ICMP / ACCESS-LIST
If I access-list and statements ICMP on the same interface, which contradicts the other, who gets preference. for ex. If I refuse a package in icmp and allow the access-list package, which wins.
Access lists apply only to passing packets * by * the PIX. ICMP commands are applied to the PIX interfaces themselves (meaning premitting or deny ICMP packets to the PIX interface address). So, to answer your question, it depends on what you are trying to ping ;)
Scott
Tags: Cisco Security
Similar Questions
-
PIX 501 ICMP access list Question
According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:
PIX1 (config) # access - list ethernet1 permit icmp any any echo response
PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible
Access-group ethernet1 PIX1 (config) # interface inside
This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.
Thank you
This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.
By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.
Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.
Let me know if it helps.
-
ERROR: access-list has an icmp type selector
Hi all
Im trying to apply the access list to crypto card. and when I apply it its gives me error
ERROR: access-list has an icmp type selector
no idea please. Thank you all
The crypto-acl must be of type IP Allow. You should not specify protocols, such as the Protocol ICMP, tcp, etc..
If your proxy-ACLs should sth looks like this:
PROXY_ACL from IP x.x.x.x 255.255.255.9 access list permit y.y.y.y 255.255.255.0
but it's not:
access-list host x.x.x.x y.y.y.y eq icmp echo host allowed PROXY_ACL
-
allow icmpv6 in ipv4-access list in the tunnel
Hello
I have a little problem with an access list ipv4 blocking my ipv6 tunnel.
My tunnel works and is as follows:
interface Tunnel0
no ip address
IPv6 address
enable IPv6
source of tunnel
ipv6ip tunnel mode
tunnel destination
So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel (
). Access list that I apply is the following:
allow tcp any a Workbench
allowed UDP any eq field all
allowed any EQ 67 udp no matter what eq 68
allowed UDP any eq 123 everything
allowed UDP any eq 3740 everything
allowed UDP any eq 41 everything
allowed UDP any eq 5072 everything
allow icmp a whole
deny ip any any newspaper
Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?
TCP 3874 TIC.sixxs.net IPv4 ICT (Information Tunnel & Control Protocol) Used to retrieve the information of tunnel (for instance AICCU) Uses the TCP protocol and should work without problems UDP 3740 PoP IPv4 Heartbeat Protocol Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive the user only to pop out Protocol 41 PoP IPv4 IPv6 over IPv4 (6 in 4 tunnel) Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat) We have to appoint the internal host as the DMZ host that leaves usually passes the NAT UDP 5072 PoP IPv4 AYIYA (anything in anything) Used for tunneling IPv6 over IPv4 (AYIYA tunnels) Must cross most NAT and even firewalls without any problem ICMPv6 echo response. Tunnel endpoints IPv6 Internet Control Message Protocol for IPv6 Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel No, because it is happening inside the tunnel I missed something?
sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).
Hope someone can help me.
Hello
In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports
If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.
Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?
But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.
-Jouni
-
Lock the AnyConnect VPN with broader access list
I'm trying to lock my AnyConnect VPN interface. I use the split tunneling. I want only to http tunnel traffic to an external http server we have and ftp to another external server behave. I don't want anything else through the tunnel or anywhere else allowed on our network. My current setup, I can connect to the vpn and the servers ping external ip address, but not by name. I can also not navigate anywhere else while I'm connected. It is not imperative for me to navigate anywhere else, when you are connected, but I need to allow only access specified above.
Configuration:
attributes Anyconnect-group policy
VPN-tunnel-Protocol svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list WebAccessVPN
WebVPN
list of URLS no
SVC request to enable default webvpn
WebAccessVPN list extended access allow icmp disable any newspaper host FTP - EXT object-group Ping_and_Trace
External FTP FTP access WebAccessVPN-list comment
WebAccessVPN list extended access permitted tcp disable no matter what newspaper to host FTP - EXT object-group DM_INLINE_TCP_2
WebAccessVPN list extended access allow icmp disable any newspaper host LICENSING-EXT object-group Ping_and_Trace
WebAccessVPN list extended access allowed object-group TCPUDP any LICENSING-EXT eq www log disable host
WebAccessVPN list extended access deny ip any object-group DM_INLINE_NETWORK_1
You can use the vpn filter under the attributes of political group. In the vpn-filter, you can reference the access list you created.
-
Hello, I have a problem with PIX Firewall Version 6.0 (1), the problem is:
I have a pix with interface 3 inside, outside and dmz.
IP address outside x.x.x.2 255.255.255.248
IP address inside 200.115.10.10 255.255.255.0
192.168.6.28 dmz IP address 255.255.255.0
I need to make an acl where only 3 PC inside access server installed in the demilitarized zone, with a public ip, but the LCD is not working.
