ASDM versus CLI - named access-list etc

I'm a CLI junkie now using ASDM v5.2(3) on ASA55x0. Where are the named access-lists I'm used to working with in PIX 6.3(x) CLI? I want to continue to create my named access-lists so I and my colleagues can continue to use our standard templates for configuration tasks. I'm not interested in the ones created automatically such as "access-list in_out-back_forth-UpDown-interfaceSomeWhere0.1". These only confuse my staff when trynig to complete config tasks.

Adam - yes you are correct - strange that they have to be accessed via Split Tunnel Network List, but so be it. I can now create a named ACL with our standardized names, but how do I reference it by name later when applying to some policy?
Typically one might have:
access-list AllowInbound
permit icmp any interface outside echo-reply
permit icmp any interface outside unreachable
permit icmp any interface outside time-exceeded
access-group AllowInbound in interface outside
Thx - Phil

Similar Messages

  • Convert named access list to line numbers

    I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
    I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
    Thank you!

    Hi Emily,
    I guess this is what you are looking for. I have not tried it my self but would like to test it out.
    1. enable
    2. configure terminal
    3. ip access-list resequence access-list-name starting-sequence-number increment
    4. ip access-list {standard | extended} access-list-name
    5. sequence-number permit source source-wildcard
    or
    sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    6. sequence-number deny source source-wildcard
    or
    sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
    8. end
    9. show ip access-lists access-list-name
    This link should help :
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
    regards,
    -amit singh

  • Cant use named access list

    have have tried on 2 routers. 1803, and 2600 to use named access list, by typing access-list "extended" name, it will nto let me type this in, is there any reason why it wont let me do this ?

    Carl,
    The command is
    (config)#ip access-list extended [word]

  • I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • Static NAT using access-lists?

    Hi,
    i have an ASA5520 and im having an issue with static nat configuration.
    I have an inside host, say 1.1.1.1, that i want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that i have other clients who i would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the nat address i would like to flip this logic if possible.
    Can i create a nat rule that only matches an access list i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, dont nat?
    My Pix cli skills arent the best, but the ASDM suggests that this is possible - on the nat rules page there is a section for the untranslated source to ANY, and if i could change ANY i would but dont see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    then use NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    to permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    you'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • Access List - cisco 2600- HELP

    Hi,
    i want ask we, if the access list are bi-directional or it are one-directional?
    If i want negate "LAN A" (eth1) to go in "LAB B" (eth0) which acl i must use and then "LAN B" can go to "LAN A"?
    Thanks

    Emanuele
    When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
    I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
    If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
    If I have not understood your question correctly please clarify what you are attempting to accomplish.
    HTH
    Rick

  • AAA Authorization named authorization list

    Ladies and Gents,
    Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the Named Method List i.e. the none-default method list?
    I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
    In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
    Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
    I've been struggling with this issue for two days, I have couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for nat to deny the packets that are going to the tunnel from getting NATed, I have the same config for all the tunnels but the issue is with xxx_NAT access-list that is not even being hit by the packets so my xxx tunnel wont come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. here is my config :
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

    As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
    So just a guess:
    The "ip nat inside source route-map-"staements are processed in a lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation which you should see with "show ip nat translation".
    HTH, Karsten

  • Cleaning up Access Lists

    Here is an access list I want to know if I can "clean up" :
    access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
    access-list outside_access_in extended permit object RDP any any
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in_1 extended permit object RDP any object FileServer
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
    access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
    access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
    access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
    access-list outside_access_in_1 extended permit icmp any object DattoDevice
    access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
    access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
    What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

    Hi,
    To my understanding the numbering in the format "_1" (and similiar) are generated by device when you configure it through the ASDM.
    The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
    I would imagine that only one of them it attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
    show run access-group
    You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably wont need all the statements (if any). The first line of the ACL you seem to have in the new one already.
    The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I cant see.
    Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say whats the case.
    The last (fourth) line of the ACL seems to be a RDP rule that previously allowed RDP connections towards a host that used the PIX firewalls "outside" interface as its public IP address. This wont be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT conigured.
    The ACL named "RemoveVPN_SplitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
    At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seems to be ACLs configured for L2L VPN connections. Considering the destinatin subnet in both of these is identical I imagine that also only one of these is in actual use at the moment.
    You can check what is in use with the command
    show run crypto map
    Hope this helps :)
    - Jouni

  • Req help: creating access-lists

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T8.bin
    connected to internet by wic1-adsl card
    I would like to configure my router to block the following ranges of ip's.
    Start IP End IP
    69.25.60.0 69.25.61.255
    208.111.154.0 208.111.154.255
    209.249.86.0 209.249.86.255
    problem is I'm beginner level at configuring the cisco router so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

    Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
    I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
    no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
    Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
    ip access-list extended
    deny ip 62.25.60.0 0.0.1.255 any
    deny ip 208.111.154.0 0.0.0.255 any
    deny ip 209.249.86.0 0.0.0.255
    exit
    interface x/x
    ip access-group
    end
    Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered acl, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the routers parser syntax.

