ACCESS LIST QUESTIONS?

I have a main router, a Cisco 871, and 5 remote sites using Cisco 850s. The tunnel comes up fine and I can ping back from the 850 to the 871. However, I think I have an access-list problem, because from none of the 5 locations can I open the main database, which is on the main site, nor get on the internet, as the proxy server is not reachable from the other sites. I can ping these remote sites, but cannot actually use them. These rules are very different from the PIX.

192.168.1.x

* THE REMOTE SITE

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

no cdp run

route-map sheep permit 10

match ip address 101

192.168.0.x

MAIN ROUTER

logging trap debugging

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

no cdp run

route-map sheep permit 10

match ip address 101

!

ip tcp mss <68-10000>

Hope this helps,

Gilbert
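As an added example (not from the post), here is a small Python model of the main router's configuration above: which crypto ACL a packet hits, whether route-map sheep will NAT it (a route-map used for NAT translates only what ACL 101 permits, so the deny lines are what keep VPN traffic un-translated), and a check that a spoke's crypto ACL mirrors the hub's. ACL contents come from the post; the packet addresses are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# (action, src, src_wildcard, dst, dst_wildcard) of one "access-list N ... ip" line
Entry = Tuple[str, str, str, str, str]

def wc_match(ip: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (i & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def acl_action(acl: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wc_match(src, s, swc) and wc_match(dst, d, dwc):
            return action
    return "deny"

# Main router (871) ACLs as posted: one crypto ACL per spoke, and ACL 101
# behind "route-map sheep permit 10 / match ip address 101" for NAT.
HUB_CRYPTO = {
    100: [("permit", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")],
    102: [("permit", "192.168.0.0", "0.0.0.255", "192.168.6.0", "0.0.0.255")],
    103: [("permit", "192.168.0.0", "0.0.0.255", "192.168.7.0", "0.0.0.255")],
    104: [("permit", "192.168.0.0", "0.0.0.255", "192.168.5.0", "0.0.0.255")],
}
HUB_ACL_101: List[Entry] = [
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.6.0", "0.0.0.255"),
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.7.0", "0.0.0.255"),
    ("deny", "192.168.0.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # any
]
# crypto ACL 100 from the "THE REMOTE SITE" section of the post
SPOKE1_ACL_100: List[Entry] = [
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
]

def classify(src: str, dst: str) -> Tuple[bool, Optional[int]]:
    """Return (will_be_natted, crypto_acl_number) for a packet leaving the hub LAN.

    NAT driven by a route-map translates only what the referenced ACL permits;
    a deny leaves the packet untouched, so VPN traffic keeps its real addresses
    and can then match a crypto ACL and be encrypted.
    """
    natted = acl_action(HUB_ACL_101, src, dst) == "permit"
    crypto = next((n for n, acl in HUB_CRYPTO.items()
                   if acl_action(acl, src, dst) == "permit"), None)
    return natted, crypto

def mirror_of(entry: Entry) -> Entry:
    action, s, swc, d, dwc = entry
    return (action, d, dwc, s, swc)

def is_mirror(hub_acl: List[Entry], spoke_acl: List[Entry]) -> bool:
    """Both ends' crypto ACLs must be exact mirrors, otherwise the proxy
    identities each side proposes for the IPsec SA will not agree."""
    return [mirror_of(e) for e in hub_acl] == spoke_acl

if __name__ == "__main__":
    # constructed packets: hub LAN host to a spoke LAN host, and to the internet
    print(classify("192.168.0.10", "192.168.1.20"))   # (False, 100): no NAT, encrypted
    print(classify("192.168.0.10", "203.0.113.7"))    # (True, None): NAT, clear text
    print(is_mirror(HUB_CRYPTO[100], SPOKE1_ACL_100))  # True
```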

Tags: Cisco Security

Similar Questions

  • Cisco ASA tunnel access list question

    We have created a site-to-site IPSec tunnel. Initially, only two IP addresses were allowed access to the tunnel. Now they are asking for more addresses. My question is, if I use access-list extended inside_access_in permit ip any host 10.60.55.10, do I also have to make a NAT statement that allows this?

    And when we change the site-to-site VPN connection profile, I have to allow all of this through the tunnel as well, correct?

    Thank you, and I hope this makes sense. We were originally thinking of policy-based routing on the core nearest the source.

    Dwane

    Hi Sylvie,

    If you use NAT then I would say yes, you must consider it... Normally, in a private LAN-to-LAN (L2L) scenario, you would have used no-NAT... If you have identical LANs at both ends, then you might be using NAT to a different subnet at each end... If you use the public IP for NAT then the L2L will be based on the public IP address... So it depends on your current configuration.

    If you use any to 10.60.55.10 (then any subnet of your site which flows through the VPN firewall to 10.60.55.10 is allowed... here you may need to modify the NAT source...)

    But the problem comes from the other end... for them the source will be 10.60.55.10 and the destination would be... then all traffic from host 10.60.55.10 is taken through the tunnel...

    So instead of making a statement with any, use its respective larger nets, 172.16.0/16 for example...

    Regards

    Knockaert

  • PIX 501 ICMP access list Question

    According to the book I have on the PIX firewall, and as I know from dealing with routers and switches, access lists define what traffic is allowed out of the network. With the PIX, access lists can only be applied one way, to the interface they enter, not leaving. That's my understanding, but when I do an ICMP command:

    PIX1(config)# access-list ethernet1 permit icmp any any echo-reply

    PIX1(config)# access-list ethernet1 permit icmp any any unreachable

    PIX1(config)# access-group ethernet1 in interface inside

    This does not work, but if I apply the access-group to the outside interface it works. I understand why it is like that.

    Thank you

    This works because the pix does not keep session state for icmp traffic the way it does for tcp and udp.

    By default, access from a higher to a lower security interface is allowed, unless you have an acl applied to the higher interface - then only what the acl permits will be allowed. So you can send an outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl applied on the external interface, because the pix won't allow any outside traffic by default.

    Even for icmp unreachable, although I would be cautious about making that part of the config. Allow only the unreachables due to ttl expired to facilitate path MTU discovery, not all unreachables.

    Let me know if it helps.

  • Question of access list for Cisco 1710 performing the 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a Cisco 1710 router that uses access lists to control traffic through the VPN tunnel.

    For example, take the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of access-list 130 (something other than 192.168.100.0/24) crosses the VPN tunnel or goes directly out the Ethernet0 interface.

    My understanding is that traffic that matches access-list 120 would be encrypted and sent through the IPSec tunnel. If there were "deny" statements in access-list 120, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the crypto map definition only references "match address 120", any traffic that matches access-list 130 would be sent out Ethernet0 but not associated with the crypto map and thus not sent through the IPSec tunnel.

    Any input or assistance would be greatly appreciated.

    crypto map Test 11 ipsec-isakmp

    ..

    match address 120

    interface Ethernet0

    ..

    crypto map Test

    ip nat inside source route-map sheep interface Ethernet0 overload

    access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

    access-list 130 permit ip 192.168.100.0 0.0.0.255 any

    route-map sheep permit 10

    match ip address 130

    It would go out interface e0 to the Internet in clear text without going over the tunnel.

    Jean Marc

  • Newbie question route-map/access-list

    I am quite new to the whole Cisco thing here. I'm very hesitant to make changes as I am not 200% sure that I won't take down the entire network. (We are a very small company.)

    We have a Cisco 1811 router (yes, I know it's old).

    We now have a route map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection; we want them to use our T1. Our T1 uses an ASA5505 as a router. I don't know why; I know it's not best practice, but I was just hired and that's all I have to say on this subject. I am doing this as a result. Web traffic currently goes out our cable interface; everything else, including the transfer speed on speedtest.net, goes out our T1. This makes for bad, bad VoIP phone calls. We also have a tunnel to our other offices as well as our Exchange2010 server using the T1. If our cable goes down, everything goes to the T1 (by design). We have a long access list defined in our route map - match ip address. I want to change the access list to not allow local network IP addresses. I know that if I put in a permit ip any any it will break our network, nothing will go out the T1 line, and no one can get to our mail server any more. So, I was thinking of adding some statements, but I was wondering if someone could help me with the logic, so I know whether I will break the network. I wouldn't want to have to pull the laminated cord and use the console. (I really need to get a USB serial interface.) Now that you understand a little more about my situation, here are all the numbers, etc.

    Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses; why they chose a /16 is beyond me, stupid really)

    PTP VPN: 192.168.116.0/24 comes in and goes out our T1.

    1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

    ASA: 90.0.0.50

    !

    track 40 ip sla 40 reachability

    delay down 90 up 60

    !

    interface Vlan1

    description * LAN INTERFACE 90.0.0.x network * $FW_INSIDE$

    ip address 90.0.0.254 255.255.255.0

    ip nat inside

    ip virtual-reassembly

    ip tcp adjust-mss 1452

    ip policy route-map WEBPBR

    !

    interface Vlan10

    description * LAN INTERFACE NET 192.168.0.x * $FW_INSIDE$

    ip address 192.168.0.254 255.255.255.0

    ip nat inside

    ip helper-address 90.0.0.2

    ip virtual-reassembly

    ip policy route-map WEBPBR

    !

    ! Static routes

    ip forward-protocol nd

    ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

    ip route 0.0.0.0 0.0.0.0 197.164.245.109 200

    ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

    ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

    ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

    ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

    ip access-list extended WEBTRAFFIC
    deny ip any host 208.67.222.222
    deny ip any 172.20.0.0 0.0.255.255
    deny tcp host 90.0.0.2 any eq www
    deny tcp host 90.0.0.14 any eq www
    deny tcp host 90.0.0.235 any eq www
    deny ip host 192.168.0.40 any
    deny ip any host 192.168.0.40
    deny ip host 192.168.0.41 any
    deny ip any host 192.168.0.41
    deny ip any host 192.168.0.221
    deny ip host 192.168.0.221 any
    deny ip host 192.168.0.225 any
    deny tcp host 90.0.0.10 any eq www
    deny ip any host 192.168.0.225
    deny tcp host 90.0.0.11 any eq www
    deny tcp host 90.0.0.9 any eq www
    deny tcp host 90.0.0.8 any eq www
    deny tcp host 90.0.0.7 any eq www
    deny tcp host 90.0.0.6 any eq www
    deny tcp host 90.0.0.1 any eq www
    deny tcp host 90.0.0.13 any eq www
    deny tcp host 90.0.0.200 any eq www
    permit tcp any any eq www
    permit ip host 192.168.0.131 any
    permit ip host 192.168.0.130 any
    permit ip host 192.168.0.132 any
    permit ip host 192.168.0.133 any
    permit ip host 192.168.0.134 any
    permit ip host 192.168.0.135 any
    permit ip host 192.168.0.136 any
    permit ip host 192.168.0.137 any
    permit ip host 192.168.0.138 any
    permit ip host 192.168.0.139 any
    permit ip host 192.168.0.140 any
    permit ip host 192.168.0.141 any
    permit ip host 192.168.0.142 any
    permit ip host 192.168.0.143 any
    permit ip host 192.168.0.144 any
    permit ip host 192.168.0.145 any
    permit ip host 192.168.0.146 any
    permit ip host 192.168.0.147 any
    permit ip host 192.168.0.148 any
    permit ip host 192.168.0.149 any
    permit ip host 192.168.0.150 any
    permit ip host 90.0.0.80 any
    permit ip host 90.0.0.81 any
    permit ip host 90.0.0.82 any
    permit ip host 90.0.0.83 any
    permit ip host 90.0.0.84 any
    permit ip host 90.0.0.85 any
    permit ip host 90.0.0.86 any
    permit ip host 90.0.0.87 any
    permit ip host 90.0.0.88 any
    permit ip host 90.0.0.89 any
    permit ip host 90.0.0.90 any
    permit ip host 90.0.0.91 any
    permit ip host 90.0.0.92 any
    permit ip host 90.0.0.93 any
    permit ip host 90.0.0.94 any
    permit ip host 90.0.0.95 any
    deny tcp host 90.0.0.3 any eq www

    ip sla 40

    icmp-echo 208.67.220.220 source-interface Vlan1

    timeout 6000

    frequency 20

    ip sla schedule 40 life forever start-time now

    route-map WEBPBR permit 2

    match ip address WEBTRAFFIC

    set ip next-hop verify-availability 197.164.245.109 1 track 40

    That is how we have it set up right now. If I put in a few lines at the top of WEBTRAFFIC with:

    deny ip any 192.168.0.0 0.0.0.255

    deny ip any 90.0.0.0 0.0.0.255

    deny ip any 192.168.116.0 0.0.0.255

    ! etc. with all internal networks

    * And then put at the bottom:

    permit ip any any

    will that break EVERYTHING so we can not communicate with anything? Or is that what I have to do to get internal routing, etc.? Also, I guess I'd put in the 15 IP addresses that are coming in on the ASA as well? (We have 14 public IPs (one for the T1 gateway) that would go in as well?) I don't want to just try putting those in at the top and make sure no one can do anything. I hope I made clear what I'm doing...

    Post edited by: Ryan Young

    I have not read this thread well enough to be able to speak to the intricacies of whether this access list will do what you want. But I can answer the specific question you are asking. Yes - the access list is processed top-down, and if some line higher in the access list matches, then processing for that packet will not get to the permit at the bottom of the access list.

    HTH

    Rick

  • Simple Question SSH Access-List

    I am allowing SSH access to all of our Cisco devices and want to restrict access to only the following IP addresses: 192.168.200.1 - 192.168.200.50. I forgot the exact access-list configuration to achieve this. The subnet is a /24 and I don't want the whole subnet - only .1-.50.

    Thank you

    Thomas Reiling

    Hello

    If you use ssh, make sure that you have a domain name and host name and that an rsa key is generated. Assuming you have done this, the following access list and vty access-class command will do the trick. Note that the host range 1-50 is not on a subnet boundary.

    To get it exactly:

    access-list 1 remark MANAGEMENT ALLOW
    access-list 1 permit 192.168.200.0 0.0.0.31

    access-list 1 permit 192.168.200.32 0.0.0.15

    access-list 1 permit 192.168.200.48 0.0.0.1

    access-list 1 permit host 192.168.200.50

    access-list 1 deny any log

    It would be a good idea to put it on a boundary, however, so the following would be much simpler and easier to read.

    access-list 1 remark MANAGEMENT ALLOW
    access-list 1 permit 192.168.200.0 0.0.0.63

    access-list 1 deny any log

    Apply the access-class on the vty lines; and for authentication, I would put something there too.

    line vty 0 4
    access-class 1 in
    transport input ssh

    password Bonneau

    That should do it.

    Good luck!

    Brad

  • Question of Access-list PIX

    The following access list works on a Cisco router; however, the list will not work on the PIX (I changed the wildcard mask to a subnet mask for the PIX).

    Router (works)

    access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80

    PIX (does not work)

    access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80

    I get the error on the PIX:

    ERROR: Source address, mask <192.168.1.50, 0.0.0.10> not pair

    Is it possible to group IP addresses on the PIX in a similar way as on Cisco IOS?

    Thank you!

    Domo Arigato!

    You can use

    192.168.1.48 255.255.255.248 for the source, or if there are many hosts you must insert an individual entry for each source.

    Of course you can deny host 192.168.1.49 and

    let the others through with permit 192.168.1.48 255.255.255.248
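As an added example (not from either thread), the following Python expands IOS wildcard entries into the exact host set they cover and converts a wildcard to the PIX-style subnet-mask form only when that is actually possible. It serves both the SSH access-list thread above (what Brad's exact list and the 0.0.0.63 form really cover, which the computed sets show also includes .0) and this PIX thread (why 192.168.1.50 with wildcard 0.0.0.10 has no single-subnet equivalent). All addresses and wildcards are taken from the posts.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_hosts(addr: str, wildcard: str) -> Set[str]:
    """All addresses matched by 'addr wildcard' (IOS semantics): each 1 bit of
    the wildcard may take either value, so a non-contiguous wildcard such as
    0.0.0.10 yields a scattered set rather than a block."""
    wc = _int(wildcard)
    base = _int(addr) & ~wc & 0xFFFFFFFF
    free = [b for b in range(32) if wc >> b & 1]
    hosts: Set[str] = set()
    for combo in range(1 << len(free)):
        v = base
        for i, b in enumerate(free):
            if combo >> i & 1:
                v |= 1 << b
        hosts.add(str(ipaddress.IPv4Address(v)))
    return hosts

def standard_acl_hosts(entries: List[Tuple[str, str]]) -> Set[str]:
    """Union of the hosts permitted by a list of (addr, wildcard) permit entries."""
    covered: Set[str] = set()
    for addr, wc in entries:
        covered |= wildcard_hosts(addr, wc)
    return covered

def wildcard_to_mask(addr: str, wildcard: str) -> Optional[Tuple[str, str]]:
    """Convert to the PIX-style (network, subnet_mask) form, or None when no
    single subnet expresses the entry: the wildcard must be contiguous low-order
    ones and addr must be the network address for it."""
    wc = _int(wildcard)
    if wc & (wc + 1):                     # 0.0.0.10 -> 1010b: not contiguous
        return None
    mask = ~wc & 0xFFFFFFFF
    if _int(addr) & mask != _int(addr):   # e.g. .50 is not the start of a /29
        return None
    return addr, str(ipaddress.IPv4Address(mask))

def last_octets(hosts: Set[str]) -> List[int]:
    """Helper for reading results: sorted last octets of a host set."""
    return sorted(int(h.rsplit(".", 1)[1]) for h in hosts)

# Brad's exact list and his simpler /26 form from the SSH thread
SSH_EXACT = [("192.168.200.0", "0.0.0.31"), ("192.168.200.32", "0.0.0.15"),
             ("192.168.200.48", "0.0.0.1"), ("192.168.200.50", "0.0.0.0")]
SSH_SIMPLE = [("192.168.200.0", "0.0.0.63")]

if __name__ == "__main__":
    print(last_octets(standard_acl_hosts(SSH_EXACT)))    # 0..50
    print(last_octets(standard_acl_hosts(SSH_SIMPLE)))   # 0..63
    print(last_octets(wildcard_hosts("192.168.1.50", "0.0.0.10")))  # [48, 50, 56, 58]
    print(wildcard_to_mask("192.168.1.50", "0.0.0.10"))  # None: the PIX rejects it
    print(wildcard_to_mask("192.168.1.48", "0.0.0.7"))   # ('192.168.1.48', '255.255.255.248')
```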

  • line 300 deny access-list

    Everyone;

    I need a few questions answered on how to condense a 300-line deny access-list into something maybe shorter. Right now, we want to put the abbreviated version of the access list on the border router, a 7204 VXR, if possible. It is an attempt to block known bad IP addresses that are not network friendly. Currently there are 2 ASA 5540s behind the border router.

    Thanks in advance;

    gmaurice

    No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)

  • Cisco 837 and access list

    Hi all

    Sorry if my question sounds stupid, but I have had a lot of problems with the access list syntax, especially removing a line from an access list, for example:

    Here is my access list

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

    If I want to delete only this line

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    I do not know how; if I do:

    no access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    the whole of access-list 120 is removed!

    Help, please!

    Olivier

    Hi, this is the usual behaviour: if you delete a statement of a numbered access list, the entire list is deleted.

    You can create a named access-list and have a sequence number for each statement.

    !

    ip access-list standard note

    permit 172.10.0.0 0.0.255.255

    permit 10.1.1.0 0.0.0.255

    permit 192.168.1.0 0.0.0.255

    deny any

    !

    and if you want to delete something in between, or any particular line, you can run the command like this, which will remove that line instead of the entire ACL...

    (config)# ip access-list standard note

    ! entries get sequence numbers 10, 20, 30, ... by default, so 30 is the third line
    (config-std-nacl)# no 30

    This configuration line will remove the third line only (which is permit 192.168.1.0 0.0.0.255), leaving the other statements.

    regds

  • Order of access-list syntax

    Hello

    I have a small question about the order of the syntax in an access list. I have made my access list work now, but I don't understand why.

    It looked like this when it did not work:

    (outside interface, incoming traffic)

    access-list 100 permit tcp any any established log

    access-list 100 permit udp any any eq domain log

    access-list 100 permit tcp any any eq domain log

    access-list 100 deny ip any any log

    To make this work, I had to add these two lines:

    access-list 100 permit udp any eq domain any log

    access-list 100 permit tcp any eq domain any log

    I do not understand the difference between

    access-list 100 permit udp any eq domain any

    and

    access-list 100 permit udp any any eq domain

    If you're wondering what the main goal of the list is, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have a domain.

    Hello

    Again, I think I know that this ACL 100 is attached to the router's WAN interface in the 'in' direction. This means it controls traffic entering your LAN.

    When we look at how DNS works with regard to this ACL:

    • DNS lookups are usually made to destination port UDP/53
    • The PC uses a random source port for the DNS lookup
    • Responses from the DNS server to the lookup have source port UDP/53
    • Responses from the DNS server go to the PC on the port that the PC used as the source of the DNS lookup

    So naturally you'll see responses from the DNS server with source port UDP/53.

    If the ACL with destination port UDP/53 were getting all the hits, this would mean that you are hosting a DNS server and the DNS lookups were intended for your network.

    Also, to your other question: if you set no ports for TCP/UDP in the ACL, then it accepts any source/destination port.

    Hope this helps

    Please remember to mark the question as answered if it was.

    -Jouni
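As an added example (not from either thread), here is a minimal evaluator for IOS extended ACL entries with the top-down, first-match, implicit-deny semantics Jouni and Rick describe. It shows that a DNS reply (source port 53, random destination port) falls through to the deny until the "any eq domain any" lines exist, and, for the 1811 route-map thread above, that internal-network denies placed above "permit ip any any" keep internal traffic out of the policy route. ACL lines come from the threads; the packets are constructed.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53}   # the named ports that appear in the threads

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tok.pop(0), "0.0.0.0"
    return t, tok.pop(0)

def _port(tok):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tok and tok[0] == "eq":
        p = tok[1]
        del tok[:2]
        return PORTS[p] if p in PORTS else int(p)
    return None

def parse(line):
    """Parse a numbered or named-ACL extended entry into its fields."""
    tok = line.split()
    if tok[0] == "access-list":          # numbered form: drop "access-list <n>"
        tok = tok[2:]
    e = {"action": tok.pop(0), "proto": tok.pop(0)}
    e["src"], e["swc"] = _addr(tok)
    e["sport"] = _port(tok)
    e["dst"], e["dwc"] = _addr(tok)
    e["dport"] = _port(tok)
    e["established"] = "established" in tok   # 'log' does not affect matching
    return e

def _wc(ip, net, wc):
    i, n, w = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wc))
    return (i & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def evaluate(acl, pkt):
    """Top-down, first match wins; returns (action, matching line or None)."""
    for line in acl:
        e = parse(line)
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_wc(pkt["src"], e["src"], e["swc"]) and _wc(pkt["dst"], e["dst"], e["dwc"])):
            continue
        if e["sport"] is not None and e["sport"] != pkt.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        if e["established"] and not pkt.get("ack"):   # needs ACK or RST set
            continue
        return e["action"], line
    return "deny", None   # the implicit deny at the end of every ACL

# inbound WAN ACL 100 from the thread, before and after the two extra lines
WAN_IN_BEFORE = ["access-list 100 permit tcp any any established log",
                 "access-list 100 permit udp any any eq domain log",
                 "access-list 100 permit tcp any any eq domain log",
                 "access-list 100 deny ip any any log"]
WAN_IN_AFTER = WAN_IN_BEFORE[:3] + ["access-list 100 permit udp any eq domain any log",
                                    "access-list 100 permit tcp any eq domain any log"] + WAN_IN_BEFORE[3:]
# constructed DNS reply: the resolver answers from port 53 to the PC's random port
DNS_REPLY = {"proto": "udp", "src": "203.0.113.53", "sport": 53, "dst": "192.168.1.10", "dport": 50321}

# the idea from the 1811 thread: internal-network denies above "permit ip any any"
PBR_ACL = ["deny ip any 192.168.0.0 0.0.0.255", "deny ip any 90.0.0.0 0.0.0.255", "permit ip any any"]

def pbr_decision(src, dst):
    """'permit' means the route-map would policy-route the packet out the T1;
    'deny' means it falls through to the normal routing table instead."""
    return evaluate(PBR_ACL, {"proto": "tcp", "src": src, "dst": dst})[0]
```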

  • ISE pre authorise access-list

    Dear,

    I created a pre-authorization access-list for Cisco ISE 1.4, according to the Switch Configuration Required to Support Cisco ISE 2.0 Functions. A Cisco IP phone is properly profiled and downloads a good permit ip access list, but when I make a PSTN call I hear one-way audio. When I look at the switch logs it shows me that RTP has been blocked by the default access-list. My question is: when my DACL is downloaded correctly, why is the default ACL interrupting the RTP? Also I see that port numbers 2000 & 2443, which are used for the CUCM keepalive, are blocked by the default access-list, so the phone loses its connection to the server.

    Something I'm missing?

    Thank you

    Which is not the same thing?

    Try using 'details' after the command.

  • FWSM firewall context Access-List entry Limitation

    We have recently experienced an error on one of the firewall contexts that it has reached the maximum number of access list entries. Does anyone know what the limit of ACL entries per context is, or where I can find the documentation for it? Is there any workaround to this issue? Thanks in advance.

    Hello

    This value changes depending on which version of the FWSM code you run - and Cisco is not specific on how the FWSM counts ACEs, so you have to determine the number of entries you have on your own.

    If you run the command (syntax may be different in 3.x code):

    show np 3 acl count

    You get a result that looks like this:

    --- CLS Rule Current Counts ---

    CLS Filter Rule Count: 0

    CLS Fixup Rule Count: 11

    CLS Est Ctl Rule Count: 0

    CLS AAA Rule Count: 2187

    CLS Est Data Rule Count: 0

    CLS Console Rule Count: 7

    CLS Policy NAT Rule Count: 0

    CLS ACL Rule Count: 3491

    CLS ACL Uncommitted Add: 0

    CLS ACL Uncommitted Del: 0

    --- CLS Rule MAX Counts ---

    CLS Filter MAX: 3584

    CLS Fixup MAX: 32

    CLS Est Ctl Rule MAX: 716

    CLS Est Data Rule MAX: 716

    CLS AAA Rule MAX: 5017

    CLS Console Rule MAX: 2150

    CLS Policy NAT Rule MAX: 3584

    CLS ACL Rule MAX: 56627

    The counts are your real numbers; MAX is the maximum you can have. AAA rules are counted by how many you have applied altogether with your "aaa match" commands. For your question, it seems that you should check your 'CLS ACL Rule Count' and 'CLS ACL Rule MAX' and make sure you don't get close to that number. If you are, try to limit the number of host entries (use networks) where possible and try to use port ranges instead of individual ports in your access list statements.

    I'll try to find the 7.x syntax and post it here later.

    -Jason

    Rate if this helps.

  • Public static NAT vs. Access-List

    Hello

    I have a question about what the best practice is for static NAT and access lists. Example:

    Web server (192.168.1.1) inside to outside (10.10.10.10) with ports 80 and 443.

    ip nat inside source static tcp 192.168.1.1 80 10.10.10.10 80

    ip nat inside source static tcp 192.168.1.1 443 10.10.10.10 443

    Or

    ip nat inside source static 192.168.1.1 10.10.10.10

    access-list 101 permit tcp any host 10.10.10.10 eq 80

    access-list 101 permit tcp any host 10.10.10.10 eq 443

    interface ethernet0
    ip access-group 101 in

    Thank you

    For operational reasons - it will break things.

  • access list for traffic crossing and IPSEC

    Hi, just a quick and easy question, if everything goes as I'm thinking it does. I'm setting up IPSEC between a Cisco router and another Cisco router. I want to only allow RDP through the IPSEC.

    I of course implement the ACL for the SHEEP, but will I have to implement another ACL applied on the outside interface allowing a specific RDP server and denying everything else?

    Thank you

    David

    I have extracted this from a working router. I changed some details to conceal the source, but it should illustrate what you need to do.

    !
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key examplekey address 2.3.4.5
    !
    !
    crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
    mode tunnel
    !
    crypto map cust_map 10 ipsec-isakmp
    set peer 2.3.4.5
    set transform-set AES256SHA
    match address crypto_acl
    !
    interface GigabitEthernet8
    crypto map cust_map
    !
    ip access-list extended crypto_acl
    permit ip host 192.168.25.52 172.24.0.0 0.0.7.255
    !

    HTH

    Rick

  • PIX 535 and access lists

    Hello

    We have a Cisco PIX 535. By default, traffic from a more secure interface to one with a lower security level is allowed, isn't it?

    OK, I have a doubt: I had to define an access list entry to allow a telnet connection between inside and outside. There is no rule against that traffic, but without this rule the telnet connection cannot be established.

    And my question is: why? Isn't it supposed to be allowed by default?

    Thanks in advance.

    Higher -> lower is allowed by default... However, once you add permit statements, there is an implicit deny all at the end. So, if you permit ftp and ssl web... then by default any other traffic is denied and you need to be precise with your permits.