Here is the ACL, but I change the IP addresses.
access-list 108 allow ip 200.115.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0
access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0
access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0
access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0
access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0
access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0
pager lines 24
opening of session
interface ethernet0 car
Auto interface ethernet1
Auto interface ethernet2
Outside 1500 MTU
Within 1500 MTU
MTU 1500 dmz
IP address outside x.x.x.2 255.255.255.248
IP address inside 200.115.10.10 255.255.255.0
192.168.6.28 dmz IP address 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
172.16.1.1 - 172.16.1.254 test IP local pool
no failover
failover timeout 0:00:00
failover poll 15
failover outside 0.0.0.0 ip address
IP Failover inside 0.0.0.0
failover dmz 0.0.0.0 ip address
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
Global (dmz) 1 192.168.6.10
NAT (inside) - 0 108 access list
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
NAT (dmz) 1 0.0.0.0 0.0.0.0 0 0
(inside) alias x.x.x.5 192.168.6.30 255.255.255.255
static (inside, outside) x.x.x.6 10.10.70.1 netmask 255.255.255.255 0 0
static (inside, outside) x.x.x.4 200.115.10.16 netmask 255.255.255.255 0 0
static (dmz, external) x.x.x.5 192.168.6.30 netmask 255.255.255.255 0 0
conduct permitted tcp x.x.x.6 eq lotusnotes host everything
conduct permitted tcp 2x.x.x.4 eq www host everything
conduct permitted tcp x.x.x.4 eq lotusnotes host everything
conduct permitted tcp x.x.x.5 eq www host everything
driving allowed host tcp x.x.x.5 eq field all
allow icmp a conduit
driving allowed host tcp https eq x.x.x.5 all
conduct permitted tcp 2x.x.x.5 eq 21010 host everything
the public IP address I need to access it from the inside is x.x.x.5
Hello
The ACL you provide will always be the same when shorten you it to this:
access-list 110 deny tcp host 200.115.10.0 host x.x.x.5
Access-group 110 in the interface inside
(it wouldn't work well, because the host 200.115.10.0 * watch the zero * probably does not exist)
Assuming that your dmz has a lower securitylevel then your inside interface, you must remember that if the packages are make from the highest to the lowest level of security the PIX performs the following operations:
(1) if it is an existing stream, leave the package through
(2) if it is not an existing stream, see ACL
(3) if the ACL refuses, then drop the package, if ACL allows, leave package through
(4) if the ACL does not at all, leave the package through (since it is the high level of low security)
But I guess that this is not what you want to achieve.
I think you need something like this:
access-list 110 permit tcp host 200.115.10.40 x.x.x.5 eq www
access-list 110 permit tcp host 200.115.10.41 x.x.x.5 eq www
access-list 110 permit tcp host 200.115.10.42 x.x.x.5 eq www
access-list 110 deny ip 200.115.10.0 255.255.255.0 255.255.255.0 x.x.x.0
(assuming that you have a 24 - bit subnet on your dmz)
access ip-list 110 permit a whole
Access-group 110 in the interface inside
This will allow three internal hosts to access the server x.x.x.5 you dmz with HTTP, than anyone else on the 200.115.10.0/24 subnet to the dmz and allow traffic on all the others outside.
I hope this helps.
Kind regards
Leo
-
I have a question... or two... :) on access lists.
My current access list looks like the following:
access-list acl_outbound allow icmp a whole
acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 80
acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 21
acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 22
acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 8080
acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 443
acl_outbound ip access list allow a whole
access-list acl_inbound allow icmp a whole
inside_nat0_outbound 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside
outside_cryptomap_9 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside
1. I get no response to external IP addresses with my permit icmp echo. I have to specify what type of ICMP traffic as echo response on the end of the statement of license? I assumed not to put a specific function of what ICMP permit would allow all ICMP traffic, but I guess I was wrong.
2. also suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.
As I noticed that I had to have the ip permit any one to make it work, but am not sure exactly what is happening when I apply that statement to allow permit tcp statement work correctly.
My goals are:
allow hosts listed web traffic (including https and ftp)
allow ICMP pings pass from the inside to the outside and the response
allow VPN tunnels to establish
Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.
Dave
The question is now that you have an incomplete encryption card on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:
> card crypto outside_map 9 match address outside_cryptomap_9
to your PIX. This should get the traffic flowing again. Although passed by the hit counters your ACL, try to ping the host Bluff_Outside to test your ping? If so, then your config crypto says to encrypt all traffic as well, which probably won't work unless the Bluff is configured correctly. Better to make things as simple as possible while you are testing, then I recommend to take the crypto stuff for now with:
> no outside_map interface card crypto outside
Reading through your original post, when you access list only allowing certain protocols TCP, and you found that it did not work, was it web browsing that didn't work? If so, whether you have been reviewed by name rather than IP address, and depending on where your DNS servers, you probably also needed to enable DNS lookups via (udp port 53). MANY people forget this.
