ACL LocalFW Vs pushed Firesight ACL

Hi guys

If we have a strategy pushed Firesight to ASA network and it has a local policy on the interface, which would override?

Also is there a way we could check on the SAA what policy he received from Firesight?

How do you push a policy to the Firesight ASA?

Do you mean that you have a policy thrust to the firepower of the ASA service module?

In this case, these are quite different things. The ASA evaluates the passage of the ACL interface occupants when the package is presented to the interface. The service module evaluates the flow against its policies when it receives the package from the ASA parent under the policy-map.

Is not one or the other, is both and the net result is their cumulative policy when it is applied in the series (as a Boolean 'AND' logical).

See this link for a picture:

https://CCIE-or-null.NET/2014/12/10/packet-flow-with-firepower/

Tags: Cisco Security

Similar Questions

TIME BASED ACLS ON FIRESIGHT MANAGER

Dear all,

We use the power of fire management center Cisco for VMWare. In which we have created several rules under strategies--> access control. But we want to run some rules under the defined time interval. Can anyone please help on this configuration.

screenshot is attached.

Thank you very much.

Raja,

Sorry, but this feature is not currently available.

LRT224 DMZ ACL

Hello

I have a bit of a strange situation that I can't actually know. It's probably something I'm on, that I'm usually on enterprise-class

My current situation:
1. WAN1 with an external static IP address.
2. LAN1 switches in pool addressing of class a.
3. DMZ connected to the addressing of class B pool (/ 29 subnet)
Port forwarding pushes some ports to our Exchange/Intranet site on class A.

Port translation pushes a TCP port that is customized to a specific machine in class B.

Class B cannot access class A, the opposite is not true. This is normal.

Class can access the internet, a specific class B machine cannot. This is false.

How I configure my ACL:

DENY all traffic to DMZ port. subnet class B source, destination one subnet of class.

ALLOW all traffic on the DMZ, source ANY, internet destination port.

ALLOW all traffic on port WAN1, subnet of class B source, destination ANY,

ALLOW TCP port custom port WAN1, source ANY, a specific destination IP address in the class B (DMZ).

ALLOW all traffic on the LAN, ANY source, ANY destination port.

DENY all traffic on the DMZ port, source ANY, a class of destination subnet.

Furthermore, and I noticed in fact just that, why it's split between WAN and WAN1? Could be the problem?

As I know the DMZ does not work the way you use. Isn't the range of private IP addresses to public IP addresses for your servers to use instead of a range of IP addresses. The DMZ LRT is different from other standard model of the DMZ.

https://community.Linksys.com/T5/Linksys-small-business/LRT214-LRT224-DMZ-basic-configuration/m-p/85...

ACS and download ACL for multiple clients-AAA

Hello!

I need to know if it is possible to download ACL on the DACL device that is not a part of the conversation of RADIUS? In other words, I have a user who needs access to certain resources and attempts to connect to the network via PIX1. I need to authenicate it by ACS and download ACL PIX1 and (attention) PIX2 also (some firewalls upstream). Is it possible to do?

I don't think that you can do. As you mentioned that the other PIX has no Radius configuration. And you can push only DACL of the Radius on the PIX server, she asks, not in any other PIX.

And I'm not aware of any mechanism or feature, which allows you to transfer the downloaded ACL of one PIX to another.

Kind regards

Prem

ACL - ISE

Hi team!

in ISE, can a static acl applied dynamically to a switch interface, i.e. If a port on a switch, which amounts to a printer is active, but no certificate is received on the ISE, then the ISE will push an ACL to the switch port to allow only traffic to the printer. This could bypass the authentication MAC workaround eventually.

Bravo!

Bellefroid

Please find attached.

Thank you for evaluating useful messages!

1.2 of the ISE and ACL with several ports

When you create a DACL for my groups I used the syntax "permit tcp any 192.168.20.0 0.0.0.255 eq 22 443" for one of my acl within the DACL and the validated syntax checking. When I pushed my groups too, it worked but I have heard that this type of port several ACL in ISE is not supported. Does anyone know if this is accurate?

You can implement several DACL to control access and the sound works perfectly with ISE

Note the useful messages *.

Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

Hello

I have Setup Cisco NAC in my environment. These are all works well. The users themselves will get authenticated via Cisco NAC Manager. The Cisco NAC Manager meets with Cisco ACS for the part of the user database. These are all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. It's either I'm doing wrong or this configuration of the mine does not support downloadable ACLs? Please advice kindly.

