Use extended ACL with NAT
Believe it or not, once in a while I fumble with some basic concepts. Here is one: on our perimeter FW, an ASA, there are these NAT rules configured.
I just couldn't figure out why they use extended ACLs for the sources. Isn't the standard one good enough?
thanks in advance,
Han
access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_5
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 0.0.0.0 0.0.0.0
Hi Han,
If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.
Standard ACL:
access-list 10 standard permit 172.16.0.0 255.255.0.0
Extended ACL:
access-list abc extended permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
This is how it differs. In your scenario the destination is specific while the source is any, so that is why the extended ACL is in the picture. Hope this clears it up for you.
Please do rate if the given information helps.
By
Karthik
Similar Messages
-
Using extend option with PL/SQL table of tables
Hi,
I have a PL/SQL table of tables structure on which I want to use the extend option available with PL/SQL tables.
But I am not able to do so. Could anyone help?
Below is the sample code.
Type RA_TABLE is table of CALL_DETAIL_EXCEPTION.IC_CIRCT_GR_CD%TYPE;
TYPE tab_of_RA_TABLE IS TABLE OF RA_TABLE;
for idx in 1..cnt_interval Loop
query1:='select Trunk_info from dbl.vw_cgi v where not exists (select 1 from dbl.varun f
where f.ic_circt_gr_cd= v.TRUNK_INFO and f.call_gmt_dnect_dt_time between
to_date('''||stime||''',''yyyymmddhh24miss'') and to_date('''||etime||''',''yyyymmddhh24miss''))';
execute immediate query1 bulk collect into Outer_table(idx);
ra_cnt_1:= Outer_table(idx).count;
diff:= max_cnt-RA_CNT_1;
dbms_output.put_line('idx: '||idx);
dbms_output.put_line('diff: '||diff);
if diff>=1 then
Outer_table(idx).extend( Diff);
end if;
end loop;
The extend doesn't work.
Please help!! -
Two VLANs on same Switch with NAT problem.
Hello all.
I have a few Cisco devices at home that I am using to study from. For now I am using a 2620XM and a 3500XL switch in this little setup. I have two VLANs set up on the switch, VLAN 10 and VLAN 20, using router on a stick. I have set up the inside and outside interfaces. I have fa1/0 as my outside with a DHCP address of 192.168.1.10. I have also set up my internet router to see networks 172.20.0.0/24 and 172.20.1.0/24. I am able to ping back and forth from 192.168.1.0/24 to both networks. The issue comes when I try to apply NAT. I have tried two different setups and both have failed. I have two ping windows open on my PC on the 192.168.1.0/24 side, one hitting VLAN 10 and one hitting VLAN 20. Once I apply either NAT solution I lose ping on one VLAN while still pinging the other, but neither VLAN can go out to the internet. Below are the NAT solutions I have tried, plus the running config for both router and switch. If anybody can assist I would really appreciate it.
NAT Solution 1
ip nat pool INET 192.168.1.10 192.168.1.10 netmask 255.255.255.0
ip nat inside source list 1 pool INET overload
access-list 1 permit any
NAT Solution 2
ip nat inside source list 100 interface fa1/0 overload
access-list 100 permit ip any any
Router config
R1#sh run
Building configuration...
Current configuration : 1470 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname R1
boot-start-marker
boot-end-marker
enable secret
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
no ip address
duplex auto
speed auto
interface FastEthernet0/0.5
encapsulation dot1Q 5 native
ip address 172.16.1.6 255.255.255.248
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 172.20.0.254 255.255.255.0
ip nat inside
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 172.20.1.254 255.255.255.0
ip nat inside
interface Serial0/0
no ip address
shutdown
interface Serial0/1
no ip address
shutdown
interface Serial0/2
no ip address
shutdown
interface Serial0/3
no ip address
shutdown
interface FastEthernet1/0
ip address dhcp
ip nat outside
duplex auto
speed auto
no cdp enable
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.7 area 0
network 172.20.0.0 0.0.0.255 area 0
network 172.20.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
no ip http server
ip classless
line con 0
exec-timeout 0 0
password
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 0 0
password
logging synchronous
login
line vty 5 181
exec-timeout 0 0
password
logging synchronous
login
end
Switch Config
SW1#sh run
Building configuration...
Current configuration:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname SW1
ip subnet-zero
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport trunk allowed vlan 1,5,10,20,1002-1005
switchport mode trunk
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
switchport access vlan 10
interface FastEthernet0/5
switchport access vlan 10
interface FastEthernet0/6
switchport access vlan 10
interface FastEthernet0/7
switchport access vlan 10
interface FastEthernet0/8
switchport access vlan 10
interface FastEthernet0/9
switchport access vlan 10
interface FastEthernet0/10
switchport access vlan 10
interface FastEthernet0/11
switchport access vlan 10
interface FastEthernet0/12
switchport access vlan 20
interface FastEthernet0/13
switchport access vlan 20
interface FastEthernet0/14
switchport access vlan 20
interface FastEthernet0/15
switchport access vlan 20
interface FastEthernet0/16
switchport access vlan 20
interface FastEthernet0/17
switchport access vlan 20
interface FastEthernet0/18
switchport access vlan 20
interface FastEthernet0/19
switchport access vlan 20
interface FastEthernet0/20
switchport access vlan 20
interface FastEthernet0/21
switchport access vlan 20
interface FastEthernet0/22
switchport access vlan 20
interface FastEthernet0/23
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/24
shutdown
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
interface VLAN5
ip address 172.16.1.1 255.255.255.248
no ip directed-broadcast
no ip route-cache
ip default-gateway 172.16.1.6
line con 0
transport input none
stopbits 1
line vty 0 4
login
line vty 5 15
login
end
You need to change your ACL because NAT doesn't usually work with "any" as the source.
I tend to use extended ACLs, so:
access-list 101 permit ip 172.20.0.0 0.0.0.255 any
access-list 101 permit ip 172.20.1.0 0.0.0.255 any
and then use your second solution, i.e. overload on the interface.
If you find you cannot ping between your VLANs then you need to modify the above ACL to deny traffic between the VLANs/IP subnets and then permit any as above, but it should work without doing that.
Jon -
Extended ACL permit ip and allowed ports
Hi everyone
Need to confirm if we have extended ACL with object group below
access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
will above ACL allow all the ports on the destination object group?
Thanks
mahesh
And to illustrate the situation above:
Situation 1 - Only allow rule exists on the ACL
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
Allow ALL TCP/UDP source and destination ports
Allow those from the source networks of SOURCE to the destination networks of DESTINATION
Situation 2 - Deny rules exist before the allowing rule
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
The key thing to notice of course would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
So host 10.10.10.10 can't communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT the rest of the TCP/UDP traffic would be allowed by the rule using the "object-group".
- Jouni -
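The two ACL behaviours discussed on this page, the destination-specific "nat 0 access-list" match from the thread at the top (why a source-only standard ACL cannot express it) and the first-match ordering in Jouni's "Situation 2", modelled in one small evaluator. This is an added example written for this page, not Cisco code or anything from the posters; it parses only the ACE syntax subset that appears here, and Jouni's object-groups are written out as the per-network ACEs the ASA expands them into.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # destination port from "eq PORT", else None

def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D MASK (ASA netmask form)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, tokens = tokens[1], tokens[2:]
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return name, Ace(action, proto, src, dst, dport)

def load_acls(lines):
    """Group ACEs by ACL name, keeping configured order (the order first-match uses)."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls

def acl_verdict(aces, proto, src, dst, dport=None):
    """First matching ACE wins; an ACL with no matching ACE denies implicitly."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue                      # "ip" ACEs match every protocol
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

def nat_decision(acls, nat0_acl, src, dst):
    """Model 'nat (iface) 0 access-list NAT0_ACL' followed by 'nat (iface) 1 0.0.0.0 0.0.0.0':
    a flow the exemption ACL permits keeps its real address; anything else is translated."""
    if acl_verdict(acls[nat0_acl], "ip", src, dst) == "permit":
        return "exempt"
    return "translate"

# Constructed sample input: the nat 0 ACL from the thread at the top of the page, plus
# Jouni's "Situation 2" with its object-groups expanded into per-network ACEs.
NAT0_LINES = [
    "access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0",
    "access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0",
    "access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0",
]
SOURCE_IN_LINES = [
    "access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100",
    "access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80",
    "access-list SOURCE-IN permit ip 10.10.10.0 255.255.255.0 10.10.100.0 255.255.255.0",
    "access-list SOURCE-IN permit ip 10.10.10.0 255.255.255.0 10.10.200.0 255.255.255.0",
    "access-list SOURCE-IN permit ip 10.10.20.0 255.255.255.0 10.10.100.0 255.255.255.0",
    "access-list SOURCE-IN permit ip 10.10.20.0 255.255.255.0 10.10.200.0 255.255.255.0",
]
ACLS = load_acls(NAT0_LINES + SOURCE_IN_LINES)
```

Swapping the deny lines below the object-group permit in SOURCE_IN_LINES makes them dead entries, which is the ordering point Jouni's walkthrough makes.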
JS: Issues on using extendables
Hi All,
We use "extendables.jsx" with a package for interlinking our internal URLs. When we use extendables in our script, we face the problems mentioned below:
1. try-catch functionality is not working and shows a "null" object error, i.e. if any error occurs in the try block, the script shows the error and stops instead of moving to the catch block.
2. We could not convert the script into binary format.
Kindly provide us a solution.
regards
Masthan
I asked the developer on a separate issue, and the project isn't maintained, so good luck with support. You may have to try and fix it yourself. In fact at last check, there was no option to submit a bug/issue to the project's GitHub site, just the ability to submit pull requests and fork the project. I do see many forks, but am assuming the forks could be from "users" and not many folks who actually contribute enhancements or fixes to the project (whether they kept them in their own forks or submitted pull requests). Sadly I find the GitHub UI hard to browse the forks expediently to see what's different between each, to see if anyone made changes in a fork.
By the way, the separate issue I had with Extendables is that its enhancement of ExtendScript adds extra members/properties to a standard ExtendScript/JavaScript object. Thus when iterating over an object, you have to be sure to call object.hasOwnProperty(propertyName) to filter out the extra inherited members that are not meant to be there in your original intended object. -
Applying Extended ACL close to Destination
Hi Everyone,
Need to share something here. Mostly we use an extended ACL close to the source.
Here is a scenario where I needed to use the extended ACL close to the destination to fix the issue.
Here is info
Server 1 connected to interface X ASA1 it has wan connection to ASA2---ASA2 has connection to ASA3.
Now ASA3 is learning source server IP via its Y interface.
In order to reach the destination server ASA3 has to through its interface Z.
Now there was ACL on ASA3 which denies traffic from source server IP to destination IP on interface Y.
I apply the ACL on ASA3 to allow the traffic and it worked.
Has someone else also seen this behaviour?
Regards
Mahesh
Hi,
It depends on whether I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allows that traffic. Even if the first ASA1 allows these connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesn't allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesn't mean that it would reach its destination, as there are different firewalls on the way.
Just as an example I could mention one real life setup that I manage.
The setup contains 4 firewalls always (at minimum)
One is customer firewall/vpn device
One is our vpn device
One is our firewall device
One is our partner firewall device
This means essentially that for the Customer to reach the Partner site's servers the traffic has to go through 4 firewalls at least. Because of the policy chosen we only have to make sure that the Customer and the Partner firewalls allow the traffic, as our firewalls don't do any access control (they just provide the connectivity between sites).
- Jouni -
GRE for VPN using extendable NAT.
I am trying to configure VPN, and I've got this:
ip nat inside source static tcp 192.168.100.8 1352 203.145.145.145 1352 extendable
ip nat inside source static tcp 192.168.100.8 1723 203.145.145.145 1723 extendable
ip nat inside source static tcp 192.168.100.8 47 203.145.145.145 47 extendable
ip nat inside source static tcp 192.168.100.8 isakmp 203.145.145.145 isakmp extendable
ip nat inside source static tcp 192.168.100.12 3389 203.145.145.145 3389 extendable
where do I put the GRE protocol in this configuration? Without GRE vpn does not work.
I don't want to do this:
ip nat inside source static 192.168.100.8 203.145.145.145
Is it a good idea to use interface Tunnel40843 for VPN rather than static NAT to an external IP address? How do I use a tunnel for VPN? What's the code?
To see how GRE over IPSec can be configured, refer to 'Configuring IPSec/GRE with NAT' at http://www.cisco.com/warp/public/707/ipsecgrenat.html. The document additionally discusses a firewall configuration that you could skip unless you have a firewall in place too.
-
Extended Notifications with Links while using Citrix to Access Hosted SAP
Hello,
I am working on a system which is hosted remotely where Citrix and Single signon are used to access the SAP instance. I need to be able to send email to their Outlook server with executable links back to the workitems. I had planned to use Extended Notifications to get this done. I am fine with everything except for the Citrix link. I am not sure whether the link in the email will be able to find its way through Citrix to the SAP instance. I also need to know the SSO is going to work - it seems at a minimum they would need to sign on to Citrix. Has anyone out there done this, or at least know whether it would/should/won't work?
Thanks in advance for any help you can offer,
Jeff Gray
As far as my knowledge goes, on Citrix it won't work. As far as the portal is concerned, it will work.
Regards, IA -
Using extended desktop mode with ThinkPad x220
I have an Acer AL2216W external monitor. It has a resolution of 1680 x 1050
http://support.acer.com/acerpanam/monitor/0000/Acer/AL2216W/AL2216Wsp2.shtml
When I use extended desktop mode with the external monitor set as the primary display, everything scales properly on both the external and internal monitor.
However, if I set the internal monitor as the primary display, the external display does not fill the screen (there is a big black border around the desktop).
In both cases, the resolution setting for the external monitor is 1680 x 1050.
Is this normal behaviour?
Hello,
That's how Windows behaves. Supposedly Realtime Soft Ltd.'s UltraMon gives you more precise control over wallpaper under Windows, but I have not used it myself.
Regards,
Aryeh Goretsky
-
SC with Limit Item using Extended Classic Scenario?
Hello,
Can we implement SC with Limit Item using Extended Classic Scenario.
I mention that we replicate the Product Categories from R/3 backend.
We have tried to create a SC with Limit item, but the data on Quantity, Price and Tax is not picked up at PO level.
Regards,
Shaiek
Hi
Please try out this.
For the time-being,
Try de-activating all the custom BADI implementations and check what is happening in the standard SRM system. How does it behave in case of a limit item?
In case it works fine without any custom implementation active in the system, I suspect there is something wrong in your currently deactivated BADI implementation.
Since i don't have access to your system , Please paste the code here.
Hope this will help.
Please reward suitable points.
Regards
- Atul -
Play Quicktime file on extended mode with 2 monitors using fullscreen
I have content that plays in QuickTime that was designed to run on 2 displays using extended mode. Whenever I full screen it defaults to only using one of the displays.
Here, this might help you. I was having problems copying to my Lacie external hard drive, too. I contacted Lacie and this was the response I received - which I followed and have now been able to move all my imovie, idvd, quicktime, etc. files to the Lacie:
The default formatting on these drives is FAT32, compatible with both Mac and PC. However, FAT32 has some limitations: it will not hold any single file larger than 4GB and it does not like filenames with any characters other than A-Z, a-z, 0-9, periods and underscores. Mac
OS 10.1.x and 10.2.x will not mount large FAT32 volumes.
The Mac Extended format does not have any of these limitations as it is the Mac-native format. If you will not be sharing this drive with a PC at all, reinitialize the drive as follows. You will need to copy off
any data you need temporarily as this will erase the drive.
OS X - Initializing with Disk Utility (will erase the drive)
1. Open the Disk Utility found in the Utilities folder.
2. On the left, select the drive (not the volume below it).
3. On the right, select the Partition tab.
4. Under Volume Scheme, set it to the number of partitions desired (usually Mac OS Extended).
5. Set the format you desire.
6. It is not necessary to check the OS 9 Drivers check box.
7. Once you have the drive set up how you desire, click on the Partition button in the lower right.
8. It should only take a few moments to complete, and when done, the drive will mount on the desktop.
Answers to most common questions can be found in the manual on the CD
that came with your product or in our FAQs:
http://www.lacie.com/support/faq/ -
I can't erase my Air SSD; it always creates an extended partition with about 5G used.
Try booting the fallback kernel, there is a problem with the AHCI driver concerning new Macbooks. When you've booted, add ata_generic to the modules in /etc/mkinitcpio.conf and rebuild the initrd with mkinitcpio -p kernel26.
-
Revision: 9829
Author: [email protected]
Date: 2009-08-31 06:38:08 -0700 (Mon, 31 Aug 2009)
Log Message:
Extending ILayoutContext with an 'updateIntrinsicDimensions' method, that the ILayoutRender uses to inform the context that context's intrinsical dimensions may have changed because its children got layed-out. Adding implementing code to LayoutContextSprite and LayoutRendererBase.
Modified Paths:
osmf/trunk/framework/MediaFramework/org/openvideoplayer/layout/ILayoutContext.as
osmf/trunk/framework/MediaFramework/org/openvideoplayer/layout/LayoutContextSprite.as
osmf/trunk/framework/MediaFramework/org/openvideoplayer/layout/LayoutRendererBase.as
A slow boot time can be caused by login items.
User Login Items:
Flux
NoSleep
ClipMenu
Canon IJ Network Scanner Selector2
BetterTouchTool
USBOverdriveHelper
TotalFinder
Gmail Notifr
Open System Preferences > Users & Groups > Login Items
Remove one login item noted above then restart your Mac to test. It may be one or multiple items causing the slow boot. -
Can you use Time Capsule with any wifi extender?
Can you use Time capsule with any wifi extenders?
No, since Apple designed their routers to only work with other Apple routers.
I suppose that it is possible that another brand might work, but since you won't know this until you try, it would be a good idea to have a clear understanding of the store's return policy before you decide to gamble. -
Extended acl - multiple ports on same acl line
hello
I'm working on a (long) ACL and have started looking at putting multiple ports on the same line,
e.g.
instead of:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80
permit tcp any host 10.10.10.1 eq 443
i'd use:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80 443
It's shortening the ACL considerably, but the question is:
Does this method reduce the TCAM resources required (compared to writing the ACL in long hand)?
What is the maximum number of ports that can be included on the same line? Is it platform/IOS dependent?
thanks
andy
Hello
No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
Cisco3750#show platform tcam utilization
CAM Utilization for ASIC# 0                 Max           Used
                                        Masks/Values   Masks/values
 IPv4 security aces:                      1024/1024       33/33
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
thanks
Andy