WAAS and SNMP access-list
I am using 4.1.1c (build b16) and am testing restricting access to the SNMP MIBs. We are running inline with a separate interface for management (gi1/0), with an SNMP access-list defined and snmp-server access-list set.
snmp-server community public
snmp-server access-list SNMP
ip access-list standard SNMP
permit 10.10.10.2
When I walk the MIB from 10.10.10.2 and then look at the ACL, it doesn't show any access.
CM#sh ip access-list SNMP
Standard IP access list SNMP
1 permit 10.10.10.2
(implicit deny any: 0 matches)
total invocations: 0
To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP GRE encapsulated traffic that it receives, you can use the wccp access-list global configuration command.
Similar Messages
-
I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the MAC address is included on that list and that the password is correct. Under Choose Network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi NIC bad in this thing with the new Apple firmware update? Any fix?
Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.
-
Clienless webvpn and reflexive access list firewall
I have a Cisco 3825 router with a WEBVPN server and a reflexive access list firewall. All is well, but when I try from outside to go to the WEBVPN server and then try to open some web site through the WEBVPN portal, it doesn't work. For example, when I try to open yahoo.com, the log shows
"%SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied tcp 98.138.253.109(80) -> my_ip_address(45341), 1 packet [ACL_ERROR]"
98.138.253.109 is yahoo.com ip address
Can you give me advice on how to solve this problem?
If you have WEBVPN, then you have the security image/license on your router. That means that you are not restricted to reflexive ACLs; you can use a "real" firewall feature like CBAC or ZBF on that device.
-
Cisco ISE and WLC Access-List Design/Scalability
Hi,
I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on the ISE. The problem I seem to be seeing is due to a limitation on the Cisco WLC, which allows only 64 access-list entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries can scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead. I have illustrated the setup below for reference:
User group 1 -- Apply ACL 1 --On Vlan 1
User group 2 -- Apply ACL 2 -- On Vlan 1
User group 3 -- Apply ACL 3 -- On Vlan 1
The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
Any suggestion is appreciated.
Thanks.
Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
The new WLCs that are based on IOS XE, and not the old Wireless/Aironet OS, will provide a better experience when it comes to such issues.
Overall, I see three ways to overcome your current issue:
1. Shrink the ACLs by making them less specific
2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
3. Use SGT/SGA
Hope this helps!
-
ICMP Inspection and Extended Access-List
I need a little help clarifying the need for an extended access-list when ICMP inspection is enabled on an ASA. From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or by enabling ICMP inspection in the Modular Policy Framework. Is that true? Do I only NEED an extended access-list or ICMP inspection enabled? I do not need both? Or is it best practice to do both?
What does the ASA do to a PING from a host on the inside interface (security 100) to a host on the outside interface (security 0) when ICMP inspection is enabled with the following commands:
policy-map global_policy
class inspection_default
inspect icmp
However, the following commands are NOT placed on the inbound extended access-list of the outside interface:
access-list inbound permit icmp any any echo-reply
access-list inbound permit icmp any any source-quench
access-list inbound permit icmp any any unreachable
access-list inbound permit icmp any any time-exceeded
access-group inbound in interface outside
Will the PING complete?
Thank you,
T.J.
Hi, T.J.
If the problem is still current, I can answer this question for you.
Let's see the situation without ICMP inspection enabled:
The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet comes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
In the case with ICMP inspection, with an ACL entry you should allow only request packets; replies will be allowed based on the connection created by ICMP inspection.
Speaking about your particular example with different security levels, with the default ACL rule that allows traffic from the higher-security interface to the lower one: NO, you do not need to enter the rules you described, and you'll have a successful ping.
If you deleted this rule and administer the allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
P.S. It's not good practice to leave that default rule which allows traffic from a higher security level to a lower one. -
Prime Infra. 2.0 SSH and SNMP access to devices
New Prime Infrastructure install. I am trying to discover my routers and switches. From the Operate and Discovery section, I can run "Quick Discovery". I am given the option to set the SNMP string. After the discovery completes, I add SSH credentials to each device (individually). Is there a method to set the SSH parameters ahead of time or via bulk?
Thanks
Excellent idea. Thanks.
I suspect the "discovery settings" will allow SSH to be added but I haven't been able to make it work. From the discovery settings section and after I enable SSH, I am asked to provide an IP address along with the username and password. I get the username/password but I don't understand why an IP address is needed.
Either way, the bulk add is pretty easy.
Thanks again! -
Hello, I'm having problems getting an access-list to work. With the access-group 104 in I lose my internet connectivity.
Here's the config. If I remove the access-group 104 in from GigabitEthernet0/0 all works, but I want to have the settings on this interface.
What am I missing?
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r01
boot-start-marker
boot-end-marker
logging buffered 15000
no logging console
no aaa new-model
clock timezone CET 1 0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.17.1.1 172.17.1.30
ip dhcp excluded-address 172.17.1.240 172.17.1.254
ip dhcp excluded-address 172.17.3.1 172.17.3.30
ip dhcp excluded-address 172.17.3.240 172.17.3.254
ip dhcp pool VLAN1
network 172.17.1.0 255.255.255.0
domain-name r1.local
default-router 172.17.1.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip dhcp pool VLAN100
network 172.17.3.0 255.255.255.0
domain-name r1_Guest
default-router 172.17.3.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip domain name r1.lan
ip name-server 212.54.40.25
ip name-server 212.54.35.25
multilink bundle-name authenticated
crypto pki token default removal timeout 0
object-group network temp
description dummy addresses
1.1.1.1 255.255.255.0
2.2.2.2 255.255.255.0
object-group network vlan1-lan
172.17.1.0 255.255.255.0
object-group network vlan100-guest
172.17.3.0 255.255.255.0
object-group network ziggo-dns
host 212.54.40.25
host 212.54.35.25
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address dhcp
ip access-group 104 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description r1.local lan
ip address 172.17.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.1
description Vlan100 r1_Guest
encapsulation dot1Q 100
ip address 172.17.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.17.2.0 255.255.255.0 172.17.1.253
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any object-group vlan100-guest
access-list 102 permit ip any any log
access-list 103 deny ip any object-group vlan1-lan
access-list 103 permit ip any any
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log
no cdp run
control-plane
line con 0
login local
line aux 0
line 2
login local
no activation-character
no exec
transport preferred none
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
login local
transport input ssh
scheduler allocate 20000 1000
end
Hello,
I applied the rules and that works.
Only one thing I have now.
Reboot router.
Interface 0/0 gets no DHCP address from the ISP.
I have to remove the 104 in from int 0/0.
Then the router logs: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x, hostname r01
Int0/0 gets a DHCP IP address, next I apply the ACL 104 in to int 0/0 and all works until the next reboot.
Maybe I have to put a static IP address on int0/0?
Thanks for your help! -
Need to know where I can view ACL denies regarding "access-list deny any log"?
I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
I need to know where I can view the source addresses from which the packets were dropped. Could this be just in sh log? Thanks in advance for any help. Cheers
Hi,
Yes, with an extended access-list with the last line:
deny ip any any log
with "sh log" you can see the source address of the packets being dropped.
Take note that you must be at least at logging level 6 (informational); by default console and monitor are at level 7 (debugging):
logging console debugging
logging monitor debugging
With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
access-list 101 deny tcp any range 0 65535 any range 0 65535 log
access-list 101 deny udp any range 0 65535 any range 0 65535 log
access-list 101 deny icmp any any log
access-list 101 deny ip any any log
to log the sources and destinations IPs and port numbers.
Best Regards,
Pedro Lereno -
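Added example, not from the thread: a Python parser for the %SEC-6-IPACCESSLOG messages that "sh log" shows, modeled on the message quoted earlier on this page, which totals denied packets per ACL and source address. The log lines below are constructed samples using documentation address ranges.

```python
import re
from collections import Counter

# IOS ACL log mnemonics: IPACCESSLOGP (tcp/udp, with ports), IPACCESSLOGDP (icmp, type/code),
# IPACCESSLOGNP (other protocol numbers). Pattern modeled on the message quoted on this page.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?")

def parse_acl_log(line):
    """Return the fields of one ACL log message as a dict, or None for any other syslog line."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def denied_sources(lines):
    """Sum denied packets per (ACL name, source address).
    IOS logs the first matching packet and then periodic summaries carrying a packet
    count, so the counts from all messages for a flow have to be added up."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return totals

# Constructed sample of 'sh log' output
SAMPLE_LOG = """Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied tcp 198.51.100.10(80) -> 203.0.113.5(45341), 1 packet
Mar  1 10:00:07.500: %SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied udp 198.51.100.22(4444) -> 203.0.113.5(161), 1 packet
Mar  1 10:05:01.000: %SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied udp 198.51.100.22(4444) -> 203.0.113.5(161), 12 packets
Mar  1 10:05:02.000: %SEC-6-IPACCESSLOGDP: list ACL-FILTER-IN denied icmp 198.51.100.9 -> 203.0.113.5 (8/0), 3 packets
Mar  1 10:05:03.000: %SEC-6-IPACCESSLOGP: list ACL-FILTER-IN permitted tcp 192.0.2.4(51000) -> 203.0.113.5(22), 1 packet
Mar  1 10:06:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0""".splitlines()

if __name__ == "__main__":
    for (acl, src), n in denied_sources(SAMPLE_LOG).most_common():
        print(f"{acl}: {src} denied {n} packet(s)")
```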
Hi,
I have two routers R1 and R2 with FastEthernet interface IP addresses (F0/0) 10.1.0.1 and (F0/0) 10.1.0.2 respectively. I am using HSRP; R1 is active and R2 is in standby state.
What's happening is that when I apply ACLs on R1 on F0/0 I cannot telnet to R2, but if I remove these ACLs I can telnet to R2 from R1.
Can someone please help me with this. Since they are on the same segment, my understanding is that I can telnet to R2 from R1 even after applying ACLs.
Thanks
Hi Jason,
Please find below the config of R1
interface FastEthernet0/0
ip address 10.1.0.1 255.255.255.0
ip access-group 101 in
ip access-group 102 out
speed auto
standby 1 ip 10.1.0.254
standby 1 preempt
access-list 101 permit tcp host 10.1.0.1 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.2 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.3 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.4 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.5 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.6 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.7 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.8 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp host 10.1.0.9 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.1.190
access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.8.22
access-list 101 permit udp 10.1.0.0 0.0.0.255 eq snmp host 192.168.8.22
access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmp
access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmptrap
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.1
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.2
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.3
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.4
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.5
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.6
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.7
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.8
access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.9
access-list 102 permit tcp host 192.168.1.190 10.1.0.0 0.0.0.255
access-list 102 permit udp host 192.168.8.22 eq snmptrap 10.1.0.0 0.0.0.255
access-list 102 permit udp host 192.168.8.22 eq snmp 10.1.0.0 0.0.0.255
access-list 102 permit udp host 192.168.8.22 10.1.0.0 0.0.0.255 eq snmp -
Thoroughly confused with ASDM-created access-lists when viewing ASA config
Background:
I am trying to unravel an ASA 5550 config that has been created over several years by multiple people, some of whom used ASDM and some the CLI.
None of them ever removed any lines from the configuration, and none did any documentation.
I have several basic questions, which show my ignorance.
When examining the actual configuration from a CLI perspective:
1. Does an ASDM-created access list end with any specific ASDM-added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?
Actually, I don't think I ever made myself clear.
I am working with a hard copy of the CLI.
I have no access to the devices to run any commands, nor access to ASDM.
I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
As stated before, it has been built and rebuilt by different people, some using the CLI, some using ASDM, but no one ever cleaned up the configuration or documented it.
I have probably 10-15 different access lists in this config.
Some look to be affiliated with specific ports. Some of these ports are up, some down.
I have the same rule sets appearing in 3 separate access lists, in some cases.
Of course, each of these 3 access lists is slightly different.
Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
An example:
3 access lists:
Prmary_Public_access_in
Primary_Public_access_in_tmp
Arin_Primary_Public_access_in
Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
Primary_Public_access_in does not appear to be directly associated with any one port
So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that are being referenced to manage traffic? -
WS-C3524-XL-EN, mac access-list, ssh
Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION) with the latest IOS running on it support SSH, and mac access-lists to secure the port by MAC?
Thanks
There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges; there is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for the 3550 and look for the link.
-
How to access Access List information through SNMP?
Hi,
I wonder if it is possible to access a router's access list info (ACL type, name, entries, stats) through SNMP.
Using the SNMP Object Navigator I have found a MIB and OIDs that should allow me to do just that:
Object: ciscoACLMIB
OID: 1.3.6.1.4.1.9.9.808
MIB: CISCO-ACL-MIB
Description: "This MIB module defines objects that describe Cisco Access Control Lists (ACL)."
But clicking on the "Supported Images" link shows that this MIB is not supported in any IOS release. I have tested with an snmpwalk on a few routers with different IOS versions and I don't get any results:
SNMPv2-SMI::enterprises.9.9.808 = No Such Object available on this agent at this OID
Is there any way to read the ACL info through SNMP? Can anybody explain to me how to do this?
Thanks in advance.
Alberto
Hi Alberto,
Unfortunately, it is not possible to get ACL information via SNMP.
There is an enhancement bug already filed for the same:
CSCdu44167 no corresponding MIB for show access-list on a router.
Thanks,
Afroz
-
Hi!
I have a Linksys SPS224G4.
I'm trying to create a mac access-list and bind it to an interface by using SNMP.
Please advise me in which MIB I can find OIDs to operate such functions?
These OIDs lie in qosclimib.mib
-
How to find out list of users and their access on Sharepoint
Hello Everyone
How can I find out the list of users and what access they have on a SharePoint site? I want to create a table with the list of the users and their access.
Thanks
You can get the report using the PowerShell scripts below. The first one gives the list of users at the site collection level.
The second link generates the permissions reports for each user.
http://techtrainingnotes.blogspot.com/2010/12/sharepoint-powershell-script-to-list.html
https://sp2010userperm.codeplex.com/
-
Vpn site to site and remote access , access lists
Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN bypassing the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?
If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN... all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.