Acl-name in access-list requirements

Similar Messages

• Nered to know where I can view ACL denies regarding "access-list deny any log" ?

  I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
  I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

  Hi,
  Yes, with an extended access-list with the last line:
  deny ip any any log
  with "sh log" you can  see the source address of the packets being dropped.
  Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
  logging console debugging
  logging monitor debugging
  With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
  access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
  access-list 101 deny   udp any range 0 65535 any range 0 65535 log
  access-list 101 deny   icmp any any log
  access-list 101 deny   ip any any log
  to log the sources and destinations IPs and port numbers.
  Best Regards,
  Pedro Lereno

• Access-list needed for vpn

  Hi,
  if we have a LAN to LAN vpn between to two cisco firewalls and allowed the service as IP (ipsec tunnel) do we need indivugial access-list in the security policy ? (i had a similar case where i had to put in a entry on the security policy for port 16000 between the two subnets used onthe LAN to LAN firewalls)
  i was under the impression the security policy applies only for non vpn and for vpn traffic we need to specify on the ipsec tunnel (under the tab service)
  Thanks

  There are two way you can filter traffic which is moving over VPN.
  1) Filter at source ofcourse ACLs are required.
    For example Crypto acl allows - Site A 10.0.0.0/24 to Site-B 20.0.0.0/24 but traffic can be filtered at interface where  10.0.0.0/24  is configured .Lets assume port 80 we want to deny.
  ACL would be -- access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
                                                                              permit any any
                                acess-group xxxx in inside
  So this will deny port 80 and permit rest of the traffic.
  2) You can configure VPN filter which is called under group policy .
  Thanks
  Ajay

• Access List Submodes

  I have a quick question re ACL submodes. I see that there is a config submode for named Extended ACL's, with prompt (config-ext-nacl). Is there a seperate config submode for named Standard ACL's ?
  Where is a good place to get a complete list of all the config submodes available a Cisco devices ?

  You can create named ACLs using standard access-lists(I assume this is what you are talking about). You can create a numbered access-list using the same syntax as a named acl, giving you the ability to edit on a line by line basis.

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Downloadable Access-list (ACL) on 440x/WiSM

  I need a wireless solution where an Access-list is downloaded / refered to on a per-user or per-group basis in order to do filtering.
  Does unified wireless (aka airespace) support this.
  To make it worse - is it support while using H-REAP AP's.
  TIA.
  Anders

  You can configure ACS 4.0 to return an ACL name after the user authenticates, and ensure that the ACS also returns the Tunnel Type attributes which tell which VLAN to use.

• I have mac 10.6.8 and safari 5.1.10. on checking help website i am told latest flash player 16.0.0.305 is already installed BUT is not listed in my applications and unable to access sites requiring flash player. can anyone help?

  i have mac 10.6.8 and safari 5.1.10. on checking help website i am told latest flash player 16.0.0.305 is already installed BUT does not appear on my list of applications and am unable to access websites requiring it. have also downloaded flash player installer app but unable to download the flash player itself. can anyone help? thank you!

  Hi Anne,
  Your version of Safari is still supported.  Please see Adobe Flash Player | Tech specs for supported OS and browsers.
  If the Flash Player plugin is in the Plug-ins (disabled) folder it's because it's an older version that Apple has disabled in Safari.  This has nothing to do with whether or not Flash Player supports the browser.
  I'm not sure what you mean by "when i click on flash player itself i am told there is no application to open it."  Flash Player.plugin only works in the browser to view Flash content in the browser.  The plugin does not open files outside of the browser.  If you have SWF files you'd like to view outside of the browser, then you'll need the Flash Player projector. However, based on your previous comments this doesn't appear to be what you are trying to do.
  Google Chrome does embed Flash Player in it, while Firefox does not.   Mozilla has also recently started blocking older versions of Flash Player in Firefox similar to what Apple is doing in Safari.
  Following the 'clean install' instructions should result in you having the latest version of Flash Player installed that will not be blocked by the browser.
  Maria

