ACLs on subinterfaces

Hello,
Can we program ACLs on subinterfaces of a router's interface? Is it possible?
Thank you,
kumar

Hi,
Yes, you can do this.
Rgds
PJD

Similar Messages

  • VPN with more than one filter / nested ACL

    Dear All,
    Is there a way to assign more than one ACL to a VPN profile or implement a nested ACL structure?
    I am trying to avoid modifying a large list of ACLs to insert the same ACE in each ACL bound to different VPN profiles.

    Hi,
    I know only a few basic ways to control the VPN users' traffic; they basically are:
    Changing the global "sysopt" setting and controlling all user traffic on the external interface ACL
    Use separate VPN Filter ACLs
    If using subinterfaces for local interfaces, then tie the VPN connection to a specific VLAN, which would allow connectivity only towards that VLAN subinterface for those VPN users.
    In some cases we might use a separate device to do the access control.
    But I guess if the requirement is to have a specific ACL for each VPN user group then the original suggestion is not an option for you.
    I was just thinking that using the same ACL would make it easier to generate the new configuration addition. At least in the sense that the ACL name for each rule would be the same. If you didn't make too broad ACL rules it would not really allow any connectivity between the different networks involved, though that would also depend on the NAT configuration, not just the ACL.
    - Jouni

  • ACLs on Sub-Interfaces

    Question on IP ACL...
    If you configure an IP ACL for a subinterface on a router-on-a-stick, will it affect the entire physical interface or will it only affect the sub-interface to which the ACL has been applied? Just a thought that's been bugging me... Thanks in advance for your response...

    Hi
    It will only affect the sub-interface. The ACL applies only to the logical construct which is the sub-interface.
    Hope that helps. Please do remember to rate posts that help.
    Paresh

  • ACLs on subinterfaces

    Hello,
    I have three VLANs, and I would like to restrict transfer of data between the VLANs on the subinterfaces of my 2621 router. Is it possible? If it works, can you show me some examples or some info on documentation?
    Thank you,
    Gandham

    Assuming your 2621 is the router responsible for routing between the 3 different VLANs, it is possible. You will apply access lists to your sub-interfaces just as you would if they were regular interfaces.
    Here's a link on how to configure access-lists:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c0.html
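The three answers above make the same point: an ACL bound to a subinterface filters only that subinterface, with the usual IOS semantics (first matching entry wins, wildcard-mask bits are "don't care", implicit deny at the end). The following is an added example, not code from the thread or from the Cisco documentation linked above: a small Python simulator that parses a constructed router-on-a-stick fragment, records which ACL is bound to which subinterface, and evaluates packets against it, so you can see that ACL 110 on Gi0/0.10 never touches traffic arriving on Gi0/0.20 or on the parent interface. The interface names, VLAN IDs, addresses and the ACL itself are assumptions.

```python
"""Added example (not from the thread or Cisco docs): IOS extended-ACL
evaluation on router-on-a-stick subinterfaces. All names and addresses
in IOS_CONFIG are constructed assumptions."""
import ipaddress

# Constructed config: three VLANs on Gi0/0; VLAN 10 must not reach VLAN 30.
IOS_CONFIG = """
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group 110 in
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
access-list 110 deny   ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 110 permit ip any any
"""


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_operand(tokens):
    """Consume one address operand: 'any' | 'host A' | 'A WILDCARD'.
    Returns ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]


def matches(operand, addr):
    """IOS wildcard semantics: a set bit in the wildcard means 'ignore this bit'."""
    base, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF
    return (ip_int(addr) & care) == (base & care)


def parse_config(text):
    acls = {}      # ACL name/number -> list of (action, protocol, src, dst)
    bindings = {}  # (interface, direction) -> ACL name/number
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            current = tokens[1]
        elif tokens[:2] == ["ip", "access-group"] and current:
            bindings[(current, tokens[3])] = tokens[2]
        elif tokens[0] == "access-list":
            name, action, proto = tokens[1], tokens[2], tokens[3]
            src, rest = parse_operand(tokens[4:])
            dst, _ = parse_operand(rest)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls, bindings


def evaluate(acls, bindings, interface, direction, proto, src, dst):
    """'permit' or 'deny' by first match, or 'no-acl' when nothing is bound on
    that subinterface in that direction (the ACL on Gi0/0.10 is invisible to
    Gi0/0.20 and to the parent physical interface)."""
    name = bindings.get((interface, direction))
    if name is None:
        return "no-acl"
    for action, ace_proto, ace_src, ace_dst in acls.get(name, []):
        if ace_proto in ("ip", proto) and matches(ace_src, src) and matches(ace_dst, dst):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL


if __name__ == "__main__":
    acls, bindings = parse_config(IOS_CONFIG)
    for iface, s, d in [("GigabitEthernet0/0.10", "10.0.10.7", "10.0.30.9"),
                        ("GigabitEthernet0/0.10", "10.0.10.7", "10.0.20.9"),
                        ("GigabitEthernet0/0.20", "10.0.20.7", "10.0.30.9")]:
        print(iface, s, "->", d, evaluate(acls, bindings, iface, "in", "tcp", s, d))
```

The simulator checks source and destination only; a real extended ACL can also match ports, TCP flags and ICMP types, and an inbound ACL on Gi0/0.10 says nothing about VLAN 30 hosts initiating traffic towards VLAN 10, which needs its own entry on Gi0/0.30.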

  • Multiple Subinterfaces on same context.

    Hi,
    I'm having a difficult time finding examples where there is a multi-context ASA using multiple subinterfaces under the contexts. I'm running a 5585-X SSP-10 in my network.
    We have a license for 20 contexts, currently only using a quarter of those contexts. The issue is, the way they set this up was only one subinterface per context, and that's how they want to keep it.
    I'm already charged with adding three new VLANs to our firewall for migrating some devices off our old network to our new one. The issue is, if we keep doing that we're going to burn through all these contexts in no time.
    I'm assuming you can have multiple VLANs going to the same context with multiple subinterfaces. That being said, I would assume you can block the traffic from two VLANs on the same context from each other.
    Can anyone link me to some configuration examples for multiple subinterfaces, and an example of what the access rules on the same context might look like for two VLANs with different subnets?
    Thanks.

    I feel you are overthinking this. If you have set up an ASA interface before then setting up subinterfaces in a context is not much different (other than having to allocate the interface to that given context). Then you configure the interface on the context as you would any other interface.
    Your configuration would look like this:
    changeto system
    interface Gig0/0
    no shut
    int Gig0/0.1
    vlan 10
    int Gig0/0.2
    vlan 20
    context A
    allocate-interface Gig0/0.1-Gig0/0.2
    changeto context A
    interface G0/0.1
    security-level 100
    nameif inside
    ip add 10.10.10.1 255.255.255.0
    interface G0/0.2
    security-level 0
    nameif outside
    access-list TEST-ACL permit ip 10.10.10.0 255.255.255.0 any
    access-list TEST-ACL2 permit ip any host 10.10.10.10
    access-group TEST-ACL in interface inside
    access-group TEST-ACL2 in interface outside
    Please remember to select a correct answer and rate helpful posts

  • VPN not working after adding subinterface - ASA 5510

    Hello,
    Currently I want to add a second LAN (VLAN) in a customer's network. The new network will be for a wireless infrastructure.
    There is also VPN configured on the ASA: one with L2TP for Windows clients and an IPsec one for Cisco clients.
    Formerly we only had one outside (Eth0/0) and one inside interface (Eth0/1) on the ASA.
    Now I want to use Eth0/2 with subinterfaces, so that we will be flexible in future when deploying more VLANs.
    But now, when I turn the first subinterface Eth0/2.2 to no-shut, the VPN connections do not work any more.
    Building up the VPN connection works, but it seems that the traffic is not tunneled. (I checked this, because tracert to an internal address goes to the internet)
    Below there is my config; I don't know what's wrong. I think split-tunnel is configured correctly (because it works when I delete Eth0/2.2)
    TREV is the network of this location.
    Company1,2,3 are remote locations.
    : Saved
    ASA Version 8.2(5)
    hostname XXXXXXX
    domain-name domain.lan
    enable password XXXXXXXXXXX encrypted
    passwd XXXXXXXXXX encrypted
    names
    name 192.168.100.0 TREV
    name 192.168.200.0 COMPANY3
    name XXXXXXXX Company1
    name 192.168.1.0 Company2
    name XXXXXXXXX GCT
    name XXXXXXXX BMD
    name 192.168.110.0 Wireless
    name 192.168.201.0 COMPANY3-VPN
    name 192.168.11.0 COMPANY2-VPN
    name 192.168.101.0 TREV-VPN
    interface Ethernet0/0
    description Outside
    nameif outside
    security-level 0
    ip address XXXXX 255.255.255.248
    interface Ethernet0/1
    description Inside
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Ethernet0/2
    description Trunk Interface
    no nameif
    no security-level
    no ip address
    interface Ethernet0/2.2
    description Wireless
    vlan 110
    nameif wlan
    security-level 100
    ip address 192.168.110.1 255.255.255.0
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    ftp mode passive
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 192.168.100.10
    domain-name domain.lan
    dns server-group COMPANY2
    name-server 192.168.1.16
    domain-name domain.local
    dns server-group COMPANY3
    name-server 192.168.200.1
    domain-name domain.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network VPN_Networks
    network-object COMPANY3 255.255.255.0
    network-object COMPANY3-VPN 255.255.255.0
    network-object COMPANY2 255.255.255.0
    network-object COMPANY2-VPN 255.255.255.0
    network-object TREV 255.255.255.0
    network-object TREV-VPN 255.255.255.0
    object-group network DM_INLINE_NETWORK_1
    network-object COMPANY2 255.255.255.0
    network-object COMPANY3 255.255.255.0
    network-object COMPANY3-VPN 255.255.255.0
    network-object COMPANY2-VPN 255.255.255.0
    network-object Wireless 255.255.255.0
    access-list INCOMING remark *** ICMP Erlauben ***
    access-list INCOMING extended permit icmp any any echo-reply
    access-list INCOMING extended permit icmp any any time-exceeded
    access-list INCOMING extended permit icmp any any unreachable
    access-list INCOMING extended permit icmp any any parameter-problem
    access-list INCOMING extended permit icmp any any source-quench
    access-list INCOMING extended permit icmp any any echo
    access-list INCOMING remark *** Wartung Company1 ***
    access-list INCOMING remark *** Wartung BMD ***
    access-list INCOMING remark *** Mail ***
    access-list ......
    access-list Trev-nat0 remark *** NoNat ***
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
    access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list DefaultRAGroup_splitTunnelAcl standard permit TREV 255.255.255.0
    access-list outside_1_cryptomap extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list inside_debug extended permit tcp any host 192.168.100.5
    access-list inside_debug extended permit tcp any TREV 255.255.255.0
    access-list Wireless-nat0 extended permit ip Wireless 255.255.255.0 TREV 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu wlan 1500
    ip local pool VPN-Pool 192.168.101.1-192.168.101.31 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 2 XXXXXXXXXXX
    nat (inside) 0 access-list Trev-nat0
    nat (inside) 2 192.168.100.25 255.255.255.255
    nat (inside) 2 192.168.100.250 255.255.255.255
    nat (inside) 1 TREV 255.255.255.0
    nat (wlan) 0 access-list Wireless-nat0
    static (inside,outside) tcp interface 444 192.168.100.10 444 netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.100.10 https netmask 255.255.255.255
    .... a lot of statics..............
    static (inside,outside) tcp XXXXXXXXXX pop3 192.168.100.25 pop3 netmask 255.255.255.255
    static (inside,outside) tcp XXXXXXXXXX  995 192.168.100.25 995 netmask 255.255.255.255
    access-group INCOMING in interface outside
    route outside 0.0.0.0 0.0.0.0 XXXXXXXXXX  1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.100.10
    timeout 5
    key *****
    radius-common-pw *****
    aaa-server RADIUS2 protocol radius
    aaa-server RADIUS2 (inside) host 192.168.100.10
    key *****
    radius-common-pw *****
    aaa authentication ssh console LOCAL
    http server enable 4430
    http COMPANY2 255.255.255.0 management
    http TREV 255.255.255.0 inside
    http Company1 255.255.255.224 outside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_AES_128_SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_AES_128_SHA mode transport
    crypto ipsec transform-set TRANS_ESP_AES_256_SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_AES_256_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_AES_128_SHA TRANS_ESP_AES_256_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_3DES_SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 178.188.202.78
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash sha
    group 5
    lifetime 28800
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh bit-Studio 255.255.255.224 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh TREV 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcprelay server 192.168.100.10 inside
    dhcprelay enable wlan
    dhcprelay setroute wlan
    dhcprelay timeout 90
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    wins-server value 192.168.100.10
    dns-server value 192.168.100.10
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value domain.lan
    intercept-dhcp enable
    group-policy IPsecVPN internal
    group-policy IPsecVPN attributes
    wins-server value 192.168.100.10
    dns-server value 192.168.100.10
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value domain.lan
    username admin password XXXXXXXXXX encrypted privilege 15
    username vpntest password XXXXXXXXX nt-encrypted
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN-Pool
    authentication-server-group RADIUS
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group XXXXXXXXX type ipsec-l2l
    tunnel-group XXXXXXXXXXXX ipsec-attributes
    pre-shared-key *****
    tunnel-group IPsecVPN type remote-access
    tunnel-group IPsecVPN general-attributes
    address-pool VPN-Pool
    authentication-server-group RADIUS
    default-group-policy IPsecVPN
    tunnel-group IPsecVPN ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f2041a5902e945a130fe25fbb8e5d368
    : end

    Hi,
    First I would go through all the NAT0/NAT Exempt rules you have for VPNs. They seem to contain useless lines where either the destination or source network isn't correct.
    Let's look at the NAT0 ACL you have line by line
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
    The above access-list has the correct source network configured. Yet it has its destination addresses configured with an "object-group" which contains your LAN network
    You should probably remove the LAN network from the object-group VPN_Networks
    access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
    To my understanding the above ACL line doesn't serve any purpose as the networks configured under VPN_Networks aren't located behind your "inside" interface (other than the one I'm asking to remove from the object-group)
    access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
    The above ACL overlaps with the very first ACL line's configuration and needlessly makes the configuration harder to read. It also contains the Wireless network, which it shouldn't
    I would suggest simplifying your NAT0 configurations, for example in the following way (change the names if you want, if you're going to try it out)
    object-group network TREV-LAN
      description Local networks
      network-object 192.168.100.0 255.255.255.0
    object-group network VPN-NETWORKS
      description Remote networks
      network-object 192.168.200.0 255.255.255.0
      network-object 192.168.201.0 255.255.255.0
      network-object 192.168.1.0 255.255.255.0
      network-object 192.168.11.0 255.255.255.0
      network-object 192.168.101.0 255.255.255.0
    access-list TREV-LAN-NAT0 remark NAT0 / NAT Exempt for VPN Connections
    access-list TREV-LAN-NAT0 permit ip object-group TREV-LAN object-group VPN-NETWORKS
    With the above configurations:
    You have all NAT0 with a single line of access-list configuration (not counting the remark line, as it doesn't affect anything)
    If there are changes in the VPN pools, VPN remote networks or LAN networks you can simply change them under the configured object-groups instead of touching the actual ACL. There might be situations where you should change the ACL from the above if there are some bigger changes to the network
    So as I said, I would start with changing the above NAT configurations and then test the VPN again. If it doesn't work we will have to check some other things out.
    - Jouni
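The review above is done by eye: expand each NAT0 line into source/destination pairs, then ask whether the source is really behind "inside", whether a destination is the LAN itself or another directly connected network, and whether an earlier line already covers the pair. The following is an added example, not code from the thread: a Python checker that does exactly that on a constructed ASA 8.2 excerpt reusing the post's names, object-groups and ACL (the poster's mixed "Company2"/"COMPANY2" spelling is normalised to COMPANY2; the management interface is omitted). The check logic and the finding labels are assumptions, not an ASA feature.

```python
"""Added example, not code from the thread: NAT-exempt ACL checks on a
constructed ASA 8.2 excerpt. Names/addresses follow the post; the checks are assumptions."""
import ipaddress
from itertools import product
ASA_CONFIG = """
name 192.168.100.0 TREV
name 192.168.200.0 COMPANY3
name 192.168.1.0 COMPANY2
name 192.168.110.0 Wireless
name 192.168.201.0 COMPANY3-VPN
name 192.168.11.0 COMPANY2-VPN
name 192.168.101.0 TREV-VPN
interface Ethernet0/1
 nameif inside
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2.2
 nameif wlan
 ip address 192.168.110.1 255.255.255.0
object-group network VPN_Networks
 network-object COMPANY3 255.255.255.0
 network-object COMPANY3-VPN 255.255.255.0
 network-object COMPANY2 255.255.255.0
 network-object COMPANY2-VPN 255.255.255.0
 network-object TREV 255.255.255.0
 network-object TREV-VPN 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object COMPANY2 255.255.255.0
 network-object COMPANY3 255.255.255.0
 network-object COMPANY3-VPN 255.255.255.0
 network-object COMPANY2-VPN 255.255.255.0
 network-object Wireless 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group VPN_Networks
access-list Trev-nat0 extended permit ip object-group VPN_Networks TREV 255.255.255.0
access-list Trev-nat0 extended permit ip TREV 255.255.255.0 object-group DM_INLINE_NETWORK_1
nat (inside) 0 access-list Trev-nat0
"""
SRC_NOT_LOCAL = "source is not behind this interface"
SELF_OVERLAP = "source and destination overlap"
DST_LOCAL = "destination is directly connected on another interface"
REDUNDANT = "pair already covered by an earlier line"

def parse_asa(text):
    """Resolve 'name' aliases and object-groups; collect local networks per nameif,
    expanded extended ACLs and 'nat (ifc) 0 access-list' bindings."""
    names, groups, acls, local, nat0 = {}, {}, {}, {}, {}
    cur_group = cur_nameif = None
    def network(addr, mask):
        return ipaddress.IPv4Network((names.get(addr, addr), mask), strict=False)
    def operand(t):  # 'any' | 'object-group G' | 'A MASK'  ->  (networks, rest)
        if t[0] == "any":
            return [ipaddress.IPv4Network("0.0.0.0/0")], t[1:]
        if t[0] == "object-group":
            return list(groups[t[1]]), t[2:]
        return [network(t[0], t[1])], t[2:]
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "nameif":
            cur_nameif = t[1]
        elif t[:2] == ["ip", "address"]:
            local[cur_nameif] = network(t[2], t[3])
        elif t[:2] == ["object-group", "network"]:
            cur_group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            cur_group.append(network(t[1], t[2]))
        elif t[0] == "access-list" and t[2] == "extended":
            src, rest = operand(t[5:])  # t[3] = permit/deny, t[4] = protocol
            dst, _ = operand(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]
    return {"acls": acls, "local": local, "nat0": nat0}

def audit(cfg):
    """Findings as (acl, ace_number, kind, 'src -> dst') tuples."""
    findings = []
    for ifc, acl in cfg["nat0"].items():
        behind, seen = cfg["local"][ifc], []
        others = [n for name, n in cfg["local"].items() if name != ifc]
        for ace, (srcs, dsts) in enumerate(cfg["acls"][acl], start=1):
            for s, d in product(srcs, dsts):
                pair = f"{s} -> {d}"
                if not s.overlaps(behind):
                    findings.append((acl, ace, SRC_NOT_LOCAL, pair))
                if s.overlaps(d):
                    findings.append((acl, ace, SELF_OVERLAP, pair))
                if any(d.overlaps(o) for o in others):
                    findings.append((acl, ace, DST_LOCAL, pair))
                if any(s.subnet_of(s0) and d.subnet_of(d0) for s0, d0 in seen):
                    findings.append((acl, ace, REDUNDANT, pair))
                seen.append((s, d))
    return findings

def remote_networks(cfg, ifc):
    """Destinations a single 'permit ip <LAN> object-group <REMOTE>' line needs:
    everything reached from the LAN that is not itself directly connected."""
    behind, remote = cfg["local"][ifc], set()
    for srcs, dsts in cfg["acls"][cfg["nat0"][ifc]]:
        if any(s.overlaps(behind) for s in srcs):
            remote.update(d for d in dsts if not any(d.overlaps(c) for c in cfg["local"].values()))
    return remote
```

Run on the excerpt, `audit` flags the TREV-to-TREV pair on line 1, the five non-local sources on line 2, the Wireless destination on line 3 and the four pairs on line 3 that line 1 already covers, and `remote_networks(cfg, "inside")` returns the five /24s that the simplified VPN-NETWORKS group above lists. Whether a directly connected network belongs in a NAT0 ACL at all depends on the rest of the NAT configuration, so treat that finding as a prompt to look, not as an error by itself.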

  • Move interface ACL's, NAT's from one interface to another

    Hi
    I have a Cisco ASA 5515-x with IOS 9.1.
    My problem is i have 6 interfaces (1 failover, 2 dmz, 1 outside, 1 inside and 1 spare) and I need to create new:
    DMZ - for new LAN (subnet).
    Outside interface - for new Site to Site VPN peer, there is a requirement to use a different public address rather than the one on the existing outside interface.
    There is no budget to purchase additional interfaces at the present.
    The solution i have come up with is to:
    Divide the spare interface into 3 sub-interfaces for the 2 existing DMZ's and the new DMZ.
    Use either of the spare 2 interfaces (from existing DMZ's) as the new outside interface.
    Still leaving me with a spare interface for future expansion.
    I have 2 questions:
    Firstly, is this an acceptable solution and if not what would be a better solution?
    Secondly, in my proposed solution, I will have to move all the ACLs and NATs from the existing DMZs to the new sub-interface DMZs (also one of the DMZs is accessed by a site-to-site VPN on the existing outside interface). Is there an easy way to move these rules/NATs/etc., or does it require going through the entire configuration renaming all the changes?
    Any help would be much appreciated.
    Chris

    Hi,
    Well, I don't know why the requirement is to use a different public IP address for the L2L VPN connection, but then this seems to be the only way (use another interface). I assume then that you have another ISP link there, or from the same ISP but with an IP from a different public subnet than your current "outside"?
    If you decide to use 2 WAN links on the ASA then for the L2L VPN purpose WAN link you need to configure a static "route" for the remote VPN gateway and possibly also for the remote networks behind the L2L VPN, unless the ASA installs those routes automatically based on the "crypto map" configurations.
    With regards to moving the configurations around, it seems to me that there is no easy/automatic way to migrate these configurations.
    What you can essentially do at least is
    Collect all the configurations that reference the interface's "nameif" value. These usually contain commands like "nat", "access-group", "route" and naturally some others
    Remove the existing interfaces, which means that all configurations that reference the "nameif" are removed. Notice that the ACL is not removed, only the "access-group" command
    You then reconfigure the same interface somewhere else. In your case it seems to be a subinterface in some cases.
    After the new interface is configured you should be able to drop the configurations that you collected earlier. What I would keep in mind in this situation is that you should keep track of the original order of the "nat" configurations (if using Manual NAT) and make sure you enter the "nat" commands in the same places they were. Depending on your current NAT configuration this might either be really simple (mostly Auto NAT configurations) or something requiring a bit more planning (Manual NAT)
    The above should be the main things to do on the ASA to migrate the configurations.
    Naturally this is just a general description without taking into account everything that you might have in your environment.
    - Jouni
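The procedure above (collect what references the nameif, remove the interface, rebuild it as a subinterface, re-enter the references in their original order) is mechanical enough to script. The following is an added example, not code from the thread or an ASA feature: a Python planner that takes an ASA 9.x running configuration, carries the old interface's `security-level` and `ip address` into a new subinterface block, and lists every top-level or object-NAT command that names the old nameif, in original order, giving manual (twice) NAT rules back their original line position. The configuration excerpt, interface names, VLAN ID, object names and addresses are constructed assumptions; `REFERENCING` is the set of commands the reply mentions plus a few common ones, and is not exhaustive.

```python
"""Added example, not code from the thread: planner for moving an ASA 9.x
interface (and everything referencing its nameif) to a subinterface.
ASA_CONFIG and all names in it are constructed assumptions."""
import re

ASA_CONFIG = """
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 172.16.1.1 255.255.255.0
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
object network DMZ1-WEB
 host 172.16.1.10
 nat (dmz1,outside) static 203.0.113.10
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list DMZ1-IN extended permit tcp any host 172.16.1.10 eq 443
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static PARTNER PARTNER
nat (dmz1,outside) source static DMZ1-NET DMZ1-NET destination static PARTNER PARTNER
access-group DMZ1-IN in interface dmz1
route dmz1 172.16.100.0 255.255.255.0 172.16.1.254 1
mtu dmz1 1500
ssh 10.0.0.0 255.255.255.0 dmz1
logging host inside 10.0.0.5
"""

# Top-level commands whose arguments can name an interface by its nameif and
# that go away with that nameif (the ACL itself survives; the ACL set is an
# assumption, extend it for your own configuration).
REFERENCING = ("nat", "access-group", "route", "mtu", "ssh", "http", "icmp",
               "dhcpd", "dhcprelay", "management-access", "aaa-server",
               "crypto", "logging", "snmp-server")
KEEP = ("security-level", "ip address")  # interface settings carried over


def mentions(line, nameif):
    """Whole-token match: 'dmz1' in '(dmz1,outside)' but not in 'dmz10' or 'dmz1_in'."""
    return re.search(rf"(?<![\w-]){re.escape(nameif)}(?![\w-])", line) is not None


def stanzas(config):
    """Group the config into (top-level line, [indented children]) pairs."""
    out = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out


def plan_move(config, nameif, new_interface, vlan):
    """Return (new subinterface block, commands to re-enter once it exists)."""
    block = [f"interface {new_interface}", f" vlan {vlan}", f" nameif {nameif}"]
    reapply, manual_nat_pos = [], 0
    for head, children in stanzas(config):
        cmd = head.split()[0]
        if cmd == "interface":
            if f"nameif {nameif}" in children:
                block += [f" {c}" for c in children if c.startswith(KEEP)]
        elif cmd == "object":  # object (auto) NAT lives under the object
            nat = [f" {c}" for c in children if c.startswith("nat ") and mentions(c, nameif)]
            if nat:
                reapply += [head] + nat
        elif cmd == "nat":     # manual (twice) NAT: order is policy, keep it
            manual_nat_pos += 1
            if mentions(head, nameif):
                ifc_pair, rest = head.split()[1], " ".join(head.split()[2:])
                reapply.append(f"nat {ifc_pair} {manual_nat_pos} {rest}")
        elif cmd in REFERENCING and mentions(head, nameif):
            reapply.append(head)
    return block, reapply


if __name__ == "__main__":
    block, reapply = plan_move(ASA_CONFIG, "dmz1", "GigabitEthernet0/5.101", 101)
    print("! 1. removing the old interface's nameif clears the lines in step 3")
    print("! 2. build the new subinterface")
    print("\n".join(block))
    print("! 3. re-enter the references, in this order")
    print("\n".join(reapply))
```

The line number written into a re-entered manual NAT rule is its position among all manual NAT rules in the original file; that only restores the original order if the other rules are still in place when you paste, so review the output of `show nat` afterwards rather than trusting the script. Lines that name the interface in free text (descriptions, remarks) are deliberately ignored.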

  • CBAC on router subinterface

    Does anyone know if it is possible to use CBAC between router subinterfaces in a router-on-a-stick situation between two VLANs, as internal VLAN and external VLAN?

    Ok, let me try to explain; it might help.

                                   --------->                          -------->
    ACL IN (permit any any)    Interface LAN -------------------- Interface ANY    ACL IN (deny any any)
                                   <---------                          <---------

    Suppose things are allowed from LAN to any interface and denied on the interface from which return traffic is coming. Here inspection should work and ignore deny any any, and return traffic will not be blocked by the ACL.
    Let me add one more statement: you need to identify two interfaces on the router, internal or external, to make it work.
    With your current config, if you feel the CBAC feature is not working, these commands can help you verify: show ip inspect session
    Other Show Commands
    show ip inspect config
    show ip inspect interfaces
    show ip inspect stat
    Debug Commands
    debug ip inspect detail
    debug ip inspect tcp
    debug ip inspect object-cre
    debug ip inspect object-del
    debug ip inspect event
    Thanks
    Ajay
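The diagram above describes stateful inspection in one sentence: a session started on the LAN subinterface is remembered, and its return packets are let through the ANY subinterface before the `deny any any` ACL there is consulted. The following is an added example, not code from the thread: a Python model of that behaviour, with the constructed IOS configuration it stands for shown as a string for reference. The interface names, the idle timeout and the sample packets are assumptions; real CBAC additionally tracks TCP state and protocol-specific channels, which this model leaves out.

```python
"""Added example, not from the thread: minimal model of CBAC between two
router-on-a-stick subinterfaces. IOS_CBAC_CONFIG is the constructed config
the model stands for (not parsed); names, timeout and packets are assumptions."""
from collections import namedtuple

IOS_CBAC_CONFIG = """
ip inspect name LAN-FW tcp
ip inspect name LAN-FW udp
interface GigabitEthernet0/0.10
 description LAN (internal VLAN)
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ip access-group 110 in
 ip inspect LAN-FW in
interface GigabitEthernet0/0.20
 description ANY (external VLAN)
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group 120 in
access-list 110 permit ip any any
access-list 120 deny ip any any
"""

Packet = namedtuple("Packet", "proto src sport dst dport")


class CbacRouter:
    """LAN subinterface: 'permit any any' plus inspection inbound. ANY
    subinterface: 'deny any any' inbound. Inspection entries are keyed by the
    5-tuple of the LAN-originated packet and expire after idle_timeout."""

    def __init__(self, lan_if, any_if, idle_timeout=3600):
        self.lan_if, self.any_if, self.idle_timeout = lan_if, any_if, idle_timeout
        self.sessions = {}  # Packet (initiator 5-tuple) -> last time seen

    @staticmethod
    def reverse(pkt):
        return Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now):
        for key, seen in list(self.sessions.items()):
            if now - seen >= self.idle_timeout:
                del self.sessions[key]

    def receive(self, iface, pkt, now=0):
        """Decision for a packet arriving inbound on `iface`: 'permit',
        'permit-inspected' (hole opened by inspection) or 'deny'."""
        self.expire(now)
        if iface == self.lan_if:
            self.sessions[pkt] = now      # ACL 110 permits; inspection records the session
            return "permit"
        if iface == self.any_if:
            origin = self.reverse(pkt)
            if origin in self.sessions:  # return traffic of an inspected session
                self.sessions[origin] = now
                return "permit-inspected"
            return "deny"                # everything else hits ACL 120: deny any any
        raise ValueError(f"unknown interface {iface}")

    def show_ip_inspect_session(self):
        """Roughly the content of 'show ip inspect session'."""
        return sorted(f"{p.proto} {p.src}:{p.sport} => {p.dst}:{p.dport}" for p in self.sessions)


if __name__ == "__main__":
    r = CbacRouter("GigabitEthernet0/0.10", "GigabitEthernet0/0.20", idle_timeout=60)
    out = Packet("tcp", "10.0.10.5", 40000, "10.0.20.80", 80)
    print(r.receive("GigabitEthernet0/0.20", r.reverse(out), now=0))  # deny: unsolicited
    print(r.receive("GigabitEthernet0/0.10", out, now=1))             # permit
    print(r.receive("GigabitEthernet0/0.20", r.reverse(out), now=2))  # permit-inspected
    print(r.show_ip_inspect_session())
```

The model makes the failure modes visible: a reply that arrives before any LAN-side packet, a reply to a different source port, or a reply after the idle timeout all fall through to the deny ACL, which is also what an empty `show ip inspect session` on the real router is telling you.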

  • Subinterfaces won't communicate and only one subnet can NAT.

    I have an ASA5510 which I have set up with subinterfaces on e0/0. I have had one subinterface working for some time with PAT but I have recently added a new subinterface. I have set both of them to the same security level and I have enabled both same-security-traffic permit inter-interface
    & same-security-traffic permit intra-interface. I thought the intra-interface should have done it but I guess I was wrong. The weird thing is that I have set up dhcprelay and I can get an address from the server that is located on the network connected to the other subinterface.
    Also I can't seem to get NAT working with any other network except the 192.168.30.0 network. I have mimicked the configuration I set up for the 192.168.30.0 network and I get errors stating there is no translation group for 192.168.31.x.
    I attached the config in hopes that someone will point out my mistakes.
    Thanks

    Hi,
    Have you got any solutions?
    I am having similar problems with the ASA5510. I created a new subinterface and connected one host. I can ping the new host from the ASA. But I cannot ping it from any other existing directly connected hosts, even though I have an ACL 'permit any any' in both the 'in' and 'out' directions. Capture shows ICMP hits the incoming interface, but not the outgoing interface to the new host. When I set the capture type to 'asp-drop', it shows the packets are dropped. So the ASA is simply dropping the packets to the new subnet.
    There are 10 existing subinterfaces on this ASA and they have all been working fine for years. The ASA supports 100 VLANs.
    Any advice is appreciated.

  • CAN NOT FIND DESCRIPTION DATA for ACLs in ACL VIEWS

    Hi,
    Does anyone know where the ACL description data is stored? (fixed table, view, sys table)
    (I know the XDB.XDB$ACL and xdb.xs$securityclass objects, but I do not want to parse those XMLs)
    BEGIN
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl => '/sys/acls/my.xml',
    description => 'ACL_DESC',

    See the XDS_ACL view; it does the parsing for you:
    SQL> SELECT description FROM sys.xds_acl;
    DESCRIPTION
    Read-only privileges to anonymous
    Protected:Readable by PUBLIC and all privileges to OWNER
    Protected:Readable by PUBLIC and all privileges to OWNER
    Public:All privileges to PUBLIC
    Private:All privileges to OWNER only and not accessible to others
    Read-Only:Readable by all and writeable by none
    6 rows selected
    And it was not that hard to do it "manually" BTW :
    SQL> SELECT x.description
         FROM XDB.XDB$ACL
            , XMLTable(
                XMLNamespaces(default 'http://xmlns.oracle.com/xdb/acl.xsd')
              , '/acl'
                passing object_value
                columns description varchar2(4000) path '@description'
              ) x
         ;
    DESCRIPTION
    Read-only privileges to anonymous
    Protected:Readable by PUBLIC and all privileges to OWNER
    Protected:Readable by PUBLIC and all privileges to OWNER
    Public:All privileges to PUBLIC
    Private:All privileges to OWNER only and not accessible to others
    Read-Only:Readable by all and writeable by none
    6 rows selected

  • OWB 11gR2 - Internal ERROR: Can not find the ACL containter

    OWB 11gR2 - Internal ERROR: Can not find the ACL containter
    =======================================
    I am using OWB 11gR2 (11.2.0.1) on Win XP 32-bit. I have 3.23 GB RAM. OWB Design Center is very slow on my desktop. Our OWB repository is on a Unix server.
    We applied the patch 10270220.
    We are getting
    Internal ERROR: Can not find the ACL containter for object:CMPPhysicalMap@19654/id=104020/owningFCO=104020/proxyFor=(CMPPhysicalMapGen@19f99ae/id=104020/stname=null/pname=MAPPING_1/lname=MAPPING_1/status=POSTED/committed=true/persistent=true/propsLoaded=true)
    What is happening here?
    Thanks in helping.

    We have a map with 3 sources and 1 target. The 3 sources pass through Joiner, then Expression, then Target.
    We are getting this error during deployment. It shows compiling for a while, then throws this error.
    Here is the piece from detail window:
    ===========
    at oracle.wh.repos.pdl.security.SecurityPolicyManager.getAccessCharMapOfPrivilegeOwner(SecurityPolicyManager.java:174)
         at oracle.wh.repos.impl.foundation.CMPElement.getAccessCharMapOfPrivilegeOwner(CMPElement.java:2806)
         at oracle.wh.repos.pdl.security.OWBSecurityImpl.hasPrivilege(OWBSecurityImpl.java:914)
         at oracle.wh.repos.pdl.security.OWBSecurityImpl.internalSecurityCheck(OWBSecurityImpl.java:1542)
         at oracle.wh.repos.pdl.security.OWBSecurityImpl.securityCheck(OWBSecurityImpl.java:694)
         at oracle.wh.repos.pdl.security.SecurityModuleImpl.securityCheck(SecurityModuleImpl.java:959)
         at oracle.wh.repos.pdl.security.SecurityModuleImpl.securityCheck(SecurityModuleImpl.java:924)
         at oracle.wh.repos.pdl.dispatcher.EventDispatcherImpl.beforeReadObject(EventDispatcherImpl.java:824)
         at oracle.wh.repos.pdl.foundation.OWBRoot.beforeRead(OWBRoot.java:1785)
         at oracle.wh.repos.owbGen.CMPStringPropertyValueGen.getValue(CMPStringPropertyValueGen.java:217)
         at oracle.wh.repos.impl.properties.CMPStringPropertyValue.getValue(CMPStringPropertyValue.java:117)
         at oracle.wh.repos.impl.extended.PropertyFactory.getStringValue(PropertyFactory.java:440)
         at oracle.wh.repos.impl.extended.CMPWBPrimitiveProperty.rawStringValue(CMPWBPrimitiveProperty.java:260)
         at oracle.wh.repos.sdk.mapping.WBMapHelper.getStringProperty(WBMapHelper.java:716)
         at oracle.wh.repos.sdk.mapping.WBMapHelper.getStringProperty(WBMapHelper.java:733)
         at oracle.wh.repos.sdk.mapping.WBMapHelper.getReferencedLocations(WBMapHelper.java:1361)
         at oracle.wh.service.impl.runtime.EnvironmentUtils.getReferencedLocations(EnvironmentUtils.java:284)
         at oracle.wh.service.impl.runtime.EnvironmentUtils.getReferencedLocations(EnvironmentUtils.java:141)
         at oracle.wh.service.impl.runtime.EnvironmentUtils.getReferencedLocations(EnvironmentUtils.java:135)
         at oracle.wh.service.impl.runtime.RuntimePlatformServiceImpl.getReferencedLocations(RuntimePlatformServiceImpl.java:1238)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandUtil.addConnectorLocations(WHRuntimeCommandUtil.java:477)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandGenerateDeploy.getSingleDeployLocations(WHRuntimeCommandGenerateDeploy.java:3408)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandGenerateDeploy.getLocationsAndNewConnectors(WHRuntimeCommandGenerateDeploy.java:3517)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandGenerateDeploy.doPreDeploymentActions(WHRuntimeCommandGenerateDeploy.java:3224)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandGenerateDeploy._internalDeploy(WHRuntimeCommandGenerateDeploy.java:2420)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandGenerateDeploy.doDeploymentAsynch(WHRuntimeCommandGenerateDeploy.java:2117)
         at oracle.wh.ui.runtime.application.WHRuntimeCommandHandler$1.construct(WHRuntimeCommandHandler.java:1005)
         at oracle.wh.ui.runtime.SwingWorker$2.run(SwingWorker.java:124)
         at java.lang.Thread.run(Thread.java:595)
    ===========
    Did anyone receive such errors?

  • Internal ERROR: Can not find the ACL containter for object ...

    We are using OWB 10.2.0.3. We tried to introduce two basic roles to prevent user A from accessing certain parts of our project. Somehow (I cannot really say how) we ended up with the error message below whenever we want to modify the security properties of an object.
    Neither in Metalink nor in the Oracle forums could I find any hint about that error.
    Can anyone help??
    Thanks in advance, Maren
    Internal ERROR: Can not find the ACL containter for object:CMPMap@1ba11bc/id=2023180/owningFCO=2023180/proxyFor=(CMPMapGen@1a4d5c6/id=2023180/stname=CMPBatchMap/pname=LOAD_XML/lname=LOAD_XML/status=CLEAN/committed=true/persistent=true/propsLoaded=false)
    Internal ERROR: Can not find the ACL containter for object:CMPMap@1ba11bc/id=2023180/owningFCO=2023180/proxyFor=(CMPMapGen@1a4d5c6/id=2023180/stname=CMPBatchMap/pname=LOAD_XML/lname=LOAD_XML/status=CLEAN/committed=true/persistent=true/propsLoaded=false)
         at oracle.wh.repos.pdl.security.SecurityPolicyManager.getAccessCharMapOfPrivilegeOwner(SecurityPolicyManager.java:166)
         at oracle.wh.repos.impl.foundation.CMPElement.getAccessCharMapOfPrivilegeOwner(CMPElement.java:2743)
         at oracle.wh.repos.pdl.security.OWBSecurityImpl.hasPrivilege(OWBSecurityImpl.java:820)
         at oracle.wh.repos.pdl.security.OWBSecurityImpl.internalSecurityCheck(OWBSecurityImpl.java:1449)
         at oracle.wh.repos.pdl.security.OWBSecurityImpl.securityCheck(OWBSecurityImpl.java:649)
         at oracle.wh.repos.pdl.security.SecurityModuleImpl.securityCheck(SecurityModuleImpl.java:660)
         at oracle.wh.repos.pdl.security.SecurityModuleImpl.securityCheck(SecurityModuleImpl.java:623)
         at oracle.wh.ui.common.WhSecurityHelper.securityCheck(WhSecurityHelper.java:112)
         at oracle.wh.ui.console.commands.EditObjectCmd.performAction(EditObjectCmd.java:107)
         at oracle.wh.ui.console.commands.TreeMenuHandler$1.run(TreeMenuHandler.java:188)
         at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:189)
         at java.awt.EventQueue.dispatchEvent(EventQueue.java:478)
         at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:201)
         at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:151)
         at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:145)
         at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:137)
         at java.awt.EventDispatchThread.run(EventDispatchThread.java:100)

    Hi Maren
    Like you I get this error and do not know what steps caused it. In my scenario I have some mappings that give the error and some that do not - the repository user gets the error but the repository owner does not.
    Thinking back over the last number of months (as this project contains 7-8 months of work - we do have exports of the project) I think the ones giving the error are those that perhaps were copied from another to start the coding but I cannot be sure.
    I have read the Metalink note mentioned above as well as the queries posted by Oleg and yourself. The queries posted are slightly different, one has a where clause
    fco.classname = 'CMPACLContainer' (Maren's)
    and the other
    fco.classname='CMPMap' (Oleg's).
    Was this intentional on your behalf, Maren, for your problem to be fixed?
    We are using 10.2.0.3.33 OWB client and 10.2.0.3.0 OWB repository.
    Thanks
    Edwin

  • ASA ACL Problems

    I have several new ASA-5520 boxes. All are configured with version 7.06 (Cisco recommendation) and in active/standby configuration.
    The problem is that the ACLs seem to disappear. For example, I have an outside access list that has about 20 lines. Every once in a while the ACL will start blocking traffic that is permitted by the ACL. When I do a 'sh access-list outside' it says that there are only two elements. They are there when I look at the running config. If I wait a while they start to work again and show up as 'active elements' again. I can force a failover and failback to fix it or restart the firewall. I will open a TAC case on Monday. I was hoping that maybe someone has seen this and has a quick solution.
    Thanks,
    Patrick

    Could you provide the show running-config?

  • SSL VPN Problem - ACL Parse Error

    Hi there.
    Testing some features in Cisco ASA SSL VPN (Clientless).
    But when I connect to the portal, trying to log in, I get the following error, anybody seen this before?
    It works if I ADD an ACL to the DAP, but doesn't if there is only a WEBACL applied??
    It also works if I remove my "check" in the "ssl-client" box in the global_policy (Group Policy).
    6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Delete WebVPN Session message user [email protected], IP X.X.X.X to standby unit
    4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <[email protected]> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL List message rule DAP-web-user-E4EAC90F, line 1 to standby unit
    7|Mar 20 2014|16:45:09|720041|||||(VPN-Primary) Sending Create ACL Info message DAP-web-user-E4EAC90F to standby unit
    6|Mar 20 2014|16:45:09|734001|||||DAP: User [email protected], Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.tunnelgroup = common_tunnelgroup
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username2 =
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username1 = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.username = [email protected]
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.cisco.grouppolicy = global_policy
    7|Mar 20 2014|16:45:09|734003|||||DAP: User [email protected], Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
    6|Mar 20 2014|16:45:09|113008|||||AAA transaction status ACCEPT : user = [email protected]
    6|Mar 20 2014|16:45:09|113009|||||AAA retrieved default group policy (global_policy) for user = [email protected]
    6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = [email protected]

    If you have implemented SSLVPN i18n then I think you are hitting a bug.
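    The posted log is a pipe-delimited ASA syslog export, and it already names the cause of the teardown: message 716046 says the ACL name that AAA returned (carried in the RADIUS Filter-Id attribute, `aaa.radius["11"]["1"]` in the DAP trace) does not exist on the device. The following is an added example, not code from the thread or from Cisco: it parses lines in that export format and correlates 716002, 716046 and 734003 so the missing ACL name is reported directly. The sample lines are constructed to match the shape of the posted ones (user and address are placeholders); the function and variable names are mine.

```python
"""Added example, not from the thread: parse the pipe-delimited ASA syslog
export format shown in the post and correlate the messages that explain an
'ACL Parse Error' WebVPN teardown. The sample lines are constructed to match
the shape of the posted ones (user and address are placeholders)."""
import re

# Constructed sample, same field layout as the lines posted in the thread:
# severity|date|time|message-id|(four empty fields)|message text
SAMPLE_LOG = """\
6|Mar 20 2014|16:45:09|716002|||||Group <global_policy> User <user@example.com> IP <X.X.X.X> WebVPN session terminated: ACL Parse Error.
4|Mar 20 2014|16:45:09|716046|||||Group <global_policy> User <user@example.com> IP <X.X.X.X> User ACL <testcustomer_attribute> from AAA dosn't exist on the device, terminating connection.
6|Mar 20 2014|16:45:09|734001|||||DAP: User user@example.com, Addr X.X.X.X, Connection Clientless: The following DAP records were selected for this connection: testcustomer_common_dap
7|Mar 20 2014|16:45:09|734003|||||DAP: User user@example.com, Addr X.X.X.X: Session Attribute aaa.radius["11"]["1"] = testcustomer_attribute
6|Mar 20 2014|16:45:09|113004|||||AAA user authentication Successful : server =  X.X.X.X : user = user@example.com
"""

MISSING_ACL_RE = re.compile(r"User ACL <([^>]+)> from AAA")
# RADIUS attribute 11 is Filter-Id (RFC 2865); the ASA exposes it to DAP as aaa.radius["11"]["1"].
FILTER_ID_RE = re.compile(r'aaa\.radius\["11"\]\["1"\] = (\S+)')


def parse_line(line: str) -> dict:
    """Split one exported line into severity, message id and message text."""
    parts = line.split("|", 8)
    if len(parts) != 9:
        raise ValueError(f"unexpected field count in: {line!r}")
    return {"severity": int(parts[0]), "id": parts[3], "msg": parts[8]}


def diagnose(log_text: str) -> dict:
    """Correlate 716002 (teardown reason), 716046 (ACL name AAA returned but the
    ASA does not have) and the 734003 line that shows where the name came from."""
    result = {"parse_error": False, "missing_acl": None, "filter_id": None, "auth_ok": False}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["id"] == "716002" and "ACL Parse Error" in ev["msg"]:
            result["parse_error"] = True
        elif ev["id"] == "716046":
            m = MISSING_ACL_RE.search(ev["msg"])
            if m:
                result["missing_acl"] = m.group(1)
        elif ev["id"] == "734003":
            m = FILTER_ID_RE.search(ev["msg"])
            if m:
                result["filter_id"] = m.group(1)
        elif ev["id"] == "113004":
            result["auth_ok"] = True

    if result["parse_error"] and result["missing_acl"]:
        result["verdict"] = (f"AAA returned filter ACL '{result['missing_acl']}' that is not "
                             "configured on the ASA: define it on the device or correct the "
                             "Filter-Id the AAA server sends")
    elif result["parse_error"]:
        result["verdict"] = "ACL Parse Error without a 716046 line: check the DAP/webtype ACL syntax"
    else:
        result["verdict"] = "no ACL parse failure in this log"
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run it against an export with the same column layout; the verdict distinguishes the case where the name came from AAA (716046 present) from a syntax problem in a locally defined webtype ACL, which is the first thing to settle before chasing a software bug.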

  • ASA 5505 Problem ACL

    Dear All,
    I have a problem with the configuration of the ACL of my ASA 5505 router.
    However, the syntax seems okay
    access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any
    Thanks for your help

    Hi,
    It's hard to say when I can't see your whole configuration.
    Have you attached the ACL to an interface on the ASA?
    access-group 102 in interface
    Only then will the ACL have some effect on the traffic. Though remember to allow other traffic in the SAME ACL. Otherwise you will block all traffic from behind the interface to which you attach this ACL.
    However, this ACL won't block ICMP between the hosts on the same network, naturally.
    - Jouni
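    Two points in the reply above are easy to get wrong: an ASA extended ACL is evaluated first match wins with an implicit deny at the end, so the single deny line posted blocks every other flow once it is bound with access-group, and traffic between two hosts on the same connected subnet never reaches the firewall interface at all. The following is an added example, not code from the thread or from Cisco: a small simulator of that evaluation that parses the ACL line exactly as posted, evaluates sample flows against it, and then against the same ACL with a permit line added. The permit line, the sample addresses and the function names are my assumptions; binding with access-group is taken as already done.

```python
"""Added example (not from the thread): simulate ASA-style extended-ACL
evaluation, first match wins with an implicit deny at the end. It shows why
the lone deny line from the thread blocks everything once attached to an
interface, why a permit line in the same ACL fixes it, and why same-subnet
traffic is never seen by the ACL. Addresses and the extra line are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "icmp", "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tok: list[str]):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' and return a network."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST'. Only the subset
    used in the thread is supported: no ports, no object-groups."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto, rest = tok[3], tok[4], tok[5:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens not supported: {rest}")
    return Ace(action, proto, src, dst)


def evaluate(acl: list[Ace], proto: str, src: str, dst: str) -> str:
    """First matching ACE decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny (implicit)"


def crosses_firewall(src: str, dst: str, inside_net: str) -> bool:
    """Two hosts on the same connected subnet talk to each other directly,
    so the packet never hits the ASA interface and the ACL cannot act on it."""
    net = ipaddress.ip_network(inside_net)
    return not (ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net)


# The ACL exactly as posted in the thread: a lone deny line.
ACL_AS_POSTED = [parse_ace("access-list 121 extended deny icmp 192.168.0.0 255.255.255.0 any")]
# The same ACL with "other traffic" allowed, as the reply recommends (constructed line).
ACL_FIXED = ACL_AS_POSTED + [parse_ace("access-list 121 extended permit ip any any")]


def demo() -> dict:
    """Sample flows from a constructed inside host to a constructed outside host."""
    inside, outside = "192.168.0.10", "198.51.100.7"
    return {
        "icmp_posted": evaluate(ACL_AS_POSTED, "icmp", inside, outside),   # deny
        "tcp_posted": evaluate(ACL_AS_POSTED, "tcp", inside, outside),     # deny (implicit)
        "icmp_fixed": evaluate(ACL_FIXED, "icmp", inside, outside),        # deny
        "tcp_fixed": evaluate(ACL_FIXED, "tcp", inside, outside),          # permit
        "same_subnet_hits_acl": crosses_firewall(inside, "192.168.0.20", "192.168.0.0/24"),  # False
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    The `tcp_posted` result is the one that bites in practice: with only the deny line bound to the interface, web and DNS traffic from behind it fall through to the implicit deny, which is why the reply insists on permitting the remaining traffic in the same ACL.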
