Purpose of inside_access_in permit ip any any

Similar Messages

• After loading yosemite can't get permissions from any network PC - OK from MACs on network...any advice?

  after loading yosemite can't get permissions from any network PC - OK from MACs on network...any advice?

  would love to...way over my head so far...upgraded to Yosemite 10.10.2 - I have another MAC (motorola chipset...maybe 10.6?) and 3 PCs on the network...the older MAC linked up through the network just fine...
  I can see the Yosemite MAC on the PCs...I can open customer file folders (I am a printer) from the shared drive...I can drag files (let's just call them PDFs, they mostly are) to the MAC customer file...but if I try to open them from the PC I get an error message that says permission denied - or may be in use by another user. There are no other users. After I uploaded to Yosemite, I noticed most if not all drives and or folders had permissions changed to either no access or to read only...I've changed as many as I could find...drives, and folders...I can open those same files if I'm on the yosemite mac...Here's the catch, though...I was on a different floor and that PC can open a PDF on the Yosemite...but the RIP that prints our large format prints now won't print those files (whole RIP locks up) unless they are first dragged to the PC desktop...then all is fine. I thought it was MAC upgrade oriented, but I do have a PC that halfway works...I'm really stymied...

• Permit ip any any

  Hi All,
  I have a question around the permit ip any any statement on an inbound ACL when using NAT. Is it safe? If I take the statement out of my list I can't do anything.
  Example:
  interface GigabitEthernet0/0.10
   encapsulation dot1Q 10
   ip address 192.168.1.1 255.255.255.192
   ip access-group IN_OUT_VLAN10 in
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip nat inside
   ip virtual-reassembly in
  end
  ip access-list extended IN_OUT_VLAN10
   permit udp any any eq bootpc
   permit udp any any eq bootps
   deny   ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.63
   deny   ip 192.168.1.0 0.0.0.63 192.168.1.128 0.0.0.63
   deny   ip 192.168.1.0 0.0.0.63 192.168.1.192 0.0.0.63
   permit ip any any
  Above list is to block my internal subnets*
  interface Dialer1
    mtu 1492
   ip address negotiated
   ip access-group OUTSIDE_INSIDE in
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip verify unicast source reachable-via rx allow-default 100
   ip nat outside
   ip inspect IN_OUT_CBAC out
   ip virtual-reassembly in
   encapsulation ppp
   ip tcp adjust-mss 1452
   dialer pool 1
   dialer-group 1
   no keepalive
   ppp authentication chap callin
   ppp chap hostname ******
   ppp chap password ******
   no cdp enable
  end
  ip access-list extended OUTSIDE_INSIDE
   remark OUTSIDE_INSIDE_ALLOW
   remark *****
   permit tcp host ********* any eq 22 log-input
   remark ***********
   permit tcp host ************* any eq 22 log-input
   remark *********
   permit tcp host ************* any eq 22 log-input
   remark OUTSIDE_INSIDE_BLOCK
   deny   icmp any any echo
   deny   icmp any any echo-reply
   deny   tcp any any eq 22 log-input
   deny   udp any any eq 22 log-input
   deny   tcp any any eq telnet log-input
   deny   udp any any eq 23 log-input
   permit ip any any <<<<< Without this here I have no traffic*
  ip nat inside source list VLAN10_OUTSIDE interface Dialer1 overload
  ip inspect name IN_OUT_CBAC tcp
  ip inspect name IN_OUT_CBAC udp
  ip inspect name IN_OUT_CBAC icmp
  Above is a basic firewall for outbound connections and returning traffic** (I hope)
  My question is do I need to put every single port I want to allow in and out in even though I am using NAT? It will be an insane list especially with gaming as XBOX uses random ports each time. I don't have any static NAT entries so when I do a port scan they are all closed as expected except 22 and 23 which I have closed only to specific hosts. Does IP here mean basically IP as in routing addresses etc (which would make sense) or does it mean the entire TCP/IP suite like TCP and UDP ports etc..
  This has confused me so long I thought I would ask.. I see it on a lot of SMB routers with ADSL etc using NAT..
  Thank you kindly everyone.

