Purpose of inside_access_in permit ip any any
Hi All,
Reviewing some firewalls from a company acquisition and moving to standardize configs with the existing firewalls. I see they've configured the following, and I fail to see its purpose; hoping someone can provide some insight.
These are 5505's:
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
Don't understand the purpose of this. The inside interface is security 100, and the outside is security 0. Aren't these flows allowed by default? I get that you can specify inside_access_in when you want to limit what can go outside, but in the case of "any any" above, I don't see the point.
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
Same thing here ---> It's my understanding that ICMP, HTTPS & SSH all occur before the firewall function comes into play on a 5505, so isn't this ACL also moot?
I've sometimes seen the "inside_access_in" case used to trigger logging or hits against the access-list for a very basic connection accounting function. Beyond that though, it's a pretty superfluous command.
I could speculate that some inexperienced admin put it in just to satisfy any doubt he/she may have had when asked "are you SURE the firewall isn't blocking my traffic?" (although it may still have been if there was an inspection rule being hit :-p )
The outside one would allow pinging initiated from the outside of internal hosts that are externally addressable. (Although if that's the only entry in the ACL it would prevent all other outside-initiated traffic.)
Similar Messages
-
after loading yosemite can't get permissions from any network PC - OK from MACs on network...any advice?
would love to...way over my head so far...upgraded to Yosemite 10.10.2 - I have another MAC (motorola chipset...maybe 10.6?) and 3 PCs on the network...the older MAC linked up through the network just fine...
I can see the Yosemite MAC on the PCs...I can open customer file folders (I am a printer) from the shared drive...I can drag files (let's just call them PDFs, they mostly are) to the MAC customer file...but if I try to open them from the PC I get an error message that says permission denied - or may be in use by another user. There are no other users. After I uploaded to Yosemite, I noticed most if not all drives and or folders had permissions changed to either no access or to read only...I've changed as many as I could find...drives, and folders...I can open those same files if I'm on the yosemite mac...Here's the catch, though...I was on a different floor and that PC can open a PDF on the Yosemite...but the RIP that prints our large format prints now won't print those files (whole RIP locks up) unless they are first dragged to the PC desktop...then all is fine. I thought it was MAC upgrade oriented, but I do have a PC that halfway works...I'm really stymied... -
Hi All,
I have a question around the permit ip any any statement on an inbound ACL when using NAT. Is it safe? If I take the statement out of my list I can't do anything.
Example:
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.192
ip access-group IN_OUT_VLAN10 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
end
ip access-list extended IN_OUT_VLAN10
permit udp any any eq bootpc
permit udp any any eq bootps
deny ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.63
deny ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.63
deny ip 192.168.1.0 0.0.0.63 192.168.1.192 0.0.0.63
permit ip any any
Above list is to block my internal subnets*
interface Dialer1
mtu 1492
ip address negotiated
ip access-group OUTSIDE_INSIDE in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default 100
ip nat outside
ip inspect IN_OUT_CBAC out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no keepalive
ppp authentication chap callin
ppp chap hostname ******
ppp chap password ******
no cdp enable
end
ip access-list extended OUTSIDE_INSIDE
remark OUTSIDE_INSIDE_ALLOW
remark *****
permit tcp host ********* any eq 22 log-input
remark ***********
permit tcp host ************* any eq 22 log-input
remark *********
permit tcp host ************* any eq 22 log-input
remark OUTSIDE_INSIDE_BLOCK
deny icmp any any echo
deny icmp any any echo-reply
deny tcp any any eq 22 log-input
deny udp any any eq 22 log-input
deny tcp any any eq telnet log-input
deny udp any any eq 23 log-input
permit ip any any <<<<< Without this here I have no traffic*
ip nat inside source list VLAN10_OUTSIDE interface Dialer1 overload
ip inspect name IN_OUT_CBAC tcp
ip inspect name IN_OUT_CBAC udp
ip inspect name IN_OUT_CBAC icmp
Above is a basic firewall for outbound connections and returning traffic** (I hope)
My question is do I need to put every single port I want to allow in and out in even though I am using NAT? It will be an insane list especially with gaming as XBOX uses random ports each time. I don't have any static NAT entries so when I do a port scan they are all closed as expected except 22 and 23 which I have closed only to specific hosts. Does IP here mean basically IP as in routing addresses etc (which would make sense) or does it mean the entire TCP/IP suite like TCP and UDP ports etc..
This has confused me so long I thought I would ask.. I see it on a lot of SMB routers with ADSL etc using NAT..
Thank you kindly everyone.
Sorry Colin, here we are
#sh ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name IN_OUT_CBAC
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
Interface Configuration
Interface Dialer1
Inbound inspection rule is not set
Outgoing inspection rule is IN_OUT_CBAC
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
icmp alert is on audit-trail is off timeout 10
Inbound access list is OUTSIDE_INSIDE
Outgoing access list is not set
Established Sessions
Session 29F5EA3C (192.168.1.198:55435)=>(54.194.173.224:5671) tcp SIS_OPEN
Session 29F5282C (192.168.1.14:62790)=>(54.243.233.199:443) tcp SIS_OPEN
Session 29F4FAE4 (192.168.1.14:62795)=>(17.110.224.20:443) tcp SIS_OPEN
Session 29F51914 (192.168.1.13:58339)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F54CD4 (192.168.1.13:58341)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F5E5EC (192.168.1.13:58340)=>(65.20.0.43:993) tcp SIS_OPEN
Session 29F52A54 (192.168.1.13:58314)=>(17.172.239.80:443) tcp SIS_OPEN
Session 29F5C36C (192.168.1.17:49964)=>(157.55.236.97:443) tcp SIS_OPEN
Session 29F4FF34 (192.168.1.14:62797)=>(216.157.12.18:80) tcp SIS_OPEN
Session 29F5DF74 (192.168.1.14:62723)=>(69.171.235.48:443) tcp SIS_OPEN
Session 29F5534C (192.168.1.14:62794)=>(66.117.29.37:443) tcp SIS_OPEN
Session 29F5F2DC (192.168.1.14:62793)=>(81.144.168.143:443) tcp SIS_OPEN
Session 29F52EA4 (192.168.1.18:53043)=>(17.110.226.11:443) tcp SIS_OPEN -
"permit tcp any any established" and IOS Firewall
Guys, I need some clarification here. I have already asked couple TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
ip inspect name IOS_Firewall tcp
ip inspect name IOS_Firewall udp
ip inspect name IOS_Firewall icmp
interface FastEthernet4
ip address dhcp
ip access-group 161 in
ip nat outside
ip inspect IOS_Firewall out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map mymap
access-list 161 permit udp any any eq ntp
access-list 161 permit udp any any eq bootpc
access-list 161 permit tcp any any established
access-list 161 permit icmp any any
access-list 161 permit esp any any
access-list 161 permit gre any any
access-list 161 permit udp any any eq isakmp
access-list 161 permit udp any any eq non500-isakmp
access-list 161 permit udp any eq non500-isakmp any
access-list 161 permit udp any eq isakmp any
access-list 161 permit udp any eq domain any
access-list 161 permit tcp any any eq telnet
access-list 161 permit tcp any any eq 1723
access-list 161 permit tcp any any eq 4500
access-list 161 permit tcp any any eq 5000
access-list 161 permit tcp any any eq 5500
access-list 161 deny ip any any log
My question is, is the statement "access-list 161 permit tcp any any established" required since I already have the IOS Firewall feature turned on?
Thank you
No, you do not need it with CBAC's TCP inspection enabled.
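An added illustration (not code from any of the posts above, and not Cisco's) of the point these threads keep circling back to: a small Python model of first-match extended ACL evaluation with the implicit deny that every applied access-list ends in, a CBAC-style session table that admits return traffic ahead of the inbound ACL, and the `established` keyword from the question just above. It re-creates the OUTSIDE_INSIDE list from the earlier thread with the masked management host replaced by the documentation address 198.51.100.7 (an assumption) and the two ICMP echo entries collapsed into one; every packet is constructed. The same implicit-deny reasoning answers the ASA question at the top of the page: once `access-group` binds an ACL to the inside interface, the security-level default no longer applies, and `permit ip any any` is what restores it.

```python
"""Model of inbound interface ACLs, the implicit deny, CBAC inspection and
`established`. Added illustration, not code from the posts; all packets
and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag
    rst: bool = False       # TCP RST flag


@dataclass(frozen=True)
class ACE:
    """One access-list entry. proto "ip" matches every protocol; dport None
    means any port, like omitting `eq` in IOS."""
    action: str
    proto: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # `established` is a header-flag check: any ACK- or RST-flagged
        # segment matches, whether or not a real session exists.
        if self.established and not (p.ack or p.rst):
            return False
        return True


def evaluate(acl: List[ACE], p: Packet) -> str:
    """First match wins; a packet matching no entry hits the implicit
    `deny ip any any` that every applied ACL ends in."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


class Inspector:
    """CBAC-style inspection: each outbound session opens a hole for its
    exact return flow, consulted before the inbound interface ACL."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, acl: List[ACE], p: Packet) -> str:
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"     # return traffic of an inspected session
        return evaluate(acl, p)


# OUTSIDE_INSIDE from the thread, minus its last line. 198.51.100.7 stands
# in for the masked management host (assumption); ICMP entries collapsed.
OUTSIDE_INSIDE = [
    ACE("permit", "tcp", src="198.51.100.7/32", dport=22),
    ACE("deny", "icmp"),
    ACE("deny", "tcp", dport=22),
    ACE("deny", "udp", dport=22),
    ACE("deny", "tcp", dport=23),
    ACE("deny", "udp", dport=23),
]
FINAL_PERMIT = ACE("permit", "ip")

# Constructed traffic: an inside client's HTTPS request and its reply,
# plus an unsolicited ACK-flagged probe from the Internet.
REQUEST = Packet("tcp", "192.168.1.14", "54.243.233.199", 62790, 443)
REPLY = Packet("tcp", "54.243.233.199", "192.168.1.14", 443, 62790, ack=True)
ACK_PROBE = Packet("tcp", "203.0.113.9", "192.168.1.14", 40000, 445, ack=True)


def reply_without_inspection() -> str:
    """No final permit and no CBAC: the reply hits the implicit deny."""
    return evaluate(OUTSIDE_INSIDE, REPLY)


def reply_with_inspection() -> str:
    """CBAC saw the request, so the reply is admitted although the ACL
    still ends in the implicit deny."""
    insp = Inspector()
    insp.outbound(REQUEST)
    return insp.inbound(OUTSIDE_INSIDE, REPLY)


def probe_with_final_permit() -> str:
    """`permit ip any any` makes the list default-allow: anything not
    explicitly denied above it, including this probe, gets through."""
    return evaluate(OUTSIDE_INSIDE + [FINAL_PERMIT], ACK_PROBE)


def probe_with_established() -> str:
    """`permit tcp any any established` passes the same probe because
    its ACK bit is set; there is no session behind it."""
    return evaluate(OUTSIDE_INSIDE + [ACE("permit", "tcp", established=True)], ACK_PROBE)


def probe_with_inspection() -> str:
    """CBAC has no session for the probe, so it falls through to the ACL
    and is dropped by the implicit deny."""
    insp = Inspector()
    insp.outbound(REQUEST)
    return insp.inbound(OUTSIDE_INSIDE, ACK_PROBE)


if __name__ == "__main__":
    for fn in (reply_without_inspection, reply_with_inspection,
               probe_with_final_permit, probe_with_established,
               probe_with_inspection):
        print(f"{fn.__name__:26s} {fn()}")
```

The model is deliberately minimal (no ICMP types, no NAT), but it shows the trade-off a practitioner cares about: a trailing `permit ip any any` on an outside-facing inbound list admits every unsolicited packet the earlier lines do not name, including traffic to the router's own services, and `permit tcp any any established` admits any ACK-flagged probe. Stateful inspection already lets replies back in without either, which is why the answer to the `established` question is "not needed".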
-
Permit udp any any to allow ping ?!
Dear Community,
I am having problems understanding how ACL works through VPN. I have the following:
HQ is behind ASA 5510, site address is 192.168.1.0 /24
Remote site is behind Cisco 887 router, site addressing is 192.168.10.0 /24
IPSec VPN is set up and working between the two sites.
Now I have applied the following ACL inbound on the public interface of the branch router:
Extended IP access list 102
10 permit tcp any any eq 22 (1321 matches)
This obviously blocks icmp (ping 192.168.1.1 source 192.168.10.1)
But what I am not understanding is that the only command that will allow ICMP is (on the ACL 102):
permit udp any any
substituting udp with icmp or ip does not allow pings
Could you please give me some guidance.
It's not a supported method, but the views you create are stored on the LMS server as xml files (as shown below on soft appliance) in /opt/CSCOpx/campus/etc/users/. The xml files are mostly a listing of the node IDs with their map coordinates.
You could copy them manually into the other users' directories on the server and they should see the same thing you have labored to create for their viewing pleasure.
I have brought this up with Cisco as a nice to have supported feature in the past but it never went anywhere.
[SecLab-LMS/root-ade admin]# pwd
/opt/CSCOpx/campus/etc/users/admin
[SecLab-LMS/root-ade admin]# ls -al
total 28
drwxr-x--- 2 casuser casusers 4096 Dec 16 2012 .
drwxr-x--- 4 casuser casusers 4096 Feb 8 2013 ..
-rw-r----- 1 casuser casusers 7345 Aug 29 13:23 Layer~2~View.xml
-rw-r----- 1 casuser casusers 1807 Nov 8 2012 SwitchCloud-1.xml
-rw-r----- 1 casuser casusers 1540 Feb 27 2013 Unconnected~Device~View.xml
-rw-r----- 1 casuser casusers 351 Sep 25 15:59 user.preferences
[SecLab-LMS/root-ade admin]# -
I have one computer with Windows 7 and an older version of Firefox, not sure exactly which one. I have never had a problem with saving passwords on it. I now have a new computer with Windows 8.1 and the latest version of Firefox, installed 5.29.14, and it is only randomly saving passwords. All the sites I've tried are ones that permit this, and I was able to save them on Explorer. I've checked my settings and save password is enabled--it seems Firefox is being selective about what it will save passwords for. Is this something new or is there a way to change it so it the box will always pop up asking me to if I want to save a password? Thanks for any help!
I appreciate your help but I am not a very expert computer user. I have checked that I am permitting passwords to be saved and it does work on some sites. I don't know how to do the first two things you mentioned
"You can toggle the signon.overrideAutocomplete pref to true on the about:config page.
You can remove autocomplete=off with a bookmarklet to make Firefox store form data like names and passwords. "
I found a bookmarklet on the page above but I don't know how one applies them.
What baffles me is why I've never experienced this issue with Windows 7 and the version of Firefox I am using on it. It works just fine on the Aetna site and all the others I'm having this problem with. Do you think it may be a Windows 8.1 issue? Or something with the new version of Firefox? As I said, I've got Win7 and an older version of Firefox that I use with it. I'm reluctant to update to a newer version of Firefox on my old computer in case that is the problem.
Thanks very much for your help and any other suggestions are very much appreciated. -
Regarding iPhoto '11 9.5 (902.7 build running on an older Intel based MacBook Pro with iPhoto libraries on a USB2 External HD). I am dealing with iPhoto taking too long to download photos. Specifically, I rechecked and repaired HD permissions. I am running the most current software my five year old Intel MacBook Pro can run. What happens is that when I connect an external SD card, or my iPhone, the new version of iPhoto takes up to two full minutes to fully acknowledge the device. Then locate new photos and be ready to download them to my external HD. I am kind of concerned about this. This has never happened before.
I take 20,000 photos a year. I really don't want to lose any. Or is there something I am doing wrong? Or need to be aware of? Any experienced suggestions would be appreciated. Thanks. Have a great day.
PS.... The cameras I use are Canon SX-30, Nikon D3100, and my iPhone 4S. Thanks again for your assistance.
Hello Old Toad.... Those sound like great ideas.
I thought I checked and repaired disk permissions on my main boot HD. That boot disk is Mac OS Extended (Journaled) Capacity 749.3 GB. Available 562.53 GB. BUT.... now that I think of it.... the Seagate external HD with USB2 interface is: Mac OS Extended (Journaled), Capacity 639.79 GB, Available 36.2 GB with my latest iPhoto Library 517.37 GB that was already scanned & updated to be read by the latest iPhoto version.
I'll try your suggestions tonight as far as double checking 'permissions' and setting up a tiny test library.
Or maybe it's time to fill up another External HD?
I appreciate your and anyone else's suggestions to try.
Have a great day. ~~ David in Rochester NY -
Don't have correct permissions to any drive other than the boot drive
I installed SL, and when it came time to enter in the user name, it said the name was already taken xxxx and so I entered yyyy. As an example.
Now User yyyy has Read / Write permissions for everything on Drive 1, the boot drive, but ALL of the other hard drives have xxxx as having Read / Write permissions, and not for my new account yyyy. So everytime I need to write a file to a hard drive, I have to fix permission for the folder the file resides in. This is getting old fast.
How can I change all my drives, folders, files, etc, etc to have yyyy permissions added without doing them 1 at a time?
What kind of backups? Manual ones? Then it's ok to do the following
select a drive and enter command+i. in the resulting popup, unlock the lock at the bottom, change the permissions as you want, then click on the "gears" action button at the bottom and select "apply to enclosed items".
However, let me stress here that you should NEVER EVER use "apply to enclosed items" on ANY system created folders, system drives or TM drives. that includes btw things like your home folder, your desktop folder etc. use it ONLY on folders you made yourself. using it on a system drive will have catastrophic results. using it on any system created folder will likely have highly unpleasant ones because such folders often have invisible ACLs and using this button will propagate them inside. -
Permz - Quickly change file permissions in any file manager
Designed to be integrated into any file manager, permz is a bash script which presents a GUI menu. You can use it to quickly change file permissions and ownership as a normal user or as root, and delete files as root. I wrote this because I have yet to see a file manager that isn't cumbersome for this - the mechanism is usually buried on a second tab of the Properties window, and changing permissions often involves multiple clicks in a grid. To change the owner of a file, you need to type the username. And if the file is owned by root, you can't do anything.
permz --help
Presents a GUI menu for changing file permissions/ownership. May be run
as a normal user or root.
Requires: zenity gksu
Optional: sudo (recommended to prevent multiple root password prompts)
Usage: permz FILE [...]
MENU FUNCTIONS:
rwxrwxrwx Sets file(s) to given permissions
Sticky Clear/Set Performs "chmod -t" or +t to clear or set the sticky
bit. You may select to clear/set sticky in addition
to changing other permissions.
Recursive go-rxw "chmod -R go-rxw" on file(s) recursively, denying
access to non-owners
Recursive go-w "chmod -R go-w" on file(s) recursively, denying write
to non-owners
Recursive ugo+rX "chmod -R ugo+rX" giving read access to all. Also
sets +x for directories and executables.
Recursive ugo+w "chmod -R ugo+w" on file(s), giving write to all
(You may select several compatible recursive functions above at once)
Owner USER As ROOT Sets ownership to USER:USER as root
DELETE As ROOT Deletes file(s) as root. Must be used alone or with
"Perform Recursively" (to delete directories - USE
WITH CAUTION). Not available if permz is run as root.
Perform As ROOT Run as root to change selected permissions.
(Use of root is automatic when changing ownership)
Perform Recursively Adds -R to all chmod, chown, and delete commands to
descend into subdirectories. Use in conjunction with
any other functions. (Recursion is automatic for
"Recursive" functions above)
Current su command is set to: gksu -gS
If you're somewhat familiar with bash, adding additional options or changing the existing ones is straightforward.
I have tested it pretty thoroughly but if you do encounter anything amiss please let me know.
More details at http://igurublog.wordpress.com/downloads/script-permz/
And in the AUR at http://aur.archlinux.org/packages.php?ID=36978
Instructions for integrating permz into PCManFM-Mod are here.
Last edited by IgnorantGuru (2010-05-05 13:53:08)
rransom wrote:Recursive ugo+rX would be more useful than "Recursive ugo+r (dirs +x)". (The +X feature of chmod is available at least in GNU coreutils, FreeBSD, and POSIX 2003.)
Done - thanks for the tip. I also left the old code active in there with just the menu option disabled, so if anyone wants it the other way or wants both it's easy to enable. The difference is that the old way won't make any files +x, just dirs.
permz doesn't provide every possible setting of permissions, just common ones, so you may want to customize it. But I used to have these as user actions when I used Krusader and I found these were the handy ones, at least for me. -
How to give write permissions to any file in mac os x 10.8.3
How can we give write access to a file in mac os x 10.8.3? It is not allowing login as root user either. Can anyone please help me with this? I think the mac os x 10.8.3 security update blocked this root access. We could give permissions to any file up to mac os x 10.8.2. How can we edit any system files?
Download TextWrangler from BareBones' website, not the Mac App Store. It will allow you to edit system files by authenticating. The Mac App store version doesn't have that capability.
You could also edit them in the Terminal with pico, nano, emacs (perhaps more). TextWrangler is much easier to use, though. -
Will repairing Permissions disrupt any currently running services.
I have a server that is set up running DNS, Open Directory, and Software Update services. It is the latest update, 10.5.8. I just wanted to know if anyone knows if running a permissions repair will disrupt any of these services.
Thanks
It won't interrupt these services.
we run permissions repair on live machines all the time.. no problems. -
Mac Pro DVD Drive "Perma Sleep" - Any thoughts?
I have a MacPro with the following DVD drive in it:
PIONEER DVD-RW DVR-111D:
Firmware Revision: AB09
Interconnect: ATAPI
Burn Support: Yes (Apple Shipped/Supported)
Cache: 2000 KB
Reads DVD: Yes
CD-Write: -R, -RW
DVD-Write: -R, -RW, +R, +RW, +R DL
Burn Underrun Protection CD: Yes
Burn Underrun Protection DVD: Yes
Write Strategies: CD-TAO, CD-SAO, CD-Raw, DVD-DAO
Media: No
This morning I was burning a CD-R from iTunes. The burn finished and the system locked up with the "curtain of death".
Upon reboot I found that the DVD drive will spin at boot up, will eject from the keyboard, but it does not respond to any disc inserted in it. When inserting a disc, there is no spin up, no response from the system. I have inserted:
- Blank CD-R
- Blank DVD-R
- Recorded CD-R
- Purchased (factory made) CDs and DVDs
none of which respond. In response I have attempted:
- Resetting the machine, left it un- plugged for several hours, still not working
- Resetting the PRAM by booting with CMD-OPT-P-R
- Facing towards Cupertino and offering a bowl of corn flakes as snackrafice
None of which worked. Any thoughts, or is it take it to be repaired time?
Thanks
Bruce
Sounds like it is toast. You can get an immediate replacement at the Apple store. DIY replacement is very easy. OWC has a video on how. You can also find a replacement at a greatly reduced price from Newegg or OWC, but the immediate gratification will be missing during shipping. If it's under warranty, the Apple store should give you a new one, or I think they should and not have you wait for one to be shipped or require you to bring in your MP. These things are heavy!
Michael -
I only create Read Only folders can't set permissions for any file but mine
My issue is I have 25 users and an X-Serve and it seems like all the users
do not have the same permissions. More specifically if a user creates a
folder on the server only that user can access it. This is the same if the
user creates the folder on there desktop and then copies the files to the
server. But if they copy a "read only" folder or file (this happens more
with files) to there desktop and then they open the file save it and place
it back on the server there is no problem.
I also, have a user that whenever she creates a folder it automatically
set's itself to read only. No matter whether she copies from her desktop to
the server or visa versa. Every folder she creates is protected this way
here settings are all the same as everyone else. So I'm not sure if she is
unique or if the settings for my users are incorrect.
I did not set up the server or the user's so I'm really trying to catch up
quick. We are really suffering in that it totally slow's things down almost
to a crawl in some cases. I really hope you can help me out with this I've
attached some screen shot's and the X-Serve system profiler for background.
--I suggest posting to the Xserve forum http://discussions.apple.com/forum.jspa?forumID=854
-
For example, I'm trying to move a group of jpgs from one folder to another and it throws an 8058 error every time. PSDs won't open from the Finder; it throws an application not found error even though I can open the same files from within the application.
Yep, same here. Cannot drag and drop copy with Mavericks. A copy paste throws a 8058 error.
-
Allow traffic inside to outside
Hi
One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020
How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
Host IP on inside network - 172.16.30.15
Application to access - 74.219.x.x
Inside ACL name - inside-acl
cheers
Paul
I would apply this to the inside interface. Now, I have no idea what specific entries you have on
your inside access list, so I'll write it, as if it's a brand new configuration.
object-group service Ports tcp
 port-object eq www
 port-object eq https
 port-object range 5000 50020
access-list inside_access_in extended permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 object-group Ports
access-list inside_access_in extended deny ip host 172.16.30.15 any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
This will allow host 172.16.30.15 tcp access to 74.219.x.x on the specific ports, then all other IP traffic
will be denied via the next line. Then you will have a permit ip any any at the end. That way everything else
is wide open outbound.