Clearing tcp sessions on the cisco acs secure appliance

Hello,
is there a possibility to view the number of tcp-session which are active on an acs secure appliance?
Due to these hangups we have no connection to the appliance through web or console. So we are also interested in clearing the tcp-session instead of rebooting the appliance.
Could somebody help us.
thnx
Torsten Waibel

What is the acs software ver ?

Similar Messages

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
    1)      How is ASA CX different from other UTM solutions ?
    2)      How is dynamic application inspection of CX better than other inspection engines  ?
    3)      What features or functionalities on the CX are available by default ?
    4)      what are the different ways we can run or install CX on the ASA platform ?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.
    Thanks.

  • Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance

    I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
    Thanks.

    Hi
    We (extraxi) offer migration and general consultancy for ACS if you need professional help.
    www.extraxi.com/contact.htm

  • SunBlade 100 to Cisco PIX Security Appliance

    I have a problem connecting a SunBlade 100 workstation with Cisco Routers, and the PIX Security Appliance at the Console ports of both a Cisco router and the Cisco PIX Security Appliance. This should be out of the serial port of the SunBlade 100 workstation..
    I have tried to use the UNIX command tip hardwire. No luck connecting to the console port. I also tried to use the UNIX cu command again no response from the console port. I tried connecting a modem temporarily to the SunBlade 100 workstation and was successful in echoing a phone number to a modem. However, I need to use a direct connection from the SunBlade 100 workstation.
    Currently, Windows 2000 workstations are used with
    Hyperterminal to connect to routers and the PIX Security Appliance. I have 24 SunBlade workstations in my classroom and need to use them to connect to the console port on Cisco routers, and the PIX Security Appliance. I would appreciate any help anyone might be able to give on this subject.

    Hello Namit and Rahul,
    Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
    1)      How is ASA CX different from other UTM solutions ?
    2)      How is dynamic application inspection of CX better than other inspection engines  ?
    3)      What features or functionalities on the CX are available by default ?
    4)      what are the different ways we can run or install CX on the ASA platform ?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.
    Thanks.

  • Error "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed" - help !

    hi,
    I've tried to install AnyConnect Secure Mobility Client on my computer (Mac OS 10.6.8), I've never installed it before on this computer, however when I want to install  i got the message
    "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed"
    I would be thankful if anyone could help me with this problem !!!

    Would I be correct in assuming that you are trying to do a manual install of the AnyConnect client when you get this error? Have you ever used this MAC to connect to an ASA and to establish a VPN? If so it is quite likely that AnyConnect was installed in that on line session and does not require a manual install.
    HTH
    Rick

  • Cisco Email Security Appliance (ESA) - Reporting

    In previous versions on ESA you could export data and reports in CSV formats using an API. Is that still available?
    >From the following document :
    IRONPORT ASYNCOS 6.4 REPORTING API FOR IRONPORT APPLIANCES
    REPORTING API OVERVIEW
    The Reporting API feature allows you to download the same data collected by the Email Security Monitor component of the IronPort Email Security appliance or Security Management appliance in a comma separated value (CSV) format. This format allows users to integrate the IronPort appliance's data gathering capabilities into other IT and business reporting systems. 
    DOWNLOADING REPORTING DATA
    You can retrieve the data used to build the charts and graphs in the Email Security Monitor feature via HTTP. This is useful if you plan to perform further analysis on the data via other tools. The data is available in standard comma separated value (CSV) format. The easiest way to get the HTTP query you will need is to configure one of the Email Security Monitor pages to display the type of data you want. You can then simply click the Export... link to initiate the download process.

    It went away, there's a new one (RESTful) in 9.0/9.1
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-0/ESA_API_1-0_Getting_Started_Guide.pdf

  • Cisco ACS Engine appliance 1120 software upgrade

    I want to upgrade my Cisco ACS Engine appliance 1120 from software version 3.3 to the latest version (5.x). How do I go about this? Someone should help please.

    It is highly suspicious that you would have a 1120 appliance that is running 3.3
    ACS 3.3 was with the ACS solution engine 1111, 1112 and 1113.
    ACS 5 requires the appliance 1120/1121 so it requires an appliance change. I'm puzzled about how you could be running 3.3 for 1120 since there is no installation DVD for that.
    As a general thing, one has to follow the ACS 5 migration guide on cisco.com that explains the process quite well. You need to go to acs 4.1/4.2 to migrate to 5.
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html
    Nicolas

  • How to manage the Cisco ACS 3.3 from ciscoworks server ?

    i have ACS 3.3 server appliance and want to manage it from the ciscoworks server .i wanted to see it in the campus manager and can i manage ite inventory ?
    Cisco Secure Access Control Server Solution Engine.

