Use extended ACL with NAT

Similar Messages

• Using extend option with PL/SQL table of tables

  Hi,
  I have a PL/SQL table of tables sructure on which I want to use extend option available with PL/SQL tables.
  But I am not able to do so. Could anyone help?
  Below is sample code given.
  Type RA_TABLE is table of CALL_DETAIL_EXCEPTION.IC_CIRCT_GR_CD%TYPE;
  TYPE tab_of_RA_TABLE IS TABLE OF RA_TABLE;
  for idx in 1..cnt_interval Loop
  query1:='select Trunk_info from dbl.vw_cgi v where not exists (select 1 from dbl.varun f
  where f.ic_circt_gr_cd= v.TRUNK_INFO and f.call_gmt_dnect_dt_time between
  to_date('''||stime||''',''yyyymmddhh24miss'') and to_date('''||etime||''',''yyyymmddhh24miss''))';
  execute immediate query1 bulk collect into Outer_table(idx);
  ra_cnt_1:= Outer_table(idx).count;
  diff:= max_cnt-RA_CNT_1;
  dbms_output.put_line('idx: '||idx);
  dbms_output.put_line('diff: '||diff);
  if diff>=1 then
  Outer_table(idx).extend( Diff);
  end if;
  end loop;
  The extend doesnt work.
  Please help!!

  Hi,
  I have a PL/SQL table of tables sructure on which I want to use extend option available with PL/SQL tables.
  But I am not able to do so. Could anyone help?
  Below is sample code given.
  Type RA_TABLE is table of CALL_DETAIL_EXCEPTION.IC_CIRCT_GR_CD%TYPE;
  TYPE tab_of_RA_TABLE IS TABLE OF RA_TABLE;
  for idx in 1..cnt_interval Loop
  query1:='select Trunk_info from dbl.vw_cgi v where not exists (select 1 from dbl.varun f
  where f.ic_circt_gr_cd= v.TRUNK_INFO and f.call_gmt_dnect_dt_time between
  to_date('''||stime||''',''yyyymmddhh24miss'') and to_date('''||etime||''',''yyyymmddhh24miss''))';
  execute immediate query1 bulk collect into Outer_table(idx);
  ra_cnt_1:= Outer_table(idx).count;
  diff:= max_cnt-RA_CNT_1;
  dbms_output.put_line('idx: '||idx);
  dbms_output.put_line('diff: '||diff);
  if diff>=1 then
  Outer_table(idx).extend( Diff);
  end if;
  end loop;
  The extend doesnt work.
  Please help!!

• Two VLANs on same Switch with NAT problem.

