NAC access list question

Similar Messages

• Access-list Question

  Hi,
  Can somebody explain me when to use "established" word at the end of access-list.

  "established" is a keyword used in the automatically generated ACLs for TCP return connections.
  check for this URL to get more infirmation.
  http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webprtal/7fire.htm#1110326
  hope it helps ... rate if it does ...

• Simple SSH Access-List Question

  I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
  Thank you,
  Thomas Reiling

  Hi there,
  If using ssh make sure you have a domain name, host name and a generated rsa key.  Assuing you've done that, the the following ACL and line vty command will do the trick.  Note that the 1-50 host list is not on a subnet barrier.
  To get it exactly
  access-list 1 remark ALLOW MANAGEMENT
  access-list 1 permit 192.168.200.0 0.0.0.31
  access-list 1 permit 192.168.200.32 0.0.0.15
  access-list 1 permit 192.168.200.48 0.0.0.1
  access-list 1 host 192.168.200.50
  access-list 1 deny any log
  It would be a good idea to put it on a boundary though, so the following would be much more simpler and easier to read.
  access-list 1 remark ALLOW MANAGEMENT
  access-list 1 permit 192.168.200.0 0.0.0.63
  access-list 1 deny   any log
  Apply the access-class on the vty lines and depending on authentication, i'd put something there too.
  line vty 0 4
  access-class 1 in
  transport input ssh
  password blahblah
  That ought to do it.
  good luck!
  Brad

• Extended access list question

  Hello,
  any suggestions why the following ACL will not apply?
  access-list 100 permit udp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 established
  access-list 100 deny udp any host 192.168.155.18
  access-list 100 deny tcp any host 192.168.155.18
  access-list 100 permit ip any any
  interface GigabitEthernet0/2.16
  description Subnetz 192.168.155.16/28
  encapsulation dot1Q 16
  ip address 192.168.155.17 255.255.255.240
  ip access-group 100 in
  The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
  Thanks,
  Thomas

  Hi Rick,
  no there is no NAT or other things turned on on this device.
  Router#sh ip access-list 100
  Extended IP access list 100
      10 permit udp any host 192.168.155.18 eq domain (379 matches)
      20 permit tcp any host 192.168.155.18 eq domain (5 matches)
      30 permit tcp any host 192.168.155.18 established (1 match)
      40 deny udp any host 192.168.155.18 (788 matches)
      50 deny tcp any host 192.168.155.18 (79 matches)
      60 permit ip any any (562 matches)
  Router#sh ip int gi0/2.16
  GigabitEthernet0/2.16 is up, line protocol is up
    Internet address is 192.168.155.17/28
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound  access list is not set
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP Flow switching turbo vector
    IP Flow CEF switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Full Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is disabled
    BGP Policy Mapping is disabled
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
  Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
  Thanks,
  Thomas

• IPSEC access-list question

  Hi,
  I have an access-list with the following line...
  permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
  and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
  protected vrf:
  local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
  current_peer: 62.140.138.249:500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors 0, #recv errors
  I also show a crypto ipsec sa which doesn't correspond directly to my accesslist. This is the second time I've seen this... is there any part of IPsec where the access-list are shared with the other end? i didn't think so, but I'm not sure how we got this, if not.
  protected vrf:
  local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
  current_peer: 62.140.138.249:500
  PERMIT, flags={}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
  #send errors 0, #recv errors 0
  Thanks!!

  Can you post the configuration from this device.
  Regards,
  Arul

• Questions on Reflexive Access Lists

  Hi Sir,
  I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
  The config on the core router is as follows:
  int Vlan10
  description *** Server Farm ***
  ip address 172.16.10.1 255.255.255.0
  ip access-group inboundfilters in
  ip access-group outboundfilters out
  int Vlan20
  description *** Marketing Department ***
  ip address 172.16.20.1 255.255.255.0
  int Vlan30
  description *** Engineering Department ***
  ip address 172.16.30.1 255.255.255.0
  ip access-list extended outboundfilters
  permit tcp any any eq telnet
  permit tcp any any eq smtp
  evaluate iptraffic
  ip access-list extended inboundfilters
  permit ip any any reflect iptraffic
  My questions:
  (1) I yet to test the above config on an actual router. However, is it correct theoretically?
  (2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
  (3) If you have other better feature options that meet my requirements, please do recommend.
  Please advise.
  Thank you.
  B.Rgds,
  Lim TS

