Simple SSH Access-List Question

Similar Messages

• Extended access list question

  Hello,
  any suggestions why the following ACL will not apply?
  access-list 100 permit udp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 eq domain
  access-list 100 permit tcp any host 192.168.155.18 established
  access-list 100 deny udp any host 192.168.155.18
  access-list 100 deny tcp any host 192.168.155.18
  access-list 100 permit ip any any
  interface GigabitEthernet0/2.16
  description Subnetz 192.168.155.16/28
  encapsulation dot1Q 16
  ip address 192.168.155.17 255.255.255.240
  ip access-group 100 in
  The server 192.168.155.18 should only answer on requests on port 53 (tcp and udp). IOS image is c7200-jk9s-mz.124-25c.bin. Applied this access-list I can still connect through any other port like ssh and so on.
  Thanks,
  Thomas

  Hi Rick,
  no there is no NAT or other things turned on on this device.
  Router#sh ip access-list 100
  Extended IP access list 100
      10 permit udp any host 192.168.155.18 eq domain (379 matches)
      20 permit tcp any host 192.168.155.18 eq domain (5 matches)
      30 permit tcp any host 192.168.155.18 established (1 match)
      40 deny udp any host 192.168.155.18 (788 matches)
      50 deny tcp any host 192.168.155.18 (79 matches)
      60 permit ip any any (562 matches)
  Router#sh ip int gi0/2.16
  GigabitEthernet0/2.16 is up, line protocol is up
    Internet address is 192.168.155.17/28
    Broadcast address is 255.255.255.255
    Address determined by non-volatile memory
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound  access list is not set
    Proxy ARP is disabled
    Local Proxy ARP is disabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are never sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is enabled
    IP Flow switching is enabled
    IP CEF switching is enabled
    IP Flow switching turbo vector
    IP Flow CEF switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled
    IP route-cache flags are Fast, Flow cache, CEF, Full Flow
    Router Discovery is disabled
    IP output packet accounting is disabled
    IP access violation accounting is disabled
    TCP/IP header compression is disabled
    RTP/IP header compression is disabled
    Policy routing is disabled
    Network address translation is disabled
    BGP Policy Mapping is disabled
    WCCP Redirect outbound is disabled
    WCCP Redirect inbound is disabled
    WCCP Redirect exclude is disabled
  Reminder: 192.168.155.18 is fictive IP address because it was changed only for this post here.
  Thanks,
  Thomas

• Ssh Access-list

  Hi,
  I want to create an access-list that will allow any host to ssh to the Management address of a switch but, only the
  Management address. Does this look like a clean way to do this?
  ip access-list extended SSH_ACCESS
  permit udp Management VLAN ip any eq 22
  permit tcp Management VLAN ip any eq 22
  deny udp any other switch ips eq 22
  deny tcp any other switch ips eq 22
  permit ip any any
  line vty 0 15
  ip access-group SSH_ACCESS
  Thank you, Pat.

  Hi
  In IOS Version 12.4 its work likes that only. Can anyone try this in IOS version 15?
  R2#
  R2#sh ip int br | i up
  FastEthernet0/0            192.168.10.2    YES manual up                    up
  R2#
  R2#
  R2#telnet 192.168.10.1 /so fa0/0
  Trying 192.168.10.1 ... Open
  R1#
  R1#
  R1#sh ip access-list 100
  Extended IP access list 100
      10 permit tcp host 192.168.10.2 host 192.168.10.1 eq telnet log
      20 permit tcp host 192.168.10.2 any eq telnet log (8 matches)
      30 permit tcp any any eq telnet log
  R1#
  R1#
  R1#
  R1#sh ver | i Version
  Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
  ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
  R1#

• Access-list Question

  Hi,
  Can somebody explain me when to use "established" word at the end of access-list.

  "established" is a keyword used in the automatically generated ACLs for TCP return connections.
  check for this URL to get more infirmation.
  http://www.cisco.com/univercd/cc/td/doc/solution/sesm/sesm_320/webprtal/7fire.htm#1110326
  hope it helps ... rate if it does ...

