Req help: creating access-lists

Similar Messages

• Thoroughly Confused with ADSM created access-lists when viewing ASA config

  Background:
  I am trying to unravel a ASA 5550 config that has been created over several years, by multiple people, some who used ADSM, some who used CLI.
  None of them ever removed any lines from the configuration, and none did any documentation.
  I have several basic questions, which show my ignorance.
  When examining the actual configuration from a CLI perspective:
  1. Does an ADSM-created access list end with any specific ADSM-added suffix?
  2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
  3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
  4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

  Actually, I don't think I ever made myself clear.
  I am working with a hard copy of the CLI.
  I have no acccess to the devices to run any commands, nor access to the ADSM.
  I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
  As stated before, it has been built and rebuilt by different people, some using CLI, some using ADSM, but no one ever cleaned up code or documented.
  I have probably 10-15 different access lists in this config.
  Some look to be affiliated with specific ports. Some of these ports are up, some down.
  I have the same rule sets appearing in 3 separate access lists, in some cases.
  Of course, each of these 3 access lists is slightly different.
  Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
  An example:
  3 access lists:
  Prmary_Public_access_in
  Primary_Public_access_in_tmp
  Arin_Primary_Public_access_in
  Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
  Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
  Primary_Public_access_in does not appear to be directly associated with any one port
  So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

• Need Help to create access-list based on traffic logs

  Hello,
  We didn't have any Firewall in our network, we recently implemented  Cisco ASA (Context) firewall in our network with any  any permit rule .
  Our intension is to collect the source, destination, protocol & ports based on the traffic logs and then implement the access-lists , once we confirmed all the rule will added to the firewall we want remove any any permit rule .
  I need some suggestion regarding this how we can proceed on this plan, any suggestions appreciated
  Rajkumar

  Hi Rajkumar,
  That is not the ideal way of doing... this will lead to a provisioning an unauthorized person to access for something he is not authorized to.
  How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....
  If your case is something like this.... all users need unrestricted intranet access and certain users alone requires internet acceess... then you can define rules accordingly....
  Regards
  Karthik
  Regards
  Karthik

• Need help for access list problem

  Cisco 2901 ISR
  I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
  I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
  Anybody can help?
           DENY       10.25.0.1 – 10.25.0.255
                            10.25.1.1 – 10.25.1.255
  Permit only 1 host for Internet
                  10.25.7.136  255.255.255.192 ------ TMG Server
  Using access-list.
  ( Current configuration  )
  object-group network IP
  description Block_IP
  range 10.25.0.2 10.25.0.255
  range 10.25.1.2 10.25.1.255
  interface GigabitEthernet0/0
  ip address 192.168.2.3 255.255.255.0
  ip nat inside
  ip virtual-reassembly in max-fragments 64 max-reassemblies 256
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description ### ADSL WAN Interface ###
  no ip address
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface ATM0/0/0
  no ip address
  no atm ilmi-keepalive
  interface Dialer1
  description ### ADSL WAN Dialer ###
  ip address negotiated
  ip mtu 1492
  ip nat outside
  no ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
  ip nat inside source list 101 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 10.25.0.0 255.255.0.0 192.168.2.1
  access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  access-list 105 deny   ip object-group IP any
  From the 4500 Catalyst switch
  ( Current Configuration )
  interface GigabitEthernet0/48
  no switchport
  ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
  ip route 0.0.0.0 0.0.0.0 192.168.2.3

  Hello,
  Host will can't get internet connection
  I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  and change the configuration ....      ip access-list extended 101
                                                              5 permit ip host 10.25.7.136 any
  In this case I will allow only host 10.25.7.136 but it isn't work.
  No internet connection from the TMG Server.

• I need help creating a list of vertical clickable buttons in an aside

  OK so here is the setup for this site I am working on. http://www.bestmarketingnames.com/default2.php I need to change that list on the left side into real buttons with destination when you click them. Here is a link that i have been tinkering with. http://www.bestmarketingnames.com/default.php I need them to fit in the left aside and vertical. I can't make them vertical. I'm sure it's a fairly simple thing but I don't know how to do it.
  Thanks

