bug in iOS? startup-config + command access-list + an invalid entry detected

Similar Questions

• 'copy running-config startup-config' CCNP 300-115

  Hello everyone,

  The 'copy running-config startup-config' command does not work in the certification exam. What is the problem?

  Any help is welcome!

  Thank you!

  Just use "wr mem" instead, does it work?

• A possible bug related to the Cisco ASA "show access-list"?

  We had a strange problem in our configuration of ASA.

  In the "show running-config:

  Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

  Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

  Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

  access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

  access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

  access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

  access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

  access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

  inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

  inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

  inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

  inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

  inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

  inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

  Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

  inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

  inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

  Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

  inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

  Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

  inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

  Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

  inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

  Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

  access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

  Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

  inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

  Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

  inside_access_in list extended access permitted ip object windowsusageVM any newspaper

  inside_access_in list of allowed ip extended access any object testCSM

  inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

  Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

  inside_access_in list extended access permit ip host 172.31.254.2 any log

  Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

  inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

  In the "show access-list":

  access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

  access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

  Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

  4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

  line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

  line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

  line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

  line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

  allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

  allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

  allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

  allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

  allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

  allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

  access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

  allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

  allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

  allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

  allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

  access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

  allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

  allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

  access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

  permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

  access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

  permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

  allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

  access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

  25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

  allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

  permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

  access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

  allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

  allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

  allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

  allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

  permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

  access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

  allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

  access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

  allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

  There is a comment in the running configuration: (line 26)

  Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

  This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

  Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

  Thanks in advance.

  See the version:

  Cisco Adaptive Security Appliance Software Version 4,0000 1

  Version 7.1 Device Manager (3)

  Updated Friday, June 14, 12 and 11:20 by manufacturers

  System image file is "disk0: / asa844-1 - k8.bin.

  The configuration file to the startup was "startup-config '.

  fmciscoasa up to 1 hour 56 minutes

  Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

  Internal ATA Compact Flash, 128 MB

  BIOS Flash M50FW016 @ 0xfff00000, 2048KB

  Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

  Start firmware: CN1000-MC-BOOT - 2.00

  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

  Number of Accelerators: 1

  Could be linked to the following bug:

  CSCtq12090: ACL note line is missing when the object range is set to ACL

  The 8.4 fixed (6), so update to a newer version and observe again.

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Access list ASA Error | ERROR: % incomplete command

  Hi all

  I am trying to enter the following rule but I get an error message, I have a similar rule already inside the firewall, so I don't get really what is the problem and how to go about troubleshooting. Can anyone help?

  acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https Journal

  (network-config) # access - list extended acl_inside permitted object-group$

  acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
  255.192.0 log https eq
  ^
  ERROR: % name host not valid

  SAME THING WITHOUT JOURNAL

  (network-config) # access - list extended acl_inside permitted object-group$

  acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
  255.192.0 eq https
  ERROR: % incomplete command

  SAME STUPID MISTAKE,

  THE SIMILAR RULE;

  # ACCess-list HS | I have 132.235.192.0
  permit for line acl_inside of access list extended 2767 tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

  ???????

  I'm not sure that this ensures a case of cisco?

  FW100ABCx (config) # 16-09-08F object-group network
  FW100ABCx(config-Network) # host network-object 172.191.235.136
  Add items (host to network-object 172.191.235.136) to grp has failed (16-09-08F); the object already exists
  FW100ABCx(config-Network) # host network-object 172.191.235.135
  Add items (host to network-object 172.191.235.135) to grp has failed (16-09-08F); the object already exists
  FW100ABCx(config-Network) # host network-object 172.191.235.134
  Add items (host to network-object 172.191.235.134) to grp has failed (16-09-08F); the object already exists
  FW100ABCx(config-Network) # host network-object 172.52.134.76
  Add items (host to network-object 172.52.134.76) to grp has failed (16-09-08F); the object already exists
  FW100ABCx(config-Network) #.
  FW100ABCx(config-Network) # acl_inside of access allowed object-group list $

  acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
  ERROR: % incomplete command

  Hello Hassan.

  You're missing the key word of Protocol (tcp/udp)
  Try this:

  the object-group 16-09-08F network
  host of the object-Network 172.191.235.136

  acl_inside list extended access permitted tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

  Concerning
  Dinesh Moudgil

  PS Please rate helpful messages.

• IOS VPN on 7200 12.3.1 and access-list problem

  I'm in IOS 12.3 (1) a 7200 and have configured it for VPN access. I use the Cisco VPN client. Wonder if someone has encountered the following problem, and if there is a fix.

  The external interface has the access-list standard applied that blocks incoming traffic. One of the rules is to block the IPs private, not routable, such as the 10.0.0.0 concern, for example.

  When I set my VPN connection, none of my packets get routed and I noticed that outside access list interface blocks the traffic. When I connect to the router through VPN, the router attributes to the client an IP address from a pool of the VPN as 10.1.1.0/24. But normal outside the access list denies this traffic as it should. But as soon as I have established a VPN connect, it seems that my encrypted VPN traffic must ignore the external interface access list.

