Pb access-list Catalyst 4507r
Hi
I have 2 vlan : 192.168.38.0 and 192.168.31.0.
In the 38.0 network, I have an exchange server.
And in the 31.0 network, I have a clients(microsoft outlook).
The pb is when i configure the access-list, the client start a 135 port communication but it don't have an answer.
But if i open the all port, it's Ok.
Here, my access-list.
Could you confirm if it's ok
in advance, Thank you
access-list 131 remark sur interface vlan 31 Client NB
access-list 131 permit ip any 192.168.31.0 0.0.0.255
access-list 131 permit tcp any host 192.168.38.203 eq 135
access-list 131 permit icmp any 192.168.38.0 0.0.0.255
access-list 131 deny ip any any
access-list 138 remark sur interface vlan 38 Bureautique
access-list 138 permit ip any 192.168.38.0 0.0.0.255
access-list 138 permit icmp any 192.168.31.0 0.0.0.255
access-list 138 deny ip any any
Hi,
Thank you very much.
When i see with the ethereal soft, the client need to open a range port(>1024).
Please give me the access-list
In advance thanks!!
Similar Messages
-
VLAN's, subinterface, access-lists and 3560 catalyst switch?
Hi,
How can I isolate VLAN 121 from all others?
I have a cisco 2811 router connected to a 3560 catalyst switch which has 5 VLAN's of which I need to protect IP traffic of 4 from 1.
The following VLANs configured on the switch:
VLAN 0 192.168.132.0 /24
VLAN 135 ..135.0 /24
VLAN 137 ..137.0 /24
VLAN 139 ..139.0.24 and lastly,
VLAN 121 192.168.121.0 /24 which I wish to isolate all IP from VLAN 0, 135, 137, and 139 but have internet out the 2811's other interface. Currently all VLAN's and routing are working perfectly.
I need some advice please. Here is my plan: to split the FA0/0 into FA0/0.1 for VLAN 121 using dot1q and apply an access-list to deny 192.168.121.0 to the FA0/0 interface. Since I'm essentially creating VLAN's with the router can or will that interfere with the Switch VLAN configuration? router on a stick vs. a Layer 4 Cisco 3560 Catalyst switch?
Thank you!I will have to assume VLAN 0 is the native VLAN / default interface on the router? All VLANs are numbered native or not. Just ensure the VLAN numbering matches between the router and the trunking on the switch.
Yes, you could create a sub interface on the 2811 and use the router to route the VLAN. Apply an access list on the other interfaces to block access to the VLAN you want to protect. If you have routing enabled on the 3560 as well you would complicate the situation a bit more.
Please rate helpful posts! :-) -
Mac access-list enable on catalyst 2924xl ??
Does the command mac access-list run on a catalyst switch 2924 runing 2900xl ver 12.0(5)WC12 ios version
thanksHi,
2900/3500 xl's does not support ACL's.
regards,
-amit singh -
Can't make redirect-list on 4507R-E
I need to deploy WAAS between a branch and HQ.
The HQ side is a catalyst switch 6509-E (VSS) and branch side is a catalyst 4507R-E.
The 6509-E supports "Redirect Filter" (an access-list) filtering just the traffic you want. The following is my access-list on HQ side :
ip wccp 61 redirect-list WCCPLIST group-list 3
ip wccp 62 redirect-list WCCPLIST group-list 3
access-list 3 permit 10.X.X.X <--------- WAE IP address
ip access-list extended WCCPLIST
remark ** ACL used for WCCP redirect-list **
remark Deny VoIP Control Traffic
deny tcp any any eq 1300
deny tcp any any eq 2428
deny tcp any any eq 2000
deny tcp any any eq 2001
deny tcp any any eq 2002
deny tcp any any eq 2443
deny tcp any any eq 1718
deny tcp any any eq 1719
deny tcp any any eq 1720
deny tcp any any eq 5060
deny tcp any any range 11000 11999
remark Deny MGT Traffic
deny tcp any any eq telnet
deny tcp any eq telnet any
deny tcp any any eq 22
deny tcp any any eq 161
deny tcp any any eq 162
deny tcp any any eq 123
deny tcp any any eq 8443
remark Deny Routing
deny tcp any any eq bgp
remark Deny Authentication Traffic
deny tcp any any eq tacacs
remark Accelerate Traffic between Branch and HQ
permit tcp 10.Br.Br.0 0.0.0.255 10.HQ.HQ.0 0.0.0.255
permit tcp 10.HQ.HQ.0 0.0.0.255 10.Br.Br.0 0.0.0.255
Whereas on the Branch side, the platform 4507R-E doesn't support ACL with WCCP, so it means the WCCP will intercept all the TCP traffic.
What would be the impact and how do i deal with this situation.
Or is the WAEintellgent enough to pass through the unwanted traffic ?
Or do i need to make individual policy for pass-through for each of the unwanted traffic ?
Regards,
JilaniHi Jilani,
Can't see from your mail what kind of supervisor you are using in your 45xx switch.
But please be aware that if your're using af SUP-7-E or a SUP-7-L-E WCCP is NOT supported for the time being.
WCCP is supported in Hardware but we're waiting for a software release, which supports this.
This is according to the release notes :
SUP-7-L-E : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/release/note/OL_25346.html
SUP-7-E : http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst4500/release/note/OL_24726.html
Strange thing is that you can actually "configure" some WCCP stuff, but the config will never hit the running-config.
And you cannot enable WCCP.
Feature navigator states that WCCP is available in IOS XE 3.2.0XO (for SUP-7-L-E) but release notes tend to be more trustworthy that feature navigator.
Best Regards
Finn Poulsen -
Need help for access list problem
Cisco 2901 ISR
I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3Hello,
Host will can't get internet connection
I remove this configuration...... access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and change the configuration .... ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I will allow only host 10.25.7.136 but it isn't work.
