Which direction should ACL be applied
Hello there,
I'm adding ACLs to lock down the LAN environment and my core is a 4510+R. I want to block port 80, 443 and 8080 from coming INTO the network. My security guy tells me users use port 80, 443 and 8080 to get out and web services use other ports to come back in. I want to use an extended access-list the likes of:
ip access-list extended NO_HTTP
deny tcp any any eq 80
deny tcp any any eq 443
deny tcp any any eq 8080
permit ip any any
My confusion is: which direction on my SVI do I apply this ACL if I want users to be able to access web sites but block inbound traffic on 80, 443 and 8080? All information I've been able to read says to apply extended ACLs as close to the source as possible. With an SVI, that seems like a grey area?
Any kind of clarification on this would be most helpful and appreciated.
Thanks very much in advance,
Kiley
I think from the perspective of the SVI you have to apply the access list OUT. OUT means that the traffic will be processed by the access list after it gets routed, i.e., when exiting the interface; in other words, packets originating from the outside GOING OUT to your LAN.
Similar Messages
-
Should ACL be applied on port in Closed mode
Hi,
while reading about Closed mode deployment of ISE, I came across a conflict between Cisco's "HowTo-10-Universal_Switch_Config" and "HowTo-25-Closed_Mode" documents.
According to "HowTo-10-Universal_Switch_Config", in Closed Mode we need to apply an ACL on the switch port as follows:
ip access-list ext ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Drop all the rest
deny ip any any log
But according to "HowTo-25-Closed_Mode", in Closed Mode, we don't apply this ACL on switchport.
So my question is whether the ACL needs to be applied on the switchport or not, and how it will affect the switchport.
Thanks,
Aditya
Hello Aditya-
Very good question. The default ACL will always be there on the switch whether you configure one or not. Check out this document:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/sw8021x.html#pgfId-1193896
You have two options:
1. Create your own default ACL to avoid the default one (that only allows DHCP). Your default ACL should be more permissive than the default one. For instance, mine always included "permit ip any any." That way authenticated and authorized hosts are not blocked from accessing any resources on the network.
2. Always return a DACL in your ISE authorization profiles (even if it is just "permit ip any any"). That way the default ACL is removed.
I prefer method #2; that way I don't have to bother with the default ACL, and it also allows me to control traffic based on the different authorization profiles and DACLs that I apply.
I hope this helps!
-
Which .exe file I should choose to apply SP2 for SQL Server 2008r2 Enterprise Edition 64Bit
Hi All,
Which .exe file I should choose to apply SP2 for SQL Server 2008r2 Enterprise Edition 64Bit.
And what is the difference between below .exe files.
SQLServer2008R2SP2-KB2630458-x64-ENU.exe
SQLServer2008R2SP2-KB2630458-IA64-ENU.exe
Grateful for your time and support. Regards, Shiva
Good day
Shiva Shakthi,
I have changed the type of the thread to a question, as this is a question :-)
Please choose the right type next time. If you have a question then use a question thread (this is the default), and that will let you mark the answers that you get.
Have a nice day :-)
-
Not sure which direction I should be heading
I'm going to drop a lot of money on equipment sometime during the next six months, and I'm really not sure which direction I should take this. As I see it I could either go with everything hardware, or I could go with Mainstage. Basically, what I want is to get the sound of me and my keyboardist up to snuff, as it's currently not that great.
What I'm thinking of getting for now:
Hardware route:
Nord Electro 73
a magically great guitarfx
Software route:
Mainstage
M-Audio Profire 2626
Midi foot controller
Macbook Pro 3,06GHz 4GB RAM
As you can see, the Mainstage route will be more expensive. At the same time it will offer more flexibility, and the ability for more bandmates to join in in the future.
Keyboardist will use the following sounds:
- Piano
- Rhodes w/ effects
- B3
- Clavinet
- Solina
- Strings
- (Maybe some C64 SID-sounds)
I guess that's it for now.
Guitarist (me) will use:
- Overdrive
- Amp simulator
- Delay (I know this takes a lot of processing power, so only one or two delay-fx simultaneously.)
- Other, typical guitar-fx.
If I go hardware I'll go with a multi-fx, but I have yet to find any that will let me tap the tempo on one patch and then keep that tempo when I go to the next patch, so they get kind of limited.
We will both be playing at the same time, and latency is important. I want to use it at 16bit/44,1KHz, as I guess that's the lowest I can go. I want to be able to play with a 32 sample buffer. At 64 samples the latency gets too long. I guess I could get used to it, but the day I try to run my bassist or other guitarist or lead vocals or backing vocals through Mainstage I don't want to have to excuse the latency.
Is it stable enough? I plan on using the computer as a Mainstage-only laptop, not installing anything except Mainstage and maybe a few plugins. It'll normally not be connected to the internet, with Airport turned off.
There's probably a lot of stuff I've forgot to mention, that I might think of later, but the main question is; which route would you go in my situation? Hardware or software?
Stability will be risky on Mainstage. Some people have no problems, others have lots of CPU issues.
I've been running one keyboardist and a backingtrack loaded into exs24 and have had one problem during a show that required a reboot.
EXS24 stopped playing a backing track twice as well - which was pretty major.
I'll be using playback for backing tracks and will not be sending my guitar through the computer. We will also have a drummer playing now, so if the computer breaks, we'll lose keyboards and will be able to continue on and end a song.
I think it's an acceptable risk for the flexibility and cost savings - since I already had a laptop and all the midi gear. And I try to accept a bit of glitchyness as it's a new program. Hopefully that will be changing over the next few months - as this latest version seems more stable and updates should add to that.
If I were a major act playing large shows, *I would not be using it*. And if it continues to cause problems, we'll be looking for something else.
I used the logic environment for our last band. We had three keyboards for three separate people - that worked pretty much flawlessly. -
ACLs never apply to traffic generated by the router
http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
"Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?
Thanks Rick. I need some clarification about the below scenario please:
Suppose I have got R1 (one of many routers) with two interfaces, serial0/0 and e0/0. The IP address for serial0/0 is 192.168.0.1/24 and the IP address for e0/0 is 172.16.0.1/16.
R1(config)#access-list 101 deny ip any any
R1(config)#interface serial 0/0
R1(config-if)#ip access-group 101 out
R1(config)#access-list 150 deny ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 150 in
Now we have satisfied the condition which it states: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
1- ((The inbound ACL will deny all traffic)).
This is obvious because when any packet tries to enter router R1, the ACL will check both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the condition of the ACL, it will be dropped.
2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
The first part (In this case the outbound ACL can deny transit traffic) is fine. As for the second one, "but can not deny packets generated by the router which will be transmitted": my understanding is that when packets are generated by router R1, these packets have a source IP address and a destination IP address.
The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be denied? -
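The two ACL questions on this page (which direction to bind NO_HTTP on an SVI in the opening thread, and why a router's own packets escape an outbound ACL in the thread just above) come down to the same evaluation rule, so the following Python model, added here and not taken from either thread or from Cisco, replays both. It encodes what IOS does: an ACL bound "in" is checked against packets arriving on that interface, "out" against packets leaving through it, first matching entry wins with an implicit deny, and locally generated packets are never run through an outbound ACL. VLAN names, interface names and addresses are invented, and, unlike the poster's configuration, the second scenario also binds a deny-all inbound on Serial0/0 so the quoted "return packet will be blocked as usual" case can be traced.

```python
"""Model of extended-ACL direction on an IOS router / L3-switch SVI.

Constructed example, not Cisco code. It models two behaviours from the threads
above: (1) an ACL bound "in" on an SVI is checked against packets arriving from
that VLAN and "out" against packets leaving toward it, so a stateless deny on
destination port 80/443/8080 must be bound "out" to stop connections *to* LAN
hosts without stopping the users' own requests; (2) packets the router itself
originates skip the outbound ACL entirely, while their replies still hit the
inbound ACL of the receiving interface. Addresses, VLAN and interface names
are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Entry:
    """One ACE of the form `<action> <proto> any any [eq <dport>]`."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dport: Optional[int] = None  # None = no `eq` qualifier on the destination

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching ACE wins; IOS appends an implicit `deny ip any any`."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


@dataclass
class Interface:
    name: str
    acl_in: Optional[list] = None
    acl_out: Optional[list] = None


def forward(pkt: Packet, ingress: Optional[Interface],
            egress: Optional[Interface]) -> str:
    """ingress=None: the router generated pkt; egress=None: pkt is for the router."""
    if ingress is not None and ingress.acl_in is not None:
        if evaluate(ingress.acl_in, pkt) == "deny":
            return f"dropped by {ingress.name} in"
    if ingress is None:
        # Locally originated traffic is not evaluated against outbound ACLs.
        return "forwarded (locally generated, outbound ACL not evaluated)"
    if egress is not None and egress.acl_out is not None:
        if evaluate(egress.acl_out, pkt) == "deny":
            return f"dropped by {egress.name} out"
    return "forwarded"


# The NO_HTTP list from the opening post, as ACEs.
NO_HTTP = [Entry("deny", "tcp", 80), Entry("deny", "tcp", 443),
           Entry("deny", "tcp", 8080), Entry("permit", "ip")]
DENY_ALL = [Entry("deny", "ip")]


def svi_scenario(direction: str) -> dict:
    """Bind NO_HTTP to the LAN SVI "in" or "out" and trace three flows."""
    svi = Interface("Vlan10",
                    acl_in=NO_HTTP if direction == "in" else None,
                    acl_out=NO_HTTP if direction == "out" else None)
    uplink = Interface("Gi1/1")  # no ACL on the uplink
    user_req = Packet("tcp", "10.10.0.25", "203.0.113.10", 51234, 443)   # LAN user -> web site
    user_reply = Packet("tcp", "203.0.113.10", "10.10.0.25", 443, 51234)  # web site -> LAN user
    probe = Packet("tcp", "198.51.100.7", "10.10.0.40", 40000, 80)        # outside -> LAN host :80
    return {"user request": forward(user_req, svi, uplink),
            "user reply": forward(user_reply, uplink, svi),
            "inbound to LAN :80": forward(probe, uplink, svi)}


def router_generated_scenario() -> dict:
    """deny-all in/out on s0/0 and in on e0/0: transit vs router-originated."""
    s0 = Interface("Serial0/0", acl_in=DENY_ALL, acl_out=DENY_ALL)
    e0 = Interface("Ethernet0/0", acl_in=DENY_ALL)
    transit = Packet("icmp", "172.16.5.9", "192.168.0.2")
    own_ping = Packet("icmp", "192.168.0.1", "192.168.0.2")   # sourced by R1 itself
    own_reply = Packet("icmp", "192.168.0.2", "192.168.0.1")  # reply back to R1
    return {"transit e0/0->s0/0": forward(transit, e0, s0),
            "router ping out s0/0": forward(own_ping, None, s0),
            "reply to router in s0/0": forward(own_reply, s0, None)}


if __name__ == "__main__":
    for d in ("in", "out"):
        print(f"NO_HTTP {d} on Vlan10:", svi_scenario(d))
    print(router_generated_scenario())
```

Running it shows the asymmetry the first poster was worried about: with NO_HTTP bound "in" on Vlan10 the users' own request is dropped while the inbound probe to a LAN host on port 80 sails through, and with it bound "out" the request and its reply are forwarded while the probe is dropped. Because IOS extended ACLs are stateless, the model distinguishes request from reply only by destination port, so the "out" binding also blocks any routed source, not just the Internet, from reaching web services on that VLAN. In the second scenario the router's own ping leaves Serial0/0 despite the deny-all outbound list, and the reply is dropped by the inbound list, exactly as the quoted Cisco Press text describes.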
Sending URLs to Outlook which link directly to the work item of the UWL
My project, which was developed on ASP with Oracle, is now being re-designed into Enterprise Portal and SAP R/3 4.6c. Here the scenario is: when a user creates or changes a pricing condition on the PORTAL, it should trigger a workflow in SAP R/3 which goes through a loop of approval process and finally gets approved or rejected.
Here the notifications are sent to the approvers outlook where the outlook subject should contain two links, the first should link to the portal UWL and the second should link to the respective WORKITEM in the UWL.
My questions are
1) How does an event on the portal side trigger a workflow at the backend?
Do we need to explicitly raise the event in the BAPI for create/change to trigger workflow using SWE_EVENT_CREATE or is there any alternative?
2) How to send a notification to the outlook with URLs which directly points to UWL and respective work item in the portal UWL?
I went through the EXTENDED NOTIFICATIONS FOR SAP Business WORKFLOW help file but I didn't get a clear picture of it.
Is it all done with the BSPs in the help file?
3) Is it only configuration that we do in the portal to get all the work items from the SAP inbox, or do we need to do any extra coding to get all the work items into the UWL?
Please do the needful. Basically I am new to WEBFLOW. So, if possible, spare some time and send me the flow and the solutions in detail.
Advance thanks
Warm regards,
Sateesh
Hi Sateesh
To make RSWUWFML2 work at least you have to do:
1. Set up SAP Gateway to connect to Outlook (SCOT) as type INT
2. There are some settings additional that basis will have to carry out - CHECK OSS for that
3. Ensure all the users have home email address
4. In SO16 Tab MailSySgRP choose send email to user's home address
5. Then in SAP schedule report RSWUWFML2 (frequency should ideally be every 10 min - depends on the volume of emails)
You will find further information in note: 733681
If the requirement for direct access to the work item in the UWL is very important you could do the following:
Make a copy of the report, i.e. ZRSWUWFMS2, make the appropriate changes in the code and schedule that instead. This is not recommendable, since all changes made to the report by SAP will be lost to you.
Hope it helps
Kind regards
Mikkel -
I'm new to all CS applications, though I'm familiar with the concepts. I just bought CC and want to start teaching myself how to use each app (primary end goal being Photoshop, Illustrator, and InDesign). Is there an order in which I should learn the apps that makes it easier to comprehend it and others?
thanks!
Hi Blair,
Personally, I think they are all unique enough in their own right that the order wouldn't really matter. I'm biased towards Photoshop. You might want to spend time going through the content here:
http://tv.adobe.com/show/learn-photoshop-cc/
http://tv.adobe.com/show/learn-illustrator-cs6/
http://tv.adobe.com/show/learn-indesign-cc/
and here
https://helpx.adobe.com/creative-cloud/products.html
If you already know the concepts, it will be a matter of learning the interface and how to apply the concepts in practice.
-Dave -
Want to learn SAP - which module should opt for...
One of my friends is in the Retail domain (non-SAP), working with one retail channel as a store manager. He wants to learn SAP. Which module should he go for: SD, CRM, or direct IS_Retail certification? As a fresher, where will he be able to get a chance???
i am working as a SAP Recruiter in some company..so i am aware that there is not much demand for fresher in this industry..
Please guide...
Plenty of information about Retail education on Service Marketplace - Retail (https://websmp104.sap-ag.de/RETAIL), where you will find course descriptions. For example:
This curriculum comprises an Overview Course (Level 2), which explains the main retailing processes in SAP for Retail, plus seven Detailed Courses (Level 3), which examine specific retailing processes and how these are mapped and controlled in SAP for Retail.
The Overview Course IRT100 (Retail Process Overview) explains the core processes of a retailing company. Based on a scenario in which merchandise is sold from stores, the course demonstrates how the store and distribution center are supplied with goods. Further process examples are the special cases of promotions and return of merchandise. -
Which One Should I Choose?
When I launch Disk Utility, I'm asked to select a disk, volume, or image. I'm enclosing a photo of my hard drives. For instance, if I wanted to repair disk permissions on "Hard Disk," there appear to be two choices. Choice one: Hard Disk icon. Choice two: Hard Disk icon and number 74.5 GB ST380021A
Which one should I choose to repair?
The same choices are given to the other two hard drives that I have. Two choices per hard disk?
I use a Dual 1 GHz PowerPC G4 (QuickSilver 2002); running OS X 10.5.8 Leopard.
Niel is correct, for repairing permissions etc you can use either...
The upper icon (ST380021A) represents the device, the icon underneath it (Hard Disk) represents a partition, (you can divide the disk up into multiple partitions)
If you select the device, actions will affect all partitions, (i.e. fix permissions on all partitions on that device) whereas selecting an individual partition will only affect that one partition.
One thing that breaks this is the partition tab, which applies to the current device and all of its partitions even if you are only selecting one of its partitions. -
Ip redirects - which direction?
I am troubleshooting an issue with CPU utilization on a 3750X stack. The show controllers cpu-interface tells me that the icmp queue counter is growing quite fast ... about 5000 per second. I read that this is a queue for ICMP redirect messages.
Now, I know what ICMP redirects are about, and how they are supposed to work. What I need to know is what would be the effect of the no ip redirects command on the SVI of the switch? Which direction of traffic does it apply to? Would it be:
If I receive a packet, and I know a better router that could handle it, but I will not send a redirect to tell the host so,
If I forward a packet, and receive a redirect, then I will not take the redirection into account,
Both of the above,
None of the above.
Thanks in advance.
Kevin Dorrell
Luxembourg
Thanks for all your help guys. This forum is awesome. Yes, I know I could sort it out by going into a corner with GNS3, but somehow talking it over with my peers is a much better way of learning.
Anyway, I did go and try a few things in the lab. First of all, Rick is right to say that the router does not take any account of incoming redirects ... unless you have no ip routing, in which case you have a host and not a router any more. If you do disable ip routing, then it does take account of redirects, storing them in a cache which you can see with show ip redirects. Now, if it is acting as a host, can you get it to ignore the redirects? No you cannot. The command no ip redirects has no effect on incoming redirects. So the router is behaving as a host, and not a very secure one at that(!).
I also tested the normal operation of ip redirects, and no ip redirects does disable the generation of IP redirect messages.
I did find one difference between my router lab and my live production 3750X though. In the lab, my 3640 did not attempt to generate an ip redirect to the alternate gateway unless the alternate gateway was on the same subnet as the source of the original packet. So it would not generate a redirect for a packet that was coming in from its primary subnet and getting sent out to a gateway in its secondary subnet.
Kevin Dorrell
Luxembourg -
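Kevin's lab results above line up with the conditions Cisco documents for redirect generation, and the following Python model, added here and not taken from the thread or from Cisco, encodes them: a redirect is sent only when the packet is routed back out the interface it arrived on, the next hop lies in the same subnet as the packet's source (a secondary subnet on the same interface does not qualify, which is the case Kevin hit), and `ip redirects` is enabled on that interface. It also captures the other finding: received redirects are ignored by a router and honoured only by a box with `no ip routing`, regardless of `no ip redirects`. Interface names and addresses are invented.

```python
"""Model of when an IOS box generates or honours an ICMP redirect.

Constructed example, not Cisco code. Conditions for sending a redirect:
same ingress and egress interface, next hop in the same subnet as the
packet's source, redirects enabled on the interface, and the box acting as
a router. A router never acts on redirects it receives; only a host
(`no ip routing`) does, and `no ip redirects` does not change that.
Interface names and addresses are invented.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass
class L3Interface:
    name: str
    primary: IPv4Interface
    secondaries: tuple = ()        # `ip address ... secondary` entries
    ip_redirects: bool = True      # False after `no ip redirects`

    def subnets(self):
        return [i.network for i in (self.primary, *self.secondaries)]


def same_subnet(ifc: L3Interface, a: IPv4Address, b: IPv4Address) -> bool:
    """True when a and b fall in the same primary or secondary subnet of ifc."""
    return any(a in net and b in net for net in ifc.subnets())


def sends_redirect(ingress: L3Interface, egress: L3Interface,
                   src: IPv4Address, next_hop: IPv4Address,
                   ip_routing: bool = True) -> bool:
    """Would the box emit an ICMP redirect for this forwarding decision?"""
    if not ip_routing:                  # a host does not generate redirects
        return False
    if ingress is not egress:           # only when hairpinning on one interface
        return False
    if not same_subnet(ingress, src, next_hop):
        return False                    # next hop on a secondary subnet: no redirect
    return ingress.ip_redirects         # cleared by `no ip redirects`


def honours_received_redirect(ip_routing: bool, ip_redirects: bool) -> bool:
    """Received redirects only matter on a host (no ip routing). The
    ip_redirects flag is accepted but deliberately ignored, matching the lab
    observation that `no ip redirects` does not suppress incoming ones."""
    return not ip_routing


def demo() -> dict:
    """Trace the cases discussed in the thread on invented interfaces."""
    vlan10 = L3Interface("Vlan10", IPv4Interface("10.10.0.1/24"),
                         (IPv4Interface("10.10.1.1/24"),))   # one secondary subnet
    hardened = L3Interface("Vlan20", IPv4Interface("10.20.0.1/24"),
                           ip_redirects=False)               # `no ip redirects`
    host = IPv4Address("10.10.0.50")
    return {
        "alt gateway on primary subnet":
            sends_redirect(vlan10, vlan10, host, IPv4Address("10.10.0.254")),
        "alt gateway on secondary subnet":
            sends_redirect(vlan10, vlan10, host, IPv4Address("10.10.1.254")),
        "after no ip redirects":
            sends_redirect(hardened, hardened, IPv4Address("10.20.0.9"),
                           IPv4Address("10.20.0.254")),
        "router honours received redirect": honours_received_redirect(True, True),
        "host honours redirect despite no ip redirects":
            honours_received_redirect(False, False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

For the CPU problem in the thread, the model points at the two knobs that actually matter on the 3750X: `no ip redirects` on the SVI stops the switch generating the messages that fill the ICMP queue, while the host-side behaviour is untouched because a routing switch never consumes redirects in the first place.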
JEditorPane and JTextPane,which one should I choose?
I want to develop a Java IDE. Could anybody kindly give me suggestions on which component I should choose to use for the editor of the IDE? Why? And what is the difference between "StyledDocument" and "PlainDocument"?
thanks so much!!!!
I'm not going to give you the answer; rather, I'll direct you to read Vorobiev's SWING book. Lots of good examples.
Good luck. -
Which services should be moved to a new SharePoint Enterprise Application server?
Our farm is currently a WFE and a SQL server. I've been tasked with creating a new SP Enterprise Application/Search server.
Which services should be moved? This is what's currently listed in Services on Server:
Access Database Service Started Stop
Application Registry Service Started Stop
Business Data Connectivity Service Started Stop
Central Administration Started Stop
Claims to Windows Token Service Started Stop
Document Conversions Launcher Service Stopped Start
Document Conversions Load Balancer Service Stopped Start
Excel Calculation Services Started Stop
Lotus Notes Connector Stopped Start
Managed Metadata Web Service Started Stop
Microsoft SharePoint Foundation Incoming E-Mail Started Stop
Microsoft SharePoint Foundation Sandboxed Code Service Stopped Start
Microsoft SharePoint Foundation Subscription Settings Service Stopped Start
Microsoft SharePoint Foundation Web Application Started Stop
Microsoft SharePoint Foundation Workflow Timer Service Started Stop
PerformancePoint Service Started Stop
Search Query and Site Settings Service Started Stop
Secure Store Service Started Stop
SharePoint Foundation Search Stopped Start
SharePoint Server Search Started Stop
User Profile Service Started Stop
User Profile Synchronization Service Started Stop
Visio Graphics Service Started Stop
Web Analytics Data Processing Service Started Stop
Web Analytics Web Service Started Stop
Word Automation Services Started Stop
Take a look at http://www.microsoft.com/en-us/download/details.aspx?id=37000. It should help you decide where it is most appropriate to locate services.
Trevor Seward -
Sharepoint 2013 - Which Server Should Run Microsoft SharePoint Foundation Sandboxed Code Service
We have just deployed Sharepoint 2013 and also CRM 2011..
Our Sharepoint 2013 Environment has a WFE and an APP server and we have a CRM 2011 box.
We have been getting the following error in IE when Users in CRM are clicking on the Document Link under accounts which links to Sharepoint 2013
"This Content cannot be displayed in a frame
To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame."
It seems like it is a IE Security Issue, but I am suspecting it could be the Microsoft SharePoint Foundation Sandboxed Code Service.
Which server should be running the Microsoft SharePoint Foundation Sandboxed Code Service| WFE or APP.
Also which server should run the Windows Service: SharePoint User Code Host
Thank you in advance.
Hi,
Please have a look at the following post:
http://technet.microsoft.com/en-us/library/jj219591.aspx
As it describes, the recommendation is to start both services on the Web Front End servers.
Cheers,
Vincent -
Multiple Apple ID's, which one should be main iCloud ID on iOS 5?
Hey! Seems like iCloud is a bit more complex to setup than I had thought it would be. Here's the situation. I have two Apple ID's. One is my @me.com account that I just migrated to iCloud. Second Apple ID is an @gmail.com account that I use for all of my iTunes purchases (also migrated to iCloud. I know you can have multiple Apple ID's setup in iOS (by means of "Mail, Contacts, Calenders"), but there is only room for one account under the "iCloud" tab/setting under iOS settings. Which one should be used here? My @me.com, or the one I use for iTunes purchases? ...or does it even matter? Just want to set everything up optimally from the start so I don't have to go back later and correct something.
Thanks all for your assistance!
Try here > Apple IDs and iCloud
-
Consider the following html code where I open a textarea and include a comment tag within the textarea. Within the comment tag (which Firefox 4 should ignore) I've included a close textarea tag. Firefox 4 (unlike FF3 and IE) closes the textarea.
The following code is also available at
http://www.cems.uwe.ac.uk/caa/ffbug/index.html
We are about to start a textarea....<p>
<textarea rows='20' cols='40'>
Here is the textarea.
Inside these comment blocks I'll put a close textarea tag which Firefox should ignore but does not.
<p>
<!--
We are now inside comment blocks...
<br>
This code should be inside the text area.<br>
</textarea>
<br>
and so should this code be <b>inside</b> the text area (but is not in Firefox 4).
-->
</textarea>
<p>
This code should be outside the textbox.
Try posting at the Web Development / Standards Evangelism forum at MozillaZine. The helpers over there are more knowledgeable about web page development issues with Firefox.
http://forums.mozillazine.org/viewforum.php?f=25
You'll need to register and login to be able to post in that forum.