PIX vs Router ACL Matches

Hi,
With a PIX, I believe that each access list match is on a 'per tcp flow' basis not on a 'per matching packet' basis. Is this the same for routers or do routers match on a per packet basis??
Thanks

Hello,
Routers are generally now aware of the upper layers of the OSI model. If you had an access-list that said 'permit tcp any any eq 80', it would match each packet hitting the access list that had a destination port of 80.
--Jason
Please rate this message if it helped solve some or all of your issue.
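To make the per-flow versus per-packet distinction in the question and answer above concrete, here is an added toy model (not code from the original thread and not Cisco software): a stateless "router" that evaluates every packet against an ACL, beside a stateful "firewall" that consults the ACL only for the first packet of a connection and then serves the rest of that flow, in both directions, from a connection table. The ACL, the 9-packet HTTP trace and the addresses are constructed for the example.

```python
"""Per-packet (stateless router ACL) vs per-flow (stateful firewall) matching.

Constructed toy model. A flow is identified by its 5-tuple; the stateful
engine checks the ACL once per new flow and then tracks the connection,
while the stateless engine checks every packet against the ACL.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # first packet of a TCP connection


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp any any eq 80'."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    dport: Optional[int]   # None means any destination port
    hits: int = 0          # the counter shown by 'show access-list'

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return self.dport is None or self.dport == p.dport


class Acl:
    def __init__(self, aces: List[Ace]):
        self.aces = list(aces)

    def evaluate(self, p: Packet) -> bool:
        """First matching entry wins; no match means the implicit deny."""
        for ace in self.aces:
            if ace.matches(p):
                ace.hits += 1
                return ace.action == "permit"
        return False

    def counters(self) -> List[int]:
        return [a.hits for a in self.aces]


def forward_key(p: Packet) -> Tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> Tuple:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatelessRouter:
    """Router-style: every packet, in either direction, is checked against the ACL."""
    def __init__(self, acl: Acl):
        self.acl = acl

    def process(self, p: Packet) -> bool:
        return self.acl.evaluate(p)


class StatefulFirewall:
    """PIX-style: the ACL is consulted once per new flow; later packets of a
    known flow (including the replies) are forwarded from the connection table."""
    def __init__(self, acl: Acl):
        self.acl = acl
        self.conns = set()

    def process(self, p: Packet) -> bool:
        if forward_key(p) in self.conns or reverse_key(p) in self.conns:
            return True
        allowed = self.acl.evaluate(p)
        if allowed:
            self.conns.add(forward_key(p))
        return allowed


def web_flow(client: str, server: str, sport: int, n_requests: int) -> List[Packet]:
    """Constructed trace: one TCP connection to port 80, a SYN followed by
    n_requests request packets and n_requests reply packets."""
    pkts = [Packet(client, server, "tcp", sport, 80, syn=True)]
    for _ in range(n_requests):
        pkts.append(Packet(client, server, "tcp", sport, 80))   # request
        pkts.append(Packet(server, client, "tcp", 80, sport))   # reply
    return pkts


def run(device, packets: List[Packet]) -> Tuple[int, List[int]]:
    """Return (packets forwarded, ACL hit counters) for one device."""
    forwarded = sum(1 for p in packets if device.process(p))
    return forwarded, device.acl.counters()


def compare(n_requests: int = 4):
    """Run the same trace through a stateless router and a stateful firewall,
    each with its own copy of 'permit tcp any any eq 80'."""
    trace = web_flow("10.0.0.5", "192.0.2.10", 40000, n_requests)   # constructed addresses
    router = StatelessRouter(Acl([Ace("permit", "tcp", 80)]))
    firewall = StatefulFirewall(Acl([Ace("permit", "tcp", 80)]))
    return run(router, trace), run(firewall, trace)


if __name__ == "__main__":
    (r_fwd, r_hits), (f_fwd, f_hits) = compare()
    print(f"stateless router : forwarded {r_fwd}/9, ACL hits {r_hits}")
    print(f"stateful firewall: forwarded {f_fwd}/9, ACL hits {f_hits}")
```

With the 9-packet trace the router's single entry records 5 hits (the SYN plus the four requests, i.e. one per matching packet) and silently drops the four replies, because their destination port is the client's ephemeral port and nothing permits it; the stateful device records 1 hit for the whole flow and forwards all 9 packets. That is also why an inbound router ACL needs an extra entry for return traffic (the classic `established` keyword, or a reflexive ACL) where a stateful firewall does not.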

Similar Messages

  • Router ACL and Port ACL

How to find out, after looking at the ACL, whether this is a router ACL or a port ACL?
Is there any syntax difference between these two ACLs, or do they look the same?

How to find out, after looking at the ACL, whether this is a router ACL or a port ACL?
    It depends on where the ACL is applied:
    Layer-3 interface (SVI, routed port): Router ACL
    Layer-2 interface (physical switch interfaces): Port ACL
Is there any syntax difference between these two ACLs?
    Both support Standard and Extended ACLs, the Port ACLs support MAC Extended ACLs in addition.
    Link: c3560 Configuring Network Security with ACLs

  • Which method gets more CPU: "NBAR QoS" or "ACL matched" by policy-map?

    Hi,
    Which method gets more CPU: "NBAR QoS" or "ACL matched" by policy-map?
    Assume I made NBAR match the HTTP protocol,
    and assume I made an ACL that matches port 80 and matches any IP.
    Which one will get more CPU resources?
    The NBAR
    or
    the ACL?
    And why?
    Regards

  • Police route and match community-list

    Hi All,
    I have a C3825, and have been using standard ACLs and a PBR to route certain HTTP traffic via an alternative default gateway:
    route-map RTRMAP-OfficeLAN permit 10
    match ip address RTRMAP-OfficeLAN-toADSL
    set ip next-hop x.x.x.x
    This is working absolutely fine, and as expected, all traffic matching the ACL is being sent to x.x.x.x
    However, we have recently expanded our network, and I am now receiving various networks via BGP from various sources.  All BGP incoming via iBGP is tagged in communities:
    Community (expanded) access list 100
        permit 37xxx:100
    Community (expanded) access list 200
        permit 37xxx:200
    Community (expanded) access list 300
        permit 37xxx:300
    Community (expanded) access list 400
        permit 37xxx:400
    Community (expanded) access list 500
        permit 37xxx:500
    All communities are also matching prefixes when executing either 'sh ip bgp community 37xxx:100' or 'sh ip bgp community-list 100'
    What I am trying to achieve is to create an EXCEPTION for the policy route.  Traffic matching the community lists must be forwarded based on the router's routing table, whilst traffic matching the ACL must be sent via the policy route...
    route-map RTRMAP-OfficeLAN permit 5
    match community 100 200 300 400 500
    route-map RTRMAP-OfficeLAN permit 10
    match ip address RTRMAP-OfficeLAN-toADSL
    set ip next-hop x.x.x.x
    My logic dictates to me that the above should work, but looking at the route-map, I get matches on seq 5 and packets are exiting the route-map as expected (first matched).  However, traffic that does NOT match community 100, 200, 300, 400 or 500 and that DOES match RTRMAP-OfficeLAN-toADSL never matches.
    The counters on the route-map for seq 5 are increasing, but no counters are increasing at seq 10.  It's almost as if seq 5 is matching all traffic.
    Am I missing something?
    Many thanks,
    Chris.

    Hi,
    You can't use a community-list for PBR; AFAIK it only accepts ACLs for matching.
    Regards.
    Alain
    Don't forget to rate helpful posts.

  • 9@ Route Pattern Matched Issues

    Unfortunately I have to deal with a lot of 9@ route patterns in our deployment.  I understand weird things happen when 9@ is used, but even this one is boggling my mind.  So I was hoping someone could help me understand why it's doing what it's doing.
    I have a CSS with a collection of partitions.   I'll call the 3 I'm interested in the following: One-PT, Two-PT, Three-PT.
    One-PT has a route pattern of 9@ with the Local filter applied going to Gateway 1.
    Two-PT has a route pattern of 9@ with the Local filter applied going to Gateway 2.
    Three-PT has a route pattern of 9.XXXXXXXXXX with no filter applied (those are 10 Xs) going to Gateway 3.
    My phone is assigned to the CSS with these 3 partitions.  When I dial 9 981 xxx xxxx DNA says that 9@ from One-PT is always matched.  If I remove One-PT from the CSS, then 9@ in Two-PT is matched.  Only if I remove those 2 partitions does Three-PT get matched.
    Now, as I said above I understand 9@ can introduce weird routing issues, but I thought that the route pattern with 9 and 10 Xs would be more specific and it would be matched.  Obviously I was wrong, but I'm trying to understand why I was wrong. Is this because the 10 digit number dialed matches the NANP and the Local filter matches a NANP area code?  Thus it's the more exact match?
    Thanks!

    Hi,
    As per the following link
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/5_0_4/ccmsys/ccmsys/a03rp.html#wp1050657
    "Using the @ Wildcard Character in Route Patterns
    Using the @ wildcard character in a route pattern provides a single route pattern to match all NANP numbers, and requires additional consideration.
    The number 92578912 matches both of the following route patterns: 9.@ and 9.XXXXXXX. Even though both these route patterns seem to equally match the address, the 9.@ route pattern actually provides the closest match. The @ wildcard character encompasses many different route patterns, and one of those route patterns is [2-9][02-9]XXXXX. Because the number 2578912 more closely matches [2-9][02-9]XXXXX than it does XXXXXXX, the 9.@ route pattern provides the closest match for routing."
    Also, check the following post
    https://supportforums.cisco.com/discussion/10698966/9-route-pattern
    HTH
    Manish

  • MAC ACL match in VACL -3560G

    Hello gang.. I'm trying to filter traffic using a VACL that has a MAC access-list used as the definition.  We have some traffic being sourced from 00:00:00:00:00:00 that I need to block.
    mac access-list extended ALLPERMITL2
    permit any any
    mac access-list extended BADL2
    permit host 0000.0000.0000 any
    vlan access-map L2MAP 20
    match mac address BADL2
    action drop
    vlan access-map L2MAP 30
    match mac address ALLPERMITL2
    action forward
    vlan filter L2MAP vlan-list 61
    My concern is that I don't think I am implementing this correctly, because I do the following:
    #show vlan access-log statistics
    VACL Logging Statistics:
            total packets          0
            logged                 0
            dropped                0
            buffered               0
    Dropped Packets Statistics:
            no packet buffer       0
            hash queue full        0
            flow table full        0
    Misc Information:
            free packet buffers    :8192
            log messages sent     0
            flow table size        0
    and don't see anything incrementing.  I would think that I would at least see something in "total packets" for stuff that is getting allowed through?

    From the Cisco configuration guide:
    Creating Named MAC Extended ACLs
    You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
    Note You cannot apply named MAC extended ACLs to Layer 3 interfaces.
    For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_1_se/configuration/guide/scg3560/swacl.html#wp1289037
    Some more information here:
    https://supportforums.cisco.com/thread/2082129
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Amazon S3 Backup with Cisco PIX 501 Router - slowww

    We are in the process of setting up an Amazon S3 network backup of the NAS server we have in our office.  We are using a Synology NAS to back up to Amazon S3, and we use a Cisco PIX 501 to secure our network.  The backup from the NAS to Amazon is going painfully slowly, so I contacted Synology to resolve the issue.  After they examined everything, they think the router is filtering outbound traffic, and this is causing the upload to slow down.  I was told the upload should happen over HTTP and HTTPS, and I made sure these ports were open through the Access Rules.  There are no rules defined in the Filter Settings.
    I looked at the settings with the PDM, and I can't find where the filtering would be. Does someone have any insight to what could be happening?   I'm not too familiar with the PIX or all the network settings involved.
    Thanks!

    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here:
    - Wireless ----> Wireless - Mobility http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Wireless_-_Mobility_discussion
      This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    THANKS

  • Query on Receipt Routing and Match Approval 4 way

    Hi friends,
    I have a doubt here. We have a PO with a Shipment line with Match
    Approval Level set as 4-way. Then by default the system would have reset
    the Receipt Routing to 'Inspection Required', with a prompt message also to the user about this.
    But to my surprise, I found that the Receipt Routing has 'Standard Receipt' for that PO.
    How could this have been possible?
    Regards,
    Bala.

    Jyoti,
    My query is not on the defaulting, but on the Invoice Match approval.
    If it is set to 4-way, by default it means that inspection is required, and the system forces you to change the same to Inspection Reqd irrespective of whatever you say for Receipt Routing.
    You cannot save and proceed unless and until you change the routing to Inspection Reqd in synchronisation with the match approval of 4-way.
    So how has the system allowed it to go ahead with a value other than Inspection Reqd?
    Bala.

  • PIX 501 route outside command

    All,
    I have a friend trying to configure an existing PIX.  They needed to change IP addresses due to an ISP switch.  The config was very basic, but whenever he puts in the route outside command the PIX seems to take it, but then he is saying it is disappearing when he checks the config.  Does anyone have any ideas what this could be?  He only changed the outside IP address and a static translation.
    All replies rated.   Thanks in advance!

    Hi Angel,
    My assumption is that you have a speed issue between the outside interface of the PIX and the new ISP equipment.
    You have statically set the outside interface "interface ethernet0 10baset"
    Please post :
    show int e0
    PS : nice software version 6.2
    Regards
    Dan

  • PIX 506E routes died

    Hello experts...
    I've had a set of PIX 506E boxes holding an IPSEC tunnel for a good year or so without a hitch. Today, the tunnel dropped and I lost access to the remote site. The local PIX can only ping devices on the local [inside] subnet and all nodes on all my other subnets can't find a route to the PIX. On the local gateway, I can ping the PIX, but can't traceroute to it. I also ran an ICMP debug and could see when remote nodes ping, but the reply doesn't leave the box.
    Nothing has changed, routes all look good, I've reset everything -- no luck at all. Any idea what may be happening? I have a feeling it's a basic issue that looks more complex than it is, but I'm stumped at this point.
    Any help would be greatly appreciated!
    Thanks,
    Jad

    Use this Cisco PIX 500 Series Security Appliances Troubleshoot and Alerts
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_troubleshoot_and_alerts.html

  • PIX - IOS Router Redundancy

    PIX at remote, Dual Interface/Dual ISP IOS Router at core.
    Is there a way to have an IPSEC tunnel from the PIX to the Dual ISP Router at the core?
    Can't get the PIX to pass traffic over the second IPSEC Tunnel when one ISP/Interface goes down at the IOS Router.
    Help!
    Thanks,
    Bob

    PIX-501 at the remote
    Cisco1721 with Dual ISP feeds at Central site.
    I want two tunnels from the PIX to the Cisco1721.
    One ISP goes down, traffic goes over the second tunnel.
    Thanks,
    Bob

  • ACL matching for traffic-shape...bug?

    I am using a C6503-E.
    My goal:  create a traffic-shape rule on an interface (in this case g3/7) which will restrict all traffic between two internal addresses (10.0.0.7 and 10.1.0.6) on port 2152 to 128Kbps, and allow all other traffic to pass unfettered.
    I am aware that the 6500 series ACLs are hardware based, and that some counters will not show up in the normal 'show access-list' display.
    I have created an access list which increments when tagged with a 'log' modifier, so I know that it is hit when placed on the interface, but when referenced in a traffic-shape command, the traffic is not shaped.  Unfortunately, the traffic-shape command will not allow the use of the 'log' modifier, so I'm stuck with my imperfect 'the ACL works in this scenario, but not this scenario' method.
    Extended IP access list 195
        10 permit udp host 10.0.0.7 eq 2152 host 10.1.0.6 eq 2152 log (2822 matches)
    interface GigabitEthernet3/7
     ip address 10.2.0.1 255.255.255.252
     no ip redirects
     traffic-shape group 195 128000 7936 7936 1000
                      Acc. Queue Packets   Bytes     Packets   Bytes     Shaping
    I/F               List Depth                     Delayed   Delayed   Active
    Gi3/7               195 0     0         0         0         0         no
    Any ideas on why an ACL wouldn't get hit in a traffic-shape rule, when it clearly gets hit when used strictly for access?
    Thanks!

    Please post your entire QoS config.
    Your access list is just doing matching; it is not doing any setting for your DSCP values.
    Also, I think the Polycom's are IP precedence aware and set their outgoing VC packets to 5.
    Also, matching protocol 46 (RSVP) isn't really going to help - RSVP does not transport application data. It is only used for requesting resources from the network.
    Also, a Cisco search for QoS and Polycom returns this url: http://www.cisco.com/en/US/tech/tk652/tk701/technologies_tech_note09186a0080111c1b.shtml
    -Eric

  • Moving a dial-in PPTP from PIX to Router (IOS)

    I've moved a dial-in PPTP config from a PIX to an IOS router, but I cannot find the equivalent IOS commands for the PIX config:
    vpdn group 1 client configuration dns x.x.x.x
    and
    vpdn group 1 client configuration wins x.x.x.x
    Anybody know what the equivalent IOS config is?

    The following URL will help you with the details of the PPTP configuration:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

  • Crypto map on PIX versus router

    Hi all,
    I am looking for the equivalent of the IOS command:
    crypto map xxx local-address Loopback0
    Is it possible to link a crypto map with an IP address other than the real interface address on the PIX?
    Thank you in advance.

    Hi Rick,
    Now we have two gateways in our company. One is used for VPN traffic, x.x.x.254, and the second is used for normal traffic.
    Now we want to unify these gateways into one PIX ... and I am looking for the simplest way.
    For us, the simplest way is to use a crypto map on the PIX with IP address x.x.x.254 but with the IP address of the physical interface x.x.x.y.
    Now I know that it is not possible to do it on the PIX ... so I am looking for other solutions.
    The problem is that we have our business partners, who know our current IP ... and have firewalls opened for that IP :)
    I think the best solution will be NATing traffic to these customers to the old IP.
    Thanks for your info.

  • Why there is a difference between Router and PIX ACL

    Hi,
    I have a very basic question about the differences between ACL behaviour in PIX and Router.
    In a router, if we put in an extended ACL entry and want to remove a mid entry, then either we have to clear the entire ACL or remove all the entries below it.
    Whereas in the case of PIX we can remove any of the entries.
    Why is this difference there?
    Would appreciate your quick answers.
    Thanks
    Irshad

    The PIX OS is designed that way. Anyway, even in routers you can remove a mid entry by configuring named access-lists. You need not clear the entire ACL in this case.
    ip access-list extended ROUTER-ACL
     permit ip host x.x.x.x host y.y.y.y
