Reflective access-list in a WS-C3560G-24TS
I have a reflective access-list in a switch that doesn't seem to work. What I want is to allow our campus traffic (141.225.0.0/16) to flow freely, block outside traffic coming in except for certain users, and allow the inside network (141.225.216.0/24) to go outside without any problems. The problem is that inside users cannot go outside except to our campus network.
Hello Guys,
Never say reboot the router after configuring something in Cisco. This is not a Microsoft system or a trial and error system!
As for the problem, I really didn't get what you want exactly. However, you should apply the inbound access list (traffic from inside to outside) on the in direction of the VLAN1 interface, because your users' gateway is the VLAN interface and it is preferred to block traffic closest to the source.
As for the outside to inside traffic, it has to be applied on the in direction of the outside interface.
Let me know if this helps and rate please,
Thanks,
Similar Messages
-
Packets not hitting the route-map's NAT access-list
Hi Everyone,
I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list that is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
interface GigabitEthernet0/1.102
description "xxx"
encapsulation dot1Q 102
ip address 10.300.301.1 255.255.255.0
ip access-group xxx_ACL in
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool ???_POOL ??
ip nat pool xxx_POOL ??
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip nat inside source route-map xxx pool xxx_POOL overload
ip nat inside source route-map ??? pool ???_POOL overload
ip access-list extended xxx-VPN
remark VPN to xxx
permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
ip access-list extended xxx_ACL
deny ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
permit ip any any
ip access-list extended xxx_NAT
deny ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
deny ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
permit ip 10.300.301.0 0.0.0.255 any
route-map ??? permit 10
match ip address ???_NAT
route-map xxx permit 10
match ip address xxx_NAT
route-map ??? permit 10
match ip address NAT_???
route-map ??? permit 10
match ip address ???_NAT
control-plane
banner motd ^C
As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc.?) it is hard to help.
So just a guess:
The "ip nat inside source route-map" statements are processed in lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation, which you should see with "show ip nat translation".
HTH, Karsten -
Questions on Reflexive Access Lists
Hi Sir,
I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
The config on the core router is as follows:
int Vlan10
description *** Server Farm ***
ip address 172.16.10.1 255.255.255.0
ip access-group inboundfilters in
ip access-group outboundfilters out
int Vlan20
description *** Marketing Department ***
ip address 172.16.20.1 255.255.255.0
int Vlan30
description *** Engineering Department ***
ip address 172.16.30.1 255.255.255.0
ip access-list extended outboundfilters
permit tcp any any eq telnet
permit tcp any any eq smtp
evaluate iptraffic
ip access-list extended inboundfilters
permit ip any any reflect iptraffic
My questions:
(1) I have yet to test the above config on an actual router. However, is it correct theoretically?
(2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
(3) If you have other better feature options that meet my requirements, please do recommend.
Please advise.
Thank you.
B.Rgds,
Lim TS
Hi Lim,
CBAC is good as well, considering the following features:
1. Traffic Filtering:
- filters TCP and UDP packets based on application-layer protocol session information.
- permit specified TCP and UDP traffic through a firewall when the connection is initiated from inside protected network, or outside network.
2. Traffic Inspection
- discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
- Protect against DoS attack by checking/verifying sequence no (must be within the expected range) and discard unknown packets. Same goes to attack via fragmented IP.
3. Alerts and Audit Trails
- can send real-time alerts and audit trails to syslog server (or buffer log)
4. Intrusion Detection
- Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.
Limitations:
1. Only protects the protocols you specify. The rest will depend on the ACL you have in the router, but not up to the session layer.
2. No protection for attacks originating from the internal network, unless you have firewall (PIX/ASA/IOS-firewall) protection.
3. Only protects certain types of well-known attacks - based on the 59 embedded IDS signatures.
For spoofing protection, i.e. a spoof attack from the outside/common user segment, maybe you should apply RFC2827 (prevent IPs on the protected segment from coming back into that segment from outside). Make sure your ACL has the 'establish' keyword as well. As recommended by Cisco, you should apply multiple layers of security protection both on your router and other devices connected to it.
Cheers! -
Hi All,
I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
Is it matching the egress interface or what?
Use the interface name rather than IP address to match traffic based on which interface is the source or destination of the traffic. You must specify the interface keyword instead of specifying the actual IP address in the ACL when the traffic source is a device interface. For example, you can use this option to block certain remote IP addresses from initiating a VPN session to the ASA by blocking ISAKMP. Any traffic originated from or destined to the ASA, itself, requires that you use the access-group command with the control-plane keyword. -
Vpn site to site and remote access , access lists
Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?
If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.
-
Hello Everyone,
I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
Can we create such an Access-List with the above requirement?
I tried to create the ACL on the switch but it blocks the whole internet access.
I want to do it for a subnet, not for a specific IP.
Can someone help me in creating such an access list?
Thanks in Advance
The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
You would then use them as follows:
ip access-list extended main_acl
permit ip object-group intranet any
permit ip object-group allowed_servers object-group allowed_sites
interface vlan
ip access-group main_acl in
More details on the syntax and examples can be found here:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66 -
I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choose network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi nic bad in this thing with the new Apple firmware update? Any fix?
Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.
-
I can no longer access listing variations in Ebay after the upgrade
After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.
Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.
-
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do, through a policy-map TK-MPLS_TG, is shape the output of the interface to 2G:
interface TenGigE0/3/0/0
cdp
mtu 1568
service-policy output TK-MPLS_TG
ipv4 address 172.16.19.134 255.255.255.252
mpls
mtu 1568
policy-map TK-MPLS_TG
class class-default
service-policy TK-MPLS_EDGE-WAN
shape average 2000000000 bps
bandwidth 2000000 kbps
and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us to assign bandwidth percent to 5 class-maps, which in turn match the experimental values classified when they got in to the router:
class-map match-any W_RTP
match mpls experimental topmost 5
match dscp ef
end-class-map
class-map match-any W_EMAIL
match mpls experimental topmost 1
match dscp cs1
end-class-map
class-map match-any W_VIDEO
match mpls experimental topmost 4 3
match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
match mpls experimental topmost 2
match dscp cs2
end-class-map
class-map match-any W_AVAIL
match mpls experimental topmost 0
match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
bandwidth percent 2
class class-default
end-policy-map
what we want to do is to assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
class C_PXY-GIT-MEX3
police rate 300 mbps
class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
match access-group ipv4 PROXY-GIT-MEX
end-class-map
we assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
policy-map TK-MPLS_EDGE-WAN
class W_RTP
bandwidth percent 5
class W_VIDEO
bandwidth percent 5
class W_DATOS-CR
bandwidth percent 30
class W_EMAIL
bandwidth percent 15
class W_AVAIL
service-policy EDGE-MEX3-PXY
class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct; due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
even though the permit and deny may be overlapping in terms of match.
only the first class is matched here, DENY-ME.
cheers!
xander -
Hello,
There has been an access list in place where I work since well before I arrived and it doesn't quite work. I've done some research on ACLs and modified it so that it works better than it did before; however, it still doesn't do what it was designed to do - block or "quarantine" devices so they are forced to update their systems with patches. It is also used to help in the baselining of PCs.
The access list works for the blocking portion, but it doesn't quite work for the baselining portion, meaning it currently succeeds in forcing the pcs to go to our server and get the latest patches but as a part of the baselining process, all machines have a policy that is pushed to them that maps a share drive. This is where the problem is - with the existing ACL, they can ping and see the share drive but they cannot access it. I've tried changing the permit ip statement to permit tcp but that just hoses the pc up and they get a "general failure" when trying to ping the share drive.
Here is access list:
ip access-list extended Quarantine_IN_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any eq 3389 any
permit ip any host x.x.x.x (baseline server)
permit ip any host x.x.x.x (share drive)
permit ip any host x.x.x.x (domain controller)
permit ip any host x.x.x.x (domain controller)
ip access-list extended Quarantine_Out_L1
permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq 3389
permit ip host (baseline server) any
permit ip host (share drive) any
permit ip host (domain controller) any
permit ip host (domain controller) any
As I said, I tried changing the permit ip host (baseline server) any and ip any host (baseline server) to permit tcp statements. That didn't work; then I modified it so there were both permit tcp and permit ip (baseline server) statements. That also didn't work.
Any help would be greatly appreciated as I've been working on this issue for almost a week now with nothing to show but bald spots where I've pulled my hair out!
Thanks,
Kiley
Paul,
When I remove the ACL, they can access the share drive so I figured it was something I've done wrong with the ACL. I'm not able to provide a topology diagram of the network unfortunately, but we do have a server subnet, user subnet - typical of a medium sized company, I would assume. The ACL is applied to the L3 interface for baselining:
int vlan 500
description BASELINE VLAN
ip address x.x.x.x x.x.x.x
ip access-group Quarantine_IN_L1 in
ip access-group Quarantine_Out_L1 out
ip helper-address x.x.x.x
no ip redirects
no ip unreachables
no ip proxy-arp
Thanks,
Kiley -
Static nat with port redirection 8.3 access-list using un-nat port?
I am having difficulty following the logic of the port-translation and hoping someone can shed some light on it. Here is the configuration on a 5505 with 8.3
object network obj-10.1.1.5-06
nat (inside,outside) static interface service tcp 3389 3398
object network obj-10.1.1.5-06
host 10.1.1.5
access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)
access-group outside_access_in in interface outside
So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully. What gives?
Thanks in advance..
Hello,
I would be more than glad to explain to you what is going on!
The thing is, since 8.3 NAT is reviewed before the ACL, so the ASA receives the packet on the outside interface, checks for an existing connection, and if there is none it will un-NAT the packet and then check the ACL.
After the packet is un-NATted what we have is the private IP addresses and the real ports, so that is why on these versions you have to point the ACL to the private IP addresses and ports.
Regards,
Julio
Rate helpful posts -
Acl-name in access-list requirements
Hi,
I would ask about the acl-name in access-list,
Does it act as a link between the ACL and an interface?
or it could be written as any-thing, without any constrains?
such as
access-list test_ACL extended permit tcp host 10.105.10.22 host 10.140.180.35 eq ssh
is it OK?
or should test_ACL be defined somewhere prior to using it in the ACL?
Just because the ACL is not defined in an access-group doesn't mean it is not in use. There are several other areas that use ACLs. Class-maps are another common place where ACLs are used to match on traffic that will be used in a policy-map. Another common use for ACLs is to define interesting traffic, or traffic that is to be encrypted, over a site to site VPN.
But for this specific ACL that you mention, the question you need to answer is: does the ACL define IPs that are assigned within your network, and do you have any applications that require the tcp timeout to be adjusted? If the answer is no to either of these then it is safe to assume you can remove the class-map test_ACL and the class test_ACL under the policy-map configuration.
Whether the ACL itself can be removed, I would assume it is safe to remove as it is called test_ACL, but then again, I have seen people set up test configurations and then leave them as is without changing the name. So I would suggest investigating further to see if the name test_ACL is referenced in any other places in your configuration.
Please remember to select a correct answer and rate helpful posts -
Access-List Process - Urgent Help
Dear All,
My question here in this forum , in the Process of :-
1- Which Interface should I apply this Access-list ?
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
Now, My question is here :-
Was I correct in choosing the Interface that I will apply this Access-list or not ?
Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
1. Fast Ethernet 0 / 0 :-
Description : connected to My Network as MY LAN .
IP Address of this Interface : 192.168.1.10 / 255.255.255.0
2. Fast Ethernet 0 /1 :-
Description : connected to Second Network on second Building.
IP Address of this Interface : 172.16.20.10 / 255.255.0.0
3. Serial Interface ( S 0 ).
Description : connected to My Server Farm which is in another Network
IP Address of this interface : 10.1.8.20 / 255.255.255.0.
> No serial interface or any serial connection at all on my 1841 Router.
> The Default route on My Router is
> IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
As anyone knows, its an Extended Access List.
So I wrote it like that:-
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
Router(config)# access-list 102 permit ip any any
Process of choosing the interface :-
1- Which Interface should I apply this Access-list ?
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
To answer and to understand the answer, for the 2 questions, here is my Process :-
First Interface f 0 / 0 :-
< this is the originating interface, and no need to apply the ACLs on it whether inbound or outbound >, so F0/0 is not the correct interface to apply the ACLs on.
Second Interface f 0 / 1 :-
< this is the second interface, and it has inbound / outbound directions; if I enable the ACL on this interface in the inbound direction, it will enter because nothing matches the condition; also, no need to put it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
Third Interface S0:-
Also, I have to look at the route on the Router; I will find that everything will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from entering the interface < it will only block it from entering the interface if the conditions occur >, so no need on the inbound, but on the outbound it will work.
So, final answer will be as following :-
1- Which Interface should I apply this Access-list ?
( Serial / 0 ) .
2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
( Outbound ) .
Was I correct or not? Please, someone update me.
The access-list can be applied in any direction depending on the requirement. As per the scenario you have given, the access-list has to be applied in the inbound direction. It is called an inbound access list.
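Added example (not code from these posts or from Cisco) that covers both the 1841 question above and the earlier ASA 8.3 static PAT question: a small evaluator with the top-down, first-match, implicit-deny rule, a check of whether a bound ACL is consulted at all for a packet's path through the router, and the ASA 8.3+ order of un-NAT before the ACL lookup. The egress name "uplink", the outside address 198.51.100.1 and the outside client 203.0.113.7 are constructed for the example.

```python
"""IOS-style extended ACL evaluation, plus the ASA 8.3+ un-NAT-then-ACL order.

Added example for the 1841 thread and the earlier ASA 8.3 static PAT thread;
not code from those posts or from Cisco.  It models top-down first match with
the implicit deny at the end, whether a bound ACL is even consulted for a
packet's path, and ASA 8.3+ un-NAT before the ACL lookup.  The egress name
"uplink", 198.51.100.1 (outside address) and 203.0.113.7 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports the threads' ACLs use; IOS and ASA accept the name or the number.
PORT_NAMES = {"smtp": 25, "pop3": 110, "telnet": 23, "www": 80, "https": 443}


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _parse_addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wc = int(ipaddress.ip_address(t[i + 1]))  # IOS wildcard: 1 bits are don't-care
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {t[i + 1]} not handled here")
    return ipaddress.ip_network(f"{t[i]}/{32 - wc.bit_length()}", strict=False), i + 2


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None: any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def parse_rule(line: str) -> Rule:
    """Parse one ACE as written in the config or in 'show access-list'; the
    'access-list NAME', 'line N', 'extended' prefixes and '(hitcnt=N)' are skipped."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    if t[0] == "line":
        t = t[2:]
    if t[0] == "extended":
        t = t[1:]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Rule(t[0], t[1], src, dst, dport)


def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE decides; nothing matching means the implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def forwarded(acl, bound_to, direction, ingress, egress, proto, src, dst, dport=None):
    """Does the router forward the packet, given where the ACL is bound?  The ACL
    is consulted only 'in' on the ingress interface or 'out' on the egress one."""
    consulted = ((direction == "in" and bound_to == ingress)
                 or (direction == "out" and bound_to == egress))
    return evaluate(acl, proto, src, dst, dport) == "permit" if consulted else True


def asa83_inbound(acl, static_pat, proto, src, dst, dport):
    """ASA 8.3+: un-NAT the destination first, then evaluate the ACL against the
    real address and port.  static_pat maps (mapped ip, port) -> (real ip, port)."""
    real_dst, real_port = static_pat.get((dst, dport), (dst, dport))
    return evaluate(acl, proto, src, real_dst, real_port)


# ACL 102 from the 1841 thread, verbatim.  LAN traffic enters the router on f0/0.
ACL_102 = [parse_rule(line) for line in (
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp",
    "access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3",
    "access-list 102 permit ip any any",
)]

# The 5505 thread: 'static interface service tcp 3389 3398' and the two ACLs tried.
OUTSIDE_IF = "198.51.100.1"                                   # constructed address
STATIC_PAT = {(OUTSIDE_IF, 3398): ("10.1.1.5", 3389)}
ACL_MAPPED_PORT = [parse_rule("access-list outside_access_in extended permit tcp any any eq 3398")]
ACL_REAL_PORT = [parse_rule(
    "access-list outside_access_in line 1 extended permit tcp any any eq 3389 (hitcnt=3)")]
```

Bound on f0/1 in either direction, ACL 102 never sees the LAN-to-server packet and it is forwarded untouched; bound inbound on f0/0 (or outbound on the egress interface) it blocks only the listed host's POP3 and SMTP and permits everything else.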
-
A possible bug related to the Cisco ASA "show access-list"?
We encountered a strange problem in our ASA configuration.
In the "show running-config":
access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in extended permit ip object 172.31.254.2 any log
access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
access-list inside_access_in extended permit ip any object testCSM-object
access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in extended permit ip host 172.31.254.2 any log
access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
In the "show access-list":
access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
There is a comment in the running config (line 26):
access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes a problem when we try to use the line number to insert a new rule.
Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
Thanks in advance.
show version:
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.1(3)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fmciscoasa up 1 hour 56 mins
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
Could be related to the following bug:
CSCtq12090: ACL remark line is missing when range object is configured in ACL
Fixed in 8.4(6), so update to a newer version and observe it again.
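The practical risk in the thread above is that `show access-list` line numbers drift once a remark is dropped, so an insert by line number lands one position off. The following checker is an added example, not the thread's or Cisco's code: it pairs each running-config entry with the line number the ASA displays, collapses the rows an object-based ACE expands into, and reports entries that are not displayed at all. The sample running config and show output (`RUNNING_CFG`, `SHOW_ACL`) are constructed from the ACEs quoted in the thread, with line numbers restarted at 1.

```python
import re

# Constructed sample modelled on the thread: the running config carries two remarks,
# but "show access-list" omits the second (CM0000088), so later entries display one line lower.
RUNNING_CFG = """\
access-list inside_access_in remark CM0000011 JST:PortRange
access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
access-list inside_access_in remark CM0000088 JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
"""
SHOW_ACL = """\
access-list inside_access_in line 1 remark CM0000011 JST:PortRange
access-list inside_access_in line 2 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 2 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
access-list inside_access_in line 3 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
"""

def normalize(rest):
    """Strip the hit counter, hash and default log options that only the show output adds."""
    rest = re.sub(r"\s*\(hitcnt=\d+\)\s+0x[0-9a-f]+\s*$", "", rest)
    return re.sub(r"\s+informational interval \d+", "", rest).strip()

def parse_running(cfg, acl):
    """Ordered remarks and ACEs of one ACL as written in the running config."""
    pat = re.compile(rf"^access-list {re.escape(acl)} (.*)$")
    return [normalize(m.group(1)) for m in map(pat.match, cfg.splitlines()) if m]

def parse_show(show, acl):
    """Displayed line number -> first row shown for it (object ACEs expand to several rows)."""
    pat = re.compile(rf"^access-list {re.escape(acl)} line (\d+) (.*)$")
    shown = {}
    for m in filter(None, map(pat.match, show.splitlines())):
        shown.setdefault(int(m.group(1)), normalize(m.group(2)))
    return shown

def audit_acl(cfg, show, acl):
    """Pair each config position with the line number the ASA displays for it
    (None when the entry is not displayed at all, as with the dropped remark)."""
    shown, cursor, mapping = parse_show(show, acl), 1, []
    for pos, entry in enumerate(parse_running(cfg, acl), start=1):
        hit = next((n for n in sorted(shown) if n >= cursor and shown[n] == entry), None)
        if hit is not None:
            cursor = hit + 1
        mapping.append((pos, hit))
    return mapping

def missing_entries(cfg, show, acl):
    """Config entries with no displayed counterpart: these shift every later line number."""
    entries = parse_running(cfg, acl)
    return [entries[pos - 1] for pos, line in audit_acl(cfg, show, acl) if line is None]
```

Running `audit_acl` on the sample yields `(3, None)` for the dropped remark and `(4, 3)` for the ACE after it, which is exactly the off-by-one that makes a line-number insert land in the wrong place.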
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
-
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration. Although it is working fine, it is not secure because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Can anybody help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to: ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG Server.
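In the posted extract, NAT consults ACL 101, which matches every 10.25.0.0/16 source, while ACL 105 with the deny object-group is defined but not applied to any interface, so nothing limits who gets translated. The evaluator below is an added example, not the thread's or Cisco's code: it implements IOS first-match semantics with the implicit deny for `any`, `host`, `object-group` and network/wildcard sources, and runs the posted ACL 101 beside a candidate list (`CANDIDATE_ACL`, an assumption built from the poster's `permit ip host 10.25.7.136 any` and the ACL 105 deny) against sample inside hosts. It evaluates only the source clause, which is enough because every posted ACE has destination `any`.

```python
import ipaddress

# Constructed from the posted config: the object-group the poster wants blocked,
# the NAT ACL exactly as posted, and a candidate list that permits only the TMG host.
OBJECT_GROUPS = {"IP": [("10.25.0.2", "10.25.0.255"), ("10.25.1.2", "10.25.1.255")]}
POSTED_ACL_101 = ["permit ip 10.25.0.0 0.0.255.255 any"]
CANDIDATE_ACL = ["permit ip host 10.25.7.136 any", "deny ip object-group IP any"]

def parse_source(tokens):
    """Consume the source clause of an IOS ACE (any / host A / object-group G /
    network wildcard) and return a predicate over an IPv4Address."""
    kw = tokens[0]
    if kw == "any":
        return lambda ip: True
    if kw == "host":
        target = ipaddress.ip_address(tokens[1])
        return lambda ip: ip == target
    if kw == "object-group":
        ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in OBJECT_GROUPS[tokens[1]]]
        return lambda ip: any(lo <= ip <= hi for lo, hi in ranges)
    # "network wildcard": a 1 bit in the wildcard means "don't care" for that bit
    net, wild = int(ipaddress.ip_address(kw)), int(ipaddress.ip_address(tokens[1]))
    return lambda ip: (int(ip) | wild) == (net | wild)

def evaluate(acl, src):
    """First-match evaluation on the source clause only (every posted ACE has
    destination 'any'), with the implicit deny at the end of every IOS ACL."""
    ip = ipaddress.ip_address(src)
    for ace in acl:
        action, _proto, *rest = ace.split()
        if parse_source(rest)(ip):
            return action == "permit"
    return False

def nat_eligible(acl, hosts):
    """Which inside hosts the 'ip nat inside source list' ACL would translate."""
    return {h: evaluate(acl, h) for h in hosts}
```

With the posted ACL every sample host is translated; with the candidate list only 10.25.7.136 is, and even 10.25.0.1 (outside the object-group ranges) is dropped by the implicit deny.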