Extended ACL Issue

I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
ip-access-list extended ACL_TCP
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
permit tcp any any established
Is there a better way to do this? Does this extended ACL work for my purpose?

What direction did you apply this? I'm assuming in the inbound direction?
Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
Try the following:
ip access-list ext ACL_TCP
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
Apply to your loopback:
ip access-group ACL_TCP in
Next question:
Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
HTH,
John

Similar Messages

I am stuck. Extended ACL issues

I been at this for a long time and I simply do not know what this practice lab wants. I mean I think I input the correct information but the % does not go up.
Says for my ACL's I'm supposed to
Allow telnet to R1 and R3 from R2 only
Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.
Do not allow PC1 to receive traffic from the 10.0.0.128/25 network.
I emplemented many ACL's and tried various things but nothing is working form me.
PC1 address is - 10.0.0.10 /25 its part of the 10.0.0.0/25 network. (Pc1 is connected to R1)
R1 is connected to R2 and R3.
The R1 connection to R2 is on S0/0/0 172.16.0.1 255.255.255.252
R1 to R3 connection is going through S0/1/0 172.16.0.9 255.255.255.252
R2 is connected to R1 via S0/0/0 interface with the IP address 172.16.0.2 /30 (255.255.255.252)
R2's s0/0/1 is connected to R3 with the ip address of 172.16.0.5 255.255.255.252
R3 is connected to R1 via S0/0/0 ip address 172.16.0.10 255.255.255.252
Pc3 is connected to R3 with an ip of 10.0.0.139 255.255.128 (This is part of the 10.0.0.128/25 network
R3's connection to R2 is on S0/0/1 with the ip address of 172.16.0.6 255.255.252
The network from R1 to R2 is 172.16.0.0/30
the Network from R1 to R3 is 172.16.0.8/30
the Network from R2 to R3 is 172.16.0.4/30
The Loopback on R2 is 209.165.200.161/27
If anyone can help me I would greatly appreciate it. I am just so lost atm =/

Are you running a routing protocol? OSPF, EIGRP, RIP?
What "%" are you talking about, and what's not working for you exactly?
Can we get a drawing of you topology?
HTH,
John

Applying Extended ACL close to Destination

Hi Everyone,
Need to share something here.Mostly we use extended ACL close to the source.
Here is this scenario i need to use the extended ACL close to destination to fix the issue.
Here is info
Server 1 connected to interface X ASA1 it has wan connection to ASA2---ASA2 has connection to ASA3.
Now ASA3 is learning source server IP via its Y interface.
In order to reach the destination server ASA3 has to through its interface Z.
Now there was ACL on ASA3 which denies traffic from source server IP to destination IP on interface Y.
I apply the ACL on ASA3 to allow the traffic and it worked.
Dooes someone elase also has seen this behaviour?
Regards
Mahesh

Hi,
The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.
Just as an example I could mention one real life setup that I manage.
The setup contains 4 firewalls always (at minimum)
One is customer firewall/vpn device
One is our vpn device
One is our firewall device
One is our partner firewall device
This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)
- Jouni

Standard and Extended ACLs?

I just want to know that if extended IP access lists can do all tasks, I mean extended access lists have a lot of controlling parameters, then why people use Standard Access lists instead of Extended access lists.
I just want to know that in which scenario we should use STD ACLs instead of EXTD ACLs, what special advantage of using STD over EXTD ACLs,
Please reply.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
To summarize what the other posters have already noted, the two principle reasons why one might use a standard ACL (which could also be functionally accomplished) by an extended ACL are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.
Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be the device's processing performance might be better with a standard ACL.
Logically the standard ACL ACE:
access-list 10 permit host 1.1.1.1
should be the same as this extended ACL ACE:
permit ip host 1.1.1.1 any
But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP. Should this happen? No, but such might happen because of different generations of code and/or different teams working on ACL processing.
BTW, if there is a significant performance difference, it's just as possible extended works better.
Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering. (Also, if this is "discovered", it's very likely to be very device and IOS version specific. Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.)

WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection

I've come across a number of implementations where the ACL's associated with services 61 & 62 are using extended access-list. I am writing with specific reference to wccp configured in promiscuous mode.
Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP - then is there really a need for extended acls for redirection?. Furthermore, in a simple implementation you do not need separate acls linked to 61 & 62 - i don't think so.
Standard acls parse the filteration process more quickly than extended.
thanks
Ajaz

The extended access-lists are used because some TCP traffic does not to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that standard access-lists can be used.