In addition, in my humble OPINION, most of the clients that I have seen that initially only allow certain outgoing protocols, eventually find it's more pain than anything like their users say "I need to use this Protocol" and "I need to use this Protocol. Just be tired if you want to go down this road without a valid reason, you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside the subnet and only your home subnet, can get out by doing:
> acl_outbound 192.168.50.0 ip access list allow 255.255.255.0 any
This limited kind of all other connections rear door inside your network by your PIX and Internet connection, but still allows all your users go out and do what they want. Oh you obviously.
-
I have the access-list applied on my "external" my PIX interface and I'm trying to make it so pings coming from the 'inside' book, but those who come of the? outside? in case of failure.
access-list outside permit icmp any any echo response
list a whole outside access allowed icmp time-exceeded
access outside allowed icmp list everything all inaccessible
Using a VPN, you can create a rule/filter and apply it to the tunnel which verifies the established bit to be set. Is it possible to do this with a list of access a PIX?
I have a 6.3 (5) PIX 501
If you add (in config mode)
ICMP deny everything outside
The above will disable any ping/trace route or network scans of the internet (that is, your network will be in stealth mode), if you also add
access-list outside permit icmp any any echo response
list a whole outside access allowed icmp time-exceeded
access outside allowed icmp list everything all inaccessible
outside access-group in external interface
This will then allow icmp traffic going out to the internet, BUT don't be do not allow anyone to ping/trace route internet or analyze your network!
You can test this by visiting http://www.grc.com and using the program "shields up" to analyze your network. Try first without icmp deny out of any instruction and then with the statement added to your configuration.
Hope this helps
Jay
-
Too often, I see in the access list statement, there is a line number set to 1, like this:
permit access-list id_test 1...
Desc the doc said: "The line number to insert a note or an access control element (ACE)."
I can understand his 'writing' but never 'really' understand. :)
Someone could it explain by giving an example?
Thank you for helping.
Scott
PIX (config) # access-list id_test sh
id_test list of access; 5 elements
id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)
id_test of access list row 2 allow accord any host 2.2.2.2 (hitcnt = 0)
id_test of access list row 3 will allow any host 3.3.3.3 (hitcnt = 0)
line 4 of the id_test of access list allow accord any host 4.4.4.4 (hitcnt = 0)
access list id_test line 5 will allow any host 5.5.5.5 (hitcnt = 0)
PIX (config) # access - list id_test line 2 Note Hello
PIX (config) # access-list id_test sh
id_test list of access; 5 elements
id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)
Hello from note access-list id_test line 2
id_test of access list row 3 will allow any host 2.2.2.2 (hitcnt = 0)
line 4 of the id_test of access list allow accord any host 3.3.3.3 (hitcnt = 0)
access list id_test line 5 will allow any host 4.4.4.4 (hitcnt = 0)
id_test of access list line 6 will allow any host 5.5.5.5 (hitcnt = 0)
allowed for pix (config) # access - list id_test line 1 icmp any host 1.1.1.1
PIX (config) # access-list id_test sh
id_test list of access; 6 items
allowed to Access-list id_test line 1 icmp any host 1.1.1.1 (hitcnt = 0)
id_test of access list row 2 allow accord any host 1.1.1.1 (hitcnt = 0)
Note access-list id_test line 3 Hello
line 4 of the id_test of access list allow accord any host 2.2.2.2 (hitcnt = 0)
access list id_test line 5 will allow any host 3.3.3.3 (hitcnt = 0)
id_test of access list line 6 will allow any host 4.4.4.4 (hitcnt = 0)
access list id_test line 7 will allow any host 5.5.5.5 (hitcnt = 0)
TRIS-NOC-FW1 (config) #.
the golden rule of the acl, is that it works in order, from top to bottom. with the line number, you can precisely insert the new entry of acl or note everywhere where you want.
for example, imagine you have a 200-entry acl, and now you want to allow one host before the other refuse registration. of course you don't want to interrupt the network by UN-apply and reapply the entire acl. in this case, the line number to save life.
-
Newbie question route-map/access-list
I am quite new to the thing whole cisco here. I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)
We have a router cisco 1811 (yes I know its old)
We now have a road map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1. Our T1 uses an ASA5505 as a router. I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject. I am doing as a result. Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1. This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1. If our cable goes down, everything for the T1 (by design). We have a long list of defined access our route map - use corresponding ip. I want to change the access list to not allow local network IP addresses. I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more. So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network. I wouldn't pull the laminated cord and use the console. (I really need get a USB serial interface). Now, you understand a little more about my situation now for all numbers, etc.
Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)
PTP VPN: 192.168.116.0/24 comes and goes out our T1.