  Hello all.
  I have few cisco devices at home that i am using to study from. I am using for now on this little setup a 2620XM and a 3500XL Switch. I have two vlans setup on the switch VLan10 and VLan20 using router on a stick. I have setup the inside and outside interfaces. I have the fa1/0 as my outside with a dhcp address of 192.168.1.10. I have also setup my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when i try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side both hitting vlan 10 and 20. Once i applied either Nat solution i lose ping on one vlan while still pinging the other, but both vlans can't go out to the internet. Below is the NAT solutions i have tried below. Also running config for both router and switch. If anybody can i assist i would really appreciate it.
  NAT Solution 1
  ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
  ip nat inside source list 1 pool INET overload
  access-list 1 permit any
  NAT Solution 2
  ip nat inside source list 100 interface fa1/0 overload
  access-list 100 permit ip any any
  Router config
  R1#sh run
  Building configuration...
  Current configuration : 1470 bytes
  version 12.3
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname R1
  boot-start-marker
  boot-end-marker
  enable secret
  no aaa new-model
  ip subnet-zero
  ip cef
  interface FastEthernet0/0
   no ip address
   duplex auto
   speed auto
  interface FastEthernet0/0.5
   encapsulation dot1Q 5 native
   ip address 172.16.1.6 255.255.255.248
  interface FastEthernet0/0.10
   encapsulation dot1Q 10
   ip address 172.20.0.254 255.255.255.0
   ip nat inside
  interface FastEthernet0/0.20
   encapsulation dot1Q 20
   ip address 172.20.1.254 255.255.255.0
   ip nat inside
  interface Serial0/0
   no ip address
   shutdown
  interface Serial0/1
   no ip address
   shutdown
  interface Serial0/2
   no ip address
   shutdown
  interface Serial0/3
   no ip address
   shutdown
  interface FastEthernet1/0
   ip address dhcp
   ip nat outside
   duplex auto
   speed auto
   no cdp enable
  router ospf 1
   log-adjacency-changes
   network 172.16.1.0 0.0.0.7 area 0
   network 172.20.0.0 0.0.0.255 area 0
   network 172.20.1.0 0.0.0.255 area 0
   network 192.168.1.0 0.0.0.255 area 0
  no ip http server
  ip classless
  line con 0
   exec-timeout 0 0
   password
   logging synchronous
   login
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   password
   logging synchronous
   login
  line vty 5 181
   exec-timeout 0 0
   password
   logging synchronous
   login
  end
  Switch Config
  SW1#sh run
  Building configuration...
  Current configuration:
  version 12.0
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname SW1
  ip subnet-zero
  interface FastEthernet0/1
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 5
   switchport trunk allowed vlan 1,5,10,20,1002-1005
   switchport mode trunk
  interface FastEthernet0/2
  interface FastEthernet0/3
  interface FastEthernet0/4
   switchport access vlan 10
  interface FastEthernet0/5
   switchport access vlan 10
  interface FastEthernet0/6
   switchport access vlan 10
  interface FastEthernet0/7
   switchport access vlan 10
  interface FastEthernet0/8
   switchport access vlan 10
  interface FastEthernet0/9
   switchport access vlan 10
  interface FastEthernet0/10
   switchport access vlan 10
  interface FastEthernet0/11
   switchport access vlan 10
  interface FastEthernet0/12
   switchport access vlan 20
  interface FastEthernet0/13
   switchport access vlan 20
  interface FastEthernet0/14
   switchport access vlan 20
  interface FastEthernet0/15
   switchport access vlan 20
  interface FastEthernet0/16
   switchport access vlan 20
  interface FastEthernet0/17
   switchport access vlan 20
  interface FastEthernet0/18
   switchport access vlan 20
  interface FastEthernet0/19
   switchport access vlan 20
  interface FastEthernet0/20
   switchport access vlan 20
  interface FastEthernet0/21
   switchport access vlan 20
  interface FastEthernet0/22
   switchport access vlan 20
  interface FastEthernet0/23
   shutdown
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface FastEthernet0/24
   shutdown
   switchport trunk encapsulation dot1q
   switchport mode trunk
  interface GigabitEthernet0/1
  interface GigabitEthernet0/2
  interface VLAN1
   no ip address
   no ip directed-broadcast
   no ip route-cache
   shutdown
  interface VLAN5
   ip address 172.16.1.1 255.255.255.248
   no ip directed-broadcast
   no ip route-cache
  ip default-gateway 172.16.1.6
  line con 0
   transport input none
   stopbits 1
  line vty 0 4
   login
  line vty 5 15
   login
  end

  You need to change your acl because NAT doesn't usually work with "any" as the source.
  I tend to use extended acls so -
  access-list 101 permit 172.20.0.0 255.255.255.0 any
  access-list 101 permit 172.20.1.0 255.255.255.0 any
  and then use your second solution ie. overload on the interface.
  If you find you cannot ping between your vlans then you need to modify the above acl to deny traffic between the vlans/IP subnets then permit any as above but it should work without doing that.
  Jon

• Extended ACL permit ip and allowed ports

                     Hi everyone
  Need to confirm if we have extended ACL with object group below
  access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
  will above ACL allow all the ports  on the destination object group?
  Thanks
  mahesh

