Access list for a single host 6248

Hello

I'm trying to setp an ACL on a powerconnect 6248 switch that allows traffic from certain hosts on a VIRTUAL LAN to another VIRTUAL local network.  I tried the setting up of an ACL to do this, but it does not work.  What would be the correct syntac for an ACL allow traffic to a certain vlan only to certain hosts?

Please advise, ideas or recommendations would be greatly appreciated.

Thank you

Marlon

Advertisement


Tags: Dell Switches

Similar Questions

  • Need help using the access list blocking a single IP address

    Basically, I'm being attacked by a massive spammer. I managed to deny him access to our mail server, however, his repeated attempts to connect to the same server is in our file of e-mail magazine. What I want to do is set up a block for its specific IP address in our 2621 router. I tried a few different combinations using access-list, but nothing helped. Can anyone suggest something? Thank you!

    Joe

    Joe,

    If you know that the attack came from a particular ip address, you can create an extended access list and deny that IP.

    access-list 101 deny ip host host of attacker_ip_address e-mail_server_ip

    If the source ip address is random then you must put a sniffer or take a look in the syslog to see if there are any model ID as a string. You can then configure NBAR on the router to mark the package and then drop the packets.

    Here is a link that explains the procedure:

    http://www.Cisco.com/en/us/NetSol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8ad.shtml

    Thank you

    Renault

  • access list for traffic crossing and IPSEC

    Hi, just a question fast and easy if everything goes well as im on thinking that he. IM on the establishment of the IPSEC between a Cisco router to another Cisco router. I want to only allow RDP through IPSEC.

    I of course implement the ACL for the SHEEP, but I'll have to implement another ACL application outside? interface allowing a specific RDP server and denying everything.

    Thank you

    David

    I have extracted this router to work. I changed some details to conceal the source, but it should illustrate what you need to do.

    !
    crypto ISAKMP policy 1
    BA aes 256
    preshared authentication
    Group 2
    address of examplekey key crypto isakmp 2.3.4.5
    !
    !
    Crypto ipsec transform-set esp - aes 256 esp-sha-hmac AES256SHA
    tunnel mode
    !
    cust_map 10 ipsec-isakmp crypto map
    defined peer 2.3.4.5
    game of transformation-AES256SHA
    match the address crypto_acl
    !
    interface GigabitEthernet8
    cust_map card crypto
    !
    crypto_acl extended IP access list
    host ip 192.168.25.52 permit 172.24.0.0 0.0.7.255
    !

    HTH

    Rick

  • Different 'outside_cryptomap access-list"for each VPN?

    Hello

    Just for my understanding.

    I have a VPN connected to my Cisco ASA 5520 when I tried to add an another VPN, the I must create a 2nd cryptomap, can I not create a group so there is only one card encryption?

    Currently I have:

    access-list 1 permit line outside_cryptomap_1 extended ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

    I just added outside_cryptomap_2 line access-list 1 permit extended ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0

    But I was wondering if I could use something like:

    access-list 1 permit line outside_mycryptomap extended ip 0.0.0.0 0.0.0.0 VPN_Remote_Networks object-group

    When I do this, but I guess that this will cause a problem with the address in hand?

    You must use different access-list in cryptomap for each VPN.

  • Question of access list for Cisco 1710 performing the 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

    For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

    My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

    Any input or assistance would be greatly appreciated.

    Map Test 11 ipsec-isakmp crypto

    ..

    match address 120

    Interface Ethernet0

    ..

    card crypto Test

    IP nat inside source overload map route sheep interface Ethernet0

    access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 allow ip 192.168.100.0 0.0.0.255 any

    sheep allowed 10 route map

    corresponds to the IP 130

    He would go through the interface e0 to the Internet in clear text without going above the tunnel

    Jean Marc

  • A global Access List for possible VPN3005?

    Hello

    I want to what the VPN users and LAN-to-LAN-profiles are allowed to.

    for example. to block the RPC (tcp135) ports for all traffic from any profile

    Is this possible?

