- http://www.acme.com/*
  ------- http://support.acme.com/*
  ------- http://support2.acme.com/*
  ---- RoadRunner role - specific role for a specific customer
  ------- Conflict Resolution: Medium
  ------- http://roadrunnerinfo.acme.com/*
  The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
  The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
  If I set the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
  If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
  So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
  Thanks!
  -matt

  Did you ever get anywhere with this. My experiments seem to inidicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

• VLAN's, subinterface, access-lists and 3560 catalyst switch?

  Hi,
  How can I isolate VLAN 121 from all others?
  I have a cisco 2811 router connected to a 3560 catalyst switch which has 5 VLAN's of which I need to protect IP traffic of 4 from 1.
  The following VLANs configured on the switch:
  VLAN 0 192.168.132.0 /24
  VLAN 135 ..135.0 /24
  VLAN 137 ..137.0 /24
  VLAN 139 ..139.0.24 and lastly,
  VLAN 121 192.168.121.0 /24 which I wish to isolate all IP from VLAN 0, 135, 137, and 139 but have internet out the 2811's other interface. Currently all VLAN's and routing are working perfectly.
  I need some advice please. Here is my plan:  to split the FA0/0 into FA0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 to the FA0/0 interface. Since I'm essentially creating VLAN's with the router can or will that interfere with the Switch VLAN configuration? router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
  Thank you!

  I will have to assume VLAN 0 is the native VLAN / default interface on the router?  All VLANs are numbered native or not.  Just ensure the VLAN numbering matches between the router and the trunking on the switch.
  Yes, you could create a sub interface on the 2811 and use the router to route the VLAN.  Apply an access list on the other interfaces to block access to the VLAN you want to protect.  If you have routing enabled on the 3560 as well you would complicate the situation a bit more. 
  Please rate helpful posts! :-)

• Active and Passive FTP

  Hi
  I want to setup an Passive FTP and an Active proxy service in Oracle Service Bus 10.3. What is the best way of doing this?
  Regards

  see support note 860423.1
  Oracle Service Bus FTP transport is implemented to use passive mode in proxy services (inbound) and active mode in business services (outbound).
  This behavior can be changed and OSB can be forced to use passive mode for both inbound and outbound FTP requests by applying a patch.

• Wireless Card Access List and Airport Extreme ?

  I would like to know if there is a possility to restrict to specific MAC adresses the access to a Airport Extreme N base station wifi network .
  Thanks

  Access control MAC address filtering) provides no real security and could lull you into the feeling that your wireless network is secure.
  The MAC addresses of connected clients are easily discovered and cloned. Furthermore, access control provides zero protection for the actual wireless traffic. Anyone (regardless of MAC address) can monitor the wireless traffic.

• Let's Revisit MacOS Server's Passive FTP Problem

  Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections. More often than not, this means that clients behind NAT routers (for a variety of complicated reasons) can't discover which of the "high ports" are being used in their passive connection. Furthermore the Mac OS X administrator would have to open every port above 1024 to anticipate connections, severly weakening the security of the system.
  The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
  Here's a primer on the difference between Active and Passive FTP:
  http://slacksite.com/other/ftp.html
  Apple introduced a "solution" to the problem by making this addition to the Network Services manual sometime around 10.3 server:
  "See if the client is using FTP passive mode, and turn it off. Passive mode causes the FTP server to open a connection on a dynamically determined port to the client, which could conflict with port filters set up in IP filter service. "
  This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations. The typical workaround was choppy, but workable: replace Apple's built-in FTP daemon with a fully configurable one like ProFTPd or PureFTPd, configure a narrow range of ports for your own security, and configure your firewall to match.
  We're on Tiger server now and that's still in the Network Services manual. Leopard or whatever is looming. Will Apple ship an FTP server that works out-of-the-box with its own firewall this time? Any new thoughts or solutions?

  I think you need to do a little more research on FTP. Most of the actual problems you describe are inherent in FTP and nothing to do with any kind of Apple-inhibited FTP server.
  For example, you say:
  > Mac OS X Server's built-in FTP server can't be configured to determine which ports above 1024 will be used for Passive FTP connections
  Not true. You can choose whatever port range you like using the portrange directive in /etc/ftpd.conf
  By default this directive isn't set so the entire port range is used. Feel free to change that.
  >The effect for the user is that their FTP client can connect, but can't list the contents of a directory or upload/download anything.
  This is an inherent flaw in FTP, suffered by every FTP server on the market. Nothing to do with Apple.
  > This was a tacit admission that MacOS's various FTP daemons over the years have unchangeable, precompiled configurations
  Again, incorrect. The suggestion was a workaround for the FTP protocol restriction, not for Apple's implementation. I've been dealing with the exact same issues for years on various Sun servers I've run.
  Most of the problems you describe regarding FTP and firewalls won't be solved at all in any future OS update - from any vendor. FTP was never designed with firewalls and security in mind. The only solution is to fix the underlying protocol, or use something different altogether.

