Configuring Extended Access List with Any statement

Similar Messages

• Extended access list with multiple ports

  Hello All,
  I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
  I receive the following message:
  The informations of my Switch are the following:
  Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
  12.2(52)SG, RELEASE SOFTWARE (fc1)
  Please help me to resolve this problem.
  Best regards.

  Thank you Alex for your response.
  Yes, this is an example:
  permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
  I have more ACLs and each ACL contains more conditions with multiples Por

• Nered to know where I can view ACL denies regarding "access-list deny any log" ?

  I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
  I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

  Hi,
  Yes, with an extended access-list with the last line:
  deny ip any any log
  with "sh log" you can  see the source address of the packets being dropped.
  Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
  logging console debugging
  logging monitor debugging
  With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
  access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
  access-list 101 deny   udp any range 0 65535 any range 0 65535 log
  access-list 101 deny   icmp any any log
  access-list 101 deny   ip any any log
  to log the sources and destinations IPs and port numbers.
  Best Regards,
  Pedro Lereno

• ICMP Inspection and Extended Access-List

  I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
  What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
  policy-map global_policy
  class inspection_default
  inspect_icmp
  However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
  access-list inbound permit icmp any any echo-reply
  access-list inbound permit icmp any any source-quench
  access-list inbound permit icmp any any unreachable 
  access-list inbound permit icmp any any time-exceeded
  access-group inbound in interface outside
  Will the PING complete?
  Thank you,
  T.J.

  Hi, T.J.
  If problem is still actual, I can answer you this question.
  Let's see situation without ICMP inspection enabled:
  The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
  In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.
  Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.
  If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.
  P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower.

• Failed Extended Access-list

  Hello all,
  I am trying to apply this extended access-list  to my router to permit the selected ports and deny the rest but my emails are not sending outside, all emails are stuck in the queue. If I remove the access-list, all emails goes freely. Whats left in my configuration?
  access-list 101 permit tcp host 192.168.111.30 eq 53 any
  access-list 101 permit udp host 192.168.111.30 eq 53 any
  access-list 101 permit tcp host 192.168.111.30 eq 25 any
  access-list 101 permit tcp host 192.168.111.30 eq 443 any
  access-list 101 permit tcp host 192.168.111.30 eq 587 any
  access-list 101 permit tcp host 192.168.111.30 eq 995 any
  access-list 101 deny ip any any
  Interface Dialer 0
  ip access-group 101 out

  Here is the complete configuration.
  Router#sh run
  Building configuration...
  Current configuration : 3665 bytes
  ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
  ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
  ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  no aaa new-model
  crypto pki token default removal timeout 0
  ip source-route
  ip cef
  no ipv6 cef
  license udi pid C887VA-W-E-K9 sn FCZ1624C30K
  username admin privilege 15 password 7 045A0F0B062F
  controller VDSL 0
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
  crypto ipsec transform-set TS esp-3des esp-md5-hmac
  crypto ipsec profile protect-gre
   set security-association lifetime seconds 86400
   set transform-set TS
  interface Loopback0
   ip address 10.10.10.1 255.255.255.255
  interface Tunnel4120
   ip address 10.0.0.1 255.255.255.0
   no ip redirects
   ip mtu 1400
   ip nhrp authentication cisco
   ip nhrp map multicast dynamic
   ip nhrp network-id 123
   ip tcp adjust-mss 1360
   tunnel source Dialer0
   tunnel mode gre multipoint
   tunnel key 123
   tunnel protection ipsec profile protect-gre
  interface ATM0
   no ip address
   no atm ilmi-keepalive
   pvc 0/35
    pppoe-client dial-pool-number 1
  interface Ethernet0
   no ip address
   shutdown
   no fair-queue
  interface FastEthernet0
   no ip address
  interface FastEthernet1
   no ip address
  interface FastEthernet2
   no ip address
  interface FastEthernet3
   no ip address
  interface Wlan-GigabitEthernet0
   description Internal switch interface connecting to the embedded AP
   switchport mode trunk
   no ip address
  interface wlan-ap0
   description Embedded Service module interface to manage the embedded AP
   ip unnumbered Vlan1
  interface Vlan1
   ip address 192.168.111.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
   ip tcp adjust-mss 1360
  interface Dialer0
   ip address negotiated
   ip access-group 101 out
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   dialer pool 1
   ppp authentication chap callin
   ppp chap hostname xxxxxxxxxxxxxxxxx
   ppp chap password 7 03077313552D0F411E512D
  router rip
   version 2
   network 10.0.0.0
   network 192.168.111.0
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source list 1 interface Dialer0 overload
  ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
  ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
  ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
  ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 permit 192.168.111.30
  access-list 10 permit 192.168.111.0 0.0.0.255
  access-list 101 permit tcp host 192.168.111.30 eq 53 any
  access-list 101 permit udp host 192.168.111.30 eq 53 any
  access-list 101 permit tcp host 192.168.111.30 eq 25 any
  access-list 101 permit tcp host 192.168.111.30 eq 443 any
  access-list 101 permit tcp host 192.168.111.30 eq 587 any
  access-list 101 permit tcp host 192.168.111.30 eq 995 any
  access-list 101 deny ip any any
  line con 0
  line aux 0
  line 2
   no activation-character
   no exec
   transport preferred none
   transport input all
   stopbits 1
  line vty 0 4
   access-class 10 in
   login local
   transport input all
  scheduler allocate 20000 1000
  end
  Router#