Kind regards

RAM

+ 6 012-2918870

Hello

It is not possible.

You cannot push the ACL in the NAC manager.

If you make the Radius of NAC authentication manager, you can do is create roles the NAC Manager, and on the roles you define traffic strategies.

Using the Radius attributes you can then map users to roles.

Please, take a look at this:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

HTH,

Tiago

--

If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

Easy VPN - acl

Hello

There is an "acl" parameter that is not clear to me, it is configured at customer site:

Crypto ipsec VPN ezvpn client

connect auto

Cisco key band EASYVPN

client mode

peer 10.0.0.1

username cisco password cisco

xauth userid local mode

ACL 101

Everything that I added to the ACL 101 tunnel is always present. I found a description:

Step 6
ACL {name - acl |} ACL-number}
Example:

Device (ezvpn-crypto-config) # acl acl-list1

Specifies several subnets in a VPN tunnel.

"Specifies several subnets in a VPN tunnel". -what it means, source?

I tried to use this setting, and I added the access list:

access-list 123 allow ip 10.10.10.0 0.0.0.255 host 20.0.0.20

access-list 123 allow ip 50.50.50.0 0.0.0.255 host 20.0.0.20

where 10.10.10.0 and 50.50.50.0 are source and 20.0.0.20 is the destination.

When I ping with source 10.10.10.3 (physical int) for 20.0.0.20 - numbers of BA & desc packages grows.

but when I ping with source 50.50.50.50 (int loop) for 20.0.0.20 - I see that it wasn't to push into the tunnel.

Could someone explain how the work parameter and for what is it?

Thank you

Hubert

Hubert,

Ref:

http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_esyvpn/configuration/15-2mt/sec-easy-VPN-rem.html

in client mode several subnets are not supported, nor what they sense.

You specify what internal subnets of announcement to the server that are configured behind this device.

In client mode, the server sees only the assigned IP address.

M.

Reset home folder permissions and the default ACL on macOS Sierra?

A tool that I've used in the past to troubleshooting doesn't seem to be available in macOS Sierra.

There was a procedure in el captain to reset the permissions of file and ACLs in start in recovery mode, by running the command terminal, resetpassword. This command pulls up a GUI in Sierra as el cap but the "reset the user permissions and ACLs" option is no longer there.

This article describes the procedure to el captain

http://appletoolbox.com/2016/07/fix-corrupt-user-accounts-MacOS/#For_El_Capitan _ andmacOS

Is there another way to reset the permissions of the user and the default ACLs on macOS Sierra?

If you are looking for in the forums on the topic and limit to messages by Linc Davis, he posted a script that will reset everything.

How to set ACLs for a volume?

Hello

I'm sharing installation points on my external hard drive (in El Capitan Server) and he said:

"Failed to save the access control list. Make sure that the access control lists are enabled on the volume. »

There used to be a way to do it from the server application.

Can any tell me how to proceed?

Thank you!

A few things to look at.

First of all, if it is a new drive, you reformat to make sure it is formatted in HFS +? Some external drives are preformatted with alternative formats of partition. For example, if the drive is formatted in FAT I think not that he supports the ACL.

Then, if the drive is formatted in HFS +, there is a chance that your player is set to ignore permissions. Select the drive in the Finder and information. Reveal the section sharing and permissions of the window read the information. Check the status of the 'ignore property on the Volume' and make sure it is not checked.

Also, I suggest that you do not share an entire drive. Instead, create a folder on the root of the drive and then created folders within the folder. The reason is that the root of the disc contains a number of hidden files that have specific uses. For example. Spotlight is to search for and .fsevents for file system events. You don't want mess you with permissions on these hidden folders.

Reid

Apple Consultants Network

Author - "El Capitan Server - Foundation Services.

Author - "El Capitan Server - Collaboration & control»

Author - "El Capitan Server - Advanced Services '.

ACL work properly with 10.11.3?

I upgraded a few weeks before 10.11.3 on my server and I noticed that new files created from client computers (actions) are now owned by the creator instead of the group. They user is not yet listed in the ACL is only the group. In fact for other users cannot delete the files that must be deleted.

I use the server to change the permissions using the ACL and that worked great, but after the upgrade, it's just like using the Finder to change (POSIX) permissions when I used to have all the problems.

Y at - it something I am doing wrong? or something that has allowed?

Thanks for any help.

I've noticed that new files created from client computers (actions) are now owned by the creator instead of the group.

A folder can never belong to a group.

The owner of any file/folder is always a 'user '.

Customers use AFP or SMB?