• MS Access, SharePoint and Security

  Let's say I sign up for Office 365.
  I use the SharePoint Site that comes with it to house my MS Access Lists and my compiled database *.accmde file.
  Can I set up a separate sub-site with only admin access to house a list of userID's and passwords so that when the user runs the database, it looks up this list and identifies the user, type of user, and which filter for the data in the full access sites.
  If that works, then I would also want to put the data in a limited sub-site and have the accmde file retrieve that data behind the scenes. I would like to limit accidental access to the data if at all possible.
  Any suggestions on how to design the tool for this?
  Frank

  Hi FrankHayAlexcander
  It seems you have the following questions about hosting Access data on Office 365
  Can Access connect to multiple SharePoint sub-site?
  Can you store User info in one sub-site to control what data the user sees?
  Can you hide these sub-sites so that users can't accidentally see this data?
  The short answer is that I'm not sure that what you are trying to do is even possible in a Web database published to SharePoint, and certainly would be very difficult in a traditional database.
  If you create a Web database in Access 2010 and publish it to SharePoint, then it is limited to the tables / SharePoint Lists in that sub-site.
  In this case the credentials of the user are passed to SharePoint to retrieve data. This means that to read the list the user would have to have permissions and so they could go out the site directly and see the same data.
  Using SharePoint permissions you could control what the user can see, but Access isn't going to be able to add much to that.
  If you create a traditional database, then you can link to lists in multiple SharePoint site as well as other providers like SQL, and Excel.
  When you created the link table here you have the option to store the credentials with the linked table.
  If you do not store the credentials the user will be prompted for the credentials to use.
  You could store the credentials for an Admin user when you link the table, but the problem is that if a user opens your database in the full version of Access can get to the linked tables, they will be able to see all of the data anyway.
  When it comes to security, the best answer is always to secure the data using the native features of the data store such as SharePoint, SQL, etc.
  Best Regards,
  Nathan Ost
  Microsoft Online Community Support
  Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Time Capsule Access Control and Extended Network Question

  I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as the those for the network from TC that it is extending…or does that happen automatically…and if not what on earth are they for?
  Thanks for any help…this doesn't seem clear from what I've read/seen.
  James

  I have a Time Capsule where I have set up a wireless network access list…and extended the network using an Airport Express unit. The Airport Express unit also has settings for an Access Control list. Do these need to be the same as the those for the network from TC that it is extending…or does that happen automatically…and if not what on earth are they for?
  Unfortunately, they are not automatically applied to each base station in an extended network. You would have to manually enter the exact same list in each base station.

• Cisco 12.1 Access-list

  We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
  Thanks

  Eric
  We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with inteface FastE1/0 or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
  The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
  assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
  create 2 access lists and assign one to each interface.
  access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 110 permit ip any any
  access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 120 permit ip any any
  interface faste0/0
  ip access-group 120 in
  interface faste1/0
  ip access-group 110 in
  adjust addresses etc to fit your situation. Try it and let us know if it works.
  HTH
  Rick