  Hi Lim,
  CBAC is good as well, considering the following features:
  1. Traffic Filtering:
  - filters TCP and UDP packets based on application-layer protocol session information.
  - permit specified TCP and UDP traffic through a firewall when the connection is initiated from inside protected network, or outside network.
  2. Traffic Inspection
  - discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
  - Protect against DoS attack by checking/verifying sequence no (must be within the expected range) and discard unknown packets. Same goes to attack via fragmented IP.
  3. Alerts and Audit Trails
  - can send real-time alerts and audit trails to syslog server (or buffer log)
  4. Intrusion Detection
  - Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.
  Limitations:
  1. Only protect protocol you specify. The rest will depend on ACL you have in the router but not up to session layer.
  2. No protection for attacks originating from internal network, unless if you have firewall (pix/asa/ios-firewall) protection.
  3. Only protect certain type of well-known attacks only - based on 59 embedded IDS signatures
  For spoofing protection, i.e spoof attack from outside/common user segment, maybe you should apply RFC2827 (prevent IP on protected segment from coming back into that segment from outside). Make sure your ACL has the 'establish' keyword as well. As recommended by Cisco, you should apply multiple layer of security protection both on your router and other devices connected to it.
  Cheers!

• Access-list port range question

  Hi,
  I would like to clarify the exact operation of the below command:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  ip access-list extended VoiceACL
  permit udp any any range 16384 16387
  Thus the range statement in the above access list specify that it allow only three ports "16384 to 16387". Is that correct ? Bit confused with this command. One of my friend said that the range statement not just specify 3 ports,but it specify the starting port as 16384 and the end port number 32771 [16384+16387].
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Value1] = starting port number
  [Value2] + [Value1] = end port number
  Thanks
  Nachi

  Hi Nachi,
  This represent the ports ranging between the first number and the last number included, in your case this is actually 4 ports: 16384, 16385, 16386 and 16387
  Regards,
  Raphael

• Vpn site to site and remote access , access lists

  Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

  If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

• Acl-name in access-list requirements

  Hi,
  I would ask about the acl-name in access-list,
  Does it act as a link between the ACL and an interface?
  or it could be written as any-thing, without any constrains?
  such as
  access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
  is it OK?
  or test_ACL should be defined somewhere prior using it in ACL?

  just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs.  Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map.  Another comon use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
  But for this specific ACL that you mention, the question you need to answer is, does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted?  If the answer is no to either of thaese then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
  Whether the ACL itself can be removed, I would assume it is safe to  remove as it is called test_ACL, but then again, I have see people set up test configurations and then leave them as is without changing the name.  So I would suggest investigating further to see if the name test_ACL is referenced any other places in your configuration.
  Please remember to select a correct answer and rate helpful posts

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

• Access List - cisco 2600- HELP

  Hi,
  i want ask we, if the access list are bi-directional or it are one-directional?
  If i want negate "LAN A" (eth1) to go in "LAB B" (eth0) which acl i must use and then "LAN B" can go to "LAN A"?
  Thanks

  Emanuele
  When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
  I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
  If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
  If I have not understood your question correctly please clarify what you are attempting to accomplish.
  HTH
  Rick

• Nered to know where I can view ACL denies regarding "access-list deny any log" ?

