Association Access List

Similar Messages

• Access list with multiple object groups

  Hello Everyone,
  I am using a cisco ASA 5525 with 8.6 code.  I am trying to setup access list for oubound access meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-groupc outbound_access in interface inside "
  I am trying to use object-groups where ever i can.  Here is an example.
  object-group service obj_Meraki_outbound
  service-object tcp destination eq 443
  service-object tcp destination eq 80
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.2.11.0 255.255.255.240
  network-object 10.5.11.0 255.255.225.240
  object-group network obj_Meraki_pub
  des This group lists all hosts associated with Meraki. 
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
  object-group service obj_Meraki_outbound
  service-object tcp destination eq 443
  service-object tcp destination eq 80
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.x.x.x 255.255.255.240
  network-object 10.x.x.x 255.255.225.240
  object-group network obj_Meraki_pub
  des This group lists all hosts associated with Meraki. 
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
  I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This what i think it should be "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
  What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this maybe with a few examples.  I am already using object groups in many acls but not for every element.
  Thanks

  Hi,
  Seems to work on my test ASA
  Attached it to my current LAN interface.
  ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         WAN
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outbound_access in interface LAN
  access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
  object-group service obj_Meraki_outbound
  service-object tcp destination eq https
  service-object tcp destination eq www
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.2.11.0 255.255.255.240
  network-object 10.5.11.0 255.255.255.240
  object-group network obj_Meraki_pub
  description: This group lists all hosts associated with Meraki.
  network-object host 64.156.192.154
  network-object host 64.62.142.12
  network-object host 64.62.142.2
  network-object host 74.50.51.16
  network-object host 74.50.56.218
  Additional Information:
  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
  Also have used such configuration in some special cases where the customer has insisted on allow specific TCP/UDP ports between multiple networks. And nothing is stopping from adding ICMP into the "object-group service" also.
  - Jouni

• Different "access-list outside_cryptomap" for every VPN?

  Hi,
  Just for my understanding.
  I have one VPN connected to my Cisco ASA 5520, when I tried to add another VPN the I have to create a 2nd cryptomap, can I not create a group so there is one crypto map?
  Currently I have:
  access-list outside_cryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
  I have just added access-list outside_cryptomap_2 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0
  But wondered if I could use some thing like:
  access-list outside_mycryptomap line 1 extended permit ip 0.0.0.0 0.0.0.0 object-group VPN_Remote_Networks
  When I do this though I guess it will cause a problem with the peer address?

  Is there a certain order I need to add the config into the CLI aswell?
  I have this to add:
  access-list outside_MYcryptomap_1 line 1 extended permit ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0
  crypto map outside_map 1 match address outside_MYcryptomap_1
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 1.2.3.4
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map 1 set security-association lifetime seconds 86400
  tunnel-group 1.2.3.4 type ipsec-l2l
  tunnel-group 1.2.3.4 general-attributes
  default-group-policy CBSO-L2L
  tunnel-group 1.2.3.4 ipsec-attributes
  pre-shared-key abcdefgh

• Failed Extended Access-list

  Hello all,
  I am trying to apply this extended access-list  to my router to permit the selected ports and deny the rest but my emails are not sending outside, all emails are stuck in the queue. If I remove the access-list, all emails goes freely. Whats left in my configuration?
  access-list 101 permit tcp host 192.168.111.30 eq 53 any
  access-list 101 permit udp host 192.168.111.30 eq 53 any
  access-list 101 permit tcp host 192.168.111.30 eq 25 any
  access-list 101 permit tcp host 192.168.111.30 eq 443 any
  access-list 101 permit tcp host 192.168.111.30 eq 587 any
  access-list 101 permit tcp host 192.168.111.30 eq 995 any
  access-list 101 deny ip any any
  Interface Dialer 0
  ip access-group 101 out