No internet connection from the TMG Server. -
Cisco ISE and WLC Access-List Design/Scalability
Hi,
I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
User group 1 -- Apply ACL 1 --On Vlan 1
User group 2 -- Apply ACL 2 -- On Vlan 1
User group 3 -- Apply ACL 3 -- On Vlan 1
The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
Any suggestion is appreciated.
Thanks.Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues.
Overall, I see three ways to overcome your current issue:
1. Shrink the ACLs by making them less specific
2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
3. Use SGT/SGA
Hope this helps!
Thank you for rating helpful posts! -
Extended access list with multiple ports
Hello All,
I have a problem with my Cisco Catalyst 4503-E when i try to configure an extended access lists with multipleports.
I receive the following message:
The informations of my Switch are the following:
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
12.2(52)SG, RELEASE SOFTWARE (fc1)
Please help me to resolve this problem.
Best regards.Thank you Alex for your response.
Yes, this is an example:
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
I have more ACLs and each ACL contains more conditions with multiples Por -
I have the following configuration in the msfc of a catalyst 6509:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
In the subnet 172.23.8.0/22 I have the server 172.23.11.3 and in the subnet 172.23.60.0/24 I have meters of electricity.
I have the following request: The hosts active of the subnet 172.23.60.0/24 alone should have access to server 172.23.11.3, and alone the server 172.23.11.3 should have access to the hosts active of the network 172.23.60.0/24.
I think to carry out the following configuration:
interface Vlan5
description Vlan Medidores Electricos
ip address 172.23.60.1 255.255.255.0
ip access-group 103 in
no ip unreachables
no ip directed-broadcast
interface Vlan1
description Vlan Usuarios Pz-Jose
ip address 172.23.8.1 255.255.252.0
no ip unreachables
no ip directed-broadcast
access-list 103 permit ip host 172.23.60.2 host 172.23.11.3
access-list 103 permit ip host 172.23.60.3 host 172.23.11.3
access-list 103 permit ip host 172.23.60.4 host 172.23.11.3
access-list 103 permit ip host 172.23.60.5 host 172.23.11.3
access-list 103 permit ip host 172.23.60.6 host 172.23.11.3
access-list 103 permit ip host 172.23.60.7 host 172.23.11.3
access-list 103 permit ip host 172.23.60.8 host 172.23.11.3
access-list 103 permit ip host 172.23.60.9 host 172.23.11.3
access-list 103 permit ip host 172.23.60.10 host 172.23.11.3
access-list 103 permit ip host 172.23.60.11 host 172.23.11.3
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.255
access-list 103 deny any any
Is correct?
Some recomendation?I don't believe your source/destination address logic matches your access-group 3 in statement. Your configuration states inbound traffic on interface VLAN 5 sourced as 172.23.60.x destined for 172.23.11.3 is allowed. Using Leo's recommendations I suggest you reverse source and destination address.
access-list 103 permit ip host 172.23.11.3 172.23.60.0 0.0.0.15
Interface Vlan5
ip access-group 3 in
HTH,
Ryan -
WS-C3524-XL-EN , mac access-list , ssh ..
does this switch CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION with last IOS running on, support SSH , and mac access-list to secure the port with mac
thanksThere is IOS software for the 3550 that supports ssh. You have to have cco login with priviledges - There is a "strong cryptographic (3DES) location on CCO for that software. Go to downloads for 3550 and look for the link.
-
Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?Use the interface name rather than IP address to match traffic based
on which interface is the source or destination of the traffic. You must
specify the interface keyword instead of specifying the actual IP
address in the ACL when the traffic source is a device interface. For
example, you can use this option to block certain remote IP addresses
from initiating a VPN session to the ASA by blocking ISAKMP. Any
traffic originated from or destined to the ASA, itself, requires that you
use the access-group command with the control-plane keyword. -
Vpn site to site and remote access , access lists
Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?
If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.
-
Hellp Everyone,
I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
I want to allow the whole Intranet but few intranet websites also needs access to the internet.
Can we create such Access-List with the above requirement.
I tried to create the ACL on the switch but it blocks the whole internet access.
i want to do it for a subnet not for a specific IP.
Can someone help me in creating such access list.
Thanks in AdvanceThe exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit any object-group intranet any
permit object-group allowed_servers object-group allowed_sites any
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choses netwrok I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router thus no internet access. The routers firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas or is the wifi nic bad in this thing with the new apple firmware update? Any fix?
Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.
-
I can no longer access listing variations in Ebay after the upgrade
After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.
Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.
-
IOS XR deny ace not supported in access list
Hi everybody,
We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
eventhough the permit and deny may be overlapping in terms of match.
only the first class is matched here, DENY-ME.
cheers!
xander
Maybe you are looking for
-
Additional fields in SAP Query
Hi , We have a requirement in HR reporting wherein we are providing the late attendance records of the employees. That is the person is scheduled to come at a respective time but he comes in late and this record is created in attendence infotype . No
-
Error in idoc with status 20 "Error triggering EDI Subsystem"
Dear All, I have query related to IDOC Status 20. I am tirggering IDOC with standard t-code from IS-Retail system. I have created two ports a) TRFC port and b)File port . <b>We are having sending and receiveing application on two different OS i.e one
-
Hey guys! i just bought a copy of ProTools 11 and it gave some recommendation on changing your default Mac settings to make ProTools run at its peek performance, for example it says to turn on wifi and wired ethernet connection. There at quite a few
-
TS3297 my itunes store isnt working any ideas?
my itunes store isnt working any ideas i really need help i want to download apps and things like that i need it asap as i have my ipad ipod and i phone to put apps on thanks x
-
How can I convert imovie into photo's
How can I convert imovie into photo's