    Kind regards

    Chris

    You can create this filter in one place and then just apply it to each group of users and each configuration of tunnel L2L.

    Go to Config - Mgmt policy - traffic Mgmt - rules, add an inbound rule, drop, Protocol = TCP, Source and Dest everything (leave them as what), range from 135 to 135 TCP DEst ports.

    Go to config - Mgmt - traffic Mgmt - political filters, add a filter whose default action is to transfer, and then add the rule that you just created to this filter.

    Now, you can apply to all users by going under the Group and on the tab general and addition of th efilter in there. You can also go into the tunnel L2L config and add the filter to the tunnel directly.

    Note that you want to test this first, I didn't do all the tests and perhaps the source/dest or inbound/outbound in the wrong way or something like that.

  • Help me to limit my access list order please?

    Hello

    I am trying to configure my clients 506th PIX so that I can RDP on their server.

    Currently, it looks like this and works, but anyone on the internet can get:

    list acl_out permit access tcp any host 66.252.xxx.xxx eq 3389

    Can someone tell me please the order to restrict it so that only my network connections are allowed through.

    I tried the following, but it didn't work:

    list acl_out permit tcp host (the ip address of my router external interface) access 66.252.xxx.xxx eq 3389

    Assume that my external routers address is 192.168.1.25 for illustrations sake.

    Thank you

    Hello

    access-list acl_out permit tcp host 66.252.xxx.xxx eq 3389

    where srcipnetwork is the network that you connect to all _from_, not your router. If you don't log in from a single IP address, you can use the host keyword in front of srcipnetwork instead of setting the mask subsequently.

    Best regards

    / M

  • card crypto access lists / problem if more than one entry?

    Access list for IPSec enabled traffic.

    I've been recently setting up a VPN between two sites and I came across the following problem:

    I wanted to install a VPN that only 2 posts from site A to site B, a class C network

    So I created a list of access as follows:

    access-list 101 permit IP 192.168.0.1 host 192.168.1.0 0.0.0.255

    access-list 101 permit IP 192.168.0.2 host 192.168.1.0 0.0.0.255

    When I applied the access list above to map (match address 101) encryption, I quickly realized that only the first host (192.168.0.1) was successfully encrypted beeing while the other could not. I've been geeting on ipsec debugging errors saying that traffic to 192.168.0.2 denyed by the access list.

    When I changed the access list above with the following

    access-list 101 permit IP 192.168.0.1 0.0.0.255 192.168.1.0 0.0.0.255

    two items of work could successfully encrypted through IPSec tunnel.

    To look further into it, I realized that only the first entry of the IPsec access list has been really tested for the corresponding traffic!

    Is this a normal behavior or a known Bug? No work around for this problem?

    Kind regards.

    If you have ipsec-manual crypto map in crypto ACL, you can specify that an ACE. Check 12.2 docs:

    Access lists for labelled as ipsec-manual crypto map entries are limited to a single permit entry and the following entries are ignored. In other words, the security associations established by this particular entry card crypto are only for a single data stream. To be able to support several manually created security for different types of traffic associations, define multiple crypto access lists and then apply each a separate entrance card crypto ipsec-manual. Each access list should include a statement to define which traffic to protect.

  • bug in iOS? startup-config + command access-list + an invalid entry detected

    I posted this yesterday in the newsgroup usenet comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

    Cisco 827

    IOS (TM) C820 software (C820-K9OSY6-M), Version 12.2 (8) T5, RELEASE

    SOFTWARE (fc1)

    I'm looking to use a host named in a more extended access list. The

    script I copy startup-config contains the following entries:

    ! the 2 following lines appear at the top of the script

    123.123.123.123 IP name-server 123.123.123.124

    IP domain-lookup

    ! the following line appears at the bottom of the script

    120 allow host passports - 01.mx.aol.com one ip access-list

    When I reboot the router, I saw the following message:

    Translation of "passports - 01.mx.aol.com"... the domain server (255.255.255.255)

    120 allow host passports - 01.mx.aol.com one ip access-list

    ^

    Invalid entry % detected at ' ^' marker.

