Change an extend access list in a prefix list
Hallo All,
I would like to translate an extended access list into a prefix list.
ip access-list extended x_to_y
permit ip 1.1.1.1 0.0.1.255 any
deny ip any host 3.3.3.3
Any hint?
Thanks!!!
Hi Fabio,
I am sorry but to my best knowledge, this is not going to work.
You want to perform Policy Based Routing (PBR). For PBR, the packet selection is based on inspecting their header values by an ACL. A prefix-list does not inspect header values; rather, it would inspect routing update contents. This is also the reason why you cannot figure out how to rewrite the second line - because a prefix-list does not have a source-and-destination semantics. It is simply a list of network addresses you would be looking for in routing protocol updates.
Even the documentation at
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html
clearly shows that the only supported match commands are match length and match ip address - not match ip address prefix-list.
I wonder how come your platform is unable to accommodate an ACL for PBR in hardware? Can we perhaps try to make this work? A prefix-list is not the way to go.
Best regards,
Peter
Similar Messages
-
Hello all,
I am trying to apply this extended access-list to my router to permit the selected ports and deny the rest, but my emails are not being sent outside; all emails are stuck in the queue. If I remove the access-list, all emails go freely. What's left in my configuration?
access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any
Interface Dialer 0
ip access-group 101 out
Here is the complete configuration.
Router#sh run
Building configuration...
Current configuration : 3665 bytes
! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no aaa new-model
crypto pki token default removal timeout 0
ip source-route
ip cef
no ipv6 cef
license udi pid C887VA-W-E-K9 sn FCZ1624C30K
username admin privilege 15 password 7 045A0F0B062F
controller VDSL 0
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
interface Loopback0
ip address 10.10.10.1 255.255.255.255
interface Tunnel4120
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile protect-gre
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
interface Ethernet0
no ip address
shutdown
no fair-queue
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
interface Dialer0
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxx
ppp chap password 7 03077313552D0F411E512D
router rip
version 2
network 10.0.0.0
network 192.168.111.0
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.111.30
access-list 10 permit 192.168.111.0 0.0.0.255
access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 10 in
login local
transport input all
scheduler allocate 20000 1000
end
Router# -
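The outbound list from the configuration above, run through an added access-list evaluator (my example, not the poster's code) to show which direction of SMTP traffic it actually matches; the packets and the remote address 203.0.113.25 are constructed. The `source_prefix` helper also ties back to the first thread on this page: it extracts the one part of an ACL line (the source network) that a prefix-list could carry.

```python
"""Evaluate an IOS numbered extended access list against sample packets.
Added example, not code from the posts. ACL_101 is the poster's outbound list
on Dialer0; the packets and the remote address 203.0.113.25 are constructed."""
import ipaddress
from collections import namedtuple

ACL_101 = """
permit tcp host 192.168.111.30 eq 53 any
permit udp host 192.168.111.30 eq 53 any
permit tcp host 192.168.111.30 eq 25 any
permit tcp host 192.168.111.30 eq 443 any
permit tcp host 192.168.111.30 eq 587 any
permit tcp host 192.168.111.30 eq 995 any
deny ip any any
"""

Packet = namedtuple("Packet", "proto src dst sport dport")

def _parse_addr(tokens):
    """Consume one address term (any | host A | A wildcard) and an optional
    'eq N' operator. Returns ((network, port_or_None), remaining tokens)."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        # IOS wildcard: 1 bits are "don't care". Only contiguous wildcards are
        # handled here, so the mask folds into a prefix length.
        wildcard = int(ipaddress.ip_address(tokens[1]))
        net = ipaddress.ip_network((tokens[0], 32 - wildcard.bit_length()), strict=False)
        rest = tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return (net, port), rest

def parse_acl(text):
    """Parse 'permit|deny proto SRC [eq N] DST [eq N]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        (src, sport), rest = _parse_addr(rest)
        (dst, dport), _ = _parse_addr(rest)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries, pkt):
    """Action of the first matching entry; implicit deny at the end."""
    for action, proto, src, sport, dst, dport in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if (sport is not None and pkt.sport != sport) or (dport is not None and pkt.dport != dport):
            continue
        return action
    return "deny"

def source_prefix(acl_line):
    """The only part of an ACL line a prefix-list could carry: the source network
    with its wildcard folded into a prefix. Destination and ports are dropped."""
    _action, _proto, *rest = acl_line.split()
    (src, _port), _ = _parse_addr(rest)
    return str(src)

def outbound_smtp():
    """Mail server opening an SMTP session outbound: ephemeral source port, dport 25."""
    return evaluate(parse_acl(ACL_101), Packet("tcp", "192.168.111.30", "203.0.113.25", 51234, 25))

def reply_from_port_25():
    """Same ACL, a packet the server sends *from* port 25 (reply to an inbound session)."""
    return evaluate(parse_acl(ACL_101), Packet("tcp", "192.168.111.30", "203.0.113.25", 25, 51234))
```

In IOS extended syntax the port operator binds to the address it follows, so `eq 25` after the source host matches packets whose source port is 25; the server's own outgoing SMTP connections use an ephemeral source port and fall through to `deny ip any any`.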
LMS 4.2 Compliance check extended access-list
Hi,
I would like to check if our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
I have made a new compliance check like this:
'submode': ip access-list extended 'acl-name'
+deny tcp any any eq smtp
But that is not working. Can someone show me the 'right path'?
Thanks
Soren
Doesn't have any issues on my lab 4.2.4. Following is the Job Work Order:
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NA
Job Policies
E-mail Notification: Not Applicable
Job Based Password: Disabled
Device Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share it; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
-Thanks
Vinod
**Rating encourages contributors, and it's really free. ** -
Extended access list with multiple ports
Hello All,
I have a problem with my Cisco Catalyst 4503-E when I try to configure extended access lists with multiple ports.
I receive the following message:
The informations of my Switch are the following:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
12.2(52)SG, RELEASE SOFTWARE (fc1)
Please help me to resolve this problem.
Best regards.
Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
ICMP Inspection and Extended Access-List
I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA. From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework. Is that true? I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both? Or is it best practice to do both?
What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
policy-map global_policy
class inspection_default
inspect_icmp
However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any source-quench
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside
Will the PING complete?
Thank you,
T.J.
Hi, T.J.
If the problem is still current, I can answer this question for you.
Let's see the situation without ICMP inspection enabled:
The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet comes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
In the case with ICMP inspection, the ACL entry only needs to allow the request packets; replies will be allowed based on the connection created by ICMP inspection.
Speaking about your particular example with different security levels - with the default ACL rule that allows traffic from a higher interface to a lower one - NO, you do not need to enter the rules you described, and you will have a successful ping.
If you deleted this rule and administer allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
P.S. It's not good practice to leave that default rule, which allows traffic from a higher security level to a lower one. -
Configuring Extended Access List with Any statement
I have several questions where I'm fuzzy on a configuration already on my network. Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations --
1. Are extended access-lists always source then destination? Like in the following statement:
permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
2. Further down though there is:
permit tcp any host 172.16.4.11 eq 443.
In that case is the source any host and the destination 172.16.4.11 ?
This had been placed on an inbound access-list, but 4.11 is not internal to that network so I don't think that statement is valid.
3. Also, when you do a:
sho ip access-list -
Not many of the line items in that access-list have any counts - does that mean nothing is hitting them, or, like I think, could they be misconfigured?
Thanks!
When i double click on Mac HD the view has changed and my user name is no longer listed on the left. How can I reset this?
Do a factory reset .. nothing will be deleted from your backups and you will be able to get access to them again.
The Factory Reset Gen1-4.
Unplug your TC. Hold in reset. and power the TC back on.. without releasing reset for about 10sec. When the status light flashes rapidly; release it.
Be Gentle! Feel the switch click on. It has a positive feel.. add no more pressure after that.
TC will reboot after a couple of minutes with default factory settings and will wipe out previous configurations.
No files are deleted on the hard disk.. No reset of the TC deletes files.. to do that you use erase from the airport utility. -
Prefix-list; clear bgp peer-group Test soft in; no file prompt quiet
Hello everyone,
I have a few simple questions. Hope someone will help me. Thank you in advance.
1) We are using prefix-set in route-maps, but how can I use a prefix-list?
2) In classic IOS we have the command: clear bgp peer-group Test soft in
I don't see it in IOS-XR (Cisco IOS XR Software, Version 4.0.1):
RP/0/RSP0/CPU0:STH02#clear bgp ipv4 unicast ?
* Clear all peers and all routes from the BGP table
A.B.C.D or X:X::X BGP neighbor address to clear
as Clear peers in a specific AS
dampening Clear route flap dampening information
external Clear all external peers
flap-statistics Clear flap statistics
nexthop Clear nexthop
self-originated Clear redistributed, network and aggregate routes originated here
shutdown Clear all peers which were shut down due to low memory
3) In classic IOS we have the command: no file prompt quiet
I don't see it in IOS-XR. What is the command for IOS-XR?
I need it for the operation like this:
copy ftp://**:***@216.*.*.*/CUST_AS-TEST-in.prefixlist compactflash:/PrefixFilters/CUST_AS-TEST-in.prefixlist
Wed Apr 18 12:02:00.936 UTC
Destination filename [/compactflash:/PrefixFilters/CUST_AS-TEST-in.prefixlist]? !!!! I don't need this question
Copy : Destination exists, overwrite ?[confirm] !!!! I don't need this question
Accessing ftp://*:*@216.*.*.*/CUST_AS-TEST-in.prefixlist
C
584 bytes copied in 0 sec
Have a nice day,
Dimitry
Thank you Alexander for your reply. It is a good RPL description and I've got the idea of the REFRESH capable peer.
BUT, I still don't find the answer to my 3rd question:
In classic IOS we have the command: no file prompt quiet
I don't see it in IOS-XR. What is the command for IOS-XR?
I need it for the operation like this:
copy ftp://**:***@216.*.*.*/CUST_AS-TEST-in.prefixlist compactflash:/PrefixFilters/CUST_AS-TEST-in.prefixlist
Wed Apr 18 12:02:00.936 UTC
Destination filename [/compactflash:/PrefixFilters/CUST_AS-TEST-in.prefixlist]? !!!! I don't need this question
Copy : Destination exists, overwrite ?[confirm] !!!! I don't need this question
Accessing ftp://*:*@216.*.*.*/CUST_AS-TEST-in.prefixlist
C
584 bytes copied in 0 sec
How can I suppress confirmations like this?
Destination filename [/compactflash:/PrefixFilters/CUST_AS-TEST-in.prefixlist]?
Copy : Destination exists, overwrite ?[confirm]
Dimitry -
Specifying Critical Transport Objects under Change Management Extend config
I'm trying to configure Change Management and I am in SPRO under SAP Solution Manager -> Config -> Scenario-specific settings -> Change Managment-> Extended config -> Change Request Management -> Specify Critical Transport Objects.
It states that you need to select the system/clients for which you want to specify critical transport objects. However, I do not see my systems listed there. I'm assuming I've missed a prior step somehow.
Any help would be appreciated! Thank you!
Margo
Hi.
There are several things necessary to make the system appear in this transaction (/N/TMWFLOW/CMSCONF -> critical objects)
You need:
- a smi project
- a logical component assigned to that project which contains your systems
- at least one system within your logical component of type "development system"
- the project needs to be released for change request management (tx: solar_project_admin, "activate change request management")
Hope this helps.
/cheers -
Ip prefix-list modification help
I need to modify my internet edge BGP advertisements to exclude a small slice of the end of our IP space and I can't wrap my brain around what I need to do to modify the prefix list. My company uses the 192.168.0.0 through 192.168.11.255 IP space, as shown below in our existing BGP configuration (slightly modified to protect the innocent). I want to cut out the very last /29 net out of the 192.168.11.0 network.
router bgp 65001
bgp always-compare-med
bgp log-neighbor-changes
bgp bestpath as-path multipath-relax
neighbor 1.1.1.1 remote-as 65002
neighbor 1.1.1.1 ebgp-multihop 255
maximum-paths 2
address-family ipv4
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 prefix-list mycompany-list out
network 192.168.0.0 mask 255.255.248.0
network 192.168.8.0 mask 255.255.252.0
ip prefix-list mycompany-list seq 70 permit 192.168.0.0/21 le 24
ip prefix-list mycompany-list seq 71 permit 192.168.8.0/22 le 24
Now, I know I could just remove the prefix-list and change the advertised networks with the following, but I'd really like to know how to do it via a prefix-list.
network 192.168.0.0 255.255.248.0
network 192.168.8.0 255.255.254.0
network 192.168.10.0 255.255.255.0
network 192.168.11.0 255.255.255.128
network 192.168.11.128 255.255.255.192
network 192.168.11.192 255.255.255.224
network 192.168.11.224 255.255.255.240
network 192.168.11.240 255.255.255.248
Any help that anyone can provide is much appreciated!
I tried applying your suggestion and we still saw the larger 192.168.8.0/22 supernet being advertised... still missing something.
I tried writing the prefix-list explicitly stating only the networks I wanted advertised, but something went wrong and we lost some internet connectivity from the outside, so I had to pull things back to the way they were. This is what I tried:
First I added lines 75 through 105 so the list looked like this:
ip prefix-list stateofnh-list seq 65 deny 192.168.11.248/29 <- your suggestion applied
ip prefix-list stateofnh-list seq 70 permit 192.168.0.0/21 le 24 <- original line
ip prefix-list stateofnh-list seq 71 permit 192.168.8.0/22 le 24 <- original line
ip prefix-list stateofnh-list seq 75 permit 192.168.8.0/23 <- new stuff starts here
ip prefix-list stateofnh-list seq 80 permit 192.168.10.0/24
ip prefix-list stateofnh-list seq 85 permit 192.168.11.0/25
ip prefix-list stateofnh-list seq 90 permit 192.168.11.128/26
ip prefix-list stateofnh-list seq 95 permit 192.168.11.192/27
ip prefix-list stateofnh-list seq 100 permit 192.168.11.224/28
ip prefix-list stateofnh-list seq 105 permit 192.168.11.240/29
Then I removed lines 65 and 71, leaving just this:
ip prefix-list stateofnh-list seq 70 permit 192.168.0.0/21 le 24 <- original line
ip prefix-list stateofnh-list seq 75 permit 192.168.8.0/23 <- new stuff
ip prefix-list stateofnh-list seq 80 permit 192.168.10.0/24
ip prefix-list stateofnh-list seq 85 permit 192.168.11.0/25
ip prefix-list stateofnh-list seq 90 permit 192.168.11.128/26
ip prefix-list stateofnh-list seq 95 permit 192.168.11.192/27
ip prefix-list stateofnh-list seq 100 permit 192.168.11.224/28
ip prefix-list stateofnh-list seq 105 permit 192.168.11.240/29
But like I said, suddenly several sites we host became unavailable and I quickly peeled everything back. Suggestions? -
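To make Peter's point from the first thread concrete and to replay what was tried in this one, here is an added Python simulation (mine, not code from either thread) of IOS prefix-list matching: an entry only ever sees a route prefix and its length, never a source or destination. The prefix-list entries are the poster's; the contents of the BGP table are an assumption built from the poster's two `network` statements.

```python
"""Simulate IOS 'ip prefix-list' matching and carve one /29 out of a /22.
Added example, not code from the thread. The prefix-list entries are the poster's;
BGP_TABLE is an assumption built from the poster's two 'network' statements."""
import ipaddress

# The poster's first attempt: deny the /29 and keep the original permits.
ORIGINAL_LIST = """
seq 65 deny 192.168.11.248/29
seq 70 permit 192.168.0.0/21 le 24
seq 71 permit 192.168.8.0/22 le 24
"""

# Constructed: what 'network 192.168.0.0 mask 255.255.248.0' and
# 'network 192.168.8.0 mask 255.255.252.0' put into the BGP table.
BGP_TABLE = ["192.168.0.0/21", "192.168.8.0/22"]

def parse_prefix_list(text):
    """Parse 'seq N permit|deny A.B.C.D/L [ge X] [le Y]' lines, sorted by seq."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, net = int(tok[1]), tok[2], ipaddress.ip_network(tok[3])
        bounds = dict(zip(tok[4::2], map(int, tok[5::2])))  # e.g. {'le': 24}
        entries.append((seq, action, net, bounds.get("ge"), bounds.get("le")))
    return sorted(entries)

def prefix_list_action(entries, prefix):
    """First-match evaluation. A route matches when it lies inside the entry's
    network and its length is within bounds: exactly L with no ge/le, ge..32
    with ge only, L..le with le only. Implicit deny at the end. Note that the
    entry sees only a route prefix and length: there is no source/destination."""
    route = ipaddress.ip_network(prefix)
    for _seq, action, net, ge, le in entries:
        if not route.subnet_of(net):
            continue
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        if lo <= route.prefixlen <= hi:
            return action
    return "deny"

def advertised(entries, table=BGP_TABLE):
    """Prefixes that pass the outbound list, given what is in the BGP table."""
    return [p for p in table if prefix_list_action(entries, p) == "permit"]

def carve_out(supernet, hole):
    """Covering prefixes for supernet minus hole, in address order."""
    nets = ipaddress.ip_network(supernet).address_exclude(ipaddress.ip_network(hole))
    return [str(n) for n in sorted(nets)]

def explicit_list():
    """The poster's second attempt, regenerated: seq 70 plus one exact-match
    permit per covering prefix (seq 75, 80, ..., 105)."""
    pieces = carve_out("192.168.8.0/22", "192.168.11.248/29")
    lines = ["seq 70 permit 192.168.0.0/21 le 24"]
    lines += ["seq %d permit %s" % (75 + 5 * i, p) for i, p in enumerate(pieces)]
    return "\n".join(lines)

if __name__ == "__main__":
    more_specific = carve_out("192.168.8.0/22", "192.168.11.248/29")
    print("original list:", advertised(parse_prefix_list(ORIGINAL_LIST)))
    print("explicit list, same table:", advertised(parse_prefix_list(explicit_list())))
    print("explicit list, more specifics in table:",
          advertised(parse_prefix_list(explicit_list()), ["192.168.0.0/21"] + more_specific))
```

With the original list the /22 still matches seq 71, so a deny of the /29 alone changes nothing; with the explicit list the /22 matches no entry at all, and because only the /21 and /22 exist in the table, nothing of 192.168.8.0/22 is advertised until `network` statements for the more specific prefixes are present as well.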
How to grant anonymous access on sharepoint document library/list only not for web application
Hello
How to grant anonymous access on a SharePoint document library/list only, not for the web application. I have a claims-based SharePoint site and has to be, but I want to grant access on the document library/list only. Is this possible?
Thanks
Rajesh Kumar "Changing the Face" can change nothing. But "Facing the Change" can change everything.
As I am using the following code:
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

SPSite site = SPContext.Current.Site;
SPWeb web = SPContext.Current.Web;
SPSecurity.RunWithElevatedPrivileges(delegate()
{
    using (SPSite ospSite = new SPSite(site.ID))
    using (SPWeb webs = ospSite.OpenWeb(web.ID))
    {
        // Enable anonymous access on the web application (default zone)
        webs.AllowUnsafeUpdates = true;
        SPUrlZone urlZone = SPUrlZone.Default;
        SPWebApplication specifiedWebApplication = ospSite.WebApplication;
        SPIisSettings iisSettings = specifiedWebApplication.IisSettings[urlZone];
        //iisSettings.AuthenticationMode = AuthenticationMode.Windows;
        iisSettings.AllowAnonymous = true;
        specifiedWebApplication.Update();

        // Get the document library, break inheritance and set the anonymous permission mask
        SPDocumentLibrary docLib = (SPDocumentLibrary)web.Lists["Documents"];
        if (docLib != null)
        {
            docLib.BreakRoleInheritance(true, false);
            docLib.AllowEveryoneViewItems = true;
            docLib.AnonymousPermMask64 = SPBasePermissions.ViewPages | SPBasePermissions.OpenItems | SPBasePermissions.ViewVersions
                | SPBasePermissions.Open | SPBasePermissions.UseClientIntegration | SPBasePermissions.ViewFormPages | SPBasePermissions.ViewListItems;
            //docLib.AnonymousPermMask64 = SPBasePermissions.EmptyMask;
            docLib.Update();
        }
    }
});
Should be working, but I am getting access denied... I am totally stuck at this point.
Rajesh Kumar "Changing the Face" can change nothing.But "Facing the Change" can change everything. -
Changing tcp/ip access in run?
Hello everyone,
I'm trying to change the machine access list in a VI-Server at run time (programmatically). I can add clients at run time without any problems, but I can't remove clients without restarting the TCP listener, which would cause all connected clients to get disconnected. Anyone know a way around this?
LabVIEW 8.6 (windows and linux)
Thanks,
Tomas
Hey,
Thanks for responding.
I can try to explain a bit more what I'm trying to do. I'm trying to build a VI-Server system with a main server and a backup server on different machines and even different platforms (Windows and Linux). I would like to change the access list while the server is running, e.g. if a client is making so many connections that performance is going down, I would like to be able to "kick" that client from the server without causing problems for the other clients. I have been experimenting a bit with this and found some strange behaviour: I can add machines/addresses to the access list without problems, but I can't remove machines/addresses (put a "-" before the names) without restarting the TCP/IP listener. This can cause the clients to get a timeout (depending on the client's refresh rate) and jump over to the backup server (not good).
Picture showing what i have to do to change the tcp/ip-access in windows:
Another issue regarding Linux. When I restart the server (running on Linux) while there are clients connected, the TCP/IP listener gets a 60 second timeout. It's not a big problem since the clients automatically jump over to the backup server, but it is a bit annoying. Could there be a setting in a .ini file or an environment variable or something?
Cheers,
Tomas -
How can you change your line access selection? I have found where you can change your plan selection, but can you change the line access fee or is that a set amount?
DIVAB71,
Great question. The line access fees for the account are a set amount and cannot be changed unless you are going from a basic phone to a smartphone or vice versa. If you are wondering about adding the month-to-month discount when you are out of contract, Ann154 has provided great information on how to access and add the feature.
LindseyT_VZW
Follow us on Twitter @VZWSupport -
How to make report with access 2010 from SharePoint Discussion lists 2013
HI,
I want to make an Access report from SharePoint Discussion lists 2013. When I open the list with Access, the body of the list is in HTML format in Access. Also, if I reply to a subject in the discussion, the reply is not mapped to that subject but instead is shown as a separate entry in the database.
Anyone can please help?
Santhiya
Hi Santhiya,
I have seen a similar post from you; my understanding is that you want the reply to be mapped to the related subject. You can take a look at Daniel's reply in the following thread:
http://social.technet.microsoft.com/Forums/en-US/dfb5bcb9-0076-412a-b34f-46aa9cfba876/how-to-make-report-with-access-2010-from-sharepoint-discussion-lists-2013?forum=sharepointgeneral
Thanks,
Wendy
Wendy Li
TechNet Community Support -
What is the list of file prefixes that make a file appear first in the finder?
Hi!
I was just curious :
What is the list of file prefixes that make a file appear first in the finder?
For example, files and folders whose names start with "A" will appear before files whose names start with "B",
but what about a list of characters for files and folders before the letter "A"?
I'm doing some file organisation, and I need certain things to appear at the top of the list.
I have noticed that the character-prefixes "0" and "(" seem to make things appear before "A"
I would like a complete list if there is one available.
Thank you!
Pretty much any number or a space character. Punctuation does too, in theory, but I'd advise limiting it to hyphens and underscores. Periods are OK in the middle of file names, but you won't be able to start a file name with one at the Finder level since that would actually hide the file.
Matt