Please assist me with access-list configuration

Dear Team,
Please help me to configure the access-list.
Requirement:
I have three different subnets (10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1 and PC3 are in the 10.1.1.0 subnet, and PC2 and PC4 are in the 30.1.1.0 subnet.
I want the 10.1.1.0 subnet not to be able to access the 30.1.1.0 subnet, but the 30.1.1.0 subnet should be able to access the 10.1.1.0 subnet. Please find the configuration below.
At R2:
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
But this configuration is not working; it is also blocking the 30.1.1.0 subnet from accessing 10.1.1.0. Please help me!
Regards,
Sanjib

Hello
I assume the routers are performing the routing for these subnets and not the switches. Anyway, your ACL doesn't look correct; try this:
R2
ip access-list extended 101
deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
or
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 out
Reverse the ACL for R3 if applicable.
Regards,
Paul

Similar Messages

  • Need help for access list problem

    Cisco 2901 ISR
    I need help with my configuration. Although it is working fine, it is not secure because everybody can access the internet.
    I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
    Can anybody help?
    DENY: 10.25.0.1 – 10.25.0.255
          10.25.1.1 – 10.25.1.255
    Permit only 1 host for Internet:
          10.25.7.136 255.255.255.192 ------ TMG Server
    Using an access-list.
    (Current configuration)
    object-group network IP
    description Block_IP
    range 10.25.0.2 10.25.0.255
    range 10.25.1.2 10.25.1.255
    interface GigabitEthernet0/0
    ip address 192.168.2.3 255.255.255.0
    ip nat inside
    ip virtual-reassembly in max-fragments 64 max-reassemblies 256
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description ### ADSL WAN Interface ###
    no ip address
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface ATM0/0/0
    no ip address
    no atm ilmi-keepalive
    interface Dialer1
    description ### ADSL WAN Dialer ###
    ip address negotiated
    ip mtu 1492
    ip nat outside
    no ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
    ip nat inside source list 101 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.25.0.0 255.255.0.0 192.168.2.1
    access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    access-list 105 deny   ip object-group IP any
    From the 4500 Catalyst switch
    ( Current Configuration )
    interface GigabitEthernet0/48
    no switchport
    ip address 192.168.2.1 255.255.255.0
    interface GigabitEthernet2/42
    ip route 0.0.0.0 0.0.0.0 192.168.2.3

    Hello,
    Hosts can't get an internet connection.
    I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
    and changed the configuration to:
    ip access-list extended 101
    5 permit ip host 10.25.7.136 any
    In this case I allow only host 10.25.7.136, but it isn't working.
    No internet connection from the TMG Server.

  • Default action for access list Deny

    Hello,
    Is it possible to change the default action for an access list deny?  Can the ASA be configured to send an icmp unreachable rather than just dropping the packet if an access list denies the request?  I have a situation where I would like to restrict access to a specific server for a select number of users.  The problem is that the restricted workstations attempt to connect to the server at log in.  Since I cannot control the log in script for those users, I was hoping to use the ASA firewall instead.  However, using a deny statement causes the workstation to repeatedly send SYN requests for 60 seconds.   The restricted users experience an unacceptably long delay at log in.  I was hoping to be able to configure the ASA to send an icmp unreachable message for those users and avoid the wait.
    Thanks,
    Ann

    Hello,
    As the firewall is supposed to be invisible, there is no way the ASA could send these particular messages. Sorry to inform you of that, but you could request this particular feature through your Cisco account team.
    Regards,
    Julio

  • Access-list configuration

    Hi,
    I have the following configuration:
    interface FastEthernet0/1
    description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
    no ip address
    duplex full
    speed 100
    interface FastEthernet0/1.2007
    description ***** Connect To MASTER_SHUKEI_ON *****
    encapsulation dot1Q 2007
    ip address 172.21.2.46 255.255.255.248
    interface FastEthernet0/1.2008
    description ***** Connect To TRAST *****
    encapsulation dot1Q 2008
    ip address 172.21.2.54 255.255.255.248
    interface FastEthernet0/1.2009
    description ***** Connect To TRAST *****
    encapsulation dot1Q 2009
    ip address 172.21.2.62 255.255.255.248
    interface FastEthernet0/1.2010
    description ***** Connect To TRAST *****
    encapsulation dot1Q 2010
    ip address 172.21.2.707 255.255.255.248
    and I want to configure an access deny between the VLANs, so that users can't get into other VLANs that don't belong to them.
    thanks

    Hi,
    Configure an access-list:
    access-list 10 deny <your VLAN 2007 range>
    access-list 10 permit any
    int f0/1.2007
    ip access-group 10 in
    Same for VLAN 2008.
    Thanks
    Mahmood

  • Best Practices for Accessing the Configuration data Modelled as XML File in

    Hi,
    I referred to a couple of blog posts/forum threads on how to model and access the configuration data as XML inside OSB.
    One of the easiest ways is
    Re: OSB: What is best practice for reading configuration information
    Another could be
    Uploading XML data as a .xq file (creating a .xq file and copy-pasting all the configuration as XML)
    I need expert answers for the following.
    1] I have a .xsd file which represents the configuration data. The structure of the XSD is
    <FrameworkConfig>
    <Config type="common" key="someKey">proprtyvalue</Config>
    </FrameworkConfig>
    2] As my project moves from one environment to another, the property value will change according to the environment...
    For Dev:
    <FrameworkConfig>
    <Config type="common" key="someKey">proprtyvalue_Dev</Config>
    </FrameworkConfig>
    For Stage :
    <FrameworkConfig>
    <Config type="common" key="someKey">proprtyvalue_Stage</Config>
    </FrameworkConfig>
    3] Let's say I create the following folder structure to store the configuration file specific to the dev/stage/prod instance
    OSB Project Folder
    |
    |---Dev
    |
    |--Dev_Config_file.xml
    |
    |---Stage
    |
    |--Stage_Config_file.xml
    |
    |---Prod
    |
    |-Prod_Config_file.xml
    4] I need a way to load these property files as an XML element/variable inside the OSB message flow. I can't use the XPath function fn:doc("URL") because I don't know the exact path of the XML on the deployed server.
    5] Also I need to look up/model the value which specifies the current server type (Dev/Stage/Prod) on which the OSB MF is running. Let's say any construct which will act as a global configuration and can be accessible inside the OSB message flow. If I get the value of the global variable as Dev, I will load the XML config file under the Dev directory at runtime, containing the key-value pairs for the Dev environment.
    6] This Re: OSB: What is best practice for reading configuration information
    suggests designing a web application which will serve the XML file over HTTP and getting the contents into a variable (which in turn can be used in the OSB message flow). Can we address this problem without creating the extra project and adding the dependencies? I read about the configuration file approach too, but the sample configuration file doesn't show an entry for a .xml file as a resource.
    I hope I am clear... I really appreciate your comments and suggestions.
    Sushil
    Edited by: Sushil Deshpande on Jan 24, 2011 10:56 AM

    If you can enforce some sort of naming convention for the transport endpoint of this proxy service across the environments, where the environment name is part of the endpoint, you may be able to retrieve it from $inbound in the message pipeline.
    e.g. http://osb_host/service/prod/service1 ==> Prod and http://osb_host/service/stage/service1 ==> Stage; then I think $inbound/ctx:transport/ctx:uri can give you /service/prod/service1 or /service/stage/service1, and by applying appropriate XPath functions you will be able to extract the environment name.
    Check this link for details on $inbound/ctx:transport: http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/context.html#wp1080822

  • Access-List configuration on ASR9k

    Hello all,
    I have an ASR 9000 on my network and want to configure an access-list. But is there any command to reference an ACL via a network object, as the ASA does?
    And which is the command that refers to it?
    So is it possible to create objects and then refer to them in the ACL?
    Regards,
    mery

    Hi Mery,
    Here is an example.
    RP/0/RSP0/CPU0:ASR9K-PE2-R1#show configuration commit changes last 1
    Mon Feb 24 00:06:10.681 UTC
    Building configuration...
    !! IOS XR Configuration 5.1.0
    object-group network ipv4 real
    host 100.1.1.1
    ipv4 access-list real
    10 permit icmp any any
    20 permit tcp any net-group real eq www
    30 permit tcp any net-group real eq www log
    40 permit tcp any net-group real eq ftp
    50 permit tcp any net-group real eq telnet
    60 permit tcp any net-group real eq pop3
    70 permit tcp any net-group real eq smtp
    80 permit tcp any net-group real eq domain
    90 permit tcp any net-group real eq ftp-data
    100 permit tcp any net-group real established
    110 permit tcp any net-group real eq 389
    111 permit udp any net-group real eq 389
    120 permit tcp any net-group real eq 636
    121 permit udp any net-group real eq 636
    200 permit ipv4 any any
    end
    RP/0/RSP0/CPU0:ASR9K-PE2-R1#

  • ASA5520 access-list configuration?

    I have two ASA5520s, version 7.2(2).
    I use access-lists on the firewall as follows:
    access-list outside extended permit ip object-group mydomain any
    access-list outside extended permit icmp object-group mydomain any
    access-group outside in interface outside
    I believe that all IP traffic should be allowed from machine AA in the private network behind the inside interface to machine BB in the public network (outside of the outside interface of the ASA5520).
    (private) AA->asa5520->BB (public)
    However, it seems to work in most cases, but it does not work for a certain port.
    telnet AA 80 -> it seems to work fine
    telnet AA 3816 -> it does not work.
    When I do a packet trace on the ASA5520, it says access-list not allowed.
    Could anyone advise me on what my configuration is missing? How do I correct this problem? And also, how can I see all the implicit rules that are set by default?
    any comments will be appreciated
    Thanks in advance

    Please upload/copy your config so we can see.

  • Simple SSH Access-List Question

    I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50.  I forgot the exact access-list configuration to accomplish this.  The subnet is /24 and I don't want the whole subnet - just .1 - .50.
    Thank you,
    Thomas Reiling

    Hi there,
    If using SSH, make sure you have a domain name, a host name and a generated RSA key. Assuming you've done that, the following ACL and line vty commands will do the trick. Note that the 1-50 host list is not on a subnet boundary.
    To get it exactly:
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 permit host 192.168.200.50
    access-list 1 deny any log
    It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
    access-list 1 remark ALLOW MANAGEMENT
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny   any log
    Apply the access-class on the vty lines and, depending on authentication, I'd put something there too.
    line vty 0 4
    access-class 1 in
    transport input ssh
    password blahblah
    That ought to do it.
    good luck!
    Brad
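Brad's first list is one hand-worked instance of a general problem: an IOS standard ACL can only express aligned power-of-two blocks, so an arbitrary host range has to be broken into several entries, and it is easy to get an entry wrong or miss a host. The following is an added example, not code from Brad's reply or from Cisco: it generates the minimal entry list for any inclusive range, renders it as ACL lines, and expands the result again to prove it covers exactly the intended hosts. The ACL number, the remark text and the function names are assumptions made for the demo.

```python
# Added example, not code from the thread. Turns an arbitrary inclusive host range into
# the smallest list of "address wildcard" entries a Cisco standard ACL can express,
# which is the general form of the list Brad wrote by hand, then expands the result
# again to prove it covers exactly the intended hosts. ACL number and remark are assumed.
from __future__ import annotations

import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def range_to_wildcard_entries(first: str, last: str) -> list[tuple[str, str]]:
    """Return (address, wildcard) pairs covering exactly first..last inclusive.

    A wildcard entry can only describe a block whose size is a power of two and whose
    start is aligned to that size, so the range is walked from the low end, taking the
    largest aligned block that still fits inside the remaining range at each step."""
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    entries: list[tuple[str, str]] = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((_to_str(lo), _to_str(size - 1)))
        lo += size
    return entries


def render_standard_acl(number: int, first: str, last: str) -> list[str]:
    """Render IOS standard-ACL lines for the range, closing with a logged explicit deny."""
    lines = [f"access-list {number} remark ALLOW MANAGEMENT {first}-{last}"]
    for addr, wild in range_to_wildcard_entries(first, last):
        if wild == "0.0.0.0":
            lines.append(f"access-list {number} permit host {addr}")
        else:
            lines.append(f"access-list {number} permit {addr} {wild}")
    lines.append(f"access-list {number} deny any log")
    return lines


def covered_hosts(entries: list[tuple[str, str]]) -> set[int]:
    """Expand (address, wildcard) pairs back into the set of host addresses they match.

    Only valid for contiguous wildcards (0.0.0.1, 0.0.0.3, ...), which is all this
    generator produces; IOS itself also accepts non-contiguous ones."""
    hosts: set[int] = set()
    for addr, wild in entries:
        base, mask = _to_int(addr), _to_int(wild)
        for low_bits in range(mask + 1):
            hosts.add((base & ~mask) | low_bits)
    return hosts


if __name__ == "__main__":
    for line in render_standard_acl(1, "192.168.200.1", "192.168.200.50"):
        print(line)
```

For .1 through .50 this yields eight permit entries: the .48 0.0.0.1 entry covers .48 and .49 only, so .50 needs its own host entry. Brad's 0.0.0.63 shortcut is shorter but also admits .0 and .51 through .63, which is the usual trade-off between a readable ACL and a precise one; if the management range will only ever hold a few jump hosts, the precise list is worth the extra lines. The access-class only restricts the vty lines, so SNMP, HTTP and other management services need their own restrictions.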

  • My computer crashed and was reset to factory settings. I downloaded iTunes to the computer. Now my iPod does not sync to the CDs that I imported. Please assist. Thanks.

    My iPod Classic is not syncing to my iTunes library, so the songs in the library are not placed onto my iPod. This happened after my laptop crashed and was restored. I downloaded iTunes and was able to transfer songs, and I also imported music from CDs into the library. However, when I click on SYNC nothing happens and the songs in the iTunes library are not imported into my iPod.
    Please assist. Thanks.

    Are they configured to sync to your iPod from under the iPod's music configuration tab in iTunes?  See this article for more help and assistance on syncing music to your iPod Classic.
    Syncing music to iPod or iPhone
    B-rock

  • Pb access-list Catalyst 4507r

    Hi
    I have 2 VLANs: 192.168.38.0 and 192.168.31.0.
    In the 38.0 network I have an Exchange server,
    and in the 31.0 network I have clients (Microsoft Outlook).
    The problem is that when I configure the access-list, the client starts a port 135 communication but doesn't get an answer.
    But if I open all the ports, it's OK.
    Here is my access-list.
    Could you confirm if it's OK?
    Thank you in advance.
    access-list 131 remark on interface vlan 31 Client NB
    access-list 131 permit ip any 192.168.31.0 0.0.0.255
    access-list 131 permit tcp any host 192.168.38.203 eq 135
    access-list 131 permit icmp any 192.168.38.0 0.0.0.255
    access-list 131 deny ip any any
    access-list 138 remark on interface vlan 38 Bureautique
    access-list 138 permit ip any 192.168.38.0 0.0.0.255
    access-list 138 permit icmp any 192.168.31.0 0.0.0.255
    access-list 138 deny ip any any

    Hi,
    Thank you very much.
    When I look with the Ethereal software, the client needs to open a port range (>1024).
    Please give me the access-list.
    Thanks in advance!!
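Sanjib's thread at the top of the page and this Exchange thread show the same stateless-ACL effect: an IOS extended ACL judges every packet on its own, so an ACE that denies 10.1.1.0/24 to 30.1.1.0/24 also denies the SYN-ACK that a 10.1.1.0/24 host sends back to a connection 30.1.1.0/24 opened, and ACL 138 above drops the Exchange server's TCP replies because only ICMP to 192.168.31.0/24 is permitted. The added example below is not code from either thread or from Cisco: it evaluates IOS-style ACEs the way the router does (first match wins, implicit deny at the end) and shows that a `permit tcp ... established` ACE, which matches segments with the ACK or RST flag set, lets replies back through without opening the denied direction for new connections. It also shows what `established` cannot fix: the Outlook client's follow-up connections to the RPC dynamic ports on the Exchange server are new SYNs and still fall through to the deny in ACL 131. All packets, the client address 192.168.31.10 and the port numbers are constructed for the demo.

```python
# Added example, not code from either thread. Evaluates IOS-style extended ACEs the way
# the router does (first match wins, implicit deny at the end) to show why a stateless
# ACL also blocks the replies to connections it meant to allow, and what the
# 'established' keyword does and does not fix. All packets are constructed for the demo.
from __future__ import annotations

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False  # TCP ACK or RST set: true for every segment except the opening SYN


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: list[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_port(t: list[str], i: int):
    """Consume an optional 'eq N'; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse e.g. 'permit tcp any host 192.168.38.203 eq 135' or '... established'."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1]}
    ace["src"], i = _parse_addr(t, 2)
    _, i = _parse_port(t, i)  # source port: accepted, not matched in this demo
    ace["dst"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    ace["established"] = "established" in t[i:]
    return ace


def _match_addr(spec, ip: str) -> bool:
    net, wild = spec  # bits set in the wildcard are "don't care"
    return (_ip(ip) & ~wild) == (net & ~wild)


def evaluate(acl: list[str], pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under acl; the first matching ACE wins."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
            continue
        if not (_match_addr(ace["src"], pkt.src) and _match_addr(ace["dst"], pkt.dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every IOS ACL


# Sanjib's ACL: 10.1.1.0/24 must not reach 30.1.1.0/24, everything else allowed.
OP_ACL = ["deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255",
          "permit ip any any"]
# Same intent, but replies to TCP sessions opened from 30.1.1.0/24 are let back through.
FIXED_ACL = ["permit tcp 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 established"] + OP_ACL

# ACL 138 from the Exchange thread (VLAN 38 side): replies to the Outlook clients in
# 192.168.31.0/24 are only covered by the ICMP line, so the server's TCP replies die here.
ACL_138 = ["permit ip any 192.168.38.0 0.0.0.255",
           "permit icmp any 192.168.31.0 0.0.0.255",
           "deny ip any any"]
ACL_138_FIXED = ["permit tcp host 192.168.38.203 192.168.31.0 0.0.0.255 established"] + ACL_138
# ACL 131 (VLAN 31 side): the endpoint mapper is open, the RPC dynamic ports are not.
ACL_131 = ["permit ip any 192.168.31.0 0.0.0.255",
           "permit tcp any host 192.168.38.203 eq 135",
           "permit icmp any 192.168.38.0 0.0.0.255",
           "deny ip any any"]


if __name__ == "__main__":
    syn = Packet("tcp", "30.1.1.5", "10.1.1.5", dport=80)
    reply = Packet("tcp", "10.1.1.5", "30.1.1.5", dport=1025, ack=True)
    new_conn = Packet("tcp", "10.1.1.5", "30.1.1.5", dport=80)
    for name, p in [("30->10 SYN", syn), ("10->30 reply", reply), ("10->30 new SYN", new_conn)]:
        print(f"{name:16} original={evaluate(OP_ACL, p):6} fixed={evaluate(FIXED_ACL, p)}")
    epm = Packet("tcp", "192.168.31.10", "192.168.38.203", dport=135)
    epm_reply = Packet("tcp", "192.168.38.203", "192.168.31.10", dport=1100, ack=True)
    dyn = Packet("tcp", "192.168.31.10", "192.168.38.203", dport=49152)  # constructed RPC port
    print("client->135:", evaluate(ACL_131, epm), " server reply:",
          evaluate(ACL_138, epm_reply), "->", evaluate(ACL_138_FIXED, epm_reply),
          " client->dynamic port:", evaluate(ACL_131, dyn))
```

`established` is a flag check, not connection tracking: any segment with ACK or RST set matches it, so it does not help UDP and it does not stop a host in the denied subnet from sending ACK-flagged probes. Where the requirement is really "only sessions initiated from one side", the stateful IOS options (reflexive ACLs with `reflect`/`evaluate`, CBAC `ip inspect`, or the zone-based firewall) are the right tool. For the Exchange case the dynamic-port connections will fail regardless of `established`, because they are new SYNs from the client; either pin the RPC dynamic port range on the server and permit that range explicitly, or put stateful inspection between the VLANs.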

  • Cleaning up Access Lists

    Here is an access list I want to know if I can "clean up" :
    access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
    access-list outside_access_in extended permit object RDP any any
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
    access-list outside_access_in_1 extended permit object RDP any object FileServer
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
    access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
    access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
    access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
    access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
    access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
    access-list outside_access_in_1 extended permit icmp any object DattoDevice
    access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
    access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
    What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

    Hi,
    To my understanding, the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
    The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
    I would imagine that only one of them is attached to your "outside" interface at the moment. You can check which ACLs are attached to the interfaces of the ASA with the command
    show run access-group
    You could add the same lines from the old ACL to the new ACL with the "_1" at the end, but you probably won't need all the statements (if any). The first line of the ACL you seem to have in the new one already.
    The second ACL line might be in the new ACL. I am not sure, as it contains "object" configurations which hold the IP addresses that I can't see.
    Same goes for the third line of the ACL. It contains an "object" configuration, though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts, but with this information I can not say what the case is.
    The last (fourth) line of the ACL seems to be an RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore, as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
    The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
    At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical, I imagine that also only one of these is in actual use at the moment.
    You can check what is in use with the command
    show run crypto map
    Hope this helps :)
    - Jouni

  • LMS compliance check on all access lists

    Hello, I am trying to create a compliance template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLANs but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices, therefore I need to use wildcards for the name.
    Thanks.

    I forgot to mention that i am running this against Cisco ASA devices which displays like this:
    access-list TEST_ACL extended deny ip any any
    I have tried:
    access-list [#.*#] extended deny ip any any
    but it returns all as compliant because it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
    Any ideas?
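The check the template was meant to express is a per-ACL property, not a per-device one: the running config has to be grouped by ACL name first, and then every group is judged on its own, which is exactly what a single wildcard regex against the whole config cannot do. The following added example (not LMS template syntax, and not code from the thread) does that grouping over a constructed ASA-style config, flags ACLs with no explicit `deny ip any any`, and also flags ACLs where the deny is not the last ACE, since a deny in the middle shadows everything after it. The ACL names and addresses in the sample config are made up for the demo.

```python
# Added example, not part of the thread. A stand-alone version of the check the LMS
# template was meant to express: group an ASA running-config's access-list lines by ACL
# name and report every extended ACL whose last ACE is not an explicit 'deny ip any any',
# instead of stopping at the first ACL that has one. The config below is constructed.
from __future__ import annotations

import re

SAMPLE_CONFIG = """\
access-list TEST_ACL extended permit tcp any host 192.168.0.10 eq 443
access-list TEST_ACL extended deny ip any any
access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit icmp any any
access-list inside_out extended deny ip any any
access-list inside_out extended permit ip 192.168.0.0 255.255.255.0 any
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-group outside_access_in in interface outside
access-group inside_out in interface inside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|standard|remark)\s+(.*)$")
EXPLICIT_DENY_RE = re.compile(r"^deny\s+ip\s+any\s+any(\s|$)")  # 'log' suffix allowed
ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+", re.M)


def group_acls(config: str) -> dict[str, list[str]]:
    """Map ACL name -> ordered list of its extended ACEs (remarks and standard ACLs skipped)."""
    acls: dict[str, list[str]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(2) == "extended":
            acls.setdefault(m.group(1), []).append(m.group(3).strip())
    return acls


def applied_acls(config: str) -> set[str]:
    """Names bound to an interface with 'access-group <name> in|out interface <if>'."""
    return set(ACCESS_GROUP_RE.findall(config))


def audit(config: str) -> dict[str, str]:
    """Return ACL name -> 'compliant' | 'no explicit deny' | 'deny not last'."""
    verdicts: dict[str, str] = {}
    for name, aces in group_acls(config).items():
        deny_at = [i for i, ace in enumerate(aces) if EXPLICIT_DENY_RE.match(ace)]
        if not deny_at:
            verdicts[name] = "no explicit deny"
        elif deny_at[0] != len(aces) - 1:
            # A 'deny ip any any' anywhere but last shadows every ACE after it.
            verdicts[name] = "deny not last"
        else:
            verdicts[name] = "compliant"
    return verdicts


def interface_acl_findings(config: str) -> dict[str, str]:
    """Only the non-compliant ACLs that are actually filtering traffic on an interface."""
    active = applied_acls(config)
    return {n: v for n, v in audit(config).items() if n in active and v != "compliant"}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name:28} {verdict}")
    print("interface findings:", interface_acl_findings(SAMPLE_CONFIG))
```

Two caveats for a real audit: every ASA ACL already ends with an implicit deny, so the explicit ACE buys a hit counter and a log line rather than a change in behaviour, and crypto-map and split-tunnel ACLs select traffic rather than filter it, so a trailing deny there is meaningless. That is why `interface_acl_findings` restricts the report to ACLs bound with `access-group`; the same restriction is what the LMS template should express once the grouping problem is solved.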

  • Show access-list | include

    Couple questions on show with include
    1. Can you do a show command with include and a space meaning can you search for say "permit ip"?
    2. Can you do a search for an exclude say "show access-list | exclude eq"?                  

    Sure, examples:
    How do you do the include for words and spaces?
    When filtering you can use the underscore to refer to spaces on the lines.
    Can you do a show command for access-list where you are looking for permit IP without "eq"?
    You can't mix commands, i.e. mixing "inc" & "exc". So no.
    Besides, the only available option when using two or more pipes is only OR, in case you were wondering.
    Now, examples
    show run access-list test
    access-list test remark hello world
    access-list test remark helloworld
    access-list test remark hey hello world
    access-list test remark heyhelloworld
    Now, filtering:
    show run access-list | i hello
    access-list test remark hello world
    access-list test remark helloworld
    access-list test remark hey hello world
    access-list test remark heyhelloworld
    show run access-list | i _world
    access-list test remark hello world
    access-list test remark hey hello world
    show run access-list | i hey |  world
    access-list test remark hello world
    access-list test remark hey hello world
    I think that covers it.
    Here is a good article about the topic:
    http://stack.nil.com/ipcorner/EnhanceIOSUI/

  • ASR 5000 access list for ssh and telnet

    Dears,
    How can we apply an access list for telnet and SSH on the ASR 5k?
    Please advise if this is feasible.
    Thanks.

    Hello Joseph,
    Sorry for the delay in response.
    To control access to the ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring the local context.
    For example:
    config
    context local
    no server telnetd
    #exit
    The System Administration Guide for the relevant version will give you detailed information in this regard.
    Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
    You can find other guides here:  http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
    Hope this helps..
    Regards
    Aneesh

  • Bought bulk SMS app and it appears downloaded in iTunes. Can't access my apps in iTunes and it won't download to my iPhone either, please assist!!!

    Please assist. I bought a group SMS app from the iTunes store and it downloaded to my Windows 7 Ultimate PC. I cannot get it downloaded to my iPhone 4 and cannot access any app in iTunes that I have downloaded before. It is supposed to transfer to my phone with sync, but no transfer happens notwithstanding numerous syncs. Apps remain unclickable in iTunes and not accessible; please point me in the correct direction.

    Unhappy-user wrote:
    Apps remain unclickable in iTunes and not accessible
    That is because they only work on iOS devices.
    As for the other issue, connect the device, select it in the left hand pane.  In the right pane, select the Apps tab.  Is Sync Apps checked?  Is the specific App(s) checked?  Is Automatically sync new apps checked?
    Any errors in iTunes or on the device when syncing?
