Avpair on the end of access-list

Hello,
Is it possible, on router web authentication (or proxy authentication), to add the avpairs received from a RADIUS server (the AAA) at the end of the access-list, instead of at the beginning?
Thanks.
Pisco
Universidade do Algarve
Portugal

Thanks to Frank and Kevin
Kevin
Let me see if I got it.
When I create the 2 LOVs through a query, you said I should use a bind variable in the where clause of that query and the value of that variable would be the value selected in the first LOV, right? Then, how and where can I set an automatic refresh to yes?
In order to do the query, do I still need to have the information needed (country, states, cities) stored in a table? If not, what other way can I get the information and populate the lists?
Frank,
I guess I should detect a list change with the when-list-changed trigger. Am I right?
I still have to store all the information either in a database or in a record group, am I right?
Which would be a better way to do it?
Thanks

Similar Messages

  • Inherent Deny at End of Access-list 700 ?

    If I specify the following configuration:
    access-list 700 permit 5c59.4812.35fb
    access-list 700 permit 0024.d71b.de64
    dot11 association mac-list 700
    Is there an inherent DENY to all other MAC addresses at the end of access-list 700?  This configuration is going into an Aironet AP801.  I'd like to use this to specify what I permit in my home and deny any other device that attempts to connect to the AP.  I think this is a workable solution to keep out intruders that might crack my WPA2.
    Thanks for the feedback!!!
    James E

    Yes, there is an inherent deny all at the end of a 700-series ACL just like there is in all ACLs.

  • Where is the Enable RESTful Access List?

    Hello,
    I am trying to expose a report in my application as a RESTful web service. I am following this guide here: http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDDBGAI
    The instructions are:
    On the Workspace home page, click Application Builder.
    Select an application.
    Application Builder appears.
    Select the page that contains the report you want to enable.
    The Page Definition appears.
    Under Regions, click the name of the region that contains the report you want to enable.
    Under Attributes, enter a value for Static ID field. This value is used to access the report RESTfully.
    From the Enable RESTful Access List, select Yes.
    Click Apply Changes.
    I am not sure where I can get this "Enable RESTful Access List", it is not in my region attributes or in my page attributes. Could someone kindly point out where I can get it?
    I am using APEX 4.2
    Cheers.

    Hi William,
    That's great you're up and running now. So now you've managed to expose your Report region as a RESTful Service. I think you might find it useful to read through the section Understanding Web Service References in the same chapter - http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#BABDCIBH - as it explains the various references that can be created. In your case, your Web Service reference is based on the RESTful style, and not on a Web Services Description Language (WSDL) document. If you read through the section Accessing a RESTful Enabled Report Region from a Web Service Client - http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDEHFJI - the apex_rest service API can be used to discover available RESTful enabled reports for a given application. Its response is an XML document with a description of all reports that can be accessed by RESTful Web services.
    I hope this helps.
    Regards,
    Hilary

  • Need to understand the nat with access-list

    Please let me know what it means as it is configured on our ASA
    global (mtaas) 5 10.224.128.4
    nat (outside) 5 access-list EXIDE-MTAAS-PAT
    access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.250
    access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.250
    access-list EXIDE-MTAAS-PAT extended permit ip host 1.1.1.4 host 10.224.128.244
    access-list EXIDE-MTAAS-PAT extended permit ip 10.0.0.0 255.0.0.0 host 10.224.128.244

    Hi,
    The configuration you mention in your post does the following:
    It's a Policy PAT for traffic entering from networks behind "outside" to networks behind "mtaas".
    Traffic that matches the access-list will get PAT translated (Port Address Translation) to the IP address of 10.224.128.4.
    The access-list tells what traffic needs to be translated. In this case ANY IP traffic coming from source networks 10.0.0.0/8 and 1.1.1.4/32 will get translated WHEN they try to connect to the hosts 10.224.128.250 and 10.224.128.244.
    This Policy PAT configuration looks like a configuration for some VPN connection you have on the firewall. It's made so that the connections taken from the VPN connection get PATed to an IP address that's part of the destination network.
    - Jouni

  • Empty Line at the End of a List Component

    I am using a list component in which I am manually adding items to it (i.e. addItemAt). The list is long enough to be scrollable. At the end of the list is a blank line, or a space big enough to look like the size of a line. It is not clickable and you can't highlight it if you click, but it is there and looks a little funny.
    Does anyone know what is creating this and how to get rid of it?
    Thank you.
    Dave

    Pretty much you are creating this... Are you iterating an array to populate the list, and not stopping soon enough? Remember arrays are 0 index based, so you want to go to < the length, not <= the length.
    Dave -
    Head Developer
    http://www.blurredistinction.com
    Adobe Community Expert
    http://www.adobe.com/communities/experts/

  • Access-list Question

    Hi,
    Can somebody explain to me when to use the word "established" at the end of an access-list?

    "established" is a keyword used in the automatically generated ACLs for TCP return connections.
    Check this URL to get more information.
    http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webprtal/7fire.htm#1110326
    hope it helps ... rate if it does ...

  • Show  end user the corresponding elements of list  .

    Hi
    I have created two tables with relationship as following :
    SQL> create table students( stud_id number ,stud_name varchar2(220) primary key);
    Table created.
    SQL> create table class (class_id number,class_name varchar2(50) primary key);
    Table created.
    SQL> alter table class add(stud_name varchar2(220) references students(stud_name));
    Table altered.
    I created a form for each table in one block.
    I changed stud_name text item in students form to a list item
    I changed class_name text item in class form to a list item
    I changed stud_name text item in class form to a list item
    I want to do two things.
    first thing
    to add all students names that I saved in database to elements of the list in the students form programmaticaly
    second thing
    A suitable recordgroup query + a code to show the end user all list of corresponding stud_name when he/she chooses a specific class_name
    I will be glad if someone help me.
    regards.

    Thank you sir/andreas Weiden for your response.
    I followed your link.
    I created a new form against class table and named it class,
    I set the item type of class_name and stud_name to list item.
    Then I went to the property palette of the class_name, choosing elements in the list I set the list item value to :class.class_name, and gave the initial value the same value :class.class_name.
    doing the same thing to stud_name, of course the value here is
    :class.stud_name.
    I created a pre_form trigger and wrote the following code
    DECLARE
      rg RECORDGROUP;
      nDummy NUMBER;
    BEGIN
      rg:=CREATE_GROUP_FROM_QUERY('RG', 'SELECT   stud_NAME LABEL   , TO_CHAR(class_name) VALUE FROM class   ORDER BY 2');
      nDummy:=POPULATE_GROUP(rg);
      POPULATE_LIST('class.stud_name', rg);
    END;
    When running, the stud_name saved in database are displayed, but class_name are not.
    what is the problem.
    please help.
    thank you again.

  • Assistance with Access-list

    Need configuration assistance on 6509: Goal is to block inbound traffic on interface except from 10.60.0.0 and 10.90.0.0
    This is what I have but is not working - what am I missing
    6509
    interface vlan xx
    ip access-group 100 in
    ip access-list standard 100
    permit ip 10.60.0.0 any
    permit ip 10.90.0.0 any
    deny ip any any
    on pix
    access-list 100 permit ip 10.60.0.0
    access-list 100 permit ip 10.90.0.0

    Hi Johanna,
    The access-list would be the following:
    ip access-list standard traffic_in
    permit 10.60.0.0 0.0.255.255
    permit 10.90.0.0 0.0.255.255
    interface vlan xx
    ip access-group traffic_in in
    If you use "permit 10.60.0.0" only in the access-list, then it will permit the 10.60.0.0 source address only, not the entire subnet.
    My supposition is that the subnets are:
    10.60.0.0 255.255.0.0
    10.90.0.0 255.255.0.0
    This is why I chose the given wildcard mask in the access-list.
    You don't have to put "deny any" at the end of the access-list, because there is an implicit deny at the end anyway.
    Cheers:
    Istvan
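
An added example (not part of Istvan's reply and not a Cisco tool): a small Python model of how a standard ACL matches source addresses, showing why `permit 10.60.0.0` alone matches a single address while the wildcard form matches the whole /16, and where the implicit deny takes effect. The function names and the test addresses are constructed for illustration.

```python
import ipaddress

ANY_WILDCARD = 0xFFFFFFFF  # every bit is "don't care"


def parse_standard_ace(line):
    """Parse 'permit|deny <addr> [wildcard]', 'permit|deny host <addr>' or '... any'."""
    parts = line.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {line!r}")
    if parts[1] == "any":
        return action, 0, ANY_WILDCARD
    if parts[1] == "host":
        return action, int(ipaddress.IPv4Address(parts[2])), 0
    addr = int(ipaddress.IPv4Address(parts[1]))
    # With no wildcard given, a standard ACE matches that one address only.
    wild = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, addr, wild


def evaluate(acl_lines, source):
    """Return (action, matching line number); (deny, None) means implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for number, line in enumerate(acl_lines, 1):
        action, addr, wild = parse_standard_ace(line)
        # Wildcard bits set to 1 are ignored; all other bits must be equal.
        if (src | wild) == (addr | wild):
            return action, number
    return "deny", None  # nothing matched: implicit deny at the end of the list


# Constructed ACLs: the form without wildcard masks versus the form from the reply.
HOST_ONLY = ["permit 10.60.0.0", "permit 10.90.0.0"]
SUBNET = ["permit 10.60.0.0 0.0.255.255", "permit 10.90.0.0 0.0.255.255"]

if __name__ == "__main__":
    for src in ("10.60.0.0", "10.60.1.25", "10.90.200.7", "10.61.0.1"):
        print(src, "host-only:", evaluate(HOST_ONLY, src),
              "subnet:", evaluate(SUBNET, src))
```
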

  • Static NAT using access-lists?

    Hi,
    I have an ASA5520 and I'm having an issue with static NAT configuration.
    I have an inside host, say 1.1.1.1, that I want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that I have other clients who I would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the NAT address I would like to flip this logic if possible.
    Can I create a NAT rule that only matches an access list, i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, don't NAT?
    My PIX CLI skills aren't the best, but the ASDM suggests that this is possible - on the NAT rules page there is a section for the untranslated source to ANY, and if I could change ANY I would, but I don't see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    then use NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    to permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    you'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • Access-LIst a simple one

    Hi All,
    Am I correct in assuming the following ACL
    access-list inside_nonat_acl extended permit ip host 8.8.8.8 host 10.10.10.10
    permits all IP traffic from 8.8.8.8 to 10.10.10.10? I'm a little confused because of the nonat syntax in the ACL name.
    Thanks

    Hi thanks for the reply,
    I only have the .txt file so can't see if an interface has it applied.  I don't understand what they have done as one line may have
    allow 443 access to e.g. 10.10.10.10 from 4.4.4.4
    then another line will have permit ip from 4.4.4.4 to 10.10.10.10
    signed
    Confused

  • Enabling end - user access in Sun One Web Server 6.1 SP2

    Hi,
    I am new to Sun One Web Server 6.1 SP2 and I can't figure how to enable the end user access so that the end users can change their password.
    On iPlanet 6.0 SP2, in the Distributed Admin page, I could enable Distributed Administration as well as end user access on the webserver. The end users could then change their own password. I can't find a similar feature in Sun One Web server 6.1 SP2.
    Could anyone out there tell me how to get this done?
    Thanks in advance!

    Hi,
    I just found from release notes that End user administration feature (which was under Distributed Administration ) is no longer supported in Sun One Web Server 6.1. [Problem ID 4865295 in release notes]
    Could anyone provide a workaround to get over this and allow the end users to change their passwords?
    Many thanks in advance,
    auporna.

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
    policy-map global_policy
    class inspection_default
    inspect icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If the problem is still current, I can answer this question.
    Let's look at the situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet enters. If we're speaking about ping, then the ACL rules must allow packets in both directions.
    With ICMP inspection, the ACL entry only needs to allow request packets; replies will be allowed based on the connection created by ICMP inspection.
    Speaking about your particular example with different security levels: with the default ACL rule that allows traffic from a higher interface to a lower one, NO, you do not need to enter the rules you described, and you'll still have a successful ping.
    If you deleted this rule and administer allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
    P.S. It's not good practice to leave that default rule, which allows traffic from a higher sec. lvl. to a lower one.

  • ACE access-list and Passive FTP

    Can servers sitting behind the ACE successfully ftp files if the following rules are in place?
    access-list word line x extended permit tcp source destination eq 21
    access-list word line y extended permit tcp source destination eq 20
    With those lines I can establish an FTP session, but unable to transfer files.
    With the following statement access-list word line x extended permit ip source destination, passive ftp works?
    IS this because the ACE acl does not allow for stateful inspection of an FTP session?
    Thank you

    You are right, lack of fixup/inspect is the reason for FTP connections to fail.
    You need something in line with the following config
    class-map match-all FTP-Traffic
    2 match port tcp eq ftp
    policy-map multi-match xyz
    class FTP-Traffic
    inspect ftp
    Syed Iftekhar Ahmed

  • Force file/folder to end of alphabetical list?

    Once upon a time, I could start a file name with a tilde and force the file to the end of a list in a Finder window. I understand why I can't do that with Unix, but I wonder if there's some other symbol that will accomplish the same thing?
    I'm getting this done by prefacing the files with zz, but it doesn't look nearly as good. ;-}

    It might depend on the language you are using, but if all of your "Finder" items are named in English, I find Ω (omega), generated by option-z (⌥z) to be fairly convenient, though again, it might depend on your language or keyboard layout...

  • Removed ip access-list & lost network connectivity

    An access-list was removed to edit and replace. Once the access-list was removed we lost network connectivity to the remote router. This list is an extensive one. But when we removed it on other remote routers, network connectivity remained. Can anyone tell me why? Is this typical of access-lists, and is it good practice to wait until after business hours?

    No problem.
    I am sure that we have all had experiences of looking at things we have written, or questions answered, and realized that what we wrote was not quite what we were thinking as we created it.
    Your main point is well taken that it is good practice to remove the access-group before removing and changing the content of access lists.
    Sometimes I take a slightly different approach: I will build a new version of the access list using a different number (if I am changing access list 101, I may create list 102) which is the modified version of the list. I then change the access-group to reference the new version of the list. This may have a couple of advantages including the fact that the interface is always protected by some access list. Also it makes backing out changes easier if we discover that there was some flaw in our list modification.
    HTH
    Rick