  Sorry Colin, here we are
  #sh ip inspect all
  Session audit trail is disabled
  Session alert is enabled
  one-minute (sampling period) thresholds are [unlimited : unlimited] connections
  max-incomplete sessions thresholds are [unlimited : unlimited]
  max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
  tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
  tcp idle-time is 3600 sec -- udp idle-time is 30 sec
  tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
  dns-timeout is 5 sec
  Inspection Rule Configuration
   Inspection name IN_OUT_CBAC
      tcp alert is on audit-trail is off timeout 3600
      udp alert is on audit-trail is off timeout 30
      icmp alert is on audit-trail is off timeout 10
  Interface Configuration
   Interface Dialer1
    Inbound inspection rule is not set
    Outgoing inspection rule is IN_OUT_CBAC
      tcp alert is on audit-trail is off timeout 3600
      udp alert is on audit-trail is off timeout 30
      icmp alert is on audit-trail is off timeout 10
    Inbound access list is OUTSIDE_INSIDE
    Outgoing access list is not set
  Established Sessions
   Session 29F5EA3C (192.168.1.198:55435)=>(54.194.173.224:5671) tcp SIS_OPEN
   Session 29F5282C (192.168.1.14:62790)=>(54.243.233.199:443) tcp SIS_OPEN
   Session 29F4FAE4 (192.168.1.14:62795)=>(17.110.224.20:443) tcp SIS_OPEN
   Session 29F51914 (192.168.1.13:58339)=>(65.20.0.43:993) tcp SIS_OPEN
   Session 29F54CD4 (192.168.1.13:58341)=>(65.20.0.43:993) tcp SIS_OPEN
   Session 29F5E5EC (192.168.1.13:58340)=>(65.20.0.43:993) tcp SIS_OPEN
   Session 29F52A54 (192.168.1.13:58314)=>(17.172.239.80:443) tcp SIS_OPEN
   Session 29F5C36C (192.168.1.17:49964)=>(157.55.236.97:443) tcp SIS_OPEN
   Session 29F4FF34 (192.168.1.14:62797)=>(216.157.12.18:80) tcp SIS_OPEN
   Session 29F5DF74 (192.168.1.14:62723)=>(69.171.235.48:443) tcp SIS_OPEN
   Session 29F5534C (192.168.1.14:62794)=>(66.117.29.37:443) tcp SIS_OPEN
   Session 29F5F2DC (192.168.1.14:62793)=>(81.144.168.143:443) tcp SIS_OPEN
   Session 29F52EA4 (192.168.1.18:53043)=>(17.110.226.11:443) tcp SIS_OPEN

• "permit tcp any any established" and IOS Firewall

  Guys, I need some clarification here. I have already asked couple TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
  I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
  ip inspect name IOS_Firewall tcp
  ip inspect name IOS_Firewall udp
  ip inspect name IOS_Firewall icmp
  interface FastEthernet4
  ip address dhcp
  ip access-group 161 in
  ip nat outside
  ip inspect IOS_Firewall out
  ip virtual-reassembly
  duplex auto
  speed auto
  no cdp enable
  crypto map mymap
  access-list 161 permit udp any any eq ntp
  access-list 161 permit udp any any eq bootpc
  access-list 161 permit tcp any any established
  access-list 161 permit icmp any any
  access-list 161 permit esp any any
  access-list 161 permit gre any any
  access-list 161 permit udp any any eq isakmp
  access-list 161 permit udp any any eq non500-isakmp
  access-list 161 permit udp any eq non500-isakmp any
  access-list 161 permit udp any eq isakmp any
  access-list 161 permit udp any eq domain any
  access-list 161 permit tcp any any eq telnet
  access-list 161 permit tcp any any eq 1723
  access-list 161 permit tcp any any eq 4500
  access-list 161 permit tcp any any eq 5000
  access-list 161 permit tcp any any eq 5500
  access-list 161 deny   ip any any log
  My question is, is the statement "access-list 161 permit tcp any any established"  required since I already have the IOS Firewall feature turned on?
  Thank you

  No you do not need it with CBAC's TCP inspection enabled.

• Permit udp any any to allow ping ?!

  Dear Community,
  I am having problems understanding how ACL works through VPN. I have the following:
  HQ is behind ASA 5510, site address is 192.168.1.0 /24
  Remote site is behind Cisco 887 router, site addressing is 192.168.10.0 /24
  IPSec VPN is set up and working between the two sites.
  Now I have applied the following ACL inside int the public interface of the branch router:
  Extended IP access list 102
      10 permit tcp any any eq 22 (1321 matches)
  This obviously blocks icmp (ping 192.168.1.1 source 192.168.10.1)
  But what I am not understanding is that the only command that will allow ICMP is (on the ACL 102):
  permit udp any any
  substituting udp with icmp or ip does not allow pings
  Could you please give me some guidance.

