ERROR: access-list has an icmp type selector

Hi all

I'm trying to apply an access list to a crypto map, and when I apply it, it gives me this error:

ERROR: access-list has an icmp type selector

No idea what is wrong. Please help. Thank you all.

The crypto ACL must be of type IP. You should not specify protocols such as ICMP, TCP, etc.

Your proxy ACL should look something like this:

access-list PROXY_ACL permit ip host x.x.x.x host y.y.y.y

but not like this:

access-list PROXY_ACL permit icmp host x.x.x.x host y.y.y.y echo

Tags: Cisco Security

Similar Questions

  • PIX 501 ICMP access list Question

    According to the book I have on the PIX, and from what I know of dealing with access lists on routers and switches, access lists define what traffic is allowed out of the network. On the PIX, access lists can only be applied one way, to the interface the traffic enters, not the one it leaves. That is my understanding, but when I enter these ICMP commands:

    PIX1(config)# access-list ethernet1 permit icmp any any echo-reply

    PIX1(config)# access-list ethernet1 permit icmp any any unreachable

    PIX1(config)# access-group ethernet1 in interface inside

    this does not work, but if I apply the access-group to the outside interface it works. I don't understand why it is like that.

    Thank you

    This works that way because the PIX is not aware of session state for ICMP traffic the way it is for TCP and UDP.

    By default, access from a higher-security interface to a lower-security interface is allowed, unless you have an ACL applied to the higher-security interface; then only what the ACL permits is allowed. So you can send an outbound ICMP echo request. However, for the reply to be returned, you must allow that explicitly in an ACL applied on the outside interface, because the PIX won't allow any traffic from the outside by default.

    The same goes for ICMP unreachable, although I would add a caveat about what to put in the config: allow only the unreachables due to TTL expired, to facilitate path MTU discovery, not all unreachables.

    Let me know if it helps.


    If I have access-list and icmp statements on the same interface which contradict each other, which one gets preference? For example, if I deny a packet with an icmp statement and allow the packet with the access-list, which wins?

    Access lists apply only to packets passing *through* the PIX. The icmp commands apply to the PIX interfaces themselves (meaning permitting or denying ICMP packets addressed to the PIX interface address). So, to answer your question, it depends on what you are trying to ping ;)


  • crypto map access lists / problem if more than one entry?

    Access list for IPSec-enabled traffic.

    I've recently been setting up a VPN between two sites and I came across the following problem:

    I wanted to set up a VPN for only 2 hosts from site A to site B, a class C network.

    So I created an access list as follows:

    access-list 101 permit ip host

    access-list 101 permit ip host

    When I applied the access list above to the crypto map (match address 101), I quickly realized that only the first host was successfully encrypted while the other could not be. I was getting IPsec debugging errors saying that the traffic was denied by the access list.

    When I replaced the access list above with the following:

    access-list 101 permit ip

    both hosts could successfully be encrypted through the IPSec tunnel.

    Looking further into it, I realized that only the first entry of the IPsec access list was really tested against the corresponding traffic!

    Is this normal behavior or a known bug? Is there a workaround for this problem?

    Kind regards.

    If you have an ipsec-manual crypto map, you can only specify one ACE in the crypto ACL. Check the 12.2 docs:

    Access lists for crypto map entries tagged as ipsec-manual are restricted to a single permit entry, and subsequent entries are ignored. In other words, the security associations established by that particular crypto map entry are only for a single data flow. To be able to support multiple manually established security associations for different kinds of traffic, define multiple crypto access lists, and then apply each one to a separate ipsec-manual crypto map entry. Each access list should include one permit statement defining what traffic to protect.
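The two answers above make two separate points about crypto (proxy) ACLs: an ACE has to be plain `ip` with no ICMP type or port selectors, and an `ipsec-manual` crypto map only honours the first permit entry. The script below is an added example, not code from the thread or from Cisco, that checks a handful of PIX/ASA-style `access-list` lines for both conditions. The sample config and its RFC 5737 addresses are constructed for the example, and the set of ICMP type keywords it recognises is an assumed subset, not a complete table.

```python
from dataclasses import dataclass, field

# Selectors that narrow an ACE beyond plain IP. The ICMP type names are an
# assumed subset for this example; the port operators are the standard ones.
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}
ICMP_TYPES = {"echo", "echo-reply", "unreachable", "time-exceeded",
              "redirect", "source-quench", "traceroute"}


@dataclass
class AceFinding:
    line: str
    problems: list = field(default_factory=list)


def parse_ace(line):
    """Split one 'access-list NAME [extended] ACTION PROTO ...' line into its
    parts. Returns None for lines that are not access-list entries."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        return None
    i = 3 if tokens[2] == "extended" else 2
    if tokens[i] not in ("permit", "deny") or len(tokens) <= i + 1:
        return None
    return {"name": tokens[1], "action": tokens[i],
            "proto": tokens[i + 1], "rest": tokens[i + 2:]}


def ace_problems(ace):
    """Reasons an ACE cannot serve as a crypto ACL: it must be plain 'ip'
    with no port or ICMP type selectors (the error from the thread title)."""
    problems = []
    if ace["proto"] != "ip":
        problems.append(f"protocol must be ip, found {ace['proto']!r}")
    rest = set(ace["rest"])
    if ace["proto"] == "icmp" and rest & ICMP_TYPES:
        problems.append("icmp type selector present")
    if rest & PORT_OPERATORS:
        problems.append("port selector present")
    return problems


def validate_crypto_acl(config_lines, acl_name, ipsec_manual=False):
    """Check every entry of acl_name. With ipsec_manual=True, also flag any
    permit entry after the first, since a manual crypto map only uses one."""
    findings = []
    permits = 0
    for raw in config_lines:
        ace = parse_ace(raw.strip())
        if ace is None or ace["name"] != acl_name:
            continue
        problems = ace_problems(ace)
        if ace["action"] == "permit":
            permits += 1
            if ipsec_manual and permits > 1:
                problems.append("extra permit entry ignored by ipsec-manual crypto map")
        if problems:
            findings.append(AceFinding(raw.strip(), problems))
    return findings


# Constructed sample config, not taken from the thread (RFC 5737 addresses).
SAMPLE_CONFIG = [
    "access-list PROXY_ACL permit icmp host 192.0.2.10 host 198.51.100.20 echo",
    "access-list PROXY_OK permit ip host 192.0.2.10 host 198.51.100.20",
    "access-list MANUAL permit ip host 192.0.2.11 198.51.100.0 255.255.255.0",
    "access-list MANUAL permit ip host 192.0.2.12 198.51.100.0 255.255.255.0",
    "access-list PORTS permit tcp host 192.0.2.13 host 198.51.100.20 eq 443",
]

if __name__ == "__main__":
    for name in ("PROXY_ACL", "PROXY_OK", "MANUAL", "PORTS"):
        for f in validate_crypto_acl(SAMPLE_CONFIG, name, ipsec_manual=(name == "MANUAL")):
            print(f.line, "->", "; ".join(f.problems))
```

Running it reports PROXY_ACL for both the `icmp` protocol and the `echo` selector, PORTS for `tcp` and `eq`, and the second MANUAL line only when the map is declared manual; PROXY_OK passes clean.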

  • access lists

    I have a question... or two... :) on access lists.

    My current access list looks like the following:

    access-list acl_outbound permit icmp any any

    access-list acl_outbound permit tcp any eq 80

    access-list acl_outbound permit tcp any eq 21

    access-list acl_outbound permit tcp any eq 22

    access-list acl_outbound permit tcp any eq 8080

    access-list acl_outbound permit tcp any eq 443

    access-list acl_outbound permit ip any any

    access-list acl_inbound permit icmp any any

    access-list inside_nat0_outbound permit ip host Bluff_Outside

    access-list outside_cryptomap_9 permit ip host Bluff_Outside

    1. I get no reply from external IP addresses with my permit icmp echo. Do I have to specify what type of ICMP traffic, such as echo-reply, at the end of the permit statement? I assumed that not putting a specific ICMP type on the permit would allow all ICMP traffic, but I guess I was wrong.

    2. Also, suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.

    I noticed that I had to have the permit ip any any to make it work, but I am not sure exactly what is happening when I apply that statement that makes the permit tcp statements work correctly.

    My goals are:

    allow the listed hosts web traffic (including https and ftp)

    allow ICMP pings from the inside to the outside, and the reply

    allow VPN tunnels to establish

    Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.


    The problem now is that you have an incomplete crypto map on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:

    > crypto map outside_map 9 match address outside_cryptomap_9

    to your PIX. This should get traffic flowing again. Although, going by the hit counters on your ACL, are you pinging the host Bluff_Outside to test your ping? If so, then your crypto config says to encrypt that traffic as well, which probably won't work unless Bluff is configured correctly. Better to keep things as simple as possible while you are testing, so I recommend taking the crypto stuff out for now with:

    > no crypto map outside_map interface outside

    Reading through your original post, when your access list only allowed certain TCP protocols and you found that it did not work, was it web browsing that didn't work? If so, since you were browsing by name rather than IP address, and depending on where your DNS servers are, you probably also needed to allow DNS lookups (udp port 53). MANY people forget this.

    In addition, in my humble OPINION, most of the clients I have seen that initially only allow certain outgoing protocols eventually find it's more pain than anything, as their users keep saying "I need to use this protocol" and "I need to use that protocol". Just be wary if you want to go down this road without a valid reason; you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside subnet, and only your inside subnet, can get out by doing:

    > access-list acl_outbound permit ip any

    This limits any kind of back-door connection into your network through your PIX and Internet connection, but still allows all your users to go out and do what they want. Oh you obviously.

  • no access-list removed the access list from the outside interface?

    A customer wanted to modify an access list (add a new line), so he first issued the no access-list command so he could apply the change to the access list, but the access list was then removed from the outside interface. Is this normal behavior? On routers, the access list stays attached to the interface if you issue the no access-list command.

    Thanks in advance for any comments.

    Hi Thibault,

    No, it is not normal behavior; it sounds more like an error by the customer. It's always a good idea to copy the required ACL into a text editor (Notepad). Don't forget to include the access-group command, i.e. "access-group inside in interface inside" or "access-group outside in interface outside", when copying the required ACL, and then put a "no access-list inside" or "no access-list outside" as the first line of the ACL copied in your Notepad before you copy it to the PIX. Also make sure that you are in config mode and do a "wr m" (write memory) after the modified ACL has been applied on the PIX.

    Hope this helps.

  • access-list on router

    An access list has been configured on a router to block an IP address. Can additional IPs be added to the original access list at a later date?

    (config)# access-list 5 deny

    (config)# access-list 5 permit any

    Can we use access list 5 to block additional IP addresses, or do we need to create a new access list?

    Of course you can.

    Let's take this example:

    R2# show ip access-lists

    Standard IP access list 5

    10 deny

    20 permit any

    You can do it like this:

    R2(config)# ip access-list standard 5

    R2(config-std-nacl)# no 20 permit any
    R2(config-std-nacl)# end

    then start putting in the deny statements you want:

    (config)# access-list 5 deny

    (config)# access-list 5 deny

    then put your permit back:

    (config)# access-list 5 permit any

    Remember that without the permit any at the end, everything not permitted by the ACL will be denied, because there is a default deny all (implicit deny) at the end of each ACL.

    Putting the permit any back at the end will solve it.

    Good luck.

    Please rate if useful.
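The answer above describes editing a standard numbered ACL by removing the trailing `permit any`, adding deny statements, and restoring the permit, and warns about the implicit deny at the end. The model below is an added example, not code from the thread or from Cisco IOS, that reproduces that behaviour in Python: sequence-numbered entries, first-match evaluation on the source address, implicit deny, and the remove/add/re-permit procedure. The addresses are constructed (RFC 5737), not the ones the poster blocked.

```python
import ipaddress


class StandardAcl:
    """Model of an IOS standard numbered ACL: sequence-numbered entries matched
    on the source address only, first match wins, implicit deny at the end."""

    def __init__(self, number):
        self.number = number
        self.entries = {}  # sequence number -> (action, source network)

    def add(self, action, source, seq=None):
        """Append an entry, or insert it at an explicit sequence number as you
        can in 'ip access-list standard N' sub-mode. 'any' matches every source."""
        net = ipaddress.ip_network("0.0.0.0/0" if source == "any" else source, strict=False)
        if seq is None:
            seq = max(self.entries, default=0) + 10
        self.entries[seq] = (action, net)
        return seq

    def remove(self, seq):
        """Equivalent of 'no <seq>' in named-ACL sub-mode."""
        del self.entries[seq]

    def evaluate(self, src):
        """The first matching entry decides; the implicit deny catches the rest."""
        addr = ipaddress.ip_address(src)
        for seq in sorted(self.entries):
            action, net = self.entries[seq]
            if addr in net:
                return action
        return "deny"

    def show(self):
        """Roughly what 'show ip access-lists' prints for this list."""
        lines = [f"Standard IP access list {self.number}"]
        for seq in sorted(self.entries):
            action, net = self.entries[seq]
            if net.prefixlen == 0:
                target = "any"
            elif net.prefixlen == 32:
                target = str(net.network_address)
            else:
                target = f"{net.network_address} {net.hostmask}"  # wildcard form
            lines.append(f"    {seq} {action} {target}")
        return "\n".join(lines)


def add_blocked_hosts(acl, hosts):
    """The procedure from the thread: take out the trailing 'permit any', add
    the new deny statements, then put 'permit any' back at the end."""
    for seq, (action, net) in list(acl.entries.items()):
        if action == "permit" and net.prefixlen == 0:
            acl.remove(seq)
    for host in hosts:
        acl.add("deny", host)
    acl.add("permit", "any")
    return acl


if __name__ == "__main__":
    # Constructed example addresses (RFC 5737), not the ones from the thread.
    acl = StandardAcl(5)
    acl.add("deny", "192.0.2.10")
    acl.add("permit", "any")
    print(acl.show())
    add_blocked_hosts(acl, ["192.0.2.11", "192.0.2.12"])
    print(acl.show())
    print(acl.evaluate("192.0.2.12"), acl.evaluate("203.0.113.1"))
```

The point the example makes concrete is the window between `no 20` and the new `permit any`: with only the deny entries present, `evaluate()` returns `deny` for every source, which is exactly the outage the answer warns about if the permit is forgotten.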

  • Access list in a PIX?

    I have an access list applied on the "outside" interface of my PIX and I'm trying to make it so that pings coming from the "inside" work, but those coming from the "outside" fail.

    access-list outside permit icmp any any echo-reply

    access-list outside permit icmp any any time-exceeded

    access-list outside permit icmp any any unreachable

    With a VPN, you can create a rule/filter and apply it to the tunnel which checks that the established bit is set. Is it possible to do this with an access list on a PIX?

    I have a PIX 501 running 6.3(5).

    If you add (in config mode)

    icmp deny any outside

    the above will disable any ping/traceroute or network scans from the internet (that is, your network will be in stealth mode). If you also add

    access-list outside permit icmp any any echo-reply

    access-list outside permit icmp any any time-exceeded

    access-list outside permit icmp any any unreachable

    access-group outside in interface outside

    this will then allow ICMP traffic going out to the internet, BUT will not allow anyone on the internet to ping/traceroute or scan your network!

    You can test this by visiting and using the "Shields Up" program to scan your network. Try first without the icmp deny any outside statement and then with the statement added to your configuration.

    Hope this helps.


  • Access list ASA Error | ERROR: % incomplete command

    Hi all

    I am trying to enter the following rule but I get an error message. I already have a similar rule inside the firewall, so I don't really get what the problem is or how to go about troubleshooting it. Can anyone help?

    access-list acl_inside extended permit object-group 16-09-08F eq https log

    (config-network)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 255.255.192.0 eq https log
    ERROR: % Invalid Hostname

    (config-network)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 255.255.192.0 eq https
    ERROR: % incomplete command

    # show access-list | i
    access-list acl_inside line 2767 extended permit tcp object-group 16/06/29 X-2 eq https

    I'm not sure whether this warrants a case with Cisco?

    FW100ABCx(config)# object-group network 16-09-08F
    FW100ABCx(config-network)# network-object host
    Adding obj (host ) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host
    Adding obj (host ) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host
    Adding obj (host ) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host
    Adding obj (host ) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)#
    FW100ABCx(config-network)# access-list acl_inside extended permit object-group $

    access-list acl_inside extended permit object-group 16-09-08F eq 443
    ERROR: % incomplete command

    Hello Hassan,

    You're missing the protocol keyword (tcp/udp).
    Try this:

    object-group network 16-09-08F
    network-object host

    access-list acl_inside extended permit tcp object-group 16-09-08F

    Dinesh Moudgil

    PS: Please rate helpful messages.

  • Message error "the preconfiguration file has the wrong type of preset."

    I am trying to import preset brushes for newborn photography. They are .lrtemplate files. I go into the Develop module in Lightroom CC, open the Presets panel and hover the cursor over User Presets. I right-click and choose "Import". Then I find the actual .lrtemplate file and click Import. What I get is the above error message, "the presets file has the wrong type of preset." What am I doing wrong?

    Local adjustment presets live at (Windows): C:\Users\User Name\AppData\Roaming\Adobe\Lightroom\Local Adjustment Presets.

    "Global" Develop presets live in: C:\Users\User Name\AppData\Roaming\Adobe\Lightroom\Develop Presets.

    Find your presets folders (similar to the above) in the Lightroom Preferences dialog, Presets tab > [Show Lightroom Presets Folder].

    Manually copy & paste your .lrtemplate files to the appropriate folder and restart Lightroom.

    Note: the [Develop Presets] folder tolerates and allows subfolders; the [Local Adjustment Presets] folder cannot.

    Only .lrtemplate files go in the [Local Adjustment Presets] folder.

  • Download Adobe Captivate trial - The Akamai Download Manager has encountered a fatal error: access denied.

    I have tried to download the Adobe Captivate trial several times now.

    Finally it worked at one point, and I was downloading file 1 of 2. Halfway through I had to stop the download, intending to resume the next day. Now when I try to resume it, I keep getting the message "Akamai Download Manager has encountered a fatal error: access denied." & loc = en_us & prdLabe l = Adobe Captivate 8.0 & resumeDLM = true & URL = _8_x64_LS21.7z; 1.exe & language = en & index = 1 & name=Adobe%20Captivate%208.0%20English%20Windows64-bit & prompt = model pr & prdLabel = Adobe Captivate 8.0 optvalue = & upsell = 

    Even when I tried to sign in again on the Adobe web site to start a new download, I got the same message.

    Could someone please help?

    Thank you

    Try skipping the ADM and downloading directly via the link below. Don't forget to follow the steps described in the "Note: Very Important Instructions" section on the download pages of that site, and have cookies turned on in your browser, otherwise the download will not work correctly.

    Adobe Captivate 8 direct download links: Free Trials with no Akamai | ProDesignTools

  • Error "this application has failed to start because normaliz.dll was not found. Reinstalling the application may fix this problem."

    Original title: explorer.exe error, Normaliz.dll is missing, please help me with this issue.

    I get the error "this application has failed to start because normaliz.dll was not found. Reinstalling the application may fix this problem". Please help me!

    Well, so much for the expertise of the engaged Microsoft Support Engineer "experts", but that was not the answer I expected.

    See how it works for you:

    If you see a message like this:

    Explorer.EXE - unable to locate component: this application has failed to start because Normaliz.dll was not found. Reinstalling the application may fix this problem.

    It is in the Event Log:

    Event type: Information
    Event source: Application Popup
    Event category: no
    Event ID: 26

    Application popup: Explorer.EXE - unable to locate component: this application has failed to start because Normaliz.dll was not found. Reinstalling the application may fix this problem.

    explorer.exe starts, but not without the normaliz.dll file. If explorer.exe is not able to run, you will not be able to do much with your system until normaliz.dll is replaced.

    You can click OK on the errors and end up in Task Manager, where you can try to fix it. The message may keep popping up from time to time while you're fixing it, so just click OK to close the message.

    If normaliz.dll is missing, you can copy it from a working system with the same version of XP and Internet Explorer to the afflicted system.

    You get a good copy, put it on a floppy disk, thumb drive, etc., and copy it to your afflicted system using Task Manager.

    The normaliz.dll file should be located in the c:\windows\system32 folder and is not a Windows protected file, so the Microsoft Support Engineer "experts" suggesting you run sfc /scannow is just another one of their wild goose chases that will not work, will never work and will only waste your time (and they don't tell you how to run it either, if explorer.exe does not start).

    Then the engaged Microsoft Support Engineer "experts" will offer to have you expand a copy of the file from the XP installation CD you probably don't have, but it is also not on your XP installation CD, and you will have the same problem trying their suggestions to "try" booting into any kind of Safe Mode, so this will not help you. These "experts" seem to think that booting into Safe Mode will magically replace missing files, but it doesn't.

    You also will not be able to properly run a browser on the afflicted system to go on the Internet and download one.

    There is a large computer security risk in downloading normaliz.dll from some website. The best idea is to get a copy of normaliz.dll from another computer that has the same version of XP and IE and replace it from a USB device (which you can access from Task Manager), or, using a working system, you can download one from my SkyDrive.

    You could also use Task Manager to run System Restore and get it back, but I've never tried that and never use SR in any case.

    If you have recently done a bunch of Microsoft updates, you may have also gotten IE8, so maybe that is where something went wrong, although normaliz.dll is the same for each version.

    When you see the error, you can click past it and eventually arrive at your desktop background image, where you can press CTRL-ALT-DEL to start Task Manager. In TM, you can click File, New Task, Browse and change the "Files of type" drop-down menu to All Files so that you can see all the files in the folders.

    Go to c:\windows\system32 to see if normaliz.dll is really missing. If the error appears again while browsing, just click OK to get past it. explorer.exe tries to run and cannot until the missing file is replaced.

    If it's the only thing missing, you can get one from a working system of the same type as yours, copy it onto a flash drive or a floppy disk and, still using TM, browse, copy and paste it where it should be, or you can download one from my SkyDrive.

    In TM, you can still access your thumb drive or any other medium, the same as a disk, by navigating, copy, paste, etc.; it all works very well. You use TM to navigate to your thumb drive or floppy disk, copy the good normaliz.dll and then paste it into the c:\windows\system32 folder where it is supposed to be.

    If things get worse, just go back into TM and remove the file to get back where you were in the first place and continue troubleshooting.

    Using a working system, you can also download a copy of the file from my SkyDrive, put it on a floppy or USB thumb drive and sneakernet it to the distressed system. Sneakernet means carrying it to the afflicted system by hand.

    I uploaded a copy of the XP Pro SP3 file you need to my SkyDrive (everyone has a SkyDrive for file sharing).

    You can download it, and when you do, place a copy of the file in these two folders (assuming that Windows is installed on your C drive):

    Here is the link to my SkyDrive where you can get the file you need: ! 311

    When you see the files available for download, you may not see the file extension (.exe, .dll, .cpl, .sys, .zip, etc.), but when you download them they will have the right extension.

    When you download the file (especially if you use Internet Explorer), when you get the chance to save the file, your browser may be unable to save it with an extension (for example .exe, .dll, .cpl, .sys, .zip, etc.); then you will need to manually add the appropriate extension to the file when you download it, before you save it.

    You can download the file without the extension and then rename the file to add the appropriate extension. You do not want to use a file called normaliz when the file name should really be normaliz.dll (if the downloaded file has no extension, you will need to rename the file to add the appropriate extension to make it work).

    Then put the downloaded files in the correct folders on your system.

    That may not solve all your problems, but at least you will get past this part and we can then fix the rest.

  • Error: Access denied... Administrative privileges may be required.

    I am trying to solve a problem with an application (Trend Micro; some files were corrupted) which requires me to overwrite some corrupted files.

    Whenever I do, I get the above error message: Error: Access is denied. Cannot create [filename]. Administrative privileges may be required.

    I am the administrator on this computer, and I believe that I have administrator privileges. I just upgraded to Win 7; I had this problem on Vista too.

    So, how can I make sure that I really have full administrative privileges? Create an administrative user, then delete myself?

    Thank you very much for the help.

    Hi Markb56,
    I suggest creating a new administrator account and checking if that helps.

    1. Click on the Start button and select Control Panel.
    2. Click on User Accounts.
    3. Click on User Accounts again. Now click on Manage User Accounts.
    4. Click on Create a new account. Now type the account name and select Administrator.
    5. Click on Create Account.

    For more information, visit the links below:

    Important note: This response contains a reference to a third-party World Wide Web site. Microsoft provides this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.
    I suggest you contact the manufacturer for better help.
    Hope this information is useful.
    Umesh P - Microsoft Support

  • FWSM firewall context Access-List entry Limitation

    We recently experienced an error on one of the firewall contexts saying that it has reached the maximum number of access list entries. Does anyone know what the ACL entry limit per context is, or where I can find the documentation for it? Is there a workaround to this issue? Thanks in advance.

    This value changes depending on which version of FWSM code you run, and Cisco is not specific on how the FWSM calculates ACE entries, so you have to determine the number of entries you have on your own.

    If you run the command (syntax may be different in 3.x code):

    show np 3 acl count

    you get a result that looks like this:

    -----CLS Rule Current Counts-----
    CLS Filter Rule Count: 0
    CLS Fixup Rule Count: 11
    CLS Est Ctl Rule Count: 0
    CLS AAA Rule Count: 2187
    CLS Est Data Rule Count: 0
    CLS Console Rule Count: 7
    CLS Policy NAT Rule Count: 0
    CLS ACL Rule Count: 3491
    CLS ACL Uncommitted Add: 0
    CLS ACL Uncommitted Del: 0
    -----CLS Rule MAX Counts-----
    CLS Filter MAX: 3584
    CLS Fixup MAX: 32
    CLS Est Ctl Rule MAX: 716
    CLS Est Data Rule MAX: 716
    CLS AAA Rule MAX: 5017
    CLS Console Rule MAX: 2150
    CLS Policy NAT Rule MAX: 3584
    CLS ACL Rule MAX: 56627

    The Counts are your real numbers; MAX is the maximum you can have. AAA rules are counted by how many you have applied altogether with your "aaa match" commands. For your question, it seems that you should check your "CLS ACL Rule Count" and "CLS ACL Rule MAX" and make sure you are not getting close to that number. If you are, try to limit the number of host entries (use networks) where possible, and try to use port ranges instead of individual ports in your access list statements.

    I'll try to find the 7.x syntax and post it here later.

    Rate if this helps.
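The answer above tells you to compare "CLS ACL Rule Count" against "CLS ACL Rule MAX" and watch for the gap closing. The parser below is an added example, not code from the thread or from Cisco, that reads that kind of output and reports the utilisation of every rule type at once. It assumes the lines have the shape `CLS <name> Count: <n>` and `CLS <name> MAX: <n>`; the numbers in the embedded sample are the ones quoted in the answer, laid out in that assumed format.

```python
import re

# The counts quoted in the thread, in the line layout this example assumes.
SAMPLE_OUTPUT = """\
-----CLS Rule Current Counts-----
CLS Filter Rule Count: 0
CLS Fixup Rule Count: 11
CLS Est Ctl Rule Count: 0
CLS AAA Rule Count: 2187
CLS Est Data Rule Count: 0
CLS Console Rule Count: 7
CLS Policy NAT Rule Count: 0
CLS ACL Rule Count: 3491
CLS ACL Uncommitted Add: 0
CLS ACL Uncommitted Del: 0
-----CLS Rule MAX Counts-----
CLS Filter MAX: 3584
CLS Fixup MAX: 32
CLS Est Ctl Rule MAX: 716
CLS Est Data Rule MAX: 716
CLS AAA Rule MAX: 5017
CLS Console Rule MAX: 2150
CLS Policy NAT Rule MAX: 3584
CLS ACL Rule MAX: 56627
"""

LINE_RE = re.compile(r"^CLS (?P<name>.+?)\s+(?P<kind>Count|MAX)\s*:\s*(?P<value>\d+)$")


def parse_cls_counts(text):
    """Return ({rule type: current count}, {rule type: max}) from the output.
    'Rule' is dropped from the names so 'Filter Rule Count' and 'Filter MAX'
    end up under the same key."""
    counts, maxes = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers and the uncommitted add/del lines
        name = m.group("name").replace(" Rule", "")
        bucket = counts if m.group("kind") == "Count" else maxes
        bucket[name] = int(m.group("value"))
    return counts, maxes


def utilization(text, warn_at=0.8):
    """For each rule type: (used, limit, True when used/limit >= warn_at)."""
    counts, maxes = parse_cls_counts(text)
    return {name: (counts.get(name, 0), limit, counts.get(name, 0) >= warn_at * limit)
            for name, limit in maxes.items()}


if __name__ == "__main__":
    for name, (used, limit, warn) in utilization(SAMPLE_OUTPUT).items():
        print(f"{name:<11} {used:>6}/{limit:<6} {'WARN' if warn else 'ok'}")
```

With the thread's numbers nothing is near its limit (ACL rules sit at about 6% of MAX, AAA at about 44%), so a monitoring job built on this would stay quiet; the threshold is a parameter so it can be tightened per context.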

  • problem of access lists

    Hello, I have a problem with PIX Firewall version 6.0(1); the problem is:

    I have a PIX with 3 interfaces: inside, outside and dmz.

    ip address outside x.x.x.2

    ip address inside

    ip address dmz

    I need to make an ACL where only 3 PCs on the inside can access a server installed in the DMZ with a public IP, but the ACL is not working.

    Here is the ACL, but I changed the IP addresses.

    access-list 108 permit ip

    access-list 108 permit ip

    access-list 108 permit ip

    access-list 108 permit ip

    access-list 88 permit ip

    access-list 88 permit ip

    access-list 88 permit ip

    pager lines 24

    logging on

    interface ethernet0 auto

    interface ethernet1 auto

    interface ethernet2 auto

    mtu outside 1500

    mtu inside 1500

    mtu dmz 1500

    ip address outside x.x.x.2

    ip address inside

    ip address dmz

    ip audit info action alarm

    ip audit attack action alarm

    ip local pool test

    no failover

    failover timeout 0:00:00

    failover poll 15

    failover ip address outside

    failover ip address inside

    failover ip address dmz

    pdm history enable

    arp timeout 14400

    global (outside) 1 interface

    global (dmz) 1

    nat (inside) 0 access-list 108

    nat (inside) 1 0 0

    nat (dmz) 1 0 0

    alias (inside) x.x.x.5

    static (inside,outside) x.x.x.6 netmask 0 0

    static (inside,outside) x.x.x.4 netmask 0 0

    static (dmz,outside) x.x.x.5 netmask 0 0

    conduit permit tcp host x.x.x.6 eq lotusnotes any

    conduit permit tcp host 2x.x.x.4 eq www any

    conduit permit tcp host x.x.x.4 eq lotusnotes any

    conduit permit tcp host x.x.x.5 eq www any

    conduit permit tcp host x.x.x.5 eq domain any

    conduit permit icmp any any

    conduit permit tcp host x.x.x.5 eq https any

    conduit permit tcp host 2x.x.x.5 eq 21010 any

    The public IP address I need to access from the inside is x.x.x.5.


    The ACL you provided will always behave the same as if you shortened it to this:

    access-list 110 deny tcp host host x.x.x.5

    access-group 110 in interface inside

    (it wouldn't work anyway, because the host *note the zero* probably does not exist)

    Assuming that your dmz has a lower security level than your inside interface, you must remember that when packets go from the higher to the lower security level, the PIX performs the following steps:

    (1) if it is an existing stream, let the packet through

    (2) if it is not an existing stream, check the ACL

    (3) if the ACL denies, drop the packet; if the ACL permits, let the packet through

    (4) if there is no ACL at all, let the packet through (since it is going from high to low security)

    But I guess that this is not what you want to achieve.

    I think you need something like this:

    access-list 110 permit tcp host x.x.x.5 eq www

    access-list 110 permit tcp host x.x.x.5 eq www

    access-list 110 permit tcp host x.x.x.5 eq www

    access-list 110 deny ip x.x.x.0

    (assuming that you have a 24-bit subnet on your dmz)

    access-list 110 permit ip any any

    access-group 110 in interface inside

    This will allow the three internal hosts to access the server x.x.x.5 in your dmz with HTTP, deny anyone else on the inside subnet access to the dmz, and allow all other traffic out to the outside.

    I hope this helps.

    Kind regards
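The answer above spells out the order in which the PIX decides the fate of a packet going from a higher- to a lower-security interface (existing stream, then the ACL, then the "no ACL at all" case) and proposes a five-line ACL 110. The Python below is an added example, not code from the thread or from Cisco, that models that decision order and the proposed ACL so the effect of each line can be checked against sample packets. The addresses are constructed: inside hosts in 10.1.1.0/24, a dmz of 192.0.2.0/24 whose web server 192.0.2.5 stands in for the x.x.x.5 of the thread, and 203.0.113.9 as an outside host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def net(spec):
    """'any', a host address or a CIDR string -> network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def decide(pkt, acl, connections):
    """Order of checks from the answer for a packet leaving a higher-security
    interface towards a lower one. `acl` is None when no access-group is
    applied; `connections` holds the flows the firewall already knows."""
    flow = (pkt.proto, pkt.src, pkt.dst, pkt.dport)
    if flow in connections:          # (1) existing stream passes
        return "permit", "existing connection"
    if acl is None:                  # (4) no ACL at all: high-to-low is allowed
        return "permit", "no acl applied"
    for ace in acl:                  # (2) and (3) first matching ACE decides
        if ace.matches(pkt):
            return ace.action, "matched ace"
    return "deny", "implicit deny"   # an applied ACL denies what it does not permit


# The answer's proposed ACL 110, with the constructed addresses described above.
WWW = 80
DMZ_SERVER = net("192.0.2.5")
ACL_110 = [
    Ace("permit", "tcp", net("10.1.1.10"), DMZ_SERVER, WWW),
    Ace("permit", "tcp", net("10.1.1.11"), DMZ_SERVER, WWW),
    Ace("permit", "tcp", net("10.1.1.12"), DMZ_SERVER, WWW),
    Ace("deny", "ip", net("any"), net("192.0.2.0/24")),   # rest of the dmz
    Ace("permit", "ip", net("any"), net("any")),          # everything else (outside)
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.10", "192.0.2.5", 80),
                Packet("tcp", "10.1.1.13", "192.0.2.5", 80),
                Packet("tcp", "10.1.1.10", "192.0.2.5", 22),
                Packet("tcp", "10.1.1.13", "203.0.113.9", 443)):
        print(pkt, "->", decide(pkt, ACL_110, set()))
```

Two outcomes are worth checking by hand: a fourth inside host reaching the dmz web server is denied by the fourth line, not by the implicit deny, and the same packet is permitted if ACL 110 is not applied at all, which is the behaviour the answer's step (4) describes.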