  And to illustrate the situation above
  Situation 1 - Only allow rule exists on the ACL
  object-group network SOURCE
  network-object 10.10.10.0 255.255.255.0
  network-object 10.10.20.0 255.255.255.0
  object-group network DESTINATION
  network-object 10.10.100.0 255.255.255.0
  network-object 10.10.200.0 255.255.255.0
  access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
  The above ACL would
  Allow ALL TCP/UDP source and destination ports
  Allow those from the source networks of SOURCE to the destination networks of DESTINATION
  Situation 2 - Deny rules exist before the allowing rule
  object-group network SOURCE
  network-object 10.10.10.0 255.255.255.0
  network-object 10.10.20.0 255.255.255.0
  object-group network DESTINATION
  network-object 10.10.100.0 255.255.255.0
  network-object 10.10.200.0 255.255.255.0
  access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
  access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
  access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
  The above ACL would
  First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
  It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
  It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
  The key thing to notice ofcourse would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
  So host 10.10.10.10 cant communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
  In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"
  - Jouni

• JS: Issues on using extendables

  Hi All,
  We use "extendables.jsx" with package for interlinking our internal url. When we use extendables in our script, we faces the below mentioned problems:
  1. try-catch functionality is not working and shows "null" object error. i.e. if any error persists in try loop, then script shows error and stops instead of moving to catch loop.
  2. We could not convert the script into  binary format.
  Kindly provide us a solution.
  regards
  Masthan

  I asked the developer on a separate issue, and the project isn't maintained, so good luck with support. You may have to try and fix it yourself. In fact at last check, there was no option to submit a bug/issue to the project's GitHub site, just able to submit pull requests and fork the project. I do see many forks, but am assuming the forks could be from "users" and not much of folks who actually contribute enhancements or fixes to the project (whether they kept it in their own forks or submitted pull requests). Sadly I find the Github UI hard to browse the forks expediently to see what's different between each etc. to see if anyone make changes in a fork.
  By the way, the separate issue I had with Extendables is that it's enhancement of ExtendScripts causes extra members/properties to a standard ExtendScript/javascript object. Thus when iterating over an object, you have to be sure to call object.hasOwnProperty(propertyName) to filter out the extra inherited members that are not meant to be there in your original intended object.

• Applying Extended ACL close to Destination

                     Hi Everyone,
  Need to share something here.Mostly we use extended ACL close to the source.
  Here is this scenario i need to use the extended ACL  close to destination to fix the issue.
  Here is info
  Server 1  connected to interface X  ASA1  it has wan connection to ASA2---ASA2 has connection to ASA3.
  Now  ASA3 is learning source server IP via its Y interface.
  In order to reach the destination server ASA3  has to through its interface Z.
  Now there was ACL  on ASA3 which denies traffic from source server IP  to destination IP on interface Y.
  I apply the ACL  on ASA3 to allow the traffic and it worked.
  Dooes someone elase also has seen this behaviour?
  Regards
  Mahesh

  Hi,
  The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.
  Just as an example I could mention one real life setup that I manage.
  The setup contains 4 firewalls always (at minimum)
  One is customer firewall/vpn device
  One is our vpn device
  One is our firewall device
  One is our partner firewall device
  This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)
  - Jouni

• GRE for VPN using extendable NAT.

  Iam trying to configure VPN, I've got this:
  ip nat inside source static tcp 192.168.100.8 1352 203.145.145.145 1352 extendable
  ip nat inside source static tcp 192.168.100.8 1723 203.145.145.145 1723 extendable
  ip nat inside source static tcp 192.168.100.8 47 203.145.145.145 47 extendable
  ip nat inside source static tcp 192.168.100.8 isakmp 203.145.145.145 isakmp extendable
  ip nat inside source static tcp 192.168.100.12 3389 203.145.145.145 3389 extendable
  where do I put the GRE protocol in this configuration? Without GRE vpn does not work.
  I don't want to do this:
  ip nat inside source static 192.168.100.8 203.145.145.145
  Is it a good idea to use interface Tunnel40843 for VPN than static NAT an external ip address, how do I use tunnel for VPN? What's the code?

