LMS 4.2 Compliance check extended access-list

Similar Messages

• Extended access list with multiple ports

  Hello All,
  I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
  I receive the following message:
  The informations of my Switch are the following:
  Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
  12.2(52)SG, RELEASE SOFTWARE (fc1)
  Please help me to resolve this problem.
  Best regards.

  Thank you Alex for your response.
  Yes, this is an example:
  permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
  I have more ACLs and each ACL contains more conditions with multiples Por

• ICMP Inspection and Extended Access-List

  I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
  What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
  policy-map global_policy
  class inspection_default
  inspect_icmp
  However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
  access-list inbound permit icmp any any echo-reply
  access-list inbound permit icmp any any source-quench
  access-list inbound permit icmp any any unreachable 
  access-list inbound permit icmp any any time-exceeded
  access-group inbound in interface outside
  Will the PING complete?
  Thank you,
  T.J.

  Hi, T.J.
  If problem is still actual, I can answer you this question.
  Let's see situation without ICMP inspection enabled:
  The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
  In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.
  Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.
  If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.
  P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower.

• Configuring Extended Access List with Any statement

  I have several questions where I'm fuzzy on a configuration already on my network.  Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
  1.  Are extended access-lists always source then destination?  Like in the following statement:
  permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
  2.  Further down though there is:
  permit tcp any host 172.16.4.11 eq 443.
  In that case is the source any host and the destination 172.16.4.11 ?
  This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
  3.  Also, when you do a:
  sho ip access-list -
  Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
  Thanks!

  Thank you Alex for your response.
  Yes, this is an example:
  permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
  I have more ACLs and each ACL contains more conditions with multiples Por

• Failed Extended Access-list

  Hello all,
  I am trying to apply this extended access-list  to my router to permit the selected ports and deny the rest but my emails are not sending outside, all emails are stuck in the queue. If I remove the access-list, all emails goes freely. Whats left in my configuration?
  access-list 101 permit tcp host 192.168.111.30 eq 53 any
  access-list 101 permit udp host 192.168.111.30 eq 53 any
  access-list 101 permit tcp host 192.168.111.30 eq 25 any
  access-list 101 permit tcp host 192.168.111.30 eq 443 any
  access-list 101 permit tcp host 192.168.111.30 eq 587 any
  access-list 101 permit tcp host 192.168.111.30 eq 995 any
  access-list 101 deny ip any any
  Interface Dialer 0
  ip access-group 101 out

