Hostname(with wildcards) based access-list or policy.

Similar Messages

• Thoroughly Confused with ADSM created access-lists when viewing ASA config

  Background:
  I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
  None of them ever removed any lines from the configuration, and none did any documentation.
  I have several basic questions, which show my ignorance.
  When examining the actual configuration from a CLI perspective:
  1. Does an ADSM-created access list end with any specific ADSM-added suffix?
  2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
  3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
  4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

  Actually, I don't think I ever made myself clear.
  I am working with a hard copy of the CLI.
  I have no acccess to the devices to run any commands, nor access to the ADSM.
  I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
  As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
  I have probably 10-15 different access lists in this config.
  Some look to be affiliated with specific ports. Some of these ports are up, some down.
  I have the same rule sets appearing in 3 separate access lists, in some cases.
  Of course, each of these 3 access lists is slightly different.
  Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
  An example:
  3 access lists:
  Prmary_Public_access_in
  Primary_Public_access_in_tmp
  Arin_Primary_Public_access_in
  Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
  Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
  Primary_Public_access_in does not appear to be directly associated with any one port
  So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

• Re-Rendering the entire panel with components based on list value selection

  Hi,
  I am new to swing.Wondering how to refresh the panel with modified data on selection from list.
  Here's the code I am trying .
  the function below is called withdifferent set of value s being passed in based on add,remove conditions.
  public void initGroupPanelComponents(Vector GroupListData,Object[] sourceItemsArray,Object[] sinkItemsArray)
  groupsPanel = new JPanel();
  groupsPanel.setLayout(null);
  botPanel = new JPanel(new BorderLayout());
  botPanel.setSize(500,600);
  if(sourceItemsArray.length!=0){
  sourceLabel = "New Members:";
  sinkLabel = "New Available";
  System.out.print("color change now!");
  groupsPanel.setBackground(Color.YELLOW);
  botPanel.setBackground(Color.GRAY);
  //revalidate();
  else{
  groupsPanel.setBackground(Color.BLUE);
  botPanel.setBackground(Color.WHITE);
  groupsPanel.setSize( 500, 300 );
  groupsList = new JList(groupNameListData);
  groupsList.setBorder(BorderFactory.createLineBorder(Color.gray));
  groupsList.setBounds(10,10,350,230);
  groupsPanel.add(groupsList);
  groupsList.addListSelectionListener(new groupNameListAction());
  groupsList.setListData(groupNameListData);
  addButton = new JButton("Add");
  addButton.setBounds(385,35,80, 20);
  addButton.addActionListener(new addNewGroupAction());
  removeButton = new JButton("Remove");
  removeButton.setBounds(385, 70, 80, 20);
  groupsPanel.add(addButton);
  groupsPanel.add(removeButton);
  duellist= new DualListPanel(sourceItemsArray, sinkItemsArray, sourceLabel,sinkLabel);
  botPanel.add(duellist);
  botPanel.setBounds(0, 270, 500,600);
  botPanel.setOpaque(true);
  getContentPane().add(groupsPanel);
  groupsPanel.add(botPanel,BorderLayout.SOUTH);
  getContentPane().invalidate();
  getContentPane().validate();
  setResizable(false);
  setVisible(true);
  Relevant suggestions are most welcome.
  Thanks in Advance!

  Thanks much our help.
  But,apperars to me that I have added the groupsList to the panel in the method.
  What I am trying to acheive here is, when a value is selected from the groupsList, accrodingly,in the ListActionListener, Iam trying to repaint the whole Panel with the list component above and duellist panel (a panel with 2 list components by side and buttons at the centre)obtained from dualListPanel Class .
  Appears to work fine the first time when DualListPanel is nstantiated with certain data passed in.But when a particular list value on top is selected, i would require this dualListPanel to be instantiated with a new set of data passed in.This,for some reasons fails to come up.
  Would Appreciate if you could suggest accordingly for this.
  Thanks much again!

• ASA 5510 8.2(1) Using hostnames in access-lists?