• Port Forwarding & Access List Problems

  Good morning all,
  I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists, and port forwarding configurations and I can not seem to access the server from outside the network. . I've included my config file below, any help would be greatly appreciated!  I've researched a lot lately but I'm still learning.  Side note:  I've replaced the external ip address with 1.1.1.1.
  I've added the bold lines in the config file below in hopes to forward port 80 to 192.168.0.250 to no avail.  You may notice I dont have access-list 102 that i created on any interfaces.  This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet. 
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname pantera-office
  boot-start-marker
  boot-end-marker
  no logging buffered
  enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  dot11 syslog
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.0.1 192.168.0.150
  ip dhcp excluded-address 192.168.0.251 192.168.0.254
  ip dhcp pool private
     import all
     network 192.168.0.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4 
     default-router 192.168.0.1 
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  ip domain name network.local
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-4211276024
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-4211276024
   revocation-check none
   rsakeypair TP-self-signed-4211276024
  crypto pki certificate chain TP-self-signed-4211276024
   certificate self-signed 01
    3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
    69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535 
    31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132 
    37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
    8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626 
    31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881 
    1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4 
    93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96 
    D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06 
    03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261 
    746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF 
    41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41 
    FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D 
    14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944 
    82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703 
    E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79 
    D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
    quit
  username pantera privilege 15 password 0 XXXX
  username aneuron privilege 15 password 0 XXXX
  archive
   log config
    hidekeys
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key xxxx address 2.2.2.2
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
  crypto map SDM_CMAP_1 1 ipsec-isakmp 
   description Tunnel to 2.2.2.2
   set peer 2.2.2.2
   set transform-set ESP-3DES-SHA 
   match address 100
  interface FastEthernet0/0
   description $ETH-WAN$
   ip address 2.2.2.2 255.255.255.0
   ip nat outside
   ip virtual-reassembly
   duplex auto
   speed auto
   crypto map SDM_CMAP_1
  interface FastEthernet0/1
   description $ETH-LAN$
   ip address 192.168.0.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly
   duplex auto
   speed auto
  interface Serial0/0/0
   no ip address
   shutdown
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 1.1.1.1
  no ip http server
  ip http authentication local
  no ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
  ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
  ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
  ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
  ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
  ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
  ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
  ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
  ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
  ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
  ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
  ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.0.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
  access-list 101 permit ip 192.168.0.0 0.0.0.255 any
  access-list 102 remark Web Server ACL
  access-list 102 permit tcp any any
  snmp-server community public RO
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps vrrp
  snmp-server enable traps ds1
  snmp-server enable traps tty
  snmp-server enable traps eigrp
  snmp-server enable traps envmon
  snmp-server enable traps flash insertion removal
  snmp-server enable traps icsudsu
  snmp-server enable traps isdn call-information
  snmp-server enable traps isdn layer2
  snmp-server enable traps isdn chan-not-avail
  snmp-server enable traps isdn ietf
  snmp-server enable traps ds0-busyout
  snmp-server enable traps ds1-loopback
  snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
  snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
  snmp-server enable traps disassociate
  snmp-server enable traps deauthenticate
  snmp-server enable traps authenticate-fail
  snmp-server enable traps dot11-qos
  snmp-server enable traps switch-over
  snmp-server enable traps rogue-ap
  snmp-server enable traps wlan-wep
  snmp-server enable traps bgp
  snmp-server enable traps cnpd
  snmp-server enable traps config-copy
  snmp-server enable traps config
  snmp-server enable traps entity
  snmp-server enable traps resource-policy
  snmp-server enable traps event-manager
  snmp-server enable traps frame-relay multilink bundle-mismatch
  snmp-server enable traps frame-relay
  snmp-server enable traps frame-relay subif
  snmp-server enable traps hsrp
  snmp-server enable traps ipmulticast
  snmp-server enable traps msdp
  snmp-server enable traps mvpn
  snmp-server enable traps ospf state-change
  snmp-server enable traps ospf errors
  snmp-server enable traps ospf retransmit
  snmp-server enable traps ospf lsa
  snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
  snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
  snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
  snmp-server enable traps ospf cisco-specific errors
  snmp-server enable traps ospf cisco-specific retransmit
  snmp-server enable traps ospf cisco-specific lsa
  snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
  snmp-server enable traps pppoe
  snmp-server enable traps cpu threshold
  snmp-server enable traps rsvp
  snmp-server enable traps syslog
  snmp-server enable traps l2tun session
  snmp-server enable traps l2tun pseudowire status
  snmp-server enable traps vtp
  snmp-server enable traps aaa_server
  snmp-server enable traps atm subif
  snmp-server enable traps firewall serverstatus
  snmp-server enable traps isakmp policy add
  snmp-server enable traps isakmp policy delete
  snmp-server enable traps isakmp tunnel start
  snmp-server enable traps isakmp tunnel stop
  snmp-server enable traps ipsec cryptomap add
  snmp-server enable traps ipsec cryptomap delete
  snmp-server enable traps ipsec cryptomap attach
  snmp-server enable traps ipsec cryptomap detach
  snmp-server enable traps ipsec tunnel start
  snmp-server enable traps ipsec tunnel stop
  snmp-server enable traps ipsec too-many-sas
  snmp-server enable traps ipsla
  snmp-server enable traps rf
  route-map SDM_RMAP_1 permit 1
   match ip address 101
  control-plane
  line con 0
   logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  end
  Any/All help is greatly appreciated!  I'm sorry if I sound like a newby!
  -Evan

  Hello,
  According to the config you posted 2.2.2.2 is your wan ip address and 1.1.1.1 is the next hop address for your wan connection. The ip nat configuration for port forwarding should look like
  Ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
  If your provider assigns you a dynamic ipv4 address to the wan interface you can use
  Ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
  Verify the settings with show ip nat translation.
  Your access list 102 permits only tcp traffic. If you apply the acl to an interface dns won't work anymore (and all other udp traffic). You might want to use a statefull firewall solution like cbac or zbf combined with an inbound acl on the wan interface.
  Best Regards
  Lukasz

• Convert named access list to line numbers

  I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
  I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
  Thank you!