  • Setting the access-list on a IDSM blade

    I have a IDSM blade for a 6500 series switch. I need to modify the administrative access-list from the CLI so I can get into it remotely and with CME
    I see in the config entries like this
    access-list 192.168.100.10/32
    I assume this is the section for authorized hosts to access the IDSM
    but I can't figure out how to add an entry?
    any advice would be great

    on the console you can add entries the following way:
    in conf-mode:
    service host
    network-settings
    access-list 10.10.10.0/24 ! or whatever you want to add
    exit
    exit
    answer "yes" to apply changes
    exit
    !(ready)
    Sent from Cisco Technical Support iPad App

  • Access List and Conflict Resolution Problem!

    My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
    I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
    Setting the Conflict Resolution Level
    You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
    See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
    Unfortunately the referenced Adminstration Guide for DSAME contains exactly 0 occurances of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
    So, I've set up my Access List services as follows:
    o URL Deny is blank on all Access Lists
    o URL Allow set as follows
    ---- isp
    ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
    ---- acme.com organization
    ------- Conflict Resolution: Highest
    ------- http://portal.acme.com/portal/* (same as above)
    ---- Acme Customers Role - shared role for all Acme customers
    ------- Conflict Resolution: Medium
    ------- http://www.acme.com/*
    ------- http://support.acme.com/*
    ------- http://support2.acme.com/*
    ---- RoadRunner role - specific role for a specific customer
    ------- Conflict Resolution: Medium
    ------- http://roadrunnerinfo.acme.com/*
    The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
    The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
    If I set the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
    If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
    So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
    Thanks!
    -matt

    Did you ever get anywhere with this. My experiments seem to inidicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

  • Cisco 12.1 Access-list

    We currently have a ip address on the other interface of a Cisco 2600 running 12.1 that we need to isolate so it cannot communicate via ip with our interface. Would this be possible with an ACL? I have written many of them for our PIX, but I was wondering how to do this on 12.1. If Someone could walk me through my first ACL to do this on 12.1 I would greatly appreciate it.
    Thanks

    Eric
    We need a bit of clarification. It may sound picky but it is an important distinction: are you attempting to prevent interface FastE0/0 from communicating with inteface FastE1/0 or are you attempting to prevent end stations on the subnet connected to FastE0/0 from communicating with end stations connected to FastE1/0?
    The first case is not possible with access lists. (There may be a way to do it with Policy Based Routing). The second case is possible and could be done with something like this:
    assume that the subnet on FastE0/0 is 192.168.1.0/24 and assume that the subnet on FastE1/0 is 192.168.2.0/24
    create 2 access lists and assign one to each interface.
    access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip any any
    access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip any any
    interface faste0/0
    ip access-group 120 in
    interface faste1/0
    ip access-group 110 in
    adjust addresses etc to fit your situation. Try it and let us know if it works.
    HTH
    Rick

  • Different "access-list outside_cryptomap" for every VPN?

    Hi,
    Just for my understanding.
    I have one VPN connected to my Cisco ASA 5520, when I tried to add another VPN the I have to create a 2nd cryptomap, can I not create a group so there is one crypto map?
    Currently I have:
    access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
    I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
    But wondered if I could use some thing like:
    access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks
    When I do this though I guess it will cause a problem with the peer address?

    Is there a certain order I need to add the config into the CLI aswell?
    I have this to add:
    access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
    crypto map outside_map 1 match address outside_MYcryptomap_1
    crypto map outside_map 1 set pfs group5
    crypto map outside_map 1 set peer 1.2.3.4
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 86400
    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 general-attributes
    default-group-policy CBSO-L2L
    tunnel-group 1.2.3.4 ipsec-attributes
    pre-shared-key abcdefgh

  • APEX Pages - User Access List with NTLM

    Hi,
    I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
    I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
    1. users (hold user name, and user data)
    2. pages (hold APEX Applications pages)
    3. access_list (hold combined data of users and pages and access flag)
    The last table will give me an SQL that can be used to create page level Authorization Scheme.
    The problem is:
    I cannot find a way to get a list of user ids to pre-populated the table users. Is there a way that an administrator user use an LOV of all NTLM user instead of typing domain\user to this application? OR is there a better and elegant way to create User Access List with NTLM.
    Your helps will really help me, and thanks in advance.
    Regards,
    Aulia

    This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
    You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
    That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
    If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
    Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
    I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

Maybe you are looking for