Configuring ACL's on ISA550
I want to configure Bogon List and many other IP block Lists but I'm unable to do so using the GUI for example - I cannot enter following entries since the netmask isn't getting accepted:
0.0.0.0 0.255.255.255
10.0.0.0 0.255.255.255
100.64.0.0 0.63.255.255
127.0.0.0 0.255.255.255
169.254.0.0 0.0.255.255
172.16.0.0 0.15.255.255
192.0.0.0 0.0.0.255
192.0.2.0 0.0.0.255
192.168.0.0 0.0.255.255
198.18.0.0 0.1.255.255
198.51.100.0 0.0.0.255
203.0.113.0 0.0.0.255
224.0.0.0 31.255.255.255
I'm confused as to where I'm going wrong. Secondly is there a way I can configure the firewall using CLI?
Thanking you in anticipation,
Parth Maniar.
Parth,
Those are wildcard masks that you would normally see in a Cisco IOS Router. You need to utilize subnet masks.
0.0.0.0 255.0.0.0
10.0.0.0 255.0.0.0
100.64.0.0 255.192.0.0
127.0.0.0 255.0.0.0
169.254.0.0 255.255.0.0
172.16.0.0 255.240.0.0
192.0.0.0 255.255.255.0
192.0.2.0 255.255.255.0
192.168.0.0 255.255.0.0
198.18.0.0 255.254.0.0
198.51.100.0 255.255.255.0
203.0.113.0 255.255.255.0
224.0.0.0 224.0.0.0
Shawn Eftink
CCNA/CCDA
Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Similar Messages
-
Problem with Configuring ACL on ASA 5505
Dear All,
i am trying to configure access list on asa 5505
i have three interfaces
guest with dhcp server
inside static ip range
outside internet
i am trying to close the http protocol from some users in ( inside ) int by writing those command
access-list OUT extended deny tcp host 172.16.100.197 any eq http
access -group OUT out interface outside
it's working but on all the inside network 172.16.100.0/22
could you please help me to apply that on only the specific host or to create a group of hosts and assign this acl on it ?
thanx all
[BEGIN] 7/17/2012 5:31:15 PM
sho run
: Saved
ASA Version 8.2(5)
hostname ConcordeASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 12
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
<--- More --->
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.1 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Vlan12
no forward interface Vlan1
nameif Guest
security-level 50
ip address 192.168.1.1 255.255.252.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup Guest
dns server-group DefaultDNS
<--- More --->
name-server 212.77.192.59
name-server 212.77.192.60
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list Guest_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest) 1 0.0.0.0 0.0.0.0
access-group Guest_access_in in interface Guest
route outside 0.0.0.0 0.0.0.0 78.100.85.250 1
route inside 172.16.100.0 255.255.252.0 172.16.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- More --->
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
<--- More --->
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
<--- More --->
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.100.5-172.16.101.4 inside
<--- More --->
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
<--- More --->
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:da1f2a6b2477754c30dfaef9172b8ed8
: endDear All
thank you very much for your replies but nothing solved my problem
Dear Ramraj
when i am trying to do this command :no route inside 172.16.100.0 255.255.252.0 172.16.100.1 it gives me an ERROR
(ERROR: Cannot remove connected route)
could you all please help me
thank you
this is the newest running-config
ASA Version 8.2(5)
hostname ConcordeASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
switchport access vlan 12
interface Ethernet0/5
switchport access vlan 12
interface Ethernet0/6
<--- More --->
<--- More --->
interface Ethernet0/7
<--- More --->
interface Vlan1
nameif inside
security-level 100
ip address 172.16.100.1 255.255.252.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 0.0.0.0
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 212.77.192.59
name-server 212.77.192.60
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside extended deny tcp host 172.16.100.197 any eq www
access-list inside extended permit ip any any
pager lines 24
<--- More --->
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1
route inside 172.16.100.0 255.255.252.0 172.16.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
<--- More --->
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
<--- More --->
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
<--- More --->
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 172.16.100.5-172.16.101.4 inside
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
<--- More --->
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
<--- More --->
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:bf1a120dc577a777b78b98d9ee887b04
: end -
ASA 5510 ignoring configured acl entry?
