Add network object to access list

Can someone please show me how to add existing network objects to existing access control lists in a network object group using the CLI on an ASA running version 9.x, on the inside interface? The source is an already existing network object and the destination is an existing network object group. Thanks.

Hi,
I am not entirely sure of what you are asking.
What I understood is that you have the following already:
An "access-list" that is attached to the "inside" interface
An existing "object network <name>" configured that will be used as the source for the "access-list" rule
An existing "object-group network <name>" configured that will be used as the destination for the "access-list" rule
If the above is true then you would simply configure
access-list <acl-name> permit ip object <object-name> object-group <group-name>
The above though would permit all TCP/UDP traffic.
If you want to only allow specific ports for either TCP or UDP then you would use the format
access-list <acl-name> permit tcp object <object-name> object-group <group-name> eq <port>
access-list <acl-name> permit udp object <object-name> object-group <group-name> eq <port>
Naturally if you want to allow multiple ports there would be further ways to group those ports together also inside "object-group" to make the configuration smaller/cleaner.
Please let me know if you were looking for something else and I misunderstood.
Hope this helps
- Jouni

Similar Messages

  • Why after I add a object to a list, the whole list changes?

    I tried to call the add method of ClientList from a jsp webpage,
    by looking at the log file, i found that for the 2nd time insert an Object into clientlist (say
    client 1 is: IPAddress= 167.30.22.33
    client 2 is IPAddress=167.30.22.44), what i get from the system log is that I have two
    167.30.22.44 in the list, the first one is gone,
    after I add the third item, the list just contains three identical third item, the former two are gone,
    What 's wrong with my code? From the system log, I know that the parameters passed to the method clientlist.add are correct.
    thank you.
    My code is like this :
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.Iterator;

    // Client and ClientListItem are the poster's own classes (not shown in the post).
    public class ClientList {
        HashMap<String, ClientListItem> items = null;   // keyed by client IP address
        ArrayList<Client> listitems = null;
        int numberOfItems = 0;

        public ClientList() {
            items = new HashMap<String, ClientListItem>();
            listitems = new ArrayList<Client>();
        }

        public synchronized void add(Client cl) {
            if (items.containsKey(cl.getIPAddress())) {
                // Same IP already present: bump its count instead of adding again
                ClientListItem clitem = (ClientListItem) items.get(cl.getIPAddress());
                clitem.incrementQuantity();
            } else {
                System.out.println("clist.add called: " + cl.getIPAddress() + "\n");
                ClientListItem newItem = new ClientListItem(cl);
                items.put(cl.getIPAddress(), newItem);
                listitems.add(cl);   // stores a reference to cl, not a copy
                for (Iterator i = listitems.iterator(); i.hasNext(); ) {
                    Client clt = (Client) (i.next());
                    System.out.println("after adding : " + clt.getIPAddress() + "\n");
                }
            }
        }
    }

    I'm willing to bet that what is happening here goes as follows:
    // Step 1:  Create a client 1 object
    // Step 2:  Call add with this client object creating a string key with a client value
    // Step 3:  redefine the data in the first client object with the data for the second
    //          In this step you probably did not create a new client object, but simply
    //          changed the data in the original
    // Step 4:  Call add with the "redefined" client object comparing the string key with
    //          some data from the client, determining it is not in the list adding it again
    What the above does (if this is the way you are doing it) simply places the same client
    object into the hash twice with two different keys. And in step 3, by changing the original object,
    you also changed the object already in the hash, because as already said, they are the same object.
    Edit: And nevermind, jverd already said this. ;-)

  • Is there a way to add new objects to object changeability list?

    My production system is locked and I need to change object type RSFO (formula). I looked at the object changeability list and it does not contain RSFO. Is there a way to add this object to this list so I can change it directly in production? Thanks.

    Hi,
    I hope you can create a similar formula in production, as in production we can change reports, process chains, aggregates and infopackages.
    Ramesh

  • Cleaning up Access Lists

    Here is an access list I want to know if I can "clean up" :
    access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
    access-list outside_access_in extended permit object RDP any any
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in_1 extended permit object RDP any object FileServer
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
    access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
    access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
    access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
    access-list outside_access_in_1 extended permit icmp any object DattoDevice
    access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
    access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
    What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

    Hi,
    To my understanding the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
    The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
    I would imagine that only one of them is attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
    show run access-group
    You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably won't need all the statements (if any). The first line of the ACL you seem to have in the new one already.
    The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I can't see.
    Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say what's the case.
    The last (fourth) line of the ACL seems to be a RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
    The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
    At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical I imagine that also only one of these is in actual use at the moment.
    You can check what is in use with the command
    show run crypto map
    Hope this helps :)
    - Jouni

  • Can I create a network object from CIDR format or do I need to use IP - netmask?

    Have a Cisco ASA running ASA version 8.3.
    Wondering what the correct syntax is, or even if it is possible, to create a network object from a list of IPs in CIDR format?
    Typically just do this:
    Create network-object
    object-group network name
    network-object 1.2.3.0 255.255.255.0
    Would like to do this: 
    network-object 1.2.3.0/24
    thanks!

    Hi,
    As far as I know the ASA does not support entering a network/subnet mask in such format in any of its configurations.
    - Jouni

  • ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

    Hi All,
    I'm adding an extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify an interface name instead of an object or host/network, but I can't find it documented anywhere. What is the behavior of that?
    access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
    Is it matching the egress interface or what?

    Use the interface name rather than IP address to match traffic based on which interface is the source or destination of the traffic. You must specify the interface keyword instead of specifying the actual IP address in the ACL when the traffic source is a device interface. For example, you can use this option to block certain remote IP addresses from initiating a VPN session to the ASA by blocking ISAKMP. Any traffic originated from or destined to the ASA, itself, requires that you use the access-group command with the control-plane keyword.

  • Access list with multiple object groups

    Hello Everyone,
    I am using a Cisco ASA 5525 with 8.6 code.  I am trying to set up an access list for outbound access, meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
    I am trying to use object-groups where ever i can.  Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This what i think it should be "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this maybe with a few examples.  I am already using object groups in many acls but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
    - Jouni
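To make visible what the packet-tracer output above is showing, here is an added example (not from the post and not ASA code) that expands a single object-group ACE into the concrete element lines the ASA matches on and evaluates a flow against them top-down with the implicit deny. The groups are constructed to mirror the ones in the post.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed groups that mirror the object-groups shown in the post above.
SERVICE_GROUPS = {
    "obj_Meraki_outbound": [("tcp", 443), ("tcp", 80), ("tcp", 7734),
                            ("tcp", 7752), ("udp", 7351)],
}
NETWORK_GROUPS = {
    "obj_Meraki_lan": ["10.2.11.0/28", "10.5.11.0/28"],
    "obj_Meraki_pub": ["64.156.192.154/32", "64.62.142.12/32", "64.62.142.2/32",
                       "74.50.51.16/32", "74.50.56.218/32"],
}
# Well-known ports that the ASA prints by name in "show access-list".
PORT_NAMES = {80: "www", 443: "https"}


def expand_ace(service_group, src_group, dst_group):
    """Expand one 'permit object-group SVC object-group SRC object-group DST'
    ACE into concrete (proto, src_net, dst_net, dst_port) elements.
    Each element is one line of the expanded ACL that is actually matched."""
    services = SERVICE_GROUPS[service_group]
    srcs = [ip_network(n) for n in NETWORK_GROUPS[src_group]]
    dsts = [ip_network(n) for n in NETWORK_GROUPS[dst_group]]
    return [(proto, src, dst, port)
            for (proto, port), src, dst in product(services, srcs, dsts)]


def element_line(acl_name, line_no, elem):
    """Render one element in the 'show access-list' style (without hitcnt)."""
    proto, src, dst, port = elem

    def net(n):
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        return f"{n.network_address} {n.netmask}"

    return (f"access-list {acl_name} line {line_no} extended permit {proto} "
            f"{net(src)} {net(dst)} eq {PORT_NAMES.get(port, port)}")


def evaluate(elements, proto, src_ip, dst_ip, dst_port):
    """Top-down, first-match evaluation with the implicit deny at the end.
    Returns ('ALLOW', index of matching element) or ('DROP', None)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for idx, (p, s, d, port) in enumerate(elements):
        if p == proto and src in s and dst in d and port == dst_port:
            return "ALLOW", idx
    return "DROP", None  # nothing matched: implicit deny


if __name__ == "__main__":
    acl = expand_ace("obj_Meraki_outbound", "obj_Meraki_lan", "obj_Meraki_pub")
    print(f"{len(acl)} element lines behind one object-group ACE")
    # The same flow traced above: 10.2.11.1 -> 64.156.192.154 tcp/80
    action, idx = evaluate(acl, "tcp", "10.2.11.1", "64.156.192.154", 80)
    print(action, element_line("outbound_access", 1, acl[idx]))
    # A source outside the /28 and a destination outside the group both drop
    print(evaluate(acl, "tcp", "10.2.11.20", "64.156.192.154", 80))
    print(evaluate(acl, "tcp", "10.2.11.1", "198.51.100.1", 80))
```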

  • HT3477 Why would a Guest network need an Access Control List?

    I have an Airport Extreme running software 7.6.4 and I have figured out today, to my dismay, that because I have an Access Control List active on my main network (with MAC addresses of my devices), the Guest Network feature, as implemented, becomes simply useless.
    Essentially any friend coming at my place, to whom I want to share my internet connection for a while (say, a couple of hours) with an easy password, either provides me with the MAC address of his device, or has no access at all. And if he has to give me the MAC, then I could just simply add him to the main network in the first place and, BTW, I need to give him also the (complicated) password of my main network.
    What is the purpose of a Guest Network then, if it is subject to the same access restrictions of the main one? I need to remove the access list on my main one, to offer quick and easy access to friends and family defeating the purpose of protecting my main network with MAC addresses and a separate guest network?
    I don't get it. This is a bug. It has to be. I see no logic in it, in the way it is implemented. Or it should have 2 separate access lists, for flexibility. But a *Guest* network, should be by definition open, or easy access (with password, sure, if necessary) - and in case it should have restricted access, it should be by time maybe, not by MAC address....!

    Why would a Guest Network need an Access Control List
    The short answer would be that it would not need an Access Control listing......if you used the default settings in Timed Access.
    Sorry, but I do not understand how you have constructed your Timed Access control list.
    Normally, you would use the default settings and leave the "main" (and "guest") networks set for Unlimited Access.....and then only list the devices that you want to limit separately, establishing "rules" and timeframes for each device that you want to control.
    When you do it the default way, a user would be able to connect to the Guest Network at any time, provided that he/she had the password for the guest network. No MAC Address needed at all.
    If you wanted to limit the time that the "guest" could connect to the guest network, you would have to set up a "rule" for the guest. I would not normally think of limiting the time that a guest could connect.....(unless the guest were one of the grandkids).
    It sounds to me as if you might have set the default network setting to No Access, and you have then set up each device with the times that they would be allowed to connect.
    If you did it this way, then the default No Access would also apply to the Guest Network....and any guest would have to then be set up by MAC Address with a rule set for the times that they were allowed to connect.
    Personally, I have changed the default rule for the "main" (and guest) networks from Unlimited Access to Everyday between 7:00 AM and 11:30 PM. So no one on either the main or guest network can connect before 7:00 AM or after 11:30 PM.
    Then, there are a few rules that I have for devices that connect to the guest network to further limit them to certain times each day. You could do this as well for devices that you want to control on the "main" network.

  • How do I add a printer connected to another iMac on the network to my printer list?

    How do I add an Epson printer connected to an iMac on the network to the printer list on my MacBook Pro? I cannot get it to show up in the list for printers to add.

    That only works if the printer is itself a network printer. You can't do it if it is directly connected to another computer on the network unless it is configured to be a Shared Printer on the other computer.

  • New objects in selection list to add to qualification subprofile

    Hi all,
    I am trying to add a object (e.g. person) to a qualification subprofile (e.g. Potentials). How can I add a new object to the selection list (by creating a new object)  so I can choose this new object to be added to the subprofile.
    Thanks in Advance

    Pandit
    There are more than one ways of doing this.
    The best option is to create a freely definable attribute (SPRO --- APO >> Master data >> Freely definable attributes) at material location level and now you will automatically be able to see the attribute when you create a selection id. But you have to make sure you add logic in your material CIF user exit or create a custom program in APO to populate the desired values for the freely definable attribute for all materials in the selection.
    Thanks
    Saradha

  • With Timed Access List on, Guest users cannot access Guest network.

    I have an ABS with the 7.5 version. In the Timed Access window I have the default set to "no access". Then, all the computers that are allowed access to the main network are on the list. Then I have the main network hidden. My guest network is broadcasting but when a user tries to connect to it, they get an "Unable to connect". If I change the default access in Timed Access to "Everyday", users are then able to connect to the Guest network again.
    Obviously, this is a bug. I don't want people accessing the main network that aren't on the timed access list. However, I still want guest users to access the Guest Network.
    It looks to me that the Timed Access window is controlling the restriction of the Guest and Main network, when it should only be controlling the Main only.
    Hopefully, apple has noted this issue and will be fixed on the new update. If other people are experiencing this problem, Please let me know.
    -Ghost

    Apple just updated the airport to 7.5.1. But there is still a problem with the guest network not allowing access. If the "Unlimited" is set to "No Access" in the access list it prevents anybody from accessing the guest network. It should only deny your Main wireless Network.
    In other words, the Access List is controlling the access for both wireless networks (Guest and Main network).
    Either Apple needs to create two Access Lists, one for the Main network and one for the guest network, or just have the option to choose which Network you want to restrict, leaving the second one open for all.
    -Ghost

  • Removed ip access-list & lost network connectivity

    An access-list was removed to edit and replace. Once the access-list was removed we lost network connectivity to the remote router. This list is an extensive one. But when we removed it on other remote routers, network connectivity remained. Can anyone tell me why? Is this typical of access-lists, and is it good practice to wait until after business hours?

    No problem.
    I am sure that we have all had experiences of looking at things we have written, or questions answered, and realized that what we wrote was not quite what we were thinking as we created it.
    Your main point is well taken that it is good practice to remove the access-group before removing and changing the content of access lists.
    Sometimes I take a slightly different approach: I will build a new version of the access list using a different number (if I am changing access list 101, I may create list 102) which is the modified version of the list. I then change the access-group to reference the new version of the list. This may have a couple of advantages including the fact that the interface is always protected by some access list. Also it makes backing out changes easier if we discover that there was some flaw in our list modification.
    HTH
    Rick

  • How to create an Access list on core switch to block all Internet Traffic & allow some specific Internet Traffic

    Hello Everyone,
    I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
    I want to allow the whole Intranet, but a few intranet hosts also need access to the internet.
    Can we create such an Access-List with the above requirement?
    I tried to create the ACL on the switch but it blocks the whole internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan <number>
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

  • Static nat with port redirection 8.3 access-list using un-nat port?

    I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
    object network obj-10.1.1.5-06
    nat (inside,outside) static interface service tcp 3389 3398
    object network obj-10.1.1.5-06
    host 10.1.1.5
    access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
    access-group outside_access_in in interface outside
    So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
    Thanks in advance..

    Hello,
    I would be more than glad to explain to you what is going on!
    The thing is, since 8.3 NAT is reviewed before the ACL. So the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.
    After the packet is un-NATted, what we have is the private IP addresses and the real ports. So that is why on these versions you have to point the ACL to the private IP addresses and ports.
    Regards,
    Julio
    Rate helpful posts
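The order Julio describes (un-NAT first, then the interface ACL) is what decides which port the ACE has to name. Here is an added example (not from the post and not ASA code) that models the poster's static PAT rule and both ACL variants; the outside interface address and the client address are constructed.

```python
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"  # constructed address for the ASA "outside" interface


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """nat (inside,outside) static interface service PROTO REAL_PORT MAPPED_PORT"""
    proto: str
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


# object network obj-10.1.1.5-06 / host 10.1.1.5
# nat (inside,outside) static interface service tcp 3389 3398
NAT_TABLE = [StaticPat("tcp", "10.1.1.5", 3389, OUTSIDE_IP, 3398)]


def un_nat(pkt, table):
    """Inbound on 'outside': rewrite the mapped destination to the real one.
    A packet that matches no translation is left as it is."""
    for rule in table:
        if (rule.proto == pkt.proto and pkt.dst_ip == rule.mapped_ip
                and pkt.dst_port == rule.mapped_port):
            return Packet(pkt.proto, pkt.src_ip, rule.real_ip, rule.real_port)
    return pkt


def acl_permits(acl, pkt):
    """ACEs given as (proto, dst_port), i.e. 'permit PROTO any any eq PORT';
    evaluated top-down, first match wins, implicit deny at the end."""
    for proto, dst_port in acl:
        if proto == pkt.proto and dst_port == pkt.dst_port:
            return True
    return False


def inbound_decision(pkt, nat_table, acl, pre_83=False):
    """8.3+ order (default): un-NAT first, so the interface ACL sees the real
    address and port.  pre_83=True models the old order, where the ACL was
    matched against the mapped (public) address and port."""
    seen_by_acl = pkt if pre_83 else un_nat(pkt, nat_table)
    return "ALLOW" if acl_permits(acl, seen_by_acl) else "DROP"


# The two ACLs the poster tried: the mapped port and the real port.
ACL_MAPPED_PORT = [("tcp", 3398)]   # access-list outside_access_in ... eq 3398
ACL_REAL_PORT = [("tcp", 3389)]     # access-list outside_access_in ... eq 3389

if __name__ == "__main__":
    rdp = Packet("tcp", "198.51.100.7", OUTSIDE_IP, 3398)  # constructed client
    print("8.3+, ACL on 3398:", inbound_decision(rdp, NAT_TABLE, ACL_MAPPED_PORT))
    print("8.3+, ACL on 3389:", inbound_decision(rdp, NAT_TABLE, ACL_REAL_PORT))
    print("pre-8.3, ACL on 3398:",
          inbound_decision(rdp, NAT_TABLE, ACL_MAPPED_PORT, pre_83=True))
```

Because the ACE is matched after translation, it can also be scoped to the real host (`object obj-10.1.1.5-06`) rather than `any`, which is the narrower rule to keep.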

  • Object-group with network-object containing an IP address range

    Hello,
    Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    network-object-group mode commands/options:
      A.B.C.D  Enter an IPv4 network mask
    sh run ob id test
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly. Thank you.
    -John

    Hello,
    Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:
    192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.
    With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".
    To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.
    Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Packet trace results in allowing the "range" of IP address:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: allow
    Now with the "correct" configuration:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thank you.
    -John
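The configuration the ASA accepted here (192.168.0.0 192.168.63.255) is not a netmask at all, which is why the deny never matched. The added example below (not from the post and not ASA code) lints `network-object` lines for that mistake and, when the two addresses form a single CIDR block, suggests the network/netmask form John ended up with; it goes a little beyond the post by also catching non-contiguous masks.

```python
import re
from ipaddress import IPv4Address, summarize_address_range

NETWORK_OBJECT = re.compile(r"^\s*network-object\s+(\S+)\s+(\S+)\s*$")


def is_valid_netmask(mask):
    """True when the mask is a contiguous run of 1-bits followed by 0-bits."""
    m = int(IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0  # ~mask must be 2**k - 1


def range_to_mask(first, last):
    """If first..last is exactly one CIDR block, return (network, netmask)."""
    try:
        nets = list(summarize_address_range(IPv4Address(first), IPv4Address(last)))
    except ValueError:  # last < first, or an unparsable address
        return None
    if len(nets) != 1:
        return None
    return str(nets[0].network_address), str(nets[0].netmask)


def check_network_object(line):
    """Lint one 'network-object A B' line.
    Returns (ok, message, suggested replacement line or None)."""
    m = NETWORK_OBJECT.match(line)
    if not m:
        return True, "not a network-object line", None
    first, second = m.groups()
    if first == "host":
        return True, "host object", None
    if is_valid_netmask(second):
        return True, "valid network/netmask", None
    fix = range_to_mask(first, second)
    if fix:
        return (False,
                f"{second} is not a netmask; {first}-{second} is the block {fix[0]} {fix[1]}",
                f"network-object {fix[0]} {fix[1]}")
    return (False,
            f"{second} is not a netmask and {first}-{second} is not one CIDR block",
            None)


if __name__ == "__main__":
    # Constructed lines: the poster's range, the correct mask, and a mistyped mask.
    for line in ["network-object 192.168.0.0 192.168.63.255",
                 "network-object 192.168.0.0 255.255.192.0",
                 "network-object 10.5.11.0 255.255.225.240"]:
        print(line, "->", check_network_object(line))
```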
