CCNA - ACL question

Hi,
I'm studying for the CCNA 640-801 exam and in some study materials there is the following ACL question and I don't understand why the answer is what it is. I was hoping someone in here could help with explaining why. Thanks.
Router1-s0--------s0-Router2-s0--------s0-Router3
___|________________|_______________|____
PCA through PCF all seem to be connected to a common backbone. All three routers appear to also be connected to the same backbone as the PCs. Router1 connects to Router2 which connects to Router3.
PCA - 5.1.1.8/24
PCB - 5.1.1.10/24
PCC - 5.1.2.10/24
PCD - 5.1.2.20/24
PCE - 5.1.3.8/24
PCF - 5.1.3.10/24
You're the systems administrator at Cisco, and you create the following access control lists.
access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet
access-list 101 permit any any
You then enter the command "ip access-group 101 in" to apply access control list
101 to router1's e0 interface.
Which of the following Telnet sessions will be blocked as a result of your access
lists? (Select all that apply)
A. Telnet sessions from host A to host 5.1.1.10
B. Telnet sessions from host A to host 5.1.3.10
C. Telnet sessions from host B to host 5.1.2.10
D. Telnet sessions from host B to host 5.1.3.8
E. Telnet sessions from host C to host 5.1.3.10
F. Telnet sessions from host F to host 5.1.1.10
Answer D & F
I understand answer D, that is straightforward and easy to understand however I don't understand answer F. The ACL statement, 'access-list 101 deny tcp 5.1.1.10 0.0.0.0' specifically has the source host listed which is not PCF. I would think only addresses matching the source address in the ACL should be blocked. Thanks to anyone who can help.

Riley
I have an issue with their solution and an issue with your solution.
I think that the major flaw in their solution is putting the access-group on the serial interface as an inbound filter. As an inbound filter on the serial 192.168.1.1 or 192.168.118.0 would be the source address and their access list has it as the destination. Putting the access list as inbound on Ethernet 0 is effective. Putting it also on serial 1 adds no effectiveness. I am not clear whether they were again trying to point out the possibility of preventing telnet by denying the response traffic. But you cannot do both in one access list which is limited to 3 statements.
Another (small) issue with their access list is in the second line:
access-list 101 deny tcp any 192.168.118.0 0.0.0.0 eq 23
The mask is for a specific host but 192.168.118.0 is not a host. It is the network/subnet address and no legitimate traffic will ever have that as a source address.
The main issue in your access list is the placement of "eq 23". You have it coming before the source address and the "eq port" comes after an address specification (after either the source or after the destination) and not before both of the addresses. Also if your access list is inbound on interface Ethernet 0 then telnet traffic to router 1 will have port 23 (telnet) as the destination port.
There is an apparent difference between your list and their list but it does not matter. You specify 192.168.134.0/24 as the source address and they specify any as the source address. Since the network explanation indicates that 192.168.134.0 is the only network behind E 0 the effect of the access lists does not change between the two source address specifications.
I agree with Kevin that there does not appear to be a lot of effective proof reading of this material. I have taught Cisco classes and I have written training material and I appreciate that this is difficult to do. But it is highly unfortunate and lowers the credibility of the material (and their source) when these kinds of mistakes are apparent.
HTH
Rick

Similar Messages

  • ACLS QUESTION - 2 LAN SEGMENTS - ISSUE

    ACLS QUESTION - 2 LAN SEGMENTS - ISSUE
    I have a scenario where 2 LAN segments are separated by a router, Admin and Students. There is a DNS server and an EMAIL server on the admin segment. Students should be able to access DNS and EMAIL services (smtp, pop3 and dns). No access to any other traffic. Admin should have full access to the student LAN segment. I managed to implement all the filtering with extended ACLS placed on the router as follows:
    access-list 105 permit tcp any any eq smtp
    access-list 105 permit tcp any any eq pop3
    access-list 105 permit tcp any any eq www
    access-list 105 permit udp any host 10.20.0.2 eq 53
    access-list 105 deny ip any any
    int e1/1
    ip access-group 105 in
    But for some reason it does not allow any access from the admin segment to the students segment.
    EMAIL AND DNS ARE WORKING FINE FROM THE STUDENTS SEGMENT AND PINGS FAIL AS EXPECTED AFTER THE COMMANDS MENTIONED WERE ISSUED.
    ADMIN SHOULD BE ABLE TO PING STUDENTS SEGMENTS
    AFTER ATTEMPTING MANY TIMES AND DIFFERENT CONFIG I TRIED THE FOLLOWING:
    access-list 106 permit ip any any
    int e1/0
    ip access-group 106 in
    I also tried
    int e1/1
    ip access-group 106 in
    BUT ADMIN STILL HAS NO ACCESS TO THE STUDENTS SEGMENTS!!!!!!
    WHY NOT?
    FEW FELLOWS TRIED IT OUT AS WELL IN PACKET TRACER WITH NO SUCCESSFUL RESULTS...
    :S
    I WOULD REALLY APPRECIATE SOME HELP ASAP!
    THANK YOU IN ADVANCE,
    MIGUEL
    Posted by WebUser Miguel Pcn

    Hi Miguel ,
    Your issue is the returning packet for the session initiated by the Admin - caused by deny ip any any on access-list 105
    For the "ping" from admin to student to work add :
       access-list 105 permit icmp any any echo-reply
    What kind of access is needed from Admin to Student ?
    Dan
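The wildcard-mask matching, first-match evaluation and inbound direction that the CCNA question at the top of this page turns on are the same mechanics behind the ACL 105 problem just above, so one added example covers both. It is constructed here and is not code from either thread or from Cisco. It parses the IOS entries as written, evaluates packets against them with the implicit final deny, and then checks two things: which of the six exam options has its opening Telnet packet denied with list 101 inbound on Router1's e0 (assumed here to face the 5.1.1.0/24 LAN; the question's `permit any any` is written as `permit ip any any`, since IOS requires the protocol keyword), plus the server's reply for option F, the "response traffic" idea Rick's reply mentions; and whether a student host's reply to an admin client (constructed addresses 10.30.0.7 and 10.20.0.50) passes list 105 as posted versus a version with `established` and `echo-reply` entries placed before the deny. Only `eq`, `established` and a single ICMP type keyword are modelled.

```python
"""Evaluator for IOS extended-ACL entries (added example, not from either thread)."""
import ipaddress

PORT_NAMES = {"telnet": 23, "smtp": 25, "pop3": 110, "www": 80}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X' or 'X WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def _take_port(tokens):
    """Consume an optional 'eq PORT'; the operator follows the address it qualifies."""
    if not tokens or tokens[0] != "eq":
        return None
    _, p = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES.get(p) or int(p)

def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                      # drop 'access-list <number>'
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    ace = {"action": action, "proto": proto, "src": _take_addr(tokens)}
    ace["sport"] = _take_port(tokens)
    ace["dst"] = _take_addr(tokens)
    ace["dport"] = _take_port(tokens)
    ace["established"] = "established" in tokens  # TCP segment with ACK or RST set, i.e. a reply
    ace["icmp_type"] = tokens[0] if proto == "icmp" and tokens and tokens[0] != "log" else None
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    for key in ("sport", "dport", "icmp_type"):
        if ace[key] is not None and pkt.get(key) != ace[key]:
            return False
    return not ace["established"] or bool(pkt.get("flags", set()) & {"ACK", "RST"})

def evaluate(acl, pkt):
    """First matching entry wins; an IOS ACL always ends with an implicit 'deny ip any any'."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# Scenario 1, the CCNA question. Assumption: Router1 e0 faces the 5.1.1.0/24 LAN, so an
# inbound list on e0 only ever sees packets sourced from that LAN.
ACL_101 = [
    "access-list 101 deny tcp 5.1.1.10 0.0.0.0 5.1.3.0 0.0.0.255 eq telnet",
    "access-list 101 permit ip any any",   # the question writes 'permit any any'; IOS needs a protocol keyword
]
E0_LAN = ("5.1.1.0", "0.0.0.255")
# answer option -> (source host address, destination address), hosts A..F as listed in the question
OPTIONS = {"A": ("5.1.1.8", "5.1.1.10"), "B": ("5.1.1.8", "5.1.3.10"), "C": ("5.1.1.10", "5.1.2.10"),
           "D": ("5.1.1.10", "5.1.3.8"), "E": ("5.1.2.10", "5.1.3.10"), "F": ("5.1.3.10", "5.1.1.10")}

def telnet_syn(src, dst, sport=11019):
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": 23, "flags": {"SYN"}}

def telnet_reply(syn):
    """The server's SYN/ACK: addresses and ports swapped, so 23 is now the source port."""
    return {"proto": "tcp", "src": syn["dst"], "dst": syn["src"], "sport": 23, "dport": syn["sport"],
            "flags": {"SYN", "ACK"}}

def blocked_on_first_packet(acl, inbound_lan):
    """Options whose opening SYN enters e0 (sourced on that LAN) and meets a deny."""
    return [letter for letter, (src, dst) in OPTIONS.items()
            if wildcard_match(src, *inbound_lan) and evaluate(acl, telnet_syn(src, dst)) == "deny"]

# Scenario 2, list 105 from the Admin/Students thread, inbound on the student-facing interface.
# A reply from a student host to an admin client (constructed addresses) must pass it on the way back.
ACL_105_POSTED = [
    "access-list 105 permit tcp any any eq smtp",
    "access-list 105 permit tcp any any eq pop3",
    "access-list 105 permit tcp any any eq www",
    "access-list 105 permit udp any host 10.20.0.2 eq 53",
    "access-list 105 deny ip any any",
]
# Corrected list (assumption): reply entries sit before the final deny, because a new
# 'access-list 105' line is appended after the existing deny and would never be reached.
ACL_105_FIXED = ACL_105_POSTED[:4] + ["access-list 105 permit tcp any any established",
                                      "access-list 105 permit icmp any any echo-reply", ACL_105_POSTED[4]]
STUDENT_TCP_REPLY = {"proto": "tcp", "src": "10.30.0.7", "dst": "10.20.0.50",
                     "sport": 80, "dport": 50123, "flags": {"SYN", "ACK"}}
STUDENT_PING_REPLY = {"proto": "icmp", "src": "10.30.0.7", "dst": "10.20.0.50", "icmp_type": "echo-reply"}
```

`blocked_on_first_packet(ACL_101, E0_LAN)` returns `['D']`: options A, B and C are sourced on the e0 LAN but do not match the deny line, and E and F never enter e0 inbound at all. The reply in option F has source port 23 and an ephemeral destination port, so `eq telnet`, which qualifies the destination address, does not match it and list 101 permits it. For list 105, `evaluate` denies both the TCP reply and the echo-reply under the posted list and permits them under the corrected one; since a numbered ACL only appends, the corrected order needs the list removed and re-entered (or a named ACL with sequence numbers).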

  • CCNA Certification Question

    Hi,
    Firstly, this is my first post here so apologies if it is in the wrong area.
    Basically, I've just finished and am awaiting results of a degree in Computer Networking. In the meantime, I would like to gain the CCNA certification.
    I have looked around the internet and the general idea I'm getting is that the only requirement is to pass the 640-802 exam, or two separate smaller exams. Is this correct?
    The only reason I ask is that CCNA was offered as part of my course, and i'm pretty sure people who signed up for it had to complete a skills test (physical network lab test) to gain the certification.
    Could someone clarify what is required for the CCNA certification please?
    Also, I have read a couple of bits and pieces mentioning CCNA 1, 2, 3 & 4 certifications. Are these different, individual, certifications to just "CCNA" on its own?
    Thanks in advance for any light you can shed on this!                  

    Hi David,
    You are most correct here my friend! The exam can be taken as one composite exam
    or split into two separate exams:
    CCNA Exams & Recommended Training
    Required Exam(s) Recommended Training
    640-802 CCNA
    Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.1
    Interconnecting Cisco Networking Devices Part 2 (ICND2) v1.1
    OR
    Required Exam(s) Recommended Training
    640-822 ICND1
    Interconnecting Cisco Networking Devices Part 1 (ICND1) v1.1
    640-816 ICND2
    Interconnecting Cisco Networking Devices Part 2 (ICND2) v1.1
    https://www.cisco.com/web/learning/le3/le2/le0/le9/learning_certification_type_home.html
    The CCNA1,2,3,4 notes that you saw are likely related to the Cisco Academy learning modules
    that are split into 4 sections
    Your best bet for these type of questions is probably here;
    https://learningnetwork.cisco.com/community/certifications
    Cheers and best of luck with your CCNA studies!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • ACL Question in Weblogic

    Hi,
    From the Weblogic document, it mentioned that the ACL only work on file Realms.
    Can it apply to directory like http://www.bea.com/*.
    Here is what I need to do:
    For http://www.bea.com:7001 is free to access,
    for http://www.bea.com:7001/administrator or http://www.bea.com:7001/test can
    only be accessed from a certain IP range or VPN.
    Can it be done by Weblogic? or I need to build my own http proxy?
    Furthermore, I saw that Weblogic also supports a UNIX Security Realm; does it mean
    that I can allow only defined UNIX users to access certain directories or files?
    btw, I am using Weblogic 6.1.
    Thanks a lot!!

    Hi Jon,
    Your issue should be raised with BEA support. With regard to your second issue:
    "and this be included in the documentation outlining the
    responsibilities for implementing a custom realm."
    You should raise this as an enhancement either via the support channels or via
    [email protected]
    Kind Regards,
    Richard Wallace.
    Senior Developer Relations Engineer.
    BEA Support.
    "Jon Wilmoth" <[email protected]> wrote:
    I've implemented a custom realm on wl6.1 sp1 which extends the LDAPv2
    realm
    (implementing the ManageableRealm interface) for users and groups and
    delegates to a rdbms delegate for aclentry management. I read an earlier
    post about revoking a permission which requires a custom realm to augment
    the weblogic.security.acl.AclImpl class. My question is similar in nature.
    In a situation where a positive AclEntry needs to be changed to a negative
    entry, what are the requirements imposed on the custom realm implementer?
    Do I need to worry about the checkPermission call on the Acl implementation?
    On the AclEntry implementation? Is there a BEA recommended path similar
    to
    that for revoking permissions?
    I would also recommend that the BEA responses to the revoking permissions
    post and this be included in the documentation outlining the
    responsibilities for implementing a custom realm.
    Thanks!
    Jon
    Jon Wilmoth
    Software Architect
    eSage Group
    (206) 264-5675 (Voice & Fax)
    [email protected]
    http://www.esagegroup.com

  • CCNA Lab Question

    HI all ...
    I am doing some playing around with my CCNA LAB. I have a Question About Inter-VLan Routing...
    I want to Establish Communication Between the 2 Sites but Prevent Broadcasts and unnecessary traffic across the WAN link. etc...
    The links between the Routers and the Switches are Trunk Links...
    Site A has a Scope of 10.130.19.0 /22
    Site B has a Scope of 10.137.141.0 /20
    So is the Solution as simple as
    1. Make a Vlan (5) Called routing with an ip of lets say 192.168.1.1 /29. Make the 2 Switch access ports of that vlan .OR Trunk links with Allow Vlan (5) across trunks and deny all others...
    2. Static routes on Routes on the routers 10.130.141.0 /22 192.168.1.1/29 vice-versa ?
    Any Ideas which direction i should take ? I am still at very early stages of my CCNA so sorry for my stupid question...

    Hello. 
    I have yet to come across this type of design after so long in the field.
    Switches have been created for LAN connectivity and routers for WAN.
    I believe you should probably connect the routers together and the switches face the LAN side.
    All other design stays the same.
    HTH.
    Please rate useful posts.

  • Vlan/ACL question

    I am in the process of getting my guest access set up on my network and I have a couple of questions.
    1) On my L3 switch I currently have the switch port with the command line of switchport access vlan 2 for my current wireless network. I am looking to add vlan 3 for the guest wireless access. Should I add/change that line to switchport trunk allow vlan 2,3 for each port I have my APs plugged into?
    2) I am having issues with my ACLs. All I want my guest vlan to do is go to the internet, nothing more. Is it better to place this ACL on the WCL, L3 switch or ASA? When I try it on the WLC, even when I deny ICMP both ways, I am still able to ping and I do have the ACL applied to the interface.
    Thanks,
    Jim

    If your APs are in local mode you won't need to change the port as the traffic is ingress/egress at the WLC. So long as VLAN 3 is allowed there it will be fine.
    As for the ACL, I'd put it on the Layer 3 interface of the switch/router.
    Steve
    Sent from Cisco Technical Support iPhone App

  • Iplanet web server 6.0 ACL question

    Hi,
    I am using ACLs to protect some of my URLs in iplanet web server 6.0.
    I am getting one problem. It's not a problem actually but I would like to know how to avoid authenticating the users 2 times.
    In my ACL file, when ever I create an entry for a path, I am getting the following by default.
    authenticate (user,group) {
    database = "default";
    method = "basic";
    My entry is like this with the above lines.
    acl "path=/www/develop/itsecurity/admin";
    authenticate (user,group) {
    database = "default";
    method = "basic";
    allow absolute (all)
    (user = "modadmin");
    allow absolute (all)
    (user = "itsecadm");
    deny (all)
    (user = "anyone");
    Now if the entry is like this with
    authenticate (user,group) {
    database = "default";
    method = "basic";
    after the first line, then whenever that particular user "itsecadm" tries to access the URL, he gets a userid and password dialogue box. After entering the page, if he tries to access or click any other link, it is asking for the userid and password again. If he gives this a second time, from then on it is not asking for userid and password.
    But When I remove the lines
    authenticate (user,group) {
    database = "default";
    method = "basic";
    from the file for that particular entry, it is not asking 2nd time userid/password.
    Could you please tell me why this is happening. Why is this entry created whenever I am adding a new one into the ACL file?
    Is any one facing the similar problem with iplanet web server 6.0 ACL files?
    Thanks & Regards
    Murthy

    Hi,
    Thank you for your suggestion. I have tried with your option also. Still I am getting the second time userid/password dialogue box.
    Is there any other solution to avoid the second time user authentication dialogue box?
    Do you want to see the ACL file?
    Thanks & Regards,
    Murthy

  • RVS4000 Firewall ACL Question

    I'm working to setup and configure an RVS4000 for a friend and wanted to verify my understanding of the firewall section.  It <seems> by default the firewall allows traffic from any source to any destination, including from the WAN.  I realize with NAT this isn't a huge concern / shouldn't be the case... however I tend to prefer tighter standards rather than looser.
    I wanted to ensure that it allowed internally initiated traffic outbound, and external traffic inbound dropped so I created the rules as shown attached file.  Am I looking at this correctly?  Is the Firewall ACL section for setting up a stateful firewall or is it just pure ACL's and the last rule from the WAN is required for returning traffic back in which has already been through the NAT engine?
    If someone could please help me clear this one little detail up I would be greatly appreciative.
    Thanks in advance.

    The ACL is just that, ACLs. The rules you made are fine; the difference with your set up and the default is that you are explicitly denying the traffic, which is not a bad idea. On that note, that does not mean that the traffic was explicitly allowed before (default config).
    Before any rules are created a "deny any any" is already in place but not displayed. This is typical of the small business and consumer routers. The only thing I would change is instead of supplying the subnet, just set it to "any".
    Hope this helps.

  • Quick ACL question

    How do I give the group Treasurers access to a folder 3 levels deep without giving them access to the parent folders? I have given Treasurers Full Control of the folder Reports (saved and propagated) and it shows such in the ACL list, but the Inspector shows no access for them. Do I have to give them some level of access to the parents folders in order to see the lower-level folder?
    Thanks,
    Wayne

    Yes. Or relocate the folder to a higher-level location elsewhere. Or its own share, AFP or WebDAV or whatever. It's also possible to provide a path to the directory via a link, but that might not be the most obvious nor maintainable approach over the long-term.

  • Basic ACL question

    Hi - in an extended TCP ACL - is there a way to permit or deny a range of port numbers in a single line? I know the port operators (gt, lt, eq, neq) - but they don't seem to accomplish this? Also - can someone recommend a good link for further info? Any help is greatly appreciated.
    Jim Woodward

    Jim
    Yes there is a way to permit or deny a range of ports. There is now a range option in the configuration of extended access lists. Here is an example from one of our operational access lists which uses the range option:
    access-list 121 deny tcp any range 0 65535 any range 0 65535 log-input
    This particular example is used in part of our
    RFP check and specifies a very wide range. Most of the time you would want a more narrow range.
    You can configure a range on the source port, on the destination port, or on both (as this example does).
    It works well.
    HTH
    Rick

  • ACL Question

    What is the max number of users that can be added to a given directory
    or file with ACLs? For example, directory named "number" what is the
    max number of users that I can give write access to this directory via
    the setfacl command. Just trying to think of different ways I can get
    around the 32 groups per user issue.
    Thanks for you help
    Jeremy

    The range options allows a range of ports so it just allows you to have one line in your acl per IP subnet and include both ports in that line.
    Otherwise you would need two lines per subnet, one for each port.
    Jon

  • ACL question (2)

    What do the following ACLs mean?
    deny or permit deny ip host 127.0.0.1 any
    deny or permit deny tcp any any eq 1025
    deny or permit deny tcp any any eq 445
    deny or permit deny udp any any eq 445
    deny or permit tcp any any range 135 139
    deny or permit udp any any range 135 netbios-ss

    Hi,
    deny or permit deny ip host 127.0.0.1 any
    - matches on packets sourced from the loopback address 127.0.0.1
    deny or permit deny tcp any any eq 1025
    - matches on packets destined to tcp port 1025, which is used by the Microsoft RPC service
    deny or permit deny tcp any any eq 445
    - matches on packets destined to tcp port 445, which is used by windows for supporting Samba over TCP
    deny or permit deny udp any any eq 445
    - matches on packets destined to tcp port 445, which is used by windows for supporting Samba over UDP
    deny or permit tcp any any range 135 139
    - matches on packets destined to tcp ports 135-139, which are used by the Microsoft RPC & NetBIOS services
    deny or permit udp any any range 135 netbios-ss
    - matches on packets destined to udp ports 135-139, which are used by the Microsoft RPC & NetBIOS services
    These entries are typically used in ACLs for the provision of security by blocking access to common Microsoft services...
    Pls remember to rate posts.
    Paresh

  • Basic ACL question:is it possible to log only 1st packet per event?

    Hi, imagine I just want to find out which IP addresses are using trying to hit my server network on port 80.
    If my syslog server is limited in storage, I am wondering whether I could just log the first packet from a given source and target IP address. Then once I learn what IP address that is, there is no need for me to log that event again showing the same IP.
    Is that action possible?
    I attempted to use the command in red below, but I read the document and tested and that is not what I am looking for.
    R2#
    ip access-list extended WATCH_PROTOCOL
    permit tcp any any eq www log
    permit ip any any
    ip access-list log-update threshold 10
    logging history size 500
    logging 192.168.1.2
    line con 0
    line aux 0
    line vty 0 4
    end
    R2#
    *Dec 16 04:52:22.923 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11019) -> 192.168.1.2(80), 1 packet
    *Dec 16 04:52:27.047 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11020) -> 192.168.1.2(80), 1 packet

    If you absolutely must use an ACL for http (tcp/80), telnet (tcp/23) and rdp (tcp/3389), it would be written as follows:
    access-list 100 permit tcp any any eq www syn log
    access-list 100 permit tcp any any eq telnet syn log
    access-list 100 permit tcp any any eq 3389 syn log
    If you apply this outbound on the routed interface of your server VLAN, this will log the first packet (TCP SYN packet) of EVERY TCP connection for these three ports.  This means that you will get duplicate entries if a client initiates more than one TCP session to the server, but this will log the least amount of data per connection using an ACL.
    Also, it would behoove you to read the following document (well worth the 60-90 minute time investment):
    http://www.ietf.org/rfc/rfc0793.txt
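Because the list logs once per connection (each SYN), the "first packet per source only" view the poster asks for has to be built where the syslog lands rather than on the router. The following Python is an added example, not part of this thread: it collapses %SEC-6-IPACCESSLOGP messages to one record per source, destination and destination port, keeping the first timestamp, the number of log records and the packet total. The first two sample lines are the ones quoted above; the other two are constructed to show a repeat connection from the same client and a second client.

```python
"""Collapse IOS ACL log messages to one record per flow (added example, not from the thread)."""
import re

# Constructed sample: the two messages quoted in the thread plus two constructed ones
# (a third connection from the same client, and a different client) to show the collapse.
SAMPLE_LOG = """\
*Dec 16 04:52:22.923 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11019) -> 192.168.1.2(80), 1 packet
*Dec 16 04:52:27.047 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11020) -> 192.168.1.2(80), 1 packet
*Dec 16 04:53:01.110 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 192.168.1.1(11021) -> 192.168.1.2(80), 3 packets
*Dec 16 04:53:09.500 UTC: %SEC-6-IPACCESSLOGP: list WATCH_PROTOCOL permitted tcp 10.0.0.9(40001) -> 192.168.1.2(80), 1 packet
"""

LOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+ \w+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

def parse_record(line):
    """Return the fields of one %SEC-6-IPACCESSLOGP message, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def first_seen(lines):
    """Keep one entry per (src, dst, dport): first timestamp, number of log records and total
    packets. Dicts preserve insertion order, so entries come out in first-seen order."""
    flows = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        entry = flows.setdefault(key, {"first": rec["ts"], "records": 0, "packets": 0,
                                       "action": rec["action"]})
        entry["records"] += 1
        entry["packets"] += rec["count"]
    return flows

def report(flows):
    """One human-readable line per flow."""
    return [f"{src} -> {dst}:{dport} {e['action']} first {e['first']} "
            f"({e['records']} records, {e['packets']} packets)"
            for (src, dst, dport), e in flows.items()]

if __name__ == "__main__":
    for line in report(first_seen(SAMPLE_LOG.splitlines())):
        print(line)
```

Keying on the ephemeral source port as well would defeat the purpose, since every connection gets a new one; keying on source, destination and destination port gives exactly one record per client per service, which is what the storage-limited syslog box needs.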

  • Mac ACL's and other acl questions

    I can't for the life of me get a mac acl to be accepted. I keep getting the
    "MIB index is out of range...index must be bigger then 0 and Existing ifindex"
    This error message is meaningless to me and gives No clue as to what the real
    issue is. I have filled in ALL the ungrayed boxes.
    I am running 1.1.2.0 on SF302-08
    Can someone post a screenshot or provide fields of a mac acl that was actually
    accepted?? I need to figure out what I'm doing wrong.
    thanks,
    walter

    Got to the bottom of it....Seems that the issue is an incompatibility between the GUI/Firefox and the
    switch. If I use Chrome or IE, I can create the mac ace.

  • Simple Port Forwarding / ACL Question

    Hi Everyone,
    I'm kind of a novice when it comes to Cisco configuration. I went to college for networking but haven't used it enough since graduating and I'm having some trouble with opening some ports for email to my home PC.
    Specifically i'm trying to set up IMAP with Gmail to be downloaded to my Mozilla Thunderbird client. I'm using a similar syntax for other ports that i've opened but it isn't working. I also did a "show access list" and saw that one of my rules had hit counts on it but i'm not sure what this means as far as troubleshooting goes.
    Can someone lend a hand and explain what i'm doing wrong? If you're feeling extra nice could you let me know what I would need to do to open some Xbox Live ports as well? The rules aren't set up yet but the ports are present in my config. I've bolded the relevant ports below.
    *** Config ****
    ASA Version 8.2(5)
    hostname RyansFirewall
    enable password C5OQraC02mISnP8p encrypted
    passwd 3mBdM08UO1apR0bB encrypted
    names
    name 192.168.1.130 theking
    name 192.168.1.240 wap
    name 192.168.1.252 cam
    name 192.168.1.253 switch
    name 192.168.1.150 xbox
    name x.x.x.x vpnreactor
    name x.x.x.x HSoftware
    name x.x.x.x Mom_and_Dad
    interface Ethernet0/0
    description Connection_to_Cable_Modem
    switchport access vlan 10
    interface Ethernet0/1
    description Cisco_Catalyst_2960
    interface Ethernet0/2
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    description Guest_Wireless
    switchport access vlan 20
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    description Private_Internal_Lan
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    interface Vlan10
    description WOW_Internet
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan20
    description Guest_Wireless
    no forward interface Vlan1
    nameif dmz
    security-level 30
    ip address 172.16.1.254 255.255.255.0
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone Eastern -5
    object-group network outside_ip_group
    description This group contains a list of allowed public IP Addresses
    network-object HSoftware 255.255.255.255
    network-object Mom_and_Dad 255.255.255.255
    object-group service Xbox_Ports tcp-udp
    description Ports needed for Xbox Live
    port-object eq www
    port-object eq 88
    port-object eq domain
    port-object eq 3074
    object-group service Email_Ports tcp-udp
    description Ports needed for Email
    port-object eq 143
    port-object eq 465
    port-object eq 587
    port-object eq 993
    access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 1024
    access-list outside_access_in extended permit tcp any any eq 3389
    access-list outside_access_in extended permit tcp any any eq ftp
    access-list outside_access_in extended permit gre host vpnreactor host theking
    access-list outside_access_in extended permit tcp host vpnreactor host theking eq pptp
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 5900
    access-list outside_access_in extended permit tcp any any object-group Email_Ports
    access-list outside_access_in extended permit udp any any object-group Email_Ports
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-635.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 access-list outside_access_in
    nat (dmz) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface ftp theking ftp netmask 255.255.255.255
    static (inside,outside) tcp interface 1024 cam 1024 netmask 255.255.255.255
    static (inside,outside) tcp interface 5900 theking 5900 netmask 255.255.255.255
    static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255
    static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
    static (inside,outside) tcp interface 587 theking 587 netmask 255.255.255.255
    static (inside,outside) tcp interface 993 theking 993 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mom_and_Dad 255.255.255.255 outside
    ssh HSoftware 255.255.255.255 outside
    ssh timeout 10
    console timeout 10
    dhcpd address 192.168.1.2-192.168.1.25 inside
    dhcpd dns x.x.x.x x.x.x.x interface inside
    dhcpd lease 10800 interface inside
    dhcpd domain RyanJohn interface inside
    dhcpd enable inside
    dhcpd address 172.16.1.2-172.16.1.25 dmz
    dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
    dhcpd domain RyanJohnGuest interface dmz
    dhcpd enable dmz
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username XXXXX password ZpRIy72StEDDpdfG encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect pptp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3c7abf7d5d55aba0e19d5da340132000
    : end
    *** Show Access List ****
    RyansFirewall# show access-list outside_access_in
    access-list outside_access_in; 19 elements; name hash: 0x6892a938
    access-list outside_access_in line 1 extended permit tcp object-group outside_ip_group any eq 1024 0xf13a69fb
      access-list outside_access_in line 1 extended permit tcp host HSoftware any eq 1024 (hitcnt=0) 0xc8c42900
      access-list outside_access_in line 1 extended permit tcp host Mom_and_Dad any eq 1024 (hitcnt=0) 0x7e777675
    access-list outside_access_in line 2 extended permit tcp any any eq 3389 (hitcnt=7451) 0x51a647d7
    access-list outside_access_in line 3 extended permit tcp any any eq ftp (hitcnt=11) 0x8d0d5aac
    access-list outside_access_in line 4 extended permit gre host vpnreactor host theking (hitcnt=0) 0x894a4bbb
    access-list outside_access_in line 5 extended permit tcp host vpnreactor host theking eq pptp (hitcnt=0) 0xcb0322a8
    access-list outside_access_in line 6 extended permit icmp any any echo-reply (hitcnt=563) 0x54b872f3
    access-list outside_access_in line 7 extended permit icmp any any time-exceeded (hitcnt=703) 0x03690eb3
    access-list outside_access_in line 8 extended permit icmp any any unreachable (hitcnt=7408) 0x5c2fa603
    access-list outside_access_in line 9 extended permit tcp object-group outside_ip_group any eq 5900 0xe88875b2
      access-list outside_access_in line 9 extended permit tcp host HSoftware any eq 5900 (hitcnt=0) 0x2208e16f
      access-list outside_access_in line 9 extended permit tcp host Mom_and_Dad any eq 5900 (hitcnt=0) 0xa3aaaedd
    access-list outside_access_in line 10 extended permit tcp any any object-group Email_Ports 0x91529965
      access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd
      access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e
      access-list outside_access_in line 10 extended permit tcp any any eq 587 (hitcnt=0) 0x734d200d
      access-list outside_access_in line 10 extended permit tcp any any eq 993 (hitcnt=0) 0xb91930a9
    access-list outside_access_in line 11 extended permit udp any any object-group Email_Ports 0xe12dbb9d
      access-list outside_access_in line 11 extended permit udp any any eq 143 (hitcnt=0) 0x34d1c49d
      access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908
      access-list outside_access_in line 11 extended permit udp any any eq 587 (hitcnt=0) 0x6e3b53a3
      access-list outside_access_in line 11 extended permit udp any any eq 993 (hitcnt=0) 0x7f9dd9b7

    Hi Riyasat,
    Here is the result of the command. I'm a little confused though as it said it passed through although this port is still not open to my inside host.
    RyansFirewall# packet-tracer input outside tcp 8.8.8.8 465 Outside_IP 465 detailed
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
      match tcp inside host theking eq 465 outside any
        static translation to Outside_IP/465
        translate_hits = 0, untranslate_hits = 2
    Additional Information:
    NAT divert to egress interface inside
    Untranslate Outside_IP/465 to theking/465 using netmask 255.255.255.255
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit tcp any any eq 465
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd863ac20, priority=12, domain=permit, deny=false
            hits=9, user_data=0xd613bd70, cs_id=0x0, flags=0x0, protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=465, dscp=0x0
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd7de9018, priority=0, domain=inspect-ip-options, deny=true
            hits=20003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 4
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (outside) 1 access-list outside_access_in
      match tcp outside any outside any eq 3389
        dynamic translation to pool 1 (Outside_IP [Interface PAT])
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd7e62278, priority=2, domain=host, deny=false
            hits=25913, user_data=0xd7e61e60, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xd7debf90, priority=0, domain=host-limit, deny=false
            hits=143, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
      match tcp inside host theking eq 465 outside any
        static translation to Outside_IP/465
        translate_hits = 0, untranslate_hits = 2
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xd7e84380, priority=5, domain=nat-reverse, deny=false
            hits=3, user_data=0xd7e58b08, cs_id=0x0, flags=0x0, protocol=6
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=theking, mask=255.255.255.255, port=465, dscp=0x0
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
      match tcp inside host theking eq 3389 outside any
        static translation to 0.0.0.0/3389
        translate_hits = 0, untranslate_hits = 107
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0xd7e70e30, priority=5, domain=host, deny=false
            hits=1642, user_data=0xd7e6c678, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=theking, mask=255.255.255.255, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    in  id=0xd7d9e160, priority=0, domain=inspect-ip-options, deny=true
            hits=30929, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 31012, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
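A defender's cross-check that is added here and is not part of the thread or of any Cisco tool: it parses the `static` lines and the expanded `show access-list` entries in the formats shown above and reports permits that no static translation can deliver to an inside host (dead rules) as well as deliverable permits that have never matched (hitcnt=0). The sample input is a constructed subset copied from the output above, and the port-name table is a hand-picked subset of the names the ASA prints.

```python
import re

# Port names the ASA substitutes for numbers in its output (hand-picked subset).
PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80, "imap4": 143, "https": 443, "pptp": 1723}
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"permit (tcp|udp) .* eq (\S+) \(hitcnt=(\d+)\)")

def port_num(token):
    """Normalise 'imap4' or '143' to an int so names and numbers compare equal."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_statics(text):
    """Map (proto, outside_port) -> inside host for every 'static ... interface' line."""
    statics = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[(m[1], port_num(m[2]))] = m[3]
    return statics

def parse_aces(text):
    """(proto, port, hitcnt) per expanded ACE; object-group summary lines (no hitcnt) are skipped."""
    return [(m[1], port_num(m[2]), int(m[3]))
            for m in map(ACE_RE.search, text.splitlines()) if m]

def audit(static_text, acl_text):
    """dead: permits with no static to deliver them; unused: deliverable permits never hit."""
    statics = parse_statics(static_text)
    dead, unused = [], []
    for proto, port, hits in parse_aces(acl_text):
        if (proto, port) not in statics:
            dead.append((proto, port))
        elif hits == 0:
            unused.append((proto, port, statics[(proto, port)]))
    return {"dead": dead, "unused": unused}

# Constructed sample: a subset of the static lines and ACEs from the thread's output.
STATICS = """\
static (inside,outside) tcp interface 1024 cam 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
"""
ACL = """\
  access-list outside_access_in line 1 extended permit tcp host HSoftware any eq 1024 (hitcnt=0) 0xc8c42900
access-list outside_access_in line 10 extended permit tcp any any object-group Email_Ports 0x91529965
  access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd
  access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e
  access-list outside_access_in line 11 extended permit udp any any eq 143 (hitcnt=0) 0x34d1c49d
  access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908
"""
```

On the full output above the UDP Email_Ports entries show up as dead because only TCP statics exist, while the TCP 465/587/993 entries are deliverable but unused, which matches what packet-tracer reports.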