If SMB: activate ACL for the SMB shared files, run this command on the server:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server lock - bool YES

sudo serveradmin stop smb

sudo serveradmin beginning smb

If you still have problem, please create a folder then check/post the permissions of the parent folder and it's new.

LS - lde/Path/Parent/NewFolder

LS - Parent/road/lde

Jeff

VLAN ACL M4100

Dear Sir

We want to create an access list to isolate our Wifi network invited all the other vlan.
When I do, diseapper of the other SSID of our laptops.

I applied to the access list to our direction to SVI comments in

! Description of the system "M4100 - 24 G - POE + ProSafe 24 port Gigabit L2 + Managed Switch w ith PoE +, 10.0.2.13, B1.0.1.1"
! Version of the software system "10.0.2.13".
! System Up Time "28 days 22 hours 39 minutes 58 seconds"
! Other packets QOS, IPv6, routing
! Current SNTP synchronized time: SNTP last attempt status is not successful
!
database of VLAN
VLAN 99 200-208 455-456 999
VLAN 99 name 'TEST '.
name of VLAN 200 'Clients '.
name of VLAN 201 "Telefonie.
name of VLAN 202 "guest."
name of VLAN 203 'fr '.
the name of VLAN 204 "TD."
VLAN name 205 "DMZ".
VLAN name 206 'printers '.
VLAN name 207 'media '.
VLAN 208 name 'Wireless '.
VLAN name 999 "3com".
VLAN 1 1 routing
-Other - or ITU (q)
VLAN 200 2 routing
VLAN 201 3 routing
VLAN routing 202 4
VLAN routing 5 203
VLAN routing 204 6
VLAN routing 205 7
VLAN routing 206 8
VLAN routing 9 207
VLAN routing 10 208
VLAN routing 11 455
VLAN routing 12 456
VLAN routing 99 13
output

network mgmt_vlan 203
IP http secure server
Configure
time range
default IP gateway - 10.253.255.1
level of 483f42190380e8780a9d32a3c63d31b86d6ad49b870db8306af86a9ce3e06cd9a39f66e666e86f0aaab777b0ab9fe571908247c31d904463d1a0767400f8e763 user name 'admin' password encrypted 15
level password user name "secit" encrypted 15 912ba98d721224814ea15db6dec1701819e75dfcafa635831e9eab148c105c20ba85dc61882dd47a65eb66dff6cf0005a1a2232b6957ec898cd6187c6bdbb510
line console
output
-Other - or ITU (q)

line telnet
output

ssh line
output

spanning tree bpduguard

!

IP access-list ACL_Wizard_IPv4_0
output

IP access-list Deny_Guest_Intervlan_Routing
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.4.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.5.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.6.0 0.0.0.255
-Other - or ITU (q)
deny ip 10.253.2.0 0.0.0.255 10.253.7.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.8.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.9.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.11.0 0.0.0.255
IP 10.253.2.0 allow 0.0.0.255 0.0.0.0 0.0.0.0
output

class-map correspondence ClassVoiceVLAN ipv4
game of vlan 201
output

Policy-map PolicyVoiceVLAN in
class ClassVoiceVLAN
Assign-queue 3
output

output

interface 0/1
Description "ACCESSPORTS.
participation of VLAN include 200-201
VLAN tagging 201
-Other - or ITU (q)
output

interface 0/2
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 1000000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/3
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201 204
VLAN tagging 201
-Other - or ITU (q)
IP mtu 1500
output

interface 0/4
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/5
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 1000000
pvid VLAN 99
participation of VLAN include 99 200 - 201
-Other - or ITU (q)
VLAN tagging 201
IP mtu 1500
output

interface 0/6
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/7
VLAN 201 votes
policy - PolicyVoiceVLAN
Description "ACCESSPORTS.
pvid VLAN 203
-Other - or ITU (q)
participation of VLAN include 200-201
VLAN tagging 201
output

0/8 interface
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/9
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
-Other - or ITU (q)
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/10
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/11
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
-Other - or ITU (q)
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/12
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/13
VLAN 201 votes
policy - PolicyVoiceVLAN
-Other - or ITU (q)
bandwidth 100000
pvid VLAN 200
VLAN automatic participation 1
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/14
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
VLAN automatic participation 1
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