Greetings,
I'm configuring up aa ASA-5510, and I have several interfaces, some of which include:
interface Ethernet0/0.200
vlan 200
nameif SITECORP
security-level 90
ip address 10.1.4.1 255.255.254.0
interface Ethernet0/0.207
vlan 207
nameif SITESERVER
security-level 90
ip address 10.1.7.1 255.255.255.128
interface Ethernet0/1.311
vlan 311
nameif MOD1BMS
security-level 100
ip address 10.1.144.1 255.255.252.0
I have the following access-lists configured and applied:
access-list SITECORP_access_in extended permit ip any any
access-list SITESERVER_access_out extended permit tcp object-group SITECORP object-group SITESERVER eq www
access-list MOD1BMS_out extended permit tcp object-group SITECORP object-group MOD1BMS eq www
fw# show run object-group
object-group network SITECORP
network-object 10.1.4.0 255.255.254.0
object-group network MOD1BMS
network-object 10.1.144.0 255.255.252.0
object-group network SITESERVER
network-object 10.1.7.0 255.255.255.128
fw# show run nat-control
no nat-control
packet-tracer shows traffic from SITECORP to MOD1BMS (a higher security-level) on tcp/80 is successful, whereas it shows the same traffic from SITECORP to SITESERVER is denied, due to implicit rule.
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.144.200 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group SITECORP_access_in in interface SITECORP
access-list SITECORP_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd5641ec8, priority=12, domain=permit, deny=false
hits=1860, user_data=0xd5526cb0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
fw# packet-tracer input SITECORP tcp 10.1.4.11 1234 10.1.7.11 80 detailed
<snip>
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd544e8c8, priority=110, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
Can anyone suggest what I'm missing, how to go about making this work, or what more I might provide to troubleshoot?
Regards,
PhilHello Phil,
That is correct no matter what ACE (access-list entries) you have configured on one interface, if that interface wants to talk to another one with the same security level, the connection would not be allowed (Asa/Pix speaking)
But you do not have to change the Security level, of course that is one work-around but again the solution is :
- same-security-traffic permit inter-interface
Please mark the question as answered for future queries regarding the same issue unless you have any other question, I would be more than glad to help.
Regards,
Julio -
Configure user-defined-metadata and ACL in XML DB
Hi!
What tools are to configure ACL in XML DB Repository? and how to make it possible to set with document some extra parameters(user-defined-metadata) ?Here is a little more information:
Not in this release. The compiler can leave metadata in the
swf at compile
time, and you can read it back at runtime using describeType.
But the list
of metadata the compiler leaves in is hardcoded right now. I
expect we'll
make it extensible in a future release.
Jason Szeto
Adobe Flex SDK Developer
"Manish Jethani" <[email protected]> wrote in message
news:e4er1i$gao$[email protected]..
> "Fleks" <[email protected]> wrote in
message
> news:e4dku2$315$[email protected]..
>> I'm looking for a way to associate custom metadata
with AS properties
>> (and
>> classes). For example I would like to mark a
property as "advanced" in
>> the
>> source code, and be able access the metadata at
runtime. The following of
>> course won't work, but shows an example syntax of
what I'm looking for:
>>
>> @advanced
>> var myAdvancedProperty;
>
> The metadata is used by the MXML compiler (mxmlc) and
the internal
> document-generation tool. There's no way to add your own
metadata and
> access it at runtime (as far as I know).
>
> --
> Manish Jethani
> Developer, Flex Framework
> Adobe Systems Inc.