  It's not a supported method, but the views you create are stored on the LMS server as xml files (as shown below on soft appliance) in /opt/CSCOpx/campus/etc/users/. The xml files are mostly a listing of the node IDs with their map coordinates.
  You could copy them manually into the other users' directories on the server and they should see the same thing you have labored to create for their viewing pleasure.
  I have brought this up with Cisco as a nice to have supported feature in the past but it never went anywhere.
  [SecLab-LMS/root-ade admin]# pwd
  /opt/CSCOpx/campus/etc/users/admin
  [SecLab-LMS/root-ade admin]# ls -al
  total 28
  drwxr-x--- 2 casuser casusers 4096 Dec 16  2012 .
  drwxr-x--- 4 casuser casusers 4096 Feb  8  2013 ..
  -rw-r----- 1 casuser casusers 7345 Aug 29 13:23 Layer~2~View.xml
  -rw-r----- 1 casuser casusers 1807 Nov  8  2012 SwitchCloud-1.xml
  -rw-r----- 1 casuser casusers 1540 Feb 27  2013 Unconnected~Device~View.xml
  -rw-r----- 1 casuser casusers  351 Sep 25 15:59 user.preferences
  [SecLab-LMS/root-ade admin]#

• Have Windows 8.1 and have tried all fixes suggested on her but still can't get it to ask if I want passwords saved. These are sites that do permit it.Any ideas?

  I have one computer with Windows 7 and an older version of Firefox, not sure exactly which one. I have never had a problem with saving passwords on it. I now have a new computer with Windows 8.1 and the latest version of Firefox, installed 5.29.14, and it is only randomly saving passwords. All the sites I've tried are ones that permit this, and I was able to save them on Explorer. I've checked my settings and save password is enabled--it seems Firefox is being selective about what it will save passwords for. Is this something new or is there a way to change it so it the box will always pop up asking me to if I want to save a password? Thanks for any help!

  I appreciate your help but I am not a very expert computer user. I have checked that I am permitting passwords to be saved and it does work on some sites. I don't know how to do the first two things you mentioned
  "You can toggle the signon.overrideAutocomplete pref to true on the about:config page.
  You can remove autocomplete=off with a bookmarklet to make Firefox store form data like names and passwords. "
  I found a bookmarklet on the page above but I don't know how one applies them.
  What baffles me is why I've never experienced this issue with Windows 7 and the version of Firefox I am using on it. It works just fine on the Aetna site and all the others I'm having this problem wit Do you think it may be a Windows 8.1 issue? Or something with the new version of Firefox? As I said, I've got Win7 and an older version of Firefox that I use with it. I'm reluctant to update to a newer version of Firefox on my old computer in case that is the problem.
  Thanks very much for your help and any other suggestions are very much appreciated.

• HT4736 Taking too long (2 minutes) to locate and download photos into Photo '11 9.5 (902.7 build running on an older Intel based MacBook Pro with iPhoto libraries on a USB2 External HD).  I checked and repaired HD permissions. Any ideas?

  Regarding iPhoto '11 9.5 (902.7 build running on an older Intel based MacBook Pro with iPhoto libraries on a USB2 External HD).  I am dealing with iPhoto taking too long to download photos.  Specifically, I rechecked and repaired HD permissions. I am running the most current software my five year old Intel MacBook Pro can run.   What happens is that when I connect an external SD card, or my iPhone, the new version of iPhoto takes up to two full minutes to fully acknowledge the device. Then locate new photos and be ready to download them to my external HD.  I am kind of concerned about this.  This has never happened before. 
  I take 20,000 photos a year.  I really don't want to lose any.  Or is there something I am doing wrong?  Or need to be aware of?  Any experienced suggestions would be appreciated.  Thanks.  Have a great day.
  PS.... The cameras I use are Canon SX-30, Nikon D3100, and my iPhone 4S.  Thanks again for your assistance.

  Hello Old Toad.... Those sound like great ideas. 
  I thought I checked and repaired disk permissions on my main boot HD.  That boot disk is Mac OS Extended (Journaled)  Capacity 749.3 GB.  Available 562.53 GB.   BUT.... now that I think of it.... the Seagate external HD with USB2 interface is: Mac OS Extended (Journaled), Capacity 639.79 GB, Available 36.2 GB with my latest iPhoto Library 517.37 GB that was already scanned & updated to be read by the latest iPhoto version. 
  I'll try your suggestions tonight as far as double checking 'permissions' and setting up a tiny test library.
  Or maybe it's time to fill up another External HD?
  I appreciate your and anyone else's suggestions to try.
  Have a great day. ~~ David in Rochester NY