• NAC access list question

  so we have a NAC in our lab, set up as L3 OOB....we have a vlan set up for internet only access..a route map is configured on the CORE to send the internet only traffic back to the NAC for restrictions (to mimic the inband solution)......in our unauthenticated role policy, we set up the access list on a vlan to only access the internet and block internal address...the weird thing is, the access list on the NAC works on any internal addresses, but when the pc pings/telnets the CORE itself (and any mgnt ip addresses) it works?????....anybody know the reason why...im sure a workaroud is to put an acl on the CORE itself to block that...
  Hope my drawing is enough to assist.....
  CORE--------l3 switch--------pc
  |
  |
  |
  NAC

  That's a great idea - the ACL on the management interfaces of the devices.
  Is the ACL for the unauthenticated role on the L3 switch or the Core?
  I would guess it is on the L3 switch, since it is likely the default gateway for that unauth vlan.
  peter

• IPSEC access-list question

  Hi,
  I have an access-list with the following line...
  permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
  and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
  protected vrf:
  local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
  current_peer: 62.140.138.249:500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors 0, #recv errors
  I also show a crypto ipsec sa which doesn't correspond directly to my accesslist. This is the second time I've seen this... is there any part of IPsec where the access-list are shared with the other end? i didn't think so, but I'm not sure how we got this, if not.
  protected vrf:
  local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
  current_peer: 62.140.138.249:500
  PERMIT, flags={}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
  #send errors 0, #recv errors 0
  Thanks!!

  Can you post the configuration from this device.
  Regards,
  Arul

• Simple MAC access control question on 5508

  We are forced to rush a installation of a WLC 5508 various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is impliment straight forward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and a interface setting. I need to have each MAC be able to access several WLAN's but not all of them. Can anyone point me to a artcle or give me a quick idea of what I can do.I have basic WLAN's configured and have MAC filtering generally working. I cannot just use a user authentication becasue each user may have 20-30 devices, but not all of these devices should be allowed on all WLAN's and I do not want to rely on the user.
  Thank you

  Looks like it is applicable only if AAA is configured for that WLAN.
  – interface_name
  —The name of the interface. This interface name is used to override the interface configured to the WLAN.
  Note You must have AAA enabled on the WLAN to override the interface name.
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wpmkr1222223

• Simple Spark Dropdown List Question

  Hello,
  In my interface, I have a drop down list. When the user changes the value, I'm trying to throw up an alert window ( 'are you sure...') because the change has a ripple effect. Everything works fine except when the user makes their selection from the Alert window, the dropdown list stays open. I've tried the 'closeDropDown' method, but that doesn't seem to work. I thought it might be because of the Alert control, but I'm not sure.
  Any help or a nudge in the right direction to where I can find an answer would be appreciated.

  First, thanks for responding.
  I was throwing up the alert window on the 'change' (and also unsuccessfully the 'changing') event of the drop down list. After reading your response, I tried throwing it up on the 'close' event of the dropdown list, which worked.

• Cleaning up Access Lists

  Here is an access list I want to know if I can "clean up" :
  access-list outside_access_in extended permit tcp any host 192.168.0.81 eq 7500
  access-list outside_access_in extended permit tcp any host 192.168.0.202 eq 3389
  access-list outside_access_in extended permit object RDP any any
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 7500
  access-list outside_access_in_1 extended permit object RDP any object FileServer
  access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53827
  access-list outside_access_in_1 extended permit tcp any object New_Server eq 3389
  access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53828
  access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53829
  access-list outside_access_in_1 extended permit tcp any host 192.168.0.81 eq 53830
  access-list outside_access_in_1 extended permit tcp any object New_Server eq 53850
  access-list outside_access_in_1 extended permit tcp any object New_Server eq 53810
  access-list outside_access_in_1 extended permit tcp any object New_Server eq 53855
  access-list outside_access_in_1 extended permit tcp any object New_Server eq telnet
  access-list outside_access_in_1 extended permit tcp any object New_Server eq 55443
  access-list outside_access_in_1 extended permit tcp any object New_Server eq 7500
  access-list outside_access_in_1 extended permit tcp any object DattoDevice eq ssh
  access-list outside_access_in_1 extended permit udp any object DattoDevice eq ntp
  access-list outside_access_in_1 extended permit icmp any object DattoDevice
  access-list RemoteVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 156.30.21.200 255.255.255.248
  access-list outside_cryptomap_1 extended permit ip object host-192.168.0.81 156.30.21.200 255.255.255.248
  What is the significance of the _1 on most of these statements? Should/could I add an _1 to the top 4 lines to make this list symmetrical?  I suspect some of these lines were created when they migrated over from a PIX501 to this ASA......