-Other - or ITU (q)
interface 0/15
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
VLAN automatic participation 1
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/16
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 202
VLAN automatic participation 1
participation of VLAN include 201-202
VLAN tagging 201
IP mtu 1500
output
-Other - or ITU (q)

interface 0/17
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 200
participation of VLAN include 200-201
VLAN tagging 201
IP mtu 1500
output

interface 0/18
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 203
participation of VLAN include 200-201 203
VLAN tagging 201
IP mtu 1500
-Other - or ITU (q)
output

interface 0/19
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 206
VLAN automatic participation 1
participation of VLAN include 201 206
VLAN tagging 201
IP mtu 1500
output

interface 0/20
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 999
participation of VLAN include 200-201 204-207 455-456 999
-Other - or ITU (q)
VLAN tagging 200-201 204-207 455-456
IP mtu 1500
output

interface 0/21
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
pvid VLAN 455
VLAN automatic participation 1
participation of VLAN include 200-204 455-456
VLAN tagging 200-204
IP mtu 1500
output

interface 0/22
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
-Other - or ITU (q)
switchport mode trunk
switchport trunk vlan native 456
pvid VLAN 456
VLAN automatic participation 1
participation of VLAN include 200-204 456
VLAN tagging 200-204
IP mtu 1500
output

interface 0/23
VLAN 201 votes
policy - PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk vlan native 456
pvid VLAN 456
participation of VLAN include 200-204 456
VLAN tagging 200-204
IP mtu 1500
output

-Other - or ITU (q)

interface 0/24
bandwidth 100000
switchport mode trunk
switchport trunk vlan native 999
pvid VLAN 999
participation of VLAN include 200-208 455-456 999
VLAN tagging 200-207 455-456
IP mtu 1500
output

interface vlan 1
Routing
DHCP IP address
output

interface vlan 200
Routing
-Other - or ITU (q)
IP 10.253.0.1 255.255.255.0
output

interface vlan 201
Routing
IP 10.253.1.1 255.255.255.0
output

interface vlan 202
Routing
IP 10.253.2.1 255.255.255.0
IP access-group Deny_Guest_Intervlan_Routing vlan 202 in
output

interface vlan 203
Routing
IP 10.253.3.1 255.255.255.0
output
-Other - or ITU (q)

interface vlan 204
Routing
IP 10.253.4.1 255.255.255.0
output

interface vlan 205
Routing
IP 10.253.5.1 255.255.255.0
output

interface vlan 206
Routing
IP 10.253.6.1 255.255.255.0
output

-Other - or ITU (q)

interface vlan 207
Routing
IP 10.253.7.1 255.255.255.0
output

interface vlan 208
Routing
IP 10.253.8.1 255.255.255.0
output

interface vlan 455
Routing
IP 10.253.255.2 255.255.255.0
output

interface vlan 456
-Other - or ITU (q)
Routing
IP 10.253.11.1 255.255.255.0
output

interface vlan 99
Routing
IP 10.253.9.1 255.255.255.0
output

IP management vlan 203
dhcp service
pool IP dhcp "Telefonie.
Rental 7 0 0
Server DNS 8.8.8.8 8.8.4.4
router by default - 10.253.1.1
Network 10.253.1.0 255.255.255.0
domain secit.be
b-node NetBIOS node type
output

-Other - or ITU (q)
pool IP dhcp "guest."
Rental 0 12 0
Server DNS 8.8.8.8 8.8.4.4
router by default - 10.253.2.1
Network 10.253.2.0 255.255.255.0
secit domain name - guest.be
b-node NetBIOS node type
output

pool IP dhcp 'media '.
Rental 0 12 0
10.253.3.2 DNS Server 8.8.4.4
router by default - 10.253.7.1
Network 10.253.7.0 255.255.255.0
secit domain name - media.be
b-node NetBIOS node type
output

pool IP dhcp "TD."
Rental 0 14 0
10.253.3.2 DNS Server 8.8.4.4
router by default - 10.253.4.1
Network 10.253.4.0 255.255.255.0
-Other - or ITU (q)
secit domain name - td.be
b-node NetBIOS node type
output

pool IP dhcp "internal."
Rental 7 0 0
10.253.3.2 DNS server
router by default - 10.253.0.1
Network 10.253.0.0 255.255.255.0
domain fixitsolutions.local
b-node NetBIOS node type
output

output

Maybe it's the DHCP packet filtering.

For help, try to add a rule to allow DHCP packets.