  Try this:
  <!doctype html>
  <html>
  <head>
  <meta charset="utf-8">
  <title>HTML5, Vertical Menu</title>
  <!--[if lt IE 9]>
  <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
  <![endif]-->
  <style>
      /***add these to your CSS Reset***/
      margin: 0;
      padding: 0;
      -moz-box-sizing: border-box;
      -webkit-box-sizing: border-box;
      box-sizing: border-box;
  nav {
      width: 250px;
      background: #555;
      color: #FFF;
      font-family: Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif;
  nav li {
      list-style: none;
      width: 248px;
      line-height: 2.5em;
      border: 2px solid #CCC;
      text-align: center;
      font-weight: bold;
      font-size: 16px;
      cursor: pointer;
  nav li:hover {
      background-color: #FFF;
      color: #000
  </style>
  </head>
  <body>
  <aside>
  <nav>
  <ul>
  <li>Menu 1</li>
  <li>Menu 2</li>
  <li>Menu 3</li>
  <li>Menu 4</li>
  </ul>
  </nav>
  </aside>
  </body>
  </html>
  ❄  ☃  ❄Nancy O.

• How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

  Hellp Everyone,
  I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
  I want to allow the whole Intranet but few intranet websites also needs access to the internet.
  Can we create such Access-List with the above requirement.
  I tried to create the ACL on the switch but it blocks the whole internet access.
  i want to do it for a subnet not for a specific IP.
  Can someone help me in creating such access list.
  Thanks in Advance

  The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
  In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
  The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
  You would then use them as follows:
  ip access-list extended main_acl
  permit any object-group intranet any
  permit object-group allowed_servers object-group allowed_sites any
  interface vlan
  ip access-group main_acl in
  More details on the syntax and examples can be found here:
  http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

• I'm attempting to create an access list

  I'm attempting to create an access list that allows traffic to the internet but denies access to any internal networked ip space.  This will be applied to a vlan interface as an "in".  My thought is that it should deny traffic to the 172."30,29,28" space from any but then permit them to any other address.  Can someone please confirm or refute my acl list understanding?  Thanks in advance.  - Kyle
  ip access-list extended TEST-IN
   deny ip any 172.30.0.0 0.0.255.255
   deny ip any 172.29.0.0 0.0.255.255
   deny ip any 172.28.0.0 0.0.255.255
   permit ip host 10.20.0.6 any

  Hi Kyle,
  The ACL rules would work fine. but consider the following guidelines when creating ACL on IOS.
  1) if you are permitting 1 host or a smaller domain and denying a subnet, then use the permit before denying.
  Example:
  ip access-list extended TEST-IN
   permit ip host 10.20.0.6 any
   deny ip any 172.30.0.0 0.0.255.255
   deny ip any 172.29.0.0 0.0.255.255
   deny ip any 172.28.0.0 0.0.255.255
  And also, this would permit the 10.20.0.6 to the 172.30/29/28 as well.
  Reason: ACL works on hit and trial basis. If match is found, it would not go beyond.. so to minimize the overhead and cpu usage, prefer to get smaller rules on top before major denies/permits.
  2) In case of denies.
  example:
  ip access-list extended TEST-IN
    deny ip host 10.20.0.6 any   <<<<<<<<<<<<<< the smaller entries come first.
    permit ip any 172.30.0.0 0.0.255.255
    permit ip any 172.29.0.0 0.0.255.255
    permit ip any 172.28.0.0 0.0.255.255
  Saves computation time and processing as well.
  Hope that helps.
  Abhishek
  CCIE 35269

• Creating Custom DC copying Standard DC : Illegal dependency: Access list

  Hi ,
  After having imported DC it has is/uces/ear ,is/uces/war & is/uces/java componets
  Created new DC for having different context node by importing xml files of standard is/uces/ear to is/ucesCustApp/ear.
  After creating Projects of all 3 Component ,what is does that it allow modification on standard is/uces/war & is/uces/java. Tried Creating custom is/uces/war & is/uces/java but builds fails reporting
  ERROR: Illegal dependency: Access list does not allow use of ..... various libraries for is/ucesCustApp/java. ( I updated dcdef file as it was in standard)
  Is there is anyway we can create new Custom DCs without impacting standard is/uces/war & is/uces/java on the Development server?
  Best Regards
  Ravi