  Hi,
  To my understanding the numbering in the format "_1" (and similiar) are generated by device when you configure it through the ASDM.
  The "access-list" configurations for "outside_access_in" and "outside_access_in_1" are for 2 totally different ACLs.
  I would imagine that only one of them it attached to your "outside" interface at the moment. You can check what ACLs are attached to the interfaces of the ASA with the command
  show run access-group
  You could add the same lines from the old ACL to the new ACL with the "_1" at the end but you probably wont need all the statements (if any). The first line of the ACL you seem to have in the new one already.
  The second ACL line might be in the new ACL. I am not sure as it contains "object" configurations which hold the IP addresses that I cant see.
  Same goes for the third line of the ACL. It contains an "object" configuration though it seems it allows RDP from "any" host to "any" host. You might already have the RDP rules for the required hosts but with this information I can not say whats the case.
  The last (fourth) line of the ACL seems to be a RDP rule that previously allowed RDP connections towards a host that used the PIX firewalls "outside" interface as its public IP address. This wont be needed anymore as in the new software that you are using you always allow the traffic to the local IP address, even if there is a NAT conigured.
  The ACL named "RemoveVPN_SplitTunnelAcl" is probably currently in the "group-policy" configurations of your VPN. I doubt you will have to touch this at all.
  At the end of the post you have ACLs named "outside_cryptomap" and "outside_cryptomap_1". These seems to be ACLs configured for L2L VPN connections. Considering the destinatin subnet in both of these is identical I imagine that also only one of these is in actual use at the moment.
  You can check what is in use with the command
  show run crypto map
  Hope this helps :)
  - Jouni

• A simple report to list security access on all folders

  Hi there
  I want a simple report to list security access on all folders (group wise)
  any help ...??
  Thanks.
  Rakesh.

  Hi AnTiiiKa,
  For this issue, you can first retrieve all the users on the site, then get all permissions of each user. With this PowerShell Script you could retrieve all Permissions for a Specific User for a SiteCollection
  on all Webs and Subwebs, Lists and Items. Here is an article about how to get  all Roles and Groups from the User and the URL.  
  SharePoint SP2010 - Retrieve all User Permissions via PowerShell:
  http://sp2010userperm.codeplex.com/
  save the report to a csv (excel file):
  $web = Get-SPWeb http://address/site/site/site
  $user=$web.AllUsers
  Get-SPWeb YOURURL | Get-SPUserEffectivePermissions $user | Export-Csv -NoTypeInformation
  -Path c:\perms.csv
  Please inform me freely if you have any questions.
  Thanks

• ASR 5000 access list for ssh and telnet

  Dears,
  how can we  apply an access list for telnet and ssh on asr 5k ?
  please advise if this is feasible.
  thx.

  Hello Joseph,
  Sorry for the delay in response.
  To control access to ASR5000 via telnet, other than configuring an ACL, there is a way to disable telnetd by configuring local context.
  For example:
  config
  context local
  no server telnetd
  #exit
  System Administration Guide of the relevant version will give you detailed information in this regard.
  Here is the latest system admin guide (for SW version 17): http://www.cisco.com/c/dam/en/us/td/docs/wireless/asr_5000/17-0/PDF/17-ASR5000-Sys-Admin.pdf
  You can find other guides here:  http://www.cisco.com/c/en/us/support/wireless/asr-5000-series/products-installation-and-configuration-guides-list.html
  Hope this helps..
  Regards
  Aneesh