  Here is the complete configuration.
  Router#sh run
  Building configuration...
  Current configuration : 3665 bytes
  ! Last configuration change at 09:23:31 UTC Wed May 28 2014 by admin
  ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
  ! NVRAM config last updated at 06:42:17 UTC Wed May 28 2014 by admin
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  no aaa new-model
  crypto pki token default removal timeout 0
  ip source-route
  ip cef
  no ipv6 cef
  license udi pid C887VA-W-E-K9 sn FCZ1624C30K
  username admin privilege 15 password 7 045A0F0B062F
  controller VDSL 0
  crypto isakmp policy 1
   encr 3des
   hash md5
   authentication pre-share
   group 2
  crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
  crypto ipsec transform-set TS esp-3des esp-md5-hmac
  crypto ipsec profile protect-gre
   set security-association lifetime seconds 86400
   set transform-set TS
  interface Loopback0
   ip address 10.10.10.1 255.255.255.255
  interface Tunnel4120
   ip address 10.0.0.1 255.255.255.0
   no ip redirects
   ip mtu 1400
   ip nhrp authentication cisco
   ip nhrp map multicast dynamic
   ip nhrp network-id 123
   ip tcp adjust-mss 1360
   tunnel source Dialer0
   tunnel mode gre multipoint
   tunnel key 123
   tunnel protection ipsec profile protect-gre
  interface ATM0
   no ip address
   no atm ilmi-keepalive
   pvc 0/35
    pppoe-client dial-pool-number 1
  interface Ethernet0
   no ip address
   shutdown
   no fair-queue
  interface FastEthernet0
   no ip address
  interface FastEthernet1
   no ip address
  interface FastEthernet2
   no ip address
  interface FastEthernet3
   no ip address
  interface Wlan-GigabitEthernet0
   description Internal switch interface connecting to the embedded AP
   switchport mode trunk
   no ip address
  interface wlan-ap0
   description Embedded Service module interface to manage the embedded AP
   ip unnumbered Vlan1
  interface Vlan1
   ip address 192.168.111.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly in
   ip tcp adjust-mss 1360
  interface Dialer0
   ip address negotiated
   ip access-group 101 out
   ip nat outside
   ip virtual-reassembly in
   encapsulation ppp
   dialer pool 1
   ppp authentication chap callin
   ppp chap hostname xxxxxxxxxxxxxxxxx
   ppp chap password 7 03077313552D0F411E512D
  router rip
   version 2
   network 10.0.0.0
   network 192.168.111.0
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat inside source list 1 interface Dialer0 overload
  ip nat inside source static tcp 192.168.111.30 25 xxx.xxx.xxx.xxx 25 extendable
  ip nat inside source static tcp 192.168.111.30 443 xxx.xxx.xxx.xxx 443 extendable
  ip nat inside source static tcp 192.168.111.30 587 xxx.xxx.xxx.xxx 587 extendable
  ip nat inside source static tcp 192.168.111.30 995 xxx.xxx.xxx.xxx 995 extendable
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 permit 192.168.111.30
  access-list 10 permit 192.168.111.0 0.0.0.255
  access-list 101 permit tcp host 192.168.111.30 eq 53 any
  access-list 101 permit udp host 192.168.111.30 eq 53 any
  access-list 101 permit tcp host 192.168.111.30 eq 25 any
  access-list 101 permit tcp host 192.168.111.30 eq 443 any
  access-list 101 permit tcp host 192.168.111.30 eq 587 any
  access-list 101 permit tcp host 192.168.111.30 eq 995 any
  access-list 101 deny ip any any
  line con 0
  line aux 0
  line 2
   no activation-character
   no exec
   transport preferred none
   transport input all
   stopbits 1
  line vty 0 4
   access-class 10 in
   login local
   transport input all
  scheduler allocate 20000 1000
  end
  Router#

• Change an extend access list in a prefix list

  Hallo All,
  I would like to translate an extend access list in a prefix list.
  ip access-list extended x_to_y
  permit ip 1.1.1.1 0.0.1.255 any
  deny ip any host 3.3.3.3
  Any hint?
  Thanks!!!

  Hi Fabio,
  I am sorry but to my best knowledge, this is not going to work.
  You want to perform Policy Based Routing (PBR). For PBR, the packet selection is based on inspecting their header values by an ACL. A prefix-list does not inspect header values; rather, it would inspect routing update contents. This is also the reason why you cannot figure out how to rewrite the second line - because a prefix-list does not have a source-and-destination semantics. It is simply a list of network addresses you would be looking for in routing protocol updates.
  Even the documentation at
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/15-mt/iri-15-mt-book/iri-pbr.html
  clearly shows that the only supported match commands are match length and match ip address - not match ip address prefix-list.
  I wonder - how come that your platform is unable to accomodate an ACL for PBR in hardware? Can we perhaps try to make this work? A prefix-list is not the way to go.
  Best regards,
  Peter

• ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

  Hi All,
  I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
  access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
  Is it matching the egress interface or what?

  Use the interface name rather than IP address to match traffic based
  on which interface is the source or destination of the traffic. You must
  specify the interface keyword instead of specifying the actual IP
  address in the ACL when the traffic source is a device interface. For
  example, you can use this option to block certain remote IP addresses
  from initiating a VPN session to the ASA by blocking ISAKMP. Any
  traffic originated from or destined to the ASA, itself, requires that you
  use the access-group command with the control-plane keyword.

