Thoroughly confused with ASDM-created access-lists when viewing ASA config

Background:
I am trying to unravel an ASA 5550 config that has been created over several years, by multiple people, some who used ASDM, some who used the CLI.
None of them ever removed any lines from the configuration, and none did any documentation.
I have several basic questions, which show my ignorance.
When examining the actual configuration from a CLI perspective:
1. Does an ASDM-created access list end with any specific ASDM-added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

Actually, I don't think I ever made myself clear.
I am working with a hard copy of the CLI.
I have no access to the devices to run any commands, nor access to the ASDM.
I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
As stated before, it has been built and rebuilt by different people, some using the CLI, some using ASDM, but no one ever cleaned up the config or documented it.
I have probably 10-15 different access lists in this config.
Some look to be affiliated with specific ports. Some of these ports are up, some down.
I have the same rule sets appearing in 3 separate access lists, in some cases.
Of course, each of these 3 access lists is slightly different.
Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
An example:
3 access lists:
Primary_Public_access_in
Primary_Public_access_in_tmp
Arin_Primary_Public_access_in
Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
Primary_Public_access_in does not appear to be directly associated with any one port.
So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that are being referenced to manage traffic?
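An added example, not part of the original post: a Python script that does the bookkeeping the question asks for over a text copy of the config. It reports, for every access-list name, which commands consume it (access-group, pre-8.3 nat, class-map match, crypto map match address, vpn-filter) and whether the interface an access-group binds it to is shut down. The config below is constructed here and only reuses the access-list names from the post; the verdict labels are the script's own, not ASA output.

```python
import re
from collections import defaultdict

# Constructed sample config (not the post's device); it reuses the access-list
# names from the post so the report reads like that case.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Primary_Public
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 nameif Arin_Public
 security-level 0
!
access-list Primary_Public_access_in_tmp extended permit tcp any host 192.0.2.10 eq 443
access-list Arin_Primary_Public_access_in extended permit ip any any
access-list Primary_Public_access_in remark legacy rule set, origin unknown
access-list Primary_Public_access_in extended permit tcp any host 192.0.2.10 eq 80
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group Primary_Public_access_in_tmp in interface Primary_Public
access-group Arin_Primary_Public_access_in in interface Arin_Public
nat (inside) 0 access-list NONAT
"""

# Commands besides access-group that consume an ACL by name (group 1 = ACL name).
REFERENCE_PATTERNS = [
    ("nat", re.compile(r"^nat \(\S+\) \d+ access-list (\S+)")),
    ("class-map match", re.compile(r"^\s+match access-list (\S+)")),
    ("crypto map", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
    ("vpn-filter", re.compile(r"^\s+vpn-filter value (\S+)")),
]


def parse_interfaces(lines):
    """Map each nameif to True when its interface block contains 'shutdown'.
    ASA prints 'shutdown' before 'nameif', so the flag is carried until the
    name is seen; any non-indented line ends the block."""
    state, name, shut = {}, None, False
    for line in lines:
        if not line.startswith(" "):
            name, shut = None, False
            continue
        if line.strip() == "shutdown":
            shut = True
        elif line.startswith(" nameif "):
            name = line.split()[1]
        if name is not None:
            state[name] = shut
    return state


def audit_access_lists(config_text):
    """Return {acl: {"lines": n, "references": [...], "verdict": str}}."""
    lines = config_text.splitlines()
    shut = parse_interfaces(lines)
    acls = defaultdict(lambda: {"lines": 0, "references": []})
    for line in lines:
        if m := re.match(r"^access-list (\S+) ", line):
            acls[m.group(1)]["lines"] += 1  # counts remark lines as well
            continue
        if m := re.match(r"^access-group (\S+) (?:(in|out) interface (\S+)|global)$", line):
            acl, direction, ifname = m.groups()
            if ifname is None:
                ref = "access-group global"
            else:
                status = "shutdown" if shut.get(ifname) else "up"
                ref = f"access-group {direction} {ifname} ({status})"
            acls[acl]["references"].append(ref)
            continue
        for kind, pat in REFERENCE_PATTERNS:
            if m := pat.match(line):
                acls[m.group(1)]["references"].append(kind)
    report = {}
    for name, info in acls.items():
        refs = info["references"]
        if info["lines"] == 0:
            verdict = "referenced but never defined"
        elif not refs:
            verdict = "unreferenced"
        elif all(r.endswith("(shutdown)") for r in refs):
            verdict = "bound only to a shutdown interface"
        else:
            verdict = "in use"
        report[name] = {"lines": info["lines"], "references": refs, "verdict": verdict}
    return report
```

Run `audit_access_lists(open("config.txt").read())` on the hard copy once it is typed in; an ACL that comes back "unreferenced" is the one to confirm against a `show access-list` from someone with device access before deleting it.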

Similar Messages

  • Hostname(with wildcards) based access-list or policy.

    Is there any way in cisco to use hostnames with wildcards either in ACL, or Policy, class map etc, for example I want to identify following devices with one keyword..for blocking/permit etc
    UKlondon001
    UKlondon002
    UKlondon003
    Uklondon004
    UKlondon005
    I want to capture all these with wildcard UKlondon*
    something like regular expressions...

    You can group them in object-groups. You'll need to configure their names and then create an object group:
    name 10.5.5.5 uklondon001
    name 10.5.5.6 uklondon002
    object-group network UKLONDONS
    network-object host uklondon001
    network-object host uklondon002
    access-list permit tcp any object-group UKLONDONS eq 80
    The above (from memory so don't quote me) will allow any traffic to hit any of those servers on port 80.
    If you're wanting to do this for certain websites like youtube.com or google.com, you'll need to use regex and class-maps.
    HTH,
    John

  • How to read the content from a External Content Type with out creating External List in Sharepoint 2013?

    Hi,
    I have a requirement to read the External Content Type and store the data in a Session variable, reading the content from the External Content Type without creating an External List.
    Please help; I am trying to find the solution but am unable to do so.
    Thanks,
    Pradeep

    Hi,
    Firstly, an external content type is designed to work with a SharePoint list, and there is no way to read it apart from this.
    If you are looking for a solution outside of Business Connectivity, then find out whether the data source has been exposed through WCF and a web service.
    If so, you can use the REST API and CSOM to consume that data in SharePoint.
    You can also leverage the ADO.NET option if the data source is based on MS technologies.
    Murugesa Pandian| MCPD | MCTS |SharePoint 2010

  • Need Help to create access-list based on traffic logs

    Hello,
    We didn't have any firewall in our network; we recently implemented a Cisco ASA (context) firewall in our network with an any-any permit rule.
    Our intention is to collect the source, destination, protocol and ports from the traffic logs and then implement the access-lists; once we have confirmed that all the rules have been added to the firewall, we want to remove the any-any permit rule.
    I need some suggestions on how we can proceed with this plan; any suggestions are appreciated.
    Rajkumar

    Hi Rajkumar,
    That is not the ideal way of doing it... this will lead to provisioning an unauthorized person with access to something he is not authorized for.
    How many users do you have in your network? Try to categorize users based on their present authorization level of access.... say Team A users need to access everything... then you need to group them and provide full access..... Team B users need to be provided with only restricted access.... then group them and provide restricted access....
    If your case is something like this.... all users need unrestricted intranet access and certain users alone require internet access... then you can define rules accordingly....
    Regards
    Karthik

  • Req help: creating access-lists

    cisco 2651XM router
    IOS: c2600-adventerprisek9-mz.124-15.T8.bin
    connected to internet by wic1-adsl card
    I would like to configure my router to block the following ranges of ip's.
    Start IP End IP
    69.25.60.0 69.25.61.255
    208.111.154.0 208.111.154.255
    209.249.86.0 209.249.86.255
    The problem is I'm at beginner level at configuring the Cisco router, so I'd appreciate help in knocking up a set of access lists that will do this job. Thanks for any advice.

    Also, one final note: 12.4(15)T8 supports named ACLs, as does almost any IOS these days. This is a highly recommended practice.
    I have seen several times on our network where someone wants to remove a subnet from a numbered ACL and enters the following command...
    no access-list xxx deny ip 208.111.154.0 0.0.0.255 any
    Unfortunately, the router just reads this as no access-list xxx and deletes the entire ACL. The recommended way to do this would be as follows...
    ip access-list extended
    deny ip 69.25.60.0 0.0.1.255 any
    deny ip 208.111.154.0 0.0.0.255 any
    deny ip 209.249.86.0 0.0.0.255 any
    exit
    interface x/x
    ip access-group
    end
    Named ACLs are also typically easier to find in the config. For example, if you were to use a numbered ACL, say ACL 5, and later need to find everywhere it is used, you would have to search the config for "5" and that could appear many, many times. One final recommendation I make is that you use all caps when naming anything in your configuration. This makes it pretty simple to see what is something you named versus what is part of the router's parser syntax.

  • How to create static list type view state?

    Hi!
    I want to create a static List-type view state in ASP.NET C# for the below type of list:
    static List<KeyValuePair<string, int>> istrStartDate = new List<KeyValuePair<string, int>>();

    Please post it in the dedicated ASP.NET forum
    http://forums.asp.net for more efficient responses.

  • When accessing my webmail hosted by Microsoft Office Outlook Web Access software the list of Inbox emails is not complete when viewed with Firefox but it is when viewed with IE.....any suggestions why?

    the email at issue is one I sent to myself . In addition Exchange only allows use of its 'lite' version when using Firefox but IE allows all functions.

    Sometimes a problem with Firefox may be a result of malware installed on your computer, that you may not be aware of.
    You can try these free programs to scan for malware, which work with your existing antivirus software:
    * [http://www.microsoft.com/security/scanner/default.aspx Microsoft Safety Scanner]
    * [http://www.malwarebytes.org/products/malwarebytes_free/ MalwareBytes' Anti-Malware]
    * [http://support.kaspersky.com/faq/?qid=208283363 TDSSKiller - AntiRootkit Utility]
    * [http://www.surfright.nl/en/hitmanpro/ Hitman Pro]
    * [http://www.eset.com/us/online-scanner/ ESET Online Scanner]
    [http://windows.microsoft.com/MSE Microsoft Security Essentials] is a good permanent antivirus for Windows 7/Vista/XP if you don't already have one.
    Further information can be found in the [[Troubleshoot Firefox issues caused by malware]] article.
    Did this fix your problems? Please report back to us!

  • How to sync changes in user-created distributions lists when used by multiple Outlook users

    Hi all,
    Thanks for looking at my post. We are using Outlook exchange and Outlook 2010.
    I have created a distribution list that is comprised of 20 members (students) with email addresses outside our organisation. I have sent this list to others in my work team (lecturers) and they have added the list to their own contacts group; we share this list as we all email the same students for different reasons.
    My issue arises when a student needs to be deleted from the distribution list and I am the first person to find out about it. Ideally, I would like to take the student off and have this distribution list automatically update for the other lecturers instead of having to re-send the list to them after it has been edited. As it stands at the moment, each lecturer has to go into the distribution list I originally sent to them to delete the student.
    There has to be an easier way to sync the changes that each lecturer makes to this list.
    Any ideas?
    Thanks in advance
    Sharyn

    You can place the group in a shared Contacts folder so everyone will see the same group.
    Depending on your Exchange infrastructure and working habits, this could be a folder in your mailbox, a Public Folder, Shared Mailbox or even a SharePoint List.
    Robert Sparnaaij
    [MVP-Outlook]
    Outlook guides and more: HowTo-Outlook.com
    Outlook Quick Tips: MSOutlook.info

  • IPhoto problem with "date created" on photos when moving to Ext HD

    I'm unable to copy or backup photos from iPhoto onto an external HD w/o iPhoto changing the original date and time information for the photos. I've exported them and dragged them, with different results, but the "date created" changes every time. It changes the date the original photo was taken (which is displayed for each photo in iPhoto), either changing it to the date that I edited the photo or the date that I moved the photo onto the Ext HD.  Any solutions?

    Thanks for the responses, Larry and Terence. 
    I understand that there is a difference between the photo date and the file date, and I think I understand what is going on when I try to copy my photos onto my External HD.  What I don't understand is why the EXIF data from each photo can't be transferred along with the photo.  The only date information that comes with it (via Finder) is the following:
    1) If I drag photos into a file I've named and created on my ExtHD, Finder changes the "date created" from the date the photo was taken to the date that I moved the photo from my laptop onto my desktop Mac, not the date that the photo was taken.
    2)  If I use the export function to attempt to put photos on my ExtHD, finder changes the "date created" and the "date modified" to the current date and time on every photo.  (And who would even want that information?)
    What I want is for each photo to display the date and time that I actually TOOK the photo.  Is that so hard to do?
    Why does Finder switch to some sort of filing date instead of keeping the EXIF data that it seems most people would prefer?
    I hate to say this, but when I had a PC this was as easy as pie.  No problems, EVER.  And now that I have a Mac, my photo library on my ExtHD (where I store my photos for safekeeping -- in addition to Time Machine) is a mess.  My folders display the date, but the photos inside each file are incorrectly dated.
    Melinda
    P.S.  I have Mac OS X, Version 10.5.8, and would need the 10.6 version or higher to use the Better Finder app that Terence mentions.  Do you think I should update to get that program?  Is that program free or do I have to pay for it?  Would that solve my problems?

  • Problems with dark Artifacts on images when viewed on PC screens???

    I have a very urgent problem concerning Adobe Photoshop CS3, my Apple Cinema 20 inch Display and my SpyderPro2 on my Mac Pro Intel Dual Core Xeon 2x 2.66GHz.
    I have been using the Spyder for some years now, but recently I have been having big problems with the results. I only use Photoshop CS3 to enhance digital products images.
    I have a major contract with a jewellery company in London, where I clean up digital photos. Images that I have lightened up to look great on my Cinema Display have been reported by my client to look pretty dark on their PC's in their offices.
    Some of these images show lines and grubby patches??? To check this I opened files in Photoshop and moved the levels 'black' slider down quite some way, and did see evidence of what the client could see at their end? It seems that when I have used a faded eraser brush it leaves a light patch in between the shadows of the jewellery. This shouldn't be visible to the naked eye though?
    I must point out that when I use the eyedropper tool on images, to read the amount of grey or colour in the white areas around the pieces, I am shown values of 1, 2 or 4 maximum in the CMYK values. 4 percent out of 100 is nothing and should not be visible to the naked eye?
    How is it that my clients PC's can see dark shadows and where my eraser brush has rubbed out???
    I have tried many re-calibrations and also tested all of my older calibrations dating back a few years. I have also tested the same faulty images on Intel iMac's, an eMac, and a few PC's. On the iMac's I can just about make out the artefacts that my client can see, but nothing that I would deem as unacceptable.
    I am at a loss as to the fault, but It may be the Spyder2 Pro's inability to calibrate my Apple Cinema display properly? I may lose my contract which I cannot afford to do, and I simply have to find the cause ASAP.
    I have my Mac's in my office apartment next to two bay windows. I have vertical blinds there. When calibrating I have always turned off all the lights and pulled the blinds right back so that only the light from the two large window doors is coming in.
    For graphic design the calibrations seemed to be okay for quite some time, but recently it is getting harder to achieve good results with the Spyder? This could affect all of my workflow which is very serious. But I must stress that overall the Spyder results are not terrible. I can see good colours and dark levels and in general across all of my calibrated profiles, the jewellery looks acceptable on my Cinema Display?
    I did say to my clients that they should calibrate their PC screen properly but their offices have many Screens and they all show the same artefacts (some much worse than others)? I know that PC Screens are darker than Mac's but a 4% grey should not be visible????
    As these are a web company the images will be seen by PC users around the world and most of these will have no calibration on their screens. What can be done to prevent this and what is the cause of this? I can't possibly please everyone, but as a creative professional I have to be 100% certain that my workflow is at its best.
    I need urgent help to solve this or lose valuable business? I hope that you are able to help solve this mystery. Could this possibly be something with Photoshop?
    I have just purchased the new Spyder3 Pro which I hope will give perfect results but I have to find out what the cause of this is. If some of the fault lies with the client, I can charge these for all the testing and calibrating I have done.
    Kind regards,
    Jason Conway
    ideo-sync - inspired design.

    Thanks for all your comments and so quickly.
    To be clearer, I am not working in CMYK for image enhancing at all, but windows RGB in photoshop, which is darker than working CMYK or Monitor RGB. I just use the CMYK colour scale in the photoshop colour picker window to see what values are around the object.
    It's not 4 across all four but on average C4, M2, Y1, K0.
    When saving in save for web the images look fine on my screen, pretty much the same as the photoshop tiff file.
    Each image has adobe RGB 1998 embedded when saved as a tiff file.
    The client looks on internet explorer 7 on their PC's and also within Photoshop.
    Colour settings within photoshop are using MacUser magazine's recommended setting from 2006: RGB: Adobe RGB 1998, CMYK: Euroscale Coated V2, Grey: Generic Grey, SPOT: 20% dot gain. Engine: Apple CMM, Intent: Relative Colorimetric. Also Black point compensation and User Dither are checked.
    Also the monitor calibration is set at 6500 at 2.2 gamma.
    To be clearer about the dark shadowing and the artefacts. When using levels I click on a shadow point to remove all but a slight shadow. Then I sometimes need to use the faded eraser to clean up or lessen the shadow. The image looks fine on my screen, but in the levels window I drag the black pointer about a third of the way across the screen to simulate what the client is seeing on their screen. This is quite a long way to drag the slider. I can sometimes see the edges of the image, or white holes where the eraser has been. The lines are areas around the object that have been rubbed out a bit.
    I agree that colour values will show on a screen, but the effect of the shadow should be smooth and not clearly visible with an edge?
    http://www.ideo-sync.co.uk/p110741.jpg
    also p110741.tif
    I have uploaded the layered tiff file and the web jpeg to my server, so you can hopefully see something odd?
    If there is a problem with my cinema display at least it's under warranty, and the new Spyder3 Pro should help when it arrives in a few days' time.
    Hopefully I can pinpoint the exact cause to this and take steps to stop this ever happening again. I am very grateful for your advice and help.
    Kind regards,
    Jason.

  • ADF -how to create table binding when view object is no known until runtime

    I want to programmatically create a table binding to a view object where the view object name is not known until run-time. Then I will use a dynamic table to display it. Can anyone provide an example?

    I looked at example #9. It gets me closer to what I am looking for but not quite enough. In my case, I don't have (or want in this case) a pageDefinition with a pre-declared Iterator binding. I am converting an existing BC4J/Struts/JSP application. I would like to rewrite my reusable component tags to make use of ADF bindings and Faces. My tags are passed the ApplicationModule and ViewObject names as parameters, much like the old BC4J datatags. I do not want to go back and rewrite all of my pages from scratch using drag-and-drop declarative bindings with a pageDefinition for every page. I am hoping to have my rewritten tags handle everything programmatically based only on the ViewObject name passed at run-time.

  • Anyone have issues with watch face not disappearing when viewing glances. Pic included.

    Take a look at your watch when you swipe up to glances the watch face remains in a blurred background. Wasn't like this out of the box.

    Yes mine does the same. This isn't a problem though is it.  mine did the same out of the box and I have no problem with it.  I'm pretty sure it's an intentional Feature.

  • ASA5505 Upgrade to 9.1.5 from 8.4.1 - problem with nat and accessing external host

    When running on 8.4 I had a working config with the following scenario.
    I have 2 interfaces configured as the outside interface.
    One is connected to my internet connection.
    The other one is connected to a host that has a public IP.
    The public host can access the internet and also a PAT port on an internal host.
    But after the upgrade the internal hosts can't access the external host, but can reach everything else on the internet:
    packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   x.x.x.0    255.255.240.0   outside
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop  
    Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
    If i add 1 to the destination ip:
    packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   x.x.x.0    255.255.240.0   outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any4 any4 
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Phase: 7      
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW 
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 98586, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    Nat rules:
    nat (inside,outside) source static IPv6_HOST interface service https https
    nat (inside,outside) source static IPv6_HOST interface service http http
    nat (inside,outside) source static IPv6_HOST interface service ssh ssh
    nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
    nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
    nat (inside,outside) source dynamic any interface
    The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
    I can ping the EXTERNAL host from the ASA but not from the internal network.
    Any ideas would be appreciated.

    Hmmm, by adding the following I got it working:
    nat (inside,outside) source static IPv6_HOST interface service https https
    nat (inside,outside) source static IPv6_HOST interface service http http
    nat (inside,outside) source static IPv6_HOST interface service ssh ssh
    nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
    nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
    nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
    nat (inside,outside) source dynamic any interface
    It is a bit complicated though, since the EXTERNAL host gets its address via DHCP and so does the ASA.

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
    policy-map global_policy
    class inspection_default
    inspect icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If the problem is still current, I can answer this question for you.
    Let's look at the situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet comes in. If we're speaking about ping, then the ACL rules must allow packets in both directions.
    With ICMP inspection, the ACL entry should allow only request packets; replies will be allowed based on the connection created by ICMP inspection.
    Speaking about your particular example with different security levels, with the default rule that allows traffic from a higher-security interface to a lower one: NO, you do not need to enter the rules you described, and you will have a successful ping.
    If you deleted this rule and administer the allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
    P.S. It's not good practice to leave that default rule, which allows traffic from a higher security level to a lower one.

  • Unable to SSH in to ASA with new created user

    Hello. I have an ASA 5510 firewall running an older version of code. I'm trying to create a new user account to log in but I can't seem to SSH with this account. ASDM works fine but SSH fails. I thought the command would have been:
    username newuser password usertest123 privilege 15
    But I can't SSH with this. What am I missing?
    Cisco Adaptive Security Appliance Software Version 7.2(4)
    Device Manager Version 5.2(4)

    I think this may be what's missing. Here's the error I received though when trying to add this to the configuration. I'm assuming I need to create this group?
    FIrewall-ASA(config)# aaa authentication ssh console local
    ERROR: aaa-server group local does not exist
    Usage: [no] aaa mac-exempt match <mac-list-id>
            [no] aaa authentication secure-http-client
            [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
            [no] aaa authentication|authorization|accounting include|exclude <svc>
                    <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
            [no] aaa authentication serial|telnet|ssh|http|enable console
                    <server_tag> [LOCAL]
            [no] aaa accounting telnet|ssh|serial|enable console <server_tag>
            [no] aaa authentication|authorization|accounting match
                    <access_list_name> <if_name> <server_tag>
            [no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
            [no] aaa accounting command {privilege <level>} <tacacs_server_tag>
            [no] aaa proxy-limit <proxy limit> | disable
            [no] aaa local authentication attempts max-fail <fail-attempts>
            clear configure aaa
            clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
            show running-config [all] aaa [authentication|authorization|accounting
                    |max-exempt|proxy-limit]
            show aaa local user [lockout]