  Here is the complete configuration.
  Router#sh run
  Building configuration...
  Current configuration : 3665 bytes
  ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
  ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
  ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  no aaa new-model
  crypto pki token default removal timeout 0
  ip source-route
  ip cef
  no ipv6 cef
  license udi pid C887VA-W-E-K9 sn FCZ1624C30K
  username admin privilege 15 password 7 045A0F0B062F
  controller VDSL 0
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
  crypto ipsec transform-set TS esp-3des esp-md5-hmac
  crypto ipsec profile protect-gre
   set security-association lifetime seconds 86400
   set transform-set TS
  interface Loopback0
   ip address 10.10.10.1 255.255.255.255
  interface Tunnel4120
   ip address 10.0.0.1 255.255.255.0
   no ip redirects
   ip mtu 1400
   ip nhrp authentication cisco
   ip nhrp map multicast dynamic
   ip nhrp network-id 123
   ip tcp adjust-mss 1360
   tunnel source Dialer0
   tunnel mode gre multipoint
   tunnel key 123
   tunnel protection ipsec profile protect-gre
  interface ATM0
   no ip address
   no atm ilmi-keepalive
   pvc 0/35
    pppoe-client dial-pool-number 1
  interface Ethernet0
   no ip address
   shutdown
   no fair-queue
  interface FastEthernet0
   no ip address
  interface FastEthernet1
   no ip address
  interface FastEthernet2
   no ip address
  interface FastEthernet3
   no ip address
  interface Wlan-GigabitEthernet0
   description Internal switch interface connecting to the embedded AP
   switchport mode trunk
   no ip address
  interface wlan-ap0
   description Embedded Service module interface to manage the embedded AP
   ip unnumbered Vlan1
  interface Vlan1
   ip address 192.168.111.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
   ip tcp adjust-mss 1360
  interface Dialer0
   ip address negotiated
   ip access-group 101 out
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   dialer pool 1
   ppp authentication chap callin
   ppp chap hostname xxxxxxxxxxxxxxxxx
   ppp chap password 7 03077313552D0F411E512D
  router rip
   version 2
   network 10.0.0.0
   network 192.168.111.0
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source list 1 interface Dialer0 overload
  ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
  ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
  ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
  ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 permit 192.168.111.30
  access-list 10 permit 192.168.111.0 0.0.0.255
  access-list 101 permit tcp host 192.168.111.30 eq 53 any
  access-list 101 permit udp host 192.168.111.30 eq 53 any
  access-list 101 permit tcp host 192.168.111.30 eq 25 any
  access-list 101 permit tcp host 192.168.111.30 eq 443 any
  access-list 101 permit tcp host 192.168.111.30 eq 587 any
  access-list 101 permit tcp host 192.168.111.30 eq 995 any
  access-list 101 deny ip any any
  line con 0
  line aux 0
  line 2
   no activation-character
   no exec
   transport preferred none
   transport input all
   stopbits 1
  line vty 0 4
   access-class 10 in
   login local
   transport input all
  scheduler allocate 20000 1000
  end
  Router#

• Thoroughly Confused with ADSM created access-lists when viewing ASA config

  Background:
  I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
  None of them ever removed any lines from the configuration, and none did any documentation.
  I have several basic questions, which show my ignorance.
  When examining the actual configuration from a CLI perspective:
  1. Does an ADSM-created access list end with any specific ADSM-added suffix?
  2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
  3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
  4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

  Actually, I don't think I ever made myself clear.
  I am working with a hard copy of the CLI.
  I have no acccess to the devices to run any commands, nor access to the ADSM.
  I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
  As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
  I have probably 10-15 different access lists in this config.
  Some look to be affiliated with specific ports. Some of these ports are up, some down.
  I have the same rule sets appearing in 3 separate access lists, in some cases.
  Of course, each of these 3 access lists is slightly different.
  Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
  An example:
  3 access lists:
  Prmary_Public_access_in
  Primary_Public_access_in_tmp
  Arin_Primary_Public_access_in
  Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
  Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
  Primary_Public_access_in does not appear to be directly associated with any one port
  So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

• Inherent Deny at End of Access-list 700 ?

  If I specify the following configuration:
  access-list 700 permit 5c59.4812.35fb
  access-list 700 permit 0024.d71b.de64
  dot11 association mac-list 700
  Is there an inherent DENY to all other MAC addresses at the end of access-list 700?  This configuration is going into an Aironet AP801.  I'd like to use this to specify what I permit in my home and deny any other device that attempts to connect to the AP.  I think this is a workable solution to keep out intruders that might crack my WPA2.
  Thanks for the feedback!!!
  James E

  Yes, there is an inherent deny all at the end of a 700-series ACL just like there is in all ACLs.