  I need to allow a specifc hostname through my firewall. I found this article: https://supportforums.cisco.com/docs/DOC-17014
  But it's only for 8.4 updated ASA's and above.
  Doing more research, I found this article: http://www.handbook.dk/block-domains-on-a-cisco-asa-152.htm
  And have been trying to reverse engineer it. Am I on the right track?
  Thanks in advance.

  Hello Adam,
  Here is the configuration you need:
  Access-list test permit tcp any any eq 80
  Regex google  \.google\.com
  policy-map type inspect http GOOGLE
  parameters
  match not request header host regex GOOGLE
    reset log
  class-map TEST
  match access-list test
  policy-map global_policy
  class TEST
  inspect http GOOGLE
  Regards
  CSC it's a free support community take your time to rate all the engineer's responses that help you resolving your problems.
  Julio

• Time-based access to WLAN/building for specific users using WCS/ACS

  Here's our situation:
  WCS: 7.0.172.0
  ACS: 4.2(1)
  MSE: 6.0.75.0
  For an hour or two each day during an event, we're trying to figure out how to prevent students from connecting to the wireless in a particular building.
  All students are in the same WLAN. Everybody on campus uses the same SSID. We dynamically assign users to WLANs based on who they are through ACS. In addition to 802.1x authentication, MAC address authentication is performed by way of ACS to our in-house NAC system, where all students have registered their computers with us. This currently uses the External ODBC Database option in ACS.
  Our contraints:
  - We want them to be able to access wireless at other campus areas during this time, just not in this one building.
  - Faculty/Staff needs to use the wireless in that building during that time. This prevents me from simply shutting down the radios temporarily.
  Has anybody attempted anything similar? Anybody have any thoughts or ideas?
  Ethan A. Cooper
  Network Administrator
  LeTourneau University

  Currently, IP and IPX extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. Both named or numbered access lists can reference a time range.
  For the further description following URL for the Time-Based Access Lists will help you.
  http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html#wp10236
  I hope it may help you.

• Nered to know where I can view ACL denies regarding "access-list deny any log" ?

  I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
  I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

  Hi,
  Yes, with an extended access-list with the last line:
  deny ip any any log
  with "sh log" you can  see the source address of the packets being dropped.
  Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
  logging console debugging
  logging monitor debugging
  With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
  access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
  access-list 101 deny   udp any range 0 65535 any range 0 65535 log
  access-list 101 deny   icmp any any log
  access-list 101 deny   ip any any log
  to log the sources and destinations IPs and port numbers.
  Best Regards,
  Pedro Lereno

• Time-based access controls

  Hello all,
  Is there a time-based access control that can be configured for a 4.2 WCS+WiSM setup either in the WCS or controller? Or am I limited to the ACLs for my Wireless VLAN on the switch. Ultimately, I would like to be able to configure certain APs to accept/deny connections at specific times of the day. Any suggestions would be appreciated. Thank you in advance for your time and help.
  Charles

  Currently, IP and IPX extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. Both named or numbered access lists can reference a time range.
  For the further description following URL for the Time-Based Access Lists will help you.
  http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html#wp10236
  I hope it may help you.

• Extended 48-bit MAC address access list

  How can I apply extended 48-bit MAC address access list on Cisco 7606?

  You can use the following example for the MAC address based access list :
  mac access-list extended CAPTURE 10
  permit any any
  vlan access-map IDS 10
  match mac address CAPTURE
  action forward capture
  vlan filter IDS vlan-list 115,119
  interface FastEthernet 3/48
  switchport
  switchport capture

• Access-list searching

  Hi all, I have only small questin. Do anyone of you know the way, how to easy find if communication is allowed or denied by access-list? I cannot try communication, I can only work with lines of access-list in console. Maybe its exist some program or script for searching in access-list. THX for you advice.

  a) sh access-list (name )
  It will show you the hitcount
  inet-FW# sh access-list no-nat-dmz
  access-list no-nat-dmz; 2 elements
  access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0
  .0.0 (hitcnt=0)
  access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255
  .0.0.0 (hitcnt=0)
  you can use the Pipe command for specifics such as
  show access-list (name ) | include ftp
  it will give you all lines containing deny

• Strange access list debug output

  I have a router interface configured with the following access list:
  access-list 101 permit tcp any any eq 23
  access-list 101 deny ip any any
  effectively, telnet is allowed and all other protocols are denied. when I start a debug on this access-list (debug ip packet list 101 detailed) and start telnetting to the router, everything works (as it should). But when I look with "show ip access list" I see there are about 30 matches on the "...eq 23" rule, which is correct, but there are also around 30 matches on the deny ip any any rule. The debug output shows only port 23 traffic and return traffic.
  My question: what packets hit the "deny ip any any" rule when starting a telnet session?