  Hi
  Did you get an anser for this Query ?
  Regards
  Priyanka

• Help with an access list please

  Hi guys, i have an access list applied inbound to an interface on a router at the edge of our LAN.Our LAN subnet is 10.10.x.x and the incoming subnet is 10.13.x.x both with a 16 bit mask. The ACL is applied inbound to the interface that the the 10.13.x.x subnet come in on. I want to only allow them to go to our internal webserver to run a corporate web app, resolve dns for this web server with our dns servers, and have full access to a server on the other side of our WAN for another 32 bit app they are running. Here is my ACL:(you will notice i have also configured a single ip full access in for us to use when we are on site)
  access-list 101 permit ip 10.10.0.0 0.0.255.255 any
  access-list 101 permit ip host 10.13.1.254 any
  access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
  access-list 101 permit udp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
  access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.2 eq domain
  access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.1 eq domain
  access-list 101 permit ip 10.13.0.0 0.0.255.255 host 192.168.9.1
  access-list 101 permit tcp 10.13.0.0 0.0.255.255 host 10.10.10.24 eq www
  access-list 101 deny ip 10.13.0.0 0.0.255.255 10.0.0.0 0.255.255.255
  access-list 101 deny ip 10.13.0.0 0.0.255.255 172.16.100.0 0.0.0.255
  access-list 101 deny ip any any
  From the 10.13.x.x network this works like a charm but here is the key: i want to be able to remote admin their machines but cant. Even though the ACL is applied inbound only i cant get to their subnet, even with the first permit statement i still cant get to their subnet. I am assuming its allowing me in but the problem is lying with the return traffic. Is their a way for me to deny them access as in the list but for me to remote their subnet?
  Any help you could offer would be appreciated.

  I agree with you that the first line in the access list is incorrect. Coming in that interface the source address should never be 10.10.0.0. But if he follows your first suggestion then any IP packet from 10.13.anything to anything will be permitted and none of the other statements in the access list will have any effect.
  And I have a serious issue with what he appears to suggest which is that he will take his laptop (with a 10.10.x.x address), connect it into a remote subnet, and expect it to work. Unless he has IP mobility configured, he may be able to send packets out, but responses to 10.10.x.x will be sent to the 10.10.0.0 subnet and will not get to his laptop. He needs to rething this logic.
  I do agree with your second suggestion that:
  access-list 101 permit tcp 10.13.0.0 0.0.255.255 eq 5900 10.10.0.0 0.0.255.255
  should allow the remote administration to work (assuming that 5900 is the correct port and assuming that it uses tcp not udp).
  HTH
  Rick

• Virus access-list help

  Hello all,
  I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster varient or something.
  The problem is one of the System guys says it's a legit service, something to do with Active Directory.
  When I do "sh logging" I see thousands of hits where it deny's one packet at a time from port 445 to misc IP addresses.
  I do "sh access-list" and the deny 445 entry has millions of hits.
  We do a network wide Symantec update and scan and find nothing.
  Should I disable this 445 entry? Is it a legit service?
  Thanx for any help

  Hello,
  Port 445 is SMB over tcp or commonly referred to now by Microsoft a CIFS (Common Internet File System). This is vallid traffic so internally between sites that transfer files you should not be blocking this traffic but from external nets by all means this should be blocked.
  HTH please rate any posts that were helpful.
  Patrick Laidlaw

• Access-List Process - Urgent Help

  Dear All,
  My question here in this forum , in the Process of :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  Now, My question is here :-
  Was I correct in choosing the Interface that I will apply this Access-list or not ?
  Please read my Process of choosing the Interface, and tell me if I am correct or Not ?
  I have here My Router, as Internet Router which is 1841 , with 2 Fast Ethernet interfaces as the following :-
  1. Fast Ethernet 0 / 0 :-
  Description : connected to My Network as MY LAN .
  IP Address of this Interface : 192.168.1.10 / 255.255.255.0
  2. Fast Ethernet 0 /1 :-
  Description : connected to Second Network on second Building.
  IP Address of this Interface : 172.16.20.10 / 255.255.0.0
  3. Serial Interface ( S 0 ).
  Description : connected to My Server Farm which is in another Network
  IP Address of this interface : 10.1.8.20 / 255.255.255.0.
  > No any serial interface or any serial connection at all on my 1841 Route.
  > The Default route on My Router is
  > IP ROUTE 0.0.0.0 0.0.0.0 10.1.8.20
  Now, I want only to deny user 192.168.1.40 to access the one server on the server FARMS which is OUR POP3 Server with this IP 10.1.8.40 / 24.
  As anyone knows, its an Extended Access List.
  So I wrote it like that:-
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq smtp
  Router(config)# access-list 102 deny tcp 192.168.1.40 0.0.0.0 host 10.1.8.40 eq pop3
  Router(config)# access-list 102 permit ip any any
  Process of choosing the interface :-
  1- Which Interface should I apply this Access-list ?
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  To answer and to understand the answer, for the 2 questions, here is my Process :-
  First Interface f 0 / 0 :-
  < this is the originating interface, and no need to apply the ACLs on it weather if inbound or outbound >, so F0/0 is not the correct interface to apply the ACLS on it.
  Second Interface f 0 / 1 :-
  < this is the second interface, and it have inbound / outbound direction , if I enable the ACL on this Interface, on the inbound direction, it will inter because nothing match on the condition, also, no need to make it on the OUTBOUND direction, because it will not get out from this interface, or there is no match condition on it.
  Third Interface S0:-
  Also, I have to look to the route on the Router, I will find it, every thing will route to interface serial / 0, and if I enable the ACL on the inbound direction, it will stop the traffic from enter the Interface < only it will disable from enter the interface, if the conditions accrue > so no need on the inbound, but on the outbound it will work.
  So, final answer will be as following :-
  1- Which Interface should I apply this Access-list ?
  ( Serial / 0 ) .
  2- on which Direction on the selected interface I have to apply this Access-list ? In or Out ?
  ( Outbound ) .
  Was I correct or not ? please some one is update me.