  Hi Emily,
  I guess this is what you are looking for. I have not tried it my self but would like to test it out.
  1. enable
  2. configure terminal
  3. ip access-list resequence access-list-name starting-sequence-number increment
  4. ip access-list {standard | extended} access-list-name
  5. sequence-number permit source source-wildcard
  or
  sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  6. sequence-number deny source source-wildcard
  or
  sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
  7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
  8. end
  9. show ip access-lists access-list-name
  This link should help :
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
  regards,
  -amit singh

• WCS Error when clicking on Access List

  When I log into the WCS and under Security open up Access List and then click on one of the Access List to edit it I get the error message Attached.  And this is also causing an Audit mismatch too.  Any ideas?

  Is your WCS version equal to or higher than the wlc? Make sure all the services are running fine, but I get errors when te command fails due to the fact that something else has to be disabled or removed first.
  Thanks,
  Scott Fella
  Sent from my iPhone

• How to specify target host in Access-list on 1700 router

  I want to be able to specify the target host on an access list and when I try to enter the IP and sub-net mask I get wierd result. This is on a 1700 router. I type: access-list 100 permit tcp any XXX.XXX.XXX.XXX 255.255.255.248 eq smtp where XXX.XXX.XXX.XXX is a public IP of a virtual email server on my inside.
  I get:
  access-list 100 permit tcp any 0.0.0.2 255.255.255.248 eq smtp
  Why does XXX.XXX.XXX.XXX get interpreted as 0.0.0.2?
  Thanks,
  Dave

  Dave,
  The address got converted to 0.0.0.2 because you used a subnet mask (255.255.255.248) where you should have used a wildcard mask (0.0.0.7).
  Regardless of what the network portion of the address was, when the router sees "255" in any position in the wildcard mask, it interprets that as "it really doesn't matter what number is in this part of the IP address". So it corrects your notation and replaces that part of the IP address with the placeholder "0".
  The fact that it put a ".2" at the end of the address indicates that the binary pattern of whatever XXX.XXX.XXX.XXX was ended in "010". The last octet was one of the numbers in this sequence: .2, .10, .18, ... (increments of 8), .114, or .122. The "248" in the last part of your wildcard mask told the router "it doesn't matter what number's here, as long as the last three binary bits match". The router just simplified the last .XXX you entered to the smallest number that had a matching binary pattern; in this case it was ".2".
  Something to remember: Use subnet masks for static routes and interface addressing; and wildcard masks for ACLs.
  The easiest way to calculate the wildcard mask you want, if you're used to seeing things in subnet mask format, is to subtract the subnet mask from 255.255.255.255. For example:
  255.255.255.255
  -255.255.255.248 (subnet mask)
  0.0.0.7 (wildcard mask)
  If you want to specify a single host address rather than a masked range of addresses, use the notation "host XXX.XXX.XXX.XXX". If you use the notation "XXX.XXX.XXX.XXX 0.0.0.0" where 0.0.0.0 is the wildcard mask, the router will convert it to "host XXX.XXX.XXX.XXX". (Go ahead, try it and see.)
  Similarly, if you want to specify all host addresses, use "any" as you have already done; or you can try "0.0.0.0 255.255.255.255" and the router will convert it to "any" for you. (Try this one too.)
  Check out the useful IP Subnet Calculator download at http://www.Boson.com -- it's free:
  Wildcard Mask Checker & Decimal-to-IP Calculator
  a neat little utility to check what your wildcard mask actually matches, and, converts from Decimal to IP address format.
  http://www.boson.com/promo/utilities.htm
  Hope this helps.

• Access-list MGCP?

  On my Cat6500 do I need to do create an access-list to allow MGCP traffic on ports 2427 and 2727 through? I know this sounds dumb but for some reason on my Allied switch MGCP traffic flow fine with no access list and it doesn't on the Cat6500.
  Thanks!

  u dont unless u have FWSM, or any kind of ACLs, or maybe VLANs issue, or ip routing, vlan routing
  check those issues
  Rate if helpful