WAAS and SNMP access-list

I am using 4.1.1c (build b16) and testing restricting access to the SNMP MIBs. We are running inline with a separate interface for mgmt (gi1/0), with an SNMP access-list defined and snmp-server access-list set.
snmp-server community public
snmp-server access-list SNMP
ip access-list standard SNMP
permit 10.10.10.2
When I walk the MIB from 10.10.10.2 and then look at the ACL, it doesn't show any access.
CM#sh ip access-list SNMP
Standard IP access list SNMP
1 permit 10.10.10.2
(implicit deny any: 0 matches)
total invocations: 0

To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP GRE encapsulated traffic that it receives, you can use the wccp access-list global configuration command.

Similar Messages

  • I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to iOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the MAC address is included on that list and that the password is correct. Under Choose Network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi NIC bad in this thing with the new Apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • Clienless webvpn and reflexive access list firewall

    I have a Cisco 3825 router with a WEBVPN server and a reflexive access-list firewall. All is well, but when I try from outside to go to the WEBVPN server and try through the WEBVPN site to open some web site, it doesn't work. For example, when I try to open yahoo.com, the log shows
    "%SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied tcp 98.138.253.109(80) -> my_ip_address(45341), 1 packet  [ACL_ERROR]"
    98.138.253.109 is yahoo.com's IP address.
    Can you give me advice on how to solve this problem?

    If you have WEBVPN, then you have the Security-image/license on your router. That means that you are not restricted to reflexive ACLs, you can use a "real" firewall-feature like CBAC or ZBF on that device.

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to them based on the rules on ISE. The problem I seem to be seeing is due to the limitation on the Cisco WLC, which limits an access-list to only 64 entries. As the setup has only a few SVIs/interfaces and multiple different access-lists are applied to the same interface based on the user groups, I was wondering if there may be a scalable design/approach whereby the access-list entries may scale, besides creating a VLAN for each user group and applying the access-list on the layer 3 interface instead. I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users; it is not seen for wired users, as the ACLs may be applied successfully without any limitation on the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide a better experience when it comes to such issues.
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • ICMP Inspection and Extended Access-List

    I need a little help clarifying the need for an Extended Access-list when ICMP Inspect is enabled on an ASA.  From reading various documents such as the following (http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html), I CAN allow ICMP through my ASA using an extended access-list or enabling ICMP Inspection in the Modular Policy Framework.  Is that true?  I only NEED an Extended Access-list or enable ICMP Inspection? I do not need both?  Or is it best practice to do both?
    What does the ASA do to a PING from a host on the inside interface (Security 100) to host on the outside interface (Security 0) when ICMP Inspection is enabled with the following commands:
    policy-map global_policy
    class inspection_default
    inspect icmp
    However, the following commands are NOT placed on the inbound Extended Access-list of the outside interface:
    access-list inbound permit icmp any any echo-reply
    access-list inbound permit icmp any any source-quench
    access-list inbound permit icmp any any unreachable 
    access-list inbound permit icmp any any time-exceeded
    access-group inbound in interface outside
    Will the PING complete?
    Thank you,
    T.J.

    Hi, T.J.
    If the problem is still current, I can answer this question for you.
    Let's see the situation without ICMP inspection enabled:
    The Cisco ASA will allow ICMP packets only if an ACL entry exists on the interface where the packet comes in. If we're speaking about ping, then ACL rules must allow packets in both directions.
    In the case with ICMP inspection, with an ACL entry you should allow only the request packets; replies will be allowed based on the connection created by ICMP inspection.
    Speaking about your particular example with different security levels, with the default rule that allows traffic from a higher-security interface to a lower one: NO, you do not need to enter the rules you described, and you'll have a successful ping.
    If you deleted this rule and administer the allowed traffic manually, then YES, you must allow ICMP requests to have a successful ping.
    P.S. It's not good practice to leave that default rule which allows traffic from a higher security level to a lower one.
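The stateful behaviour the answer above describes, as a small model added here (example code, not ASA code and not from the thread). It reduces the outside interface's inbound ACL to the set of ICMP types it permits, and tracks echo requests by (source, destination, identifier, sequence) the way an inspection engine does, admitting exactly one matching reply. NAT, idle timeouts, inspect icmp error and ICMP types other than echo/echo-reply are left out, and the 10.1.1.5 / 198.51.100.1 addresses are made up:

```python
"""Simplified model of a stateful firewall deciding whether an ICMP echo-reply may come in
through the outside interface, with and without ICMP inspection. Added example, not ASA code.
Left out: NAT, idle timeouts, 'inspect icmp error' and ICMP types other than echo/echo-reply."""
from dataclasses import dataclass, field

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0   # ICMP identifier
    seq: int = 0     # ICMP sequence number


@dataclass
class OutsideInterface:
    inspect_icmp: bool
    # inbound ACL on the outside interface, reduced to the set of permitted ICMP types;
    # {0, 3, 4, 11} corresponds to the four 'permit icmp any any ...' lines in the question
    acl_permit_types: set = field(default_factory=set)
    pending: set = field(default_factory=set)  # (src, dst, ident, seq) of unanswered requests

    def send_from_inside(self, pkt: Icmp) -> None:
        """Inside -> outside. Higher-to-lower security is allowed by default; with inspection
        an echo-request additionally records a connection that admits exactly one reply."""
        if self.inspect_icmp and pkt.type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))

    def receive_from_outside(self, pkt: Icmp) -> bool:
        """Outside -> inside. True if the packet is admitted."""
        if self.inspect_icmp and pkt.type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # a reply mirrors its request
            if key in self.pending:
                self.pending.discard(key)   # consumed: a duplicate or replayed reply is dropped
                return True
            return False                    # unsolicited reply: dropped regardless of the ACL
        return pkt.type in self.acl_permit_types  # everything else is decided by the ACL


def ping_outcomes() -> dict:
    """The four combinations from the answer above, for one echo request/reply pair."""
    req = Icmp("10.1.1.5", "198.51.100.1", ECHO_REQUEST, ident=0x1234, seq=1)
    rep = Icmp("198.51.100.1", "10.1.1.5", ECHO_REPLY, ident=0x1234, seq=1)
    out = {}
    for inspect in (False, True):
        for acl in (set(), {0, 3, 4, 11}):
            fw = OutsideInterface(inspect, set(acl))
            fw.send_from_inside(req)
            out[(inspect, bool(acl))] = fw.receive_from_outside(rep)
    return out  # only (inspection off, no ACL entry) fails; the other three pairs succeed


def replay_and_stray() -> tuple:
    """With inspection on: the matching reply passes once; a replay and an unrequested reply do not."""
    fw = OutsideInterface(inspect_icmp=True)
    fw.send_from_inside(Icmp("10.1.1.5", "198.51.100.1", ECHO_REQUEST, ident=7, seq=3))
    good = Icmp("198.51.100.1", "10.1.1.5", ECHO_REPLY, ident=7, seq=3)
    stray = Icmp("198.51.100.1", "10.1.1.5", ECHO_REPLY, ident=7, seq=4)
    return fw.receive_from_outside(good), fw.receive_from_outside(good), fw.receive_from_outside(stray)
```

ping_outcomes() maps (inspection on?, ACL permits echo-reply?) to whether the reply gets in; it fails only when both are off, which is the answer's "both directions must be allowed" case. replay_and_stray() shows what the ACL-only approach cannot give you: with inspection the same reply is accepted once and a second copy or a reply to a request nobody sent is dropped, which is the reason to prefer inspection over a standing permit icmp any any echo-reply on the outside interface.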

  • Prime Infra. 2.0 SSH and SNMP access to devices

    New Prime Infrastructure install. I am trying to discover my routers and switches. From the Operate and Discovery section, I can "Quick Discovery". I am given the option to set the SNMP string. After the discovery completes, I add SSH credentials to each device individually. Is there a method to set the SSH parameters ahead of time or in bulk?
    Thanks    

    Excellent idea.  Thanks.
    I suspect the "discovery settings" will allow SSH to be added but I haven't been able to make it work.  From the discovery settings section and after I enable SSH, I am asked to provide an IP address along with the username and password.  I get the username/password but I don't understand why an IP address is needed.
    Either way, the bulk add is pretty easy.
    Thanks again!

  • Access-list problem ?

    Hello, I'm having problems getting an access-list to work. With the access-group 104 in I lose my internet connectivity.
    Here's the config. If I remove the access-group 104 in from GigabitEthernet0/0 all works, but I want to have the settings on this interface.
    What am I missing?
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r01
    boot-start-marker
    boot-end-marker
    logging buffered 15000
    no logging console
    no aaa new-model
    clock timezone CET 1 0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 172.17.1.1 172.17.1.30
    ip dhcp excluded-address 172.17.1.240 172.17.1.254
    ip dhcp excluded-address 172.17.3.1 172.17.3.30
    ip dhcp excluded-address 172.17.3.240 172.17.3.254
    ip dhcp pool VLAN1
    network 172.17.1.0 255.255.255.0
    domain-name r1.local
    default-router 172.17.1.254
    dns-server 212.54.40.25 212.54.35.25
    lease 0 1
    ip dhcp pool VLAN100
    network 172.17.3.0 255.255.255.0
    domain-name r1_Guest
    default-router 172.17.3.254
    dns-server 212.54.40.25 212.54.35.25
    lease 0 1
    ip domain name r1.lan
    ip name-server 212.54.40.25
    ip name-server 212.54.35.25
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    object-group network temp
    description dummy addresses
    1.1.1.1 255.255.255.0
    2.2.2.2 255.255.255.0
    object-group network vlan1-lan
    172.17.1.0 255.255.255.0
    object-group network vlan100-guest
    172.17.3.0 255.255.255.0
    object-group network ziggo-dns
    host 212.54.40.25
    host 212.54.35.25
    redundancy
    ip ssh version 2
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address dhcp
    ip access-group 104 in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description r1.local lan
    ip address 172.17.1.254 255.255.255.0
    ip access-group 102 in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    description Vlan100 r1_Guest
    encapsulation dot1Q 100
    ip address 172.17.3.254 255.255.255.0
    ip access-group 103 in
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    no cdp enable
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 172.17.2.0 255.255.255.0 172.17.1.253
    access-list 23 permit 172.17.1.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 102 deny ip any object-group vlan100-guest
    access-list 102 permit ip any any log
    access-list 103 deny ip any object-group vlan1-lan
    access-list 103 permit ip any any
    access-list 104 permit tcp any any eq 22
    access-list 104 permit udp any any eq snmp
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp object-group temp any echo
    access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
    access-list 104 deny ip any any log
    no cdp run
    control-plane
    line con 0
    login local
    line aux 0
    line 2
    login local
    no activation-character
    no exec
    transport preferred none
    transport input ssh
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    login local
    transport input ssh
    scheduler allocate 20000 1000
    end

    Hello,
    I applied the rules and that works.
    Only one thing I have now:
    Reboot router.
    Interface 0/0 gets no DHCP address from the ISP.
    I have to remove the 104 in from int 0/0.
    Then the router logs: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x, hostname r01
    Int 0/0 gets a DHCP IP address, next I apply the ACL 104 in to int 0/0 and all works until the next reboot.
    Maybe I have to put a static IP address on int 0/0?
    Thanks for your help !

  • Need to know where I can view ACL denies regarding "access-list deny any log"?

    I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
    I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

    Hi,
    Yes, with an extended access-list with the last line:
    deny ip any any log
    with "sh log" you can  see the source address of the packets being dropped.
    Take note that you must be at least at logging level 6 (informational); by default console and monitor are at level 7 (debugging):
    logging console debugging
    logging monitor debugging
    With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
    access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
    access-list 101 deny   udp any range 0 65535 any range 0 65535 log
    access-list 101 deny   icmp any any log
    access-list 101 deny   ip any any log
    to log the sources and destinations IPs and port numbers.
    Best Regards,
    Pedro Lereno
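A parser for those messages, added here as an example (not from the thread): it pulls the ACL name, source and destination out of each IOS ACL log line and sums denied packets per source, which is the view the question asks for. The first sample line is the one quoted in the WEBVPN post above with the destination replaced by a documentation address; the other lines are constructed to cover the IPACCESSLOGP (tcp/udp), IPACCESSLOGDP (icmp), IPACCESSLOGNP (other protocols) and IPACCESSLOGS (standard ACL) formats, plus a rate-limit summary that carries no address:

```python
"""Extract the source addresses behind IOS ACL 'deny ... log' messages (added example).

Handles the message families an IOS ACL with 'log' emits: IPACCESSLOGP (tcp/udp, with
ports), IPACCESSLOGDP (icmp, with type/code), IPACCESSLOGNP (other protocols, by number)
and IPACCESSLOGS (standard ACLs). IPACCESSLOGRL summaries carry no address and are skipped."""
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP|S): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?:(?P<proto>\S+) )?(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?)?,? (?P<count>\d+) packets?")

# constructed sample: the first line is the one quoted in the WEBVPN post above (destination
# replaced by a documentation address); the rest are made up to show the other formats
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list ACL-FILTER-IN denied tcp 98.138.253.109(80) -> 203.0.113.5(45341), 1 packet",
    "*Mar  1 00:13:01.120: %SEC-6-IPACCESSLOGP: list 104 denied udp 198.51.100.7(40123) -> 203.0.113.5(161), 1 packet",
    "*Mar  1 00:18:01.120: %SEC-6-IPACCESSLOGP: list 104 denied udp 198.51.100.7(40123) -> 203.0.113.5(161), 12 packets",
    "*Mar  1 00:13:05.003: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 198.51.100.7 -> 203.0.113.5 (8/0), 1 packet",
    "*Mar  1 00:13:09.450: %SEC-6-IPACCESSLOGNP: list 104 denied 47 198.51.100.9 -> 203.0.113.5, 1 packet",
    "*Mar  1 00:13:12.781: %SEC-6-IPACCESSLOGS: list 23 denied 192.0.2.10 1 packet",
    "*Mar  1 00:13:15.000: %SEC-6-IPACCESSLOGP: list 104 permitted tcp 192.0.2.20(51000) -> 203.0.113.5(22), 1 packet",
    "*Mar  1 00:13:20.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets",
]


def parse_line(line):
    """Return a dict for one ACL log message, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"acl": d["acl"], "action": d["action"], "proto": d["proto"] or "ip",
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
            "icmp": (int(d["itype"]), int(d["icode"])) if d["itype"] else None,
            "packets": int(d["count"])}


def denied_sources(lines):
    """Sum denied packet counts per (ACL, source address)."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["packets"]
    return totals


def report(lines, top=10):
    """Top-N denied sources, most packets first, one text line each."""
    return [f"{acl:<16} {src:<16} {n:>6} packets"
            for (acl, src), n in denied_sources(lines).most_common(top)]
```

Feed it the text of show logging or the syslog server's file. Two caveats that follow from how IOS logs ACL hits: after the first matching packet IOS emits a periodic count rather than one message per packet, so the sums are a lower bound on what was actually dropped, and an IPACCESSLOGRL line means some hits were never logged at all. The messages are level 6, which is why the answer's point about the logging level matters: a buffer or syslog destination set below informational will not receive them.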

  • Access Lists

    Hi,
    I have two routers R1 and R2 with FastEthernet Interface IP address (F0/0)10.1.0.1 and
    (F0/0)10.1.0.2 respectively. I am using HSRP and R1 is active and R2 is in standby state.
    What's happening is when I apply ACLs on R1 F0/0 I cannot telnet to R2, but if I remove these ACLs I can telnet to R2 from R1.
    Can someone please help me with this. Since they are on the same segment, my understanding is that I can telnet to R2 from R1 even after applying the ACLs.
    Thanks

    Hi Jason,
    Please find below the config of R1
    interface FastEthernet0/0
    ip address 10.1.0.1 255.255.255.0
    ip access-group 101 in
    ip access-group 102 out
    speed auto
    standby 1 ip 10.1.0.254
    standby 1 preempt
    access-list 101 permit tcp host 10.1.0.1 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.2 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.3 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.4 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.5 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.6 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.7 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.8 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp host 10.1.0.9 host 192.168.1.205 range 41001 42010
    access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.1.190
    access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.8.22
    access-list 101 permit udp 10.1.0.0 0.0.0.255 eq snmp host 192.168.8.22
    access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmp
    access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmptrap
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.1
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.2
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.3
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.4
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.5
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.6
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.7
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.8
    access-list 102 permit tcp host 192.168.1.205 range 41001 42010 host 10.1.0.9
    access-list 102 permit tcp host 192.168.1.190 10.1.0.0 0.0.0.255
    access-list 102 permit udp host 192.168.8.22 eq snmptrap 10.1.0.0 0.0.0.255
    access-list 102 permit udp host 192.168.8.22 eq snmp 10.1.0.0 0.0.0.255
    access-list 102 permit udp host 192.168.8.22 10.1.0.0 0.0.0.255 eq snmp
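One way to check, offline, what a posted ACL does to a specific packet. This evaluator is added here as an example (it is not from any post and not IOS code); it handles the subset of IOS ACL syntax these threads use and applies the IOS rule that the first matching entry wins with an implicit deny at the end. It is run against ACL 104 from the "Access-list problem?" post and three lines of ACL 101 from the HSRP post above; 203.0.113.1 as the ISP's DHCP server and 52000 as the ephemeral port are made up. Two assumptions behind the scenarios: on IOS an inbound interface ACL is also evaluated for packets addressed to the router itself, which is what a DHCPOFFER on Gi0/0 and R2's telnet SYN-ACK on R1 F0/0 are, and an outbound ACL does not filter packets the router generates, so ACL 102 is not what stops R1's own SYN:

```python
"""Evaluate packets against a subset of Cisco IOS IPv4 ACL syntax. Added example, not code from
any post or from IOS. Handles standard and extended, numbered or named ACLs: 'any', 'host A',
'A WILDCARD', 'object-group NAME', 'eq'/'range' ports, named ICMP types, a trailing 'log'.
First match wins and an implicit 'deny any' ends every list. Packet ports default to 0, icmp_type to -1."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ssh": 22, "telnet": 23, "domain": 53, "bootps": 67, "bootpc": 68,
              "www": 80, "snmp": 161, "snmptrap": 162}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4, "echo": 8, "time-exceeded": 11}
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, -1))


def _ip(s): return int(ipaddress.ip_address(s))

def _addr(tokens, groups, mask_form=False):
    """Consume one address spec from tokens; return a matcher for a dotted-quad string."""
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        h = _ip(tokens.pop(0))
        return lambda ip: _ip(ip) == h
    if t == "object-group":  # network object-group members are 'host A' or 'NET MASK'
        members = [_addr(m.split(), groups, True) for m in groups[tokens.pop(0)]]
        return lambda ip: any(m(ip) for m in members)
    net = _ip(t)  # a bare 'A' (standard ACL) means host A; else the next word is a wildcard or mask
    second = _ip(tokens.pop(0)) if tokens and tokens[0][0].isdigit() else 0
    wild = (~second & 0xFFFFFFFF) if mask_form else second
    return lambda ip: (_ip(ip) & ~wild) == (net & ~wild)

def _port(tokens):
    """Consume an optional 'eq P' or 'range A B'; return a port matcher."""
    num = lambda s: PORT_NAMES.get(s) or int(s)
    if tokens and tokens[0] in ("eq", "range"):
        op = tokens.pop(0)
        lo = num(tokens.pop(0))
        hi = num(tokens.pop(0)) if op == "range" else lo
        return lambda port: lo <= port <= hi
    return lambda port: True

def parse_acl(text, groups=None):
    """Parse lines in 'access-list N ...' form or named-ACL 'permit ...' form."""
    groups, entries = groups or {}, []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "!"):
            continue  # 'ip access-list ...' header or a comment
        if tokens[0] == "access-list":
            tokens = tokens[2:]  # drop 'access-list <number>'
        e = {"text": raw.strip(), "action": tokens.pop(0), "icmp": None}
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):  # extended entry
            e["proto"] = tokens.pop(0)
            e["src"], e["sport"] = _addr(tokens, groups), _port(tokens)
            e["dst"], e["dport"] = _addr(tokens, groups), _port(tokens)
            if tokens and tokens[0] in ICMP_TYPES:
                e["icmp"] = ICMP_TYPES[tokens.pop(0)]
        else:  # standard entry: source address only
            e["proto"], e["src"] = "ip", _addr(tokens, groups)
            e["dst"] = e["sport"] = e["dport"] = lambda _: True
        entries.append(e)
    return entries

def evaluate(entries, pkt):
    """Return (action, entry text) for the first matching entry, else the implicit deny."""
    for e in entries:
        if (e["proto"] in ("ip", pkt.proto) and e["src"](pkt.src) and e["dst"](pkt.dst)
                and e["sport"](pkt.sport) and e["dport"](pkt.dport)
                and (e["icmp"] is None or e["icmp"] == pkt.icmp_type)):
            return e["action"], e["text"]
    return "deny", "implicit deny any"


# ACL 104 and object-group 'temp' as posted, applied inbound on the DHCP-addressed Gi0/0
GROUPS = {"temp": ["1.1.1.1 255.255.255.0", "2.2.2.2 255.255.255.0"]}
ACL_104 = """
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log
"""
BOOTP_PERMIT = "access-list 104 permit udp any eq bootps any eq bootpc\n"  # the line 104 lacks
# three of the posted ACL 101 lines (the rest differ only in source host); none permits traffic to R1
ACL_101 = """
access-list 101 permit tcp host 10.1.0.2 host 192.168.1.205 range 41001 42010
access-list 101 permit tcp 10.1.0.0 0.0.0.255 host 192.168.1.190
access-list 101 permit udp 10.1.0.0 0.0.0.255 host 192.168.8.22 eq snmp
"""

def check_dhcp_offer(with_bootp_permit=False):
    """DHCPOFFER from the ISP (UDP 67 -> 68) arriving inbound on Gi0/0; 203.0.113.1 is a made-up server."""
    acl = ACL_104.replace("access-list 104 deny", BOOTP_PERMIT + "access-list 104 deny") if with_bootp_permit else ACL_104
    return evaluate(parse_acl(acl, GROUPS), Packet("udp", "203.0.113.1", "255.255.255.255", 67, 68))

def check_telnet_reply():
    """R2's SYN-ACK (10.1.0.2:23 -> 10.1.0.1) arriving inbound on R1 F0/0 under ACL 101."""
    return evaluate(parse_acl(ACL_101), Packet("tcp", "10.1.0.2", "10.1.0.1", 23, 52000))
```

check_dhcp_offer() lands on the deny ip any any log line, which is consistent with the follow-up in that thread (no lease after a reboot while 104 is applied, and a lease as soon as it is removed); check_dhcp_offer(True) shows the same packet permitted once a permit udp any eq bootps any eq bootpc line precedes the deny, which is the usual addition for an interface that takes its address by DHCP. check_telnet_reply() hits the implicit deny: nothing in ACL 101 permits traffic to R1 itself, so R2's reply to R1's telnet is dropped on the way in, whatever ACL 102 says. The same parser takes the named standard list from the WAAS question at the top (ip access-list standard SNMP / permit 10.10.10.2) and shows an SNMP request from 10.10.10.2 permitted and one from any other source denied.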

  • Thoroughly confused with ASDM-created access-lists when viewing ASA config

    Background:
    I am trying to unravel an ASA 5550 config that has been created over several years by multiple people, some who used ASDM, some who used the CLI.
    None of them ever removed any lines from the configuration, and none did any documentation.
    I have several basic questions, which show my ignorance.
    When examining the actual configuration from a CLI perspective:
    1. Does an ASDM-created access list end with any specific ASDM-added suffix?
    2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
    3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
    4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?

    Actually, I don't think I ever made myself clear.
    I am working with a hard copy of the CLI.
    I have no access to the devices to run any commands, nor access to ASDM.
    I have to get someone with access to the devices to get the CLI based config, or run any show commands for me.
    As stated before, it has been built and rebuilt by different people, some using CLI, some using ASDM, but no one ever cleaned up code or documented.
    I have probably 10-15 different access lists in this config.
    Some look to be affiliated with specific ports. Some of these ports are up, some down.
    I have the same rule sets appearing in 3 separate access lists, in some cases.
    Of course, each of these 3 access lists is slightly different.
    Here is the worst example I have to deal with, and hence why I need to know if an access-list can be active WITHOUT being defined in the access-group command AND AT THE SAME time NOT affiliated with a port.
    An example:
    3 access lists:
    Primary_Public_access_in
    Primary_Public_access_in_tmp
    Arin_Primary_Public_access_in
    Primary_Public_access_in_tmp is associated with the Primary_Public interface, since it is defined in an access-group command.
    Arin_Public_Primary_access_in is associated with a logical port that is shutdown.
    Primary_Public_access_in does not appear to be directly associated with any one port
    So are Arin_Public_Primary_access_in and Primary_Public_access_in access lists that being referenced to manage traffic?

  • WS-C3524-XL-EN , mac access-list , ssh ..

    Does this switch (CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION), with the latest IOS running on it, support SSH and MAC access-lists to secure the port by MAC?
    thanks

    There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for the 3550 and look for the link.

  • How to access Access List information through SNMP?

    Hi,
    I wonder if it is possible to access a router's access list info (ACL type, name, entries, stats) through SNMP.
    Using the SNMP Object Navigator I have found a MIB and OIDs that should allow me to do just that: 
    Object: ciscoACLMIB
    OID: 1.3.6.1.4.1.9.9.808
    MIB: CISCO-ACL-MIB (View Supporting Images)
    Description: "This MIB module defines objects that describe Cisco Access Control Lists (ACL)."
    But clicking on the "Supported Images" link shows that this MIB is not supported in any IOS release. I have tested with an snmpwalk on a few routers with different IOS versions and I don't get any results:
    SNMPv2-SMI::enterprises.9.9.808 = No Such Object available on this agent at this OID
    Is there any way to read the ACL info through SNMP? Can anybody explain to me how to do this?
    Thanks in advance.
    Alberto

    Hi Alberto,
    Unfortunately, it is not possible to get ACL information via SNMP.
    An enhancement bug has already been filed for this:
    CSCdu44167    no corresponding MIB for show access-list on a router
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • Access-list through SNMP

    Hi!
    I have Linksys SPS224G4.
    I'm trying to create a MAC access-list and bind it to an interface by using SNMP.
    Please advise me in which MIB I can find the OIDs to operate such functions.

    These OIDs lie in qosclimib.mib

  • How to find out list of users and their access on Sharepoint

    Hello Everyone
    How can I find out the list of users and what access they have on a SharePoint site? I want to create a table with the list of the users and their access.
    Thanks

    You can get the report using the PowerShell scripts below. The first one gives the list of users at the site collection level.
    The second link generates the permissions reports for each user.
    http://techtrainingnotes.blogspot.com/2010/12/sharepoint-powershell-script-to-list.html
    https://sp2010userperm.codeplex.com/
    My Blog: http://www.sharepoint-journey.com
    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site-to-site VPN on my ASA. My question is: can I create an access list for the site-to-site tunnel but still leave the remote access VPN to bypass the access list via the sysopt command, or if I turn this off will it affect both site-to-site and remote access VPN?

    If you turn off sysopt conn permit-vpn it will apply to both your site-to-site and remote access VPN... all IPsec traffic. You would have to use a vpn-filter for the site-to-site tunnel if you wanted to leave the sysopt in there.