  To see how GRE over IPSec can be configured, refer to 'Configuring IPSec/GRE with NAT' at http://www.cisco.com/warp/public/707/ipsecgrenat.html. The document additionally discusses a firewall configuration that you could skip unless you have a firewall in place too.

• Extended Notifications with Links while using Citrix to Access Hosted SAP

  Hello,
  I am working on a system which is hosted remotely where Citrix and Single signon are used to access the SAP instance.  I need to be able to send email to their Outlook server with executable links back to the workitems.  I had planned to use Extended Notifications to get this done.  I am fine with everything except for the Citrix link.  I am not sure whether the link in the email will be able to find its way through Citrix to the SAP instance.  I also need to know the SSO is going to work - it seems at a minimum they would need to sign on to Citrix.  Has anyone out there done this, or at least know whether it would/should/won't work?
  Thanks in advance for any help you can offer,
  Jeff Gray

  As far my knowledge, on Citrix it won't work. As far portal is concerned, it will work.
  Regards, IA

• Using extended desktop mode with ThinkPad x220

  I have an Acer AL2216W external monitor. It has a resolution of 1680 x 1050
  http://support.acer.com/acerpanam/monitor/0000/Acer/AL2216W/AL2216Wsp2.shtml
  When I use extended desktop mode with the external monitor set as the primary display, everything scales properly on both the external and internal monitor.
  However, if I set the internal monitor as the primary display, the external display does not fill the screen (there is a big black border around the desktop).
  In both cases, the resolution setting for the external monitor is 1680 x 1050.
  Is this normal behaviour?
  Solved!
  Go to Solution.

  Hello,
  That's how Windows behaves.  Supposedly Realtime Soft Ltd.'s UltraMon gives you more precise control over wallpaper under Windows, but I have not used it myself.
  Regards,
  Aryeh Goretsky
  I am a volunteer and neither a Lenovo nor a Microsoft employee. • Dexter is a good dog • Dexter je dobrý pes
  S230u (3347-4HU) • X220 (4286-CTO) • W510 (4318-CTO) • W530 (2441-4R3) • X100e (3508-CTO) • X120e (0596-CTO) • T61p (6459-CTO) • T43p (2678-H7U) • T42 (2378-R4U) • T23 (2648-LU7)
    Deutsche Community   Comunidad en Español Русскоязычное Сообщество

• SC with Limit Item using Extended Classic Scenario?

  Hello,
  Can we implement SC with Limit Item using Extended Classic Scenario.
  I mention that we replicate the Product Categories from R/3 backend.
  We have tried to create a SC with Limit item, but the data on Quantity, Price and Tax is not picked up at PO level.
  Regards,
  Shaiek

  Hi
  Please try out this.
  For the time-being,
  Try de-activating all the custom BADI Implementations and check, what is happening, in the standard SRM system. How does it behave incase of limit item ?
  Incase it works fine, without any Custom Implementation active in the system, I suspect there is something wrong in your current deactivated BADI Implementation.
  Since i don't have access to your system , Please paste the code here.
  Hope this will help.
  Please reward suitable points.
  Regards
  - Atul

• Play Quicktime file on extended mode with 2 monitors using fullscreen

  I have content that plays in QuickTime that was designed to run on 2 displays using extended mode. Whenever I full screen it defaults to only using one of the displays.