• Virtual telnet/downloadable access lists: acl authorization denied error

  Hello,
  has someone else experienced the same "issue" as described below ? And can someone (Cisco ?) tell whether this is by design, and if so, what the reasoning is behind this ?
  We use virtual telnet for user authentication, when users need to pass traffic through a PIX, and use downloadable access-lists after successful authentication.
  When a user authenticates himself, an error message appears in the virtual telnet window: "error: acl authorization denied".
  And the PIX log shows:
  109005: Authentication succeeded for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
  109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
  This error message disappears when we add telnet access for the virtual telnet-IP@ in the downloadable access-list on the Cisco ACS. I could not find any reference to this configuration quirk in any document.
  Now, with or without the error, the user can use virtual telnet and everything permitted
  in the downloadable acl without any problem (so why post an error message then ?).
  thanks

  Try to disable authorization and see if this error stops

• ACL - extended access lists

  Hi, I'm working through the CCNA ICND2.  Section:  IP Access Control Lists
  On p246 it says "the access-list command must use protocol keywork tcp to be able to match TCP ports and the udp keyword to be able to match UPD ports"
  in an example on p264 they list the statement "access-list 101 permit any any eq telnet"
  I would assume that "telnet" is a word value for "port 23" (just like you can type  "eq www" instead of "port 80")
  therefore does it not have to read "access-list 101 permit tcp any any eq telnet"
  ??? many thanks for your answers - much appreciated.

  it's a typo!!

• How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

  Hellp Everyone,
  I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
  I want to allow the whole Intranet but few intranet websites also needs access to the internet.
  Can we create such Access-List with the above requirement.
  I tried to create the ACL on the switch but it blocks the whole internet access.
  i want to do it for a subnet not for a specific IP.
  Can someone help me in creating such access list.
  Thanks in Advance

  The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
  In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
  The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
  You would then use them as follows:
  ip access-list extended main_acl
  permit any object-group intranet any
  permit object-group allowed_servers object-group allowed_sites any
  interface vlan
  ip access-group main_acl in
  More details on the syntax and examples can be found here:
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

• IOS XR deny ace not supported in access list

  Hi everybody,
  We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
  interface TenGigE0/3/0/0
   cdp
   mtu 1568
   service-policy output TK-MPLS_TG
   ipv4 address 172.16.19.134 255.255.255.252
   mpls
    mtu 1568
  policy-map TK-MPLS_TG
  class class-default
    service-policy TK-MPLS_EDGE-WAN
    shape average 2000000000 bps
    bandwidth 2000000 kbps
  and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
  class-map match-any W_RTP
   match mpls experimental topmost 5
   match dscp ef
   end-class-map
  class-map match-any W_EMAIL
   match mpls experimental topmost 1
   match dscp cs1
   end-class-map
  class-map match-any W_VIDEO
   match mpls experimental topmost 4 3
   match dscp cs3 cs4
   end-class-map
  class-map match-any W_DATOS-CR
   match mpls experimental topmost 2
   match dscp cs2
   end-class-map
  class-map match-any W_AVAIL
   match mpls experimental topmost 0
   match dscp default
   end-class-map
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    bandwidth percent 2
  class class-default
  end-policy-map
  what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
  ipv4 access-list PROXY-GIT-MEX
  10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
  20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
  30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
  40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
  50 permit tcp host 150.2.1.100 any
  60 permit tcp host 10.15.221.100 any
  policy-map EDGE-MEX3-PXY
   class C_PXY-GIT-MEX3
    police rate 300 mbps
   class class-default
   end-policy-map
  class-map match-any C_PXY-GIT-MEX3
   match access-group ipv4 PROXY-GIT-MEX
   end-class-map
  we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    service-policy EDGE-MEX3-PXY
  class class-default
  end-policy-map
  and we get this:
  Wed Sep 17 18:35:36.537 UTC
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
  Wed Sep 17 18:35:49.662 UTC
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
  end
  Any  kind of help is very appreciated.