• Extended access list on Cisco routers

  Can you edit an access list without delete the entire list? In other words, can you remove a sequence entry with the access list?
  Thanks

  Yes, you can.  If you do sh access-list, the router will show the sequence number.  You can than add a sequence, delete a sequence or change one.
  For example  if you have an acces-list like this:
  Extended IP access list test
  10 deny ip 10.10.10.0 0.0.0.255 any log
  15 deny ip 11.11.11.0 0.0.0.255 any log
  you can now add a new sequence between 10 and 15
  11 deny ip 172.16.10.0 0.0.0.255 any log
  You just have to make sure to use the sequence number when you create the last access-list
  HTH

• Extended access-list error using FQDN

  Hi,
  I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host.
  For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.
  This is how I normally add these rules (the ip addresses are fictive):
  access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
  When I try to add this using the hostname on our asa I get an error:
  access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com  ?
  ERROR: % Unrecognized command
  I've tried it without the 'www', so hostname.com but same error.
  How can I solve this?
  Thanks in advance for your time and help
  Regards,

  @zulqurnain
  Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too.

• Extended access list question

  Hello,
  any suggestions why the following ACL will not apply?
  access-list 100 permit udp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 established
  access-list 100 deny udp any host 192.168.155.18
  access-list 100 deny tcp any host 192.168.155.18
  access-list 100 permit ip any any
  interface GigabitEthernet0/2.16
  description Subnetz 192.168.155.16/28
  encapsulation dot1Q 16
  ip address 192.168.155.17 255.255.255.240
  ip access-group 100 in
  The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
  Thanks,
  Thomas

  Hi Rick,
  no there is no NAT or other things turned on on this device.
  Router#sh ip access-list 100
  Extended IP access list 100
      10 permit udp any host 192.168.155.18 eq domain (379 matches)
      20 permit tcp any host 192.168.155.18 eq domain (5 matches)
      30 permit tcp any host 192.168.155.18 established (1 match)
      40 deny udp any host 192.168.155.18 (788 matches)
      50 deny tcp any host 192.168.155.18 (79 matches)
      60 permit ip any any (562 matches)
  Router#sh ip int gi0/2.16
  GigabitEthernet0/2.16 is up, line protocol is up
    Internet address is 192.168.155.17/28
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound  access list is not set
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP Flow switching turbo vector
    IP Flow CEF switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Full Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is disabled
    BGP Policy Mapping is disabled
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
  Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
  Thanks,
  Thomas

• ACL - extended access lists

  Hi, I'm working through the CCNA ICND2.  Section:  IP Access Control Lists
  On p246 it says "the access-list command must use protocol keywork tcp to be able to match TCP ports and the udp keyword to be able to match UPD ports"
  in an example on p264 they list the statement "access-list 101 permit any any eq telnet"
  I would assume that "telnet" is a word value for "port 23" (just like you can type  "eq www" instead of "port 80")
  therefore does it not have to read "access-list 101 permit tcp any any eq telnet"
  ??? many thanks for your answers - much appreciated.

  it's a typo!!

• LMS compliance check on all access lists

  Hello, I am trying to create a complaince template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLAN's but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices therefore I need to use wildcards for the name.     
  thanks.           

  I forgot to mention that i am running this against Cisco ASA devices which displays like this:
  access-list TEST_ACL extended deny ip any any
  I have tried:
  access-list [#.*#] extended deny ip any any
  but it returns all as compliant becuase it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
  Any ideas?

