ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?

Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword.

Similar Messages

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
    policy-map global_policy
    class inspection_default
    inspect_icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If problem is still actual, I can answer you this question.
    Let's see situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
    In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.
    Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.
    If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.
    P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower.

  • ASA 5505 version 9.1(4) NAT issue

    Hi,
    I am using ASA 5505 version 9.1(4) and using dynamic NAT command to NAT(PAT) inside subnet 192.168.3.0/24 with outside interface 192.168.100.2/24
    But unable to ping from inside host to internet or router interface 192.168.100.1 . Please suggest the show running is mentioned below.
    Following is the logical diagram
                                          192.168.100.1/24                          192.168.100.2/24                192.168.3.1                          
      Internet(ISP) ------------------->------------------ Router------------------------->(e0/0)  ASA 5505 (9.1) eth0/4 ----- ---------- Host (192.168.3.22)
    ASA Version 9.1(4)
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    xlate per-session permit tcp any4 any4
    xlate per-session permit udp any4 any4
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ciscoasa(config)# object network Generic_All_Network
    ciscoasa(config-network-object)# sub
    ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0
    ciscoasa(config-network-object)# ex
    ciscoasa(config)# nat (inside,outside) source dynamic Generic_All_Network inte$
    ciscoasa(config)#
    ciscoasa(config)#
    ciscoasa(config)# wr
    Building configuration...
    Cryptochecksum: fe5175c6 25dfd45a 117bd6e3 867486db
    3211 bytes copied in 1.120 secs (3211 bytes/sec)
    [OK]
    ciscoasa(config)# sh run
    : Saved
    ASA Version 9.1(4)
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    xlate per-session permit tcp any4 any4
    xlate per-session permit udp any4 any4
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.100.2 255.255.255.0
    ftp mode passive
    object network inside_hosts
    subnet 192.168.3.0 255.255.255.0
    object network Generic_All_Network
    subnet 0.0.0.0 0.0.0.0
    access-list inbound extended permit ip any any
    access-list inbound extended permit icmp any4 any4
    access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    arp permit-nonconnected
    nat (inside,outside) source dynamic Generic_All_Network interface
    object network inside_hosts
    nat (inside,outside) dynamic interface
    access-group inbound in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.3.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 2
    Cryptochecksum:fe5175c625dfd45a117bd6e3867486db
    : end

    yep I have already removed  nat (inside,outside) source dynamic Generic_All_Network interface
    Following is the latest show-running
    ciscoasa(config)# sh run
    : Saved
    ASA Version 9.1(4)
    hostname ciscoasa
    enable password 2KFQnbNIdI.2KYOU encrypted
    xlate per-session permit tcp any4 any4
    xlate per-session permit udp any4 any4
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.100.2 255.255.255.0
    ftp mode passive
    object network inside_hosts
    subnet 192.168.3.0 255.255.255.0
    access-list inbound extended permit ip any any
    access-list inbound extended permit icmp any4 any4
    access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any
    access-list capi extended permit ip host 192.168.3.22 host 192.168.100.1
    access-list capi extended permit ip host 192.168.100.1 host 192.168.3.22
    access-list capo extended permit ip host 192.168.100.2 any
    access-list capo extended permit ip any host 192.168.100.2
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    arp permit-nonconnected
    object network inside_hosts
    nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.3.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
        308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
        0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
        30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
        13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
        0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
        20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
        65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
        65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
        30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
        30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
        496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
        74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
        68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
        3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
        63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
        0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
        a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
        9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
        7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
        15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
        63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
        18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
        4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
        81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
        db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
        7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
        ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
        45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
        2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
        1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
        03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
        69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
        02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
        6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
        c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
        69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
        1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
        551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
        1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
        2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
        4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
        b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
        6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
        481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
        b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
        5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
        6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
        6c2527b9 deb78458 c61f381e a4c4cb66
      quit
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:b5958fd342c81895465887026d1423b3
    : end

  • ASA 5505 version 8.2 Base License - getting more anyconnect licensing

    Is it possible to increase the number of IPSec VPN peers from 10 to 25 on an ASA 5505 version 8.2 with the base license, simply by adding
    L-ASA-AC-E-5505= and not having to upgrade to the security plus license?
    ASA 5505
    Base License: 10 sessions (25 combined IPSec and SSL VPN1 ).
    Security Plus License: 25 sessions (25 combined IPSec and SSL VPN1).
    Thank You

    I tried  reloading the ASA but to no avail. The ISP cleared their ARP cache as well.While I had the ISP online and they didn't see the printers DHCP request.
    Of course this is all remote but I can see the interface state change when I have the users turn the printer off then on. When I plug the printer into the local LAN it obtains a local DHCP address and I can access it.
    So I'm thinking the printers DHCP request is being blocked at the ASA or somthing else is causing the issue. I am at a loss.

