Please assist me for access-list configuration
Dear Team,
Please help me to configure the access-list.
Requirement:
I have three different subnets (10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1 and PC3 are in the 10.1.1.0 subnet, and PC2 and PC4 are in the 30.1.1.0 subnet.
I want the 10.1.1.0 subnet not to be able to access the 30.1.1.0 subnet, but the 30.1.1.0 subnet should be able to access the 10.1.1.0 subnet. Please find the configuration below.
At R2:
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
But this configuration is not working; it is also blocking the 30.1.1.0 subnet from accessing 10.1.1.0. Please help me!
Regards,
Sanjib
Hello
I assume the routers are performing the routing for these subnets and not the switches. Anyway, your ACL doesn't look correct; try this:
R2
ip access-list extended 101
deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 in
or
ip access-list extended 101
deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
permit ip any any
int f0/0
ip access-group 101 out
Reverse the ACL for R3 if applicable.
Regards,
Paul
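The symptom in the original post (30.1.1.0 can no longer reach 10.1.1.0 once the deny is applied) is what a stateless ACL does: the reply packets PC1 sends back to PC2 are sourced from 10.1.1.0/24 and destined to 30.1.1.0/24, so they hit the same deny as a new connection from PC1. The following is an added example written for this page, not code from the thread: a small Python model of IOS ACL evaluation (wildcard masks, first match wins, implicit deny) run over constructed packets. It assumes f0/0 is the R2 interface facing 10.1.1.0/24, which the post does not state, and the host addresses 10.1.1.10, 30.1.1.10 and 20.1.1.5 are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    ack: bool = False    # TCP ACK/RST bit set (a reply or mid-session segment)


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    established: bool = False   # IOS 'established': TCP with ACK or RST set


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return (wildcard_match(pkt.src, ace.src_net, ace.src_wild)
            and wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; nothing matched means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
NET10 = ("10.1.1.0", "0.0.0.255")
NET30 = ("30.1.1.0", "0.0.0.255")

# ACL 101 as posted: deny 10.1.1.0/24 -> 30.1.1.0/24, then permit ip any any.
POSTED_ACL: List[Ace] = [
    Ace("deny", "ip", *NET10, *NET30),
    Ace("permit", "ip", *ANY, *ANY),
]

# Same intent, but TCP replies belonging to sessions opened from 30.1.1.0/24
# are let back through ahead of the deny (permit tcp ... established).
ESTABLISHED_ACL: List[Ace] = [
    Ace("permit", "tcp", *NET10, *NET30, established=True),
    Ace("deny", "ip", *NET10, *NET30),
    Ace("permit", "ip", *ANY, *ANY),
]

# Constructed packets as they would arrive inbound on f0/0, which this example
# assumes is the R2 interface facing 10.1.1.0/24 (the post does not say).
INBOUND_ON_F00: Dict[str, Packet] = {
    "PC1 opens TCP session to PC2":       Packet("10.1.1.10", "30.1.1.10", "tcp", ack=False),
    "PC1 answers TCP session PC2 opened": Packet("10.1.1.10", "30.1.1.10", "tcp", ack=True),
    "PC1 echo-reply to PC2's ping":       Packet("10.1.1.10", "30.1.1.10", "icmp"),
    "PC1 talks to 20.1.1.0/24":           Packet("10.1.1.10", "20.1.1.5", "tcp", ack=False),
}


def decisions(acl: List[Ace]) -> Dict[str, str]:
    """Verdict of 'acl' for every constructed packet, keyed by description."""
    return {name: evaluate(acl, pkt) for name, pkt in INBOUND_ON_F00.items()}


if __name__ == "__main__":
    for label, acl in (("posted ACL", POSTED_ACL), ("with 'established'", ESTABLISHED_ACL)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {verdict:6}  {name}")
```

Run as is, the posted ACL denies PC1's reply to a session PC2 opened, which is why the 30.1.1.0 side loses connectivity. The `established` variant fixes that for TCP only: it inspects flag bits, not state, so a crafted ACK-flagged packet from 10.1.1.0/24 passes, and ICMP echo-replies and UDP responses are still dropped. For those, IOS reflexive ACLs (`reflect`/`evaluate`) or a stateful firewall are the general answer.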
Similar Messages
-
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration. Although it is working fine, it is not secure, because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to: ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it isn't working.
No internet connection from the TMG server. -
Default action for access list Deny
Hello,
Is it possible to change the default action for an access list deny? Can the ASA be configured to send an icmp unreachable rather than just dropping the packet if an access list denies the request? I have a situation where I would like to restrict access to a specific server for a select number of users. The problem is that the restricted workstations attempt to connect to the server at log in. Since I cannot control the log in script for those users, I was hoping to use the ASA firewall instead. However, using a deny statement causes the workstation to repeatedly send SYN requests for 60 seconds. The restricted users experience an unacceptably long delay at log in. I was hoping to be able to configure the ASA to send an icmp unreachable message for those users and avoid the wait.
Thanks,
Ann
Hello,
As the firewall is supposed to be invisible, there is no way the ASA could send these particular messages. Sorry to inform you of that, but you could request this particular feature through your Cisco account team.
Regards,
Julio -
hi
i have the following configuration:
interface FastEthernet0/1
description **** connected to Timsoret Line-code yy-yyyyy 1 Giga ***
no ip address
duplex full
speed 100
interface FastEthernet0/1.2007
description ***** Connect To MASTER_SHUKEI_ON *****
encapsulation dot1Q 2007
ip address 172.21.2.46 255.255.255.248
interface FastEthernet0/1.2008
description ***** Connect To TRAST *****
encapsulation dot1Q 2008
ip address 172.21.2.54 255.255.255.248
interface FastEthernet0/1.2009
description ***** Connect To TRAST *****
encapsulation dot1Q 2009
ip address 172.21.2.62 255.255.255.248
interface FastEthernet0/1.2010
description ***** Connect To TRAST *****
encapsulation dot1Q 2010
ip address 172.21.2.707 255.255.255.248
and I want to configure an access deny between the VLANs, so that users can't get into other VLANs that don't belong to them.
Thanks
Hi
Configure an access-list:
access-list 10 deny <your VLAN 2007 range>
access-list 10 permit any
int f0/1.2007
ip access-group 10 in
Same for VLAN 2008.
Thanks
Mahmood -
Best Practices for Accessing the Configuration data Modelled as XML File in
Hi,
I referred to a couple of blog posts/forum threads on how to model and access the configuration data as XML inside OSB.
One of the easiest ways is
Re: OSB: What is best practice for reading configuration information
Another could be
Uploading the XML data as an .xq file (creating an .xq file and copy-pasting all the configuration as XML)
I need expert answers for following.
1] I have an .xsd file which represents the configuration data. The structure of the XSD is
<FrameworkConfig>
<Config type="common" key="someKey">propertyvalue</Config>
</FrameworkConfig>
2] As my project moves from one environment to another, the property value will change according to the environment...
For Dev:
<FrameworkConfig>
<Config type="common" key="someKey">propertyvalue_Dev</Config>
</FrameworkConfig>
For Stage:
<FrameworkConfig>
<Config type="common" key="someKey">propertyvalue_Stage</Config>
</FrameworkConfig>
3] Let's say I create the following folder structure to store the configuration file specific to the dev/stage/prod instance
OSB Project Folder
|
|---Dev
|
|--Dev_Config_file.xml
|
|---Stage
|
|--Stage_Config_file.xml
|
|---Prod
|
|-Prod_Config_file.xml
4] I need a way to load these property files as an XML element/variable inside the OSB message flow. I can't use the XPath function fn:doc("URL") because I don't know the exact path of the XML on the deployed server.
5] I also need to look up/model the value which specifies the current server type (Dev/Stage/Prod) on which the OSB MF is running. Let's say any construct which will act as a global configuration and can be accessible inside the OSB message flow. If I get the value of the global variable as Dev, I will load the XML config file under the Dev directory at runtime, containing the key/value pairs for the Dev environment.
6] This Re: OSB: What is best practice for reading configuration information
suggests designing a web application which will serve the XML file over the HTTP protocol and getting the contents into a variable (which in turn can be used in the OSB message flow). Can we address this problem without creating the extra project and adding the dependencies? I read about the configuration file approach too, but the sample configuration file doesn't show an entry for an .xml file as a resource.
Hope I am clear... I really appreciate your comments and suggestions.
Sushil
Edited by: Sushil Deshpande on Jan 24, 2011 10:56 AM
If you can enforce some sort of naming convention for the transport endpoint of this proxy service across the environments, where the environment name is part of the endpoint, you may be able to retrieve it from $inbound in the message pipeline.
e.g. http://osb_host/service/prod/service1 ==> Prod and http://osb_host/service/prod/service2 ==> stage; then I think $inbound/ctx:transport/ctx:uri can give you /service/prod/service1 or /service/stage/service1, and by applying appropriate XPath functions you will be able to extract the environment name.
Check this link for details on $inbound/ctx:transport : http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/userguide/context.html#wp1080822 -
Access-List configuration on ASR9k
hello All,
I have an ASR 9000 on my network and want to configure an access-list. But is there any command to reference an ACL via a network object, as the ASA does?
And which is the command that refers to it?
So is it possible to create objects and then refer to them in the ACL?
Regards,
Mery
Hi Mery,
here is an example.
RP/0/RSP0/CPU0:ASR9K-PE2-R1#show configuration commit changes last 1
Mon Feb 24 00:06:10.681 UTC
Building configuration...
!! IOS XR Configuration 5.1.0
object-group network ipv4 real
host 100.1.1.1
ipv4 access-list real
10 permit icmp any any
20 permit tcp any net-group real eq www
30 permit tcp any net-group real eq www log
40 permit tcp any net-group real eq ftp
50 permit tcp any net-group real eq telnet
60 permit tcp any net-group real eq pop3
70 permit tcp any net-group real eq smtp
80 permit tcp any net-group real eq domain
90 permit tcp any net-group real eq ftp-data
100 permit tcp any net-group real established
110 permit tcp any net-group real eq 389
111 permit udp any net-group real eq 389
120 permit tcp any net-group real eq 636
121 permit udp any net-group real eq 636
200 permit ipv4 any any
end
RP/0/RSP0/CPU0:ASR9K-PE2-R1# -
ASA5520 access-list configuration?
I have two asa5520s, version 7.2(2).
I use access-lists for the firewall as follows:
access-list outside extended permit ip object-group mydomain any
access-list outside extended permit icmp object-group mydomain any
access-group outside in interface outside.
I believe that all IP traffic should be allowed from machine AA in the private network behind the inside interface to machine BB in the public network (outside the outside interface of the asa5520).
(private) AA->asa5520->BB (public)
However, it seems to work in most cases, but it does not work for a certain port.
telnet AA 80 -> it seems to work fine
telnet AA 3816 -> it does not work.
When I do the packet trace on the asa5520, it says access-list not allowed.
Could anyone advise me what my configuration is missing? How do I correct this problem? And also, how can I see all the implicit rules which are set by default?
Any comments will be appreciated.
Thanks in advance
Please upload/copy your config so we can see.
-
Simple SSH Access-List Question
I am enabling SSH access for all of our Cisco devices and want to restrict access to just the following ip addresses: 192.168.200.1-192.168.200.50. I forgot the exact access-list configuration to accomplish this. The subnet is /24 and I don't want the whole subnet - just .1 - .50.
Thank you,
Thomas Reiling
Hi there,
If using SSH, make sure you have a domain name, a host name and a generated RSA key. Assuming you've done that, the following ACL and line vty commands will do the trick. Note that the 1-50 host list is not on a subnet boundary.
To get it exactly
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary though, so the following would be much simpler and easier to read.
access-list 1 remark ALLOW MANAGEMENT
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class to the vty lines, and depending on authentication, I'd put something there too.
line vty 0 4
access-class 1 in
transport input ssh
password blahblah
That ought to do it.
good luck!
Brad -
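The trade-off in the reply above (an exact list versus the /26 shortcut) is worth checking by machine rather than by eye, because a wildcard line that over-permits management access is easy to miss. The following is an added example, not part of the thread: a Python script that decomposes an inclusive address range into the fewest aligned `permit <network> <wildcard>` lines, expands any such list back into the addresses it matches, and reports what is missing from or extra to the wanted range. The two lists from the reply are encoded as (network, wildcard) pairs; everything else is constructed here.

```python
import ipaddress
from typing import List, Set, Tuple

Entry = Tuple[str, str]   # (network, wildcard) as written in an IOS standard ACL


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _str(i: int) -> str:
    return str(ipaddress.IPv4Address(i))


def range_to_entries(first: str, last: str) -> List[Entry]:
    """Split an inclusive address range into the fewest aligned power-of-two
    blocks, each expressible as one 'permit <network> <wildcard>' line."""
    entries: List[Entry] = []
    cur, end = _ip(first), _ip(last)
    while cur <= end:
        size = 1
        # Grow the block while it stays aligned to its size and inside the range.
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        entries.append((_str(cur), _str(size - 1)))
        cur += size
    return entries


def covered(entries: List[Entry]) -> Set[int]:
    """Every address matched by a list of entries with contiguous wildcards."""
    addrs: Set[int] = set()
    for network, wildcard in entries:
        n, w = _ip(network), _ip(wildcard)
        if w & (w + 1):
            raise ValueError(f"non-contiguous wildcard {wildcard}")
        if n & w:
            raise ValueError(f"{network} is not aligned to wildcard {wildcard}")
        addrs.update(range(n, n + w + 1))
    return addrs


def audit(entries: List[Entry], first: str, last: str) -> Tuple[List[str], List[str]]:
    """Return (wanted addresses NOT permitted, permitted addresses OUTSIDE the range)."""
    wanted = set(range(_ip(first), _ip(last) + 1))
    got = covered(entries)
    missing = [_str(i) for i in sorted(wanted - got)]
    extra = [_str(i) for i in sorted(got - wanted)]
    return missing, extra


def render(entries: List[Entry], number: int = 1) -> List[str]:
    """Emit the entries as a numbered standard ACL with a logged deny at the end."""
    lines = [f"access-list {number} remark ALLOW MANAGEMENT"]
    for network, wildcard in entries:
        if wildcard == "0.0.0.0":
            lines.append(f"access-list {number} permit host {network}")
        else:
            lines.append(f"access-list {number} permit {network} {wildcard}")
    lines.append(f"access-list {number} deny any log")
    return lines


FIRST, LAST = "192.168.200.1", "192.168.200.50"

# The two lists from the reply above, as (network, wildcard) pairs.
EXACT_FROM_REPLY: List[Entry] = [
    ("192.168.200.0", "0.0.0.31"), ("192.168.200.32", "0.0.0.15"),
    ("192.168.200.48", "0.0.0.1"), ("192.168.200.50", "0.0.0.0"),
]
BOUNDARY_FROM_REPLY: List[Entry] = [("192.168.200.0", "0.0.0.63")]

if __name__ == "__main__":
    candidates = (("exact list", EXACT_FROM_REPLY),
                  ("/26 shortcut", BOUNDARY_FROM_REPLY),
                  ("generated", range_to_entries(FIRST, LAST)))
    for label, entries in candidates:
        missing, extra = audit(entries, FIRST, LAST)
        print(f"{label}: {len(entries)} entries, missing {missing}, extra {extra}")
    print("\n".join(render(range_to_entries(FIRST, LAST))))
```

The audit shows the reply's exact list admits only the unused .0 address beyond what was asked, while the /26 shortcut also admits .51 through .63: fourteen extra addresses, which matters when the VTY ACL is the only thing standing between an office subnet and device management. An exact .1-.50 list needs eight lines; whether that is worth the readability cost is the decision the reply leaves to the reader.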
My IPOD Classic is not synching to my itunes library so the songs in the library are not placed into my IPOD. This happened subsequent to my laptop crash and it was restored. I downloaded Itunes and was able to transfer songs and I also imported music from cds into library. However, when I click on SYNCH nothing happens and the songs in itunes library are not imported into my ipod.
Please assist. Thanks.
Are they configured to sync to your iPod from under the iPod's music configuration tab in iTunes? See this article for more help and assistance on syncing music to your iPod Classic.
Syncing music to iPod or iPhone
B-rock -
Hi
I have 2 vlan : 192.168.38.0 and 192.168.31.0.
In the 38.0 network, I have an exchange server.
And in the 31.0 network, I have a clients(microsoft outlook).
The problem is that when I configure the access-list, the client starts a port 135 communication but doesn't get an answer.
But if I open all ports, it's OK.
Here is my access-list.
Could you confirm if it's OK?
Thank you in advance.
access-list 131 remark sur interface vlan 31 Client NB
access-list 131 permit ip any 192.168.31.0 0.0.0.255
access-list 131 permit tcp any host 192.168.38.203 eq 135
access-list 131 permit icmp any 192.168.38.0 0.0.0.255
access-list 131 deny ip any any
access-list 138 remark sur interface vlan 38 Bureautique
access-list 138 permit ip any 192.168.38.0 0.0.0.255
access-list 138 permit icmp any 192.168.31.0 0.0.0.255
access-list 138 deny ip any any
Hi,
Thank you very much.
When I look with the Ethereal software, the client needs to open a port range (>1024).
Please give me the access-list.
Thanks in advance! -
Here is an access list I want to know if I can "clean up" :
access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
access-list outside_access_in extended permit object RDP any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
access-list outside_access_in_1 extended permit object RDP any object FileServer
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
access-list outside_access_in_1 extended permit icmp any object DattoDevice
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical? I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......
Hi,
To my understanding, the numbering in the format "_1" (and similar) is generated by the device when you configure it through the ASDM.
The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
I would imagine that only one of them is attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
show run access-group
You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably wont need all the statements (if any). The first line of the ACL you seem to have in the new one already.
The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I cant see.
Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say whats the case.
The last (fourth) line of the ACL seems to be an RDP rule that previously allowed RDP connections towards a host that used the PIX firewall's "outside" interface as its public IP address. This won't be needed anymore, as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT configured.
The ACL named "RemoteVPN_splitTunnelAcl" is probably currently in the "group-policy" configuration of your VPN. I doubt you will have to touch this at all.
At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seem to be ACLs configured for L2L VPN connections. Considering the destination subnet in both of these is identical, I imagine that also only one of these is in actual use at the moment.
You can check what is in use with the command
show run crypto map
Hope this helps :)
- Jouni -
LMS compliance check on all access lists
Hello, I am trying to create a compliance template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLANs but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices, therefore I need to use wildcards for the name.
Thanks.
I forgot to mention that I am running this against Cisco ASA devices, which display like this:
access-list TEST_ACL extended deny ip any any
I have tried:
access-list [#.*#] extended deny ip any any
but it returns all as compliant because it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
Any ideas? -
Show access-list | include
Couple questions on show with include
1. Can you do a show command with include and a space meaning can you search for say "permit ip"?
2. Can you do a search for an exclude, say "show access-list | exclude eq"?
Sure, examples:
How do you do the include for words and spaces?
When filtering you can use the underscore to refer to spaces on the lines.
Can you do a show command for access-list where you are looking for permit IP without "eq"?
You can't mix commands like, mixing "inc" & "exc". So no.
Besides, the only available option when using two or more pipes is only OR, in case you were wondering.
Now, examples
show run access-list test
access-list test remark hello world
access-list test remark helloworld
access-list test remark hey hello world
access-list test remark heyhelloworld
Now, filtering:
show run access-list | i hello
access-list test remark hello world
access-list test remark helloworld
access-list test remark hey hello world
access-list test remark heyhelloworld
show run access-list | i _world
access-list test remark hello world
access-list test remark hey hello world
show run access-list | i hey | world
access-list test remark hello world
access-list test remark hey hello world
I think that covers it.
Here is a good article about the topic:
http://stack.nil.com/ipcorner/EnhanceIOSUI/ -
ASR 5000 access list for ssh and telnet
Dears,
how can we apply an access list for telnet and ssh on asr 5k ?
please advise if this is feasible.
Thanks.
Hello Joseph,
Sorry for the delay in response.
To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
For example:
config
context local
no server telnetd
#exit
System Administration Guide of the relevant version will give you detailed information in this regard.
Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
You can find other guides here: http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
Hope this helps..
Regards
Aneesh -
Please assist. I bought a group SMS app from the iTunes store and it downloaded to my Windows 7 Ultimate PC. I cannot get it downloaded to my iPhone 4 and cannot access any app in iTunes that I have downloaded before. It is supposed to transfer to my phone with sync, but no transfer happens notwithstanding numerous syncs. Apps remain unclickable in iTunes and not accessible. Please point me in the correct direction?
Unhappy-user wrote:
Apps remain unclickable in iTunes and not accessible
That is because they only work on iOS devices.
As for the other issue, connect the device, select it in the left hand pane. In the right pane, select the Apps tab. Is Sync Apps checked? Is the specific App(s) checked? Is Automatically sync new apps checked?
Any errors in iTunes or on the device when syncing?