  Hi
  Could be a name resolution issue but the easiest way to check would be to change your second line in the access-list to
  access-list 101 deny ip any any log
  HTH
  Jon

• Clear access-list command syntax?

  hello all. running 7.2(2) on an ASA5510. in the Cisco documentation here:
  http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c1_72.html#wp2032432
  it seems to indicate that you can clear the counters on all your access-lists simultaneously with the clear access-list counters command, and that specifying a particular access-list ID is optional, however, in my ASA this does not seem to be the case, as i am forced to specify an access-list name. is this just a discrepancy in the documentation, am i misinterpreting it, or is there a way to actually accomplish this?
  thanks for your time.

  I would say that is an error in documentation. I see no way of clearing ALL counters. I checked a couple of my firewalls (different versions) and I can only clear an ACL at a time.
  #clear access-list inside_acl counters
  HTH and please rate.

• How to pass credentials/saml token access sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication

  How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication 
  Identity provider here is Oracle identity provider 
  harika kakkireni

  Hi,
  The following materials for your reference:
  Consuming List.asmx on a claims based sharepoint site
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
  Sharepoint Claims based authentication and Single Sign on
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
  Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
  Best Regards
  Dennis Guo
  TechNet Community Support

• Nexus1000v : ip access-list with port range

  Hi,
  I am configuring ip access-list policy with port range on Nexus1000v. I want to block traffic of a VM based on specific port or port range. Following is the example showing, blocking of rdp service (port - 3389) of vm x.x.x.x. But the scipt blocks all traffic of x.x.x.x.
  Can any body verify the scirpt and tell whats the problem with the script?
  vm x.x.x.x is on Veth2
  config t
  ip access-list Veth2_rc_vmfw_acl_in
  deny tcp any host x.x.x.x eq 3389
  exit
  ip access-list Veth2_rc_vmfw_acl_out
  deny tcp host x.x.x.x any eq 3389
  exit
  interface Veth2
  ip port access-group Veth2_rc_vmfw_acl_in in
  ip port access-group Veth2_rc_vmfw_acl_out out
  exit
  exit
  Thanks

  License? Check Data Features

• Need Help to create access-list based on traffic logs

  Hello,
  We didn't have any Firewall in our network, we recently implemented  Cisco ASA (Context) firewall in our network with any  any permit rule .
  Our intension is to collect the source, destination, protocol & ports based on the traffic logs and then implement the access-lists , once we confirmed all the rule will added to the firewall we want remove any any permit rule .
  I need some suggestion regarding this how we can proceed on this plan, any suggestions appreciated
  Rajkumar

  Hi Rajkumar,
  That is not the ideal way of doing... this will lead to a provisioning an unauthorized person to access for something he is not authorized to.
  How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....
  If your case is something like this.... all users need unrestricted intranet access and certain users alone requires internet acceess... then you can define rules accordingly....
  Regards
  Karthik
  Regards
  Karthik

• LDAP (openldap) authorization with DAP (dymamic access policy)

  Hello,
  We have a asa 5520 and we try to make a ldap (openLdap) authorization with DAP (Dynamic Access Policy). We have problem with logical expression. We need more example of logical expression and we need to know how debug logical expression. We try to use de Debug dap trace and debug dap error but we need more debug informations.

  Hi
  I guess you are using an ldap attribute map, to map the ad group to a group policy. This does not work as you may expect when the user is part of multiple groups, I.e. the user will always be mapped to the same group (first or last in the list, not sure).
  Possible solution : remove the ldap attribute map, and configure dap rules that check the ldap.memberOf attribute instead
  Hth
  Herbert
  Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.