• Move a mac access-list

                     Ok we have a mac-access list that is set and we want it only set on a specific ssid but it does not seem to be working that way and is hitting both ssid's.  The issue appears to be with this line as it is not defined to the ssid nor any interface for that ssid:
  dot11 association mac-list 701
  I just can't figure out where to move it and how.  Any help would be great.
  Here is my config:
  BER-AP18#show running-config
  Building configuration...
  Current configuration : 11695 bytes
  ! Last configuration change at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
  ! NVRAM config last updated at 11:04:00 EDT Wed Jun 6 2012 by WirelessAdmin
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname BER-AP18
  enable secret 5 SECRET
  clock timezone EST -5
  clock summer-time EDT recurring
  ip subnet-zero
  ip domain name domain.com
  ip name-server 10.0.36.73
  ip name-server 10.0.36.38
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 association mac-list 701
  dot11 vlan-name Wireless vlan 22
  dot11 ssid SWLAN
     vlan 36
     authentication open mac-address mac_methods
  dot11 ssid WSLAN
     vlan 22
     authentication open
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 7 SECRET
  crypto pki trustpoint TP-self-signed-689020510
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-689020510
  revocation-check none
  rsakeypair TP-self-signed-689020510
  username WirelessAdmin privilege 15 password 7 SECRET
  username 00166f44ec4f password 7 075F711D185F1F514317085802
  username 00166f44ec4f autocommand exit
  username 00166f46e83c password 7 15425B5D527C2D707E366D7110
  username 00166f46e83c autocommand exit
  username 00166f6bc2be password 7 091C1E584F531144090F56282E
  username 00166f6bc2be autocommand exit
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption key 1 size 128bit 7 SECRET transmit-key
  encryption mode wep mandatory
  encryption vlan 2 mode ciphers tkip
  encryption vlan 36 key 1 size 128bit 7 SECRET transmit-key
  encryption vlan 36 mode wep mandatory
  encryption vlan 22 mode ciphers tkip
  broadcast-key change 30
  ssid SWLAN
  ssid WSLAN
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
  power local 1
  no power client local
  power client 100
  channel 2427
  station-role root
  rts threshold 2312
  l2-filter bridge-group-acl
  bridge-group 1
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.22
  encapsulation dot1Q 22
  no ip route-cache
  bridge-group 22
  bridge-group 22 subscriber-loop-control
  bridge-group 22 block-unknown-source
  no bridge-group 22 source-learning
  no bridge-group 22 unicast-flooding
  bridge-group 22 spanning-disabled
  interface Dot11Radio0.36
  encapsulation dot1Q 36
  no ip route-cache
  bridge-group 36
  bridge-group 36 subscriber-loop-control
  bridge-group 36 block-unknown-source
  no bridge-group 36 source-learning
  no bridge-group 36 unicast-flooding
  bridge-group 36 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  l2-filter bridge-group-acl
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  hold-queue 160 in
  interface FastEthernet0.22
  encapsulation dot1Q 22
  no ip route-cache
  bridge-group 22
  no bridge-group 22 source-learning
  bridge-group 22 spanning-disabled
  interface FastEthernet0.36
  encapsulation dot1Q 36
  no ip route-cache
  bridge-group 36
  no bridge-group 36 source-learning
  bridge-group 36 spanning-disabled
  interface BVI1
  ip address 10.0.0.18 255.255.255.0
  no ip route-cache
  interface BVI22
  no ip address
  no ip route-cache
  ip default-gateway 10.0.0.1
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  access-list 111 permit tcp any any neq telnet
  access-list 701 permit 0016.6f38.5a75   0000.0000.0000
  access-list 701 permit 0016.6f47.2f5a   0000.0000.0000
  access-list 701 permit 0016.6f72.8730   0000.0000.0000
  access-list 701 permit 0016.6f6b.c156   0000.0000.0000
  access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
  radius-server attribute 32 include-in-access-req format %h
  radius-server vsa send accounting
  control-plane
  bridge 1 route ip
  line con 0
  access-class 111 in
  line vty 0 4
  access-class 111 in
  line vty 5 15
  access-class 111 in
  sntp server 10.0.36.38
  end

  that looks good.  I always get input vs output backwards.  If it doesn't block the correct traffic, reverse the direction.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Vpn site to site and remote access , access lists

  Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

  If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

• How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

  Hellp Everyone,
  I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
  I want to allow the whole Intranet but few intranet websites also needs access to the internet.
  Can we create such Access-List with the above requirement.
  I tried to create the ACL on the switch but it blocks the whole internet access.
  i want to do it for a subnet not for a specific IP.
  Can someone help me in creating such access list.
  Thanks in Advance

  The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
  In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
  The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
  You would then use them as follows:
  ip access-list extended main_acl
  permit any object-group intranet any
  permit object-group allowed_servers object-group allowed_sites any
  interface vlan
  ip access-group main_acl in
  More details on the syntax and examples can be found here:
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

• I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

  I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

  Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

• I can no longer access listing variations in Ebay after the upgrade

  After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.

  Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.

