A simple (I think) - compensation access list hitcounts

How can I clear counters hitcnt for access lists? Also a reload...

These hitcounts (as in "show access-list"):

access list to the INSIDE of the line 1 permit ip 10.100.10.0 255.255.255.0 host CrazyLarry (hitcnt = 107575)<>

Thank you.

This gives a shot:

access-list aclname Clear counters

Scott

Tags: Cisco Security

Similar Questions

Simple Question SSH Access-List

I am allowing SSH access for all of our Cisco devices and you want to restrict access to all the following ip addresses: 192.168.200.1 - 192.168.200.50. I forgot the exact configuration of access list to achieve this. The subnet is 24 and I don't want the whole subnet - seulement.1-. 50.

Thank you

Thomas Reiling

Hello

If you use ssh, make sure that you have a domain name, host name and a rsa key is generated. Assuing you have done this, the command vty ACL and following line will do the trick. Note that the host 1-50 list is not on a subnet barrier.

To get it exactly

access-list 1 remark MANAGEMENT ALLOW
access-list 1 permit 192.168.200.0 0.0.0.31

access-list 1 permit 192.168.200.32 0.0.0.15

access-list 1 permit 192.168.200.48 0.0.0.1

host access-list 1 192.168.200.50

access-list 1 refuse any newspaper

It would be a good idea to put it on a limit, however, so the following would be much simpler and easier to read.

access-list 1 remark MANAGEMENT ALLOW
access-list 1 permit 192.168.200.0 0.0.0.63

access-list 1 refuse any newspaper

Apply the class of access on the vty lines and authentication, I would put something there too.

line vty 0 4
access-class 1
entry ssh transport

password Bonneau

That should do it.

Good luck!

Brad

Hitcnt of compensation on an access list

I've searched and can't seem to find a way to clean the hitcnt on an access list other than the deletion and restoration of the access list. Does anyone know how to do this?

Thank you

J

Allow Access-list ip x.x.x.x 255.255.255.240 sheep a (hitcnt = 72408)

6.1 (4) code and most importantly you can use:

> sheep counters clear access-list

In the pre - 6.1 code (4) you must remove and re-add the ACL in.

Ipv6 access list does not apply autonomous Aironet 3602I-E

As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

interface Dot11Radio0.2
guest_ingress6 filter IPv6 traffic in
guest_egress6 filter IPv6 traffic on

and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
etc.

In addition, when creating a list like this ipv6 access:

guest_egress6 IPv6 access list
refuse an entire ipv6

The other is automatically created:

IPv6-guest_egress6 role-based access list
refuse an entire ipv6

A deletion also removes the other.

What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

Please rate helpful messages... :-)

Order of access-list syntax

Hello

I have a small question about the order in the syntax for an access list. I made my list of access work now, but I don't understand why.

It looks like this when it did not work:

(outside interface incoming traffic)

access list 100 permit tcp any any established journal

access-list 100 permit udp any any eq field journal

access list 100 permit tcp any any eq field journal

access-list 100 deny ip any any newspaper

To make this work, I had to add these two lines:

access-list 100 permit udp any eq field no matter what newspaper

access list 100 permit tcp any eq field no matter what newspaper

I do not understand the difference between

access-list 100 permit udp any eq field all

and

access-list 100 permit udp any any eq field

If you're wondering what the main goal with the list, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have a domain.

Hello

Again, I think knowing that this 100 ACL is attached to the router's WAN interface in the direction 'in '. This means that its traffic control entering your network LAN.

When we look at how DNS works now in what concerns this ACL
- DNS lookup is usually made at the port of destination UDP/53
- PC uses the random source for the DNS lookup port
- Responses from DNS server for research with source UDP/53 port
- Responses from DNS server to the computer on the port that the source PC search DNS
So naturally you'll see responses from the host source and source UDP/53 port DNS

If the ACL with the port of destination UDP/53 became all success, this would mean that you would host a DNS server and the DNS lookups were intended for your network.

Also to your other question. If you set no ports using TCP/UDP in the ACL then he accepts any source/destination port

Hope this helps

Be sure to mark it as answered in the affirmative.

-Jouni

access list for traffic crossing and IPSEC

Hi, just a question fast and easy if everything goes well as im on thinking that he. IM on the establishment of the IPSEC between a Cisco router to another Cisco router. I want to only allow RDP through IPSEC.