  If I change my external access list to allow traffic from source address 10.1.1.0/24 my VPN traffic goes through correctly, but this goes against the application to have an outdoor access list that denies such traffic and have a VPN.

  Anyone else seen this problem or can recommend a software patch or version of IOS which works correctly?

  Thank you

  R

  That's how IOS has always worked, no way around it.

  The reasoning is to do with the internal routing on the router. Basically an encrypted packet inherits from the interface and initially past control of ACL as an encrypted packet. Then expelled the crypto engine and decrypted, so we now have this sitting pouch in the cryptographic engine part of the router. What do we with her now, keeping in mind users may want political route she is also, might want to exercise, qos, etc. etc. For this reason, the package is basically delivered on the external interface and running through everything, once again, this time as a decrypted packet. If the package hits the ACL twice, once encrypted and clear once.

  Your external ACL shall include the non encrypted and encrypted form of the package.

  Now, if you're afraid that people can then simply spoof packets to come from 10.1.1.0 and they will be allowed through your router, bzzzt, wrong. The first thing that the router checks when it receives a packet on an interface with a card encryption applied is that if the package needs to be encrypted, it is from his crypto ACL and its IP pools. If he receives a decrypted packet when it knows that it must have been encrypted, it will drop the package immediately and a flag a syslog something as "received the decrypted packet when it should have been."

  You can check on the old bug on this here:

  http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCdz54626&submit=search

  and take note of the section of the security implications, you may need to slightly modify your configuration.

• The list of ' words: config ' commands

  "' I want to be able to really fine tune/customize firefox, but now many of the changes I want to make are no longer available through" subject: config. An example of such a change - how to force the new tabs to open empty - took a bit of research and know what that question to ask or how to phrase it. Is there a list of all the "about: config" commands, and if so, where I find/get them? It's just a printable list (acceptable, but just...), a searchable database based (better, but probably still have to knowledge/sentence question), or better yet, a searchable database of key word with the previous two options? Also, is this putative version specific list, or is constantly updated with a mixture of old and new commands? I realize the risk of damage to the installation of firefox and am willing to consider, because I think that I am reasonably cautious and would check any really dodgy changes after implementation.

  You can also read the comments in the source code of Firefox to default preferences.

  • Resource:///defaults/Preferences/Firefox.js
  • Resource://GRE/greprefs.js

  Note that he has also hidden prefs that not exist by default and have an action/hard coded default.
  
  Such a pref must be created if you want to use.

  See for example:

  • http://KB.mozillazine.org/UI.SpellCheckerUnderlineStyle

• New to pix, need help with "debug access list of all the" command

  I have a pix 515 v6.3. I am tring to use then "debug access list of all the" command to see what traffic is stopped by my access list. However, I don't get any output. I turn execution of the command, but nothing happens. Other debug commands give the console. Perhaps, I do not understand what "debug to access list of all the" is used for. Any help that can be provided would be greatly appreciated.

  Tim

  Also try following the commands of logging

  LOGG on

  LOGG buff 7

  term Lun

  M.

• Access-list command not supported in the 2.2 FWSM (1)

  Hi Netpros

  I am facing a strange problem with one of my FWSM installed in my spare box 7609.

  I have a FWSM installed in live production network, in which the caught watch access list supported and I am able to set up their place, but in the alternative box, I am unable to do so when I have? to get the command supported, it doesn't either up the access-list command.

  The two boxes run upward with 2.2 (1) and on different 7609 boxes.

  Basically, I want to do the CLI or the tested features up to in my box of spare before you go and implement the same on the live production network.

  I have attached both the version of the show, but also the supporting documents.

  Pls do not help to find where I m lack somehting here :-(.

  regds

  Your spare module is configured in mode 'multiple context', where you can create up to 100 logical firewall within one FWSM. In this mode, when you the meeting into the FWSM, you enter in what we call the context of the system in which all you can do is set the other contexts. In the context of the system there is no notion of the lists of access or something like that, and that's why you can't see these commands you.

  You want to deliver the FWSM in unique context mode by running the command:

  simple mode

  Reboot and then when he comes back to the top you'll be good to go.

• Ipv6 access list does not apply autonomous Aironet 3602I-E

  As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

  Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

  The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

  This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

  Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

  interface Dot11Radio0.2
  guest_ingress6 filter IPv6 traffic in
  guest_egress6 filter IPv6 traffic on

  and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

  No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

  000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
  000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
  000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
  000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
  000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
  000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
  000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
  000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
  000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
  000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
  000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
  etc.

  In addition, when creating a list like this ipv6 access:

  guest_egress6 IPv6 access list
  refuse an entire ipv6

  The other is automatically created:

  IPv6-guest_egress6 role-based access list
  refuse an entire ipv6

  A deletion also removes the other.

  What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

  Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

  PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

  You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

  Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

  Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

  Please rate helpful messages... :-)

• % Error opening nvram: / startup-config (Permission denied)

  I get a weird error, permission denied issuing 'show config' at the level of the user.  We use this everywhere in the environment without any problems.

  IOS: System image file is "flash0:c2900 - universalk9-mz.» Spa. 152 - 3.T.bin.