• IOS XR deny ace not supported in access list

  Hi everybody,
  We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
  interface TenGigE0/3/0/0
   cdp
   mtu 1568
   service-policy output TK-MPLS_TG
   ipv4 address 172.16.19.134 255.255.255.252
   mpls
    mtu 1568
  policy-map TK-MPLS_TG
  class class-default
    service-policy TK-MPLS_EDGE-WAN
    shape average 2000000000 bps
    bandwidth 2000000 kbps
  and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
  class-map match-any W_RTP
   match mpls experimental topmost 5
   match dscp ef
   end-class-map
  class-map match-any W_EMAIL
   match mpls experimental topmost 1
   match dscp cs1
   end-class-map
  class-map match-any W_VIDEO
   match mpls experimental topmost 4 3
   match dscp cs3 cs4
   end-class-map
  class-map match-any W_DATOS-CR
   match mpls experimental topmost 2
   match dscp cs2
   end-class-map
  class-map match-any W_AVAIL
   match mpls experimental topmost 0
   match dscp default
   end-class-map
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    bandwidth percent 2
  class class-default
  end-policy-map
  what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
  ipv4 access-list PROXY-GIT-MEX
  10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
  20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
  30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
  40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
  50 permit tcp host 150.2.1.100 any
  60 permit tcp host 10.15.221.100 any
  policy-map EDGE-MEX3-PXY
   class C_PXY-GIT-MEX3
    police rate 300 mbps
   class class-default
   end-policy-map
  class-map match-any C_PXY-GIT-MEX3
   match access-group ipv4 PROXY-GIT-MEX
   end-class-map
  we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
  policy-map TK-MPLS_EDGE-WAN
  class W_RTP
    bandwidth percent 5
  class W_VIDEO
    bandwidth percent 5
  class W_DATOS-CR
    bandwidth percent 30
  class W_EMAIL
    bandwidth percent 15
  class W_AVAIL
    service-policy EDGE-MEX3-PXY
  class class-default
  end-policy-map
  and we get this:
  Wed Sep 17 18:35:36.537 UTC
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
  Wed Sep 17 18:35:49.662 UTC
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
  end
  Any  kind of help is very appreciated.

  That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
  unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
  if you have some traffic that you want to exclude you could do something like this:
  access-list PERMIT-ME
  1 permit
  2 permit
  3 permit
  access-list DENY-me
  !the exclude list
  1 permit
  2 permit
  3 permit
  policy-map X
  class DENY-ME
  <dont do anything> or set something rogue (like qos-group)
  class PERMIT-ME
  do here what you wanted to do as earlier.
  eventhough the permit and deny may be overlapping in terms of match.
  only the first class is matched here, DENY-ME.
  cheers!
  xander

• Access list issues

  Hello,
  There has been an access list in place where I work since well before I arrived and it doesn't quite work.  I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what was designed to do - block or "quarantine" devices so they are forced to update their systems with patches.  It is also used to help in the baselining of pcs.
  The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive.  This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it.  I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
  Here is access list:
  ip access-list extended Quarantine_IN_L1
  permit icmp any any
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit upd any any eq domain
  permit tcp any eq 3389 any
  permit ip any host x.x.x.x (baseline server)
  permit ip any host x.x.x.x (share drive)
  permit ip any host x.x.x.x (domain controller)
  permit ip any host x.x.x.x (domain controller)
  ip access-list extended Quarantine_Out_L1
  permit icmp any any
  permit udp any any eq bootps
  permit udp any any eq bootpc
  permit udp any an any eq domain
  permit tcp any any eq 3389
  permit ip host (baseline server) any
  permit ip host (share drive) any
  permit ip host (domain controller) any
  permit ip host (domain controller) any
  As I said, I tried changing the permit ip host (baseline server) any and ip  any host (baseline server) to permit tcp statements.  That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements.  That also didn't work.
  Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
  Thanks,
  Kiley

  Paul,
  When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL.  I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume.  The ACL is applied to the L3 interface for baselining:
  int vlan 500
  description BASELINE VLAN
  ip addres x.x.x.x x.x.x.x
  ip access-group Quarantine_IN_L1 in
  ip access-group Quarantine_Out_L1 out
  ip helper-address x.x.x.x
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  Thanks,
  Kiley

• Static nat with port redirection 8.3 access-list using un-nat port?

  I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
  object network obj-10.1.1.5-06
  nat (inside,outside) static interface service tcp 3389 3398
  object network obj-10.1.1.5-06
  host 10.1.1.5
  access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
  access-group outside_access_in in interface outside
  So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
  Thanks in advance..

  Hello,
  I would be more than glad to explain you what is going on!
  The thing is since 8.3 NAT is reviewed before the acl so, the ASA receives the packet on the outside interface, checks for a existing connection, if there is none it will un-nat the packet and then check the ACL.
  After the packet in un-natted what we have is the private ip addresses and the real ports. so that is why on this versions you got to point the ACL to the private ip addresses and ports.
  Regards,
  Julio
  Rate helpful posts