ACL issue

Similar Messages

• PLM Web UI ACM/ACL issue

  Hi All,
  I am configuring PLM Business package/ Web UI in portal. Version EHP4. (PLM Web UI)
  Every screen (Material, BOM) giving me error "Authorizations are missing" . I know this trusted user issue.
  I provided the role "SAP_PLMWUI_TRUSTED_USER_ALL" in ECC System.
  How I can fix the problem? Which roles I need to assign to resolve the problem. FYI, Document are working fine. Because documents are not the part of ACM
  2. I am looking in to SAP Help for authorizations  but there are not detailed steps to set up these ACM/ACL .
  3. How I can generate Root Context. There is a program we can run in SE38. But before that I need to assign Context Admin role to in IMG. Which role I need to assign as Context Admin.
  I appreciate your help. Thanks in Advance.
  Regards
  Mark

  administrator can set up the whitelist in Customizing for SAP NetWeaver under SAP
  Web Application Server Web Dynpro ABAP Set-Up Active Controls Whitelist .
  o The whitelist has to be named DEFAULT.
  o File Extension
  All files of this type can be executed in an external program by using the
  Customizing option %auto%. For more information see Customizing for Logistics
  General under Product Lifecycle Management PLM Web User Interface
  Objects Document in PLM Web UI Define Workstation Application
  o Application
  Enter applications to be used for viewing or editing a file.
  o Download
  Enter at least one directory and one server. The system opens the directory and
  all subdirectories for the download.
  o Upload
  Enter at least one directory and one server. The system opens the directory and
  all subdirectories for the upload.
  Make an entry for each option (File Extension, Application, Download,
  Upload).
  o Find the correct server name for upload and download
  Working with a local whitelist in a SAP system requires a certificate for the system used.
  The administrator must download the certificate using transaction WDR_ACF_GEN_CERT.
  Alternatively, the administrator can create the new certificate in Customizing for SAP
  NetWeaver under Application Server Web Dynpro ABAP Generate Certificate for
  Whitelist
  3. Each user has to install the certifcate using transaction ACF_WHITELIST_SETUP.
  Alternatively, the user can install the certificate via Customizing for SAP NetWeaver
  under Application Server Web Dynpro ABAP Activate Active Controls Whitelist .
  o The provided list of whitelists is only for display reasons. The certificate is always
  installed for the DEFAULT whitelist.
  o You have to install the certificate after each change of the DEFAULT whitelist

• Acl issue in L3 Switch SVI

  HI
  I hope might be a number of issues has reported like this, I am gettnig confused about the direction of an acl, when it is on a router's physical interface and when it is on a Layer Switch SVI interface, I think my understanidng about acl needs to get cleared, need your kind input please.
  I have a L3 switch with 3 vlans
  Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connect to another router some where in in another network on 172.16.1.1/24)
  Vlan 10 - Server-Vlan - 172.16.10.1/24
  Vlan 11 - User-Vlan - 172.16.11.1/24
  I want to allow only specific network to come inside to my network to access all the subnets, other all must be blocked.
  I want all in my network to access any thing outside the network.
  i tried to configure acl as below-
  access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
  int vlan 1
  ip add 172.16.1.1 255.255.255.0
  ip access-group 101 in
  When i am trying from outisde (172.16.100.1) -
  Ping 172.16.10.1 - Good (expected)
  Ping 172.16.11.1 - NOT (expected)
  When I am trying to ping from inside Server-Vlan (172.16.10.1)
  Ping 172.16.100.1 - Good
  The problem -
  When i am trying to ping from inside User-Vlan (172.16.11.1) to go outside to 172.16.100.1 am not getting reply
  what is wrong happening here in this scenario?
  regards
  Sunny

  Hi Jon,
  I was working on the ACL for the above issue. i have found the below thigs-
  int vlan 1
  des Routing vlan
  ip 172.16.1.1 255.255.255.0
  ip access-group 110 in
  int vlan 10
  des server vlan
  ip 172.16.10.1 255.255.255.0
  int vlan 11
  des Users
  ip add 172.16.11.1 255.255.255.0
  ip access-group 100 in
  acl applied on vlan 10 and and 11 are inbound in direction so as like we have mentioned before, the traffic coming from each vlan (172.16.10.x OR 172.16.11.x) can be filtered at the SVI itself. infact i need to put below statement in bold to ping its own gateway.
  ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
  ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
  ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
  ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
  And for filtering the traffic coming from outside, i had to put the acl on interface vlan 1 and called in INBOUND direction.
  access-list 110 permit ip 172.16.100.0. 0.0.0.255 172.16.10.0 .0.0.0.255
  access-list 110 permit ip 172.16.100.0. 0.0.0.255 172.16.11.0 .0.0.0.255
  access-list 110 permit ip 172.16.101.0. 0.0.0.255 172.16.10.0 .0.0.0.255
  access-list 110 permit ip 172.16.101.0. 0.0.0.255 172.16.11.0 .0.0.0.255
  what i understood,
  for vlan 10 or 11 - if i call outbound means the traffic coming from outside and destined to inside of that vlan.
  for vlan 10 or 11 - if i call inbound means the traffic coming from inside of that vlan and destined to outside.
  But for Vlan 1, which is the routing vlan,connecting to the other network the behaviour is just reverse-
  If i call inbound means the traffic coming in to that vlan initerface from Outside
  If i call outbound means the traffic that going out through that interface.
  so i ddint call any acl in outbound direction as of now.
  Dear Jon, thanks for taking time to describing the scenario in detail before.
  please check this and let me know that my conclusion is correct or is there anything left to be in the loop again...!!!
  Thanks and Regards
  Suuny