Catalyst 3560 Extended ACLs

I have a VoIP / QoS situation I just discovered on the Cat 3560's. In this case, a particular manufacturer's IP Phones do not tag CoS or DSCP. As such, I have defined extended ACL's/Policies on the Cat 3560 switches to detect and mark traffic from the IP Phones. My policies are designed to identify and mark Call Bearer with DSCP 46 and Call Control traffic with DSCP 26 based upon source address and UDP port. What I see however, is that all VoIP traffic is marked at DSCP 46, and nothing is marked at 26. (It's not so bad having control and bearer marked with DSCP EF, but I like to put call control in a different queue when possible.)
I am looking for confirmaton of the following theory. I suspect that the 3560's ((C3560-IPBASEK9-M), Version 12.2(25)SED) are not layer 4 aware, thus extended access lists function only as standard access lists - (even though the switch allows me to create an extended ACL). As such, my attempt to identify call bearer and call signalling based upon UDP port will not work.
Below is the ACL / Policy config. Note that on downstream routers, I only see DSCP 46 and never match DSCP 26 (af31). From the switch, using "sh mls qos interface statistics", I see no traffic with DSCP 26 at all (output attached).
I believe this is because the switch is only reading the layer 3 portion of the ACL. Since both ACL 101 and ACL 102 have the same layer 3 source adress, then all classified traffic will match class "IngressVoiceBearer" and get marked with 46.
access-list 101 remark Voice Bearer Signalling
access-list 101 permit udp 192.168.100.0 0.0.0.255 any eq 5004
access-list 102 remark Call Control Signalling (udp 5440-5445)
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5440
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5441
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5442
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5443
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5444
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5445
class-map match-any IngressCallControlSignalling
match access-group 102
class-map match-any IngressVoiceBearer
description All Inbound Voice Bearer traffic on UDP 5004
match access-group 101
policy-map IngressVoIP
class IngressVoiceBearer
set dscp ef
class IngressCallControlSignalling
set dscp af31
class class-default
set dscp default
Switch Output:
switch#sh mls qos int g0/1 statistics
GigabitEthernet0/1
dscp: outgoing
0 - 4 : 12359302 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 1837749 0 9716 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0

Are the ports correct for the call control ACL? In the Cisco VoIP world we use an ACL like this for call control:
ip access-list extended VOICE-CONTROL
permit tcp any any range 2000 2002
permit tcp any range 2000 2002 any
permit tcp any any range 11000 11999
permit tcp any any range 1718 1720
permit udp any any range 1718 1719
permit udp any any range 2427 2428
permit tcp any any range 2443 2445
permit tcp any any range 5555 5599
But Cisco uses different protocols. Your ACL is configured correctly and the 3560 is supposed to support extended ACLs. Does your 3560 have an enhanced image or a standard image?
Are these Avaya phones? I have had to do software updates on Avaya phones to get them to behave correctly.
-Mark

Extended ACL permit ip and allowed ports

Hi everyone
Need to confirm if we have extended ACL with object group below
access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
will above ACL allow all the ports on the destination object group?
Thanks
mahesh

And to illustrate the situation above
Situation 1 - Only allow rule exists on the ACL
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
Allow ALL TCP/UDP source and destination ports
Allow those from the source networks of SOURCE to the destination networks of DESTINATION
Situation 2 - Deny rules exist before the allowing rule
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
The key thing to notice ofcourse would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
So host 10.10.10.10 cant communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"
- Jouni

Use extended ACL with NAT

Believe it or not, once in a while, i fumble with some basic concepts. Here is one, on our perimeter FW, ASA, there are these NATTING configured.
I just couldnt figure out why they use extended ACL for the sources? isnt the standard one good enough?
thanks in advance,
Han
access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_5
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 0.0.0.0 0.0.0.0

Hi Han,
If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.
standard ACL:
access-list 10 standard permit ip 172.16.0.0
Extended ACL:
access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
This is how it differs. In your scenario destination is specific rather the source is any. So you have the extended ACL in picture for that. Hope this clears you.
Please do rate if the given information helps.
By
Karthik

