Virtual telnet/downloadable access lists: acl authorization denied error

Hello,
Has someone else experienced the same "issue" as described below? And can someone (Cisco?) tell whether this is by design, and if so, what the reasoning behind it is?
We use virtual telnet for user authentication, when users need to pass traffic through a PIX, and use downloadable access-lists after successful authentication.
When a user authenticates himself, an error message appears in the virtual telnet window: "error: acl authorization denied".
And the PIX log shows:
109005: Authentication succeeded for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
109015: Authorization denied (acl=#ACSACL#-IP-PIX_ACL-421492f3) for user 'user1' from <workstation-IP>/2066 to <virtual-telnet-IP>/23 on interface inside
This error message disappears when we add telnet access for the virtual telnet-IP@ in the downloadable access-list on the Cisco ACS. I could not find any reference to this configuration quirk in any document.
Now, with or without the error, the user can use virtual telnet and everything permitted in the downloadable ACL without any problem (so why post an error message then?).
Thanks

Try to disable authorization and see if this error stops

Similar Messages

  • Downloadable Access-list (ACL) on 440x/WiSM

    I need a wireless solution where an access-list is downloaded / referred to on a per-user or per-group basis in order to do filtering.
    Does unified wireless (aka Airespace) support this?
    To make it worse: is it supported while using H-REAP APs?
    TIA.
    Anders

    You can configure ACS 4.0 to return an ACL name after the user authenticates, and ensure that the ACS also returns the Tunnel Type attributes which tell which VLAN to use.

  • Access List (ACL) to Block Russian and Chinese Nets From Routers

    I see people asking if there are premade ACLs to block Chinese and Russian nets from their edge routers. Since I spent so much time creating entries for them based on information received from http://www.ipdeny.com/ipblocks/ I decided to share them. They are in the attached Word docs.
    There are a lot of entries, but since it is in a standard ACL it should not tax your routers too greatly.
    Sean Odom
    Sybex/Wiley Cisco Author

    Well, I'd rather not tax the IPS even further for something that the edge router should be capable of taking care of. Especially since the source of the traffic should be denied at the closest managed point.
    If you do not want this traffic coming inbound, closest for some would be the edge router. Others may only have their firewall as the closest manageable point.
    My suggestion to those who do not manage their edge router would be to compile a list such as the one listed above, then send it to your provider requesting they place it on this router. Of course, this may become a double-edged sword in a sense. If there is legit traffic from one of these source IP addresses that you identify down the road, it might be a hassle to get the block resolved.
    Or, you can also apply these right there on your firewall as well.
    Thank you for providing this list!

  • Are there any wireless controllers that will accept a Downloadable Access-list?

    Currently any VPN user, upon connection to the network, has an ACL pushed from ACS to ASA.
    I want to do the same for wireless but I don't use the ASA. Will one of the wireless controllers accept Downloadable ACLs like the ASA?
    Michael

    Dan,
    That would be tricky at best. If it's per user, that would mean 10,000 ACLs at about 200 lines each. Hmmm, that won't fit on a 4402 now, will it?
    I'm using RSA authentication. If I can do it like I do with the ACS/RSA, on a per-group basis, it would drop to about 144 ACLs at about 200 lines.
    Correct me if I'm wrong, but I can't use the ASA with DACL unless I'm using IPsec.
    At this point I'm not limiting myself to the wireless controllers; I thought it would be the simplest solution.

  • MAC access-list to deny appletalk

    Can I use a MAC access-list to deny AppleTalk frames only, without affecting other frames, on a Cat3560?

    Hi,
    I'm afraid this is not possible on the 3560. The config guide mentions: "Though visible in the command-line help strings, appletalk is not supported as a matching condition"
    cfr. http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11893267
    As far as I can tell, this is a hardware limitation so no 'fix' is to be expected in software.
    Having said that, you might be able to achieve almost the same by blocking AARP (the Appletalk Address Resolution Protocol), with something like this:
    mac access-list extended DenyAppletalk
    deny   any any aarp
    permit any any
    And then apply that ACL to each interface:
    #(config-if) mac access-group DenyAppletalk in
    So you will not be blocking actual AppleTalk, but you will prevent hosts from learning about each other in the first place, i.e. initially they may still have some cached info, but after some time (and certainly after a reboot) the hosts will no longer see any other AppleTalk hosts on the network.
    I've never tried this or seen this work myself but you may want to give it a go and let us know?
    Herbert

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
    I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT, because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list, which is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT, because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

    As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
    So just a guess:
    The "ip nat inside source route-map" statements are processed in lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order, your traffic will end up in the wrong translation, which you should see with "show ip nat translation".
    HTH, Karsten

  • In IOS XR access list. Which packets will be permitted ?

    Refer to the command:
    ipv4 access-list FILTER
    10 permit tcp any 192.168.15.32 0.0.0.15 eq www
    20 deny ipv4 any 192.168.15.32 0.0.0.15
    30 permit ipv4 any any
    The access list has been configured on the Gi0/0/0/0 interface in the inbound direction. Which packets that are sourced from 10.1.1.1 TCP port 1060, if they are routed to the Gi0/0/0/0 interface, will be permitted?
    A. destination IP address: 192.168.15.49, destination TCP port: 80
    B. destination IP address: 192.168.15.49, destination TCP port: 8080
    C. destination IP address: 192.168.15.46, destination TCP port: 80
    D. destination IP address: 192.168.15.41, destination TCP port: 8080
    E. destination IP address: 192.168.15.36, destination TCP port: 80
    F. destination IP address: 192.168.15.37, destination TCP port: 8080
    Is it the same in IOS? If it follows the sequence, sequence 30 permits source any, destination any. I thought all choices are permitted. What do you think?
    Thank you very much.

    The ACL is evaluated line by line until a statement is hit, so in your ACL:
    10. All traffic coming from any source with destination 192.168.15.32 through 47 and TCP port 80 will be permitted.
    20. All traffic from any source and going to destination 192.168.15.32 through 47 and port not 80 will be denied.
    30. Any other traffic, with destination different than 192.168.15.32/29, will be permitted.
    Besides that, the same behavior could be reached with two lines:
    ipv4 access-list FILTER
    10 deny ipv4 any 192.168.15.32 0.0.0.15
    20 permit ipv4 any any
    PVD.
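
A first-match evaluator for the FILTER access list in this thread, run against options A to F and against the two-line variant from the reply. This is an added example, not code from either poster; the Python names (`Ace`, `evaluate`, `permitted`, `wildcard_range`) are assumptions made for illustration, and source matching is left out because every entry uses `any` as its source.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Ace:
    """One access-list entry (hypothetical model, destination side only)."""
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ipv4" matches any protocol, "tcp" only TCP
    dst: Optional[str]          # None means "any"
    wildcard: str = "0.0.0.0"   # 1-bits are "don't care" bits
    dport: Optional[int] = None

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        if self.proto != "ipv4" and self.proto != proto:
            return False
        if self.dst is not None:
            care = ~_ip(self.wildcard) & 0xFFFFFFFF
            if (_ip(dst) & care) != (_ip(self.dst) & care):
                return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl, proto, dst, dport):
    """Return (action, seq) of the first matching entry, lowest sequence first."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(proto, dst, dport):
            return ace.action, ace.seq
    return "deny", None         # implicit deny when nothing matches


def wildcard_range(base: str, wildcard: str):
    """First and last address covered by a contiguous wildcard mask."""
    wc = _ip(wildcard)
    first = _ip(base) & ~wc & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | wc)))


# The access list from the question.
FILTER = [
    Ace(10, "permit", "tcp", "192.168.15.32", "0.0.0.15", 80),
    Ace(20, "deny", "ipv4", "192.168.15.32", "0.0.0.15"),
    Ace(30, "permit", "ipv4", None),
]

# The two-line variant proposed in the reply.
TWO_LINE = [
    Ace(10, "deny", "ipv4", "192.168.15.32", "0.0.0.15"),
    Ace(20, "permit", "ipv4", None),
]

# Options A to F: destination address and destination TCP port.
OPTIONS = {
    "A": ("192.168.15.49", 80),
    "B": ("192.168.15.49", 8080),
    "C": ("192.168.15.46", 80),
    "D": ("192.168.15.41", 8080),
    "E": ("192.168.15.36", 80),
    "F": ("192.168.15.37", 8080),
}


def permitted(acl):
    """Letters of the options that the given ACL permits."""
    return sorted(k for k, (dst, port) in OPTIONS.items()
                  if evaluate(acl, "tcp", dst, port)[0] == "permit")


if __name__ == "__main__":
    print("wildcard covers:", wildcard_range("192.168.15.32", "0.0.0.15"))
    for letter, (dst, port) in OPTIONS.items():
        print(letter, dst, port, evaluate(FILTER, "tcp", dst, port))
    print("FILTER permits:  ", permitted(FILTER))
    print("TWO_LINE permits:", permitted(TWO_LINE))
```

Running both lists over the same six flows shows where their results differ: the web traffic to the .32 through .47 block that sequence 10 of FILTER matches reaches the deny entry first in the two-line list.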

  • Please assist me for access-list configuration

    Dear Team,
    Please help me to configure the access-list.
    Requirement:
    I have three different subnets (10.1.1.0/24, 20.1.1.0/24, 30.1.1.0/24). PC1 and PC3 are within the 10.1.1.0 subnet and PC2 and PC4 are within the 30.1.1.0 subnet.
    I want the 10.1.1.0 subnet to not access the 30.1.1.0 subnet, but the 30.1.1.0 subnet should access the 10.1.1.0 subnet. Please find the configuration below.
    At R2:
    ip access-list exstandard 101
    deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
    permit ip any any
    int f0/0
    ip access-group 101 in
    But this configuration is not working; it's also blocking the 30.1.1.0 subnet from accessing 10.1.1.0. Please help me!
    Regards,
    Sanjib

    Hello
    I assume the rtrs are performing the routing for these subnets and not the switches. Anyway, your ACL doesn't look correct; try this:
    R2
    ip access-list extended 101
    deny ip 30.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    permit ip any any
    int f0/0
    ip access-group 101 in
    or
    ip access-list extended 101
    deny ip 10.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
    permit ip any any
    int f0/0
    ip access-group 101 out
    reverse the acl for R3 if applicable
    res
    Paul

  • Access-list needed for vpn

    Hi,
    If we have a LAN to LAN VPN between two Cisco firewalls and allowed the service as IP (IPsec tunnel), do we need an individual access-list in the security policy? (I had a similar case where I had to put in an entry on the security policy for port 16000 between the two subnets used on the LAN to LAN firewalls.)
    I was under the impression the security policy applies only for non-VPN traffic, and for VPN traffic we need to specify it on the IPsec tunnel (under the tab service).
    Thanks

    There are two ways you can filter traffic which is moving over the VPN.
    1) Filter at the source; of course ACLs are required.
      For example, the crypto ACL allows Site A 10.0.0.0/24 to Site-B 20.0.0.0/24, but traffic can be filtered at the interface where 10.0.0.0/24 is configured. Let's assume we want to deny port 80.
    The ACL would be:
    access-list XXX extended deny tcp 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0 eq 80
    access-list XXX extended permit ip any any
    access-group XXX in interface inside
    So this will deny port 80 and permit the rest of the traffic.
    2) You can configure a VPN filter, which is called under the group policy.
    Thanks
    Ajay

  • Access provisioning through Access List

    I have inter-VLAN routing done on my core switch, through which subnets are restricted from accessing each other. For example, the subnet 10.1.23.0 cannot access the subnet 10.1.24.0.
    Due to a certain requirement, I want 10.1.23.19 (user's workstation IP) to be able to access 10.1.24.41 (user's workstation IP).
    Is it possible to do that without disturbing my inter-VLAN routing? Please suggest.

    Below is the configuration of inter-VLAN routing on my core switch, please suggest:
    interface Vlan2
     description IAS
     ip address 10.1.14.2 255.255.254.0
     ip access-group IAS out
     vrrp 2 ip 10.1.14.5
     vrrp 2 priority 99
    interface Vlan3
     description MKT
     no ip address
     ip access-group MKT out
     vrrp 3 ip 10.1.6.5
     vrrp 3 priority 99
    interface Vlan4
     description ESG
     ip address 10.1.16.2 255.255.255.128
     ip access-group ESS out
     vrrp 4 ip 10.1.16.5
     vrrp 4 priority 99
    interface Vlan5
     description NMSG
     ip address 10.1.24.2 255.255.255.128
     vrrp 5 ip 10.1.24.5
     vrrp 5 priority 99
    interface Vlan6
     description OAG
     ip address 10.1.26.2 255.255.255.128
     vrrp 6 ip 10.1.26.5
     vrrp 6 priority 99
    interface Vlan7
     description SMG
     ip address 10.1.28.2 255.255.255.128
     ip access-group SMG out
     vrrp 7 ip 10.1.28.5
     vrrp 7 priority 99
    interface Vlan8
     description DMG
     ip address 10.1.30.2 255.255.255.128
     ip access-group DMG out
     vrrp 8 ip 10.1.30.5
     vrrp 8 priority 99
    interface Vlan9
     description DMS_UAT
     ip address 10.1.32.2 255.255.255.128
     ip access-group DMS_UAT out
     vrrp 9 ip 10.1.32.5
     vrrp 9 priority 99
    interface Vlan10
     description SEG
     ip address 10.1.34.2 255.255.254.0
     vrrp 10 ip 10.1.34.5
     vrrp 10 priority 99
    interface Vlan11
     description SEG-2
     ip address 10.1.33.2 255.255.255.128
     vrrp 11 ip 10.1.33.5
     vrrp 11 priority 99
    interface Vlan12
     description Finance_F2
     ip address 10.1.2.2 255.255.255.0
     vrrp 12 ip 10.1.2.5
     vrrp 12 priority 99
    interface Vlan13
     description Operations
     ip address 10.1.10.2 255.255.255.128
     ip access-group OPS out
     vrrp 13 ip 10.1.10.5
     vrrp 13 priority 99
    interface Vlan17
     description PD&T
     ip address 10.1.36.2 255.255.255.128
     ip access-group PDT out
     vrrp 17 ip 10.1.36.5
     vrrp 17 priority 99
    interface Vlan18
     description HR&Admin
     ip address 10.1.8.2 255.255.255.0
     ip access-group HR&Admin out
     vrrp 18 ip 10.1.8.5
     vrrp 18 priority 99
    interface Vlan19
     no ip address
    interface Vlan20
     no ip address
    interface Vlan21
     no ip address
    interface Vlan22
     description SEG3
     ip address 10.1.44.2 255.255.255.128
     ip access-group SEG3 out
     vrrp 22 ip 10.1.44.5
     vrrp 22 priority 99
    interface Vlan23
     description Call_Center
     ip address 10.1.42.2 255.255.255.0
     ip access-group CC out
     vrrp 23 ip 10.1.42.5
     vrrp 23 priority 99
    interface Vlan24
     description IT_Sec
     ip address 10.1.23.2 255.255.255.0
     vrrp 23 ip 10.1.23.5
     vrrp 23 priority 99
    interface Vlan25
     description Q-mgmt
     ip address 10.1.9.2 255.255.255.0
     ip access-group ACESSCONTROL out
     vrrp 25 ip 10.1.9.5
     vrrp 25 priority 99
    interface Vlan26
     description RTA
     ip address 10.1.150.2 255.255.254.0
     ip access-group RTA out
     vrrp 26 ip 10.1.150.5
     vrrp 26 priority 99
    interface Vlan27
     description P&D
     ip address 10.1.45.2 255.255.255.0
     ip access-group PD out
     vrrp 27 ip 10.1.45.5
     vrrp 27 priority 99
    interface Vlan28
     description Trustee
     ip address 10.1.18.2 255.255.255.0
     ip access-group TRUSTEE out
     vrrp 28 ip 10.1.18.5
     vrrp 28 priority 99
    ip access-list standard CC
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard CEO
     deny   10.1.2.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard CS
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
    ip access-list standard DMG
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard DMSSCAN
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard DMS_UAT
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard ESS
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard FIN
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard HRADMIN
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard IAD
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard IAS
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard ITSEC
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
    ip access-list standard MKT
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard NMSG
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard OAG
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
    ip access-list standard OPS
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard PD
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard PDT
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard Q-mgmt
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     permit any
    ip access-list standard RTA
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     permit any
    ip access-list standard SEG
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard SEG2
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard SEG3
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard SMG
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.18.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard TRUSTEE
     deny   10.1.2.0 0.0.0.255
     deny   10.1.4.0 0.0.0.255
     deny   10.1.6.0 0.0.0.255
     deny   10.1.8.0 0.0.0.255
     deny   10.1.9.0 0.0.0.255
     deny   10.1.10.0 0.0.0.255
     deny   10.1.12.0 0.0.0.255
     deny   10.1.14.0 0.0.0.255
     deny   10.1.23.0 0.0.0.255
     deny   10.1.24.0 0.0.0.255
     deny   10.1.26.0 0.0.0.255
     deny   10.1.28.0 0.0.0.255
     deny   10.1.30.0 0.0.0.255
     deny   10.1.32.0 0.0.0.255
     deny   10.1.33.0 0.0.0.255
     deny   10.1.34.0 0.0.0.255
     deny   10.1.35.0 0.0.0.255
     deny   10.1.36.0 0.0.0.255
     deny   10.1.38.0 0.0.0.255
     deny   10.1.42.0 0.0.0.255
     deny   10.1.44.0 0.0.0.255
     deny   10.1.45.0 0.0.0.255
     deny   10.1.48.0 0.0.0.255
     deny   10.1.50.0 0.0.0.255
     deny   10.1.150.0 0.0.0.255
     permit any
    ip access-list standard static-routes
     permit 10.1.136.0 0.0.1.255
     permit 10.1.138.0 0.0.1.255
     permit 10.1.142.0 0.0.0.255
     permit 10.1.144.0 0.0.1.255
     permit 10.1.160.0 0.0.1.255
     permit 10.1.200.0 0.0.1.255
     permit 10.1.204.0 0.0.1.255
     permit 10.1.210.0 0.0.0.255
     permit 10.1.222.0 0.0.1.255
     permit 172.18.100.0 0.0.0.255
     permit 172.18.101.0 0.0.0.255
     permit 172.18.102.0 0.0.0.255
     permit 172.18.103.0 0.0.0.255
     permit 172.18.104.0 0.0.0.255
     permit 172.18.105.0 0.0.0.255
     permit 172.18.106.0 0.0.0.255
     permit 10.1.146.0 0.0.0.255
     permit 192.168.1.0 0.0.0.255
     permit 10.1.145.0 0.0.0.255

  • Extended access list on Cisco routers

    Can you edit an access list without deleting the entire list? In other words, can you remove a sequence entry with the access list?
    Thanks

    Yes, you can. If you do sh access-list, the router will show the sequence number. You can then add a sequence, delete a sequence or change one.
    For example, if you have an access-list like this:
    Extended IP access list test
    10 deny ip 10.10.10.0 0.0.0.255 any log
    15 deny ip 11.11.11.0 0.0.0.255 any log
    you can now add a new sequence between 10 and 15
    11 deny ip 172.16.10.0 0.0.0.255 any log
    You just have to make sure to use the sequence number when you create the last access-list
    HTH

  • LMS compliance check on all access lists

    Hello, I am trying to create a compliance template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLANs but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices, therefore I need to use wildcards for the name.
    thanks.

    I forgot to mention that I am running this against Cisco ASA devices, which display like this:
    access-list TEST_ACL extended deny ip any any
    I have tried:
    access-list [#.*#] extended deny ip any any
    but it returns all as compliant because it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
    Any ideas?
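
The check asked for above has to be evaluated once per ACL name, which a single pattern match over the whole config cannot do. The following is an added example (not LMS functionality and not part of the original thread) that runs the per-ACL check offline over saved ASA configuration text; the sample config, the function name and the status strings are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample of ASA "show running-config access-list" output.
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN remark inbound policy
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-list DMZ_IN extended permit udp any any eq 53
access-list DMZ_IN extended permit icmp any any
access-list TEST_ACL extended deny ip any any
access-list TEST_ACL extended permit tcp any any eq 22
access-list LAB_IN extended permit ip 10.1.2.0 255.255.255.0 any
access-list LAB_IN extended deny ip any any inactive
access-list SPLIT standard permit 10.1.0.0 255.255.0.0
"""

# Only extended ACEs match; remark lines and standard lists are skipped.
ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(.+?)\s*$")
# Explicit deny-all, optionally followed by logging options.
DENY_ALL = re.compile(r"^deny\s+ip\s+any\s+any(\s+log\b.*)?$")


def audit_extended_acls(config_text):
    """Return {acl_name: 'ok' | 'missing' | 'not-last'} for each extended ACL."""
    acls = OrderedDict()
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))

    report = {}
    for name, aces in acls.items():
        # An ACE flagged "inactive" is not enforced, so it cannot satisfy the check.
        active = [a for a in aces if not a.endswith(" inactive")]
        hits = [i for i, a in enumerate(active) if DENY_ALL.match(a)]
        if not hits:
            report[name] = "missing"
        elif hits[0] != len(active) - 1:
            # A deny-all above other entries makes everything below it unreachable.
            report[name] = "not-last"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    for acl, status in audit_extended_acls(SAMPLE_CONFIG).items():
        print(f"{acl:12} {status}")
```

Every ACL name gets its own verdict, so one compliant list no longer masks the others.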

  • Virus access-list help

    Hello all,
    I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster variant or something.
    The problem is one of the System guys says it's a legit service, something to do with Active Directory.
    When I do "sh logging" I see thousands of hits where it denies one packet at a time from port 445 to misc IP addresses.
    I do "sh access-list" and the deny 445 entry has millions of hits.
    We do a network wide Symantec update and scan and find nothing.
    Should I disable this 445 entry? Is it a legit service?
    Thanx for any help

    Hello,
    Port 445 is SMB over tcp, or commonly referred to now by Microsoft as CIFS (Common Internet File System). This is valid traffic, so internally between sites that transfer files you should not be blocking this traffic, but from external nets by all means this should be blocked.
    HTH please rate any posts that were helpful.
    Patrick Laidlaw

  • ORA-24247: network access denied by access control list (ACL) using FTP

    What used to work on our 10g server now doesn't work on 11g. We recently migrated to a new server and this FTP download process is the only thing that is giving me problems.
    I have tried using the IP Address and Domain name, opened up the ports 10 to 80 (just in case) and even tried FTPing to a local FTP site and cannot seem to get past the ORA-24247 error. At this point I am not sure what else to try. The FTP process worked great in 10g...
    begin
    -- Create the ACL and grant 'connect' to CWT_OPERATOR
    dbms_network_acl_admin.create_acl (
    acl => 'cwtoto_acl_file.xml',
    description => 'FTP Access',
    principal => 'CWT_OPERATOR',
    is_grant => TRUE,
    privilege => 'connect',
    start_date => null,
    end_date => null
    );
    -- Add 'resolve' for the same principal
    dbms_network_acl_admin.add_privilege (
    acl => 'cwtoto_acl_file.xml',
    principal => 'CWT_OPERATOR',
    is_grant => TRUE,
    privilege => 'resolve',
    start_date => null,
    end_date => null
    );
    -- Assign the ACL to each host, ports 10 through 80
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => '69.30.63.173',
    lower_port => 10,
    upper_port => 80
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => 'ftp.rmpc.org',
    lower_port => 10,
    upper_port => 80
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => 'ftp.taglab.org',
    lower_port => 10,
    upper_port => 80
    );
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => '146.63.252.61',
    lower_port => 10,
    upper_port => 80
    );
    commit;
    end;
    Edited by: tfrawley on Jan 20, 2011 10:23 AM

    So, I have contacted support to fix my inability to login to Oracle Support. In the meantime I'll just run through this problem one more time:
    I executed the following:
    begin
    -- Create the ACL and grant 'connect' to CWT_OPERATOR
    dbms_network_acl_admin.create_acl (
    acl => 'cwtoto_acl_file.xml',
    description => 'FTP Access',
    principal => 'CWT_OPERATOR',
    is_grant => TRUE,
    privilege => 'connect',
    start_date => null,
    end_date => null
    );
    -- Assign the ACL to the FTP host, ports 1 through 1000
    dbms_network_acl_admin.assign_acl (
    acl => 'cwtoto_acl_file.xml',
    host => 'ftp.rmpc.org',
    lower_port => 1,
    upper_port => 1000
    );
    commit;
    end;
    This should give me an ACL xml file and permission for CWT_OPERATOR to connect to ftp.rmpc.org on ports 1 through 1000.
    I can look and see if the creation was successful: SELECT host, lower_port, upper_port, acl FROM dba_network_acls t ;
         HOST     LOWER_PORT     UPPER_PORT     ACL
    1     ftp.rmpc.org     1     1000     /sys/acls/cwtoto_acl_file.xml
    Looks good right?
    So I test it using the following:
    DECLARE
    l_conn UTL_TCP.connection;
    BEGIN
    l_conn := ftp.login('ftp.rmpc.org','21','[email protected]','anonymous');
    ftp.logout( l_conn);
    END;
    And get the following errors:
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "SYS.UTL_TCP", line 17
    ORA-06512: at "SYS.UTL_TCP", line 246
    ORA-06512: at "SYSTEM.FTP", line 49
    ORA-06512: at line 4
    Has anyone else tried to use UTL_TCP and experienced a similar issue?

  • ORA-24247: network access denied by access control list (ACL)error-UTL_HTTP

    I am getting following ACL error while executing following procedure:
    create or replace procedure sat_proc as
    http_req utl_http.req;
    http_resp utl_http.resp;
    BEGIN
    http_req := utl_http.begin_request('www.yahoo.com');
    http_resp := utl_http.get_response(http_req);
    utl_http.end_response(http_resp);
    END;
    exec sat_proc;
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at "TRANSDBA.SAT_PROC", line 5
    ORA-06512: at line 1
    I am able to execute successfully while executing above code as PL/SQL block:
    DECLARE
    http_req utl_http.req;
    http_resp utl_http.resp;
    BEGIN
    http_req := utl_http.begin_request('www.yahoo.com');
    http_resp := utl_http.get_response(http_req);
    utl_http.end_response(http_resp);
    END;
    PL/SQL procedure successfully completed.
    Could you help me find why I am getting an error while executing the same code in a procedure? Is there any privilege missing?

    GRANT EXECUTE ON SYS.UTL_HTTP TO <your_user>;
    SQL> set time on
    17:21:01 SQL> set role none;
    Role set.
    17:21:23 SQL> @utl_http.sql
    17:21:34 SQL> DECLARE
    17:21:34   2  http_req utl_http.req;
    17:21:34   3  http_resp utl_http.resp;
    17:21:34   4  BEGIN
    17:21:34   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:21:34   6  http_resp := utl_http.get_response(http_req);
    17:21:34   7  utl_http.end_response(http_resp);
    17:21:34   8  END;
    17:21:34   9  /
    PL/SQL procedure successfully completed.
    17:21:35 SQL> connect / as sysdba
    Connected.
    17:22:47 SQL> connect dbadmin/admindb
    Connected.
    17:23:06 SQL> @utl_http.sql
    17:23:22 SQL> DECLARE
    17:23:22   2  http_req utl_http.req;
    17:23:22   3  http_resp utl_http.resp;
    17:23:22   4  BEGIN
    17:23:22   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:23:22   6  http_resp := utl_http.get_response(http_req);
    17:23:22   7  utl_http.end_response(http_resp);
    17:23:22   8  END;
    17:23:22   9  /
    PL/SQL procedure successfully completed.
    17:23:23 SQL> set role none;
    Role set.
    17:23:29 SQL> @utl_http.sql
    17:23:31 SQL> DECLARE
    17:23:31   2  http_req utl_http.req;
    17:23:31   3  http_resp utl_http.resp;
    17:23:31   4  BEGIN
    17:23:31   5  http_req := utl_http.begin_request('www.yahoo.com');
    17:23:31   6  http_resp := utl_http.get_response(http_req);
    17:23:31   7  utl_http.end_response(http_resp);
    17:23:31   8  END;
    17:23:31   9  /
    DECLARE
    ERROR at line 1:
    ORA-29273: HTTP request failed
    ORA-06512: at "SYS.UTL_HTTP", line 1130
    ORA-24247: network access denied by access control list (ACL)
    ORA-06512: at line 5
    17:23:31 SQL>
    Above is from test user.
    Below is from SYSDBA account:
    SQL> set time on
    17:20:53 SQL> revoke execute on sys.utl_http to dbadmin;
    revoke execute on sys.utl_http to dbadmin
    ERROR at line 1:
    ORA-00905: missing keyword
    17:22:03 SQL> revoke execute on sys.utl_http from dbadmin;
    revoke execute on sys.utl_http from dbadmin
    ERROR at line 1:
    ORA-04020: deadlock detected while trying to lock object
    ACLiLZU+w09hR7gQAB/AQAjcw==
    17:22:32 SQL> /
    Revoke succeeded.
    17:22:52 SQL>
    Edited by: sb92075 on Jun 10, 2010 5:24 PM