  I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
  I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

  Hi,
  Yes, with an extended access-list with the last line:
  deny ip any any log
  with "sh log" you can  see the source address of the packets being dropped.
  Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
  logging console debugging
  logging monitor debugging
  With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
  access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
  access-list 101 deny   udp any range 0 65535 any range 0 65535 log
  access-list 101 deny   icmp any any log
  access-list 101 deny   ip any any log
  to log the sources and destinations IPs and port numbers.
  Best Regards,
  Pedro Lereno

• ADF SelectOneChoice List Question

  I posted the following message in the Toplink forum and they have suggested I try over here:
  Toplink Essentials List Question
  ==================
  I am new to Toplink Essentials. I am using Toplink Essentials inside of JDeveloper 11g, against Oracle Express and ADF/Trinidad and have used JDeveloper's "Entities from Tables" wizard to reverse engineer my database into Toplink pojo objects. After this I used JDeveloper's wizard to create a JavaServiceFacade and then generate a Data Control.
  After expanding the DataControl (which is mapped to the JavaServiceFacade) I have a method queryEntityFindAll(). Under this method I have serval attributes and then a list which represents a "many-side" of this entitie's relationship with another entity. How do I create a selectOneChoice using this list?
  I've tried expanding queryEntityFindAll() and then dragging the list to a jspx page, setting the Base Data Source to "JavaServiceFacade.queryEntityFindAll.listName and then setting the List Data Source to "ListName : JavaServiceFacade.queryRelatedEntityFindAll". However, when I run the page the only thing that appears on the page is the selectOneChoice label... no drop down component appears on the page... no errors are generated to give any clue as to what my problem may be...
  Although I'm working in JDeveloper, I really believe this is a Toplink Essentials question...
  Please help!

  Thanks for the quick response!
  Using the department / employee example... I'm trying to create a form that allows a user to create a new department. I have dragged the "Department" object (located under queryDepartmentFindAll()) over to my jspx form. A form with corresponding fields is created.
  I notice that no field was created for employeeId. I expand the "Department" object (again, under queryDepartmentFindAll()) and observe that "Employee" is present, as a list (expanding Employee provides access to employee object attributes along with another list entitled departmentList).
  I know that it's unlikely that only one employee would be selected in the creation of a department... but I'm sticking to the example...
  So, I drag the "Employee" (again, under queryDepartmentFindAll()) object over to the newly created form and from the pop-up menu I choose selectOneChoice as the desired component. I run the jspx page, Internet Explorer 7 browser pops up and all labels display on the page, all fields but no selectOneChoice component appears on the screen... the space is there for it but it appears to be invisible. I have checked the Employee table and there is data to be displayed... it's just that I must be missing something...

• ICMP Inspection and Extended Access-List

  I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
  What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
  policy-map global_policy
  class inspection_default
  inspect_icmp
  However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
  access-list inbound permit icmp any any echo-reply
  access-list inbound permit icmp any any source-quench
  access-list inbound permit icmp any any unreachable 
  access-list inbound permit icmp any any time-exceeded
  access-group inbound in interface outside
  Will the PING complete?
  Thank you,
  T.J.

  Hi, T.J.
  If problem is still actual, I can answer you this question.
  Let's see situation without ICMP inspection enabled:
  The Cisco ASA will allow ICMP packets only in case if ACL entry exist on interface, where packet goes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
  In case with ICMP inspection, with ACL entry you should allow only request packets, replies will be allowed based on ICMP inspection created connection.
  Speaking about your particular example with different security levels - with default ACL rule, that allow traffic from higher interface to lower - NO, you can do not enter that rules you described, and as you'll have successful ping.
  If you deleted this rule and administrate allowed traffic manually, then YES, you must allow ICMP requests to have successful ping.
  P.S. It's not a good practice to leave that default rule, which allow traffic from higher sec.lvl. to lower.

• Configuring Extended Access List with Any statement

  I have several questions where I'm fuzzy on a configuration already on my network.  Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
  1.  Are extended access-lists always source then destination?  Like in the following statement:
  permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
  2.  Further down though there is:
  permit tcp any host 172.16.4.11 eq 443.
  In that case is the source any host and the destination 172.16.4.11 ?
  This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
  3.  Also, when you do a:
  sho ip access-list -
  Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
  Thanks!

  Thank you Alex for your response.
  Yes, this is an example:
  permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
  I have more ACLs and each ACL contains more conditions with multiples Por