  The access-list can be applied in any direction depending on the requirement. As per the scnearion you have given the access-list has to appiled at the inbound direction. It is called inbound accesslist.

• Access List - cisco 2600- HELP

  Hi,
  i want ask we, if the access list are bi-directional or it are one-directional?
  If i want negate "LAN A" (eth1) to go in "LAB B" (eth0) which acl i must use and then "LAN B" can go to "LAN A"?
  Thanks

  Emanuele
  When applied on an interface access lists are uni-directional. You can apply an access list inbound on the interface and apply an access list outbound on the interface if you want a bi-directional effect.
  I am not sure that I understand what you are trying to accomplish. I think that I understand that you do not want LAN A to send to LAN B. I am not clear if you want LAN B to be able to send to LAN A, which it sort of sounds like. The problem with this is how to differentiate something coming from LAN A to LAN B which is a response to something that originated from LAN B versus something originated from LAN A. For TCP connections you can use the established concept in the access list, but there is not a good way to handle UDP, ICMP, etc.
  If you do not want either subnet to communicate with the other then I suggest that you write 2 access lists. The first access list would deny traffic with a source in LAN A and a destination in LAN B and would permit other traffic. This access list would be applied outbound on LAN A interface. The second access list would deny traffic with a source in LAN B and a destination in LAN A and would permit other traffic. This access list would be applied outbound on LAN B interface. If you do this I do not see a need for an inbound filter on either interface.
  If I have not understood your question correctly please clarify what you are attempting to accomplish.
  HTH
  Rick

• Help with creating a list, adding to it, calling it and putting it in a combobox with c#

  I have been making a word RPG game with the windows form in c#, and I have encountered some problems along the way. Right now I have a character creation screen, and a screen that displays all of the stats, and gear equipment. I was thinking about adding
  some basic/starting items and put the list into a combobox. I created a separate class and named it HeadItems.cs, and put all of the possible stats, as well as ID and string name. I set a constructor with many parameters, so I can simply input this code, and
  have it generate a head item.
  HeadItems.Add(new HeadItem("Test Head", 0,2,0,0,1));
  Then I was trying to make the combobox, called cboHeadItems, and put its DataSource as HeadItems. Though I am not sure how to get it so it displays the first array, or the string name in the combobox. I am also not sure if I should create the list in the
  player entity class or its own class. From there I am not sure how to call the list on other forms/classes or how to make the name appear in the combobox for people to select.

  Hiya!
  It isn't that simple I'm afraid! You cant make the datasource of a combobox a 'HeadItem' because it doesn't know what that is and it won't know how to handle it.
  There are a few different ways to do it. You can pass it an array, a dataset, a datatable to mention just a few.
  Probably the simplest way is this:
  foreach(HeadItem hi in HeadItems){
  comboBox1.Items.Add(hi[0]); //Depends on your setup
  Antony
  :D

• Create a report on access lists from a switch or router

  I need to view the hits on an access list I have running on a clients layer 3 switches and routers. I know the syslog messages for the ACL are making it to the MARS. What event type do I need to select and query type do I need to select to get a report on this information?
  Thanks.
  Dan

  You can do a query with the result type "Unknown Event Types" to list all the logs with Unknown Reporting Devices. It will show an "Add Device" button wherever applicable which displays the result set.

