Extended access list with multiple ports

Hello All,
I have a problem with my Cisco Catalyst 4503-E when I try to configure an extended access list with multiple ports.
I receive the following message:
The information on my switch is the following:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
12.2(52)SG, RELEASE SOFTWARE (fc1)
Please help me to resolve this problem.
Best regards.

Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiple Por

Similar Messages

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network. Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations --
    1. Are extended access-lists always source then destination? Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and the destination any?
    2. Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11?
    This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement is valid.
    3. Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access list have any counts - does that mean nothing is hitting them, or, like I think, they could be misconfigured?
    Thanks!


  • Access list with multiple object groups

    Hello Everyone,
    I am using a Cisco ASA 5525 with 8.6 code. I am trying to set up an access list for outbound access, meaning hosts accessing the internet. I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
    I am trying to use object-groups wherever I can. Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this. This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What I want is to use the service objects, with the source network being obj_Meraki_lan and the destination obj_Meraki_pub. It seems the rules completely change when you use object groups. Can someone explain this, maybe with a few examples? I am already using object groups in many ACLs but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    Also have used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
    - Jouni

  • How to select value from list with multiple selections ?

    HI,
    I have a list with multiple selections where I show email addresses retrieved from the database.
    What I want to do is to send the selected email address to invoiceedit.jsp.
    Please look at the following code, which gives you a better idea.
    <td class='smalltext'><select name="email" size="3" multiple="multiple">
    <%
        Connection conn = null;
        Statement stmt = null;
        Statement stmt_contactperson = null;
        Statement stmt_address = null;
        try {
            conn = getREConnection();
            stmt = conn.createStatement();
            // g_strGroupID is concatenated straight into the SQL text; a PreparedStatement
            // with a bind parameter keeps the entity id from altering the query.
            ResultSet rs = stmt.executeQuery("SELECT PROPERTYID, VALUE FROM PROPERTIES WHERE ENTITYID=" + g_strGroupID + " AND NAME = 'invoice_default_email'");
            int numofrows = 0;
            while (rs.next()) {
    %>
            <option value="<%= rs.getString("VALUE") %>" selected="selected"> <%= rs.getString("VALUE") %> </option>
    <%
            } // end of while
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    %>
    </select>
    <a href="invoiceedit.jsp?entityid=<%=g_strGroupID%>&add=1"><font color="#000000">Add</font></a>
    <a href="invoiceedit.jsp?entityid=<%=g_strGroupID%>&email_to="><font color="#000000"> Edit</font></a> </td>
    thanks

    Use a form button instead of a link so that you can send it as a request parameter to the server. On the server side just use HttpServletRequest#getParameterValues() to obtain all values for the given parameter name. If you really need a link rather than a button, then use JavaScript to submit the form on click of the link.
    That said, your design is bad. Java code belongs in Java classes, not in JSP files. Database access logic belongs in a DAO class. Business and controlling logic belongs in a Servlet class. Only presentation logic belongs in the JSP file. Avoid scriptlets as much as possible and use JSP EL and/or JSTL instead.

  • Creating Select List with multiple columns

    I want to create a select list with multiple columns. I followed the demo application model described in the by Denes Kubicek (Currently my reference for APEX !!)
    The code is as follows:
    CREATE OR REPLACE FUNCTION getcrops (p_cropid IN NUMBER)
       RETURN VARCHAR2
    IS
       v_cropid        VARCHAR2 (400);
       v_fcode         VARCHAR2 (400);
       v_product       VARCHAR2 (400);
       v_var           VARCHAR2 (400);
       v_fname         VARCHAR2 (400);
       v_acres         VARCHAR2 (400);
       v_style_start   VARCHAR2 (400);
       v_style_end     VARCHAR2 (400);
       v_return        VARCHAR2 (400);
    BEGIN
       -- Quoted aliases such as "CROP ID" must be referenced with double quotes;
       -- the query is restricted to p_cropid so the function describes one crop.
       FOR c IN (SELECT "CROP"."CROPID" AS "CROP ID",
                        "CROP"."FIELDCODE" AS "FIELD CODE",
                        "CARROTPRODUCTLIST"."CARROTPRODUCTNAME" AS "PRODUCT",
                        "VARIETYLIST"."VARIETYNAME" AS "VARIETY",
                        "FIELD"."FIELDNAME" AS "FIELD NAME",
                        "CROP"."SIZEINACRES" AS "ACRES"
                   FROM "FIELD" "FIELD",
                        "CARROTPRODUCTLIST" "CARROTPRODUCTLIST",
                        "VARIETYLIST" "VARIETYLIST",
                        "CROP" "CROP"
                  WHERE "CROP"."CARROTPRODUCTTYPE" = "CARROTPRODUCTLIST"."CARROTPRODUCTID"
                    AND "CROP"."VARIETYID" = "VARIETYLIST"."VARIETYLISTID"
                    AND "CROP"."FIELDID" = "FIELD"."FIELDID"
                    AND "CROP"."CROPID" = p_cropid)
       LOOP
          v_cropid  := TO_CHAR (c."CROP ID", 'FML999G999G999G999G990');
          v_fcode   := c."FIELD CODE";
          v_product := c."PRODUCT";
          v_var     := c."VARIETY";
          v_fname   := c."FIELD NAME";
          v_acres   := c."ACRES";
          -- pad every column to 12 characters so the columns line up in the list
          FOR i IN 1 .. 12 - LENGTH (c."CROP ID") LOOP
             v_cropid := v_cropid || ' ';
          END LOOP;
          FOR i IN 1 .. 12 - LENGTH (c."FIELD CODE") LOOP
             v_fcode := v_fcode || ' ';
          END LOOP;
          FOR i IN 1 .. 12 - LENGTH (c."PRODUCT") LOOP
             v_product := v_product || ' ';
          END LOOP;
          FOR i IN 1 .. 12 - LENGTH (c."VARIETY") LOOP
             v_var := v_var || ' ';
          END LOOP;
          FOR i IN 1 .. 12 - LENGTH (c."FIELD NAME") LOOP
             v_fname := v_fname || ' ';
          END LOOP;
          FOR i IN 1 .. 12 - LENGTH (c."ACRES") LOOP
             v_acres := v_acres || ' ';
          END LOOP;
          v_return := v_cropid || v_fcode || v_product || v_var || v_fname || v_acres;
       END LOOP;
       RETURN v_return;
    END;
    I created this anonymous PL/SQL function at the application level. Then I followed up to create a select list with a function inside. However, I could not create the select list with the command suggested in the demo, which is
    select getcrops(cropid) d, cropid r from crop;
    APEX (2.1) returns an error message. What am I missing? Should the function be called from somewhere else after creating a regular select list? Where should the functions (PL/SQL) ideally be stored for application-level access, and for cross-application access? How can I check that the function works properly? Help is appreciated.

    Still really one column.
    If they need to be independent then you've got to have three selection lists.

  • List with multiple objects

    Hi,
    Is it possible to have multiple Object types (CustomerVO, OrderVO and AddressVO) in a single List? If so, how do we define the generics for that List?
    Please clarify.
    Thanks.

    797836 wrote:
    Guys, am I correct? Please clarify.
    If it works, it is correct. So try it.
    I was more thinking along the lines of this, though, according to what you described in your initial post:
    class ParentVO {
        private CustomerVO customer;
        private OrderVO order;
        private AddressVO address;
        // with getters and setters
    }
    That way you don't need any list at all, if you only want to have access to these three objects. Just slap them in a ParentVO and use that.
    Looking at it again I wonder if the ParentVO is needed even, there is a strong relationship between these three objects. An order has a customer and a customer has an address / an order has a billing/shipping address...

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
    policy-map global_policy
    class inspection_default
    inspect icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If the problem is still relevant, I can answer this question for you.
    Let's look at the situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet comes in. If we're speaking about ping, then the ACL rules must allow packets in both directions.
    With ICMP inspection, the ACL entry only has to allow the request packets; the replies will be allowed based on the connection that ICMP inspection created.
    Speaking about your particular example with different security levels, with the default rule that allows traffic from a higher-security interface to a lower one: NO, you do not need to enter the rules you described, and you'll have a successful ping.
    If you deleted this rule and administer the allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
    P.S. It's not good practice to leave that default rule which allows traffic from a higher security level to a lower one.

  • Failed Extended Access-list

    Hello all,
    I am trying to apply this extended access-list to my router to permit the selected ports and deny the rest, but my emails are not being sent outside; all emails are stuck in the queue. If I remove the access-list, all emails go freely. What's left in my configuration?
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    Interface Dialer 0
    ip access-group 101 out

    Here is the complete configuration.
    Router#sh run
    Building configuration...
    Current configuration : 3665 bytes
    ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Router
    boot-start-marker
    boot-end-marker
    no aaa new-model
    crypto pki token default removal timeout 0
    ip source-route
    ip cef
    no ipv6 cef
    license udi pid C887VA-W-E-K9 sn FCZ1624C30K
    username admin privilege 15 password 7 045A0F0B062F
    controller VDSL 0
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
    crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto ipsec profile protect-gre
     set security-association lifetime seconds 86400
     set transform-set TS
    interface Loopback0
     ip address 10.10.10.1 255.255.255.255
    interface Tunnel4120
     ip address 10.0.0.1 255.255.255.0
     no ip redirects
     ip mtu 1400
     ip nhrp authentication cisco
     ip nhrp map multicast dynamic
     ip nhrp network-id 123
     ip tcp adjust-mss 1360
     tunnel source Dialer0
     tunnel mode gre multipoint
     tunnel key 123
     tunnel protection ipsec profile protect-gre
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/35
      pppoe-client dial-pool-number 1
    interface Ethernet0
     no ip address
     shutdown
     no fair-queue
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     ip address 192.168.111.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1360
    interface Dialer0
     ip address negotiated
     ip access-group 101 out
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname xxxxxxxxxxxxxxxxx
     ppp chap password 7 03077313552D0F411E512D
    router rip
     version 2
     network 10.0.0.0
     network 192.168.111.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
    ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
    ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
    ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 permit 192.168.111.30
    access-list 10 permit 192.168.111.0 0.0.0.255
    access-list 101 permit tcp host 192.168.111.30 eq 53 any
    access-list 101 permit udp host 192.168.111.30 eq 53 any
    access-list 101 permit tcp host 192.168.111.30 eq 25 any
    access-list 101 permit tcp host 192.168.111.30 eq 443 any
    access-list 101 permit tcp host 192.168.111.30 eq 587 any
    access-list 101 permit tcp host 192.168.111.30 eq 995 any
    access-list 101 deny ip any any
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     stopbits 1
    line vty 0 4
     access-class 10 in
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Router#
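Two things about ACL 101 are worth checking before anything else, shown here with a small first-match ACE evaluator; this is an added illustration, not code or advice from the thread. In IOS an `eq` written directly after the source address qualifies the source port, so `permit tcp host 192.168.111.30 eq 25 any` matches traffic leaving port 25, while an outgoing SMTP connection uses an ephemeral source port and destination port 25; and because `ip nat inside source list 1 interface Dialer0 overload` translates the server's address before the outbound ACL on Dialer0 is consulted, an entry keyed on host 192.168.111.30 never sees those packets at all. The public address and the remote mail exchanger are constructed documentation-range placeholders, since the post redacts the real one.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords needed here (assumed subset, not taken from the post).
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "https": 443, "pop3": 110}
Packet = namedtuple("Packet", "proto src sport dst dport")
# sport/dport stay None unless an 'eq' follows the source/destination address.
Ace = namedtuple("Ace", "action proto src sport dst dport text")

def _addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a prefix length.
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' into an Ace.
    An 'eq' right after the source is the SOURCE port; only one after the destination is the destination port."""
    t = line.split()
    i = 2 if t[0] == "access-list" else 0
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(action, proto, src, sport, dst, dport, line)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

def evaluate(acl, pkt):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for a in acl:
        if a.proto not in ("ip", pkt.proto) or s not in a.src or d not in a.dst:
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action, a.text
    return "deny", "implicit deny ip any any"

# ACL 101 exactly as posted (copied here so the example runs stand-alone).
POSTED_ACL = parse_acl("""
access-list 101 permit tcp host 192.168.111.30 eq 53 any
access-list 101 permit udp host 192.168.111.30 eq 53 any
access-list 101 permit tcp host 192.168.111.30 eq 25 any
access-list 101 permit tcp host 192.168.111.30 eq 443 any
access-list 101 permit tcp host 192.168.111.30 eq 587 any
access-list 101 permit tcp host 192.168.111.30 eq 995 any
access-list 101 deny ip any any
""")
# Constructed placeholders: the post redacts the Dialer0 address (xxx.xxx.xxx.xxx),
# so documentation-range addresses stand in for it and for a remote mail exchanger.
PUBLIC_IP = "203.0.113.10"   # what 'ip nat inside source list 1 ... overload' stamps on egress
REMOTE_MX = "198.51.100.25"
# The same services as DESTINATION ports, keyed on the post-NAT source (443, 995 and
# tcp/53 follow the same pattern). Since the Dialer0 address is negotiated, matching
# the LAN address with an inbound ACL on Vlan1, before NAT, is the more robust placement.
FIXED_ACL = parse_acl(f"""
access-list 101 permit udp host {PUBLIC_IP} any eq domain
access-list 101 permit tcp host {PUBLIC_IP} any eq smtp
access-list 101 permit tcp host {PUBLIC_IP} any eq 587
access-list 101 deny ip any any
""")

def outbound_smtp(after_nat):
    """Mail server opening a connection to a remote MX: ephemeral source port, destination 25."""
    return Packet("tcp", PUBLIC_IP if after_nat else "192.168.111.30", 49152, REMOTE_MX, 25)
```

Note that the final `deny ip any any` also drops everything else leaving Dialer0, including the ISAKMP/ESP traffic of Tunnel4120 whose source is Dialer0, which the post's symptom does not mention.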

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check if our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working. Can someone show me the 'right path'?
    Thanks
    Soren                 

    Doesn't have any issues on my lab 4.2.4. Following is the Job Work Order:
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NA
    Job Policies
    ----------------------------------------------------------------------------------------------
    E-mail Notification: Not Applicable
    Job Based Password: Disabled
    Device Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share it; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • [svn:fx-trunk] 10943: Fix to dragging from List with multiple-selection

    Revision: 10943
    Author:   [email protected]
    Date:     2009-10-08 15:46:27 -0700 (Thu, 08 Oct 2009)
    Log Message:
    Fix to dragging from List with multiple-selection
    - The fix is to postpone the selection commit until we make sure the user has not started a drag gesture.
    - Exclude the dragEnabled, dropEnabled, dragMoveEnabled properties for DropDownList
    QE notes: None
    Doc notes: None
    Bugs: None
    Reviewer: Deepa
    Tests run: checkintests, mustella List, DropDownList
    Is noteworthy for integration: No
    Modified Paths:
        flex/sdk/trunk/frameworks/projects/spark/src/spark/components/DropDownList.as
        flex/sdk/trunk/frameworks/projects/spark/src/spark/components/List.as

  • Selection list with multiple columns

    How can i create a selection list with multiple columns?


  • Select list with multiple columns

    I want to create a select list with multiple column options. What are the options? Any developments in APEX 3.0.1? Thanks in advance. I tried the tutorials by Kubicek.
    I am kind of stuck, since the function entry inside the LOV definition returns an error.


  • List with multiple selection

    Hello;
    I am looking for code to implement a list with multiple selection for a web browser (HTML is limited).
    I have a list containing the years; the user can select one or several years, and I dynamically create an array: one column for each year.
    Thank you;

    Look at JList.
    http://java.sun.com/j2se/1.4.2/docs/api/javax/swing/JList.html

  • List with multiple column

    hello all ,
    how to create a list with multiple columns ? can anyone share some examples or code snippets

    What I would usually do is create a movieclip/sprite that contains a row with every column in it (each column being a textfield).  Then pile up the rows one atop the other (using Actionscript) as they are populated with data.

  • APEX Pages - User Access List with NTLM

    Hi,
    I'm building several APEX applications, using NTLM as their authentication scheme. With this, the users won't have to type any user name and password, and their user name is shown at the top right of the screen.
    I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
    1. users (hold user name, and user data)
    2. pages (hold APEX Applications pages)
    3. access_list (hold combined data of users and pages and access flag)
    The last table will give me an SQL that can be used to create page level Authorization Scheme.
    The problem is:
    I cannot find a way to get a list of user IDs to pre-populate the users table. Is there a way for an administrator user to use an LOV of all NTLM users instead of typing domain\user into this application? OR is there a better and more elegant way to create a user access list with NTLM?
    Your help will really help me; thanks in advance.
    Regards,
    Aulia

    This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
    You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
    That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
    If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
    Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
    I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.