• Robocopy ACL Issue

  Hello,
  I am trying to copy a folder from one server to another using Robocopy in Windows 2008.  The security permissions on the folder (ACLs) are not copying properly.
  Folder Details:
  Folder #1 on Server A has the following ACLs: Domain Admin -> Full Control, UserX -> Full Control
  When I use robocopy with the /copyall parameter and copy Folder #1 from Server A to Server B it is missing the "UserX" permission under the security tab.  The parent folder on Server B does not have inheritance turned on and its security is set to Domain Admin -> Full Control.  Why aren't my security/ACLs (namely the permissions ofr USERX) copying properly?
  Thanks in advance,
  D

  I came across this thread because I have been researching the very same issue. Likewise I am running Windows Server 2008 X64 SP2 on both servers.
  Be wary of those who throw out suggestions to check your syntax, yet are not intimately familiar with this issue. Many people making such suggestions often do not know what the different versions of Robocopy are, what limitations each version has, how to get each version or what has changed syntax-wise from version to version. Yet they talk with authority. This has always been and will always be part of open public forums. Of course we should always look at our syntax. However this seems to be an issue with the new version of Robocopy.
  I haven't hammered the solution down yet, but here are some things to try:
  1) Note that many people on other forums are saying that if the source has inheritance turned on, then Robocopy will not copy the permissions over, especially those at the root of a drive. Others have suggested turning off inheritance on the source. I don't like that solution. I turn on inheritance for a reason.
  2) I have tried copying one level down from the root with some success. For example, instead of this:
  Robocopy.exe \\server1\e$  e:   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1 (or whatever your parameters are...)
  try going down one level...
  Robocopy.exe \\server1\e$\folder1  e:\folder1   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1
  I don't like this solution either. It is so much simpler to copy from the root of one drive to the root of another drive on another server. I don't want to have to do extra scripting to gather the names of the folders one level below the root and then add For Loops to my script.
  3) In some forums people are suggesting to use Robocopy to copy data and icacls.exe to handle the permisssions, at least on the root. I plan to explore this option next. Once again, I don't like the solution. I expect Robocopy to be able to handle this.
  Of course I'll eat my shoe if it turns out that Robocopy works just fine and I simply don't have the right syntax.

• Complex NAT and ACL issue with multiple VLANS

  Hello Forum. 
  We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
  From outside the firewall, people need to be able to get to the webserver via http, https and a custom  port (3390). From outside the firewall, no one needs DNS access.
  From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to Webserver from all VLANS
  The VLANS themselves are defined on the core switches, not the ASA The Vlan labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the vlan name. So for example VLAN 10 is on the 10.10.10.x subnet, vlan 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits
  WHAT WORKS:
  Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there
  Inside_in: traffic from vlan 10 to vlan 5 works fine, but I think that is in part to the any any allow rule on the vlan 10 interface. Apart from that, all vlans can get out to the web, but they cannot get proper DNS resoliution or access the webserver across vlans
  I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated

  Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work

• ACE ACL issue

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Hello
  I am trying to allow access to one of the ace contexts from out-of-band network. I'd like to secure it so nothing from the ace side should be able to connect to the OOB network, and some particular hosts should have access to the ace context by ssh.
  I have already configured the appropriate management class-map that secure the SSH access to the ace, but I have a problem with securing the opposite way. I've configured the ACL that deny all ip and icmp traffic and I applied it to the outside direction of the management vlan.
  Unfortunately I can still ping and access some resources in the OOB network from the ACE context.
  Do you know what else should I do to make it works ?
  Thanks in advance for any help.
  Regards
  Lucas

  Hello
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Thanks. I've check it from different vlan and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modification made in the ACL do not impact the already established sessions.
  Do you know any recommendation regarding the management access design in the ACE environment? I am wondering if it is more recommended to implement one mgmt vlan for all the ACE contexts or one mgmt vlan per context.
  Thank you for the answer.
  Ragards
  Lucas