  That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
  unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
  if you have some traffic that you want to exclude you could do something like this:
  access-list PERMIT-ME
  1 permit
  2 permit
  3 permit
  access-list DENY-me
  !the exclude list
  1 permit
  2 permit
  3 permit
  policy-map X
  class DENY-ME
  <dont do anything> or set something rogue (like qos-group)
  class PERMIT-ME
  do here what you wanted to do as earlier.
  eventhough the permit and deny may be overlapping in terms of match.
  only the first class is matched here, DENY-ME.
  cheers!
  xander

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

• We can figure this standard access list

  We can figure this standard access list that's important remember that we use a standard access list  want to block all traffic or permit all traffic from a particular
  source or destination let's take a look at this machine right here   that  is IP address say
  640-554 we want to stop him from going into the Ethernet interface I'm the ad man he made me midsummer block callers traffic he can get out anymore maybe this is even the internet out
  here we know people like their Internet access so to get back at them I'm a block it what I can do is I can use deny statement in my access list access list
  one did not .
  http://640-554cisco.com/

  Hi Suresh,
  ad 1) according to the documentation ( http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIHJAH )
  "At least one of the following must be true for a user to be granted a particular permission:
  The user's name appears in the xClbraUserList metadata field with the appropriate permission.
  The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.
  The user is part of an Enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission."
  meaning that OOTB a user will be granted both Read permission as per user-granted permissions and RWD as per group-granted permissions (resulting into RWD because at the same level a union operation is used).
  I'd say that conceptually, the group assignment should not be used in your use-case, because you don't want to assign permissions to group's users, do you? You could create new groups, or use assignment of permissions per user.
  ad 2) check this: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIDCGD
  Using ACLs, regardless User or Group Access Lists, always impacts the performance. And, it is difficult to maintain. From the information at the link you may understand how it is implemented - basically, the execution of the query will be affected by: a) how many items have to be evaluated b) the length of strings (xClbraUserList, xClbraAliasList) to be evaluated.

• Access-list in Cisco 3560 Series Switch

  Guys,
  I will be implementing access-lists in 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow ports that the user need to access. The ports will be as follows, tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and port used by IP Phone.
  Hope you can help me guys.
  Thanks,
  John

  and then dont forget to call this access-list on the interface or vlan you want to apply it.
  You can use a number for the ACL > 100 or a name as indicated earlier.
  If you go with just a number :
  access-list 100 permit tcp any any eq 80 81 ...
  access-list 100 permit udp any any eq 23
  int g1/0/1
  ip access-group NAME in
  OR
  ip access-group 100 in
  As for example :
  NMS-3750-A(config-if)#ip acc
  NMS-3750-A(config-if)#ip access-group ?
  <1-199> IP access list (standard or extended)
  <1300-2699> IP expanded access list (standard or extended)
  WORD Access-list name

• LMS 4.2 Compliance check extended access-list

  Hi,
  I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
  I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
  I have made a new compliance check like this:
  'submode': ip access-list extended 'acl-name'
  +deny tcp any any eq smtp
  But that is not working, Can some one show me the 'right path'?
  Thanks
  Soren                 

  Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
  Name:
  Archive Mgmt Job Work Order
  Summary:
  General Info
  JobId: 2704
  Owner: admin
  Description: test_acl
  Schedule Type: Immediate
  Job Type: Compliance Check
  Baseline Template Name: test_acl
  Attachment Option: Disabled
  Report Type: NAJob Policies
  ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
  Job Based Password: DisabledDevice Details
  Device
  Commands
  Sup_2T_6500
    ip access-list standard 21
    permit host 10.20.30.40
    permit host 40.30.20.10
    deny any log
  10.104.149.180
    ip access-list standard 21
    permit host 10.20.30.40
    permit host 40.30.20.10
    deny any log
  Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
  -Thanks
  Vinod
  **Rating Encourages contributors, and its really free. **