  Here, this might help you. I was having problems copying to my Lacie external hard drive, too. I contacted Lacie and this was the response I received - which I followed and have now been able to move all my imovie, idvd, quicktime, etc. files to the Lacie:
  The default formatting on these drives is FAT32, compatible with both Mac and PC. However, FAT32 has some limitations-it will not hold any single file larger than 4GB and it does not like filenames with any other characters other than A-Z, a-z, 0-9, periods and underscores. Mac
  OS 10.1.x and 10.2.x will not mount large FAT32 volumes.
  The Mac Extended format does not have any of these limitations as it is the Mac-native format. If you will not be sharing this drive with a PC at all, reinitialize the drive as follows. You will need to copy off
  any data you need temporarily as this will erase the drive.
  OS X - Initializing with Disk Utility (will erase the drive)
  1. Open the Disk Utility found the Utilities folder.
  2. On the left, select the drive (not the volume below it).
  3. On the right, select the Partition tab.
  4. Under Volume Scheme, set it to the number of partitions desired(usually Mac OS Extended).
  5. Set the format you desire.
  6. It is not necessary to check the OS 9 Drivers check box.
  7. Once you have the drive set up how you desire, click on the Partition button in the lower right.
  8. It should only take a few moments to complete, and when done, the drive will mount on the desktop.
  Answers to most common questions can be found in the manual on the CD
  that came with your product or in our FAQs:
  http://www.lacie.com/support/faq/

• Canot erase my macbook air ssd..always create a extended partition with about 5G used space

  I cant erase my air ssd, always create about 5G used extended partition..

  Try booting the fallback kernel, there is a problem with the AHCI driver concerning new Macbooks. When you've booted, add ata_generic to the modules in /etc/mkinitcpio.conf and rebuild the initrd with mkinitcpio -p kernel26.

• [svn:osmf:] 9829: Extending ILayoutContext with an ' updateIntrinsicDimensions' method, that the ILayoutRender uses to inform the context that context' s intrinsical dimensions may have changed because its children got layed-out .

  Revision: 9829
  Author:   [email protected]
  Date:     2009-08-31 06:38:08 -0700 (Mon, 31 Aug 2009)
  Log Message:
  Extending ILayoutContext with an 'updateIntrinsicDimensions' method, that the ILayoutRender uses to inform the context that context's intrinsical dimensions may have changed because its children got layed-out. Adding implementing code to LayoutContextSprite and LayoutRendererBase.
  Modified Paths:
      osmf/trunk/framework/MediaFramework/org/openvideoplayer/layout/ILayoutContext.as
      osmf/trunk/framework/MediaFramework/org/openvideoplayer/layout/LayoutContextSprite.as
      osmf/trunk/framework/MediaFramework/org/openvideoplayer/layout/LayoutRendererBase.as

  A slow boot time can be caused by login items.
  User Login Items:
      Flux
      NoSleep
      ClipMenu
      Canon IJ Network Scanner Selector2
      BetterTouchTool
      USBOverdriveHelper
      TotalFinder
      Gmail Notifr
  Open System Preferences > Users & Groups > Login Items
  Remove one login item noted above then restart your Mac to test. It may be one or multiple items causing the slow boot.

• Can you use Time Capsule with any wifi extender?

  Can you use Time capsule with any wifi extenders?

  No, since Apple designed their routers to only work with other Apple routers.
  I suppose that it is possible that another brand might work, but since you won't know this until you try, it would be a good idea to have a clear understanding of the store's return policy before you decide to gamble.

• Extended acl - multiple ports on same acl line

  hello
  i'm working on a (long) acl and have started looking at putting multiple ports on the same line
  e.g.
  instead of:
  ip access-list extended test3
  permit tcp any host 10.10.10.1 eq 80
  permit tcp any host 10.10.10.1 eq 443
  i'd use:
  ip access-list extended test3
  permit tcp any host 10.10.10.1 eq 80 443
  its shortening the acl considerably but the question is:
  does this method reduce the TCAM resources required (compared to writing the acl in long hand)?
  what are the maximum number of ports that can be included on the same line - is it platform/ios dependant?
  thanks
  andy

  Hello
  No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
  Cisco3750#show platform tcam utilization
  CAM Utilization for ASIC# 0                      Max            Used
                                                           Masks/Values    Masks/values
  IPv4 security aces:                          1024/1024         33/33
  Note: Allocation of TCAM entries per feature uses
  a complex algorithm. The above information is meant
  to provide an abstract view of the current TCAM utilization
  As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
  thanks
  Andy