Extended acl - multiple ports on same acl line

hello
i'm working on a (long) acl and have started looking at putting multiple ports on the same line
e.g.
instead of:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80
permit tcp any host 10.10.10.1 eq 443
i'd use:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80 443
its shortening the acl considerably but the question is:
does this method reduce the TCAM resources required (compared to writing the acl in long hand)?
what are the maximum number of ports that can be included on the same line - is it platform/ios dependant?
thanks
andy

Hello
No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
Cisco3750#show platform tcam utilization
CAM Utilization for ASIC# 0                      Max            Used
                                                         Masks/Values    Masks/values
IPv4 security aces:                          1024/1024         33/33
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
thanks
Andy

Acrobat 9 Pro Extended Forms Issue

Hello, I'm having an issue with two simple forms that I have created in Acrobat 9 Pro Extended. I am using Windows XP SP2. The forms have a submit button that is supposed to send to a specified e-mail address. Everything tests fine until the link is posted on our Intranet. Once the user clicks Submit after filling out the form, they are presented with a box with two buttons: Send Link and Send Copy. Does anyone know how to stop this box from popping up? What is happening is they do not read the box and click Send Link, which only sends a blank form back to us and they lose what they have filled out. Any help would be much appreciated, and thank you in advance.

I finally got our webmaster to put the link to the form online so that I could test the form. It is not sending to the address specified. I have setup the Submit button as follows: in the window under Enter a URL for this link: the URL was input as MailTo: [email protected] (there is a space between MailTo: and the e-mail address). After submitting Outlook 2k3 sends back an undeliverable message. Is the space in the URL causing the issue or is it something I need to run by our security people due to the way the form is being submitted?
Many thanks,
Mike

PLM Web UI ACM/ACL issue

Hi All,
I am configuring PLM Business package/ Web UI in portal. Version EHP4. (PLM Web UI)
Every screen (Material, BOM) giving me error "Authorizations are missing" . I know this trusted user issue.
I provided the role "SAP_PLMWUI_TRUSTED_USER_ALL" in ECC System.
How I can fix the problem? Which roles I need to assign to resolve the problem. FYI, Document are working fine. Because documents are not the part of ACM
2. I am looking in to SAP Help for authorizations but there are not detailed steps to set up these ACM/ACL .
3. How I can generate Root Context. There is a program we can run in SE38. But before that I need to assign Context Admin role to in IMG. Which role I need to assign as Context Admin.
I appreciate your help. Thanks in Advance.
Regards
Mark

administrator can set up the whitelist in Customizing for SAP NetWeaver under SAP
Web Application Server Web Dynpro ABAP Set-Up Active Controls Whitelist .
o The whitelist has to be named DEFAULT.
o File Extension
All files of this type can be executed in an external program by using the
Customizing option %auto%. For more information see Customizing for Logistics
General under Product Lifecycle Management PLM Web User Interface
Objects Document in PLM Web UI Define Workstation Application
o Application
Enter applications to be used for viewing or editing a file.
o Download
Enter at least one directory and one server. The system opens the directory and
all subdirectories for the download.
o Upload
Enter at least one directory and one server. The system opens the directory and
all subdirectories for the upload.
Make an entry for each option (File Extension, Application, Download,
Upload).
o Find the correct server name for upload and download
Working with a local whitelist in a SAP system requires a certificate for the system used.
The administrator must download the certificate using transaction WDR_ACF_GEN_CERT.
Alternatively, the administrator can create the new certificate in Customizing for SAP
NetWeaver under Application Server Web Dynpro ABAP Generate Certificate for
Whitelist
3. Each user has to install the certifcate using transaction ACF_WHITELIST_SETUP.
Alternatively, the user can install the certificate via Customizing for SAP NetWeaver
under Application Server Web Dynpro ABAP Activate Active Controls Whitelist .
o The provided list of whitelists is only for display reasons. The certificate is always
installed for the DEFAULT whitelist.
o You have to install the certificate after each change of the DEFAULT whitelist

MacBook Extended Desktop Issue (ViewSonic vx2235)

MacBook as far as i know only supports mini-DVI to "_" adapters. I'm using the midi-DVI to DVI adapter. i find myself clicking detect display multiple times before the mac initialize the external monitor. ...and when it does it sometimes doesn't recognize the name of the monitor and labels it display, or it starts up at a 90 degree angle. could it be a driver issue thats causes this?
In addition, I use some audio editing software in windows. It shows that the computer supports extended desktop, but no action is on the monitor. Could it just be a hardware problem?

Go to System Preferences -> Displays -> Arrangement
and check/adjust the positions.