    It seems as if the entrance to the server name of the router is not processed

    prior to the access list. I can not even check with

    router02 access lists 120 #sh

    makes the access list entry * not * exist.

    But when I manually type the entry in the router I see the

    Next:

    router02 (config) #access - list 120 permits Passport - 01.mx.aol.com ip host

    any

    Translation of "passports - 01.mx.aol.com"... the domain server (123.123.123.123)

    [OK]

    and I can confirm its creation:

    router02 access lists 120 #sh

    Extend the 120 IP access list

    allow the host ip 64.12.137.89 one

    I have to do something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same label/common sense if apply here as apply to newsgroups usenet. i.e. post us actual ip addresses in our configs or must they be edited?)

    Any help is very appreciated.

    Hello

    Currently IOS does not use DNS - names in the ACL for the saved configuration / running.

    When you type in a list of access with a domain name we he looks up and replaces it with the IP address. I remember seeing a bug No. recently request this feature but I don't remember one bug id # now.

    Router (config) #access - list 187 ip allow any host www.cisco.com

    Router (config) #^ Z

    router #show run | 187 Inc

    IP access-list 187 allow any host 198.133.219.25

    router #show worm | split 12

    IOS (TM) C800 Software (C800-K9NOSY6-MW), Version 12.2 (13) T, RELEASE

  • A possible bug related to the Cisco ASA "show access-list"?

    We had a strange problem in our configuration of ASA.

    In the "show running-config:

    Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

    Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

    Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

    access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

    access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

    access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

    access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

    access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

    inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

    inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

    inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

    inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

    Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

    inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

    inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

    Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

    inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

    Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

    Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

    Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

    access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

    Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

    Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

    inside_access_in list extended access permitted ip object windowsusageVM any newspaper

    inside_access_in list of allowed ip extended access any object testCSM

    inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

    Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

    inside_access_in list extended access permit ip host 172.31.254.2 any log

    Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

    inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

    In the "show access-list":

    access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

    access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

    Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

    4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

    line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

    line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

    line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

    line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

    allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

    allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

    allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

    allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

    allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

    allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

    access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

    allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

    allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

    allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

    allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

    access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

    allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

    allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

    access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

    permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

    access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

    permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

    allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

    access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

    25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

    allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

    permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

    access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

    allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

    allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

    allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

    allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

    permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

    access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

    allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

    access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

    allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

    There is a comment in the running configuration: (line 26)

    Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

    Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

    Thanks in advance.

    See the version:

    Cisco Adaptive Security Appliance Software Version 4,0000 1

    Version 7.1 Device Manager (3)

    Updated Friday, June 14, 12 and 11:20 by manufacturers

    System image file is "disk0: / asa844-1 - k8.bin.

    The configuration file to the startup was "startup-config '.

    fmciscoasa up to 1 hour 56 minutes

    Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

    Internal ATA Compact Flash, 128 MB

    BIOS Flash M50FW016 @ 0xfff00000, 2048KB

    Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

    Start firmware: CN1000-MC-BOOT - 2.00

    SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

    Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

    Number of Accelerators: 1

    Could be linked to the following bug:

    CSCtq12090: ACL note line is missing when the object range is set to ACL

    The 8.4 fixed (6), so update to a newer version and observe again.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Effect of the access lists on free access of high to low by default

    I'll implement access rules list on PIX525 (V6.3) with several DMZ, but want to minimize the rules.

    Scenario - 3 interfaces (inside (secuity100, average security50 outside Security0)

    To allow hosts on the way to reach the inside I create an access list applied to a central interface. However, will be an implicit (or explicit) deny at the end of the access list prevents the intermediate hosts with default value to open access to the lower security outside the interface?

    Thank you

    Mick

    Level of security and access lists:

    To grant access of lower to higher level, you need to an access list and a static.

    Equal to equal level cannot talk to each other.