• Nexus1000v : ip access-list with port range

  Hi,
  I am configuring ip access-list policy with port range on Nexus1000v. I want to block traffic of a VM based on specific port or port range. Following is the example showing, blocking of rdp service (port - 3389) of vm x.x.x.x. But the scipt blocks all traffic of x.x.x.x.
  Can any body verify the scirpt and tell whats the problem with the script?
  vm x.x.x.x is on Veth2
  config t
  ip access-list Veth2_rc_vmfw_acl_in
  deny tcp any host x.x.x.x eq 3389
  exit
  ip access-list Veth2_rc_vmfw_acl_out
  deny tcp host x.x.x.x any eq 3389
  exit
  interface Veth2
  ip port access-group Veth2_rc_vmfw_acl_in in
  ip port access-group Veth2_rc_vmfw_acl_out out
  exit
  exit
  Thanks

  License? Check Data Features

• Change an extend access list in a prefix list

  Hallo All,
  I would like to translate an extend access list in a prefix list.
  ip access-list extended x_to_y
  permit ip 1.1.1.1 0.0.1.255 any
  deny ip any host 3.3.3.3
  Any hint?
  Thanks!!!

  Hi Fabio,
  I am sorry but to my best knowledge, this is not going to work.
  You want to perform Policy Based Routing (PBR). For PBR, the packet selection is based on inspecting their header values by an ACL. A prefix-list does not inspect header values; rather, it would inspect routing update contents. This is also the reason why you cannot figure out how to rewrite the second line - because a prefix-list does not have a source-and-destination semantics. It is simply a list of network addresses you would be looking for in routing protocol updates.
  Even the documentation at
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html
  clearly shows that the only supported match commands are match length and match ip address - not match ip address prefix-list.
  I wonder - how come that your platform is unable to accomodate an ACL for PBR in hardware? Can we perhaps try to make this work? A prefix-list is not the way to go.
  Best regards,
  Peter

• LMS 4.2 Compliance check extended access-list

  Hi,
  I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
  I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
  I have made a new compliance check like this:
  'submode': ip access-list extended 'acl-name'
  +deny tcp any any eq smtp
  But that is not working, Can some one show me the 'right path'?
  Thanks
  Soren                 

  Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
  Name:
  Archive Mgmt Job Work Order
  Summary:
  General Info
  JobId: 2704
  Owner: admin
  Description: test_acl
  Schedule Type: Immediate
  Job Type: Compliance Check
  Baseline Template Name: test_acl
  Attachment Option: Disabled
  Report Type: NAJob Policies
  ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
  Job Based Password: DisabledDevice Details
  Device
  Commands
  Sup_2T_6500
    ip access-list standard 21
    permit host 10.20.30.40
    permit host 40.30.20.10
    deny any log
  10.104.149.180
    ip access-list standard 21
    permit host 10.20.30.40
    permit host 40.30.20.10
    deny any log
  Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
  -Thanks
  Vinod
  **Rating Encourages contributors, and its really free. **

• APEX Pages - User Access List with NTLM

  Hi,
  I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
  I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
  1. users (hold user name, and user data)
  2. pages (hold APEX Applications pages)
  3. access_list (hold combined data of users and pages and access flag)
  The last table will give me an SQL that can be used to create page level Authorization Scheme.
  The problem is:
  I cannot find a way to get a list of user ids to pre-populated the table users. Is there a way that an administrator user use an LOV of all NTLM user instead of typing domain\user to this application? OR is there a better and elegant way to create User Access List with NTLM.
  Your helps will really help me, and thanks in advance.
  Regards,
  Aulia

  This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
  You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
  That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
  If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
  Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
  I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Access list with multiple object groups

