Show ip access-lists with remarks?

We have a 6509E and use ACLs for our SVIs.  When viewing specific ones created I use "show ip access-lists NAME", and when finding remarks I have to constantly go back to "show run | b NAME", but it seems clunky.  Is there a way to see the view of the first with the sequence numbers but show the remarks that I can only find in the show run?

OK, I understand that I will have to use the public IP in my ACL on the ADSL-connected interface.
If I obtain a private IP on my ADSL interface from the ISP, then is the best method to apply the ACL on the LAN interface and assign it as IP ACCESS-GROUP xxx OUT?
And one more question.
I understand the concept of an ACL with one public IP that will be NAT (overloaded). What if I am using multiple public IPs that I will NAT on all of them?
How does this affect my ACLs? Is there a way around this?
Thanks,
George

Similar Messages

  • Extended access list with multiple ports

    Hello All,
    I have a problem with my Cisco Catalyst 4503-E when I try to configure an extended access list with multiple ports.
    I receive the following message:
    The information for my switch is the following:
    Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASE-M), Version
    12.2(52)SG, RELEASE SOFTWARE (fc1)
    Please help me to resolve this problem.
    Best regards.

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • APEX Pages - User Access List with NTLM

    Hi,
    I'm building several APEX Applications, and using NTLM as its Authentication Scheme. With this, the users won't have to type any user and password. And their user name stated in top right screen.
    I'd like to build another application to administer users of all created APEX Applications. So I'd like to build 3 tables:
    1. users (hold user name, and user data)
    2. pages (hold APEX Applications pages)
    3. access_list (hold combined data of users and pages and access flag)
    The last table will give me an SQL that can be used to create page level Authorization Scheme.
    The problem is:
    I cannot find a way to get a list of user ids to pre-populate the table users. Is there a way for an administrator user to use an LOV of all NTLM users instead of typing domain\user into this application? Or is there a better and more elegant way to create a User Access List with NTLM?
    Your help will be much appreciated, and thanks in advance.
    Regards,
    Aulia

    This is kind of a followup to Scott's post. Instead of using your own tables to map user accounts to permissions etc, why not simply use LDAP to query the NT domain global catalog?
    You can tell what users are members of particular AD groups and control access to functions based on AD group membership. Then you would only need one table that maps Apex functionality to AD groups.
    That's what we do. Our account management people add users to different security groups and they get access to our apex app based on those groups. The type of access is controlled by the group to which they belong.
    If you try to capture a list of all users, you'll be constantly trying to keep your list of users in sync with your AD/NTLM accounts.
    Or I guess you could simply use LDAP queries inside the database to get a list of ALL your users in a nightly batch. Wouldn't help for people added in the middle of the day, but maybe that doesn't happen often in your company.
    I have posted code on using Active Directory LDAP with dbms_ldap inside the database. Shouldn't be too much trouble to modify that code to scan your directory for users every night. Search for "dbms_ldap" in this forum.

  • Nexus1000v : ip access-list with port range

    Hi,
    I am configuring an ip access-list policy with a port range on Nexus1000v. I want to block traffic of a VM based on a specific port or port range. The following example shows blocking of the RDP service (port 3389) of VM x.x.x.x. But the script blocks all traffic of x.x.x.x.
    Can anybody verify the script and tell me what the problem with it is?
    vm x.x.x.x is on Veth2
    config t
    ip access-list Veth2_rc_vmfw_acl_in
    deny tcp any host x.x.x.x eq 3389
    exit
    ip access-list Veth2_rc_vmfw_acl_out
    deny tcp host x.x.x.x any eq 3389
    exit
    interface Veth2
    ip port access-group Veth2_rc_vmfw_acl_in in
    ip port access-group Veth2_rc_vmfw_acl_out out
    exit
    exit
    Thanks

    License? Check Data Features

  • Access list with multiple object groups

    Hello Everyone,
    I am using a Cisco ASA 5525 with 8.6 code.  I am trying to set up an access list for outbound access, meaning hosts accessing the internet.  I have created an access list called outbound_access and did "access-group outbound_access in interface inside".
    I am trying to use object-groups wherever I can.  Here is an example.
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    object-group service obj_Meraki_outbound
    service-object tcp destination eq 443
    service-object tcp destination eq 80
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.x.x.x 255.255.255.240
    network-object 10.x.x.x 255.255.225.240
    object-group network obj_Meraki_pub
    des This group lists all hosts associated with Meraki. 
      network-object host 64.156.192.154
      network-object host 64.62.142.12
      network-object host 64.62.142.2
      network-object host 74.50.51.16
      network-object host 74.50.56.218
    I have tried tying all these groups together in multiple ways but cannot figure out how to do this.  This is what I think it should be: "access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub"
    What I want is to use the service objects, with the source network being obj_Meraki_lan and the destination being obj_Meraki_pub.   It seems the rules completely change when you use object groups.  Can someone explain this, maybe with a few examples?  I am already using object groups in many ACLs but not for every element.
    Thanks

    Hi,
    Seems to work on my test ASA
    Attached it to my current LAN interface.
    ASA(config)# packet-tracer input LAN tcp 10.2.11.1 12345 64.156.192.154 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         WAN
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outbound_access in interface LAN
    access-list outbound_access extended permit object-group obj_Meraki_outbound object-group obj_Meraki_lan object-group obj_Meraki_pub
    object-group service obj_Meraki_outbound
    service-object tcp destination eq https
    service-object tcp destination eq www
    service-object tcp destination eq 7734
    service-object tcp destination eq 7752
    service-object udp destination eq 7351
    object-group network obj_Meraki_lan
    network-object 10.2.11.0 255.255.255.240
    network-object 10.5.11.0 255.255.255.240
    object-group network obj_Meraki_pub
    description: This group lists all hosts associated with Meraki.
    network-object host 64.156.192.154
    network-object host 64.62.142.12
    network-object host 64.62.142.2
    network-object host 74.50.51.16
    network-object host 74.50.56.218
    Additional Information:
    access-list outbound_access line 1 extended permit tcp 10.2.11.0 255.255.255.240 host 64.156.192.154 eq www (hitcnt=1) 0x4d812691
    I have also used such a configuration in some special cases where the customer has insisted on allowing specific TCP/UDP ports between multiple networks. And nothing is stopping you from adding ICMP into the "object-group service" as well.
    - Jouni
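
The expansion that packet-tracer reports in the reply above (one concrete ACE per service, source and destination combination) can be reproduced offline to review what a three-group rule permits. This is an added example, not part of the thread and not Cisco tooling; the function names are hypothetical, only numeric `eq` ports are handled, and the order of the expanded entries is an assumption.

```python
import ipaddress
from itertools import product

# Constructed input: object-groups abridged from the thread above, with the
# 255.255.225.240 mask kept as it was typed in the first post.
CONFIG = """\
object-group service obj_Meraki_outbound
 service-object tcp destination eq 443
 service-object tcp destination eq 80
 service-object udp destination eq 7351
object-group network obj_Meraki_lan
 network-object 10.2.11.0 255.255.255.240
 network-object 10.5.11.0 255.255.225.240
object-group network obj_Meraki_pub
 network-object host 64.156.192.154
 network-object host 64.62.142.12
"""
ACL_LINE = ("access-list outbound_access extended permit object-group obj_Meraki_outbound "
            "object-group obj_Meraki_lan object-group obj_Meraki_pub")


def to_net(words):
    """['host', ip] or [ip, mask] -> IPv4Network; raises ValueError on a bad mask."""
    if words[0] == "host":
        return ipaddress.IPv4Network(words[1] + "/32")
    return ipaddress.IPv4Network(f"{words[0]}/{words[1]}")


def parse_groups(text):
    """Return ({group_name: [members]}, [warnings]) for service and network groups."""
    groups, warnings, current = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "object-group" and len(tok) >= 3:
            current = groups.setdefault(tok[2], [])
        elif (tok[0] == "service-object" and current is not None
              and len(tok) == 5 and tok[2:4] == ["destination", "eq"]):
            current.append((tok[1], int(tok[4])))          # (protocol, destination port)
        elif tok[0] == "network-object" and current is not None:
            try:
                current.append(to_net(tok[1:]))
            except (ValueError, IndexError):
                # A non-contiguous mask never becomes a usable network entry here.
                warnings.append("skipped '" + " ".join(tok) + "': not a valid network/mask")
    return groups, warnings


def expand_acl(line, groups):
    """Expand '... permit|deny object-group SVC object-group SRC object-group DST'."""
    tok = line.split()
    name, action = tok[1], tok[3]
    svc, src, dst = (groups[tok[i]] for i in (5, 7, 9))
    return [(name, action, proto, s, d, port)
            for (proto, port), s, d in product(svc, src, dst)]


def fmt_net(net):
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(ace):
    name, action, proto, s, d, port = ace
    return f"access-list {name} extended {action} {proto} {fmt_net(s)} {fmt_net(d)} eq {port}"


def first_match(aces, proto, src_ip, dst_ip, dport):
    """Return the first expanded ACE matching the flow, or None (implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        _, _, p, s, d, port = ace
        if p == proto and port == dport and src in s and dst in d:
            return ace
    return None


if __name__ == "__main__":
    groups, warnings = parse_groups(CONFIG)
    for w in warnings:
        print("WARNING:", w)
    aces = expand_acl(ACL_LINE, groups)
    for ace in aces:
        print(render(ace))
    # Same flow as the packet-tracer test in the reply above.
    hit = first_match(aces, "tcp", "10.2.11.1", "64.156.192.154", 80)
    print("match:", render(hit) if hit else "none (implicit deny)")
```

Reviewing the expanded list, rather than the single object-group line, shows exactly which source, destination and port combinations are open, and a mistyped mask surfaces as a warning instead of a silently missing network.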

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network.  Whoever set up my network before me just put the same access-lists on all the interfaces at three different locations --
    1.  Are extended access-lists always source then destination?  Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
    2.  Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11 ?
    This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement is valid.
    3.  Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
    Thanks!

  • Show access-list | include

    Couple questions on show with include
    1. Can you do a show command with include and a space meaning can you search for say "permit ip"?
    2. Can you do a search for an exclude say "show access-list | exclude eq"?                  

    Sure, examples:
    How do you do the include for words and spaces?
    When filtering you can use the underscore to refer to spaces on the lines.
    Can you do a show command for access-list where you are looking for permit IP without "eq"?
    You can't mix commands like, mixing "inc" & "exc".  So no.
    Besides, the only available option when using two or more pipes is only OR, in case you were wondering.
    Now, examples
    show run access-list test
    access-list test remark hello world
    access-list test remark helloworld
    access-list  test remark hey hello world
    access-list  test remark heyhelloworld
    Now, filtering:
    show run access-list | i hello
    access-list test remark hello world
    access-list test remark helloworld
    access-list test remark hey hello world
    access-list test remark heyhelloworld
    show run access-list | i _world
    access-list test remark hello world
    access-list  test remark hey hello world
    show run access-list | i hey |  world
    access-list test remark hello world
    access-list test remark hey hello world
    I think that covers it.
    Here is a good article about the topic:
    http://stack.nil.com/ipcorner/EnhanceIOSUI/

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x0685254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcnt=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt=0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcnt=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c41681b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes a problem when we try to use the line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
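
The symptom reported in this thread, a remark present in "show running-config" but absent from "show access-list" so that every later line number is off by one, can be checked mechanically before anyone inserts a rule by line number. The following Python is an added example, not part of the thread and not a Cisco tool; the function names are hypothetical and the two listings are a constructed, abridged excerpt of the poster's output renumbered from 1.

```python
import re

# Constructed sample, abridged from the post above (remark text shortened).
RUNNING = """\
access-list inside_access_in remark CM0000012 JST:FTP
access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
access-list inside_access_in remark CM0000088 JST:PortRange
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
access-list inside_access_in remark CM0000014 JST:DropIP
access-list inside_access_in extended permit ip object windowsusageVM any log
"""
SHOW = """\
access-list inside_access_in line 1 remark CM0000012 JST:FTP
access-list inside_access_in line 2 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
  access-list inside_access_in line 2 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
access-list inside_access_in line 3 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
access-list inside_access_in line 4 remark CM0000014 JST:DropIP
access-list inside_access_in line 5 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
  access-list inside_access_in line 5 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
"""

RUN_RE = re.compile(r"^access-list (\S+) (remark .*|extended .*)$")
SHOW_RE = re.compile(r"^access-list (\S+) line (\d+) (remark .*|extended .*)$")


def parse_running(text, acl):
    """Entries of one ACL in configuration order, e.g. 'remark ...' or 'extended ...'."""
    out = []
    for raw in text.splitlines():
        m = RUN_RE.match(raw.strip())
        if m and m.group(1) == acl:
            out.append(m.group(2).rstrip())
    return out


def parse_show(text, acl):
    """[(line_no, body)] keeping the first entry per line number.

    The expanded form of an object-based rule repeats its parent's line
    number, so later entries with an already-seen number are dropped.
    """
    seen, out = set(), []
    for raw in text.splitlines():
        m = SHOW_RE.match(raw.strip())
        if m and m.group(1) == acl and int(m.group(2)) not in seen:
            seen.add(int(m.group(2)))
            out.append((int(m.group(2)), m.group(3).rstrip()))
    return out


def same_entry(cfg, shown):
    """Remarks must match exactly; rules gain trailing log/hitcnt fields when shown."""
    if cfg.startswith("remark "):
        return cfg == shown
    return shown == cfg or shown.startswith(cfg + " ")


def find_drift(running, shown):
    """Walk both listings in order.

    Returns (missing, drift): missing is [(config_position, remark)] for remarks
    not displayed; drift maps config_position -> displayed line number wherever
    the two differ.
    """
    missing, drift, j = [], {}, 0
    for pos, entry in enumerate(running, start=1):
        if j < len(shown) and same_entry(entry, shown[j][1]):
            if shown[j][0] != pos:
                drift[pos] = shown[j][0]
            j += 1
        elif entry.startswith("remark "):
            missing.append((pos, entry))
        else:
            raise ValueError(f"rule at config position {pos} not in show output: {entry}")
    return missing, drift


if __name__ == "__main__":
    running = parse_running(RUNNING, "inside_access_in")
    shown = parse_show(SHOW, "inside_access_in")
    missing, drift = find_drift(running, shown)
    for pos, remark in missing:
        print(f"config position {pos} not displayed: {remark}")
    for pos, line_no in sorted(drift.items()):
        print(f"config position {pos} is displayed as line {line_no}")
```

A non-empty result means the displayed line numbers no longer correspond to positions in the running configuration, so a change ticket that references "line N" should be re-checked against both listings.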

  • BGP with access lists

    Hello,
    Can someone explain to me why we use access lists in a mpls cloud that uses IBGP. I thought for the most part  access lists were used on firewalls not routers running BGP. Do we even need access lists with bgp can't bgp work without access lists. What are the reasons for having access lists on a router for IBGP on a mpls cloud?
    Thanks,

    The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.
    It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demands that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Port Forwarding & Access List Problems

    Good morning all,
    I am trying to set up port forwarding for a web server we have hosted here on IP 192.168.0.250. I have set up access lists and port forwarding configurations, and I cannot seem to access the server from outside the network. I've included my config file below; any help would be greatly appreciated!  I've researched a lot lately but I'm still learning.  Side note:  I've replaced the external IP address with 1.1.1.1.
    I've added the bold lines in the config file below in hopes of forwarding port 80 to 192.168.0.250, to no avail.  You may notice I don't have access-list 102, which I created, on any interfaces.  This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname pantera-office
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1 192.168.0.150
    ip dhcp excluded-address 192.168.0.251 192.168.0.254
    ip dhcp pool private
       import all
       network 192.168.0.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4 
       default-router 192.168.0.1 
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip domain name network.local
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-4211276024
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-4211276024
     revocation-check none
     rsakeypair TP-self-signed-4211276024
    crypto pki certificate chain TP-self-signed-4211276024
     certificate self-signed 01
      quit
    username pantera privilege 15 password 0 XXXX
    username aneuron privilege 15 password 0 XXXX
    archive
     log config
      hidekeys
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key xxxx address 2.2.2.2
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to 2.2.2.2
     set peer 2.2.2.2
     set transform-set ESP-3DES-SHA 
     match address 100
    interface FastEthernet0/0
     description $ETH-WAN$
     ip address 2.2.2.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    interface FastEthernet0/1
     description $ETH-LAN$
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface Serial0/0/0
     no ip address
     shutdown
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
    ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
    ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
    ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
    ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
    ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
    ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
    ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
    ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
    ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
    ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 remark Web Server ACL
    access-list 102 permit tcp any any
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps ds1
    snmp-server enable traps tty
    snmp-server enable traps eigrp
    snmp-server enable traps envmon
    snmp-server enable traps flash insertion removal
    snmp-server enable traps icsudsu
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps ds0-busyout
    snmp-server enable traps ds1-loopback
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps bgp
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps ipsla
    snmp-server enable traps rf
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    control-plane
    line con 0
     logging synchronous
    line aux 0
    line vty 0 4
    scheduler allocate 20000 1000
    end
    Any/All help is greatly appreciated!  I'm sorry if I sound like a newbie!
    -Evan

    Hello,
    According to the config you posted, 2.2.2.2 is your WAN IP address and 1.1.1.1 is the next hop address for your WAN connection. The ip nat configuration for port forwarding should look like:
    ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
    If your provider assigns you a dynamic IPv4 address to the WAN interface you can use:
    ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80
    Verify the settings with show ip nat translation.
    Your access list 102 permits only TCP traffic. If you apply the ACL to an interface, DNS won't work anymore (and all other UDP traffic). You might want to use a stateful firewall solution like CBAC or ZBF combined with an inbound ACL on the WAN interface.
    Best Regards
    Lukasz

  • Convert named access list to line numbers

    I printed out a document months ago which has since then disappeared into my mountains of paperwork. Somewhere in that document listed a command that converted an extended, named access list to one with line numbers. I even recall that you could input the line interval into the conversion process (so lines would be 5,10,15 etc or 10,20,30 etc).
    I just upgraded a 6509, and I'm ready to put line numbers in my access list, and can't find the command - a new Cisco search is coming up empty. Can anyone recall what the command is?? Again, it's for converting an existing access-list with no line numbers to one with line numbers.
    Thank you!

    Hi Emily,
    I guess this is what you are looking for. I have not tried it myself but would like to test it out.
    1. enable
    2. configure terminal
    3. ip access-list resequence access-list-name starting-sequence-number increment
    4. ip access-list {standard | extended} access-list-name
    5. sequence-number permit source source-wildcard
    or
    sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    6. sequence-number deny source source-wildcard
    or
    sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
    7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.
    8. end
    9. show ip access-lists access-list-name
    This link should help :
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
    regards,
    -amit singh

  • Problem with access-list on Catalyst 4507r

    Hi
    I have 2 VLANs: 192.168.38.0 and 192.168.31.0.
    In the 38.0 network, I have an Exchange server.
    And in the 31.0 network, I have the clients (Microsoft Outlook).
    The problem is that when I configure the access-list, the client starts a communication on port 135 but it doesn't get an answer.
    But if I open all ports, it's OK.
    Here is my access-list.
    Could you confirm if it's OK?
    Thank you in advance.
    access-list 131 remark sur interface vlan 31 Client NB
    access-list 131 permit ip any 192.168.31.0 0.0.0.255
    access-list 131 permit tcp any host 192.168.38.203 eq 135
    access-list 131 permit icmp any 192.168.38.0 0.0.0.255
    access-list 131 deny ip any any
    access-list 138 remark sur interface vlan 38 Bureautique
    access-list 138 permit ip any 192.168.38.0 0.0.0.255
    access-list 138 permit icmp any 192.168.31.0 0.0.0.255
    access-list 138 deny ip any any

    Hi,
    Thank you very much.
    When I look with the Ethereal software, the client needs to open a range of ports (>1024).
    Please give me the access-list.
    Thanks in advance!!

  • IPSEC access-list question

    Hi,
    I have an access-list with the following line...
    permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
    and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
    protected vrf:
    local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
    current_peer: 62.140.138.249:500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors
    I also show a crypto ipsec sa which doesn't correspond directly to my access-list. This is the second time I've seen this... is there any part of IPsec where the access-lists are shared with the other end? I didn't think so, but I'm not sure how we got this, if not.
    protected vrf:
    local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
    current_peer: 62.140.138.249:500
    PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    #send errors 0, #recv errors 0
    Thanks!!

    Can you post the configuration from this device?
    Regards,
    Arul

  • Strange access list debug output

    I have a router interface configured with the following access list:
    access-list 101 permit tcp any any eq 23
    access-list 101 deny ip any any
    Effectively, telnet is allowed and all other protocols are denied. When I start a debug on this access-list (debug ip packet list 101 detailed) and start telnetting to the router, everything works (as it should). But when I look with "show ip access list" I see there are about 30 matches on the "...eq 23" rule, which is correct, but there are also around 30 matches on the deny ip any any rule. The debug output shows only port 23 traffic and return traffic.
    My question: what packets hit the "deny ip any any" rule when starting a telnet session?

    Hi
    Could be a name resolution issue but the easiest way to check would be to change your second line in the access-list to
    access-list 101 deny ip any any log
    HTH
    Jon

  • How to create an Access list on core switch to block all Internet Traffic & allow some specific Internet Traffic

    Hello Everyone,
    I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.
    I want to allow the whole Intranet, but a few intranet websites also need access to the internet.
    Can we create such an Access-List with the above requirement?
    I tried to create the ACL on the switch but it blocks the whole internet access.
    I want to do it for a subnet, not for a specific IP.
    Can someone help me in creating such an access list?
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general, just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
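
The top-down, first-match evaluation and implicit deny described in the reply above, applied to ACL 131 from the Catalyst 4507r thread on this page. This is an added example, not code from any poster or from Cisco; the packet addresses and the dynamic port 49155 used in the checks are constructed, and the parser assumes numbered extended ACL lines with numeric `eq` ports only.

```python
import ipaddress

# ACL 131 as posted in the Catalyst 4507r thread on this page.
ACL_131 = """\
access-list 131 remark sur interface vlan 31 Client NB
access-list 131 permit ip any 192.168.31.0 0.0.0.255
access-list 131 permit tcp any host 192.168.38.203 eq 135
access-list 131 permit icmp any 192.168.38.0 0.0.0.255
access-list 131 deny ip any any
"""

def _addr(tok):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (base, wild), tok[2:]

def parse_acl(text):
    """Parse ACL lines into ordered entries; remark lines are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        action, proto = tok[2], tok[3]
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None  # numeric ports only
        entries.append((action, proto, src, dst, port))
    return entries

def _hit(spec, ip):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return int(ipaddress.IPv4Address(ip)) & care == base & care

def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, 1-based entry index); index None is the implicit deny."""
    for i, (action, p, s, d, port) in enumerate(entries, 1):
        if p not in ("ip", proto):
            continue  # entry is for a different protocol
        if _hit(s, src) and _hit(d, dst) and (port is None or port == dport):
            return action, i  # first match wins, later entries are never read
    return "deny", None
```

A client packet to 192.168.38.203 on TCP 135 matches the second entry, while the same flow on a port above 1024 falls through to `deny ip any any`, which is the behaviour the poster reports.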
