Configuring Access List
I have the following configuration on the MSFC of a Catalyst 6509:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
In subnet 172.23.8.0/22 I have the server 172.23.11.3, and in subnet 172.23.60.0/24 I have electricity meters.
I have the following requirement: only the active hosts of subnet 172.23.60.0/24 should have access to server 172.23.11.3, and only server 172.23.11.3 should have access to the active hosts of network 172.23.60.0/24.
I plan to apply the following configuration:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
ip access-group 103 in
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny ip any any
Is it correct?
Any recommendations?
I don't believe your source/destination address logic matches your access-group 3 in statement. Your configuration states inbound traffic on interface VLAN 5 sourced as 172.23.60.x destined for 172.23.11.3 is allowed. Using Leo's recommendations I suggest you reverse source and destination address.
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15
Interface Vlan5
ip access-group 3 in
HTH,
Ryan
Similar Messages
-
Hi,
I have the following configuration:
interface FastEthernet0/1
description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
no ip address
duplex full
speed 100
interface FastEthernet0/1.2007
description ***** Connect To MASTER_SHUKEI_ON *****
encapsulation dot1Q 2007
ip address 172.21.2.46 255.255.255.248
interface FastEthernet0/1.2008
description ***** Connect To TRAST *****
encapsulation dot1Q 2008
ip address 172.21.2.54 255.255.255.248
interface FastEthernet0/1.2009
description ***** Connect To TRAST *****
encapsulation dot1Q 2009
ip address 172.21.2.62 255.255.255.248
interface FastEthernet0/1.2010
description ***** Connect To TRAST *****
encapsulation dot1Q 2010
ip address 172.21.2.707 255.255.255.248
and I want to configure an access deny between the VLANs, so that users can't get into VLANs that don't belong to them.
Thanks
Hi,
Configure access-list
access-list 10 deny <your vlan2007 range>
access-list 10 permit any
int f0/0.2007
access-group 10 in
same for vlan 2008
Thanks
Mahmood -
Inherent Deny at End of Access-list 700 ?
If I specify the following configuration:
access-list 700 permit 5c59.4812.35fb
access-list 700 permit 0024.d71b.de64
dot11 association mac-list 700
Is there an inherent DENY to all other MAC addresses at the end of access-list 700? This configuration is going into an Aironet AP801. I'd like to use this to specify what I permit in my home and deny any other device that attempts to connect to the AP. I think this is a workable solution to keep out intruders that might crack my WPA2.
Thanks for the feedback!!!
James E
Yes, there is an inherent deny all at the end of a 700-series ACL, just like there is in all ACLs.
-
Add network object to access list
Can someone please show me how to add existing network objects to existing access control lists in a network object group using the cli in the asa version 9.x on the inside interface? The source is an already existing network object and the destination is an existing network object group. Thanks.
Hi,
I am not entirely sure of what you are asking.
What I understood is that you have the following already:
An "access-list" that is attached to the "inside" interface
An existing "object network" configured that will be used as the source for the "access-list" rule
An existing "object-group network" configured that will be used as the destination for the "access-list" rule
If the above is true then you would simply configure
access-list permit ip object object-group
The above though would permit all TCP/UDP traffic
If you want to only allow specific ports for either TCP or UDP then you would use the format
access-list permit tcp object object-group eq
access-list permit udp object object-group eq
Naturally if you want to allow multiple ports there would be further ways to group those ports together also inside "object-group" to make the configuration smaller/cleaner.
Please let me know if you were looking for something else and I misunderstood.
Hope this helps
- Jouni -
Configuring Extended Access List with Any statement
I have several questions where I'm fuzzy on a configuration already on my network. Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations --
1. Are extended access-lists always source then destination? Like in the following statement:
permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
2. Further down though there is:
permit tcp any host 172.16.4.11 eq 443.
In that case is the source any host and the destination 172.16.4.11 ?
This had been placed on an inbound access-list, but 4.11 is not internal to that network, so I don't think that statement is valid.
3. Also, when you do a:
sho ip access-list -
Not many of the line items in that access-list have any hit counts. Does that mean nothing is hitting them, or, as I suspect, that they could be misconfigured?
Thanks!
Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
Access-List configuration on ASR9k
Hello all,
I have an ASR 9000 on my network and want to configure an access-list. But is there any command to refer to an ACL via a network object, as the ASA does?
And which is the command that refers to it?
So is it possible to create objects and then refer to them in the ACL?
Regards,
Mery
Hi Mery,
here is an example.
RP/0/RSP0/CPU0:ASR9K-PE2-R1#show configuration commit changes last 1
Mon Feb 24 00:06:10.681 UTC
Building configuration...
!! IOS XR Configuration 5.1.0
object-group network ipv4 real
host 100.1.1.1
ipv4 access-list real
10 permit icmp any any
20 permit tcp any net-group real eq www
30 permit tcp any net-group real eq www log
40 permit tcp any net-group real eq ftp
50 permit tcp any net-group real eq telnet
60 permit tcp any net-group real eq pop3
70 permit tcp any net-group real eq smtp
80 permit tcp any net-group real eq domain
90 permit tcp any net-group real eq ftp-data
100 permit tcp any net-group real established
110 permit tcp any net-group real eq 389
111 permit udp any net-group real eq 389
120 permit tcp any net-group real eq 636
121 permit udp any net-group real eq 636
200 permit ipv4 any any
end
RP/0/RSP0/CPU0:ASR9K-PE2-R1# -
Please assist me for access-list configuration
Dear Team,
Please help me to configure the access-list.
Requirement:
I have three different subnets (10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1 and PC3 are in the 10.1.1.0 subnet, and PC2 and PC4 are in the 30.1.1.0 subnet.
I want the 10.1.1.0 subnet not to be able to access the 30.1.1.0 subnet, but the 30.1.1.0 subnet should be able to access the 10.1.1.0 subnet. Please find the configuration below.
At R2:
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
But this configuration is not working; it is also blocking the 30.1.1.0 subnet from accessing 10.1.1.0. Please help me!
Regards,
Sanjib
Hello
I assume the routers are performing the routing for these subnets and not the switches. Anyway, your ACL doesn't look correct; try this:
R2
ip access-list extended 101
deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
or
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 out
reverse the acl for R3 if applicable
res
Paul -
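Added example (Python, not code from any post in this thread): a small evaluator for IOS-style extended ACLs, run against ACL 103 from the first post (inbound on Vlan5) and against Sanjib's ACL above. It handles 'host', 'any' and wildcard address specs, numeric 'eq'/'range' ports and 'established', and ignores 'log'. The sample packets (meter and PC addresses, ports 502, 22 and 40000) are constructed for the demonstration.

```python
# Added example, not code from any post in this thread: an evaluator for Cisco
# IOS-style extended ACLs ('host'/'any'/wildcard address specs, numeric 'eq'/'range'
# ports, 'established'), run against ACL 103 from the first post (inbound on Vlan5)
# and against Sanjib's stateless ACL. Sample packet addresses/ports are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]                # (address, wildcard) as 32-bit ints
    sport: Optional[Tuple[int, int]]    # inclusive port range, None = any port
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]]
    established: bool                   # matches only TCP with ACK (or RST) set
    text: str

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; wildcard 1-bits are don't-care bits."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _take_ports(tok):
    """Consume an optional 'eq N' or 'range A B' (numeric ports only here)."""
    if tok and tok[0] == "eq":
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok and tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok

def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] == "access-list":     # numbered form: access-list 103 permit ...
        tok = tok[2:]
    elif tok[0].isdigit():          # named form with sequence number: 10 permit ...
        tok = tok[1:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _take_addr(tok)
    sport, tok = _take_ports(tok)
    dst, tok = _take_addr(tok)
    dport, tok = _take_ports(tok)
    return Ace(action, proto, src, sport, dst, dport, "established" in tok, line.strip())

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines()]

def _addr_match(spec, addr: str) -> bool:
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF       # bits that must be equal
    return (_ip(addr) & keep) == (base & keep)

def _port_match(spec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: int = 0, dport: int = 0, ack: bool = False) -> Tuple[str, str]:
    """Top-down, first match wins; no match ends in the implicit deny. ack = TCP ACK/RST bit."""
    for a in acl:
        if (a.proto in ("ip", proto) and (not a.established or (proto == "tcp" and ack))
                and _addr_match(a.src, src) and _port_match(a.sport, sport)
                and _addr_match(a.dst, dst) and _port_match(a.dport, dport)):
            return a.action, a.text
    return "deny", "implicit deny"

# ACL 103 from the first post (two meter entries shown), applied 'in' on Vlan5.
METER_ACL = parse_acl("""
access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny ip any any""")

def meter_acl_demo() -> Dict[str, str]:
    """Packets entering Vlan5 are sourced from the meter subnet; that is what an inbound ACL sees."""
    pairs = {"listed meter -> server": ("172.23.60.2", "172.23.11.3"),
             "unlisted meter -> server": ("172.23.60.50", "172.23.11.3"),
             "listed meter -> other host": ("172.23.60.2", "172.23.8.20")}
    return {k: evaluate(METER_ACL, "tcp", s, d, 40000, 502)[0] for k, (s, d) in pairs.items()}

# Sanjib's ACL as posted, then the same list with 'established' letting TCP replies through.
STATELESS = parse_acl("""
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any""")
WITH_ESTABLISHED = parse_acl("""
permit tcp 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 established
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any""")

def subnet_acl_demo() -> Dict[str, str]:
    """ACL 'in' on the interface facing 10.1.1.0/24 sees PC1's new sessions and PC1's replies alike."""
    new = ("tcp", "10.1.1.10", "30.1.1.10", 40000, 22)           # PC1 opening a session to PC2
    reply = ("tcp", "10.1.1.10", "30.1.1.10", 22, 40000, True)   # PC1 answering a session PC2 opened
    return {"stateless: new": evaluate(STATELESS, *new)[0], "stateless: reply": evaluate(STATELESS, *reply)[0],
            "established: new": evaluate(WITH_ESTABLISHED, *new)[0], "established: reply": evaluate(WITH_ESTABLISHED, *reply)[0]}
```

Two things the output makes visible. An inbound ACL sees packets as they enter the interface, so on Vlan5 a meter is always the source; the server-to-meter rule only takes effect where the server's packets enter (inbound on Vlan1) or as an outbound ACL on Vlan5. In Sanjib's case the stateless deny drops PC1's replies to sessions PC2 opened as well as PC1's own new sessions; 'established' passes TCP segments with ACK or RST set, while UDP or ICMP replies would need a reflexive ACL.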
ASA5520 access-list configuration?
I have two asa5520s, version 7.2(2).
I use access-lists on the firewall as follows:
access-list outside extended permit ip object-group mydomain any
access-list outside extended permit icmp object-group mydomain any
access-group outside in interface outside.
I believe that all IP traffic should be allowed from machine AA in the private network behind the inside interface to machine BB in the public network (outside of the outside interface of the ASA5520):
(private) AA->asa5520->BB (public)
However, it seems to work for most cases, but it does not work for a certain port.
telnet AA 80 -> it seems to work fine
telnet AA 3816 -> it does not work.
When I do the packet trace on the ASA5520, it says the access-list did not allow it.
Could anyone advise me what my configuration is missing? How do I correct this problem? And also, how can I see all the implicit rules that are set by default?
any comments will be appreciated
Thanks in advance
Please upload/copy your config so we can see.
-
Hello everyone,
I am trying to create an access-list on my core switch, in which I want to allow a few internet websites and block the rest of them.
I want to allow the whole intranet, but a few intranet websites also need access to the internet.
Can we create such an access-list with the above requirement?
I tried to create the ACL on the switch, but it blocks all internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access-list?
Thanks in advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between an ASR 9010 and a 7613, and the first thing we do is, through a policy-map TK-MPLS_TG, shape the interface to 2G on output:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us assign bandwidth percent to 5 class-maps, which in turn match on experimental values classified when they came into the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
What we want to do is assign a specific bandwidth to the proxy on output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
we assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
even though the permit and deny may be overlapping in terms of match,
only the first class is matched here, DENY-ME.
cheers!
xander -
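Added example (Python, not code from the thread or from IOS XR): a model of the two-class workaround described above. The deny ACEs of PROXY-GIT-MEX are turned into a permit-only "exclude" ACL whose class is listed first in the policy-map, the remaining permit ACEs become the class that carries the policer, and the two classifications are compared against what the rejected deny-ACE list meant. The ACL and class names PXY-EXCLUDE/PXY-PERMIT, the sample flows, and the address-only matching (protocol ignored) are assumptions of the example.

```python
# Added example, not part of the thread: modelling the two-class workaround for
# 'Deny ace not supported in access-list'. Deny ACEs become a permit-only exclude
# ACL matched by the first class; the permit ACEs keep the policer. ACL/class
# names and the sample flows are constructed; matching here is address-only.
import ipaddress
from typing import List, Tuple

# The ACL from the post, with its deny ACEs (what the commit rejected).
ORIGINAL_ACL = """
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any""".strip().splitlines()

def split_acl(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Deny ACEs -> permit ACEs of the exclude list; permit ACEs kept; sequence numbers re-issued."""
    exclude, permit = [], []
    for line in lines:
        _seq, action, body = line.split(maxsplit=2)
        (exclude if action == "deny" else permit).append(body)
    def renum(bodies):
        return [f"{10 * (i + 1)} permit {b}" for i, b in enumerate(bodies)]
    return renum(exclude), renum(permit)

def render_config(exclude="PXY-EXCLUDE", permit="PXY-PERMIT", policy="EDGE-MEX3-PXY") -> str:
    """IOS XR fragment: two permit-only ACLs, two class-maps, exclude class first."""
    ex, pm = split_acl(ORIGINAL_ACL)
    lines = [f"ipv4 access-list {exclude}", *(f" {a}" for a in ex),
             f"ipv4 access-list {permit}", *(f" {a}" for a in pm),
             f"class-map match-any C_{exclude}", f" match access-group ipv4 {exclude}", "end-class-map",
             f"class-map match-any C_{permit}", f" match access-group ipv4 {permit}", "end-class-map",
             f"policy-map {policy}",
             f" class C_{exclude}",          # matched first, no action: excluded traffic is never policed
             f" class C_{permit}", "  police rate 300 mbps",
             " class class-default", "end-policy-map"]
    return "\n".join(lines)

def _addr(tok: List[str]):
    """'any' | 'host A' | 'A WILDCARD' -> ((base, wildcard) ints, remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def _match(spec, addr: str) -> bool:
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF          # wildcard 1-bits are don't-care
    return (int(ipaddress.IPv4Address(addr)) & keep) == (base & keep)

def body_matches(body: str, src: str, dst: str) -> bool:
    """body = '<proto> <src spec> <dst spec>'; protocol is ignored in this address-only demo."""
    tok = body.split()[1:]
    s, tok = _addr(tok)
    d, tok = _addr(tok)
    return _match(s, src) and _match(d, dst)

def classify_two_class(src: str, dst: str) -> str:
    """Policy-map semantics: the first class whose (permit-only) ACL matches wins."""
    exclude, permit = split_acl(ORIGINAL_ACL)
    for name, aces in (("C_PXY-EXCLUDE", exclude), ("C_PXY-PERMIT", permit)):
        if any(body_matches(a.split(maxsplit=2)[2], src, dst) for a in aces):
            return name
    return "class-default"

def classify_original(src: str, dst: str) -> str:
    """What the rejected list meant: first matching ACE; a deny leaves the flow unclassified."""
    for line in ORIGINAL_ACL:
        _seq, action, body = line.split(maxsplit=2)
        if body_matches(body, src, dst):
            return "C_PXY-PERMIT" if action == "permit" else "class-default"
    return "class-default"

def policed_equivalently(flows) -> bool:
    """True when the policer class is hit for exactly the flows the original permit ACEs matched."""
    return all((classify_two_class(s, d) == "C_PXY-PERMIT") == (classify_original(s, d) == "C_PXY-PERMIT")
               for s, d in flows)

if __name__ == "__main__":
    print(render_config())
```

The exclude class is rendered without an action, which is the "don't do anything" variant from the reply; the ordering is what carries the deny semantics, so anything that matches the exclude list never reaches the policed class even though both ACLs overlap.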
Static nat with port redirection 8.3 access-list using un-nat port?
I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..
Hello,
I would be more than glad to explain to you what is going on!
The thing is, since 8.3 NAT is evaluated before the ACL, so the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.
After the packet is un-NATted, what we have are the private IP addresses and the real ports, so that is why on these versions you have to point the ACL at the private IP addresses and ports.
Regards,
Julio
Rate helpful posts -
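Added example (Python, not code from the thread or from the ASA): the processing order Julio describes, reduced to a few functions so the two ACL variants from the post (eq 3398 versus eq 3389) can be compared, with the pre-8.3 order alongside for contrast. The NAT rule and ports are the post's; the outside interface address 203.0.113.1 and the client address are constructed.

```python
# Added example, not from the thread: ASA inbound processing on the outside
# interface modelled as connection lookup -> un-NAT -> interface ACL (8.3+),
# against the older ACL-on-mapped-address order. The static PAT is the post's
# (tcp 3398 on the outside interface -> 10.1.1.5:3389); OUTSIDE_IF and the
# client address are constructed for the example.
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

OUTSIDE_IF = "203.0.113.1"   # assumed address of the outside interface ('interface' keyword in the nat line)
# nat (inside,outside) static interface service tcp 3389 3398 -> mapped (OUTSIDE_IF, 3398) = real (10.1.1.5, 3389)
STATIC_PAT: Dict[Tuple[str, str, int], Tuple[str, int]] = {("tcp", OUTSIDE_IF, 3398): ("10.1.1.5", 3389)}

def un_nat(flow: Flow) -> Flow:
    """Replace the mapped destination with the real one when a static rule covers it."""
    real = STATIC_PAT.get((flow.proto, flow.dst, flow.dport))
    return flow if real is None else replace(flow, dst=real[0], dport=real[1])

def acl_permits(acl: List[Tuple[str, int]], flow: Flow) -> bool:
    """ACL entries of the form 'permit <proto> any any eq <port>', as in outside_access_in."""
    return any(flow.proto == proto and flow.dport == port for proto, port in acl)

def inbound_outside(acl: List[Tuple[str, int]], flow: Flow, order: str = "8.3+",
                    conns: FrozenSet[Flow] = frozenset()) -> str:
    """order='8.3+': connection lookup, un-NAT, then ACL on real address/port.
    order='pre-8.3': ACL on the mapped (on-the-wire) address/port, NAT afterwards."""
    if flow in conns:
        return "allow (existing connection, ACL not consulted)"
    if order == "8.3+":
        checked = un_nat(flow)
    elif order == "pre-8.3":
        checked = flow
    else:
        raise ValueError(f"unknown order {order!r}")
    return "allow" if acl_permits(acl, checked) else "drop (acl-drop)"

ACL_MAPPED_PORT = [("tcp", 3398)]   # what the poster tried first
ACL_REAL_PORT = [("tcp", 3389)]     # what worked on 8.3
RDP_FROM_INTERNET = Flow("tcp", "198.51.100.7", 51000, OUTSIDE_IF, 3398)   # constructed client

def compare() -> Dict[str, str]:
    return {"8.3+, ACL eq 3398": inbound_outside(ACL_MAPPED_PORT, RDP_FROM_INTERNET),
            "8.3+, ACL eq 3389": inbound_outside(ACL_REAL_PORT, RDP_FROM_INTERNET),
            "pre-8.3, ACL eq 3398": inbound_outside(ACL_MAPPED_PORT, RDP_FROM_INTERNET, order="pre-8.3")}
```

The same packet is permitted by "eq 3389" on 8.3+ because the ACL is evaluated after un-NAT, while on the older order it is the mapped port 3398 that the ACL has to name; `packet-tracer` on the box shows which phase drops the packet.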
Acl-name in access-list requirements
Hi,
I would like to ask about the acl-name in an access-list.
Does it act as a link between the ACL and an interface,
or could it be written as anything, without any constraints?
such as
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
Is it OK?
Or should test_ACL be defined somewhere prior to using it in the ACL?
Just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs. Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map. Another common use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site-to-site VPN.
But for this specific ACL that you mention, the question you need to answer is: does the ACL define IPs that are assigned within your network, and do you have any applications that require the TCP timeout to be adjusted? If the answer is no to either of these, then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
Whether the ACL itself can be removed, I would assume it is safe to remove as it is called test_ACL, but then again, I have seen people set up test configurations and then leave them as is without changing the name. So I would suggest investigating further to see if the name test_ACL is referenced in any other places in your configuration.
Please remember to select a correct answer and rate helpful posts -
A possible bug related to the Cisco ASA "show access-list"?
We encountered a strange problem in our ASA configuration.
In the "show running-config":
access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in extended permit ip object 172.31.254.2 any log
access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
access-list inside_access_in extended permit ip any object testCSM-object
access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in extended permit ip host 172.31.254.2 any log
access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
In the "show access-list":
access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
There is a comment in the running config: (line 26)
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problems when we try to use the line number to insert a new rule.
Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
Thanks in advance.
show version:
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.1(3)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fmciscoasa up 1 hour 56 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
Could be related to the following bug:
CSCtq12090: ACL remark line is missing when range object is configured in ACL
Fixed in 8.4(6), so update to a newer version and observe it again.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
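Added example (Python, not code from the thread or from Cisco): an offline check that walks the ACL entries of "show running-config" and "show access-list" side by side, reports the remarks that the second output has dropped, and computes the "line N" the ASA will actually accept for an insert at a given running-config position. The sample outputs are a constructed excerpt modelled on the poster's (remark text shortened, starting at show line 22); the ACL name is the post's.

```python
# Added example, not from the thread: audit 'show running-config' against
# 'show access-list' for one ACL, find remarks missing from the latter, and
# translate a running-config position into the line number the ASA numbers.
# The two sample outputs are a constructed excerpt modelled on the post
# (remarks shortened), starting at show line 22.
import re
from typing import Dict, List, Tuple

RUNNING_CONFIG = """
access-list inside_access_in remark CM0000011 EXP:1/16/2014 JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log""".strip().splitlines()

SHOW_ACCESS_LIST = """
access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 JST:PortRange
access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 24 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 25 remark CM0000014 EXP:1/16/2014 JST:DropIP
access-list inside_access_in line 26 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 26 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368""".strip().splitlines()

RUN_RE = re.compile(r"^access-list (\S+) ((?:remark|extended) .*)$")
SHOW_RE = re.compile(r"^access-list (\S+) line (\d+) ((?:remark|extended) .*)$")

def running_entries(lines: List[str], acl: str) -> List[str]:
    """Entries of one ACL in running-config order; remarks count as lines, as the ASA numbers them."""
    return [m.group(2) for m in map(RUN_RE.match, lines) if m and m.group(1) == acl]

def show_entries(lines: List[str], acl: str) -> List[Tuple[int, str]]:
    """One entry per line number: an object-based ACE is followed by its expansion
    under the same number, so the first text seen per number is kept."""
    seen: Dict[int, str] = {}
    for m in map(SHOW_RE.match, lines):
        if m and m.group(1) == acl:
            seen.setdefault(int(m.group(2)), m.group(3))
    return sorted(seen.items())

def audit(running: List[str], show: List[Tuple[int, str]]) -> Dict:
    """Walk both lists in order. A running entry matches when the show text starts with it
    (show appends 'log informational ... (hitcnt=N) 0x...'); unmatched remarks are reported."""
    missing, i = [], 0
    for pos, entry in enumerate(running, start=1):
        if i < len(show) and show[i][1].startswith(entry):
            i += 1
        elif entry.startswith("remark"):
            missing.append((pos, entry))
        else:
            raise ValueError(f"running-config entry {pos} has no counterpart in show access-list: {entry}")
    return {"missing_remarks": missing, "running_count": len(running), "show_count": len(show),
            "first_show_line": show[0][0] if show else None}

def show_line_for(report: Dict, running_pos: int) -> int:
    """The 'line N' the ASA numbers for the entry at 1-based running-config position running_pos."""
    dropped_before = sum(1 for pos, _ in report["missing_remarks"] if pos < running_pos)
    return report["first_show_line"] + running_pos - 1 - dropped_before

if __name__ == "__main__":
    rep = audit(running_entries(RUNNING_CONFIG, "inside_access_in"), show_entries(SHOW_ACCESS_LIST, "inside_access_in"))
    for pos, remark in rep["missing_remarks"]:
        print(f"running-config entry {pos} absent from show access-list: {remark}")
```

Run against full outputs, the report gives the offset to apply before an "access-list NAME line N ..." insert; when the remark count differs, `show_line_for` is the number to use rather than the running-config position.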
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration. Although it is working fine, it is not secure because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Can anybody help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to: ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG server. -
Access-list in Cisco 3560 Series Switch
Guys,
I will be implementing access-lists in 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow ports that the user need to access. The ports will be as follows, tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and port used by IP Phone.
Hope you can help me guys.
Thanks,
John
and then don't forget to call this access-list on the interface or VLAN you want to apply it to.
You can use a number for the ACL > 100 or a name as indicated earlier.
If you go with just a number :
access-list 100 permit tcp any any eq 80 81 ...
access-list 100 permit udp any any eq 23
int g1/0/1
ip access-group NAME in
OR
ip access-group 100 in
As for example :
NMS-3750-A(config-if)#ip acc
NMS-3750-A(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name