>
> -
ACL not Working with Keepalive Configuration
Hi,
I have configured ACL on CSS 11506 with software version 07.50.1_03.0 .After configuring we observed in show keepalive-summary all Server serivce are up except the App server service where keepalive type TCP & Port is configured we tried by removing keepalive configuration from App server afterwhich it is working fine does any specfic port needs to be allowed in ACL for Keepalive.Below is the conifguration which is done CSS.
acl enable
acl log enable
acl 1
clause 1 permit tcp any destination any eq 8080
clause 2 permit tcp any destination any eq 80
clause 3 permit tcp any destination any eq 443
clause 4 permit any any destination 224.0.0.18
clause 5 permit icmp any destination any
apply all
service WEBSERVER 1
ip address 1.1.1.11
redundant-index 1
protocol tcp
port 80
active
service WEBSERVER 2
ip address 1.1.1.12
redundant-index 2
protocol tcp
port 80
active
service APP1
ip address 1.1.2.11
redundant-index 10
Keepalive type tcp
Keepalive port 8080
active
service APP2
ip address 1.1.2.12
redundant-index 11
Keepalive type tcp
Keepalive port 8080
activeHi,
Thanks for reply kindly find the below required output & let me your views.
CSS11506_Backup# sh keepalive-sum
Keepalives:
AUTO_nexthop00001 State: Alive 1.1.3.1
AUTO_nexthop00002 State: Alive 1.1.3.1
AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
AUTO_WEBSERVER-01 State: Alive 1.1.4.6
AUTO_WEBSERVER-02 State: Alive 1.1.4.7
AUTO_chk-con-pix103 State: Alive 1.1.3.4
AUTO_chk-con-pix225 State: Alive 1.1.3.17
AUTO_chk-con-web104 State: Alive 1.1.4.5
AUTO_chk-con-web224 State: Alive 1.1.1.18
AUTO_chk-con-pix227 State: Alive 1.1.4.4
AUTO_chk-con-app226 State: Alive 1.1.2.4
AUTO_SEZAPP1 State: Down 1.1.2.11
AUTO_SEZAPP2 State: Dying 1.1.2.12
AUTO_nexthop00005 State: Alive 1.1.4.1
CSS11506_Backup# sh keepalive-sum
Keepalives:
AUTO_nexthop00001 State: Alive 1.1.3.1
AUTO_nexthop00002 State: Alive 1.1.3.1
AUTO_SEZ-WEBSERVER-03 State: Down 1.1.1.11
AUTO_SEZ-WEBSERVER-04 State: Down 1.1.1.12
AUTO_WEBSERVER-01 State: Alive 1.1.4.6
AUTO_WEBSERVER-02 State: Alive 1.1.4.7
AUTO_chk-con-pix103 State: Alive 1.1.3.4
AUTO_chk-con-pix225 State: Alive 1.1.3.17
AUTO_chk-con-web104 State: Alive 1.1.4.5
AUTO_chk-con-web224 State: Alive 1.1.1.18
AUTO_chk-con-pix227 State: Alive 1.1.4.4
AUTO_chk-con-app226 State: Alive 1.1.2.4
AUTO_SEZAPP1 State: Down 1.1.2.11
AUTO_SEZAPP2 State: Down 1.1.2.12
AUTO_nexthop00005 State: Alive 1.1.4.1
CSS11506_Backup# sh keepalive
Keepalives:
Name: AUTO_nexthop00001 Index: 0 State: Alive
Description: Auto generated for service nexthop00001
Address: 1.1.3.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00001
Name: AUTO_nexthop00002 Index: 1 State: Alive
Description: Auto generated for service nexthop00002
Address: 1.1.3.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
nexthop00002
Name: AUTO_-WEBSERVER-03 Index: 2 State: Down
Description: Auto generated for service -WEBSERVER-03
Address: 1.1.1.11 Port: 80
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
-WEBSERVER-03
Name: AUTO_-WEBSERVER-04 Index: 3 State: Down
Description: Auto generated for service -WEBSERVER-04
Address: 1.1.1.12 Port: 80
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
-WEBSERVER-04
Name: AUTO_WEBSERVER-01 Index: 4 State: Alive
Description: Auto generated for service WEBSERVER-01
Address: 1.1.4.6 Port: 80
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
WEBSERVER-01
Name: AUTO_WEBSERVER-02 Index: 5 State: Alive
Description: Auto generated for service WEBSERVER-02
Address: 1.1.4.7 Port: 80
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
WEBSERVER-02
Name: AUTO_chk-con-pix103 Index: 6 State: Alive
Description: Auto generated for service chk-con-pix103
Address: 1.1.3.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.3.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix103
Name: AUTO_chk-con-pix225 Index: 7 State: Alive
Description: Auto generated for service chk-con-pix225
Address: 1.1.3.17 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.3.17"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix225