• ACL issue in EasyDMS 7.0

  Hi all,
  I had created one DIR in Easy DMS and later given the Read access to one of the user. but when i had logged on from his id to view the DIR. It says you do not have necessary authorization.
  How it comes when i had given him the rights to read DIR.
  Does i have to control it from PFCG, then what is the use of giving ACL Feature at Doc level. What i believe is, if Access rights are defined in ACL then it should by pass other object authorization. Pls correct me if i'm wrong.
  Pls note: User has following OBJECTS Authorization from PFCG.
  ACO_SUPER profile with ACO_ACT_S value ' ' and ACO_OTYP_S value ' '.
  C_DRAD_OBJ  , C_DRAW_BGR ,  C_DRAW_DOK,  C_DRAW_MUP, C_DRAW_STA, C_DRAW_TCD, C_DRAW_TCS
  In the above object list, all activities are assigned.
  Regards,
  S Anand

  check http://wiki.sdn.sap.com/wiki/display/PLM/CADMS-AuthorizationObjects

• Cannot get into development Infrastructure (ACL Issue)

  Hi We are on SP15. When I try to get into the development infrastructure using the URL
  http://<server>:<port>/devinf and input the login ID and password
  , it says not authorized.
  The ID is the Admin ID and is assigned to the groups NWDI.Administrator.
  I understand you need to do some ACL settings through the DTR prespective in the developer studio to grant the permissions. Can someone let me know step by step how to do this..
  Thanks

  Hi Angel,
  First of all, thanks for trying to help.
  defaultTrace.trc gives 2 entries when I try to reach http://host:port/devinf.
  The first is:
  User Guest, IP address
  HTTP request processing failed. HTTP error [401] will be returned. The error is [No login module succeeded.No details available].
  The second is:
  User Administrator, IP address
  HTTP request processing failed. HTTP error [403] will be returned. The error is [You are not authorized to view the requested resource.No details available].
  Besides that: no users are locked.
  Do you have a clue now?
  Regards, Fred

• Named ACL issue

  Hi all
  ---R1------R2
  Both R1 and R2 run EIGRP. now there is the prefix 172.16.(1~255).0/24,and the summary prefix 172.16.0.0/16 coming into R1,
  Here has a problem: they require only can use "PERMIT" and named ACL at R1's interface which links to R2 to deny the prefix 172.16.10.0/24 into the R2.
  what shall i do?
  thanks advance!

  Hi Matthew,
  Could you please explain the task more clearly. I'm a little confused:
  The summary prefix 172.16.0.0/16 comes from R2-to-R1.
  I believe the task is to deny prefix 172.16.10.0/24 coming from R2-to-R1.
  Are there any other conditions?
  Can I remove and change the summarization on R2?
  Is there a limitation on the number of acl statements on R1?
  Cheers:
  Istvan

• Extended ACL Issue

  I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
  I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
  ip-access-list extended ACL_TCP
  deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
  permit tcp any any established
  Is there a better way to do this? Does this extended ACL work for my purpose?

  What direction did you apply this? I'm assuming in the inbound direction?
  Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
  Try the following:
  ip access-list ext ACL_TCP
  deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
  deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
  deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
  Apply to your loopback:
  ip access-group ACL_TCP in
  Next question:
  Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
  HTH,
  John

• OID - ACL issue

  Has anyone applied acl's via ldapmodify syntax and then looked in the "Oracle Directory Manager" java tool and noticed that they are not displayed correctly?
  Thanks :(

  Hi,
  Though a bit risky, you can try using the 'remtool'.
  'remtool -pdelnode/pcleanup' and add the 2nd node as the master using 'remtool -asrsetup'.
  -- Pramod Aravind

• ACL issue on 3750x

  Hi All,
  i have 5 vlan on 3750x switch, (vlan 10,20,30,40,50 )
  and i had applied ACL on Switch so that no user can access vlan 30.
  All things are working fine but all LAN user can access vlan 30 server ip, but unable to access vlan 30 users.
  Please help ...
  let me know required things to be configure.