• Questions on Reflexive Access Lists

  Hi Sir,
  I'm trying to protect a server farm using reflexive access lists. I also would like any hosts to originate connections to the servers on TCP ports 23 (telnet) and 25 (smtp).
  The config on the core router is as follows:
  int Vlan10
  description *** Server Farm ***
  ip address 172.16.10.1 255.255.255.0
  ip access-group inboundfilters in
  ip access-group outboundfilters out
  int Vlan20
  description *** Marketing Department ***
  ip address 172.16.20.1 255.255.255.0
  int Vlan30
  description *** Engineering Department ***
  ip address 172.16.30.1 255.255.255.0
  ip access-list extended outboundfilters
  permit tcp any any eq telnet
  permit tcp any any eq smtp
  evaluate iptraffic
  ip access-list extended inboundfilters
  permit ip any any reflect iptraffic
  My questions:
  (1) I yet to test the above config on an actual router. However, is it correct theoretically?
  (2) If I were to allow outside hosts to initiate connections to the servers on more protocols/ports, I would be adding more normal "permit" statements in the outboundfilters ACL before the "evaluate" statement. Wouldn't this become very static-based, as far as security is concerned?
  (3) If you have other better feature options that meet my requirements, please do recommend.
  Please advise.
  Thank you.
  B.Rgds,
  Lim TS

  Hi Lim,
  CBAC is good as well, considering the following features:
  1. Traffic Filtering:
  - filters TCP and UDP packets based on application-layer protocol session information.
  - permit specified TCP and UDP traffic through a firewall when the connection is initiated from inside protected network, or outside network.
  2. Traffic Inspection
  - discover and manage state information for TCP and UDP sessions which is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions.
  - Protect against DoS attack by checking/verifying sequence no (must be within the expected range) and discard unknown packets. Same goes to attack via fragmented IP.
  3. Alerts and Audit Trails
  - can send real-time alerts and audit trails to syslog server (or buffer log)
  4. Intrusion Detection
  - Embedded with 59 well-known IDS signatures. Similar to IDS features in PIX.
  Limitations:
  1. Only protect protocol you specify. The rest will depend on ACL you have in the router but not up to session layer.
  2. No protection for attacks originating from internal network, unless if you have firewall (pix/asa/ios-firewall) protection.
  3. Only protect certain type of well-known attacks only - based on 59 embedded IDS signatures
  For spoofing protection, i.e spoof attack from outside/common user segment, maybe you should apply RFC2827 (prevent IP on protected segment from coming back into that segment from outside). Make sure your ACL has the 'establish' keyword as well. As recommended by Cisco, you should apply multiple layer of security protection both on your router and other devices connected to it.
  Cheers!

• WS-C3524-XL-EN , mac access-list , ssh ..

  does this switch CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION with last IOS running on, support SSH , and mac access-list to secure the port with mac
  thanks

  There is IOS software for the 3550 that supports ssh. You have to have cco login with priviledges - There is a "strong cryptographic (3DES) location on CCO for that software. Go to downloads for 3550 and look for the link.

• Access-list port range question

  Hi,
  I would like to clarify the exact operation of the below command:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  ip access-list extended VoiceACL
  permit udp any any range 16384 16387
  Thus the range statement in the above access list specify that it allow only three ports "16384 to 16387". Is that correct ? Bit confused with this command. One of my friend said that the range statement not just specify 3 ports,but it specify the starting port as 16384 and the end port number 32771 [16384+16387].
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Value1] = starting port number
  [Value2] + [Value1] = end port number
  Thanks
  Nachi

  Hi Nachi,
  This represent the ports ranging between the first number and the last number included, in your case this is actually 4 ports: 16384, 16385, 16386 and 16387
  Regards,
  Raphael

• Access-LIst a simple one

                     Hi All,
  am I correct in asuming the following ACl
  access-list inside_nonat_acl extended permit ip host 8.8.8.8 host 10.10.10.10
  permits all ip traffic from 8.8.8.8 to 10.10.10.10? I'm a litle confused because of the nonat syntax in the acl name.
  Thanks

  Hi thanks for the reply,
  I only have the .txt file so can't see if an interface has it applied.  I dont understand what they have done as one line may have
  allow 443 access to eg 10.10.10.10 from 4.4.4.4
  then another line will have permit ip to from 4.4.4.4 to 10.10.10.10
  signed
  Confused