PIX vs Router ACL Matches
Hi,
With a PIX, I believe that each access list match is on a 'per TCP flow' basis, not on a 'per matching packet' basis. Is this the same for routers, or do routers match on a per-packet basis?
Thanks
Hello,
Routers are generally not aware of the upper layers of the OSI model. If you had an access-list that said 'permit tcp any any eq 80', it would match each packet hitting the access list that had a destination port of 80.
--Jason
Please rate this message if it helped solve some or all of your issue.
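Added example (editor's code, not from the thread): a toy ACL evaluator that applies the same rule set to a constructed packet trace twice, once counting every matching packet (the router behaviour Jason describes) and once counting each TCP 5-tuple only on its first packet (the per-flow counting the question attributes to the PIX). The ACL syntax handled is a small subset of the IOS extended ACE format, and the addresses in the trace are made up.

```python
"""Added example (not from the original thread): why 'permit tcp any any eq 80'
shows different hit counts when counted per packet (router) and per flow (PIX).
The packet trace below is constructed for the example."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")


def parse_ace(line):
    """Parse a minimal extended-ACE subset:
       <permit|deny> <proto> <src|any> <dst|any> [eq <dport>]"""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    dport = int(parts[5]) if len(parts) > 4 and parts[4] == "eq" else None
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport)


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ace["src"] != "any" and ace["src"] != pkt.src:
        return False
    if ace["dst"] != "any" and ace["dst"] != pkt.dst:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl, pkt):
    """First-match evaluation; returns (ace_index, action).
    No match falls through to the implicit deny (index None)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return i, ace["action"]
    return None, "deny"


def count_hits(acl, packets, per_flow):
    """Return a hit count per ACE. per_flow=True counts each 5-tuple once,
    i.e. only the packet that creates the flow increments the counter."""
    hits = [0] * len(acl)
    seen_flows = set()
    for pkt in packets:
        idx, _action = evaluate(acl, pkt)
        if idx is None:
            continue
        if per_flow:
            flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if flow in seen_flows:
                continue
            seen_flows.add(flow)
        hits[idx] += 1
    return hits


ACL = [parse_ace(line) for line in [
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
    "deny ip any any",
]]

# Constructed trace: two HTTP flows (3 and 2 packets), one HTTPS flow, one UDP packet.
TRACE = [
    Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 80),
    Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 80),
    Packet("tcp", "10.0.0.5", 40001, "192.0.2.10", 80),
    Packet("tcp", "10.0.0.6", 40002, "192.0.2.10", 80),
    Packet("tcp", "10.0.0.6", 40002, "192.0.2.10", 80),
    Packet("tcp", "10.0.0.7", 40003, "192.0.2.10", 443),
    Packet("udp", "10.0.0.7", 5000, "192.0.2.10", 53),
]

if __name__ == "__main__":
    print("per packet (router):", count_hits(ACL, TRACE, per_flow=False))
    print("per flow   (PIX):   ", count_hits(ACL, TRACE, per_flow=True))
```

The first ACE ends up with 5 hits per packet but only 2 per flow, which is the discrepancy to expect when comparing `show access-list` counters on a router with hit counts on a stateful firewall; the deny and the HTTPS line count the same either way because each is hit by a single packet here.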
Similar Messages
-
How to find out, after looking at an ACL, whether it is a router ACL or a port ACL
Is there any syntax difference between these two ACLs, or do they look the same? How can I tell, after looking at the ACL, whether it is a router ACL or a port ACL?
It depends on where the ACL is applied:
Layer-3 interface (SVI, routed port): Router ACL
Layer-2 interface (physical switch interfaces): Port ACL
Is there any syntax difference between these two ACLs?
Both support standard and extended ACLs; port ACLs support MAC extended ACLs in addition.
Link: c3560 Configuring Network Security with ACLs -
Which method uses more CPU: "NBAR QoS" or "ACL matched" by policy-map?
hi
Which method uses more CPU: "NBAR QoS" or "ACL matched" by policy-map?
Assume I made NBAR match the HTTP protocol,
and assume I made an ACL that matches port 80 and any IP.
Which one will use more CPU resources?
The NBAR
or
the ACL?
And why?
regards -
Policy route and match community-list
Hi All,
I have a C3825, and have been using standard ACLs and a PBR to route certain HTTP traffic via an alternative default gateway:
route-map RTRMAP-OfficeLAN permit 10
match ip address RTRMAP-OfficeLAN-toADSL
set ip next-hop x.x.x.x
This is working absolutely fine, and as expected, all traffic matching the ACL is being sent to x.x.x.x
However, we have recently expanded our network, and I am now receiving various networks via BGP from various sources. All BGP incoming via iBGP is tagged in communities:
Community (expanded) access list 100
permit 37xxx:100
Community (expanded) access list 200
permit 37xxx:200
Community (expanded) access list 300
permit 37xxx:300
Community (expanded) access list 400
permit 37xxx:400
Community (expanded) access list 500
permit 37xxx:500
All communities are also matching prefixes when executing either 'sh ip bgp community 37xxx:100' or 'sh ip bgp community-list 100'
What I am trying to achieve is to create an EXCEPTION for the policy route. Traffic matching the community lists must be forwarded based on the router's routing table, whilst traffic matching the ACL must be sent via the policy route...
route-map RTRMAP-OfficeLAN permit 5
match community 100 200 300 400 500
route-map RTRMAP-OfficeLAN permit 10
match ip address RTRMAP-OfficeLAN-toADSL
set ip next-hop x.x.x.x
My logic dictates to me that the above should work, but looking at the route-map, I get matches on seq 5 and packets are exiting the route-map as expected (first match). However, traffic that does NOT match community 100, 200, 300, 400 or 500 and that DOES match RTRMAP-OfficeLAN-toADSL never matches.
The counters on the route-map for seq 5 are increasing, but no counters are increasing at seq 10. It's almost as if seq 5 is matching all traffic.
Am I missing something?
Many thanks,
Chris.
Hi,
You can't use a community-list for PBR; AFAIK it only accepts ACLs for matching.
Regards.
Alain
Don't forget to rate helpful posts. -
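Added example (editor's code, not from the thread): a toy walker for a PBR route-map that reproduces the symptom in the question. It assumes, as Alain's reply and the seq 5 counters suggest, that a match clause PBR does not evaluate (here `match community`) is treated as if it were absent, so a sequence whose only match clause is unsupported matches every packet; and that a permit entry with no set clause sends the packet to normal forwarding. The second route-map, which replaces the community match with a destination-prefix ACL, is one possible workaround and is the editor's assumption, not something the thread states. Addresses and ACL names other than RTRMAP-OfficeLAN-toADSL are made up.

```python
"""Added example (not from the original thread): how a PBR route-map is walked.
Assumptions: (1) match clauses PBR does not evaluate ('match community') count
as absent, so an entry with no effective match clause matches everything;
(2) a matching permit entry with no 'set' clause means normal forwarding.
Addresses, the BGP-EXCEPTIONS ACL and the route-maps are constructed."""
import ipaddress

PBR_MATCH_TYPES = {"ip address"}  # match types PBR actually evaluates


def acl_matches(acl, pkt):
    """acl: list of (action, src_net, dst_net); first match wins, implicit deny."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def walk_route_map(route_map, acls, pkt, counters):
    """Return the 'set ip next-hop' for pkt, or None for normal forwarding.
    counters[seq] is incremented for the entry that matched."""
    for entry in route_map:
        effective = [(t, v) for t, v in entry["match"] if t in PBR_MATCH_TYPES]
        # all() over an empty list is True: no effective match clause == match all
        matched = all(acl_matches(acls[v], pkt) for _t, v in effective)
        if matched:
            counters[entry["seq"]] = counters.get(entry["seq"], 0) + 1
            if entry["permit"]:
                return entry["set"].get("ip next-hop")
            return None
    return None


ACLS = {
    "RTRMAP-OfficeLAN-toADSL": [("permit", "10.10.0.0/24", "0.0.0.0/0")],
    # assumed workaround: the BGP-learned destinations listed explicitly
    "BGP-EXCEPTIONS": [("permit", "0.0.0.0/0", "203.0.113.0/24")],
}


def broken_map():
    """The route-map from the question: seq 5 matches only on communities."""
    return [
        {"seq": 5, "permit": True, "match": [("community", "100")], "set": {}},
        {"seq": 10, "permit": True,
         "match": [("ip address", "RTRMAP-OfficeLAN-toADSL")],
         "set": {"ip next-hop": "198.51.100.1"}},
    ]


def fixed_map():
    """Exception traffic identified by an ACL; permit with no set = routing table."""
    return [
        {"seq": 5, "permit": True, "match": [("ip address", "BGP-EXCEPTIONS")], "set": {}},
        {"seq": 10, "permit": True,
         "match": [("ip address", "RTRMAP-OfficeLAN-toADSL")],
         "set": {"ip next-hop": "198.51.100.1"}},
    ]


def run(route_map, packets):
    counters = {}
    decisions = [walk_route_map(route_map, ACLS, p, counters) for p in packets]
    return decisions, counters


PACKETS = [
    {"src": "10.10.0.7", "dst": "203.0.113.9"},  # BGP-learned prefix: routing table
    {"src": "10.10.0.7", "dst": "192.0.2.80"},   # ordinary web traffic: policy route
]

if __name__ == "__main__":
    print("broken:", run(broken_map(), PACKETS))  # everything hits seq 5
    print("fixed: ", run(fixed_map(), PACKETS))
```

With the broken map every packet increments seq 5 and nothing reaches seq 10, which is exactly the counter pattern Chris reports; with the ACL-based exception the web traffic reaches seq 10 and gets the next-hop while the BGP-learned destination falls through to normal forwarding.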
9@ Route Pattern Matched Issues
Unfortunately I have to deal with a lot of 9@ route patterns in our deployment. I understand weird things happen when 9@ is used, but even this one is boggling my mind. So I was hoping someone could help me understand why it's doing what it's doing.
I have a CSS with a collection of partitions. I'll call the 3 I'm interested in the following: One-PT, Two-PT, Three-PT.
One-PT has a route pattern of 9@ with the Local filter applied going to Gateway 1.
Two-PT has a route pattern of 9@ with the Local filter applied going to Gateway 2.
Three-PT has a route pattern of 9.XXXXXXXXXX with no filter applied (those are 10 Xs) going to Gateway 3.
My phone is assigned to the CSS with these 3 partitions. When I dial 9 981 xxx xxxx DNA says that 9@ from One-PT is always matched. If I remove One-PT from the CSS, then 9@ in Two-PT is matched. Only if I remove those 2 partitions does Three-PT get matched.
Now, as I said above I understand 9@ can introduce weird routing issues, but I thought that the route pattern with 9 and 10 Xs would be more specific and it would be matched. Obviously I was wrong, but I'm trying to understand why I was wrong. Is this because the 10 digit number dialed matches the NANP and the Local filter matches a NANP area code? Thus it's the more exact match?
Thanks!
Hi,
As per the following link
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/5_0_4/ccmsys/ccmsys/a03rp.html#wp1050657
"Using the @ Wildcard Character in Route Patterns
Using the @ wildcard character in a route pattern provides a single route pattern to match all NANP numbers, and requires additional consideration.
The number 92578912 matches both of the following route patterns: 9.@ and 9.XXXXXXX. Even though both these route patterns seem to equally match the address, the 9.@ route pattern actually provides the closest match. The @ wildcard character encompasses many different route patterns, and one of those route patterns is [2-9][02-9]XXXXX. Because the number 2578912 more closely matches [2-9][02-9]XXXXX than it does XXXXXXX, the 9.@ route pattern provides the closest match for routing."
Also, check the following post
https://supportforums.cisco.com/discussion/10698966/9-route-pattern
HTH
Manish -
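Added example (editor's code, not from the thread): CUCM's closest-match rule picks, among the route patterns that match the dialed string, the one that can match the fewest possible dialed strings. This toy parses patterns built from literal digits, X and [..] ranges, counts that "match space" and ranks candidates. The 8-digit expansion of 9.@ is the one quoted from the CUCM document above; the 10-digit expansion used for the question's case is an assumption about what @ expands to for NANP local numbers, not a copy of CUCM's dial-plan tables, and the dialed numbers are made up.

```python
"""Added example (not from the original thread): ranking route patterns the way
CUCM closest match does, by the number of dialed strings each can match.
The 10-digit 9.@ expansion below is an assumption, not CUCM's real table."""
import re

TOKEN = re.compile(r"\[[^\]]+\]|X|[0-9*#]")


def parse_pattern(pattern):
    """Return one set of allowed digits per position; '.' is only a separator."""
    sets = []
    for tok in TOKEN.findall(pattern.replace(".", "")):
        if tok == "X":
            sets.append(set("0123456789"))
        elif tok.startswith("["):
            digits, body, i = set(), tok[1:-1], 0
            while i < len(body):
                if i + 2 < len(body) and body[i + 1] == "-":   # range like 2-9
                    digits.update(str(d) for d in range(int(body[i]), int(body[i + 2]) + 1))
                    i += 3
                else:                                          # single digit
                    digits.add(body[i])
                    i += 1
            sets.append(digits)
        else:
            sets.append({tok})
    return sets


def matches(pattern, dialed):
    sets = parse_pattern(pattern)
    return len(sets) == len(dialed) and all(d in s for d, s in zip(dialed, sets))


def match_space(pattern):
    """Number of distinct dialed strings the pattern can match."""
    n = 1
    for s in parse_pattern(pattern):
        n *= len(s)
    return n


def closest_match(dialed, candidates):
    """candidates: {label: pattern}. Returns (label, pattern) of the matching
    pattern with the smallest match space, or None if nothing matches."""
    hits = sorted((match_space(p), label, p)
                  for label, p in candidates.items() if matches(p, dialed))
    return (hits[0][1], hits[0][2]) if hits else None


# Case from the quoted CUCM text: 92578912 against an expansion of 9.@ and 9.XXXXXXX
DOC_CASE = {"9.@ (expansion)": "9.[2-9][02-9]XXXXX", "9.XXXXXXX": "9.XXXXXXX"}

# The question's case: an assumed 10-digit NANP expansion of 9.@ vs 9.XXXXXXXXXX
TEN_DIGIT_CASE = {"One-PT 9.@ (assumed expansion)": "9.[2-9]XX[2-9]XXXXXX",
                  "Three-PT 9.XXXXXXXXXX": "9.XXXXXXXXXX"}

if __name__ == "__main__":
    for label, p in {**DOC_CASE, **TEN_DIGIT_CASE}.items():
        print(f"{label:35} matches {match_space(p):>14,} strings")
    print(closest_match("92578912", DOC_CASE))
    print(closest_match("99815551234", TEN_DIGIT_CASE))
```

[2-9][02-9]XXXXX can match 7.2 million strings against 10 million for XXXXXXX, so the 9.@ expansion is "closer" exactly as the document says; the same arithmetic makes an NPA-NXX-XXXX style expansion narrower than ten bare Xs, which is why 9.XXXXXXXXXX in Three-PT only wins once both 9.@ partitions are out of the CSS.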
Hello gang.. I'm trying to filter traffic using a VACL that has a MAC access-list used as the definition. We have some traffic being sourced from 00:00:00:00:00:00 that I need to block.
mac access-list extended ALLPERMITL2
permit any any
mac access-list extended BADL2
permit host 0000.0000.0000 any
vlan access-map L2MAP 20
match mac address BADL2
action drop
vlan access-map L2MAP 30
match mac address ALLPERMITL2
action forward
vlan filter L2MAP vlan-list 61
My concern is that I don't think I am implementing this correctly, because when I do the following:
#show vlan access-log statistics
VACL Logging Statistics:
total packets 0
logged 0
dropped 0
buffered 0
Dropped Packets Statistics:
no packet buffer 0
hash queue full 0
flow table full 0
Misc Information:
free packet buffers :8192
log messages sent 0
flow table size 0
I don't see anything incrementing. I would think that I would at least see something in "total packets" for stuff that is getting allowed through?
From the Cisco configuration guide:
Creating Named MAC Extended ACLs
You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
Note: You cannot apply named MAC extended ACLs to Layer 3 interfaces.
For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_1_se/configuration/guide/scg3560/swacl.html#wp1289037
Some more information here:
https://supportforums.cisco.com/thread/2082129
Daniel Dib
CCIE #37149
Please rate helpful posts. -
Amazon S3 Backup with Cisco PIX 501 Router - slowww
We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office. We are using a Synology NAS to back up to Amazon S3, and we use a Cisco PIX 501 to secure our network. The backup from the NAS to Amazon is going painfully slowly, so I contacted Synology to resolve the issue. After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down. I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules. There are no rules defined in the Filter Settings.
I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening? I'm not too familiar with the PIX or all the network settings involved.
Thanks!
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here:
- Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
THANKS -
Query on Receipt Routing and Match Approval 4 way
Hi friends,
I have a doubt here. We have a PO with a shipment line with Match
Approval Level set as 4-way. Then by default the system would have reset
the Receipt Routing to 'Inspection Required', with a prompt message to the user about this.
But to my surprise, I found that the Receipt Routing is 'Standard Receipt' for that PO.
How could this have been possible?
Regards,
Bala.
Jyoti,
My query is not on the defaulting, but on the Invoice Match Approval.
If it is set to 4-way, by default it means that inspection is required, and the system forces you to change the Receipt Routing to 'Inspection Required' irrespective of whatever you enter for it.
You cannot save and proceed unless and until you change the routing to 'Inspection Required' in synchronisation with the 4-way match approval.
So how has the system allowed it to go ahead with a value other than 'Inspection Required'?
Bala. -
All,
I have a friend trying to configure an existing PIX. They needed to change IP addresses due to an ISP switch. The config was very basic, but whenever he puts in the route outside command the PIX seems to take it, and then he says it disappears when he checks the config. Does anyone have any ideas what this could be? He only changed the outside IP address and a static translation.
All replies rated. Thanks in advance!
Hi Angel,
My assumption is that you have a speed issue between the outside interface of the PIX and the new ISP equipment.
You have statically set the outside interface "interface ethernet0 10baset"
Please post :
show int e0
PS : nice software version 6.2
Regards
Dan -
Hello experts...
I've had a set of PIX 506E boxes holding an IPSEC tunnel for a good year or so without a hitch. Today, the tunnel dropped and I lost access to the remote site. The local PIX can only ping devices on the local [inside] subnet and all nodes on all my other subnets can't find a route to the PIX. On the local gateway, I can ping the PIX, but can't traceroute to it. I also ran an ICMP debug and could see when remote nodes ping, but the reply doesn't leave the box.
Nothing has changed, routes all look good, i've reset everything -- no luck at all. Any idea what may be happening? I have a feeling it's a basic issue that looks more complex that it is, but i'm stumped at this point.
Any help would be greatly appreciated!
Thanks,
Jad
Use this Cisco PIX 500 Series Security Appliances Troubleshoot and Alerts page:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_troubleshoot_and_alerts.html -
PIX at remote, Dual Interface/Dual ISP IOS Router at core.
Is there a way to have an IPsec tunnel from the PIX to the dual-ISP router at the core?
Can't get the PIX to pass traffic over the second IPsec tunnel when one ISP/interface goes down at the IOS router.
Help!
Thanks,
Bob
PIX-501 at the remote.
Cisco 1721 with dual ISP feeds at the central site.
I want two tunnels from the PIX to the Cisco 1721.
When one ISP goes down, traffic goes over the second tunnel.
Thanks,
Bob -
ACL matching for traffic-shape...bug?
I am using a C6503-E.
My goal: create a traffic-shape rule on an interface (in this case g3/7) which will restrict all traffic between two internal addresses (10.0.0.7 and 10.1.0.6) on port 2152 to 128Kbps, and allow all other traffic to pass unfettered.
I am aware that the 6500 series ACLs are hardware based, and that some counters will not show up in the normal 'show access-list' display.
I have created an access list which increments when tagged with a 'log' modifier, so I know that it is hit when placed on the interface, but when referenced in a traffic-shape command, the traffic is not shaped. Unfortunately, the traffic-shape command will not allow the use of the 'log' modifier, so I'm stuck with my imperfect 'the ACL works in this scenario, but not in this scenario' method.
Extended IP access list 195
10 permit udp host 10.0.0.7 eq 2152 host 10.1.0.6 eq 2152 log (2822 matches)
interface GigabitEthernet3/7
ip address 10.2.0.1 255.255.255.252
no ip redirects
traffic-shape group 195 128000 7936 7936 1000
                 Access Queue     Packets   Bytes     Packets   Bytes     Shaping
I/F              List   Depth                         Delayed   Delayed   Active
Gi3/7            195    0         0         0         0         0         no
Any ideas on why an ACL wouldn't get hit in a traffic-shape rule, when it clearly gets hit when used strictly for access?
Thanks!
Please post your entire QoS config.
Your access list is just doing matching; it is not doing any setting of your DSCP values.
Also, I think the Polycoms are IP precedence aware and set their outgoing VC packets to 5.
Also, matching protocol 46 (RSVP) isn't really going to help - RSVP does not transport application data. It is only used for requesting resources from the network.
Also, a Cisco search for QoS and Polycom returns this url: http://www.cisco.com/en/US/tech/tk652/tk701/technologies_tech_note09186a0080111c1b.shtml
-Eric -
Moving a dial-in PPTP from PIX to Router (IOS)
I've moved a dial-in PPTP config from a PIX to an IOS router, but I cannot find the equivalent IOS commands for the PIX config:
vpdn group 1 client configuration dns x.x.x.x
and
vpdn group 1 client configuration wins x.x.x.x
Anybody know what the equivalent IOS config is?
The following URL will help you with the details of the PPTP configuration:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml -
Crypto map on PIX versus router
Hi all,
I am looking for the equivalent of the IOS command:
crypto map xxx local-address Loopback0
Is it possible to link a crypto map with an IP address other than the real interface address on a PIX?
Thank you in advance.
Hi Rick,
Now we have two gateways in our company. One is used for VPN traffic, x.x.x.254, and the second is used for normal traffic.
Now we want to unify these gateways into one PIX ... and I am looking for the simplest way.
For us, the simplest way would be to use a crypto map on the PIX with IP address x.x.x.254 but with the physical interface address x.x.x.y.
Now I know that it is not possible to do this on a PIX ... so I am looking for other solutions.
The problem is that we have business partners that know our current IP ... and have their firewalls opened for that IP :)
I think the best solution will be NATing traffic to these customers to the old IP.
Thanks for your info. -
Why there is a difference between Router and PIX ACL
Hi,
I have a very basic question about the differences between ACL behaviour on a PIX and on a router.
On a router, if we put in an extended ACL and want to remove a mid entry, then either we have to clear the entire ACL or remove all the entries below it as well.
Whereas in the case of a PIX we can remove any single entry.
Why is this difference there?
Would appreciate your quick answers.
Thanks
Irshad
The PIX OS is designed that way. Anyway, even on routers you can remove a mid entry by configuring named access-lists. You need not clear the entire ACL in this case.
ip access-list extended ROUTER-ACL
 10 permit ip host x.x.x.x host y.y.y.y
 20 permit tcp any any eq 80
 no 10