    Higher level of security can talk to lower levels, if there is no access on this interface list and the NAT is configured correctly.

    ACL will add at the end a "deny ip any any" after a statement of license. So getting back to your question: If you allow a DMZ host to connect internal host on a specific port that all other connections are blocked. You must specify all the tarffic in this access list otherwise they will be blocked.

    The only exception is the traffic may be from other interface access lists to the demilitarized zone, answers etc. For example, you are allowing port 80 to a dmz host outside this traffic will not be verified again by the dmz access list.

    sincerely

    Patrick

  • What is the command to access management for

    could someone explain pls what is the exact purpose of the access management command.

    Assane

    1. it is not feasible to Telnet for the pix outside interface under any circumstance, you can just telnet to the inside interface with the command 'management-access' on the remote vpn access.

    2 Yes, the command 'telnet on the inside' is needed on top of the command "access management". as a general rule, no acl only if necessary.

    3. "but is it possible to have a client who cannot have access to the administration of the Interior. assuming that you are referring to restrict access remote vpn for the pix inside interface. with v6.x, connection vpn can be restricted by an incoming acl assuming that the command "sysopt connection permit-ipsec" is disabled.

    for example

    No ipsec sysopt connection permit

    access-list 111 permit tcp host eq 23

    allow IP access-list 111

    allow IP access-list 111

    Access-group 111 in external interface

    the first entry is used to restrict remote access vpn Telnet for pix inside interface only; the second entry is used to allow another group of remote user in order to get full access with remote vpn access. and the third section is used to allow a lan - lan vpn for a branch.

  • access-list [line-num]

    Too often, I see in the access list statement, there is a line number set to 1, like this:

    permit access-list id_test 1...

    Desc the doc said: "The line number to insert a note or an access control element (ACE)."

    I can understand his 'writing' but never 'really' understand. :)

    Someone could it explain by giving an example?

    Thank you for helping.

    Scott

    PIX (config) # access-list id_test sh

    id_test list of access; 5 elements

    id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)

    id_test of access list row 2 allow accord any host 2.2.2.2 (hitcnt = 0)

    id_test of access list row 3 will allow any host 3.3.3.3 (hitcnt = 0)

    line 4 of the id_test of access list allow accord any host 4.4.4.4 (hitcnt = 0)

    access list id_test line 5 will allow any host 5.5.5.5 (hitcnt = 0)

    PIX (config) # access - list id_test line 2 Note Hello

    PIX (config) # access-list id_test sh

    id_test list of access; 5 elements

    id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)

    Hello from note access-list id_test line 2

    id_test of access list row 3 will allow any host 2.2.2.2 (hitcnt = 0)

    line 4 of the id_test of access list allow accord any host 3.3.3.3 (hitcnt = 0)

    access list id_test line 5 will allow any host 4.4.4.4 (hitcnt = 0)

    id_test of access list line 6 will allow any host 5.5.5.5 (hitcnt = 0)

    allowed for pix (config) # access - list id_test line 1 icmp any host 1.1.1.1

    PIX (config) # access-list id_test sh

    id_test list of access; 6 items

    allowed to Access-list id_test line 1 icmp any host 1.1.1.1 (hitcnt = 0)

    id_test of access list row 2 allow accord any host 1.1.1.1 (hitcnt = 0)

    Note access-list id_test line 3 Hello

    line 4 of the id_test of access list allow accord any host 2.2.2.2 (hitcnt = 0)

    access list id_test line 5 will allow any host 3.3.3.3 (hitcnt = 0)

    id_test of access list line 6 will allow any host 4.4.4.4 (hitcnt = 0)

    access list id_test line 7 will allow any host 5.5.5.5 (hitcnt = 0)

    TRIS-NOC-FW1 (config) #.

    the golden rule of the acl, is that it works in order, from top to bottom. with the line number, you can precisely insert the new entry of acl or note everywhere where you want.

    for example, imagine you have a 200-entry acl, and now you want to allow one host before the other refuse registration. of course you don't want to interrupt the network by UN-apply and reapply the entire acl. in this case, the line number to save life.