  • Configurate cisco ipsec vpn client at asa 5505 version 8.4

    Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
    please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
    thank you.

    are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
    what version of vpn client ?

  • Extended access list with multiple ports

    Hello All,
    I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
    I receive the following message:
    The informations of my Switch are the following:
    Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
    12.2(52)SG, RELEASE SOFTWARE (fc1)
    Please help me to resolve this problem.
    Best regards.

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • Failed Extended Access-list

    Hello all,
    I am trying to apply this extended access-list  to my router to permit the selected ports and deny the rest but my emails are not sending outside, all emails are stuck in the queue. If I remove the access-list, all emails goes freely. Whats left in my configuration?
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    Interface Dialer 0
    ip access-group 101 out

    Here is the complete configuration.
    Router#sh run
    Building configuration...
    Current configuration : 3665 bytes
    ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    crypto pki token default removal timeout 0
    ip source-route
    ip cef
    no ipv6 cef
    license udi pid C887VA-W-E-K9 sn FCZ1624C30K
    username admin privilege 15 password 7 045A0F0B062F
    controller VDSL 0
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto ipsec profile protect-gre
     set security-association lifetime seconds 86400
     set transform-set TS
    interface Loopback0
     ip address 10.10.10.1 255.255.255.255
    interface Tunnel4120
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication cisco
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip tcp adjust-mss 1360
     tunnel source Dialer0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile protect-gre
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/35
      pppoe-client dial-pool-number 1
    interface Ethernet0
     no ip address
     shutdown
     no fair-queue
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     ip address 192.168.111.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1360
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname xxxxxxxxxxxxxxxxx
     ppp chap password 7 03077313552D0F411E512D
    router rip
     version 2
     network 10.0.0.0
     network 192.168.111.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
    ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
    ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
    ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 permit 192.168.111.30
    access-list 10 permit 192.168.111.0 0.0.0.255
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     stopbits 1
    line vty 0 4
     access-class 10 in
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Router#

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working, Can some one show me the 'right path'?
    Thanks
    Soren                 

    Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NAJob Policies
    ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
    Job Based Password: DisabledDevice Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network.  Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
    1.  Are extended access-lists always source then destination?  Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
    2.  Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11 ?
    This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
    3.  Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
    Thanks!

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • Change an extend access list in a prefix list

    Hallo All,
    I would like to translate an extend access list in a prefix list.
    ip access-list extended x_to_y
    permit ip 1.1.1.1 0.0.1.255 any
    deny ip any host 3.3.3.3
    Any hint?
    Thanks!!!

    Hi Fabio,
    I am sorry but to my best knowledge, this is not going to work.
    You want to perform Policy Based Routing (PBR). For PBR, the packet selection is based on inspecting their header values by an ACL. A prefix-list does not inspect header values; rather, it would inspect routing update contents. This is also the reason why you cannot figure out how to rewrite the second line - because a prefix-list does not have a source-and-destination semantics. It is simply a list of network addresses you would be looking for in routing protocol updates.
    Even the documentation at
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html
    clearly shows that the only supported match commands are match length and match ip address - not match ip address prefix-list.
    I wonder - how come that your platform is unable to accomodate an ACL for PBR in hardware? Can we perhaps try to make this work? A prefix-list is not the way to go.
    Best regards,
    Peter

  • Extended access list question

    Hello,
    any suggestions why the following ACL will not apply?
    access-list 100 permit udp any host 192.168.155.18 eq domain
    access-list 100 permit tcp any host 192.168.155.18 eq domain
    access-list 100 permit tcp any host 192.168.155.18 established
    access-list 100 deny udp any host 192.168.155.18
    access-list 100 deny tcp any host 192.168.155.18
    access-list 100 permit ip any any
    interface GigabitEthernet0/2.16
    description Subnetz 192.168.155.16/28
    encapsulation dot1Q 16
    ip address 192.168.155.17 255.255.255.240
    ip access-group 100 in
    The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
    Thanks,
    Thomas

