Extended access list question
Hello,
any suggestions why the following ACL will not apply?
access-list 100 permit udp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 eq domain
access-list 100 permit tcp any host 192.168.155.18 established
access-list 100 deny udp any host 192.168.155.18
access-list 100 deny tcp any host 192.168.155.18
access-list 100 permit ip any any
interface GigabitEthernet0/2.16
description Subnetz 192.168.155.16/28
encapsulation dot1Q 16
ip address 192.168.155.17 255.255.255.240
ip access-group 100 in
The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
Thanks,
Thomas
Hi Rick,
no there is no NAT or other things turned on on this device.
Router#sh ip access-list 100
Extended IP access list 100
10 permit udp any host 192.168.155.18 eq domain (379 matches)
20 permit tcp any host 192.168.155.18 eq domain (5 matches)
30 permit tcp any host 192.168.155.18 established (1 match)
40 deny udp any host 192.168.155.18 (788 matches)
50 deny tcp any host 192.168.155.18 (79 matches)
60 permit ip any any (562 matches)
Router#sh ip int gi0/2.16
GigabitEthernet0/2.16 is up, line protocol is up
Internet address is 192.168.155.17/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is enabled
IP CEF switching is enabled
IP Flow switching turbo vector
IP Flow CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow cache, CEF, Full Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
Thanks,
Thomas
Similar Messages
-
ICMP Inspection and Extended Access-List
I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA. From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework. Is that true? I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both? Or is it best practice to do both?
What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
policy-map global_policy
class inspection_default
inspect_icmp
However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any source-quench
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside
Will the PING complete?
Thank you,
T.J.Hi, T.J.
If problem is still actual, I can answer you this question.
Let's see situation without ICMP inspection enabled:
The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.
Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.
If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.
P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower. -
Configuring Extended Access List with Any statement
I have several questions where I'm fuzzy on a configuration already on my network. Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
1. Are extended access-lists always source then destination? Like in the following statement:
permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
2. Further down though there is:
permit tcp any host 172.16.4.11 eq 443.
In that case is the source any host and the destination 172.16.4.11 ?
This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
3. Also, when you do a:
sho ip access-list -
Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
Thanks!Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
LMS 4.2 Compliance check extended access-list
Hi,
I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
I have made a new compliance check like this:
'submode': ip access-list extended 'acl-name'
+deny tcp any any eq smtp
But that is not working, Can some one show me the 'right path'?
Thanks
SorenDoesnt have any issues on my Lab 4.2.4. following is the Job Work order :
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NAJob Policies
----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
Job Based Password: DisabledDevice Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
-Thanks
Vinod
**Rating Encourages contributors, and its really free. ** -
Extended access list with multiple ports
Hello All,
I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
I receive the following message:
The informations of my Switch are the following:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
12.2(52)SG, RELEASE SOFTWARE (fc1)
Please help me to resolve this problem.
Best regards.Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
Hello all,
I am trying to apply this extended access-list to my router to permit the selected ports and deny the rest but my emails are not sending outside, all emails are stuck in the queue. If I remove the access-list, all emails goes freely. Whats left in my configuration?
access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any
Interface Dialer 0
ip access-group 101 outHere is the complete configuration.
Router#sh run
Building configuration...
Current configuration : 3665 bytes
! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Router
boot-start-marker
boot-end-marker
no aaa new-model
crypto pki token default removal timeout 0
ip source-route
ip cef
no ipv6 cef
license udi pid C887VA-W-E-K9 sn FCZ1624C30K
username admin privilege 15 password 7 045A0F0B062F
controller VDSL 0
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS
interface Loopback0
ip address 10.10.10.1 255.255.255.255
interface Tunnel4120
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 123
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 123
tunnel protection ipsec profile protect-gre
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
interface Ethernet0
no ip address
shutdown
no fair-queue
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
ip address 192.168.111.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
interface Dialer0
ip address negotiated
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxx
ppp chap password 7 03077313552D0F411E512D
router rip
version 2
network 10.0.0.0
network 192.168.111.0
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.111.30
access-list 10 permit 192.168.111.0 0.0.0.255
access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 10 in
login local
transport input all
scheduler allocate 20000 1000
end
Router# -
Change an extend access list in a prefix list
Hallo All,
I would like to translate an extend access list in a prefix list.
ip access-list extended x_to_y
permit ip 1.1.1.1 0.0.1.255 any
deny ip any host 3.3.3.3
Any hint?
Thanks!!!Hi Fabio,
I am sorry but to my best knowledge, this is not going to work.
You want to perform Policy Based Routing (PBR). For PBR, the packet selection is based on inspecting their header values by an ACL. A prefix-list does not inspect header values; rather, it would inspect routing update contents. This is also the reason why you cannot figure out how to rewrite the second line - because a prefix-list does not have a source-and-destination semantics. It is simply a list of network addresses you would be looking for in routing protocol updates.
Even the documentation at
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html
clearly shows that the only supported match commands are match length and match ip address - not match ip address prefix-list.