Name: AUTO_chk-con-web104 Index: 8 State: Alive
Description: Auto generated for service chk-con-web104
Address: 1.1.4.5 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.4.5"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-web104
Name: AUTO_chk-con-web224 Index: 9 State: Alive
Description: Auto generated for service chk-con-web224
Address: 1.1.1.18 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.1.18"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-web224
Name: AUTO_chk-con-pix227 Index: 10 State: Alive
Description: Auto generated for service chk-con-pix227
Address: 1.1.4.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.4.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-pix227
Name: AUTO_chk-con-app226 Index: 11 State: Alive
Description: Auto generated for service chk-con-app226
Address: 1.1.2.4 Port: Any
Type: SCRIPT ap-kal-pinglist
Script Arguments: "1.1.2.4"
Script Error: None
Script Run Time: 0 seconds
Script Using Output parsing: No
Encryption: Disabled
Frequency: 2
Max Failures: 2
Retry Frequency: 2
Dependent Services:
chk-con-app226
Name: AUTO_APP1 Index: 12 State: Down
Description: Auto generated for service APP1
Address: 1.1.2.11 Port: 8080
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
APP1
Name: AUTO_APP2 Index: 13 State: Down
Description: Auto generated for service APP2
Address: 1.1.2.12 Port: 8080
Type: TCP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services:
APP2
Name: AUTO_nexthop00005 Index: 14 State: Alive
Description: Auto generated for service nexthop00005
Address: 1.1.4.1 Port: Any
Type: ICMP
Encryption: Disabled
Frequency: 5
Max Failures: 3
Retry Frequency: 5
Dependent Services: -
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So couldn't I configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
Thank you
RomanHi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
How to configure IP Address filter in Controller based Access Points ?
Dear Team,
Configuration:
i have 5508 series controller and joined the two Thin APs to the controller. WLAN controller is connected to PC where Multicast receiver is running for two Multicast IP addresses (IP1: 230.1.1.1, IP2: 230.1.1.2). Multicast sender is running for two IP addresses on Station.
Requirement:
When Station is associated to AP1, AP1 should block the multicast packets going to AP2 and vice versa . That is AP1 should be configured to block multicast packets going to 230.1.1.2 and AP2 should be configured to block multicast packets going to 230.1.1.1.
Thanks,
HarshaI believe you could apply ACLs and check if that helps.
For more details about configuring ACLs, please refer to the following link:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110101.html#task_AA3AFA57D51647478E0C3511137C165E
Hope that helps. -
ACLs in a Failsafe/data guard environment
Hi,
We have recently upgraded to Oracle Enterprise Edition 11.2.0.3
We had a slight issue with a few batch processes which sent success emails - we hadn't configured ACL permissions (We knew about it, and was on the log, but somehow got missed). All set up fine now in our test environment, but got a couple of queries before I set up in production.
Had a look in the documentation and tried searching
The ACLs I believe are managed as an XML file, on the database server, correct?
If so, how do we manage this on both a clustered, and a data guard environment? Or in the case of a database restore? Is the ACL file automagically regenerated out of some database metadata? Or do we need to recreate in each environment?
Any ideas?
Cheers,
CarlHi,
there is two ACL(Access Control List) one at Db level ans one is used at UNIX command for file permission , as you mentioned you have permission issue in batch execution.
so you can check below link
http://www.dartmouth.edu/~rc/help/faq/permissions.html
i am not sure which ACL you required. -
Probably super simple...ACL/VLANs
I have a VLAN 6 that is dedicated to a Partner organization (they share our bandwidth and schedule conference rooms with our Exchange).
