Assistance wth Access-list

Similar Messages

• Please assist me for access-list configuration

  Dear Team,
  Please help me to configure the access-list.
  Requirement:
  I have three different subnets(10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1, PC3 are within 10.1.1.0 subnets and PC2 and PC4 are within 30.1.1.0 subnets.
  I want 10.1.1.0 subnet should not access 30.1.1.0 subnets but 30.1.1.0 subnets should access 10.1.1.0 subnets. Please find below configuration.
  At R2:
  ip access-list exstandard 101
  deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
  permit ip any any
  int f0/0
  ip access-group 101 in
  But this configuration is not working, it's blocking the 30.1.1.0 subnet to access 10.1.1.0 also. Please help me!!!!!
  Regards,
  Sanjib

  Hello
  I assume the rtrs are performing the routing for these subnets and no the switches, anyway your acl doesn't look correct, try this:
  R2
  ip access-list extended 101
  deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
  permit ip any any
  int f0/0
  ip access-group 101 in
  or
  ip access-list extended 101
  deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
  permit ip any any
  int f0/0
  ip access-group 101 out
  reverse the acl for R3 if applicable
  res
  Paul

• Access list hit counts

   Hello Mates,
  Am getting a very rare type problem while I implement the aCL on 3850 switch
  I do get hit matches when I put a log keyword in the ACL 102
  SW#sh ip access-lists
  Extended IP access list 102
      5 permit tcp 192.168.0.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 log (28 matches)
  But when I remove the log keyword then I don't get any matches.
  SW#sh ip access-lists
  Extended IP access list 102
      5 permit tcp 192.168.0.0.0 0.0.255.255 196.189.80.0 0.0.0.15 eq 23 (no matches )
  Please assist.

  To understand your issue I think it is helpful to start from the understanding that the hit count is maintained as the access list is processed in software (as is generally the case in layer 3 routers). We get a somewhat different situation in layer 3 switches. If the access list is processed in software (as is necessary when the entry includes the log parameter) then the hit count increments. But when the decision is made in hardware then the right behavior of traffic is achieved but the hit count is not incremented.
  HTH
  Rick

• NAC access list question

  so we have a NAC in our lab, set up as L3 OOB....we have a vlan set up for internet only access..a route map is configured on the CORE to send the internet only traffic back to the NAC for restrictions (to mimic the inband solution)......in our unauthenticated role policy, we set up the access list on a vlan to only access the internet and block internal address...the weird thing is, the access list on the NAC works on any internal addresses, but when the pc pings/telnets the CORE itself (and any mgnt ip addresses) it works?????....anybody know the reason why...im sure a workaroud is to put an acl on the CORE itself to block that...
  Hope my drawing is enough to assist.....
  CORE--------l3 switch--------pc
  |
  |
  |
  NAC

  That's a great idea - the ACL on the management interfaces of the devices.
  Is the ACL for the unauthenticated role on the L3 switch or the Core?
  I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
  peter

• Reflexive/established access list

  We want internal hosts that are accessing the Internet to have return traffic from the Internet. We want to have a secure access list inbound. We do not want any/all traffic comming from the Internet. We want only websites that respond from an internal host back into the network. We want to allow access from outside only if that access has been requested from inside, only response for that request. We want to restrict only traffic initiated from the outside only to VPN, SSH and email. The following caused accessing the Internet traffic to slow down and websites did not fully load. Any assistance would be appreciated.
  Thanks.
  Said
  access-list 150 permit tcp any host <firewall outside IP>
  access-list 150 permit tcp any host <Exchange server translated public IP> eq www
  access-list 150 permit tcp any host < Exchange server translated public IP> eq smtp
  access-list 150 permit tcp any host < Exchange server translated public IP> eq 22
  access-list 150 permit tcp any host < Exchange server translated public IP> eq pop3
  access-list 150 permit tcp any any eq telnet
  access-list 150 permit icmp any any
  access-list 150 permit udp any eq domain any
  access-list 150 permit udp any any eq domain
  access-list 150 permit esp any any
  access-list 150 permit gre any any
  access-list 150 permit udp any any eq non500-isakmp
  access-list 150 permit udp any any eq isakmp
  access-list 150 permit tcp any any established
  access-list 150 deny ip any any log
  interface MFR0.724
  router(config-if)#ip access-group 150 in

  Have you considered using CBAC?
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
  I like CBAC better. CBAC builds intelligence into the traffic analysis. CBAC should make your connection more secure.
  Reflex documentation
  http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfreflx.html

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Vpn site to site and remote access , access lists

  Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

  If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

• How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

  Hellp Everyone,
  I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
  I want to allow the whole Intranet but few intranet websites also needs access to the internet.
  Can we create such Access-List with the above requirement.
  I tried to create the ACL on the switch but it blocks the whole internet access.
  i want to do it for a subnet not for a specific IP.
  Can someone help me in creating such access list.
  Thanks in Advance

  The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
  In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
  The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
  You would then use them as follows:
  ip access-list extended main_acl
  permit any object-group intranet any
  permit object-group allowed_servers object-group allowed_sites any
  interface vlan
  ip access-group main_acl in
  More details on the syntax and examples can be found here:
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

• I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

  I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

  Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

• I can no longer access listing variations in Ebay after the upgrade

  After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.

  Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.

• IOS XR deny ace not supported in access list

  Hi everybody,
  We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
  interface TenGigE0/3/0/0
   cdp
   mtu 1568
   service-policy output TK-MPLS_TG
   ipv4 address 172.16.19.134 255.255.255.252
   mpls
    mtu 1568
  policy-map TK-MPLS_TG
  class class-default
    service-policy TK-MPLS_EDGE-WAN
    shape average 2000000000 bps
    bandwidth 2000000 kbps
  and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
  class-map match-any W_RTP
   match mpls experimental topmost 5
   match dscp ef
   end-class-map
  class-map match-any W_EMAIL
   match mpls experimental topmost 1
   match dscp cs1
   end-class-map
  class-map match-any W_VIDEO
   match mpls experimental topmost 4 3
   match dscp cs3 cs4
   end-class-map
  class-map match-any W_DATOS-CR
   match mpls experimental topmost 2
   match dscp cs2
   end-class-map
  class-map match-any W_AVAIL
   match mpls experimental topmost 0
   match dscp default
   end-class-map
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    bandwidth percent 2
  class class-default
  end-policy-map
  what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
  ipv4 access-list PROXY-GIT-MEX
  10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
  20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
  30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
  40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
  50 permit tcp host 150.2.1.100 any
  60 permit tcp host 10.15.221.100 any
  policy-map EDGE-MEX3-PXY
   class C_PXY-GIT-MEX3
    police rate 300 mbps
   class class-default
   end-policy-map
  class-map match-any C_PXY-GIT-MEX3
   match access-group ipv4 PROXY-GIT-MEX
   end-class-map
  we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    service-policy EDGE-MEX3-PXY
  class class-default
  end-policy-map
  and we get this:
  Wed Sep 17 18:35:36.537 UTC
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
  Wed Sep 17 18:35:49.662 UTC
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
  end
  Any  kind of help is very appreciated.

  That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
  unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
  if you have some traffic that you want to exclude you could do something like this:
  access-list PERMIT-ME
  1 permit
  2 permit
  3 permit
  access-list DENY-me
  !the exclude list
  1 permit
  2 permit
  3 permit
  policy-map X
  class DENY-ME
  <dont do anything> or set something rogue (like qos-group)
  class PERMIT-ME
  do here what you wanted to do as earlier.
  eventhough the permit and deny may be overlapping in terms of match.
  only the first class is matched here, DENY-ME.
  cheers!
  xander

• Access list issues

  Hello,
  There has been an access list in place where I work since well before I arrived and it doesn't quite work.  I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what was designed to do - block or "quarantine" devices so they are forced to update their systems with patches.  It is also used to help in the baselining of pcs.
  The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
  Here is access list:
  ip access-list extended Quarantine_IN_L1
  permit icmp any any
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit upd any any eq domain
  permit tcp any eq 3389 any
  permit ip any host x.x.x.x (baseline server)
  permit ip any host x.x.x.x (share drive)
  permit ip any host x.x.x.x (domain controller)
  permit ip any host x.x.x.x (domain controller)
  ip access-list extended Quarantine_Out_L1
  permit icmp any any
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit udp any an any eq domain
  permit tcp any any eq 3389
  permit ip host (baseline server) any
  permit ip host (share drive) any
  permit ip host (domain controller) any
  permit ip host (domain controller) any
  As I said, I tried changing the permit ip host (baseline server) any and ip  any host (baseline server) to permit tcp statements.  That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements.  That also didn't work.
  Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
  Thanks,
  Kiley

  Paul,
  When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
  int vlan 500
  description BASELINE VLAN
  ip addres x.x.x.x x.x.x.x
  ip access-group Quarantine_IN_L1 in
  ip access-group Quarantine_Out_L1 out
  ip helper-address x.x.x.x
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  Thanks,
  Kiley

• Static nat with port redirection 8.3 access-list using un-nat port?

  I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
  object network obj-10.1.1.5-06
  nat (inside,outside) static interface service tcp 3389 3398
  object network obj-10.1.1.5-06
  host 10.1.1.5
  access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
  access-group outside_access_in in interface outside
  So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
  Thanks in advance..

  Hello,
  I would be more than glad to explain you what is going on!
  The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
  After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
  Regards,
  Julio
  Rate helpful posts

• Acl-name in access-list requirements

  Hi,
  I would ask about the acl-name in access-list,
  Does it act as a link between the ACL and an interface?
  or it could be written as any-thing, without any constrains?
  such as
  access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
  is it OK?
  or test_ACL should be defined somewhere prior using it in ACL?

  just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs.  Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map.  Another comon use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
  But for this specific ACL that you mention, the question you need to answer is, does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted?  If the answer is no to either of thaese then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
  Whether the ACL itself can be removed, I would assume it is safe to  remove as it is called test_ACL, but then again, I have see people set up test configurations and then leave them as is without changing the name.  So I would suggest investigating further to see if the name test_ACL is referenced any other places in your configuration.
  Please remember to select a correct answer and rate helpful posts

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.