Extended IP access list for NAT

Hi, all.
Please give me some information on access lists for NAT.
The Cisco IOS Master Command List, Release 12.4 describes that the ip nat inside destination, ip nat inside source and ip nat outside source commands use a standard IP access list for dynamic NAT.
But the document that follows uses an extended IP access list for dynamic NAT in the "Difference between One-to-One Mapping and Many-to-Many" section.
This leaves me confused.
Regards

>But the document that follows uses an extended IP access list for dynamic NAT in the "Difference between One-to-One Mapping and Many-to-Many" section.
Hyperlinking slipped my mind.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
Regards

Similar Messages

  • ASR 5000 access list for ssh and telnet

    Dears,
    How can we apply an access list for telnet and ssh on the ASR 5K?
    Please advise if this is feasible.
    thx.

    Hello Joseph,
    Sorry for the delay in response.
    To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
    For example:
    config
    context local
    no server telnetd
    #exit
    System Administration Guide of the relevant version will give you detailed information in this regard.
    Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
    You can find other guides here:  http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
    Hope this helps.
    Regards
    Aneesh

  • Access list for ACS 3.3

    I wish to secure my ACS using an access-list. However, allowing just tcp port 49 and/or tcp/udp port 65 doesn't seem to work. Are there any other ports I need to open?

    When you say "it doesn't seem to work", what are you referring to, TACACS authentication or access to the ACS server for admin purposes?
    Can you add a "deny ip any any log" rule to the bottom of your access-list and check which protocols are being dropped?
    Thanks
    PD

  • Extended access list question

    Hello,
    any suggestions why the following ACL will not apply?
    access-list 100 permit udp any host 192.168.155.18 eq domain
    access-list 100 permit tcp any host 192.168.155.18 eq domain
    access-list 100 permit tcp any host 192.168.155.18 established
    access-list 100 deny udp any host 192.168.155.18
    access-list 100 deny tcp any host 192.168.155.18
    access-list 100 permit ip any any
    interface GigabitEthernet0/2.16
    description Subnetz 192.168.155.16/28
    encapsulation dot1Q 16
    ip address 192.168.155.17 255.255.255.240
    ip access-group 100 in
    The server 192.168.155.18 should only answer requests on port 53 (tcp and udp). The IOS image is c7200-jk9s-mz.124-25c.bin. With this access-list applied I can still connect through any other port, like ssh and so on.
    Thanks,
    Thomas

    Hi Rick,
    No, there is no NAT or anything else turned on on this device.
    Router#sh ip access-list 100
    Extended IP access list 100
        10 permit udp any host 192.168.155.18 eq domain (379 matches)
        20 permit tcp any host 192.168.155.18 eq domain (5 matches)
        30 permit tcp any host 192.168.155.18 established (1 match)
        40 deny udp any host 192.168.155.18 (788 matches)
        50 deny tcp any host 192.168.155.18 (79 matches)
        60 permit ip any any (562 matches)
    Router#sh ip int gi0/2.16
    GigabitEthernet0/2.16 is up, line protocol is up
      Internet address is 192.168.155.17/28
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 1500 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
      Outgoing access list is not set
      Inbound  access list is not set
      Proxy ARP is disabled
      Local Proxy ARP is disabled
      Security level is default
      Split horizon is enabled
      ICMP redirects are never sent
      ICMP unreachables are always sent
      ICMP mask replies are never sent
      IP fast switching is enabled
      IP fast switching on the same interface is enabled
      IP Flow switching is enabled
      IP CEF switching is enabled
      IP Flow switching turbo vector
      IP Flow CEF switching turbo vector
      IP multicast fast switching is enabled
      IP multicast distributed fast switching is disabled
      IP route-cache flags are Fast, Flow cache, CEF, Full Flow
      Router Discovery is disabled
      IP output packet accounting is disabled
      IP access violation accounting is disabled
      TCP/IP header compression is disabled
      RTP/IP header compression is disabled
      Policy routing is disabled
      Network address translation is disabled
      BGP Policy Mapping is disabled
      WCCP Redirect outbound is disabled
      WCCP Redirect inbound is disabled
      WCCP Redirect exclude is disabled
    Reminder: 192.168.155.18 is a fictitious IP address; it was changed only for this post.
    Thanks,
    Thomas

  • Extended access list on Cisco routers

    Can you edit an access list without deleting the entire list? In other words, can you remove a sequence entry within the access list?
    Thanks

    Yes, you can.  If you do sh access-list, the router will show the sequence numbers.  You can then add a sequence, delete a sequence or change one.
    For example, if you have an access-list like this:
    Extended IP access list test
    10 deny ip 10.10.10.0 0.0.0.255 any log
    15 deny ip 11.11.11.0 0.0.0.255 any log
    you can now add a new sequence between 10 and 15
    11 deny ip 172.16.10.0 0.0.0.255 any log
    You just have to make sure to use the sequence number when you create the last access-list
    HTH

  • ACE access-list best practice

    Hi,
    I was wondering what the best practice is for the access-lists on the Cisco ACE.
    Should we permit any in the access-list and classify the traffic in the class-maps, as seen in this brief example:
    access-list ANY line 10 extended permit ip any any
    access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
    access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
    class-map match-all EXCH-DMZ-INTERNET-OUT
      2 match access-list EXCH-DMZ-INTERNET-OUT
    policy-map multi-match EXCH-DMZ-OUT
    class EXCH-DMZ-INTERNET-OUT
        nat dynamic 1 vlan 1001
    interface vlan 756
      description VLAN 744 EXCH DMZ BE
      ip address 10.134.11.253 255.255.255.0
      alias 10.134.11.254 255.255.255.0
      peer ip address 10.134.11.252 255.255.255.0
    access-group input ANY
      service-policy input EXCH-DMZ-OUT
    Or should we also use the access-list for the access-group on the interface, as seen below:
    access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
    access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
    class-map match-all EXCH-DMZ-INTERNET-OUT
      2 match access-list EXCH-DMZ-INTERNET-OUT
    policy-map multi-match EXCH-DMZ-OUT
    class EXCH-DMZ-INTERNET-OUT
        nat dynamic 1 vlan 1001
    interface vlan 756
      description VLAN 744 EXCH DMZ BE
      ip address 10.134.11.253 255.255.255.0
      alias 10.134.11.254 255.255.255.0
      peer ip address 10.134.11.252 255.255.255.0
      access-group input EXCH-DMZ-INTERNET-OUT
      service-policy input EXCH-DMZ-OUT
    Regards,

    Hello,
    I don't think you'll find a "best practice" for this scenario.  It really just comes down to meeting your needs.  The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not.  The second way will only allow NAT'd traffic, and deny all others.
    Hope this helps,
    Sean

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes a problem when we try to use the line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Access-list in Cisco 3560 Series Switch

    Guys,
    I will be implementing access-lists in a 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow the ports that the users need to access. The ports will be as follows: tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and the port used by the IP Phone.
    Hope you can help me guys.
    Thanks,
    John

    and then don't forget to apply this access-list on the interface or VLAN you want to apply it to.
    You can use a number for the ACL > 100 or a name, as indicated earlier.
    If you go with just a number:
    access-list 100 permit tcp any any eq 80 81 ...
    access-list 100 permit udp any any eq 23
    int g1/0/1
    ip access-group NAME in
    OR
    ip access-group 100 in
    As for example :
    NMS-3750-A(config-if)#ip acc
    NMS-3750-A(config-if)#ip access-group ?
    <1-199> IP access list (standard or extended)
    <1300-2699> IP expanded access list (standard or extended)
    WORD Access-list name

  • Access list with multiple object groups

    Hello Everyone,
    I am using a Cisco ASA 5525 with 8.6 code.  I am trying to set up an access list for outbound access, meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
    I am trying to use object-groups wherever I can.  Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.x.x.x 255.255.255.240
    network-object 10.x.x.x 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What I want is to use the service objects, with the source network being obj_Meraki_lan and the destination being obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this, maybe with a few examples?  I am already using object groups in many ACLs but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" also.
    - Jouni
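
The following is an added example, not code from the thread or from Cisco: a small Python script that expands an ASA ACE written with three object-groups into the flat lines the firewall actually evaluates, so the effect of such a rule can be reviewed offline before it is applied. It parses only the object types used in the post (service-object with a destination port, network-object host and subnet forms); the sample configuration is the poster's, trimmed and with the source mask corrected to 255.255.255.240 as in the reply. Ports stay numeric here, where the ASA prints well-known names such as www.

```python
"""Added example: expand an ASA access-list ACE that references object-groups
into one flat ACE per (service, source, destination) combination."""
from itertools import product
from typing import Dict, List, Tuple

# Constructed sample (object-groups and ACE from the post above, trimmed).
CONFIG = """
object-group service obj_Meraki_outbound
 service-object tcp destination eq 443
 service-object tcp destination eq 80
 service-object udp destination eq 7351
object-group network obj_Meraki_lan
 network-object 10.2.11.0 255.255.255.240
 network-object 10.5.11.0 255.255.255.240
object-group network obj_Meraki_pub
 description This group lists all hosts associated with Meraki.
 network-object host 64.156.192.154
 network-object host 64.62.142.12
access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
"""


def parse_groups(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]], Dict[str, List[str]]]:
    """Return (service groups, network groups).

    service groups map name -> [(protocol, destination port)],
    network groups map name -> ["host A.B.C.D" | "A.B.C.D MASK"] as written.
    Only 'service-object PROTO destination eq PORT' is handled (an assumption).
    """
    services: Dict[str, List[Tuple[str, str]]] = {}
    networks: Dict[str, List[str]] = {}
    current = None                      # (kind, name) of the group being read
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group":
            kind, name = t[1], t[2]
            current = (kind, name)
            (services if kind == "service" else networks)[name] = []
        elif current and t[0] == "service-object":
            services[current[1]].append((t[1], t[4]))
        elif current and t[0] == "network-object":
            networks[current[1]].append(" ".join(t[1:]))
        elif t[0] == "access-list":
            current = None              # description lines simply fall through
    return services, networks


def expand_ace(ace_line: str, services, networks) -> List[str]:
    """Expand 'access-list NAME extended ACTION object-group SVC object-group SRC
    object-group DST' into the flat ACEs, in service x source x destination order."""
    t = ace_line.split()
    name, action = t[1], t[3]
    svc, src, dst = [t[i + 1] for i, tok in enumerate(t) if tok == "object-group"]
    flat = []
    for (proto, port), s, d in product(services[svc], networks[src], networks[dst]):
        flat.append(f"access-list {name} extended {action} {proto} {s} {d} eq {port}")
    return flat


def expand_config(text: str) -> List[str]:
    """Expand every object-group ACE found in a config fragment."""
    services, networks = parse_groups(text)
    out = []
    for line in text.splitlines():
        if line.strip().startswith("access-list") and "object-group" in line:
            out.extend(expand_ace(line.strip(), services, networks))
    return out


if __name__ == "__main__":
    for ace in expand_config(CONFIG):
        print(ace)
```

The three groups in the sample produce 3 x 2 x 2 = 12 flat entries, which is what the ASA's "show access-list" displays indented under a single configured line number (the bug thread above shows the same indented expansion for object entries); reviewing the expanded list is the quickest way to confirm that a compact object-group rule permits exactly what was intended and nothing more.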

  • Convert named access list to line numbers

    I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
    I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
    Thank you!

    Hi Emily,
    I guess this is what you are looking for. I have not tried it myself but would like to test it out.
    1. enable
    2. configure terminal
    3. ip access-list resequence access-list-name starting-sequence-number increment
    4. ip access-list {standard | extended} access-list-name
    5. sequence-number permit source source-wildcard
    or
    sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    6. sequence-number deny source source-wildcard
    or
    sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
    8. end
    9. show ip access-lists access-list-name
    This link should help :
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
    regards,
    -amit singh

  • LMS compliance check on all access lists

    Hello, I am trying to create a compliance template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLANs but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices, therefore I need to use wildcards for the name.
    Thanks.

    I forgot to mention that i am running this against Cisco ASA devices which displays like this:
    access-list TEST_ACL extended deny ip any any
    I have tried:
    access-list [#.*#] extended deny ip any any
    but it returns all as compliant because it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
    Any ideas?
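
As an added example (not part of the thread, and not an LMS template), here is the same audit done in Python over a saved ASA running-config: it groups every "access-list NAME ..." line by name, ignores remarks, and reports lists whose last entry is not an explicit deny ip any any. It also flags a deny-all that is not last, since every ACE after it can never match. The configuration fragment is constructed for the example; any4 is accepted alongside any because newer ASA code prints it.

```python
"""Added example: audit all ASA ACLs in a running-config for a trailing
explicit 'deny ip any any'."""
import re
from typing import Dict, List

# Constructed sample running-config fragment (not from any real device).
SAMPLE_CONFIG = """
access-list TEST_ACL extended permit tcp any any eq www
access-list TEST_ACL extended deny ip any any
access-list DMZ_IN remark CM000001 allow web to the DMZ server
access-list DMZ_IN extended permit tcp any host 192.0.2.10 eq www
access-list DMZ_IN extended deny ip any any log
access-list GUEST_IN extended permit udp any any eq domain
access-list GUEST_IN extended permit tcp any any eq www
access-list MGMT_IN extended deny ip any any
access-list MGMT_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq ssh
"""

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(extended|standard|remark)\s+(.*)$")


def acls_from_config(config_text: str) -> Dict[str, List[List[str]]]:
    """Group ACE token lists by ACL name in config order.

    Remark lines are dropped but still register the name, so a list that is
    all remarks shows up as having no entries rather than being missed.
    """
    acls: Dict[str, List[List[str]]] = {}
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            continue
        name, kind, rest = m.groups()
        aces = acls.setdefault(name, [])
        if kind != "remark":
            aces.append(rest.split())
    return acls


def is_explicit_deny_all(ace: List[str]) -> bool:
    """True for 'deny ip any any' (any4 accepted), with or without 'log ...'."""
    return (len(ace) >= 4 and ace[:2] == ["deny", "ip"]
            and all(tok in ("any", "any4") for tok in ace[2:4]))


def audit(config_text: str) -> Dict[str, str]:
    """Return {acl_name: 'ok' | 'missing' | 'deny-all-not-last'}."""
    verdicts = {}
    for name, aces in acls_from_config(config_text).items():
        if aces and is_explicit_deny_all(aces[-1]):
            verdicts[name] = "ok"
        elif any(is_explicit_deny_all(a) for a in aces):
            # A deny-all that is not last shadows every ACE after it.
            verdicts[name] = "deny-all-not-last"
        else:
            verdicts[name] = "missing"
    return verdicts


def noncompliant(config_text: str) -> List[str]:
    """Sorted names of ACLs that fail the check."""
    return sorted(n for n, v in audit(config_text).items() if v != "ok")


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
```

Because the check walks every ACL name it finds rather than stopping at the first match, it avoids the false "all compliant" result described above; run it against the output of show running-config access-list collected from each device.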

  • ASA5520 access-list configuration?

    I have two asa5520s, version 7.2(2).
    I use access-lists for the firewall as follows:
    access-list outside extended permit ip object-group mydomain any
    access-list outside extended permit icmp object-group mydomain any
    access-group outside in interface outside.
    I believe that all IP traffic should be allowed from machine AA in the private network behind the inside interface to a machine BB in the public network (outside the outside interface of the asa5520):
    (private) AA->asa5520->BB (public)
    However, it seems to work in most cases, but it does not work for a certain port.
    telnet AA 80 -> it seems to work fine
    telnet AA 3816 -> it does not work.
    When I do a packet trace on the asa5520, it says the access-list does not allow it.
    Could anyone advise me what my configuration is missing? How do I correct this problem? And also, how can I see all the implicit rules which are set by default?
    any comments will be appreciated
    Thanks in advance

    please upload/copy your config so we can see

  • Access-list searching

    Hi all, I have only a small question. Does anyone of you know a way to easily find out if communication is allowed or denied by an access-list? I cannot try the communication, I can only work with the lines of the access-list in the console. Maybe some program or script exists for searching in an access-list. THX for your advice.

    a) sh access-list (name )
    It will show you the hitcount
    inet-FW# sh access-list no-nat-dmz
    access-list no-nat-dmz; 2 elements
    access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
    access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
    you can use the Pipe command for specifics such as
    show access-list (name ) | include ftp
    it will give you all lines containing deny
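
Hit counters only tell you what has already been matched. For the offline question asked above ("would this communication be allowed or denied?"), the following is an added example, not code from the thread or from Cisco: a small Python evaluator for Cisco IOS extended ACLs that applies first-match semantics and the implicit deny at the end of every list. It understands the keywords used in the threads above (any, host, wildcard masks, eq with a port number or name, established, log); the sample input is the ACL from the "Extended access list question" post, as show ip access-list prints it. The PORT_NAMES table is a small constructed subset of the names IOS uses.

```python
"""Added example: evaluate a Cisco IOS extended ACL offline, reporting the
action and the line that decided it (first match wins, implicit deny last)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the port names IOS prints in ACLs (constructed for this example).
PORT_NAMES = {"domain": 53, "www": 80, "ssh": 22, "telnet": 23, "smtp": 25,
              "ftp": 21, "https": 443}

# Constructed sample input: the ACL from the post above, with hit counters.
ACL_TEXT = """
Extended IP access list 100
    10 permit udp any host 192.168.155.18 eq domain (379 matches)
    20 permit tcp any host 192.168.155.18 eq domain (5 matches)
    30 permit tcp any host 192.168.155.18 established (1 match)
    40 deny udp any host 192.168.155.18 (788 matches)
    50 deny tcp any host 192.168.155.18 (79 matches)
    60 permit ip any any (562 matches)
"""


@dataclass
class Entry:
    seq: Optional[int]
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # destination port from 'eq', if any
    established: bool            # matches only TCP segments with ACK or RST set


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is an inverted netmask: 0 bits must match.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_entry(line: str) -> Entry:
    """Parse one ACE: 'access-list N ...', 'SEQ permit ...' or bare 'permit ...'."""
    line = re.sub(r"\(\d+ matche?s?\)", "", line).strip()   # drop hit counters
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    seq = None
    if t[0].isdigit():
        seq, t = int(t[0]), t[1:]
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport, established = None, False
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1])
            if dport is None:
                dport = int(t[i + 1])
            i += 2
        elif t[i] == "established":
            established, i = True, i + 1
        else:
            i += 1                        # 'log' and friends do not affect matching
    return Entry(seq, action, proto, src, dst, dport, established)


def load_acl(text: str) -> List[Entry]:
    """Parse every ACE in a 'show ip access-list' dump, skipping header lines."""
    return [parse_entry(raw) for raw in text.splitlines()
            if raw.split() and (raw.split()[0].isdigit()
                                or raw.split()[0] in ("access-list", "permit", "deny"))]


def evaluate(acl: List[Entry], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None, syn_only: bool = False):
    """Return (action, matching Entry or None) for the described packet.

    syn_only=True models the first packet of a TCP connection (ACK clear),
    which an 'established' line never matches.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.established and (proto != "tcp" or syn_only):
            continue
        return e.action, e
    return "deny", None               # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = load_acl(ACL_TEXT)
    action, hit = evaluate(acl, "tcp", "10.0.0.5", "192.168.155.18", dport=22, syn_only=True)
    print(f"ssh to 192.168.155.18: {action} by line {hit.seq if hit else 'implicit deny'}")
```

Run against the sample, a new SSH connection to 192.168.155.18 is denied by line 50 while DNS is permitted by line 10, which is the behaviour the poster expected from the list; when the device still accepts SSH, the list is either not applied to the interface or applied in the wrong direction, and the evaluator helps separate "the ACL is wrong" from "the ACL is not in the path". The same functions handle wildcard-mask entries such as the PLC list further down (permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818).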

  • Is correct the next access list?

    I have the next vlan configuration:
    interface Vlan1
    ip address 172.23.8.1 255.255.252.0
    no ip unreachables
    no ip directed-broadcast
    interface Vlan5
    ip address 172.23.60.1 255.255.255.0
    no ip unreachables
    no ip directed-broadcast
    In Vlan 1 I have the server 172.23.11.24, and I need the IP addresses of the PLCs, 172.23.60.1-15 (Vlan 5), to communicate only with the server 172.23.11.24 (Vlan 1) and only on specific TCP and UDP ports.
    The SERVER 172.23.11.24 should stay connected to the rest of the network and, on the TCP and UDP ports required, be able to communicate with 172.23.60.1-5.
    Attached is the list of TCP/UDP ports and protocols of the applications that run on the SERVER and of the ones the PLC handles. This information was supplied by Rockwell.
    The board 1788-ENBT is the PLC that we are using, and the remainder are applications that run on the server, except 17xx, which are PLC models.
    I am going to configure the following access list. Is this correct?
    interface Vlan5
    ip address 172.23.60.1 255.255.255.0
    ip access-group Control_Plc_Sub_electricas in
    no ip unreachables
    no ip directed-broadcast
    ip access-list extended Control_Plc_Sub_electricas
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
    permit udp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
    permit tcp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
    permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
    permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 2222
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 27000
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1234
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1330
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1331
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1332
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 3060
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 6543
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7600
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7700
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7710
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7720
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7721
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7722
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7723
    permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 135

    Hello,
    When checking your access list, it seems to me that the access-list is used as "in" for VLAN 5, i.e. "in" towards the VLAN.
    I understand this to be traffic from the PLCs towards the switch.
    Therefore the lines starting with "permit tcp/udp host 172.23.11.24" seem unnecessary, as no such traffic will enter the switch via vlan 5 (unless vlan 5 is also defined on a trunk towards some other switch behind which the server is situated).
    If you want to control outgoing traffic also, a separate access-list is needed.
    You can apply this list in the outgoing direction on Vlan 5, or, alternately, develop an access list for the incoming vlan where the server is situated.

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site to site VPN on my ASA. My question is: can I create an access list for the site to site tunnel but still let the remote access VPN bypass the access list via the sysopt command, or if I turn this off will it affect both the site to site and the remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

    Hi gurus ! I am using a 'createIf' node function to create a node in the target if a source field equates to a particular value. Normally, it would mean that only those fields in the source node that satisfies the condition of the 'createIf' would be