Question is how do I configure ACLs to direct ALL traffic to and from Partner, exception of accessing our Outlook Web Access and DNS servers in VLAN 1, and our websites in VLAN 2 ?
This is probably super simple but I keep ending up with traffic going where I don't want it to. Thanks so much...
(And if anything else seems wacky about this setup, blame the last IT guy)What is the platform you are using??? ASA, router??
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Urgent: ACL on WLC 5508 + Transperant Proxy
Hello,
I'm doing some experiment on a test SSID to configure ACL for limited resources on our Wired/Wireless network.
I'm/using and I would like to use Web Authentication page. I have created an ACL under Access Control List namely, ICT. With this, I have created an ACL rules as follows;
Seq Action Source IP/Mask Destination IP/Mask Protocol Source Port Dest Port DSCP Direction Number of Hits
1 Permit 1.1.1.1 / 32 0.0.0.0 /0.0.0.0 TCP Any Any Any Outbound
2 Permit 0.0.0.0 / 32 1.1.1.1 /32 TCP Any Any Any Inbound
3 Permit 0.0.0.0 / 32 192.168.10.190 /32 UDP DNS Any Any Inbound
4 Permit 192.168.10.190/32 0.0.0.0 /0.0.0.0 UDP DNS Any Any Outbound
5 Permit 0.0.0.0 / 32 Proxy-vIP /32 Any Any Any Any Inbound
6 Permit Proxy-vIP / 32 0.0.0.0 /0.0.0.0 Any Any Any Any Outbound
The authentication page comes fine, but as soon as I entered the username and password correctly, the page it doesn't redirect and IE error shows The Page cannot be displayed.
In the Edit Page of the WLAN ->Security -> Layer 3, I have selected the Preauthentication ACL as ICT, but still I can't browse the Internet..
Any help, highly appreciated.
Regards,Hello,
The Web Authentication proxy is for organizations who is having Explicit proxy in their browsers and want to implement Authentication Page from WLC. Sorry, this solution is not for what I'm intended to do.
I have created a test ACL as below and the internet started working, but this rule is nothing actually, becuase I started reaching everything on other vLANs.
Sequence
Source
Any
Destination
Any
Protocol
Any
DSCP
Any
Direction
Any
Action
Permit -
HI
I hope might be a number of issues has reported like this, I am gettnig confused about the direction of an acl, when it is on a router's physical interface and when it is on a Layer Switch SVI interface, I think my understanidng about acl needs to get cleared, need your kind input please.
I have a L3 switch with 3 vlans
Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connect to another router some where in in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
I want to allow only specific network to come inside to my network to access all the subnets, other all must be blocked.
I want all in my network to access any thing outside the network.
i tried to configure acl as below-
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
int vlan 1
ip add 172.16.1.1 255.255.255.0
ip access-group 101 in
When i am trying from outisde (172.16.100.1) -
Ping 172.16.10.1 - Good (expected)
Ping 172.16.11.1 - NOT (expected)
When I am trying to ping from inside Server-Vlan (172.16.10.1)
Ping 172.16.100.1 - Good
The problem -
When i am trying to ping from inside User-Vlan (172.16.11.1) to go outside to 172.16.100.1 am not getting reply
what is wrong happening here in this scenario?
regards
SunnyHi Jon,
I was working on the ACL for the above issue. i have found the below thigs-
int vlan 1
des Routing vlan
ip 172.16.1.1 255.255.255.0
ip access-group 110 in
int vlan 10
des server vlan
ip 172.16.10.1 255.255.255.0
int vlan 11
des Users
ip add 172.16.11.1 255.255.255.0
ip access-group 100 in
acl applied on vlan 10 and and 11 are inbound in direction so as like we have mentioned before, the traffic coming from each vlan (172.16.10.x OR 172.16.11.x) can be filtered at the SVI itself. infact i need to put below statement in bold to ping its own gateway.
ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
ip access-list 100 permit 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
And for filtering the traffic coming from outside, i had to put the acl on interface vlan 1 and called in INBOUND direction.
access-list 110 permit ip 172.16.100.0. 0.0.0.255 172.16.10.0 .0.0.0.255
access-list 110 permit ip 172.16.100.0. 0.0.0.255 172.16.11.0 .0.0.0.255
access-list 110 permit ip 172.16.101.0. 0.0.0.255 172.16.10.0 .0.0.0.255
access-list 110 permit ip 172.16.101.0. 0.0.0.255 172.16.11.0 .0.0.0.255
what i understood,
for vlan 10 or 11 - if i call outbound means the traffic coming from outside and destined to inside of that vlan.
for vlan 10 or 11 - if i call inbound means the traffic coming from inside of that vlan and destined to outside.
But for Vlan 1, which is the routing vlan,connecting to the other network the behaviour is just reverse-
If i call inbound means the traffic coming in to that vlan initerface from Outside
If i call outbound means the traffic that going out through that interface.
so i ddint call any acl in outbound direction as of now.
Dear Jon, thanks for taking time to describing the scenario in detail before.
please check this and let me know that my conclusion is correct or is there anything left to be in the loop again...!!!
Thanks and Regards
Suuny -
NAC Framework NAC-L3-IP, passing posture validation, but no ACLs downloaded
Hi
I've got the NAC Framework NAC-L3-IP setup using an 1800 router and Cisco ACS Server 4.2. When my client attempts to reach the internet (through our NAD configured for network admission), I get a popup saying the Posture is Healthy, the ACS server says its good, yet I never get any of my configured ACLs downloaded to the router. I think my problem is with my RADIUS AUthorization Components...what should the Healthy RAC look like? This is what I've currently got;
IETF Session-Timeout (27) 36000
IETF Termination-Action (29) RADIUS-Request (1)
Cisco IOS/PIX 6.0 cisco-av-pair (1) status-query-timeout=300
I've got that RAC tied to a NAP and a downloadable ACL also associated to it through the Network Access Profiles page.
Can anyone provide help with this. ThanksOoops, nevermind, I had to enable aaa authorization network default group radius and then the ACLs downloaded as expected. Thanks!
Jason -
3850 mobility - - named ACLS From ISE
Hi all
i'm middle in the test for 3850 MC- Downloadable ACLs, i settle up at ISE and working good in 2960. But as you know
when i use DACL with WLC(3850). ISE just send ACLs name and WLC get that ACLs name then ACLs working on.
But i think ISE send a acls name but wlc not working... i already double check acls name..and.. what?
So do you have any document for this? Step by Step.
thank youthank you salodh
OK Not a downlodable ACLs in WLC, I want know is ISE give a named ACLs to WLC and ACLs works in
WLC for Wireless Client. am i clear?
i configured ACLs of WLC at ISE and also made same acl in WLC but ACLS didn't work. -
I can not push the configuration to the controllers
Involved hardware / software:
2x Cisco 6509E in VSS-1440 configuration
6509E running software version 12.2(33)SXI
2x WS-SVC-WISM-1-K9 WiSM module (1 per 6509)
WiSM running software version 4.2.205.0
1x WCS version 4.2.128.0
This is according to Cisco the WCS version to use with the WiSM software version 4.2.205.0 - it was released for this version
Configuration that makes problems:
⢠First: I configure an ACL on the WCS - this is correctly pushed to the Controller configuration
⢠Second: I set the configured ACL as âPreauthentication ACLâ for the web authentication
⢠This setting is NOT pushed to the controllers - I have to configure it via the CLI every time I apply the WLAN settings.WiSM running software version 4.2.205.0 and WCS version 4.2.128.0?
Shouldn't the WCS be of the higher version? -
Hi,
I have question regarding mixing ACL permit and deny statements. I am using network object-groups. I have a specific requirement.
a. I have to permit few port access to servers in object-groups
b I have to deny all other ports to these servers in object-groups
c. I have to permit traffic to all other network.
I am using following ACLs. Is this going to achieve that and I am trying to do by mxing permits and deny statements.
