Default action for access list Deny
Hello,
Is it possible to change the default action for an access list deny? Can the ASA be configured to send an icmp unreachable rather than just dropping the packet if an access list denies the request? I have a situation where I would like to restrict access to a specific server for a select number of users. The problem is that the restricted workstations attempt to connect to the server at log in. Since I cannot control the log in script for those users, I was hoping to use the ASA firewall instead. However, using a deny statement causes the workstation to repeatedly send SYN requests for 60 seconds. The restricted users experience an unacceptably long delay at log in. I was hoping to be able to configure the ASA to send an icmp unreachable message for those users and avoid the wait.
Thanks,
Ann
Hello,
As the firewall is supposed to be invisible, there is no way the ASA could send these particular messages. Sorry to inform you of that, but you could request this particular feature through your Cisco account team.
Regards,
Julio
Similar Messages
-
Need to know where I can view ACL denies regarding "access-list deny any log"?
I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers
Hi,
Yes, with an extended access-list with the last line:
deny ip any any log
with "sh log" you can see the source address of the packets being dropped.
Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
logging console debugging
logging monitor debugging
With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
access-list 101 deny tcp any range 0 65535 any range 0 65535 log
access-list 101 deny udp any range 0 65535 any range 0 65535 log
access-list 101 deny icmp any any log
access-list 101 deny ip any any log
to log the sources and destinations IPs and port numbers.
Best Regards,
Pedro Lereno -
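An added example (not part of the original posts) of turning the `sh log` output described above into a per-source tally of denied packets. The log lines are constructed samples in the usual IOS `%SEC-6-IPACCESSLOG*` shape; the exact wording can differ between IOS releases, so the patterns are assumptions to check against your own output.

```python
import re
from collections import Counter

# Constructed sample of `sh log` output (not taken from the thread).
SAMPLE_LOG = """\
*Mar  1 00:05:12.345: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.9.8.7(51514) -> 192.0.2.1(161), 1 packet
*Mar  1 00:05:42.101: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.9.8.7(51514) -> 192.0.2.1(161), 4 packets
*Mar  1 00:06:02.220: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.4.4.4 -> 192.0.2.1 (8/0), 1 packet
*Mar  1 00:06:30.900: %SEC-6-IPACCESSLOGS: list 10 denied 172.16.5.5 3 packets
*Mar  1 00:07:00.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.1(40000) -> 192.0.2.1(22), 1 packet
*Mar  1 00:07:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HEAD = r"list (?P<acl>\S+) (?P<action>denied|permitted) "
TAIL = r",? (?P<count>\d+) packets?"

# One pattern per message type; formats assumed from typical IOS output.
PATTERNS = {
    # extended ACL, TCP/UDP: src(port) -> dst(port)
    "IPACCESSLOGP": re.compile(
        HEAD + rf"(?P<proto>\S+) (?P<src>{IP})\((?P<sport>\d+)\) -> "
        rf"(?P<dst>{IP})\((?P<dport>\d+)\)" + TAIL),
    # extended ACL, ICMP: src -> dst (type/code)
    "IPACCESSLOGDP": re.compile(
        HEAD + rf"(?P<proto>\S+) (?P<src>{IP}) -> (?P<dst>{IP}) "
        r"\((?P<icmp>\d+/\d+)\)" + TAIL),
    # standard ACL (e.g. one bound to an SNMP community): source only
    "IPACCESSLOGS": re.compile(HEAD + rf"(?P<src>{IP})" + TAIL),
}
MNEMONIC = re.compile(r"%SEC-6-(IPACCESSLOG\w*): (.*)")


def parse_line(line):
    """Return a dict for an ACL log line, or None for anything else."""
    m = MNEMONIC.search(line)
    if not m or m.group(1) not in PATTERNS:
        return None
    hit = PATTERNS[m.group(1)].fullmatch(m.group(2).strip())
    if not hit:
        return None
    rec = hit.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def denied_sources(log_text, acl=None):
    """Sum denied packet counts per source, optionally for one ACL."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "denied" and acl in (None, rec["acl"]):
            totals[rec["src"]] += rec["count"]
    return totals


if __name__ == "__main__":
    for src, pkts in denied_sources(SAMPLE_LOG).most_common():
        print(f"{src:15} {pkts} denied packets")
```
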
Setting up default connection for accessing emails...
I had a quick look and found similar problems on here, but none that I thought were the same.
I've been able to set up Gmail to be received through my 'Messaging' on my N96. Turns out its quite a handy function. Also figured out that you can get it to automatically check you mail at regular intervals. I want to use this, but I don't want to have to select the connection every time the phone wants to check for new mail. So I need to set up a preferred connection. That's no problem...
The problem occurs when I try to select my WLAN as default. However, every time I select it, the phone freezes up. Not completely, as I can change programs and even exit the messaging settings via the hang up key, but if I do that, it doesn't make any changes.
I have deleted and restored the WLAN connection, I have accessed my inbox manually, so it isn't a problem on Google's end, and I have checked the various connection options to no avail.
So, does anyone know why it my phone would freeze when trying to set up my WLAN connection as the default connection for accessing my e-mails? Any questions about my situation, just ask and I will gladly supply whatever you ask for.
Regards,
Jarvis
Message Edited by jarvis187 on 15-Jan-2009 01:24 AM
No help available out there? If you need it explained clearer just say so and I'll do so. Thanks in advance.
-
Plant maintenance - Default value for task list
Dear All ,
I am new to the forum. Can anyone throw some light on where I do the customizing settings so that I get a pop-up window asking to change the work centre when I assign a task list to an order?
Sorry if this is a silly question.
Thanks in advance
Hi,
You can define this at the following IMG path:
>Plant maintenance & customer service -Maintenance & service Processing -Maintenance and service orders -Functions and settings for order types -Default value for task list data and profile assignment
It is also possible for each user to maintain their own settings. This can be done using the following menu:
Transaction IW31/32: Extras > Settings > Default values
-Paul -
Need help for access list problem
Cisco 2901 ISR
I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Host can't get internet connection.
I removed this configuration...... access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration .... ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG Server. -
Please assist me for access-list configuration
Dear Team,
Please help me to configure the access-list.
Requirement:
I have three different subnets(10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1, PC3 are within 10.1.1.0 subnets and PC2 and PC4 are within 30.1.1.0 subnets.
I want 10.1.1.0 subnet should not access 30.1.1.0 subnets but 30.1.1.0 subnets should access 10.1.1.0 subnets. Please find below configuration.
At R2:
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
But this configuration is not working, it's blocking the 30.1.1.0 subnet to access 10.1.1.0 also. Please help me!!!!!
Regards,
Sanjib
Hello
I assume the rtrs are performing the routing for these subnets and not the switches. Anyway, your acl doesn't look correct, try this:
R2
ip access-list extended 101
deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
or
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 out
reverse the acl for R3 if applicable
res
Paul -
Hello
I would like to find out if there is a way to modify TCODE-PA48 to default customer/recruitment specific actions.
Currently, once the candidate to be hired is selected, ALL the actions in table-T529A are displayed.
Your assistance will be appreciated.
Regards.
Bongisa
Hello Bongisa,
Within TRAN PA48, as a standard the program reads the hiring events from T529A and defaults the first one ('1'). This behaviour cannot be changed without a modification. But of course this is a default
value which can be overwritten with a customer specific value.
Transaction PA48 is used for transferring data into a HR system from SAP or any Non-SAP system. The result of this operation is hiring an employee and hence the action type '1' is taken as default.
Also the list of actions and the infogroup assigned to this action type are nothing but the same shown when an employee is hired. In addition to this, other flexible customizing options based on user
group are also applicable.
Kind regards,
Graziela Dondoni -
IDOC to file...Error for Access is denied
Hello Friends,
I am triggering IDOC WBBDLD from SAP ECC. It is successfully sending IDOC to XI
In XI, in SXMB_MONI, message is successful.
But when I am checking in message monitoring with message ID in adaptor level. I am facing given below error.
2010-06-15 18:38:30 Error Attempt to process file failed with com.sap.aii.adapter.file.ftp.FTPEx: 550 XREFTXN.asc: Access is denied.
2010-06-15 18:38:31 Error Exception caught by adapter framework: XREFTXN.asc: Access is denied.
2010-06-15 18:38:31 Error Delivery of the message to the application using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: XREFTXN.asc: Access is denied. : com.sap.aii.adapter.file.ftp.FTPEx: 550 XREFTXN.asc: Access is denied..
Receiver side, I used file adaptor.
When I check the receiver side communication channel in component monitoring. I receive below error
An error occurred while connecting to the FTP server '10.1.45.36:21'. The FTP server returned the following error message: 'com.sap.aii.adapter.file.ftp.FTPEx: 550 XREFTXN.asc: Access is denied. '. For details, contact your FTP server vendor.
Kindly suggest me about the issue and how can I resolve it.
Regards,
Narendra
Edited by: Narendra GSTIT on Jun 16, 2010 7:00 AM
Dear Narendra,
An error occurred while connecting to the FTP server '10.1.45.36:21'. The FTP server returned the following error message: 'com.sap.aii.adapter.file.ftp.FTPEx: 550 XREFTXN.asc: Access is denied. '. For details, contact your FTP server vendor.
The above error is clearly telling you to contact the FTP server vendor. So call your FTP server administrator and tell him that the user you are using in the receiver File communication channel does not have authorization to create files on the FTP server, so that he will grant the FTP user full authorization to create files in the FTP directory.
thanks,
madhu -
When I am at a website that contains a button for printing (Gmail, for example), is there a way to change the way that functions, so that when I click "Print", Firefox will open Print Preview instead of taking me to the default system printer?
You can apply system-wise "negative" color effect under Settings > General > Accessibility, by toggling the White and Black switch - and, in iCab Mobile (and some other, better browsers / PDF readers), its own "night mode" negative color scheme.
Otherwise, no, you can't do anything else except for asking third party app authors to add selectable back/foreground (=text) colors to their apps.
There is an article dedicated to this question: http://www.iphonelife.com/blog/87/do-you-find-your-idevices-screen-be-too-blueish-or-just-too-harsh-bedtime-reading -
Default value for choice list in af:query panel
Hi all,
I have an af:queryPanel in which I made one choice list with a static list. I want to have the first value of the static list as a default value for the field in the af:queryPanel. How can I achieve this?
I am using jdev11.1.1.5
Thanks in advance
Hi,
In your model project, create a view criteria (on the VO which you would be using for displaying values in the LOV). In your view criteria add the attributes and set default value (say add Empno and set its value to literal 1111). Now, when creating LOV for the next view object, select the view criteria you've created in previous step (instead of using all queryable attributes).
Refer : http://docs.oracle.com/cd/E23943_01/web.1111/b31974/lists.htm#BEIBAFDD
-Arun -
Possible bug ? - Default value for select list
4.2.1
Hi, I have one page with a couple of reports. I have a time period filter on top. Its a select list with values 7 days, 3 months and 12 months. Default value is set to 3 (where return values of select list is 1,2,3 resp).
Now in page 1 which has this select list, :P1_SELECT, it has a report which shows counts of number of items purchased. When the user clicks on the count (hyperlinked column), it takes the user to another page which runs the details of the items and also uses the Page 1 select. It works fine when I change the time period. However, if I don't change the time period in the select list when I first log in, although I have set the default value to 3, the interactive report on the page shows no data found, because the select list default value, I guess, is not recognized.
Is this a bug?
Thanks,
Sunil
ryansun wrote:
4.2.1
Hi, I have one page with a couple of reports. I have a time period filter on top. Its a select list with values 7 days, 3 months and 12 months. Default value is set to 3 (where return values of select list is 1,2,3 resp).
Now in page 1 which has this select list, :P1_SELECT, it has a report which shows counts of number of items purchased. When the user clicks on the count (hyperlinked column), it takes the user to another page which runs the details of the items and also uses the Page 1 select. It works fine when I change the time period. However, if I don't change the time period in the select list when I first log in, although I have set the default value to 3, the interactive report on the page shows no data found, because the select list default value, I guess, is not recognized.
Is this a bug?
NO.
Default values are only populated on the client side and NOT in the session.
This has been discussed thousands of times in the forum. Found this with a simple search: {message:id=4440597} -
Define default value for Select List
Hello,
I have an Item on the page, which is a Select list
And I have a LOV associated with this item, which is a database query.
How do I make one of the values of this LOV to be a default value of this Select list?
I need this value to be displayed first, instead of a Null value.
Thanks!
That's right - use the Default value area of your Item definition.
Have a look at this post:
Re: previous selected option as default value
May be you will find it useful... -
How can I make the default action for Real Player (etc.) to be not to play?
While browsing with Mozilla, I would prefer not to have videos play unless I start the video. This goes for commercials or any video.
Is there a preference to set this? If not, can you make one that does that?
By default plugins.click_to_play should be default set to true. However, please also contact Apple support to make sure that this is expected.
If there is not an option to override this, it is also possible to set the preference in about:plugins:
*[https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins Why do I have to click to activate plugins? ] -
Resolved:how to set default LAYOUT for ALV list display
hey guys,
In my ALV report there are 20 columns.
After display I usually choose 12 of them from the CHOOSE LAYOUT option and then give it to print...
How to set this LAYOUT as default?
Sorry guys, I figured it out..
but can we give it programmatically?
Edited by: kumar gaurav on May 27, 2008 8:15 AM
hi,
you can do it.
after declaring the catlog table you will give as
wa_catlog-seltext_l = 'material'.
wa_catlog-datatype = 'char'.
wa_catlog-outputlen = 18.
wa_catlog-fieldname = 'matnr'.
append wa_catlog to i_catlog.
clear wa_catlog.
wa_catlog-seltext_l = 'plantl'.
wa_catlog-datatype = 'char'.
wa_catlog-outputlen = 4.
wa_catlog-fieldname = 'werks'.
append wa_catlog to i_catlog.
clear wa_catlog.
Similarly, whatever sequence you give here, i.e. material, plant etc., you get the output in the same order. You can even give only the fields you want in the output.
rewards points if useful.
siri -
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is, through a policy-map TK-MPLS_TG, shape the interface to 2G on output:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside. This new policy helps us to assign bandwidth percent to 5 class-maps, which in turn match on experimental values classified when they got into the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
What we want to do is to assign a specific bandwidth to the proxy on output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-ME
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
Even though the permit and deny may be overlapping in terms of match,
only the first class is matched here, DENY-ME.
cheers!
xander
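An added example (not from the original thread, and not IOS XR code) that models the workaround above: the rejected ACL with deny entries and the permit-only pair of classes are both evaluated first-match, so the same flows can be checked against each. The addresses come from the ACL posted in the question; the class names PXY-EXCLUDE and PXY-POLICE and the helper functions are hypothetical.

```python
import ipaddress


def ip_int(s):
    return int(ipaddress.IPv4Address(s))


def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are "don't care"."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


ANY = ("0.0.0.0", "255.255.255.255")


def host(addr):
    return (addr, "0.0.0.0")


def acl_action(acl, proto, src, dst):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for action, ace_proto, s, d in acl:
        if (ace_proto in ("ipv4", proto)
                and wild_match(src, *s) and wild_match(dst, *d)):
            return action
    return "deny"


PROXY = "150.2.1.100"
EXCLUDED = [("10.15.142.0", "0.0.0.255"), ("10.15.244.0", "0.0.0.255"),
            ("10.18.52.0", "0.0.0.127"), ("10.16.4.0", "0.0.0.255")]

# The ACL from the question, rejected for QoS matching because of its denies.
ORIGINAL = [("deny", "ipv4", host(PROXY), net) for net in EXCLUDED] + [
    ("permit", "tcp", host(PROXY), ANY),
    ("permit", "tcp", host("10.15.221.100"), ANY),
]

# Permit-only rewrite: the denies become permits in a separate exclusion ACL.
EXCLUDE_ACL = [("permit", "ipv4", host(PROXY), net) for net in EXCLUDED]
POLICE_ACL = ORIGINAL[len(EXCLUDED):]

# Class order matters: the exclusion class must come first in the policy-map.
POLICY = [("PXY-EXCLUDE", EXCLUDE_ACL), ("PXY-POLICE", POLICE_ACL)]


def classify(policy, proto, src, dst):
    """Return the first class whose ACL permits the flow."""
    for name, acl in policy:
        if acl_action(acl, proto, src, dst) == "permit":
            return name
    return "class-default"


def policed_original(proto, src, dst):
    return acl_action(ORIGINAL, proto, src, dst) == "permit"


def policed_rewrite(proto, src, dst):
    return classify(POLICY, proto, src, dst) == "PXY-POLICE"


# Constructed test flows: (protocol, source, destination).
FLOWS = [("tcp", PROXY, "10.15.142.7"), ("tcp", PROXY, "10.18.52.100"),
         ("tcp", PROXY, "10.18.52.200"), ("udp", PROXY, "10.99.0.1"),
         ("tcp", "10.15.221.100", "10.15.142.7"), ("tcp", "10.1.1.1", "10.2.2.2")]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, classify(POLICY, *flow), policed_original(*flow))
```

Swapping the two entries in `POLICY` makes the proxy's traffic to the excluded networks land in the policed class, which is the ordering mistake to watch for when applying the rewrite.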