• Port Forwarding & Access List Problems

  Good morning all,
  I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists, and port forwarding configurations and I can not seem to access the server from outside the network. . I've included my config file below, any help would be greatly appreciated!  I've researched a lot lately but I'm still learning.  Side note:  I've replaced the external ip address with 1.1.1.1.
  I've added the bold lines in the config file below in hopes to forward port 80 to 192.168.0.250 to no avail.  You may notice I dont have access-list 102 that i created on any interfaces.  This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet. 
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname pantera-office
  boot-start-marker
  boot-end-marker
  no logging buffered
  enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
  aaa new-model
  aaa authentication login default local
  aaa session-id common
  dot11 syslog
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.0.1 192.168.0.150
  ip dhcp excluded-address 192.168.0.251 192.168.0.254
  ip dhcp pool private
     import all
     network 192.168.0.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4 
     default-router 192.168.0.1 
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  ip domain name network.local
  multilink bundle-name authenticated
  crypto pki trustpoint TP-self-signed-4211276024
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-4211276024
   revocation-check none
   rsakeypair TP-self-signed-4211276024
  crypto pki certificate chain TP-self-signed-4211276024
   certificate self-signed 01
    3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
    69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535 
    31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132 
    37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
    8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626 
    31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881 
    1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4 
    93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96 
    D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06 
    03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261 
    746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF 
    41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41 
    FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D 
    14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944 
    82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703 
    E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79 
    D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
    quit
  username pantera privilege 15 password 0 XXXX
  username aneuron privilege 15 password 0 XXXX
  archive
   log config
    hidekeys
  crypto isakmp policy 1
   encr 3des
   authentication pre-share
   group 2
  crypto isakmp key xxxx address 2.2.2.2
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
  crypto map SDM_CMAP_1 1 ipsec-isakmp 
   description Tunnel to 2.2.2.2
   set peer 2.2.2.2
   set transform-set ESP-3DES-SHA 
   match address 100
  interface FastEthernet0/0
   description $ETH-WAN$
   ip address 2.2.2.2 255.255.255.0
   ip nat outside
   ip virtual-reassembly
   duplex auto
   speed auto
   crypto map SDM_CMAP_1
  interface FastEthernet0/1
   description $ETH-LAN$
   ip address 192.168.0.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly
   duplex auto
   speed auto
  interface Serial0/0/0
   no ip address
   shutdown
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 1.1.1.1
  no ip http server
  ip http authentication local
  no ip http secure-server
  ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
  ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
  ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
  ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
  ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
  ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
  ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
  ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
  ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
  ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
  ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
  ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.0.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
  access-list 101 permit ip 192.168.0.0 0.0.0.255 any
  access-list 102 remark Web Server ACL
  access-list 102 permit tcp any any
  snmp-server community public RO
  snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
  snmp-server enable traps vrrp
  snmp-server enable traps ds1
  snmp-server enable traps tty
  snmp-server enable traps eigrp
  snmp-server enable traps envmon
  snmp-server enable traps flash insertion removal
  snmp-server enable traps icsudsu
  snmp-server enable traps isdn call-information
  snmp-server enable traps isdn layer2
  snmp-server enable traps isdn chan-not-avail
  snmp-server enable traps isdn ietf
  snmp-server enable traps ds0-busyout
  snmp-server enable traps ds1-loopback
  snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
  snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
  snmp-server enable traps disassociate
  snmp-server enable traps deauthenticate
  snmp-server enable traps authenticate-fail
  snmp-server enable traps dot11-qos
  snmp-server enable traps switch-over
  snmp-server enable traps rogue-ap
  snmp-server enable traps wlan-wep
  snmp-server enable traps bgp
  snmp-server enable traps cnpd
  snmp-server enable traps config-copy
  snmp-server enable traps config
  snmp-server enable traps entity
  snmp-server enable traps resource-policy
  snmp-server enable traps event-manager
  snmp-server enable traps frame-relay multilink bundle-mismatch
  snmp-server enable traps frame-relay
  snmp-server enable traps frame-relay subif
  snmp-server enable traps hsrp
  snmp-server enable traps ipmulticast
  snmp-server enable traps msdp
  snmp-server enable traps mvpn
  snmp-server enable traps ospf state-change
  snmp-server enable traps ospf errors
  snmp-server enable traps ospf retransmit
  snmp-server enable traps ospf lsa
  snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
  snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
  snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
  snmp-server enable traps ospf cisco-specific errors
  snmp-server enable traps ospf cisco-specific retransmit
  snmp-server enable traps ospf cisco-specific lsa
  snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
  snmp-server enable traps pppoe
  snmp-server enable traps cpu threshold
  snmp-server enable traps rsvp
  snmp-server enable traps syslog
  snmp-server enable traps l2tun session
  snmp-server enable traps l2tun pseudowire status
  snmp-server enable traps vtp
  snmp-server enable traps aaa_server
  snmp-server enable traps atm subif
  snmp-server enable traps firewall serverstatus
  snmp-server enable traps isakmp policy add
  snmp-server enable traps isakmp policy delete
  snmp-server enable traps isakmp tunnel start
  snmp-server enable traps isakmp tunnel stop
  snmp-server enable traps ipsec cryptomap add
  snmp-server enable traps ipsec cryptomap delete
  snmp-server enable traps ipsec cryptomap attach
  snmp-server enable traps ipsec cryptomap detach
  snmp-server enable traps ipsec tunnel start
  snmp-server enable traps ipsec tunnel stop
  snmp-server enable traps ipsec too-many-sas
  snmp-server enable traps ipsla
  snmp-server enable traps rf
  route-map SDM_RMAP_1 permit 1
   match ip address 101
  control-plane
  line con 0
   logging synchronous
  line aux 0
  line vty 0 4
  scheduler allocate 20000 1000
  end
  Any/All help is greatly appreciated!  I'm sorry if I sound like a newby!
  -Evan