I wonder - how come that your platform is unable to accomodate an ACL for PBR in hardware? Can we perhaps try to make this work? A prefix-list is not the way to go.
Best regards,
Peter -
Extended access-list error using FQDN
Hi,
I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host.
For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
This is how I normally add these rules (the ip addresses are fictive):
access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
When I try to add this using the hostname on our asa I get an error:
access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com ?
ERROR: % Unrecognized command
I've tried it without the 'www', so hostname.com but same error.
How can I solve this?
Thanks in advance for your time and help
Regards,@zulqurnain
Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too. -
Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword. -
Extended access list on Cisco routers
Can you edit an access list without delete the entire list? In other words, can you remove a sequence entry with the access list?
ThanksYes, you can. If you do sh access-list, the router will show the sequence number. You can than add a sequence, delete a sequence or change one.
For example if you have an acces-list like this:
Extended IP access list test
10 deny ip 10.10.10.0 0.0.0.255 any log
15 deny ip 11.11.11.0 0.0.0.255 any log
you can now add a new sequence between 10 and 15
11 deny ip 172.16.10.0 0.0.0.255 any log
You just have to make sure to use the sequence number when you create the last access-list
HTH -
Hi,
Can somebody explain me when to use "established" word at the end of access-list."established" is a keyword used in the automatically generated ACLs for TCP return connections.
check for this URL to get more infirmation.
http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webprtal/7fire.htm#1110326
hope it helps ... rate if it does ... -
so we have a NAC in our lab, set up as L3 OOB....we have a vlan set up for internet only access..a route map is configured on the CORE to send the internet only traffic back to the NAC for restrictions (to mimic the inband solution)......in our unauthenticated role policy, we set up the access list on a vlan to only access the internet and block internal address...the weird thing is, the access list on the NAC works on any internal addresses, but when the pc pings/telnets the CORE itself (and any mgnt ip addresses) it works?????....anybody know the reason why...im sure a workaroud is to put an acl on the CORE itself to block that...
Hope my drawing is enough to assist.....
CORE--------l3 switch--------pc
|
|
|
NACThat's a great idea - the ACL on the management interfaces of the devices.
Is the ACL for the unauthenticated role on the L3 switch or the Core?
I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
peter -
Simple SSH Access-List Question
I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50. I forgot the exact access-list configuration to accomplish this. The subnet is /24 and I don't want the whole subnet - just .1 - .50.
Thank you,
Thomas ReilingHi there,
If using ssh make sure you have a domain name, host name and a generated rsa key. Assuing you've done that, the the following ACL and line vty command will do the trick. Note that the 1-50 host list is not on a subnet barrier.
To get it exactly
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary though, so the following would be much more simpler and easier to read.
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class on the vty lines and depending on authentication, i'd put something there too.
line vty 0 4
access-class 1 in
transport input ssh
password blahblah
That ought to do it.
good luck!
Brad -
Hi, I'm working through the CCNA ICND2. Section: IP Access Control Lists
On p246 it says "the access-list command must use protocol keywork tcp to be able to match TCP ports and the udp keyword to be able to match UPD ports"
in an example on p264 they list the statement "access-list 101 permit any any eq telnet"
I would assume that "telnet" is a word value for "port 23" (just like you can type "eq www" instead of "port 80")
therefore does it not have to read "access-list 101 permit tcp any any eq telnet"
??? many thanks for your answers - much appreciated.it's a typo!!
-
Hi,
I have an access-list with the following line...
permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors
I also show a crypto ipsec sa which doesn't correspond directly to my accesslist. This is the second time I've seen this... is there any part of IPsec where the access-list are shared with the other end? i didn't think so, but I'm not sure how we got this, if not.
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
#send errors 0, #recv errors 0
Thanks!!Can you post the configuration from this device.
Regards,
Arul
Maybe you are looking for
-
How to Enable a Selected single record from Table control...
Hi, I have 5 records in my table control and in screen Painter in Made all the fields in Table control as Output field. and successfully all my Table control fields are disabled... Now Now i want to enable the record which i selected n rest all the
-
Generate PUBLISH from other evenement than SIP message
hello, In the SIP Servlet, is it possible to generate PUBLISH from other evenement than SIP message? I mean for example i get connected to a page web, and i generate a message SIP PUBLISH while there is a update. How can i do with this situation? Can
-
The software could not be found on any servers at this time
Hello, Within the last few days OSD from within the OS has started to fail. The error it provides is The software could not be found on any servers at this time. I find this error misleading since I can PXE, connecting to the same server, and the OS
-
Error ID: 4349254E560E43505000F4
Hi, I got an error today to crash our application server! The server is running JRun3.1, build 26414 for servlet engine, NT4 SP6, IIS 4.0 for web server, JDK1.3.1_02 and MS SQL 2000 for Java servlets web-based application. error-- # HotSpot Virtual M
-
Having issues with permissions on external hard drive.
I'm very new to my MacBook Pro, and I'm having an issue with my external hard drive. I used it to bring important files (mostly music) from my windows 7 laptop to my mac. Once I finished that I noticed that I was missing some of my music which luckil