ASR 1002 ACL object-group for ZBFW

Hey guys,
Quick question. I just want to know if anyone has experience configuring object-groups for ACLs on the ASR 1002. I am trying to do this on ours to consolidate a large ACL we have. It only works if I specifically use the protocols within the configuration. If I add a service object-group to match my protocols it doesn't match. The same configuration works on a 2811 router.
I have a TAC case open and Cisco is telling me that object-groups are not supported on the ASRs but I have a hard time believing them if the commands clearly exist.
If anyone has experience in this please let me know.
Thanks,
Elton

Elton,
"Hi Joe,
Support will start in 3.9S (Q1CY2013).  Thanks. 
Cheers,
/Mani"
From:
Ask The Expert: Introduction to Cisco ASR 1000 Series Aggregation Services Routers
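Until the platform actually supports object-group ACEs, the grouping can be kept outside the router and expanded into the flat ACEs the older syntax needs, which is the consolidation the question is after without depending on the feature. The following Python is an added example, not the poster's configuration and not any Cisco tooling: the group names, addresses and services are constructed documentation values. It also makes explicit one detail that bites when converting by hand: `object-group network` members are written with a netmask, while a flat extended ACE wants the inverted wildcard mask.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample groups using documentation address space; these are
# not the poster's real configuration. Network members use prefix notation
# and are rendered to host/wildcard form when the ACE is emitted.
NETWORK_GROUPS: Dict[str, List[str]] = {
    "NG-MGMT-HOSTS": ["192.0.2.10/32", "192.0.2.11/32", "198.51.100.0/24"],
    "NG-ROUTERS": ["203.0.113.5/32"],
}
# Service members as (protocol, destination port), like `object-group service`.
SERVICE_GROUPS: Dict[str, List[Tuple[str, int]]] = {
    "SG-MGMT": [("tcp", 22), ("tcp", 443), ("udp", 161)],
}

# One group-based entry: action, source group, destination group, service group.
Entry = Tuple[str, str, str, str]


def acl_address(member: str) -> str:
    """Render a network member the way an extended ACE wants it: `host A.B.C.D`
    for a /32, otherwise `network wildcard`. Object-groups take a netmask, ACEs
    take the inverted mask; ipaddress.hostmask is exactly that inversion."""
    net = ipaddress.ip_network(member)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def expand_entry(entry: Entry) -> List[str]:
    """Expand one group-based entry into the flat ACEs that match the same
    traffic: the cross product of service x source x destination members.
    Iteration order is fixed so the generated ACL is stable between runs."""
    action, src_group, dst_group, svc_group = entry
    lines = []
    for proto, port in SERVICE_GROUPS[svc_group]:
        for src in NETWORK_GROUPS[src_group]:
            for dst in NETWORK_GROUPS[dst_group]:
                lines.append(
                    f" {action} {proto} {acl_address(src)} {acl_address(dst)} eq {port}"
                )
    return lines


def render_acl(name: str, entries: List[Entry], tail: List[str]) -> List[str]:
    """Full named extended ACL: header, every entry expanded in order, then the
    literal tail lines (typically the explicit deny with logging). Expanding
    each entry in place keeps first-match semantics identical to the
    group-based ACL it stands in for."""
    lines = [f"ip access-list extended {name}"]
    for entry in entries:
        lines.extend(expand_entry(entry))
    lines.extend(f" {line}" for line in tail)
    return lines


if __name__ == "__main__":
    acl = render_acl(
        "ACL-MGMT-IN",
        [("permit", "NG-MGMT-HOSTS", "NG-ROUTERS", "SG-MGMT")],
        ["deny ip any any log"],
    )
    print("\n".join(acl))
    print(f"! {len(acl) - 2} ACEs generated from 1 group-based entry")
```

The expansion is multiplicative (three services times three sources times one destination gives nine ACEs here), which is exactly the growth object-groups exist to hide; generating the flat list from one source of truth at least keeps the groups editable in one place and the explicit deny at the end.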

Similar Messages

  • CSCut57898 - C897 ACL object-group leak/miss for BGP tcp 179 / causing deny

    We appear to be seeing this bug, or something very similar, on a 3845 running 15.1(4)M9 (c3845-adventerprisek9-mz.151-4.M9.bin), and a 3945 running 15.1(1)T (c3900e-universalk9-mz.SPA.151-1.T.bin). On both platforms traffic that should be (and most often is) matching an object-group ACE is sometimes "falling through" that ACE and hitting ACEs below the object-group based ACE that it should have matched. Depending on the ACEs in question, this sometimes results in traffic that should be permitted falling into a later deny, or more troubling, traffic that should be denied falling into a subsequent permit.
    I am particularly curious to know if this may be related to http://tools.cisco.com/security/center/viewAlert.x?alertId=37423 and https://tools.cisco.com/bugsearch/bug/CSCun21071 and whether there is a fix.
    Anyone who is working on this is welcome to contact me directly. I have crystal clear logging of traffic falling through ACEs on these systems, and I would be happy to assist in any way I can. I would really like to get this problem solved, it is causing me a great deal of grief and frustration.  

  • ASR IOS-XE and object groups

    We recently installed a pair of ASR1004 routers and were somewhat (unpleasantly) surprised to find that the "object-group network" and "object-group service" were not supported.  After doing some searches on the forums here I found this discussion:
    https://supportforums.cisco.com/message/3573041#3573041
    At that time (28 Feb 2012) it was mentioned that support for object-groups for ACLs was planned for 3.9S / Q1CY2013.  We're running 3.10S and still no object groups, so I was just wondering if anyone has heard an updated estimate of when this feature will be added to IOS-XE?

    As the release notes state, this feature is implemented in 3.12S:
    http://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/asr1k_rn_rel_notes/asr1k_feats_important_notes_312s.html#pgfId-3452835

  • ASDM multiple network objects vs group for rules

    I was just curious if there are any performance benefits of using multiple network objects on multiple rules vs consolidating them into fewer rules by grouping them? 
    For example, I have about 10 lines of NAT exempt rules from the same source to multiple destinations.  Is there anything to be gained if I consolidated those into a single rule using an object group for the multiple destinations aside from cleaning up the clutter in ASDM?
    Thanks

    Hello Tony,
    Of course, it will be better because the processing that the ASA is going to use to determine which rule to match would be decremented; also it would take less space in the configuration file (memory). Those are some of the pros regarding creating groups for particular rules.
    Sometimes a huge configuration file can increment the CPU usage, etc., so it is better to keep it as small and organized as possible.
    Please rate helpful posts.
    Regards,
    Julio

  • Ipsec - object group

    Hello and thank you in advance
    I have an IPsec tunnel set up with the use of object groups. This IPsec tunnel is active and in production.  If I need to add one more IP to that object group, will I need to do anything for it to take effect, or will that be done automatically?
    Sorry for a stupid question.

    If you need to add one more IP to the object group for the crypto ACL, you would need to add the same on the remote VPN peer as crypto ACL needs to mirror image between the 2 sites.
    Once the changes have been made, you would need to clear the tunnel, as the SA for the new IP will only be built during the negotiation.

  • IPv6 ACLs for ZBFW with changing IPv6 prefix?

    Hi all
    Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix will change ?
    Background:
    6RD based residential internet access.
    Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
    A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
    No big deal, one would think...
    zone security Z-INTERNET
     description * the outside world *
    zone security Z-DMZ
    zone security Z-OUTSIDE
    zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
     service-policy type inspect PMAP-INBOUND-TRAFFIC
    policy-map type inspect PMAP-INBOUND-TRAFFIC
     class type inspect CMAP-IN-TRACE-TRAFFIC
      pass
     class type inspect CMAP-IN-INSPECT-TRAFFIC
      inspect 
     class class-default
      drop log
    class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
     match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here
    class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
     match access-group name ACLv6-INBOUND-TRAFFIC 
    Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
    ipv6 access-list ACLv6-INBOUND-TRAFFIC
     sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
    ... works well, until MY6currentRDPREFIX becomes MYnew6RDPREFIX. It does so seldom, but it does, especially after outages.
    For addressing (and re-addressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
    However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
    router6rd(config-ipv6-acl)#permit ip any ?
      X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
      any                 Any destination prefix
      host                A single destination host
    router6rd(config-ipv6-acl)#
    D'oh. What now?
    I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
    Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant if the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (all right, the latter wouldn't quite apply here, I know.)
    Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 
    Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
    thanks for your thoughts and ideas.
    Marc
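One way to keep such DMZ entries current is to treat the 6RD prefix as derived data: the delegated /60 is fully determined by the provider's /28 and the current public IPv4 address, so the host entries can be regenerated from those two inputs every time the address changes, instead of being typed in by hand. The following Python is an added example, not part of Marc's post and not an IOS feature: it does the 6RD arithmetic the post describes (/28 plus all 32 IPv4 bits gives a /60, inside is subnet 0, DMZ is subnet 1), combines the DMZ /64 with fixed host tokens, and emits the ACL lines. The provider prefix, IPv4 addresses and tokens are constructed documentation values, ports are written numerically, the `no sequence N` form for deleting an entry is an assumption about IOS syntax, and how the regenerated lines are pushed to the router is left out.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample values from documentation ranges; not the poster's real
# prefix or addresses. The shape follows the post: a /28 provider 6RD prefix,
# the full 32-bit IPv4 address appended, hence a /60 at home.
SP_6RD_PREFIX = "2001:db0::/28"
IPV4_MASK_LEN = 0                     # 6RD IPv4MaskLen 0: all 32 IPv4 bits are appended
ACL_NAME = "ACLv6-INBOUND-TRAFFIC"    # ACL name from the post
DMZ_SUBNET_ID = 1                     # post: inside is subnet 0, DMZ is subnet 1

# Constructed: fixed interface identifiers (as set with `ip token` on the
# hosts) and the one service each DMZ host must stay reachable on.
DMZ_RULES: List[Tuple[str, str, int]] = [
    ("::10:1", "tcp", 80),
    ("::10:2", "udp", 1194),
]


def derive_6rd_prefix(sp_prefix: str, ipv4_addr: str,
                      ipv4_mask_len: int = IPV4_MASK_LEN) -> ipaddress.IPv6Network:
    """6RD delegated prefix: the provider prefix followed by the IPv4 address
    bits after ipv4_mask_len. With /28 and all 32 bits that is a /60."""
    net = ipaddress.IPv6Network(sp_prefix)
    v4_bits = 32 - ipv4_mask_len
    v4 = int(ipaddress.IPv4Address(ipv4_addr)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("delegated prefix longer than /64 leaves no room for subnets")
    base = int(net.network_address) | (v4 << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def subnet_of(delegated: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """/64 number subnet_id inside the delegated prefix (16 of them in a /60)."""
    free_bits = 64 - delegated.prefixlen
    if not 0 <= subnet_id < (1 << free_bits):
        raise ValueError(f"subnet id {subnet_id} does not fit in a /{delegated.prefixlen}")
    return ipaddress.IPv6Network((int(delegated.network_address) | (subnet_id << 64), 64))


def host_in(subnet: ipaddress.IPv6Network, token: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a fixed interface identifier, the way a token-based
    SLAAC address is formed on the host itself."""
    iid = int(ipaddress.IPv6Address(token))
    if iid >> 64:
        raise ValueError(f"token {token} does not fit in 64 bits")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def build_acl(ipv4_addr: str, rules=DMZ_RULES) -> List[str]:
    """ACL lines for the current public IPv4 address; rerun after every readdressing."""
    dmz = subnet_of(derive_6rd_prefix(SP_6RD_PREFIX, ipv4_addr), DMZ_SUBNET_ID)
    lines = [f"ipv6 access-list {ACL_NAME}"]
    for n, (token, proto, port) in enumerate(rules, start=1):
        lines.append(f" sequence {n * 10} permit {proto} any host {host_in(dmz, token)} eq {port}")
    return lines


def readdress(new_ipv4: str, rules=DMZ_RULES) -> List[str]:
    """Config snippet that swaps the stale host entries for regenerated ones in
    place: delete each entry by sequence number (assumed IOS syntax), then
    re-add under the same numbers. The ACL name, and with it the class-map
    reference in the ZBFW policy, is never touched."""
    lines = [f"ipv6 access-list {ACL_NAME}"]
    lines += [f" no sequence {n * 10}" for n in range(1, len(rules) + 1)]
    lines += build_acl(new_ipv4, rules)[1:]
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl("198.51.100.10")))
    print("! after an outage the public IPv4 address changed; regenerate:")
    print("\n".join(readdress("198.51.100.77")))
```

Because only the 32 IPv4 bits move, everything else in the ACL (the tokens, the ports, the sequence numbers) stays fixed, so the regenerated entries are a deterministic function of the new address and only the permitted hosts remain reachable, which is the narrower exposure the post is trying to preserve.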

  • Maintain no. range for object j_1irg23d, for 2011, excise group,

    Hi experts,
    I'm doing a depot sales process: STO done, delivery done, invoice done and excise invoice done. Now while doing MIGO
    the error is coming "maintain no. range for object j_1irg23d, for 2011, excise group". In J1I9 I have maintained all the no. ranges for all the registers in all the plants and excise groups. Then too the error is coming. Plus, in MIGO the base value in the excise duty tab is not being picked; I have to give it manually. Is that procedure correct?
    Thanks
    Prashant

    Hi all,
    I just made a silly mistake: like the other no. ranges, I gave the serial no. of the number range as 10 or 20, which was wrong; it has to be from the start. I tried putting it as 01 and the no. range picked up.
    Regards
    Prashant

  • Object assignments for account group

    Hi,
    In customer, when I click on assigned object in additional data, I am getting the following error:
    "Account group ZSP1 is not registered for object assignments"
    where ZSP1 is my account group.
    Where can I register my account group for object assignments?
    Regards

  • Object Name for Release Group

    All,
    Can anyone please tell me the object name for Release Group ?
    regards

    Hi Sandeep,
    For what are you looking for the object name of the release group?
    If you want to add a release group in an authorization profile, it is not possible.
    You can add a release code in an authorization profile, not a release group.
    If you have any specific requirement, please let me know.
    Regards,
    Manish.
    If the answer is useful, don't forget to reward.

  • How to make a group for selected Object javascript

    How to make a group for selected Object javascript

    There is currently no native way to email groups from iPad.
    The only way to do this is if your recipients are already members of a distribution group controlled elsewhere, such as a Google Group or an Exchange Organisation; then you can email the distribution group address, which will in turn forward to the individual email address of each member.
    Does it have to be email? Currently you would have to add each recipient to the email manually.
    iOS to my knowledge doesn't support contact groups in context other than organisation.

  • Dynamic group for HSW object based on Site (Gateway) server

    Hi
    Using the SiteName parameter when deploying gateway servers like described in the blog post from Cameron Fuller
    http://blogs.catapultsystems.com/cfuller/archive/2015/02/12/creating-dynamic-groups-for-objects-which-exist-behind-a-gateway-in-opsmgr-part-1.aspx
    I would like to create an additional dynamic Group with all Health Service Watcher objects related to a Site (Autocreate) Group.
    Any ideas on the XML Query or other ways of doing this?

    Yes I know this one, but the SiteName Group is not in my MP.
    So I need to reference the XML to a Group outside of my own MP.
    Like:
    http://blogs.technet.com/b/kevinholman/archive/2014/04/09/creating-groups-of-health-service-watcher-objects-based-on-other-groups.aspx
    But with the '<MonitoringClass>$MPElement[Name="grouptest.compgroup"]$</MonitoringClass>'
    Line pointing to a autocreated SiteName Group.

  • ORA-23454: flavor not defined for object group "PUBLIC"."REPG" - HELP

    Hi All,
    Encountered the below error when trying to add the materialized views to the Materialized View Group in materialized view site:
    1 BEGIN
    2 DBMS_REPCAT.CREATE_MVIEW_REPOBJECT (
    3 gname => 'REPG',
    4 sname => 'FMCHC',
    5 oname => 'EMP',
    6 type => 'SNAPSHOT',
    7 min_communication => TRUE);
    8* END;
    SQL> /
    BEGIN
    ERROR at line 1:
    ORA-23454: flavor not defined for object group "PUBLIC"."REPG"
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 105
    ORA-06512: at "SYS.DBMS_REPCAT_UTL", line 452
    ORA-06512: at "SYS.DBMS_REPCAT_UTL", line 468
    ORA-06512: at "SYS.DBMS_REPCAT_SNA_UTL", line 5523
    ORA-06512: at "SYS.DBMS_REPCAT_SNA", line 82
    ORA-06512: at "SYS.DBMS_REPCAT", line 1332
    ORA-06512: at line 2
    I have verified that the MASTER DEFINITION SITE already has the group "REPG".
    Please advise.
    THANKS

    I think you are going to have to provide Oracle version information before anyone will be able to help you with this question.

  • ASR 1002 current license for LNS router ???

    Hi, I want to ask about the ASR 1002 license for an LNS router.
    I want to know how many PPPoE sessions it can handle without any license,
    I mean what's the current number of sessions allowed on the current router,
    and what other options I have to upgrade this router so that it supports more sessions, and their prices.
    regards

    here is my current router :
    Gateway-ASR1002#sh inventory 
    NAME: "Chassis", DESCR: "Cisco ASR1002 Chassis"
    PID: ASR1002           , VID: V06, SN: FOX1807GBZW
    NAME: "module F0", DESCR: "Cisco ASR1000 Embedded Services Processor, 5Gbps"
    PID: ASR1000-ESP5      , VID: V04, SN: JAE18110AU1
    NAME: "Power Supply Module 0", DESCR: "Cisco ASR1002 AC Power Supply"
    PID: ASR1002-PWR-AC    , VID: V03, SN: ART1804U03P
    NAME: "Power Supply Module 1", DESCR: "Cisco ASR1002 AC Power Supply"
    PID: ASR1002-PWR-AC    , VID: V03, SN: ART1804U05H
    NAME: "module 0", DESCR: "Cisco ASR1002 SPA Interface Processor 10"
    PID: ASR1002-SIP10     , VID:    , SN:            
    NAME: "SPA subslot 0/0", DESCR: "4-port Gigabit Ethernet Shared Port Adapter"
    PID: 4XGE-BUILT-IN     , VID:    , SN:            
    NAME: "subslot 0/0 transceiver 0", DESCR: "GE T"
    PID: SFP-GE-T          , VID:     , SN: MTC1229019N     
    NAME: "subslot 0/0 transceiver 1", DESCR: "GE T"
    PID: SFP-GE-T          , VID:     , SN: MTC1231005A     
    NAME: "subslot 0/0 transceiver 2", DESCR: "GE T"
    PID: SFP-GE-T          , VID:     , SN: MTC1229019M     
    NAME: "module R0", DESCR: "Cisco ASR1002 Route Processor 1"
    PID: ASR1002-RP1       , VID: V06, SN: JAE18110F7G
    Gateway-ASR1002#

  • Adding responsibility objects for the Notification Groups for a PA

    Hi Gurus,
    I am supposed to add responsibility objects for the notification groups for a PA. Could you please confirm the steps I am planning to follow:
    1. Find out the Workflow
    2. Add the responsibility objects (Where can I add those: in the workflow or in Org Management?)
    3. Edit the rule to point to that PA..
    I am new to workflows ..points are assured for the help

    Just write your own composite Icon class:
    import java.awt.Component;
    import java.awt.Graphics;
    import javax.swing.Icon;

    public class CompositeIcon implements Icon {
      private final Icon icon1;
      private final Icon icon2;

      public CompositeIcon(Icon icon1, Icon icon2) {
        this.icon1 = icon1;
        this.icon2 = icon2;
      }

      public int getIconHeight() {
        // the composite is as tall as the taller of the two icons
        return Math.max(icon1.getIconHeight(), icon2.getIconHeight());
      }

      public int getIconWidth() {
        // the two icons sit side by side
        return icon1.getIconWidth() + icon2.getIconWidth();
      }

      public void paintIcon(Component c, Graphics g, int x, int y) {
        icon1.paintIcon(c, g, x, y);
        // the second icon starts where the first one ends
        icon2.paintIcon(c, g, x + icon1.getIconWidth(), y);
      }
    }
    Hopefully a slightly more reusable solution. You could write all sorts of different layouts in this way.
    Hope this helps.

  • Breaking Subclass/Removing Object Group/Without loss of code for child form

    Hi all..
    This is regarding Forms 10g (breaking inheritance)
    I have a base form as well as client form.
    The child form has some properties in common with the base form, so the child form has a subclass (inheritance) from the base class with the help of an Object Group. This is the existing setup.
    Now, the client wants the same information as the child form without a link to the base form.
    i.e., they want to remove the Object Group without disturbing the child form.
    Finally, they want the child form to be independent of the base form. i.e., the child form should not have inheritance from the base form and at the same time they don't want any loss of code in the child form.
    There are thousands of forms like that which need re-work.
    Is there any tool/script available to do this process of work automatically?
    Please provide the necessary details and help me regarding this.
    Regards
    Madhava

    You CAN add new items to the subclassed block or change triggers code or even add new triggers. Form Builder won't let you create items in-between existing subclassed items or triggers. So if you need to create a new item, create at the end of subclassed item or trigger...
    You can not DELETE items of subclassed block or the block itself if it is subclassed. But you can remove the subclassed object from your child module --- by removing class info from the object group in child module --- but it will also remove all the subclassed child objects.
    If you delete or change anything in the master object, it will directly affect the subclassed object and you can see the change immediately in the child modules.
    When you drag the master object to child, it asks you if you need to subclass or copy, selecting copy will create a separate copy which you can play with in the child module.
    And below is brief help on the matter:
    If you don't want all the objects in the subclassed object group, then you might consider either subclassing the desired objects individually, or creating an object group which contains only the desired objects.
    Edited by: Zaafran Ahmed on Oct 13, 2010 12:41 PM