I of course implement the ACL for the SHEEP, but I'll have to implement another ACL application outside? interface allowing a specific RDP server and denying everything.

Thank you

David

I have extracted this router to work. I changed some details to conceal the source, but it should illustrate what you need to do.

!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
address of examplekey key crypto isakmp 2.3.4.5
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac AES256SHA
tunnel mode
!
cust_map 10 ipsec-isakmp crypto map
defined peer 2.3.4.5
game of transformation-AES256SHA
match the address crypto_acl
!
interface GigabitEthernet8
cust_map card crypto
!
crypto_acl extended IP access list
host ip 192.168.25.52 permit 172.24.0.0 0.0.7.255
!

HTH

Rick

How can I clear counters access-list on a pix firewall

How can I erase the hitcounts on an on a pix firewall access list without resetting the pix?

It would be clear access-list on a router counters.

Thanks in advance

Steve

access list counters Clear

problem of access lists

Hello, I have a problem with PIX Firewall Version 6.0 (1), the problem is:

I have a pix with interface 3 inside, outside and dmz.

IP address outside x.x.x.2 255.255.255.248

IP address inside 200.115.10.10 255.255.255.0

192.168.6.28 dmz IP address 255.255.255.0

I need to make an acl where only 3 PC inside access server installed in the demilitarized zone, with a public ip, but the LCD is not working.

Here is the ACL, but I change the IP addresses.

access-list 108 allow ip 200.115.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

pager lines 24

opening of session

interface ethernet0 car

Auto interface ethernet1

Auto interface ethernet2

Outside 1500 MTU

Within 1500 MTU

MTU 1500 dmz

IP address outside x.x.x.2 255.255.255.248

IP address inside 200.115.10.10 255.255.255.0

192.168.6.28 dmz IP address 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

172.16.1.1 - 172.16.1.254 test IP local pool

no failover

failover timeout 0:00:00

failover poll 15

failover outside 0.0.0.0 ip address

IP Failover inside 0.0.0.0

failover dmz 0.0.0.0 ip address

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

Global (dmz) 1 192.168.6.10

NAT (inside) - 0 108 access list

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

NAT (dmz) 1 0.0.0.0 0.0.0.0 0 0

(inside) alias x.x.x.5 192.168.6.30 255.255.255.255

static (inside, outside) x.x.x.6 10.10.70.1 netmask 255.255.255.255 0 0

static (inside, outside) x.x.x.4 200.115.10.16 netmask 255.255.255.255 0 0

static (dmz, external) x.x.x.5 192.168.6.30 netmask 255.255.255.255 0 0

conduct permitted tcp x.x.x.6 eq lotusnotes host everything

conduct permitted tcp 2x.x.x.4 eq www host everything

conduct permitted tcp x.x.x.4 eq lotusnotes host everything

conduct permitted tcp x.x.x.5 eq www host everything

driving allowed host tcp x.x.x.5 eq field all

allow icmp a conduit

driving allowed host tcp https eq x.x.x.5 all

conduct permitted tcp 2x.x.x.5 eq 21010 host everything

the public IP address I need to access it from the inside is x.x.x.5

Hello

The ACL you provide will always be the same when shorten you it to this:

access-list 110 deny tcp host 200.115.10.0 host x.x.x.5

Access-group 110 in the interface inside

(it wouldn't work well, because the host 200.115.10.0 * watch the zero * probably does not exist)

Assuming that your dmz has a lower securitylevel then your inside interface, you must remember that if the packages are make from the highest to the lowest level of security the PIX performs the following operations:

(1) if it is an existing stream, leave the package through

(2) if it is not an existing stream, see ACL

(3) if the ACL refuses, then drop the package, if ACL allows, leave package through

(4) if the ACL does not at all, leave the package through (since it is the high level of low security)

But I guess that this is not what you want to achieve.

I think you need something like this:

access-list 110 permit tcp host 200.115.10.40 x.x.x.5 eq www

access-list 110 permit tcp host 200.115.10.41 x.x.x.5 eq www

access-list 110 permit tcp host 200.115.10.42 x.x.x.5 eq www

access-list 110 deny ip 200.115.10.0 255.255.255.0 255.255.255.0 x.x.x.0

(assuming that you have a 24 - bit subnet on your dmz)

access ip-list 110 permit a whole

Access-group 110 in the interface inside

This will allow three internal hosts to access the server x.x.x.5 you dmz with HTTP, than anyone else on the 200.115.10.0/24 subnet to the dmz and allow traffic on all the others outside.

