Extended ACL permit ip and allowed ports

Hi everyone
Need to confirm if we have an extended ACL with the object groups below
access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
will the above ACL allow all the ports on the destination object group?
Thanks
mahesh

And to illustrate the situation above
Situation 1 - Only allow rule exists on the ACL
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
Allow ALL TCP/UDP source and destination ports
Allow those from the source networks of SOURCE to the destination networks of DESTINATION
Situation 2 - Deny rules exist before the allowing rule
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
The key thing to notice, of course, is that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
So host 10.10.10.10 can't communicate with host 10.10.100.100 on any port, since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked, BUT the rest of the TCP/UDP traffic would be allowed by the rule using the "object-group".
- Jouni
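As an added illustration (not code from Jouni's post or from Cisco), a small Python evaluator that parses the Situation 2 configuration and applies ASA first-match semantics, including the implicit deny at the end of the ACL. It only understands the address and port syntax used in this thread (network-object with a mask, host, any, object-group and a numeric "eq" destination port), which is an assumption made here for brevity.

```python
"""Added example: first-match evaluation of the ASA-style ACL from Situation 2.

Assumptions (not from the thread): only the syntax actually used above is
parsed (network-object with a mask, host, any, object-group, 'eq <port>'),
and an ACE's 'eq' is treated as a destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the Situation 2 configuration from the post above.
CONFIG = """
object-group network SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
"""


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: List[ipaddress.IPv4Network]  # any of these networks may match
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]              # None means any destination port


def _parse_addr(tok, groups):
    """Consume one address spec from the token list; return (networks, rest)."""
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]           # expand the named group
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]  # addr mask


def parse_config(text):
    """Return {acl_name: [Ace, ...]} in the order the ACEs were written."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group" and tok[1] == "network":
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "access-list":
            name, rest = tok[1], tok[2:]
            if rest[0] == "extended":            # keyword used in the question
                rest = rest[1:]
            action, proto = rest[0], rest[1]
            src, rest = _parse_addr(rest[2:], groups)
            dst, rest = _parse_addr(rest, groups)
            dport = int(rest[1]) if rest and rest[0] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, src, dst, proto, dport=None):
    """First matching ACE wins; return (action, 1-based line) or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue                             # 'ip' covers every protocol
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line
    return "deny", None                          # implicit deny at the end


def load_example():
    return parse_config(CONFIG)["SOURCE-IN"]


if __name__ == "__main__":
    acl = load_example()
    for pkt in [("10.10.10.10", "10.10.100.100", "tcp", 443),
                ("10.10.10.10", "10.10.200.200", "tcp", 80),
                ("10.10.10.10", "10.10.200.200", "tcp", 443),
                ("10.10.20.5", "10.10.100.7", "udp", 53),
                ("10.10.30.5", "10.10.100.7", "tcp", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Reordering the two deny lines after the permit line in CONFIG makes them dead entries, which is the ordering mistake the post warns about.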

Similar Messages

  • Default acl permissions for root and user?

    After running permissions I keep getting "ACL permissions changed and will repair". Apparently it doesn't. Is there a manual way of resetting to defaults for both root and user?

    Turns out they didn't change themselves, but authentication got out of whack. This post fixed it for me, but I just jogged access on ical and blogs. Not sure which or both is needed, but after I toggled them over and back I was up and running again.
    <SNIP>
    Solution found at http://michaeljin.wordpress.com/2010/01/05/locked-out-of-mac-os-x-server/
    It’s blog update time! Updates have been a little scarce lately, been super busy with getting trophies on PS3
    Anyway, recently encountered the following with a Mac mini server running Snow Leopard Server:
    Despite being able to ARD / Screenshare the Mac mini, I was unable to get any further than the login window. Authentication credentials are obviously valid. No weird access permissions have been set. However, the weird thing was, I can connect to the server via Server Admin tools (from another Mac) and all other services were running without a hitch.
    After much head scratching it turns out to be a sACL (Service Access Control List) issue.
    This thread solved the mystery!
    http://discussions.apple.com/thread.jspa?threadID=1654864
    To save you the trouble, I’ll lay it out here. I cannot take credit for this, but Randall can!
    Open Server Admin on a computer (any), and connect with the local admin to the machine.
    Select the server and authenticate.
    Select Settings, then go to Access. You’ll want to make sure that Login Window and SSH have the local admin account listed if you select the option to “Allow only these users”. For now, I would suggest making sure all services have “Allow all users and groups” selected.
    If (as in my case) it was set to Allow All in the first place, simply toggle the settings – back and forth.
    Save.
    Try logging in again… should be a good one!
    </SNIP>

  • Extended acl - multiple ports on same acl line

    Hello
    I'm working on a (long) ACL and have started looking at putting multiple ports on the same line,
    e.g.
    instead of:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80
    permit tcp any host 10.10.10.1 eq 443
    I'd use:
    ip access-list extended test3
    permit tcp any host 10.10.10.1 eq 80 443
    It's shortening the ACL considerably, but the questions are:
    does this method reduce the TCAM resources required (compared to writing the ACL in long hand)?
    what is the maximum number of ports that can be included on the same line - is it platform/IOS dependent?
    thanks
    andy

    Hello
    No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
    Cisco3750#show platform tcam utilization
    CAM Utilization for ASIC# 0                      Max            Used
                                                             Masks/Values    Masks/values
    IPv4 security aces:                          1024/1024         33/33
    Note: Allocation of TCAM entries per feature uses
    a complex algorithm. The above information is meant
    to provide an abstract view of the current TCAM utilization
    As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
    thanks
    Andy

  • Extended ACL TCP port control

    Hi all,
    I have configured an ACL to control traffic going in/out of an interface via TCP ports. However, after applying the ACL to the interface, I find that even though the ports are allowed, traffic is blocked by the ACL.
    I suspected that it could be the initial TCP handshake (SYN, SYN-ACK, ACK etc.) not being allowed (due to the implicit deny). When I included that in the ACL, it worked. Is this a necessary step in an ACL that controls by TCP port?
    The reason I ask is that some of the ACLs configured with TCP port control have not been configured to allow SYN, ACK etc., but they work when applied to other interfaces.

    Hi,
    Thanks for the response. As far as the config of the ACL goes, it's quite straightforward with the thing I'm trying to achieve. 1.1.1.190 & 1.1.1.192 are mail servers. The objective is to control both .190 & .192. The config is as below:
    interface Vlan2
    description For Mail
    ip address 1.1.1.129 255.255.255.0
    ip access-group 2002 in
    end
    C6500#sh access-li 2002
    Extended IP access list 2002
    10 permit icmp any any (272 matches)
    20 permit tcp host 1.1.1.0 any syn (10467 matches)
    30 permit tcp host 1.1.1.0 any ack (781 matches)
    40 permit tcp host 1.1.1.190 eq smtp any
    50 permit tcp host 1.1.1.190 eq pop3 any
    60 permit tcp host 1.1.1.192 eq smtp any
    70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
    80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
    When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
    Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well.

  • Standard and Extended ACLs?

    I just want to know: if extended IP access lists can do all tasks (I mean extended access lists have a lot of controlling parameters), then why do people use standard access lists instead of extended access lists?
    I just want to know in which scenario we should use STD ACLs instead of EXTD ACLs, and what special advantage there is in using STD over EXTD ACLs.
    Please reply.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    To summarize what the other posters have already noted, the two principal reasons why one might use a standard ACL (which could also be functionally accomplished by an extended ACL) are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.
    Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be the device's processing performance might be better with a standard ACL.
    Logically the standard ACL ACE:
    access-list 10 permit host 1.1.1.1
    should be the same as this extended ACL ACE:
    permit ip host 1.1.1.1 any
    But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP.  Should this happen?  No, but such might happen because of different generations of code and/or different teams working on ACL processing.
    BTW, if there is a significant performance difference, it's just as possible extended works better.
    Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering.  (Also, if this is "discovered", it's very likely to be very device and IOS version specific.  Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.)

  • Allowed ports in ACLs for Wireless IP-Phones

    I need to apply an ACL on one SSID which is used to allow communication between just the IP phones and, of course, CallManager.
    So I need to know which ports I should allow in the ACL.
    I tried to allow the following ports:
    UDP >> DHCP
    udp port 69 TFTP
    tcp port 2000 SCCP
    udp range 16384 32767 for RTP streaming
    Shall I enable anything else?

    These ports are fine.
    CallManager discovery can occur several ways, one of them is DNS. If you use DNS discovery, you may want to add UDP 53. If CUCM information is fed from TFTP server files, then you are good with the ports mentioned in your list.
    hth
    J

  • Our IT Director will not allow the appropriate TCP and UDP ports to be opened on the district WAN

    I have about 30 Apple TV Units and our IT Director will not allow the appropriate TCP and UDP ports to be opened on the district WAN.  When our teachers try to log on to Apple TV to broadcast lessons, websites, etc., they are booted off the network after about 20 minutes. 
    Any ideas for how I might solve this without having to hard-wire the Apple TV Units?

    Honestly, you do not.
    Either the IT director will cave and allow the appropriate ports or it doesn't work.
    Hard wiring the ATVs will not rectify the problem. 

  • ACL missing fix and other general permissions fix

    I've been having huge preferences and permissions problems since upgrading to Mavericks.
    I've repaired my permissions and I keep having the "ACL missing" or "ACL found but not expected" results.
    I've read in some places that you don't need to fix them and they don't hurt anything, but they're annoying as **** and I would still like to make them go away to see if it fixes my permission and preferences problems, like Photoshop preferences resetting all the time.
    It would be great if anyone could give me a link to a fix or any ideas. Thanks.

    I found the same problem on my Mac, but this did not happen immediately after installing Mavericks. I really have no clue how it happened. The fix (appropriate buyer-beware fine print) is to either use ACLr8 or to do it manually in a Terminal session. It worked with mine. I found this fix on the net somewhere (cannot remember where though).
    For example with the iTunes folder -
    sudo chmod -RN /Applications/iTunes.app
    (enter your user password when asked)
    Just repeat this with all other folders reported in Disk Utility.
    I would hesitate applying this fix at the / folder since it may be possible some files/folders require the special ACL permissions.

  • PDFL - How do you secure a document's permissions AND allow page extraction?

    I was directed here by Adobe technical support.
    I am currently using PDFL 10.1.1 to try to secure a new document's permissions.
    Most of the pdPerm flags work as advertised, and enable/disable given permissions. However, for every possible combination of flags, the permission to "extract pages" remains locked. Even pdPermAll, which is documented as "all permissions," yields a document with page extraction locked.
    Is there a way to secure a document's permissions AND allow page extraction?
    Thanks in advance for your help!

    Hi SarahL,
    According to your post, my understanding is that you want to display a document library with different views as a web part on some sites' pages.
    I recommend that you follow the steps below to implement it in your environment.
    Go to your site, create a main document library, and create different views on the document library.
    Go to "Library Settings" of the current document library, click "Save document library as template" under the "Permissions and Management" section, check "Include Content" and click "OK".
    Go to your other sites, create new document libraries based on the new template, create new pages to insert the new document library web parts, then edit each list view web part to select a different view based on your needs and save the changes to the pages.
    Then, the new pages will be like below:
    Best Regards,
    Yumi Fu

  • How to sync MS Exchange shared calendars and allow permissions?

    Hi Everyone,
    We have a SBS2008 and MS Exchange with which we have a BYOD (Bring Your Own Device) policy to work. We are having some issues in syncing shared calendars for conference room bookings as well as some other issues. We have an iPhone 5s and everyone has updated to iOS 8.
    How do we allow one of our managers to access a shared calendar on their iPhone to book a room from a shared calendar and ensure that that is reflected across the calendar?
    Thank you.

    Hello,
    Are the Rooms you wish to book stored as Resources in Microsoft Exchange?
    I have an app in the store called Roomr which connects to Exchange and allows you to view and book meeting rooms. This would enable your managers to book meeting rooms in advance and the data is stored in Exchange so it will sync with all users.
    I know you want to use the Calendar app provided, but Roomr has the added benefit of providing you with an at-a-glance availability of meeting rooms, enabling you to see which ones are free instantly, without having to check multiple schedules.
    It's free to try out and might help solve your problem: https://itunes.apple.com/us/app/roomr-check-meeting-room-availability/id722842404?ls=1&mt=8
    Regards,
    Tom

  • Static nat and service port groups

    I need some help with opening ports on my ASA using firmware 9.1.2.
    I read earlier today that I can create service groups and tie ports to those. But how do I use those instead of using 'object network obj-ExchangeSever-smtp'?
    I have the ACL -
    access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
    Can this statement
    object network obj-ExchangeSever-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    reference the service port groups instead?
    Thanks,
    Andrew

    Hi,
    Are you looking for a way to group all the ports/services you need to allow from the external network to a specific server/servers?
    Well, you can for example configure this kind of "object-group":
    object-group service SERVER-PORTS
    service-object tcp destination eq www
    service-object tcp destination eq ftp
    service-object tcp destination eq https
    service-object icmp echo
    access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
    The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers (depending on whether you use an "object" or an "object-group" to specify the destination address/addresses).
    I am not sure how you have configured your NAT. Are they all Static PAT (port forward) configurations like the one you have posted above, or perhaps Static NAT configurations?
    You can use the "object network" created for the NAT configuration in the above ACL rule's destination field to specify the host to which traffic will be allowed. Using the "object" in the ACL doesn't tell the ASA the ports, however. That needs to be configured in the above way or in your typical way.
    Hope this helps
    - Jouni

  • Catalyst 3560 Extended ACLs

    I have a VoIP / QoS situation I just discovered on the Cat 3560's. In this case, a particular manufacturer's IP Phones do not tag CoS or DSCP. As such, I have defined extended ACL's/Policies on the Cat 3560 switches to detect and mark traffic from the IP Phones. My policies are designed to identify and mark Call Bearer with DSCP 46 and Call Control traffic with DSCP 26 based upon source address and UDP port. What I see however, is that all VoIP traffic is marked at DSCP 46, and nothing is marked at 26. (It's not so bad having control and bearer marked with DSCP EF, but I like to put call control in a different queue when possible.)
    I am looking for confirmation of the following theory. I suspect that the 3560's ((C3560-IPBASEK9-M), Version 12.2(25)SED) are not layer 4 aware, thus extended access lists function only as standard access lists (even though the switch allows me to create an extended ACL). As such, my attempt to identify call bearer and call signalling based upon UDP port will not work.
    Below is the ACL / policy config. Note that on downstream routers, I only see DSCP 46 and never match DSCP 26 (af31). From the switch, using "sh mls qos interface statistics", I see no traffic with DSCP 26 at all (output attached).
    I believe this is because the switch is only reading the layer 3 portion of the ACL. Since both ACL 101 and ACL 102 have the same layer 3 source address, all classified traffic will match class "IngressVoiceBearer" and get marked with 46.
    access-list 101 remark Voice Bearer Signalling
    access-list 101 permit udp 192.168.100.0 0.0.0.255 any eq 5004
    access-list 102 remark Call Control Signalling (udp 5440-5445)
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5440
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5441
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5442
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5443
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5444
    access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5445
    class-map match-any IngressCallControlSignalling
    match access-group 102
    class-map match-any IngressVoiceBearer
    description All Inbound Voice Bearer traffic on UDP 5004
    match access-group 101
    policy-map IngressVoIP
    class IngressVoiceBearer
    set dscp ef
    class IngressCallControlSignalling
    set dscp af31
    class class-default
    set dscp default
    Switch Output:
    switch#sh mls qos int g0/1 statistics
    GigabitEthernet0/1
    dscp: outgoing
    0 - 4 : 12359302 0 0 0 0
    5 - 9 : 0 0 0 0 0
    10 - 14 : 0 0 0 0 0
    15 - 19 : 0 0 0 0 0
    20 - 24 : 0 0 0 0 0
    25 - 29 : 0 0 0 0 0
    30 - 34 : 0 0 0 0 0
    35 - 39 : 0 0 0 0 0
    40 - 44 : 0 0 0 0 0
    45 - 49 : 0 1837749 0 9716 0
    50 - 54 : 0 0 0 0 0
    55 - 59 : 0 0 0 0 0
    60 - 64 : 0 0 0 0

    Are the ports correct for the call control ACL? In the Cisco VoIP world we use an ACL like this for call control:
    ip access-list extended VOICE-CONTROL
    permit tcp any any range 2000 2002
    permit tcp any range 2000 2002 any
    permit tcp any any range 11000 11999
    permit tcp any any range 1718 1720
    permit udp any any range 1718 1719
    permit udp any any range 2427 2428
    permit tcp any any range 2443 2445
    permit tcp any any range 5555 5599
    But Cisco uses different protocols. Your ACL is configured correctly and the 3560 is supposed to support extended ACLs. Does your 3560 have an enhanced image or a standard image?
    Are these Avaya phones? I have had to do software updates on Avaya phones to get them to behave correctly.
    -Mark

  • Extended ACL for DHCP

    Hi,
    I'm having a problem creating an ACL to allow DHCP.
    I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
    Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
    I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:
    permit udp any host 172.16.30.4 log
    permit tcp any host 172.16.30.4 log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
    deny ip any any (28 matches)
    172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified them whilst debugging this problem - my initial config was for ports 67 and 68.
    I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
    The IP helper address is configured on the interface and is 172.16.30.4.
    Can someone let me know what I'm missing?
    Cheers,
    Steve

    Hi,
    Thanks for the response - I'll try the ACL for DHCP shortly.
    With regard to the ACL:
    permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
    you are correct, that is for DNS.
    However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?
    Cheers,
    Steve

  • Extended ACL Issue

    I have a question. I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in an exercise I am doing.
    I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud"). PC1 is connected to R1, which is obviously connected to R2.
    ip access-list extended ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
    permit tcp any any established
    Is there a better way to do this? Does this extended ACL work for my purpose?

    What direction did you apply this? I'm assuming in the inbound direction?
    Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
    Try the following:
    ip access-list ext ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
    Apply to your loopback:
    ip access-group ACL_TCP in
    Next question:
    Why do you have an ACL applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply it to, say, s0/0 (the serial interface) that has your public IP assigned to it. That may be why it's not working. Do you actually have the ACL applied to LoopbackX?
    HTH,
    John

  • Powershell & ACL permissions

    So, not sure if this is actually a PowerShell issue or a simple lack of understanding of permissions on my part. When you look at permissions manually you have some basic permissions: Modify, Read & Execute, Read, Write, etc. You also have Special Permissions, like Full Control and Read Attributes.
    I have a script that is pushing out changed permissions, and
    Get-ACL $Target | Format-List
    gives me what looks to be correct permissions. But if, for example, I do
    $ACRights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
    I would expect to see Read and Write in the basic permissions via the UI, but what I get is in Special permissions only, and some that I didn't expect but that are related, like Read Attributes. So, am I actually getting the results I should, and because I am applying this via ACL it's all Special permissions? Or is there some other mechanism for setting simple Read & Write permissions?
    Also, my need here is to make just a few files and folders available to users in ProgramData in an office where IT has generally locked down ProgramData (which then breaks functionality of some Autodesk products this year). Autodesk suggested manually setting the required permissions for All Users on the files and folders, but my sense is that using Authenticated Users would be better, because it limits the permissions a bit. Or is the Authenticated Users group an old concept, and there is a better practice here?
    I wouldn't be surprised if the same technique needs to be used on some Program Files folders, as Autodesk basically works from the assumption that everyone is a Local Admin, which is just insanity in my book, and I would rather target specific files for access rather than throwing the gates open as Autodesk wants.
    Thanks!
    Gordon

    It's probably showing up as "Special" because the access control entry isn't set to apply to sub folders and files. Container objects (folders, registry keys, AD objects, and WMI namespaces) need their ACEs to apply to their children as well in order for them not to show up as "special". Here's how to create an ACE that gives Read and Write permissions that apply to a folder, its sub folders (ContainerInherit), and sub files (ObjectInherit):
    New-Object System.Security.AccessControl.FileSystemAccessRule (
        "Authenticated Users",
        "Read, Write",                    # Access enumeration string/numeric value
        "ContainerInherit, ObjectInherit", # InheritanceFlags (apply to sub folders and files)
        "None",                           # PropagationFlags (None simply means that this will apply to the object)
        "Allow"                           # ACE type
    )
    The reason you're seeing more rights than you expect is because "Read" is actually multiple specific access rights being combined (specifically list directory, read extended attributes, read attributes, and read permissions). To see that it translates to more than one right, you can convert it to binary:
    [convert]::ToString([System.Security.AccessControl.FileSystemRights]::Read.value__, 2)
    Notice that more than one bit is set. If you want to see what each of those bits means, you can use this function:
    function TranslateRights {
        param(
            $Rights = "Read",
            [Type] $Enumeration = [System.Security.AccessControl.FileSystemRights],
            [switch] $ListAll
        )

        # Files/folders use the same enumeration, and the numeric access masks can mean slightly different things, e.g.,
        # bit 0 set means list directory for a folder or read data for a file. For that reason, it helps to have a collection
        # of the different meanings:
        $GroupedRights = @{}
        [enum]::GetNames($Enumeration) | ForEach-Object {
            $IntValue = [int] ($_ -as $Enumeration)
            # Only interested in numbers that are powers of 2 (single bits); skip combined masks like FullControl
            if ($IntValue -band ($IntValue - 1)) { return }
            if ($GroupedRights.ContainsKey($IntValue)) {
                $GroupedRights.$IntValue += $_
            }
            else {
                $GroupedRights.$IntValue = @($_)
            }
        }

        # Walk the single-bit entries in numeric order and report which ones $Rights contains
        $GroupedRights.GetEnumerator() | Sort-Object Name | ForEach-Object {
            if ($_.Name -band ($Rights -as $Enumeration)) {
                $Granted = $true
            }
            else {
                $Granted = $false
            }
            $RightsString = $_.Value -join " / "
            if ($ListAll) {
                [PSCustomObject] @{
                    Bit     = [System.Math]::Log($_.Name, 2)
                    Rights  = $RightsString
                    Granted = $Granted
                }
            }
            elseif ($Granted) {
                $RightsString
            }
        }
    }
    And you could use it like this:
    TranslateRights -Rights Modify
    TranslateRights -Rights Modify -ListAll
    TranslateRights -Rights ReadKey -Enumeration ([System.Security.AccessControl.RegistryRights]) -ListAll