  Hello Everyone,
  I am using a cisco ASA 5525 with 8.6 code.  I am trying to setup access list for oubound access meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-groupc outbound_access in interface inside "
  I am trying to use object-groups where ever i can.  Here is an example.
  object-group service obj_Meraki_outbound
  service-object tcp destination eq 443
  service-object tcp destination eq 80
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.2.11.0 255.255.255.240
  network-object 10.5.11.0 255.255.225.240
  object-group network obj_Meraki_pub
  des This group lists all hosts associated with Meraki. 
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
  object-group service obj_Meraki_outbound
  service-object tcp destination eq 443
  service-object tcp destination eq 80
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.x.x.x 255.255.255.240
  network-object 10.x.x.x 255.255.225.240
  object-group network obj_Meraki_pub
  des This group lists all hosts associated with Meraki. 
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
  I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This what i think it should be "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
  What i want is the use the service objects and the source network would be obj_Meraki_lan and destination would be obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this maybe with a few examples.  I am already using object groups in many acls but not for every element.
  Thanks

  Hi,
  Seems to work on my test ASA
  Attached it to my current LAN interface.
  ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   0.0.0.0         0.0.0.0         WAN
  Phase: 2
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outbound_access in interface LAN
  access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
  object-group service obj_Meraki_outbound
  service-object tcp destination eq https
  service-object tcp destination eq www
  service-object tcp destination eq 7734
  service-object tcp destination eq 7752
  service-object udp destination eq 7351
  object-group network obj_Meraki_lan
  network-object 10.2.11.0 255.255.255.240
  network-object 10.5.11.0 255.255.255.240
  object-group network obj_Meraki_pub
  description: This group lists all hosts associated with Meraki.
  network-object host 64.156.192.154
  network-object host 64.62.142.12
  network-object host 64.62.142.2
  network-object host 74.50.51.16
  network-object host 74.50.56.218
  Additional Information:
  access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
  Also have used such configuration in some special cases where the customer has insisted on allow specific TCP/UDP ports between multiple networks. And nothing is stopping from adding ICMP into the "object-group service" also.
  - Jouni

• Extended access list on Cisco routers

  Can you edit an access list without delete the entire list? In other words, can you remove a sequence entry with the access list?
  Thanks

  Yes, you can.  If you do sh access-list, the router will show the sequence number.  You can than add a sequence, delete a sequence or change one.
  For example  if you have an acces-list like this:
  Extended IP access list test
  10 deny ip 10.10.10.0 0.0.0.255 any log
  15 deny ip 11.11.11.0 0.0.0.255 any log
  you can now add a new sequence between 10 and 15
  11 deny ip 172.16.10.0 0.0.0.255 any log
  You just have to make sure to use the sequence number when you create the last access-list
  HTH

• Extended access-list error using FQDN

  Hi,
  I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host.
  For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
  This is how I normally add these rules (the ip addresses are fictive):
  access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
  When I try to add this using the hostname on our asa I get an error:
  access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com  ?
  ERROR: % Unrecognized command
  I've tried it without the 'www', so hostname.com but same error.
  How can I solve this?
  Thanks in advance for your time and help
  Regards,

  @zulqurnain
  Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too.

• ACL - extended access lists

  Hi, I'm working through the CCNA ICND2.  Section:  IP Access Control Lists
  On p246 it says "the access-list command must use protocol keywork tcp to be able to match TCP ports and the udp keyword to be able to match UPD ports"
  in an example on p264 they list the statement "access-list 101 permit any any eq telnet"
  I would assume that "telnet" is a word value for "port 23" (just like you can type  "eq www" instead of "port 80")
  therefore does it not have to read "access-list 101 permit tcp any any eq telnet"
  ??? many thanks for your answers - much appreciated.

  it's a typo!!

• Extended access list question

  Hello,
  any suggestions why the following ACL will not apply?
  access-list 100 permit udp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 established
  access-list 100 deny udp any host 192.168.155.18
  access-list 100 deny tcp any host 192.168.155.18
  access-list 100 permit ip any any
  interface GigabitEthernet0/2.16
  description Subnetz 192.168.155.16/28
  encapsulation dot1Q 16
  ip address 192.168.155.17 255.255.255.240
  ip access-group 100 in
  The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
  Thanks,
  Thomas

  Hi Rick,
  no there is no NAT or other things turned on on this device.
  Router#sh ip access-list 100
  Extended IP access list 100
      10 permit udp any host 192.168.155.18 eq domain (379 matches)
      20 permit tcp any host 192.168.155.18 eq domain (5 matches)
      30 permit tcp any host 192.168.155.18 established (1 match)
      40 deny udp any host 192.168.155.18 (788 matches)
      50 deny tcp any host 192.168.155.18 (79 matches)
      60 permit ip any any (562 matches)
  Router#sh ip int gi0/2.16
  GigabitEthernet0/2.16 is up, line protocol is up
    Internet address is 192.168.155.17/28
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound  access list is not set
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP Flow switching turbo vector
    IP Flow CEF switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Full Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is disabled
    BGP Policy Mapping is disabled
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
  Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
  Thanks,
  Thomas