I hope this helps.

Kind regards

Leo

access lists

I have a question... or two... :) on access lists.

My current access list looks like the following:

access-list acl_outbound allow icmp a whole

acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 80

acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 21

acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 22

acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 8080

acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 443

acl_outbound ip access list allow a whole

access-list acl_inbound allow icmp a whole

inside_nat0_outbound 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

outside_cryptomap_9 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

1. I get no response to external IP addresses with my permit icmp echo. I have to specify what type of ICMP traffic as echo response on the end of the statement of license? I assumed not to put a specific function of what ICMP permit would allow all ICMP traffic, but I guess I was wrong.

2. also suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.

As I noticed that I had to have the ip permit any one to make it work, but am not sure exactly what is happening when I apply that statement to allow permit tcp statement work correctly.

My goals are:

allow hosts listed web traffic (including https and ftp)

allow ICMP pings pass from the inside to the outside and the response

allow VPN tunnels to establish

Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.

Dave

The question is now that you have an incomplete encryption card on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:

> card crypto outside_map 9 match address outside_cryptomap_9

to your PIX. This should get the traffic flowing again. Although passed by the hit counters your ACL, try to ping the host Bluff_Outside to test your ping? If so, then your config crypto says to encrypt all traffic as well, which probably won't work unless the Bluff is configured correctly. Better to make things as simple as possible while you are testing, then I recommend to take the crypto stuff for now with:

> no outside_map interface card crypto outside

Reading through your original post, when you access list only allowing certain protocols TCP, and you found that it did not work, was it web browsing that didn't work? If so, whether you have been reviewed by name rather than IP address, and depending on where your DNS servers, you probably also needed to enable DNS lookups via (udp port 53). MANY people forget this.

In addition, in my humble OPINION, most of the clients that I have seen that initially only allow certain outgoing protocols, eventually find it's more pain than anything like their users say "I need to use this Protocol" and "I need to use this Protocol. Just be tired if you want to go down this road without a valid reason, you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside the subnet and only your home subnet, can get out by doing:

> acl_outbound 192.168.50.0 ip access list allow 255.255.255.0 any

This limited kind of all other connections rear door inside your network by your PIX and Internet connection, but still allows all your users go out and do what they want. Oh you obviously.

PIX 525 access-list

I know it must be simple, however, I have some difficulty doing that work. I use version 5.3

I'm trying to block access to the internet at 172.16.39.X. whatever it is on this network should NOT be able to access the internet.

I use the list of access and access - group commands but I must have some syntax errors or something as there doesn't seem to be blocking access. Could someone provide a concrete syntax for this address with 255.255.255.0 subnet so I can see if perhaps I simply make a mistake in the entry. I am new to PIX so I wouldn't be really surprised.

Thank you

Dave

You can do this in several ways:

1. you can exclude this your NAT range. This will not allow this range out to the internet.

2. on your inside interface, apply this rule:

insideACL list access deny ip 172.16.39.0 255.255.255.0 any

insideACL ip access list allow a whole

I hope this helps.

ACCESS LIST QUESTIONS?

I have a hand router Cisco 871 and 5 remote sites using the Cisco 850. The tunnel comes up fine and can ping back from the 850 to the 871. However, I think that I have a problem of access list because I can't open the main database which is on the main site of any of the 5 locations nor do I get on the internet that the proxy server get no not at other sites. I can ping these remote sites, but cannot use them in fact. These rules are very different, and then the PIX.

192.168.1x

* THE REMOTE SITE

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

not run cdp

sheep allowed 10 route map

corresponds to the IP 101

192.168.0.X

HAND ROUTER

recording of debug trap

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 103 allow ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104. allow ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

not run cdp

sheep allowed 10 route map

corresponds to the IP 101

!

IP tcp mss<68-10000>

Hope this helps,

Gilbert

Access-list command not supported in the 2.2 FWSM (1)

Hi Netpros

I am facing a strange problem with one of my FWSM installed in my spare box 7609.

I have a FWSM installed in live production network, in which the caught watch access list supported and I am able to set up their place, but in the alternative box, I am unable to do so when I have? to get the command supported, it doesn't either up the access-list command.

The two boxes run upward with 2.2 (1) and on different 7609 boxes.