• Don't have correct permissions to any drive other than the boot drive

  I installed SL, and when it came time to enter in the user name, it said the name was already taken xxxx and so I entered yyyy. As an example.
  Now User yyyy has Read / Write permissions for everything on Drive 1, the boot drive, but ALL of the other hard drives have xxxx as having Read / Write permissions, and not for my new account yyyy. So everytime I need to write a file to a hard drive, I have to fix permission for the folder the file resides in. This is getting old fast.
  How can I change all my drives, folders, files, etc, etc to have yyyy permissions added without doing them 1 at a time?

  what kind of backups? manual ones? then it's ok to do the following
  select a drive and enter command+i. in the resulting popup, unlock the lock at the bottom, change the permissions as you want, then click on the "gears" action button at the bottom and select "apply to enclosed items".
  However, let me stress here that you should NEVER EVER use "apply to enclosed items" on ANY system created folders, system drives or TM drives. that includes btw things like your home folder, your desktop folder etc. use it ONLY on folders you made yourself. using it on a system drive will have catastrophic results. using it on any system created folder will likely have highly unpleasant ones because such folders often have invisible ACLs and using this button will propagate them inside.

• Permz - Quickly change file permissions in any file manager

  Designed to be integrated into any file manager, permz is a bash script which presents a GUI menu.  You can use it to quickly change file permissions and ownership as a normal user or as root, and delete files as root.  I wrote this because I have yet to see a file manager that isn't cumbersome for this - the mechanism is usually buried on a second tab of the Properties window, and changing permissions often involves multiple clicks in a grid. To change the owner of a file, you need to type the username. And if the file is owned by root, you can't do anything.
  permz --help
  Presents a GUI menu for changing file permissions/ownership. May be run
  as a normal user or root.
  Requires: zenity gksu
  Optional: sudo (recommended to prevent multiple root password prompts)
  Usage: permz FILE [...]
  MENU FUNCTIONS:
  rwxrwxrwx Sets file(s) to given permissions
  Sticky Clear/Set Performs "chmod -t" or +t to clear or set the sticky
  bit. You may select to clear/set sticky in addition
  to changing other permissions.
  Recursive go-rxw "chmod -R go-rxw" on file(s) recursively, denying
  access to non-owners
  Recursive go-w "chmod -R go-w" on file(s) recursively, denying write
  to non-owners
  Recursive ugo+rX "chmod -R ugo+rX" giving read access to all. Also
  sets +x for directories and executables.
  Recursive ugo+w "chmod -R ugo+w" on file(s), giving write to all
  (You may select several compatible recursive functions above at once)
  Owner USER As ROOT Sets ownership to USER:USER as root
  DELETE As ROOT Deletes file(s) as root. Must be used alone or with
  "Perform Recursively" (to delete directories - USE
  WITH CAUTION). Not available if permz is run as root.
  Perform As ROOT Run as root to change selected permissions.
  (Use of root is automatic when changing ownership)
  Perform Recursively Adds -R to all chmod, chown, and delete commands to
  descend into subdirectories. Use in conjunction with
  any other functions. (Recursion is automatic for
  "Recursive" functions above)
  Current su command is set to: gksu -gS
  If you're somewhat familiar with bash, adding additional options or changing the existing ones is straightforward.
  I have tested it pretty thoroughly but if you do encounter anything amiss please let me know.
  More details at http://igurublog.wordpress.com/downloads/script-permz/
  And in the AUR at http://aur.archlinux.org/packages.php?ID=36978
  Instructions for integrating permz into PCManFM-Mod are here.
  Last edited by IgnorantGuru (2010-05-05 13:53:08)

  rransom wrote:Recursive ugo+rX would be more useful than "Recursive ugo+r (dirs +x)".  (The +X feature of chmod is available at least in GNU coreutils, FreeBSD, and POSIX 2003.)
  Done - thanks for the tip.  I also left the old code active in there with just the menu option disabled, so if anyone wants it the other way or wants both it's easy to enable.  The difference is that the old way won't make any files +x, just dirs.
  permz doesn't provide every possible setting of permissions, just common ones, so you may want to customize it.  But I used to have these as user actions when I used Krusader and I found these were the handy ones, at least for me.

• How to give write permissions to any file in mac os x 10.8.3

  How can we give write access to the file in mac os x 10.8.3.It is not allowing to login as root user also.Can any one please help me in this.I think in mac os x 10.8.3 security update only bloocked this root access.We can give permissions to anyfile upto mac os x 10.8.2.How can we edit any system files?

  Download TextWrangler from BareBones' website, not the Mac App Store. It will allow you to edit system files by authenticating. The Mac App store version doesn't have that capability.
  You could also edit them in the Terminal with pico, nano, emacs (perhaps more). TextWrangler is much easier to use, though.