    Hi Rick,
    no there is no NAT or other things turned on on this device.
    Router#sh ip access-list 100
    Extended IP access list 100
        10 permit udp any host 192.168.155.18 eq domain (379 matches)
        20 permit tcp any host 192.168.155.18 eq domain (5 matches)
        30 permit tcp any host 192.168.155.18 established (1 match)
        40 deny udp any host 192.168.155.18 (788 matches)
        50 deny tcp any host 192.168.155.18 (79 matches)
        60 permit ip any any (562 matches)
    Router#sh ip int gi0/2.16
    GigabitEthernet0/2.16 is up, line protocol is up
      Internet address is 192.168.155.17/28
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound  access list is not set
      Proxy ARP is disabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are never sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is enabled
      IP CEF switching is enabled
      IP Flow switching turbo vector
      IP Flow CEF switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, Flow cache, CEF, Full Flow
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
    Thanks,
    Thomas

  • Extended access-list error using FQDN

    Hi,
    I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host.
    For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
    This is how I normally add these rules (the ip addresses are fictive):
    access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
    When I try to add this using the hostname on our asa I get an error:
    access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com  ?
    ERROR: % Unrecognized command
    I've tried it without the 'www', so hostname.com but same error.
    How can I solve this?
    Thanks in advance for your time and help
    Regards,

    @zulqurnain
    Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too.

  • Extended access list on Cisco routers

    Can you edit an access list without delete the entire list? In other words, can you remove a sequence entry with the access list?
    Thanks

    Yes, you can.  If you do sh access-list, the router will show the sequence number.  You can than add a sequence, delete a sequence or change one.
    For example  if you have an acces-list like this:
    Extended IP access list test
    10 deny ip 10.10.10.0 0.0.0.255 any log
    15 deny ip 11.11.11.0 0.0.0.255 any log
    you can now add a new sequence between 10 and 15
    11 deny ip 172.16.10.0 0.0.0.255 any log
    You just have to make sure to use the sequence number when you create the last access-list
    HTH

  • ACL - extended access lists

    Hi, I'm working through the CCNA ICND2.  Section:  IP Access Control Lists
    On p246 it says "the access-list command must use protocol keywork tcp to be able to match TCP ports and the udp keyword to be able to match UPD ports"
    in an example on p264 they list the statement "access-list 101 permit any any eq telnet"
    I would assume that "telnet" is a word value for "port 23" (just like you can type  "eq www" instead of "port 80")
    therefore does it not have to read "access-list 101 permit tcp any any eq telnet"
    ??? many thanks for your answers - much appreciated.

    it's a typo!!

  • Cisco ASA 5505 VPN help for local lan access.

    Hi all,
    I am very new to Cisco systems. Recently I was tasked to enable local lan access for one of my server. The problem is this. I have this server with 2 interfaces. One interface to my FTP server(192.168.2.3) and the other to the Cisco ASA(192.168.1.1). Whenever I connect the server to Cisco Anyconnect VPN, I am unable to access the FTP server anymore.
    I googled and found out that the problem is because the metric level is 1 for Ciscoanyconnect network interface which causes all traffic to go through the Cisco VPN Interface. Another problem is I can't change the metric of the Cisco VPN Interface as whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunnel but my traffic is still going through the VPN connection.
    Anyone can tell me what I am missing here? Sorry I am very new to Cisco systems. Spent about 5 days troubleshooting and I feel I am getting it soon. Anyone can guide me what else I am supposed to do?
    What I did> Configuration>> Remote access VPN>> Network Client Access>> Group Policies>> Advanced>> Split Tunneling>> Uncheck Inherit and select "Exclude Network List below.>> Uncheck Network List and select Manage, Add 192.168.2.0/24 to permit.
    Really appreciate if anyone can tell me what else I can do to ensure my server has access the my FTP Server after connecting to the VPN.
    Thanks all!
    Wen Qi

    Hi,
    Try adding the following configuration
    policy-map global_policy
    class inspection_default
      inspect pptp
    And then try again.
    I'm not 100% would you need to perhaps allow GRE through the firewall even after that. (Protocol 47)
    - Jouni

Maybe you are looking for