Basically, I want to do the CLI or the tested features up to in my box of spare before you go and implement the same on the live production network.

I have attached both the version of the show, but also the supporting documents.

Pls do not help to find where I m lack somehting here :-(.

regds

Your spare module is configured in mode 'multiple context', where you can create up to 100 logical firewall within one FWSM. In this mode, when you the meeting into the FWSM, you enter in what we call the context of the system in which all you can do is set the other contexts. In the context of the system there is no notion of the lists of access or something like that, and that's why you can't see these commands you.

You want to deliver the FWSM in unique context mode by running the command:

simple mode

Reboot and then when he comes back to the top you'll be good to go.

L2l VPN Access-list crypto-interesting

Hi everyone, I have a question.

I have ASA1 and ASA2 connected via a private cloud to intellectual property and two hosts behind each of the ASA.

The tunnel is up, and I can ping to host1, which is behind ASA1 host2 which is behind ASA2 over the VPN tunnel.

When I show crypto ipsec his on ASA2 I see

#pkts program: 451, #pkts encrypt: 451, #pkts digest: 451

#pkts decaps: 451, #pkts decrypt: 451, #pkts check: 451

and they are multiplying, each ping I have sent to host1 host2. But when I do sh cryptointeresting access-list that defines my crypto interesting traffic on ASA2 I see not growing hits with each ping I send host1 who is behind ASA1.

The question is whether I'm supposed to see crtyptointeresting access-list hits rising on ASA2, when I ping host2 to host1, which is on the other end behind ASA1 (behind ASA2).

Thank you

Hi my friend.

When you ping with the ASA2 ASA1 you won't see hitcounts in the ASA2 ACL. This happens because the number of access number to increase traffic must be defined in the ACL.

Basically when you ping ASA1 with the ASA2 traffic does not match the direction of the ACL on ASA 2 crypto (which is defined from ASA2 LAN to LAN ASA1) so it does not count as a success.

You see decrypted packets and decapsualated because the traffic corresponding to the terms previously negotiated for the VPN Tunnel, then the traffic gets encryped and sent through the tunnel.

I hope this clarifies your questions.

BTW sorry I did not get back to you on your second post NAT, I see that Varun has given you a great answer.

Have fun!

Raga

Newbie question route-map/access-list

I am quite new to the thing whole cisco here. I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)

We have a router cisco 1811 (yes I know its old)

We now have a road map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1. Our T1 uses an ASA5505 as a router. I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject. I am doing as a result. Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1. This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1. If our cable goes down, everything for the T1 (by design). We have a long list of defined access our route map - use corresponding ip. I want to change the access list to not allow local network IP addresses. I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more. So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network. I wouldn't pull the laminated cord and use the console. (I really need get a USB serial interface). Now, you understand a little more about my situation now for all numbers, etc.

Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)

PTP VPN: 192.168.116.0/24 comes and goes out our T1.

1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

ASA: 90.0.0.50

!

follow the accessibility of ALS 40 ip 40

delay the decline 90 60

!

interface Vlan1

Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$

IP 90.0.0.254 255.255.255.0

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1452

route WEBPBR card intellectual property policy

!

interface Vlan10

Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$

IP 192.168.0.254 255.255.255.0

IP nat inside

IP helper 90.0.0.2

IP virtual-reassembly

route WEBPBR card intellectual property policy

!