  R1 #sh run | I have aaa

  AAA new-model

  AAA authentication login default group Ganymede + local

  AAA authorization exec default group Ganymede + authenticated if

  AAA authorization commands 1 default group Ganymede + authenticated if

  AAA authorization commands 15 default group Ganymede + authenticated if

  accounting AAA commands default 15 stop only Ganymede group.

  AAA - the id of the joint session

  R1 #sh run | I have priv

  privilege exec level 1 traceroute

  Ping privileges exec level 1

  privilege level exec 1 see logging

  See the privileged exec level 1 configuration

  privilege exec 1 show privilege level

  show privileges exec level 1

  R1 #disable

  R1 > show config

  11855 262136 bytes using

  % Error opening nvram: / startup-config (Permission denied)

  You are indeed allowed to run the command (as evidenced by the fact that the command run).

  See the config is actually an alias for the command more nvram:startup - config
  

  Accordingly, the question is the permission on the file, not the control itself.

  Unfortunately, the file systems do not explicitly support permissions.  This used to be implicitly supported by permissions to see the config.

  Maybe it's a bug.  I opened a case on it if you need really need this feature.

• PIX Firewall 525 access list problem

  Hello.

  I have the following problem. After insertion of an access list, despite seeing the packages associated with the list, they do not "match", that is, it is as if the list wasn't doing his job.

  Who can be the cause of this behavior?

  PIX 525 model

  IOS 6.3 (4)

  Thank you.

  Marulanda Ramiro Z.

  Are all of syslogs sent properly to the remote host? If so, I would say that the udp connection is never closed by the PIX. Let's say that the connection never hit the timeout in the pix config. If the connection remains open and doesnot increments the hit count for your access list. I have a PIX that makes the same behavior.

  The increase in the number of accesses is also based on the connection and not on each packet passing through the PIX.

  You can use a debug command to see the packets through the PIX.

  HTH

  Mike

• Problem to get the startup-config under the privilege level

  Hi guys

  I use the level of privilege 15.2 and in this version, that I can not get the startup-config under some of IOS (in this case, IE 7)

  I have no problem to get it from the earlier version, also to 15.1

  Router #sh privileges

  Current privilege level is 7

  Router #sh startup-config

  With the help of 4414 262136 bytes

  % Error opening nvram: / startup-config (Permission denied)

  Config:

  privilege exec level 7 show startup-config

  privilege level exec 15 see the configuration

  show privileges exec level 1

  When I added cmd ' privilege exec level 7 show startup-config ', IOS generated automatically new line "privilege exec 15 level show configuration.

  seems that there must be an "improvement" under versions of 15.2

  Any ideas?

  Thank you

  Pet

  Hello

  I have faced the same problem and opened a folder. Please find the answer I get from the TAC:

  ==============================================

  This is designed by design as a security measure. Starting in the new versions of IOS, the privilege level of access to system files must be configured separately. There are two options to solve this problem:

  (1) run the command at the prompt to activate it.

  (2) set the privilege level of the file system via the config command "file privilege X" with X the number of privilege level

  ==============================================

  Hope that helps.

  Best regards.

  Karim

• EEM script to check running-config startup-config changes after reloading

  I'm trying to follow a bug that causes some CLIs to disappear from the running-config after you reload the router.

  The LCIs were saved in the startup-config before reloading the router.

  Is there an EEM to compare the running-config startup-config online with after reload of the router and syslog lines that are missing from the running-config?

  You could do something simple like:

  Event Manager applet config compare

  event timer cron cron-entry "@reboot".

  command action 1.0 cli 'enable '.

  cli 2.0 action command "show archive config diff nvram:startup - config system: running-config.

  post 3.0 action to "[email protected] / * /'from'[email protected] / * /" Server "10.1.1.1" topic "Config diffs" body "$_cli_result".

• Cisco 837 and access list

  Hi all

  Sorry if my question sounds stupid, but I had a lot of problems with the syntax of the access list, especially to remove a line in an access list, for example:

  Here is my list of access

  access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

  access-list 120 allow ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

  access-list 120 allow ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

  If I want to delete only this line

  access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

  I do not know how, I if do:

  no access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

  all the access-list 120 is removed!

  Help, please!

  Olivier

  Hi, this is the usual behavior, if you delete the access list of the entire statement with sequence number is deleted.

  You can create a named extended access-list and have the sequence number for each statements.

  !

  Standard IP access list note

  permit 172.10.0.0 0.0.255.255

  10.1.1.0 permit 0.0.0.255

  permit 192.168.1.0 0.0.0.255

  deny all

  !

  and if you want to delete something in between, or any particular line, you can run the command like this that will remove this line instead of the entire ACL itself...

  Standard note of access-list (config) #ip

  (config-std-nacl) #no 3

  This configuration lines will remove the third line only (which is to allow the 192.168.1.0 0.0.0.255, leaving the other statements)

  regds

• PIX 501 ICMP access list Question

  According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:

  PIX1 (config) # access - list ethernet1 permit icmp any any echo response

  PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible

  Access-group ethernet1 PIX1 (config) # interface inside

  This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.

  Thank you

  This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.

  By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.

  Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.

  Let me know if it helps.