Clear access-list command syntax?

Hello all. Running 7.2(2) on an ASA5510. In the Cisco documentation here:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c1_72.html#wp2032432
it seems to indicate that you can clear the counters on all your access-lists simultaneously with the clear access-list counters command, and that specifying a particular access-list ID is optional. However, in my ASA this does not seem to be the case, as I am forced to specify an access-list name. Is this just a discrepancy in the documentation, am I misinterpreting it, or is there a way to actually accomplish this?
Thanks for your time.

I would say that is an error in documentation. I see no way of clearing ALL counters. I checked a couple of my firewalls (different versions) and I can only clear an ACL at a time.
#clear access-list inside_acl counters
HTH and please rate.

Similar Messages

  • Clear access-list on getvpn

    hi,
    On a GETVPN environment, when we delete the access-list on the key server, it takes time to take effect on the routers. Is it possible to clear that access-list on the router immediately?

    packet-tracer input outside tcp 1.2.3.4 1234 PUBLIC-IP-OF-DATTO-DEVICE 22
    "1.2.3.4 1234" is just a random source-ip and port.

  • ACL - extended access lists

    Hi, I'm working through the CCNA ICND2.  Section:  IP Access Control Lists
    On p246 it says "the access-list command must use protocol keyword tcp to be able to match TCP ports and the udp keyword to be able to match UDP ports"
    in an example on p264 they list the statement "access-list 101 permit any any eq telnet"
    I would assume that "telnet" is a word value for "port 23" (just like you can type  "eq www" instead of "port 80")
    therefore does it not have to read "access-list 101 permit tcp any any eq telnet"
    ??? many thanks for your answers - much appreciated.

    it's a typo!!

  • Problem with 'LS' command syntax for generating 'recursive' files list

    I'm having trouble getting a recursive (-R) directory listing of the contents of a flash drive --
    -- i.e., when I run the 'ls' command with the -R switch (in Terminal), I get either a recursive directory of what appears to be 'all volumes' (i.e., a very large file) or a zero-byte (empty) file.
    Terminal also keeps reporting "No such file or directory" but I don't know what it's referring to (it reports it with both the 'zero byte' listing and the 'large file' listing).
    Obviously, I'm making some 'syntax error' but I don't know what it is.
    Assuming the following . . .
    User = MK
    Flash drive = NO NAME
    . . . what is the correct command syntax to list only the contents of the flash drive (not 'all volumes')?
    My last try (it doesn't work) was:
    ls -RTlp /Users/MK/Volumes/NO\ NAME > /Users/MK/Documents/flashdrive.dir
    Thanks.

    Re: the original post, I should clarify that what I'm looking for is the syntax that will generate the recursive list of the flash drive's files without first logging the flash drive (NO\ NAME) as the working folder.
    If I do the latter, I can get the recursive listing easily enough.
    What I haven't been able to do is generate the listing without first logging NO\ NAME as the working folder.
    Thanks.

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check if our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working. Can someone show me the 'right path'?
    Thanks
    Soren

    Doesn't have any issues on my Lab 4.2.4. Following is the Job Work Order:
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NA
    Job Policies
    ----------------------------------------------------------------------------------------------
    E-mail Notification: Not Applicable
    Job Based Password: Disabled
    Device Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating encourages contributors, and it's really free.**

  • Thoroughly Confused with ADSM created access-lists when viewing ASA config

    Background:
    I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
    None of them ever removed any lines from the configuration, and none did any documentation.
    I have several basic questions, which show my ignorance.
    When examining the actual configuration from a CLI perspective:
    1. Does an ADSM-created access list end with any specific ADSM-added suffix?
    2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
    3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
    4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

    Actually, I don't think I ever made myself clear.
    I am working with a hard copy of the CLI.
    I have no access to the devices to run any commands, nor access to the ADSM.
    I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
    As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
    I have probably 10-15 different access lists in this config.
    Some look to be affiliated with specific ports. Some of these ports are up, some down.
    I have the same rule sets appearing in 3 separate access lists, in some cases.
    Of course, each of these 3 access lists is slightly different.
    Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
    An example:
    3 access lists:
    Prmary_Public_access_in
    Primary_Public_access_in_tmp
    Arin_Primary_Public_access_in
    Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
    Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
    Primary_Public_access_in does not appear to be directly associated with any one port
    So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

  • Access-list on secondary IP

    Hi,
    I would like to ask for help: can I block the secondary IP's internet access? I will place it on the primary access-list created.
    example
    (primary blocking internet access access-list)
    ip access-list extended http100
    permit tcp host 10.99.100.1 host 10.108.20.1 eq 80
    ip access-list extended http100
    permit tcp host 10.99.102.1 host 10.108.20.1 eq 80
    permit ip any any
    Would the commands above block the internet of the secondary IP 10.99.102.x?
    thanks,
    Eduard

    Hi Rick,
    I have a router that currently blocks internet access on certain IPs. On that segment I created a secondary IP address 10.99.102.x.
    My question is how do I block secondary internet access by using an access-list?
    I thought that since the secondary IP's interface is the same as the primary one, I'll put the exception there on the existing access-list. Would it block the IPs of the secondary from accessing the internet?
    Hope this is clearer.
    Oh, I think I mistyped something on the access-list; let me create another example:
    ip access-list extended http101
    permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)
    permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)
    deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
    deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
    permit ip any any
    all ip's internet will be blocked except for 10.99.100.1 and 10.99.102.1
    thanks,
    Eduard

  • Change an extend access list in a prefix list

    Hello All,
    I would like to translate an extend access list in a prefix list.
    ip access-list extended x_to_y
    permit ip 1.1.1.1 0.0.1.255 any
    deny ip any host 3.3.3.3
    Any hint?
    Thanks!!!

    Hi Fabio,
    I am sorry but to my best knowledge, this is not going to work.
    You want to perform Policy Based Routing (PBR). For PBR, the packet selection is based on inspecting their header values by an ACL. A prefix-list does not inspect header values; rather, it would inspect routing update contents. This is also the reason why you cannot figure out how to rewrite the second line - because a prefix-list does not have a source-and-destination semantics. It is simply a list of network addresses you would be looking for in routing protocol updates.
    Even the documentation at
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html
    clearly shows that the only supported match commands are match length and match ip address - not match ip address prefix-list.
    I wonder - how come that your platform is unable to accommodate an ACL for PBR in hardware? Can we perhaps try to make this work? A prefix-list is not the way to go.
    Best regards,
    Peter

  • Req help: creating access-lists

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T8.bin
    connected to internet by wic1-adsl card
    I would like to configure my router to block the following ranges of ip's.
    Start IP End IP
    69.25.60.0 69.25.61.255
    208.111.154.0 208.111.154.255
    209.249.86.0 209.249.86.255
    Problem is I'm beginner level at configuring the Cisco router, so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

    Also, one final note, 12.4(15)T8 supports named ACL's, as does almost any IOS these days. This is a highly recommended practice.
    I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
    no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
    Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
    ip access-list extended
    deny ip 69.25.60.0 0.0.1.255 any
    deny ip 208.111.154.0 0.0.0.255 any
    deny ip 209.249.86.0 0.0.0.255 any
    exit
    interface x/x
    ip access-group
    end
    Named ACL's are also typically easier to find in the config. For example, if you were to use a numbered ACL, say ACL 5, and later need to find where all it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the router's parser syntax.

  • ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

    Hi All,
    I'm adding an extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify an interface name instead of an object or host/network, but I can't find it documented anywhere. What is the behavior of that?
    access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
    Is it matching the egress interface or what?

    Use the interface name rather than IP address to match traffic based on which interface is the source or destination of the traffic. You must specify the interface keyword instead of specifying the actual IP address in the ACL when the traffic source is a device interface. For example, you can use this option to block certain remote IP addresses from initiating a VPN session to the ASA by blocking ISAKMP. Any traffic originated from or destined to the ASA itself requires that you use the access-group command with the control-plane keyword.

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN, i.e. all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.

  • How to create an Access list on core switch to block all Internet Traffic & allow some specific Internet Traffic

    Hello Everyone,
    I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
    I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
    Can we create such an Access-List with the above requirement?
    I tried to create the ACL on the switch but it blocks the whole internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general, just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit ip any object-group intranet
    permit ip object-group allowed_servers object-group allowed_sites
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is, through a policy-map TK-MPLS_TG, shape the output of the interface to 2G:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside. This new policy helps us assign bandwidth percent to 5 class-maps, which in turn match the experimental values classified when they get into the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    What we want to do is to assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is to not apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any kind of help is very appreciated.

    That is correct: due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
    Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    if you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-me
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <dont do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    Even though the permit and deny may be overlapping in terms of match, only the first class is matched here, DENY-ME.
    cheers!
    xander

  • Access-list port range question

    Hi,
    I would like to clarify the exact operation of the below command:
    ip access-list extended VoiceACL
    permit udp any any range 16384 16387
    Thus the range statement in the above access list specifies that it allows only three ports, "16384 to 16387". Is that correct? Bit confused with this command. One of my friends said that the range statement does not just specify 3 ports, but it specifies the starting port as 16384 and the end port number as 32771 [16384+16387].
    [Value1] = starting port number
    [Value2] + [Value1] = end port number
    Thanks
    Nachi

    Hi Nachi,
    This represents the ports ranging between the first number and the last number, both included; in your case this is actually 4 ports: 16384, 16385, 16386 and 16387.
    Regards,
    Raphael
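As an added example (not code from any of the posts above), the following Python models how an IOS extended ACL is evaluated: top-down, first match wins, implicit deny at the end, wildcard masks, and inclusive port ranges. It covers the range question answered here, the top-down/implicit-deny note in the core-switch reply, and Eduard's http101 list; the port-name table, the sample ACLs and the test addresses are assumptions constructed for the example.

```python
"""Cisco IOS extended-ACL evaluator (added example, not from the posts):
top-down first match, implicit deny, wildcard masks, host/any, eq/range."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "ssh": 22}  # small subset
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'address wildcard' -> network; set wildcard bits mean "don't care",
    so 69.25.60.0 0.0.1.255 is 69.25.60.0/23 (69.25.60.0 - 69.25.61.255)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # only a contiguous wildcard maps to a single prefix
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length()))

def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    lo: Optional[int] = None  # inclusive destination-port bounds; None = any
    hi: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if (ipaddress.IPv4Address(src) not in self.src
                or ipaddress.IPv4Address(dst) not in self.dst):
            return False
        if self.lo is None:
            return True
        return dport is not None and self.lo <= dport <= self.hi

def parse_ace(line: str) -> Ace:
    """Parse 'permit udp any any range 16384 16387'. The protocol keyword is
    mandatory, so an entry like 'permit any any eq telnet' is rejected."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] not in PROTOCOLS:
        raise ValueError(f"invalid ACE: {line!r}")
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    lo = hi = None
    if i < len(tok) and tok[i] in ("eq", "range"):  # named or numeric ports
        lo = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        hi = lo if tok[i] == "eq" else (PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2]))
    return Ace(tok[0], tok[1], src, dst, lo, hi)

def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down and return (action, 1-based line of first match);
    no match is the implicit 'deny any any', reported as ('deny', None)."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace.matches(proto, src, dst, dport):
            return ace.action, n
    return "deny", None

# Constructed sample ACLs modelled on the entries quoted in the thread.
VOICE_ACL = ["permit udp any any range 16384 16387"]
HTTP101 = [
    "permit tcp host 10.99.100.1 host 10.100.100.1 eq 80",
    "permit tcp host 10.99.102.1 host 10.100.100.1 eq 80",
    "deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80",
    "deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80",
    "permit ip any any",
]
```

Running evaluate(VOICE_ACL, "udp", "10.0.0.1", "10.0.0.2", 32771) returns the implicit deny, which is the quickest way to settle the "16384+16387" reading.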

  • Access List - cisco 2600- HELP

    Hi,
    I want to ask if access lists are bi-directional or one-directional?
    If I want to stop "LAN A" (eth1) from going into "LAN B" (eth0), which ACL must I use, so that "LAN B" can still go to "LAN A"?
    Thanks

    Emanuele
    When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
    I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
    If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
    If I have not understood your question correctly please clarify what you are attempting to accomplish.
    HTH
    Rick