Photoshop cs5 extended 3d issue

Hi,
i made a selection then i made it into a 3d layer with reproussé and then turn it into a 3d object , this part works all fine
but as soon as i accept the changes i make, and start to use the 3d rotation tool and start rotate it. my background goes transparent while dragging/rotating my object . this is very enoying coz i cannot see my background while doing this.. anyone has the same problem and or a solution to it?
i checked photoshop preferences ( CTRL + K ... performance) and played with the settings. nothing usefull. also i updated my system to the latest video drivers. everything runs smooth even photoshop.
my hardware specs are pretty decent im sure it isnt that, although i could enable or check something somewhere , who can help me about this issue...
my specs :
software :
windows 7 x64 bit
adobe photoshop cs5 extended x64 bit
Mainboard: Mainboard Model MS-7380 ( msi p7n platinum silent )
memory : 4gb dual channel
cpu : q9450 quadcore 12mb cache
video :
NVIDIA GeForce 9800 GTX/9800 GTX+
Revision A2
Codename G92
Technology 65 nm
Memory size 512 MB
Memory type GDDR3
Memory bus width 256 bits
PCI device bus 3 (0x3), device 0 (0x0), function 0 (0x0)
Vendor ID 0x10DE (0x1682)
Model ID 0x0612 (0x2371)
Performance Level 3D Applications
Core clock 740.0 MHz
Shader clock 1850.0 MHz
Memory clock 1140.0 MHz

Generally good advice is to check with nVidia on their web site and see if they have released any recent video drivers that fix the problem you're seeing.
http://www.nvidia.com/Download/index.aspx?lang=en-us
Many people are finding that new video drivers solve problems they're seeing with Photoshop.
-Noel

Extender Tool Issues

Once I select the oject I want to extend and switch the button from move to extend it will not let me extend the object. It stays on move no matter what. Can you please help me resolve this issue?

What operating system are you using?
Have you tried resetting the Content Aware Move Tool?
Or resetting the pse 12 editor preferences by going to Photoshop elements Editor (Edit)>Preferences>General, clicking on Reset Preferences on next launch and then restarting pse 12

Using X3500 as a Wireless Extender DHCP issue iPhone 6

Hi
Hopefully a simple question with a simple answer.
Background:
I've transitioned away from my ADSL ISP to a cable provider (VirginMedia). My new ISP comes with a cable modem (SuperHub 2 ac) and I've connected the two devices together to extend my home wireless network. The cable modem is The two routers are physically remote from each other - connected via just their Ethernet ports - via power-line technology (Devolo dLAN 1200+). The two routers have the same broadcast SSID albeit on separate channels.
Issue:
All devices in my house, laptops tablets, phones roam between the two wi-fi zones seamlessly *except* the iPhone 6 (iOS8.1), this works on the cable modem wi-fi - but not on the X3500 wi-fi. I also have an iPad Mini 2 (also iOS8.1) which also works - so rightly / wrongly I've ruled out iO8.1 as the issue. Oddly the iPhone 6 connects to the x3500 but doesn't obtain an IP address (the cable modem is the DHCP server). Even setting a static IP address doesn't help.
Observation(s):
If the X3500 is setup as a DHCP server, the iPhoen connects (and gets an IP address), but then the default gateway is incorrect (gatway is the IP address of the X3500 not the remote cable modem). I can't find anywhere to specify a default gateway in the setup.
Question
I'm beginning to think this is an issue with the iPhone 6 (knowing all other devices work correctly), but I just want to make sure I'm configuring the X3500 correctly. I'm specifically interested in the whether I'm using the right "Mode"ADSL / Ethernet. I've tried "Bridged Mode Only" (ADSL) and "Automatic DCHP Only" (Ethernet) but neither seem to resolve the issue that the iPhone 6 is having.
any suggestions on how to resolve / troubleshoot would be most welcomed.
Thanks!
Solved!
Go to Solution.

Yes, there's a way for you to override the IP Address. It is on Router Address under Network Setup on the Basic Setup tab. If I'm not mistaken, one end of the Ethernet cable should be connected to the regular Ethernet port of the cable modem and the other end to the cable port of the X3500.
But if it's just the iPhone that won't connect to the X3500, it might be okay to retain the current configuration of the router, but try adjusting the wireless security mode or set the wireless channel to 11 and observe what happens.

Extended ACL Issue

Similar Messages

Maybe you are looking for