• Error while creating request list Unable to detect the SAP system directory

  We are upgrading SAP BW (NW 7.0 EHP1) to SAP BW (NW 7.3)
  source OS: Windows 2008 R2,  source DB: MSSQL server 2008 R2 SP1 CU3
  I had started the upgrade by running: STARTUP.BAT
  I had started the DSUGui on the server (CI / DB on the same server) from: D:\usr\sap\BP1\upg\sdt\exe\DSUGui.bat
  I ran both programs (run as administrators).
  Once SAP Gui connects and was able to create userid/ password and when ready to start the initialization phase (click next)
  gives me the error
  Error while creating request list - see preceeding messages. Unable to detect the SAP system directory on the local host
  I had tried STARTUP.BAT "jce_policy_zip=Z:\export-import\downloads\jce_policy-6'  and still the same error.
  I had started DSUGui.bat with trace and the trace file contents are
  <!LOGHEADER[START]/>
  <!HELP[Manual modification of the header may cause parsing problem!]/>
  <!LOGGINGVERSION[2.0.7.1006]/>
  <!NAME[D:
  usr
  sap
  bp1
  upg
  sdt
  trc
  server.trc]/>
  <!PATTERN[server.trc]/>
  <!FORMATTER[com.sap.tc.logging.TraceFormatter(%d [%s]: %-100l [%t]: %m)]/>
  <!ENCODING[UTF8]/>
  <!LOGHEADER[END]/>
  Jan 11, 2012 10:14:58 AM [Error]:                          com.sap.sdt.engine.core.communication.AbstractCmd.log(AbstractCmd.java:102) [Thread[ExecuteWorker,5,main]]: Execution of command com.sap.sdt.engine.core.communication.CmdActionEvent@376433e4 failed: while trying to invoke the method java.io.File.getAbsolutePath() of an object returned from com.sap.sdt.dsu.service.req.DSURequestListBuilder.getSystemDir()
  Jan 11, 2012 10:14:58 AM [Error]:                          com.sap.sdt.engine.core.communication.AbstractCmd.log(AbstractCmd.java:103) [Thread[ExecuteWorker,5,main]]: java.lang.NullPointerException: while trying to invoke the method java.io.File.getAbsolutePath() of an object returned from com.sap.sdt.dsu.service.req.DSURequestListBuilder.getSystemDir()
  Jan 11, 2012 10:14:58 AM [Error]:                          com.sap.sdt.engine.core.communication.AbstractCmd.log(AbstractCmd.java:103) [Thread[ExecuteWorker,5,main]]: java.lang.NullPointerException: while trying to invoke the method java.io.File.getAbsolutePath() of an object returned from com.sap.sdt.dsu.service.req.DSURequestListBuilder.getSystemDir()
  Jan 11, 2012 10:14:58 AM [Error]:                                                 com.sap.sdt.engine.core.communication.CmdActionEvent [Thread[ExecuteWorker,5,main]]: java.lang.NullPointerException: while trying to invoke the method java.io.File.getAbsolutePath() of an object returned from com.sap.sdt.dsu.service.req.DSURequestListBuilder.getSystemDir()
       at com.sap.sdt.dsu.service.req.DSURequestListBuilder.persistSystemInfo(DSURequestListBuilder.java:277)
       at com.sap.sdt.dsu.service.DSUService.createRequestList(DSUService.java:338)
       at com.sap.sdt.dsu.service.controls.DSUListener.actionNext(DSUListener.java:144)
       at com.sap.sdt.dsu.service.controls.DSUListener.actionPerformed(DSUListener.java:67)
       at com.sap.sdt.server.core.controls.SDTActionListener$Listener.actionPerformed(SDTActionListener.java:46)
       at com.sap.sdt.engine.core.communication.CmdActionEvent.actOnEvent(CmdActionEvent.java:43)
       at com.sap.sdt.engine.core.communication.CmdEvent.execute(CmdEvent.java:69)
       at com.sap.sdt.engine.core.communication.ExecWorker.handleCmd(ExecWorker.java:36)
       at com.sap.sdt.engine.core.communication.AbstractWorker.run(AbstractWorker.java:93)
  I could not get Upgrade started.  Any help is appreciated
  Thanks
  Prathap

  Did you get this solved?
  I have the same problem