  Hi,
  Below is the config which is correct please solve this one and last 1 was incorrect.
  the IP address of the LAN user accessing the server IP (172.24.10.0 255.255.248.0)
  the above subnet is able to access that server ip (172.24.30.5) but not able to access the other user of vlan 30.
  so i want that none of the lan user should able to access vlan 30 and its server ip.
  interface Vlan10
  ip address 172.24.1.1 255.255.255.0
  ip access-group 101 in
  interface Vlan20
  ip address 172.24.2.1 255.255.255.0
  ip access-group 102 in
  interface Vlan30
  ip address 172.24.3.1 255.255.255.0
  ip access-group 103 in
  ip access-group 150 out
  interface Vlan40
  ip address 172.24.4.1 255.255.255.0
  ip access-group 104 in
  interface Vlan50
  ip address 172.24.16.1 255.255.255.192
  ip access-group 100 in
  interface Vlan100
  ip address 172.24.10.250 255.255.248.0
  access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
  access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
  access-list 100 deny   ip 172.24.16.0 0.0.0.63 172.24.8.0 0.0.7.255
  access-list 100 permit ip any any
  access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.2.0 0.0.0.255
  access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.3.0 0.0.0.255
  access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.4.0 0.0.0.255
  access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.16.0 0.0.0.63
  access-list 101 permit ip any any
  access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.1.0 0.0.0.255
  access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.3.0 0.0.0.255
  access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.4.0 0.0.0.255
  access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.16.0 0.0.0.63
  access-list 102 permit ip any any
  access-list 103 permit ip host 172.24.3.26 any
  access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
  access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
  access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
  access-list 103 deny   ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
  access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
  access-list 103 permit ip any any
  access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.1.0 0.0.0.255
  access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.2.0 0.0.0.255
  access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.3.0 0.0.0.255
  access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.16.0 0.0.0.63
  access-list 104 permit ip any any
  access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.1.0 0.0.0.255
  access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.2.0 0.0.0.255
  access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.3.0 0.0.0.255
  access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.4.0 0.0.0.255
  access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.10.0 0.0.0.255
  access-list 105 permit ip any any
  access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
  access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
  access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
  access-list 150 permit ip any any

• I am stuck. Extended ACL issues

  I been at this for a long time and I simply do not know what this practice lab wants. I mean I think I input the correct information but the % does not go up.
  Says for my ACL's I'm supposed to
  Allow telnet to R1 and R3 from R2 only
  Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.
  Do not allow PC1 to receive traffic from the 10.0.0.128/25 network.
  I emplemented many ACL's and tried various things but nothing is working form me.
  PC1 address is - 10.0.0.10 /25 its part of the 10.0.0.0/25 network. (Pc1 is connected to R1)
  R1 is connected to R2 and R3.
  The R1 connection to R2 is on S0/0/0 172.16.0.1 255.255.255.252
  R1 to R3 connection is going through S0/1/0 172.16.0.9 255.255.255.252
  R2 is connected to R1 via S0/0/0 interface with the IP address 172.16.0.2 /30 (255.255.255.252)
  R2's s0/0/1 is connected to R3 with the ip address of 172.16.0.5 255.255.255.252
  R3 is connected to R1 via S0/0/0 ip address 172.16.0.10 255.255.255.252
  Pc3 is connected to R3 with an ip of 10.0.0.139 255.255.128 (This is part of the 10.0.0.128/25 network
  R3's connection to R2 is on S0/0/1 with the ip address of 172.16.0.6 255.255.252
  The network from R1 to R2 is 172.16.0.0/30
  the Network from R1 to R3 is 172.16.0.8/30
  the Network from R2 to R3 is 172.16.0.4/30
  The Loopback on R2 is 209.165.200.161/27
  If anyone can help me I would greatly appreciate it. I am just so lost atm =/

  Are you running a routing protocol? OSPF, EIGRP, RIP?
  What "%" are you talking about, and what's not working for you exactly?
  Can we get a drawing of you topology?
  HTH,
  John

• Is anyone else having ACL issues?

  I am having trouble getting my ACL adjustments to apply.
  When I try to use the "server" tool remotely it appears that my ACL adjustmets are being made but then when I go back to the server and look, NO changes were applied, virtually forcing me to make all ACL changes from the server itself. (or through VNC or remote desktop)
  This new "server" tool is about as cumbersome as they come, especially for attempting to make large scale adjustments to ACLs.

  You may want to ry a restore to correct many of them...
  http://docs.info.apple.com/article.html?artnum=60983
  Sometimes the iPod is loading something or the HD is busy, causing a small delay, like you describe in 3 and 5
  Happy Holidays
  btabz

• Strange Inside ACL Issue

  We've been having a few problems over the past week or so which Objects and Object groups.
  What we have is an object group called HTTP out which contains around 120 objects and 10 object groups, this object group is part of a rule any source to HTTP out on IP service.
  One of the boject groups contains a class C subnet an external application along with other addresses for this application.
  What we've found is that no users trying to connect to an address in this subnet works, but if we put the same subnet in its own rule above the HTTP out rule it works fine.
  Are there any limits on the number of objects you can have in any one object group and what else can I look to see why connections to this subnet don't work when its part of the HTTP out object group?
  Any help or advice would be much appreciated.
  Thanks
  Jon

  Hello,
  I need the detailed packet tracer to see where it matches the object group but the packet does not pass through, also will be needing the logs to see whats the reason for the packet to be dropped.
  Let me know if you would be able to do testing (If this does not work, we would be persuing a lab recreate and try to see if this could be a new defect)
  Mike