Can't use named access list

I have tried on 2 routers, 1803 and 2600, to use a named access list by typing access-list "extended" name; it will not let me type this in. Is there any reason why it won't let me do this?

Carl,
The command is
(config)#ip access-list extended [word]

Similar Messages

  • Convert named access list to line numbers

    I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
    I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
    Thank you!

    Hi Emily,
    I guess this is what you are looking for. I have not tried it myself but would like to test it out.
    1. enable
    2. configure terminal
    3. ip access-list resequence access-list-name starting-sequence-number increment
    4. ip access-list {standard | extended} access-list-name
    5. sequence-number permit source source-wildcard
    or
    sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    6. sequence-number deny source source-wildcard
    or
    sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
    8. end
    9. show ip access-lists access-list-name
    This link should help:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
    regards,
    -amit singh

  • ASDM versus CLI - named access-list etc

    I'm a CLI junkie now using ASDM v5.2(3) on ASA55x0. Where are the named access-lists I'm used to working with in PIX 6.3(x) CLI? I want to continue to create my named access-lists so I and my colleagues can continue to use our standard templates for configuration tasks. I'm not interested in the ones created automatically such as "access-list in_out-back_forth-UpDown-interfaceSomeWhere0.1". These only confuse my staff when trying to complete config tasks.

    Adam - yes you are correct - strange that they have to be accessed via Split Tunnel Network List, but so be it. I can now create a named ACL with our standardized names, but how do I reference it by name later when applying to some policy?
    Typically one might have:
    access-list AllowInbound
    permit icmp any interface outside echo-reply
    permit icmp any interface outside unreachable
    permit icmp any interface outside time-exceeded
    access-group AllowInbound in interface outside
    Thx - Phil

  • Router NAT IP block using Access List

    Hi All
    Strange issue we have here. First time I've come across this.
    Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25, say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25?
    Thanks all!

    Anyone?

  • Access List Submodes

    I have a quick question re ACL submodes. I see that there is a config submode for named Extended ACLs, with prompt (config-ext-nacl). Is there a separate config submode for named Standard ACLs?
    Where is a good place to get a complete list of all the config submodes available on Cisco devices?

    You can create named ACLs using standard access-lists (I assume this is what you are talking about). You can create a numbered access-list using the same syntax as a named ACL, giving you the ability to edit on a line-by-line basis.

  • Access List and Conflict Resolution Problem!

    My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
    I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
    Setting the Conflict Resolution Level
    You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
    See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
    Unfortunately the referenced Administration Guide for DSAME contains exactly 0 occurrences of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
    So, I've set up my Access List services as follows:
    o URL Deny is blank on all Access Lists
    o URL Allow set as follows
    ---- isp
    ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
    ---- acme.com organization
    ------- Conflict Resolution: Highest
    ------- http://portal.acme.com/portal/* (same as above)
    ---- Acme Customers Role - shared role for all Acme customers
    ------- Conflict Resolution: Medium
    ------- http://www.acme.com/*
    ------- http://support.acme.com/*
    ------- http://support2.acme.com/*
    ---- RoadRunner role - specific role for a specific customer
    ------- Conflict Resolution: Medium
    ------- http://roadrunnerinfo.acme.com/*
    The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
    The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
    Setting the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
    If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
    So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
    Thanks!
    -matt

    Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

  • Virtual telnet/downloadable access lists: acl authorization denied error

    Hello,
    Has someone else experienced the same "issue" as described below? And can someone (Cisco?) tell whether this is by design, and if so, what the reasoning is behind this?
    We use virtual telnet for user authentication, when users need to pass traffic through a PIX, and use downloadable access-lists after successful authentication.
    When a user authenticates himself, an error message appears in the virtual telnet window: "error: acl authorization denied".
    And the PIX log shows:
    109005: Authentication succeeded for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
    109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
    This error message disappears when we add telnet access for the virtual telnet-IP@ in the downloadable access-list on the Cisco ACS. I could not find any reference to this configuration quirk in any document.
    Now, with or without the error, the user can use virtual telnet and everything permitted in the downloadable ACL without any problem (so why post an error message then?).
    thanks

    Try to disable authorization and see if this error stops.

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I would like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    MAC-based ACLs can be configured on the router. You will need to use an access-list which ranges from 700-799.
    A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

  • Access-list on secondary IP

    Hi,
    I would like to ask for help: can I block the secondary IP's internet access? I will place it on the primary access-list created.
    example
    (primary blocking internet access access-list)
    ip access-list extended http100
    permit tcp host 10.99.100.1 host 10.108.20.1 eq 80
    ip access-list extended http100
    permit tcp host 10.99.102.1 host 10.108.20.1 eq 80
    permit ip any any
    Would the commands above block the internet of the secondary IP 10.99.102.x?
    thanks,
    Eduard

    Hi Rick,
    I have a router which currently blocks internet access on certain IPs. On that segment I created a secondary IP address 10.99.102.x.
    My question is how do I block secondary internet access by using an access-list?
    I thought that since the secondary IP's interface is the same as the primary one, I'll put the exception there on the existing access-list. Would it block the IPs of the secondary from accessing the internet?
    Hope this is clearer.
    Oh, I think I mistyped something on the access-list, let me create another example:
    ip access-list extended http101
    permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)
    permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)
    deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
    deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
    permit ip any any
    All IPs' internet will be blocked except for 10.99.100.1 and 10.99.102.1.
    thanks,
    Eduard
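As an added example (not from Eduard's or Amit's posts), a small Python model of how IOS walks an extended ACL: top-down, first match wins, wildcard-mask bits set to 1 are ignored, and a packet that matches nothing hits the implicit deny. It is loaded with the http101 list above (sequence numbers 10, 20, ... are constructed here to mirror the IOS default) and also models the resequence and insert-by-sequence-number editing from the "Convert named access list to line numbers" thread.

```python
import ipaddress

# Eduard's http101 list, copied from the post above; sequence numbers are
# assigned the way IOS does by default (10, 20, 30, ...).
ACL_HTTP101 = [
    "permit tcp host 10.99.100.1 host 10.100.100.1 eq 80",
    "permit tcp host 10.99.102.1 host 10.100.100.1 eq 80",
    "deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80",
    "deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80",
    "permit ip any any",
]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse one access-list entry; only the 'eq PORT' operator is modelled."""
    action, proto, *rest = line.split()
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def addr_matches(spec, ip):
    """Wildcard bits set to 1 are 'don't care'; only the zero bits are compared."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)

def build(lines, start=10, increment=10):
    return [(start + i * increment, parse_ace(l)) for i, l in enumerate(lines)]

def resequence(acl, start, increment):
    """Same effect as 'ip access-list resequence NAME start increment'."""
    return [(start + i * increment, ace) for i, (_, ace) in enumerate(acl)]

def insert(acl, seq, line):
    """Add an entry at a chosen sequence number; IOS keeps entries sorted."""
    return sorted(acl + [(seq, parse_ace(line))], key=lambda e: e[0])

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for seq, ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if not (addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], seq
    return "deny", None
```

With this list, 10.99.102.1 to the proxy on port 80 is permitted by entry 20, any other 10.99.102.x host is denied by entry 40, and traffic to other ports falls through to the final permit ip any any.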

  • Questions on Reflexive Access Lists

    Hi Sir,
    I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
    The config on the core router is as follows:
    int Vlan10
    description *** Server Farm ***
    ip address 172.16.10.1 255.255.255.0
    ip access-group inboundfilters in
    ip access-group outboundfilters out
    int Vlan20
    description *** Marketing Department ***
    ip address 172.16.20.1 255.255.255.0
    int Vlan30
    description *** Engineering Department ***
    ip address 172.16.30.1 255.255.255.0
    ip access-list extended outboundfilters
    permit tcp any any eq telnet
    permit tcp any any eq smtp
    evaluate iptraffic
    ip access-list extended inboundfilters
    permit ip any any reflect iptraffic
    My questions:
    (1) I have yet to test the above config on an actual router. However, is it correct theoretically?
    (2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
    (3) If you have other better feature options that meet my requirements, please do recommend.
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS
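As an added example (not part of Lim's post), a Python model of what the two ACLs in this config do, as a way to reason about question (1). Directions follow the config: "in" on Vlan10 is a packet sent by a server, "out" is a packet sent towards a server. Only TCP is modelled, the idle timeout of real reflexive entries is left out, and the hosts in the scenario are constructed.

```python
from collections import namedtuple

# A TCP packet as the router sees it (constructed 5-tuple for the scenario).
Packet = namedtuple("Packet", "proto src sport dst dport")
TELNET, SMTP = 23, 25

class Vlan10Filters:
    """Models Lim's pair of ACLs on int Vlan10:
         ip access-list extended inboundfilters
           permit ip any any reflect iptraffic
         ip access-list extended outboundfilters
           permit tcp any any eq telnet
           permit tcp any any eq smtp
           evaluate iptraffic
    Reflexive entries live in a set named after the 'reflect' list.
    Idle timeouts of real IOS entries are not modelled."""

    def __init__(self):
        self.reflexive = {"iptraffic": set()}

    def inbound(self, pkt):
        """'in' on Vlan10: a packet sent by a server. 'permit ip any any reflect'
        permits it and records the mirror-image flow so the reply can come back."""
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.reflexive["iptraffic"].add(mirror)
        return "permit"

    def outbound(self, pkt):
        """'out' on Vlan10: a packet sent towards a server. Static permits for
        telnet/smtp first, then 'evaluate iptraffic', then the implicit deny."""
        if pkt.proto == "tcp" and pkt.dport in (TELNET, SMTP):
            return "permit"
        if pkt in self.reflexive["iptraffic"]:
            return "permit"
        return "deny"

def scenario():
    """Walk one server and two department hosts through the filters."""
    fw = Vlan10Filters()
    server, client, peer = "172.16.10.5", "172.16.20.9", "172.16.30.7"
    return [
        # Any host may open telnet to a server; port 80 is not statically permitted.
        fw.outbound(Packet("tcp", client, 40000, server, TELNET)),   # permit
        fw.outbound(Packet("tcp", client, 40001, server, 80)),       # deny
        # A server-initiated session creates a reflexive entry for its reply...
        fw.inbound(Packet("tcp", server, 51000, peer, 443)),         # permit
        fw.outbound(Packet("tcp", peer, 443, server, 51000)),        # permit
        # ...but only for that exact 5-tuple; another source host is still denied.
        fw.outbound(Packet("tcp", "172.16.30.8", 443, server, 51000)),  # deny
    ]

if __name__ == "__main__":
    print(scenario())
```

The last two verdicts are the point of question (2): the evaluate statement only opens holes for sessions the servers started, so every service outsiders may initiate still needs its own static permit ahead of it.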

    Hi Lim,
    CBAC is good as well, considering the following features:
    1. Traffic Filtering:
    - filters TCP and UDP packets based on application-layer protocol session information.
    - permit specified TCP and UDP traffic through a firewall when the connection is initiated from inside protected network, or outside network.
    2. Traffic Inspection
    - discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
    - Protect against DoS attack by checking/verifying sequence no (must be within the expected range) and discard unknown packets. Same goes to attack via fragmented IP.
    3. Alerts and Audit Trails
    - can send real-time alerts and audit trails to syslog server (or buffer log)
    4. Intrusion Detection
    - Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.
    Limitations:
    1. Only protect protocol you specify. The rest will depend on ACL you have in the router but not up to session layer.
    2. No protection for attacks originating from internal network, unless if you have firewall (pix/asa/ios-firewall) protection.
    3. Only protect certain type of well-known attacks only - based on 59 embedded IDS signatures
    For spoofing protection, i.e. spoof attacks from outside/common user segment, maybe you should apply RFC2827 (prevent IP on protected segment from coming back into that segment from outside). Make sure your ACL has the 'establish' keyword as well. As recommended by Cisco, you should apply multiple layers of security protection both on your router and other devices connected to it.
    Cheers!

  • MAC access-list to deny appletalk

    Can I use a mac access-list to deny AppleTalk frames only, not affecting other frames, on a cat3560?

    Hi,
    I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
    cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
    As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
    Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
    mac access-list extended DenyAppletalk
    deny   any any aarp
    permit any any
    And then apply that ACL to each interface:
    #(config-if) mac access-group DenyAppletalk in
    So you will not be blocking actual Appletalk but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info but after some time (and certainly after a reboot) the hosts will no longer see any other appletalk hosts on the network.
    I've never tried this or seen this work myself but you may want to give it a go and let us know?
    Herbert

  • When I use view as list in Finder and open a folder with many files I can't right-click with the mouse without selecting or highlighting a file... I just want to right-click to paste an item or create a new folder. What can I do?

    Thx for that, I'm gonna try it... but is there a way to do it without using the toolbar or cmd-c? I mean using only the mouse? Why does it have to highlight the file even though I click a bit next to it? Using icon view I can right-click next to the folder and I won't have a problem, but with list view, which I prefer using, it will highlight the whole row... and I don't find free space to right-click because I've got many files.

  • I want to buy an in-app purchase but I don't remember my security questions and I can't access my recovery email either, what can I do? I have $100 on my account and can't use it because of that problem, please help URGENT

    If you have a rescue email address on your account then you can use that - following steps 1 to 5 half-way down this page will give you a reset link on your account: http://support.apple.com/kb/HT5312
    If you don't have a rescue email address (you won't be able to add one until you can answer your questions) then you will need to contact Support in your country to get the questions reset : http://support.apple.com/kb/HT5699

  • As I upgraded my iPhone 4 to iOS 5 I can't edit my phone list and iMessage won't use my phone number, what shall I do?

    Hi drgpeck,
    This article is for a similar issue, and the troubleshooting steps would be recommended for your specific issue:
    iTunes for Windows: iTunes cannot contact the iPhone, iPad, or iPod software update server
    http://support.apple.com/kb/TS1814
    Cheers!
    - Ari

  • Illegal dependency access list does not allow use of caf/eu/gp/api

    I am using NWDS 2004s and working with GP implementation.
    I am also able to see the development components as caf/eu/gp/api and sap.com/caf/gp/api/wd after copying the required files.
    But while selecting caf/eu/gp/api I am getting the following exception:
    Illegal dependency access list does not allow use of caf/eu/gp/api
    Please suggest if you have any idea regarding this.
    Regards
    Satya

    Hi Satyabrata,
    Are you using NWDI for development, or local development?
    I had the same problem when using local development components. I read somewhere in the documentation that for this you have to use the NWDI.
    Now I am using NWDI and this is working correctly.
    Johan