  • Newbie question route-map/access-list

    I am quite new to the thing whole cisco here.  I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)

    We have a router cisco 1811 (yes I know its old)

    We now have a road map and I'm trying to understand it to make it work the way we want.  Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1.  Our T1 uses an ASA5505 as a router.  I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject.  I am doing as a result.  Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1.  This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1.   If our cable goes down, everything for the T1 (by design).  We have a long list of defined access our route map - use corresponding ip.  I want to change the access list to not allow local network IP addresses.  I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more.  So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network.  I wouldn't pull the laminated cord and use the console.  (I really need get a USB serial interface).  Now, you understand a little more about my situation now for all numbers, etc.

    Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)

    PTP VPN: 192.168.116.0/24 comes and goes out our T1.

    1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

    ASA: 90.0.0.50

    !

    follow the accessibility of ALS 40 ip 40

    delay the decline 90 60

    !

    interface Vlan1

    Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$

    IP 90.0.0.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    IP tcp adjust-mss 1452

    route WEBPBR card intellectual property policy

    !

    interface Vlan10

    Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$

    IP 192.168.0.254 255.255.255.0

    IP nat inside

    IP helper 90.0.0.2

    IP virtual-reassembly

    route WEBPBR card intellectual property policy

    !

    ! Static routes

    IP forward-Protocol ND

    IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

    IP route 0.0.0.0 0.0.0.0 197.164.245.109 200

    IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

    IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

    IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

    IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

    WEBTRAFFIC extended IP access list
    deny ip any host 208.67.222.222
    deny ip any 172.20.0.0 0.0.255.255
    refuse the host tcp 90.0.0.2 any eq www
    refuse 90.0.0.14 tcp host any eq www
    refuse 90.0.0.235 tcp host any eq www
    refuse the host ip 192.168.0.40 everything
    deny ip any host 192.168.0.40
    refuse the host ip 192.168.0.41 all
    deny ip any host 192.168.0.41
    deny ip any host 192.168.0.221
    refuse the host ip 192.168.0.221 all
    refuse the host ip 192.168.0.225 all
    refuse 90.0.0.10 tcp host any eq www
    deny ip any host 192.168.0.225
    refuse 90.0.0.11 tcp host any eq www
    refuse 90.0.0.9 tcp host any eq www
    refuse 90.0.0.8 tcp host any eq www
    refuse 90.0.0.7 tcp host any eq www
    refuse 90.0.0.6 tcp host any eq www
    refuse the 90.0.0.1 tcp host any eq www
    refuse 90.0.0.13 tcp host any eq www
    refuse 90.0.0.200 tcp host any eq www
    permit tcp any any eq www
    allow the host ip 192.168.0.131 one
    allow the host ip 192.168.0.130 one
    allow the host ip 192.168.0.132 one
    allow the host ip 192.168.0.133 one
    allow the host ip 192.168.0.134 one
    allow the host ip 192.168.0.135 one
    allow the host ip 192.168.0.136 one
    allow the host ip 192.168.0.137 one
    allow the host ip 192.168.0.138 one
    allow the host ip 192.168.0.139 one
    allow the host ip 192.168.0.140 one
    allow the host ip 192.168.0.141 one
    allow the host ip 192.168.0.142 one
    allow the host ip 192.168.0.143 one
    allow the host ip 192.168.0.144 a
    allow the host ip 192.168.0.145 one
    allow the host ip 192.168.0.146 one
    allow the host ip 192.168.0.147 one
    allow the host ip 192.168.0.148 one
    allow the host ip 192.168.0.149 one
    allow the host ip 192.168.0.150 one
    allow the host ip 90.0.0.80 one
    allow the host ip 90.0.0.81 one
    allow the host ip 90.0.0.82 one
    allow the host ip 90.0.0.83 one
    allow the host ip 90.0.0.84 one
    allow the host ip 90.0.0.85 one
    allow the host ip 90.0.0.86 one
    allow the host ip 90.0.0.87 one
    allow the host ip 90.0.0.88 one
    allow the host ip 90.0.0.89 one
    allow the host ip 90.0.0.90 one
    allow the host ip 90.0.0.91 one
    allow the host ip 90.0.0.92 one
    allow the host ip 90.0.0.93 one
    allow the host ip 90.0.0.94 one
    allow the host ip 90.0.0.95 one
    refuse the host tcp 90.0.0.3 any eq www