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 465
access-list OUTSIDE_IN extended permit tcp any object-group SMTP_SERVERS eq 587
access-list OUTSIDE_IN extended deny ip any object-group SMTP_SERVERS log
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS-2 object-group http-https
access-list OUTSIDE_IN extended deny ip any object-group WEB_SERVERS-2 log
access-list OUTSIDE_IN permit ip any any
Is this workable on FWSMs? Any drawbacks for this method.
What is best way to implement ACLs so deleting an ACE or adding an ACE is simpler and manageable.
ThanksHi,
The above configuration does the following
Allows connections to IPs/Networks under SMTP_SERVERS from "any" source address while using destination port TCP/465 or TCP/587
Deny all other TCP/UDP connections to the IPs/Networks under SMTP_SERVERS
Allows connections to IPs/Networks under WEB_SERVERS-2 from "any" source address while using destination ports configured under http-https
Deny all other TCP/UDP connections to the IPs/Networks under WEB_SERVERS-2
Permit all the rest of the traffic no matter what the source and destination IP/Port are
It seems to me that this is an ACL to limit traffic from Internet to your servers. The ACL configured for "outside" interface usually only contains permit statements and all other traffic is denied by default. I wouldnt suggest using an ACE such as "permit ip any any" in an ACL that is controlling traffic that will be entering your LAN network.
I'd say the above configuration you listed is more common for traffic leaving your network/server than traffic entering your network/server. In some DMZs for example you might want to allow the servers to communicate to the LAN only with certain destination ports and block all other traffic to the LAN. And after that you would still want to give the server full access to Internet.
One example of such might be
access-list DMZ-IN remark Allow TCP/80 traffic to LAN
access-list DMZ-IN permit tcp host 10.10.10.10 10.10.20.0 255.255.255.0 eq 80
access-list DMZ-IN remark Deny all other TCP/UDP traffic to LAN
access-list DMZ-IN deny ip host 10.10.10.10 10.10.20.0 255.255.255.0
access-list DMZ-IN remark Allow all TCP/UDP traffic to other networks
access-list DMZ-IN permit ip host 10.10.10.10 any
Object-groups are a good way to keep the running-configuration in clear format when ACL statements need to include many address ranges/IPs/ports/port ranges and you cant handle it with just simply configuring them line by line.
Drawback for using object-groups could be when you have a lot of object-groups containing alot of entries and the same object-groups are used frequently. This will eventually eat up resources from the FWSM though I'd imagine it requires alot of them. I have run into such a problem in a FWSM with multiple contexts where a single context reached it maximum amount of configure ACL rules. (This could have been changed by reallocating resources but instead the other party agreed to "optimize" the ACL )
Please rate if you have found any of the information helpfull
- Jouni
Maybe you are looking for
-
Hi All, I have project & WBS data in my Datasource. I have checked using RSA3 for a Datasource, and i c that the Project and Wbs data appear exactly as the Table Data like For Ex: Refer this Record values for WBS and Project respectuvely. (WBS)P00025
-
Deferred Constraints - error on inserting
Hi there, i've got a very courios problem with deferred constraints. My table creates are: CREATE TABLE mitglied ( svnr NUMBER(10) NOT NULL, instr VARCHAR(20) NOT NULL, CONSTRAINT mitglied_pk PRIMARY KEY (svnr)); CREATE TABLE abteilung ( instr VA
-
I am unable to load GRAPHIC files using the transaction SFP.
I am unable to load GRAPHIC files using the transaction SFP. The error message says that there is no connection to the below given url. http://<hostname:8000>/sap/bc/fp/ is it something like i have to activate this service in transaction sicf ?
-
On ADSL but supposed to be linked to Fibre (new ca...
OK so suffering with 1 to 1.5 speeds even with SNR adjusting, occasionally rises to 2 and then drops. For a while I was with EE and had the line checked by BT Engineer, everything was fine, his parting comment was "why dont you contact your ISP and t
-
How to make HDivide Box Bars clickable?
Does anyone know how to make the bars of a HDivide box click able so I can collapse or open the children. Basically when clicked I want to collapse the bars and change the bar image and then if it's closed have it open... Similar to Editing tools in