  Hello,
  According to the config you posted 2.2.2.2 is your wan ip address and 1.1.1.1 is the next hop address for your wan connection. The ip nat configuration for port forwarding should look like
  Ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
  If your provider assigns you a dynamic ipv4 address to the wan interface you can use
  Ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
  Verify the settings with show ip nat translation.
  Your access list 102 permits only tcp traffic. If you apply the acl to an interface dns won't work anymore (and all other udp traffic). You might want to use a statefull firewall solution like cbac or zbf combined with an inbound acl on the wan interface.
  Best Regards
  Lukasz

• Is correct the next access list?

  I have the next vlan configuration:
  interface Vlan1
  ip address 172.23.8.1 255.255.252.0
  no ip unreachables
  no ip directed-broadcast
  interface Vlan5
  ip address 172.23.60.1 255.255.255.0
  no ip unreachables
  no ip directed-broadcast
  In the Vlan 1 I Have the Server 172.23.11.24 and I need that the Ip address of the PLC 172.23.60.1-15 (VLan 5) communicate with the Server 172.23.11.24 (Vlan 1) only and with the ports TCP and UPD specific.
  The SERVER 172.23.11.24 should be connected with the remainder of the network and with the Ports TCP and UDP that be required to have communication 172.23.60.1-5
  In Attachment are the listing of ports and protoclos TCP / UDP of the Applications that run in the SERVER and the ones that handles the PLC. This information was supplied by Rockwell
  In the Board 1788-ENBT is the PLC that are utilizing and the Remainder are applications that run in the Servant, except 17xx that are models of PLc.
  I am going to configure the following list of access, ?This correct one?
  interface Vlan5
  ip address 172.23.60.1 255.255.255.0
  ip access-group Control_Plc_Sub_electricas in
  no ip unreachables
  no ip directed-broadcast
  ip access-list extended Control_Plc_Sub_electricas
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
  permit udp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 44818
  permit tcp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
  permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 44818
  permit udp host 172.23.11.24 172.23.60.0 0.0.0.15 eq 2222
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 27000
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1234
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1330
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1331
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 1332
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 3060
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 6543
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7600
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7700
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7710
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7720
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7721
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7722
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 7723
  permit tcp 172.23.60.0 0.0.0.15 host 172.23.11.24 eq 135

  Hello,
  When checking your access list, it seems to me that the access-list is used as "in" for VLAN 5, i.e. "in" towards the VLAN.
  I understand this to be traffic from the PLCs towards the switch.
  Therefore the lines starting with "permit tcp/udp host 172.23.11.24" seem unnecessary, as no such traffic will enter the switch via vlan 5 (unless vlan 5 is also defined on a trunk towards some other switch behind which the server is situated.
  If you want to control outgoing traffic also, a separate access-list is needed.
  You can apply this list in the outgoing direction on Vlan 5, or, alternately, develop an access list for the incoming vlan where the server is situated.

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.