! Static routes

IP forward-Protocol ND

IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

IP route 0.0.0.0 0.0.0.0 197.164.245.109 200

IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

WEBTRAFFIC extended IP access list
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
refuse the host tcp 90.0.0.2 any eq www
refuse 90.0.0.14 tcp host any eq www
refuse 90.0.0.235 tcp host any eq www
refuse the host ip 192.168.0.40 everything
deny ip any host 192.168.0.40
refuse the host ip 192.168.0.41 all
deny ip any host 192.168.0.41
deny ip any host 192.168.0.221
refuse the host ip 192.168.0.221 all
refuse the host ip 192.168.0.225 all
refuse 90.0.0.10 tcp host any eq www
deny ip any host 192.168.0.225
refuse 90.0.0.11 tcp host any eq www
refuse 90.0.0.9 tcp host any eq www
refuse 90.0.0.8 tcp host any eq www
refuse 90.0.0.7 tcp host any eq www
refuse 90.0.0.6 tcp host any eq www
refuse the 90.0.0.1 tcp host any eq www
refuse 90.0.0.13 tcp host any eq www
refuse 90.0.0.200 tcp host any eq www
permit tcp any any eq www
allow the host ip 192.168.0.131 one
allow the host ip 192.168.0.130 one
allow the host ip 192.168.0.132 one
allow the host ip 192.168.0.133 one
allow the host ip 192.168.0.134 one
allow the host ip 192.168.0.135 one
allow the host ip 192.168.0.136 one
allow the host ip 192.168.0.137 one
allow the host ip 192.168.0.138 one
allow the host ip 192.168.0.139 one
allow the host ip 192.168.0.140 one
allow the host ip 192.168.0.141 one
allow the host ip 192.168.0.142 one
allow the host ip 192.168.0.143 one
allow the host ip 192.168.0.144 a
allow the host ip 192.168.0.145 one
allow the host ip 192.168.0.146 one
allow the host ip 192.168.0.147 one
allow the host ip 192.168.0.148 one
allow the host ip 192.168.0.149 one
allow the host ip 192.168.0.150 one
allow the host ip 90.0.0.80 one
allow the host ip 90.0.0.81 one
allow the host ip 90.0.0.82 one
allow the host ip 90.0.0.83 one
allow the host ip 90.0.0.84 one
allow the host ip 90.0.0.85 one
allow the host ip 90.0.0.86 one
allow the host ip 90.0.0.87 one
allow the host ip 90.0.0.88 one
allow the host ip 90.0.0.89 one
allow the host ip 90.0.0.90 one
allow the host ip 90.0.0.91 one
allow the host ip 90.0.0.92 one
allow the host ip 90.0.0.93 one
allow the host ip 90.0.0.94 one
allow the host ip 90.0.0.95 one
refuse the host tcp 90.0.0.3 any eq www

ALS IP 40

208.67.220.220 ICMP echo source interface Vlan1

Timeout 6000

frequency 20

ALS annex IP 40 life never start-time now

allowed WEBPBR 2 route map

corresponds to the IP WEBTRAFFIC

set ip next-hop to check the availability of the 197.164.245.109 1 track 40

That is how we have it set up right now. If I put in a few lines above WEBTRAFFIC with:

deny ip any 192.168.0.0 0.0.0.255

deny ip any 90.0.0.0 0.0.0.255

deny ip any 192.168.116.0 0.0.0.255

! Etc with all internal networks

* And then put at the bottom:

allow an ip

who will ALL break so we can not communicate with anything? Or is that what I did to do this, we get internal routing etc.? Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well? (We have public IPS 14 (one for the T1 gateway) that would go as well?) I don't want to try to put in those at the top and make sure no one can do anything. I hope I made clear what I'm doing...

Post edited by: Ryan Young

I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.

HTH

Rick

Access list ASA Error | ERROR: % incomplete command

Hi all

I am trying to enter the following rule but I get an error message, I have a similar rule already inside the firewall, so I don't get really what is the problem and how to go about troubleshooting. Can anyone help?

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https Journal

(network-config) # access - list extended acl_inside permitted object-group$

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
255.192.0 log https eq
^
ERROR: % name host not valid

SAME THING WITHOUT JOURNAL

(network-config) # access - list extended acl_inside permitted object-group$

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
255.192.0 eq https
ERROR: % incomplete command

SAME STUPID MISTAKE,

THE SIMILAR RULE;

# ACCess-list HS | I have 132.235.192.0
permit for line acl_inside of access list extended 2767 tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

???????

I'm not sure that this ensures a case of cisco?

FW100ABCx (config) # 16-09-08F object-group network
FW100ABCx(config-Network) # host network-object 172.191.235.136
Add items (host to network-object 172.191.235.136) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.191.235.135
Add items (host to network-object 172.191.235.135) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.191.235.134
Add items (host to network-object 172.191.235.134) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.52.134.76
Add items (host to network-object 172.52.134.76) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) #.
FW100ABCx(config-Network) # acl_inside of access allowed object-group list $

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
ERROR: % incomplete command

Hello Hassan.

You're missing the key word of Protocol (tcp/udp)
Try this:

the object-group 16-09-08F network
host of the object-Network 172.191.235.136

acl_inside list extended access permitted tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

Concerning
Dinesh Moudgil

PS Please rate helpful messages.

A simple (I think) - compensation access list hitcounts

Similar Questions

Maybe you are looking for