    ALS IP 40

    208.67.220.220 ICMP echo source interface Vlan1

    Timeout 6000

    frequency 20

    ALS annex IP 40 life never start-time now

    allowed WEBPBR 2 route map

    corresponds to the IP WEBTRAFFIC

    set ip next-hop to check the availability of the 197.164.245.109 1 track 40

    That is how we have it set up right now.  If I put in a few lines above WEBTRAFFIC with:

    deny ip any 192.168.0.0 0.0.0.255

    deny ip any 90.0.0.0 0.0.0.255

    deny ip any 192.168.116.0 0.0.0.255

    !  Etc with all internal networks

    * And then put at the bottom:

    allow an ip

    who will ALL break so we can not communicate with anything?  Or is that what I did to do this, we get internal routing etc.?  Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well?  (We have public IPS 14 (one for the T1 gateway) that would go as well?)  I don't want to try to put in those at the top and make sure no one can do anything.  I hope I made clear what I'm doing...

    Post edited by: Ryan Young

    I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.

    HTH

    Rick

  • Cisco 837 and access list

    Hi all

    Sorry if my question sounds stupid, but I had a lot of problems with the syntax of the access list, especially to remove a line in an access list, for example:

    Here is my list of access

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

    If I want to delete only this line

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    I do not know how, I if do:

    no access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    all the access-list 120 is removed!

    Help, please!

    Olivier

    Hi, this is the usual behavior, if you delete the access list of the entire statement with sequence number is deleted.

    You can create a named extended access-list and have the sequence number for each statements.

    !

    Standard IP access list note

    permit 172.10.0.0 0.0.255.255

    10.1.1.0 permit 0.0.0.255

    permit 192.168.1.0 0.0.0.255

    deny all

    !

    and if you want to delete something in between, or any particular line, you can run the command like this that will remove this line instead of the entire ACL itself...

    Standard note of access-list (config) #ip

    (config-std-nacl) #no 3

    This configuration lines will remove the third line only (which is to allow the 192.168.1.0 0.0.0.255, leaving the other statements)

    regds

Maybe you are looking for

  • MyRIO_problem have to deploy every time that the device is not

    HelloI just want to ask u MyRIO. After that I deployed MyRIO program. I can run.Went however that I power off the power supply and that the former program cannot run. I have to deploy the program again. So, how to run the program without deploying th

  • Sleeve for 17 "predator?

    Anyone need and found a sleeve (not a laptop bag) which corresponds to the 17 predator?  I checked the dimensions of many sleeves, I found on Amazon, and none seems not to work in all dimensions.

  • Google chrome runs multiple threads in taskbar when chrome is not yet installed

    I use a Dell Inspiron 620 with processor I5-2320, 64-bit windows 7 Home premium.  In the taskbar, Image name rmsfwylmn.exe * 32 with a google chrome description and it is causing the CPU run high.  I do have google chrome installed on this machine. 

  • Function keys on the keyboard does not

    Original title: Volume on Asus X54H Windows 8 Upgrade key Hello I had a laptop Asus X54H Windows 7. Then I downloaded Windows 8 on it, that I love, and now I can't use shortcuts. Usually, I would conclude function, then I would press f10 for mute, f1

  • ORA-01489: result of concatenating string is too long

    Hola a todos, Necesito ayuda, estoy creando UN a plano cual tiene el archivo a linea of 11500 characters largo, pero al building the question me envia el error (ORA-01489) descrito, alguien sabe como avoid than aparezca este error, the idea are what