    Hai,
    Yes absolutely right. ACS appliance cannot be managed since SNMP cannot be enabled in ACS.
    I tried but after raising TAC case with Cisco they told it is not possible.
    In campus manager u cannot view the cisco devices ACS,NIDS and PIX firewall
    Hope this information is useful

  • Cisco Adaptive Security Appliance Software Version 8.2(4)

    Dear All
    I was configure IPSEC vpn on ASA5540 and i have problem with port blocked.  I am unable to block server ports to remote users.  See below configuration.   I need to configure vpn filter list can any one help me to configure vpn filter list. 
    access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
    group-policy portal internal
    group-policy portal attributes
    dns-server value 10.1.10.33 10.1.10.34
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value portal
    default-domain value abc.com
    split-dns value abc.com
    address-pools value vpnpool
    tunnel-group portal type remote-access
    tunnel-group portal general-attributes
    address-pool vpnpool
    authentication-server-group ACS
    default-group-policy portal
    tunnel-group portal ipsec-attributes
    pre-shared-key *&******
    I need to block this access-list and open only port 53 dns
    access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
    I write this access-list but it will not work and its open all ports.
    access-list portal extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0, but this access-list will not work and its open all ports like remote desktop, ftp, icmp, etc.
    any body can help me plz.
    anybody can help me how to used vpn filter list to block port or protocol based.

    Hi,
    You can have the split tunnel ACL named as portal and configured as below:
    access-list portal extended permit ip host 10.1.xx.33 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.xx.34 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.yy.33 192.168.20.0 255.255.255.0
    access-list portal extended permit ip host 10.1.yy.34 192.168.20.0 255.255.255.0
    You can configure a vpn-filter ACL like below:
    access-list VPNF extended permit udp 10.1.yyy.33 eq 53 192.168.20.0 255.255.255.0
    and then apply this VPNF access-list under the group-policy "portal" using the command vpn-filter value VPNF. Let me know if this helps.
    Regards,
    Prapanch

  • BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

    I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
    Current config based from existing artilce pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
    Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
    What are the TLSv1 Ciphers used by Ironport (verify under sslconfig CLI appears only to list SSL ciphers)
    Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
    Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
    Paul

    Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only enabled TLSv1 is enabled.
    And reordering ciphers by strength won't bring anything since the client's ciphers order will always be preferred.
    Also, MD5 should be disabled as it's widely considered too weak for the job.
    My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5

  • Cisco Web Security Appliance Slowness issue

    Hello,
    I have a slowness issue on an Existing WSA-S170-K9 appliance , when issuing the command Rate/proxystat it displays unresponsive sometimes screenshot attached.
    software version is 8.5, i was suspecting that this issue is related to access policies applied on end users ; so i created a test policy to bypass all checks and disable all malware/antivirus checks on users flows however, the same issue is still there.
    Appreciate any assisstance,
    Thanks,
    Muayad Jallad,

    Does this happen every time you run the rate command and at the beginning of the command's output rows?
    You may want to look at your proxylogs to see what activity is occurring while the proxy is unresponsive.

  • Ask the Expert:Cisco Web Security

    With Ryan Wager
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco Ironport WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner ,and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wagner spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.
    Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.  
    They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, discussion forum shortly after the event. This event lasts through October 7, 2011.. Visit this forum often to view responses to your questions and the questions of other community members.

    Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.
    There are two conditions:
    1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, The WSA can scan the http response with Anti-Virus, Anti-SpyWare and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.
    2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.
    You may refer to the following links for more information:
    WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html
    Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
    Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x

  • Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072

    I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
    I am able to create the VPN connection but the connection will not allow data to be transferred.
    Stats from a manual connection:
    Cisco AnyConnect Secure Mobility Client Version 3.1.04072
    VPN Stats
        Bytes Received:  14375
        Bytes Sent:  0
        Compressed Bytes Received:  0
        Compressed Bytes Sent:  0
        Compressed Packets Received:  0
        Compressed Packets Sent:  0
        Control Bytes Received:  0
        Control Bytes Sent:  0
        Control Packets Received:  0
        Control Packets Sent:  0
        Encrypted Bytes Received:  7820
        Encrypted Bytes Sent:  1207
        Encrypted Packets Received:  9
        Encrypted Packets Sent:  3
        Inbound Bypassed Packets:  0
        Inbound Discarded Packets:  0
        Outbound Bypassed Packets:  0
        Outbound Discarded Packets:  0
        Packets Received:  4
        Packets Sent:  0
        Time Connected:  00:03:01
    Protocol Info
        Inactive Protocol
            Protocol Cipher:  RSA_3DES_168_SHA1
            Protocol Compression:  None
            Protocol State:  Disconnected
            Protocol:  DTLS
        Active Protocol
            Protocol Cipher:  RSA_3DES_168_SHA1
            Protocol Compression:  Deflate
            Protocol State:  Connected
            Protocol:  TLS
    OS Version
        Windows 8 : WinNT 6.2.9200
    Log from the data transmission software:
    24/12/2013 12:51:13 - Application version = 1.11.28.0
    24/12/2013 12:51:13 - Lodgement Library Version =  1.11.28.0
    24/12/2013 12:51:13 - Connection Method =  INTERNET
    24/12/2013 12:51:13 - DIS Connection Type = Automatic
    24/12/2013 12:51:13 - VPN Client =  ACTIVE
    24/12/2013 12:51:13 - Check Available Connections =  NOT ACTIVE
    24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
    24/12/2013 12:51:13 - Language: English (Australia)
    24/12/2013 12:51:13 -
    24/12/2013 12:51:13 - Connected to ISP via LAN
    24/12/2013 12:51:13 - Checking for presence of VPN client.
    24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
    24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
    24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
    24/12/2013 12:51:18 -
    24/12/2013 12:51:18 - Checking Cisco AnyConnect  version.
    24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
    24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.
    24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
    24/12/2013 12:51:19 -
    24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
    24/12/2013 12:51:19 -
    24/12/2013 12:51:19 - Initializing the VPN connection.
    24/12/2013 12:51:19 - Ready to connect.
    24/12/2013 12:51:19 - Ready to connect.
    24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
    24/12/2013 12:51:23 - Authenticating user.
    24/12/2013 12:51:23 - Connected to VPN concentrator.
    24/12/2013 12:51:23 - Establishing VPN session...
    24/12/2013 12:51:23 - Checking for profile updates...
    24/12/2013 12:51:23 - Checking for product updates...
    24/12/2013 12:51:23 - Checking for customization updates...
    24/12/2013 12:51:23 - Performing any required updates...
    24/12/2013 12:51:23 - Establishing VPN session...
    24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
    24/12/2013 12:51:24 - Establishing VPN - Examining system...
    24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
    24/12/2013 12:51:24 - Establishing VPN - Configuring system...
    24/12/2013 12:51:24 - Establishing VPN...
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connection to VPN client return code = 0.
    24/12/2013 12:51:24 - Connected to VPN concentrator.
    24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
    24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
    Connection timed out.
    24/12/2013 12:51:46 -
    24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
    24/12/2013 12:51:46 - Disconnect in progress, please wait...
    24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
    24/12/2013 12:51:47 - Detached.
    24/12/2013 12:51:47 - Disconnected from VPN concentrator.
    24/12/2013 12:51:47 - *****************************************************
    24/12/2013 12:51:47 -               END OF LODGEMENT PROCESS
    24/12/2013 12:51:47 - *****************************************************
    Issue history:
    - Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
    - Upgrade to Windows 8.1 stopped the VPN client working
    - Refreshed system back to Windows 8 and reinstalled all software
    - Cisco VPN client would not install on system
    - Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
    - Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
    - Data transmission software returns error code #10060
    Any assistance would be greatly appreciated.

    anyone found the fix for this?

  • Cisco AnyConnect Secure Mobility Client using discrete graphics on Mac

    Hello,
    I use your Cisco AnyConnect Secure Mobility Client to connect to my University's VPN. The programme is supplied to me by my University so I presume it licenses it for its students such as myself.
    I am writing to let you know the Cisco AnyConnect Secure Mobility Client uses the discrete graphics card on my MacBook Pro whenever it is running. I cannot quit the Client, that will end my VPN session, but at the same time using the discrete graphics card is a drain on the battery for no good reason; Cisco AnyConnect does not display any visuals that I am aware would require the use of an NVidia Kepler card with 1GB VRAM. The application's code perhaps needs to be rectified so it does not depend on the discrete graphics card when clearly (as the attachments show) it does not need a discrete graphics card to render its very simple interface.
    Cheers.

    If your company has the Cisco IPSec protocol open you can use the Mac's built-in VPN settings.
    However, if those ports are blocked by your local service (Starbucks or w/e) then you will have to use the AnyConnect VPN, which is done over SSL (https).

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a                                                           3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x06                                                           85254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0                                                           x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcn                                                           t=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt                                                           =0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcn                                                           t=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7                                                           b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

Maybe you are looking for

  • After updating to iOS 8.02 apps no longer update

    I recently updated my iPad air to iOS 8.02 and shortly after my updates stopped working.  I have restarted many times but nothing seems to work.  Has anyone else experienced this ? If so we're you able to figure out how to fix this issue?

  • How to connect to Firefox Sync if operating system was reinstalled?

    Can I connect to Firefox Sync if i have the sync key? When I go to Tools>Options>Sync>Set Up Firefox Sync I see only Create new Account and Connect that does not allow me to connect to my account. Thank you.

  • Itunes stops downloading when almost complete

    Hi there, my friend has a dell laptop brand new not sure what model running windows 7. Whenever i attempt to download itunes the download reaches around 70-90% completion and then stops. I've tried IE, firefox and google chrome and all of them fail.

  • Cheque and Payment Advice print

    Hello All, We have a requirement on Cheque printing and Payment advice printing functionality. We are converting both the standard Sap scripts of Cheque print RFFOUS_C and Payment advice to a Z program. It's like we have a cheque format which is prin

  • SAP Learning Solution u2013 Offline Player - Application size?

    Hi Guys, I've been engaged to package and distribute this software for a client and need to know the installation size (MB) of this application. They haven't ordered the software yet but expect a quote for distribution to their entire network which i