Example: (this is obviously NOT the exact rule to filter only the DHCP packets, but just a simple rule for the test)
```
IP access-list Deny_Guest_Intervlan_Routing
  permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
  permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68

  deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255

  IP 10.253.2.0 allow 0.0.0.255 0.0.0.0 0.0.0.0

output
```
If this ACL works (you can get the DHCP address), then you will need to write the ACL right, something like (this is just an example):
```
IP access-list Deny_Guest_Intervlan_Routing
  ! DHCPDISCOVER
  permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
  ! DHCPOFFER
  0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
  ! DHCPINFORM
  permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
  ! DHCPACK
  0.0.0.0 eq 68
  permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
  ! Internal traffic

  deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
  ! Internet traffic

  IP 10.253.2.0 allow 0.0.0.255 0.0.0.0 0.0.0.0

output
```

Does anyone know if the ACL of HP2011 series widescreen has speakers?

The screen wide ACL of HP2011 series have speakers?

Hello

I believe that the link above shows wrong information on the speakers. Please use the following manual to check again (#15 page) because there are few models for the complete series:

http://h10032.www1.HP.com/CTG/manual/c03351672.PDF

It seems that some models have output for speakers, not integrated as mentioned in page #2:

External USB speakers amplified with audio cable supplied (some models)

Kind regards.

WLAN Access Denied for active MAC address in the ACL

I have a pretty great list ACL (Access Control) and I've never had a problem with it in the past, but I just got a new laptop and same computer when I save the MAC address and reboot the router I always get the "WLAN Access Denied" error for access from your laptop.

I did all the "sanity checks" to ensure that the password is correct and that other devices still work.

I had the MAC address of the laptop the same way, I always have, I see the MAC address in the Logs in the access denied message and copy it from there, in the access list. I did it with more than 20 other devices successfully, I'm not sure what is different about this one MAC address... I confirm through ipconfig on the laptop that the MAC address I use is correct.

When I turn off ACL, I can connect without any problem of the laptop.

Any thoughts? I am very familiar with computers and you can do an advanced troubleshooting, I do not know infrastructure and networks of the stuff so I don't know where to start here.

Any ideas on how I can fix this would be appreciated!

You may have hit a limit of the ACL. A test, remove a device from your list and see if your laptop will connect. This would confirm if you have contributed the most to list ACL on the router...

Help! ACL MASSIVE corruption

It seemed to me have made a colossal mistake to set up my iMac.

I split the drive HARD internal into two partitions: OS X = P1 P2 10.10.5, = OS X 10.7.5. All updates applied

Here is was I think I was wrong:

I installed OS X Server 5 on the partition of Yosemite, AND OS X Server Lion on the Partition of Lion. I did this, so I could do some tests with server on both systems.

Everything worked well and I was able to switch between the two partitions, testing various settings, including VPNS.

However, last week, after doing some work in Lion, when I rebooted in Yosemite, I've was besieged with ACL errors and messages 'cannot access Library.

I ran disk utility, and it seems that ALL the files on the system got error unexpected 'ACL '. By clicking 'Fix' did nothing to solve the problem.

Displaying information about any file showed several redundant entries sharing and permissions, WHICH are set to = read-only privilege.

I tried to delete or modify privileges manually, but I'm not able to modify privileges even after my admin id and password.

I tried to use the terminal to remove the ACL (all 10.10), but who have not (I can't get the correct syntax).

I thought that the problem probably occurred when I was in the score of Lion, then tried to restart in Lion and Lion is now completely locked as well. Reboot is stuck on the gray screen with the small wheel (3 days).

Then I tried to restart in Yosemite, and he is so stuck on the gray screen and the spinning wheel.

I would try to remove the ACL again using Terminal Server after restarting in the score of 10.10 recovery, but need help with the syntax for the elimination of the ACL in the partition.

i.e.

The Yosemite drive name is "HD iMac 27.

After the launch of Terminal I would enter orders
1. CD /volumes/ "HD iMac 27.
2. chmod n r "HD iMac 27.
This will remove the ACL settings for all files on the partition successfully?

I enclose a link to a screenshot of 'ls - el' and 'ls - al' orders on the partition, if it can help to diagnosis:

https://www.dropbox.com/SC/lzrlmb4ttmq9gux/AADR8wsWQNqFoOtF8elTJZUva

Any help, suggestions or precautions would be greatly appreciated

TIA

BTW - as a last resort, I tried to reinstall the Yosemite, but Setup won't work either. I hope that if I can remove the ACL I can complete the reinstallation.

Yes, something to add a bunch of ACL permissions where they shouldn't be. This:

sudo chmod-r n "/ Volumes/iMac 27 inch HD.

should remove them.

C.

ACL LocalFW Vs pushed Firesight ACL

Similar Questions

Maybe you are looking for