• Will repairing Permissions disrupt any currently running services.

  I have a server that is set up running DNS, Open Directory, and Software Update services. It is the latest update, 10.5.8. I just wanted to know if anyone knows if running a permissions repair will disrupt any of these services.
  Thanks

  it won't interrupt these services
  we run permissions repair on live machines all the time.. no problems.

• Mac Pro DVD Drive "Perma Sleep" - Any thoughts?

  I have a MacPro with the following DVD drive in it:
  PIONEER DVD-RW DVR-111D:
  Firmware Revision: AB09
  Interconnect: ATAPI
  Burn Support: Yes (Apple Shipped/Supported)
  Cache: 2000 KB
  Reads DVD: Yes
  CD-Write: -R, -RW
  DVD-Write: -R, -RW, +R, +RW, +R DL
  Burn Underrun Protection CD: Yes
  Burn Underrun Protection DVD: Yes
  Write Strategies: CD-TAO, CD-SAO, CD-Raw, DVD-DAO
  Media: No
  This morning I was burning a CD-R from iTunes. The burn finished and the system locked up with the "curtain of death".
  Upon reboot I found that the DVD drive will spin at boot up, will eject from the keyboard, but it does not respond to any disc inserted in it. When inserting a disc, there is no spin up, no response from the system. I have inserted:
  - Blank CD-R
  - Blank DVD-R
  - Recorded CD-R
  - Purchased (factory made) CDs and DVDs
  none of which respond. In response I have attempted:
  - Resetting the machine, left it un- plugged for several hours, still not working
  - Resetting the PRAM by booting with CMD-OPT-P-R
  - Facing towards Cupertino and offering a bowl of corn flakes as snackrafice
  None of which worked. Any thoughts, or is it take it to be repaired time?
  Thanks
  Bruce

  Sounds like it is toast. You can get an immediate replacement at the Apple store. DIY replacement is very easy. OWC has a video on how. You can also find a replacement at a greatly reduced price from Newegg or OWC, but the immediate gratification will be missing during shipping. If it's under warranty, the Apple store should give you a new one, or I think they should and not have you wait for one to be shipped or require you to bring in your MP. Thes things are heavy!
  Michael

• I only create Read Only folders can't set permissions for any file but mine

  My issue is I have 25 users and an X-Serve and it seems like all the users
  do not have the same permissions. More specifically if a user creates a
  folder on the server only that user can access it. This is the same if the
  user creates the folder on there desktop and then copies the files to the
  server. But if they copy a "read only" folder or file (this happens more
  with files) to there desktop and then they open the file save it and place
  it back on the server there is no problem.
  I also, have a user that whenever she creates a folder it automatically
  set's itself to read only. No matter whether she copies from her desktop to
  the server or visa versa. Every folder she creates is protected this way
  here settings are all the same as everyone else. So I'm not sure if she is
  unique or if the settings for my users are incorrect.
  I did not set up the server or the user's so I'm really trying to catch up
  quick. We are really suffering in that it totally slow's things down almost
  to a crawl in some cases. I really hope you can help me out with this I've
  attached some screen shot's and the X-Serve system profiler for background.
  --

  I suggest posting to the Xerve forum http://discussions.apple.com/forum.jspa?forumID=854

• Upgraded to Mavericks and now I can't compress files, move files, preview files or open files outside of their native application. Ran disk utilities multiple times and checked file and folder permissions. Any ideas?

  For example, I'm trying ot move a group of jpgs from one folder ot another and it throws an 8058 error every time. PSD's won't open fromt he finder, it throws an application not found error even though I can open the same files from within the application.

  Yep, same here. Cannot drag and drop copy with Mavericks. A copy paste throws a 8058 error.

• Allow traffic inside to outside

  Hi
  One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020
  How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.
  Host IP on inside network  - 172.16.30.15
  Application to access - 74.219.x.x
  Inside ACL name - inside-acl
  cheers
  Paul

  I would apply this to the inside interface. Now, I have no idea what specific entries you have on
  your inside access list, so I'll write it, as if it's a brand new configuration.
  access-list inside_access_in permit tcp host 172.16.30.15 74.219.0.0 255.255.0.0 obect-group service Ports
  access-list inside_access_in deny ip host 172.16.30.15 any
  access-list inside_access_in permit ip any any
  access-group inside_access_in in interface inside
  This will allow host 172.16.30.15 tcp access to 74.219.x.x on the specific ports, then all other IP traffic
  will be denied via the next line. Then you will have a permit ip any any at the end. That way everything else
  is wide open outbound.