1811 router: 90.0.0.254/192.168.30.254/192.168.0.254
ASA: 90.0.0.50
!
follow the accessibility of ALS 40 ip 40
delay the decline 90 60
!
interface Vlan1
Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$
IP 90.0.0.254 255.255.255.0
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
route WEBPBR card intellectual property policy
!
interface Vlan10
Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$
IP 192.168.0.254 255.255.255.0
IP nat inside
IP helper 90.0.0.2
IP virtual-reassembly
route WEBPBR card intellectual property policy
!
! Static routes
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
IP route 0.0.0.0 0.0.0.0 197.164.245.109 200
IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
WEBTRAFFIC extended IP access list
deny ip any host 208.67.222.222
deny ip any 172.20.0.0 0.0.255.255
refuse the host tcp 90.0.0.2 any eq www
refuse 90.0.0.14 tcp host any eq www
refuse 90.0.0.235 tcp host any eq www
refuse the host ip 192.168.0.40 everything
deny ip any host 192.168.0.40
refuse the host ip 192.168.0.41 all
deny ip any host 192.168.0.41
deny ip any host 192.168.0.221
refuse the host ip 192.168.0.221 all
refuse the host ip 192.168.0.225 all
refuse 90.0.0.10 tcp host any eq www
deny ip any host 192.168.0.225
refuse 90.0.0.11 tcp host any eq www
refuse 90.0.0.9 tcp host any eq www
refuse 90.0.0.8 tcp host any eq www
refuse 90.0.0.7 tcp host any eq www
refuse 90.0.0.6 tcp host any eq www
refuse the 90.0.0.1 tcp host any eq www
refuse 90.0.0.13 tcp host any eq www
refuse 90.0.0.200 tcp host any eq www
permit tcp any any eq www
allow the host ip 192.168.0.131 one
allow the host ip 192.168.0.130 one
allow the host ip 192.168.0.132 one
allow the host ip 192.168.0.133 one
allow the host ip 192.168.0.134 one
allow the host ip 192.168.0.135 one
allow the host ip 192.168.0.136 one
allow the host ip 192.168.0.137 one
allow the host ip 192.168.0.138 one
allow the host ip 192.168.0.139 one
allow the host ip 192.168.0.140 one
allow the host ip 192.168.0.141 one
allow the host ip 192.168.0.142 one
allow the host ip 192.168.0.143 one
allow the host ip 192.168.0.144 a
allow the host ip 192.168.0.145 one
allow the host ip 192.168.0.146 one
allow the host ip 192.168.0.147 one
allow the host ip 192.168.0.148 one
allow the host ip 192.168.0.149 one
allow the host ip 192.168.0.150 one
allow the host ip 90.0.0.80 one
allow the host ip 90.0.0.81 one
allow the host ip 90.0.0.82 one
allow the host ip 90.0.0.83 one
allow the host ip 90.0.0.84 one
allow the host ip 90.0.0.85 one
allow the host ip 90.0.0.86 one
allow the host ip 90.0.0.87 one
allow the host ip 90.0.0.88 one
allow the host ip 90.0.0.89 one
allow the host ip 90.0.0.90 one
allow the host ip 90.0.0.91 one
allow the host ip 90.0.0.92 one
allow the host ip 90.0.0.93 one
allow the host ip 90.0.0.94 one
allow the host ip 90.0.0.95 one
refuse the host tcp 90.0.0.3 any eq wwwALS IP 40
208.67.220.220 ICMP echo source interface Vlan1
Timeout 6000
frequency 20
ALS annex IP 40 life never start-time now
allowed WEBPBR 2 route map
corresponds to the IP WEBTRAFFIC
set ip next-hop to check the availability of the 197.164.245.109 1 track 40
That is how we have it set up right now. If I put in a few lines above WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! Etc with all internal networks
* And then put at the bottom:
allow an ip
who will ALL break so we can not communicate with anything? Or is that what I did to do this, we get internal routing etc.? Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well? (We have public IPS 14 (one for the T1 gateway) that would go as well?) I don't want to try to put in those at the top and make sure no one can do anything. I hope I made clear what I'm doing...
Post edited by: Ryan Young
I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.
HTH
Rick
-
Access list ASA Error | ERROR: % incomplete command
Hi all
I am trying to enter the following rule but I get an error message, I have a similar rule already inside the firewall, so I don't get really what is the problem and how to go about troubleshooting. Can anyone help?
acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https Journal
(network-config) # access - list extended acl_inside permitted object-group$
acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
255.192.0 log https eq
^
ERROR: % name host not validSAME THING WITHOUT JOURNAL
(network-config) # access - list extended acl_inside permitted object-group$
acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
255.192.0 eq https
ERROR: % incomplete commandSAME STUPID MISTAKE,
THE SIMILAR RULE;
# ACCess-list HS | I have 132.235.192.0
permit for line acl_inside of access list extended 2767 tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https???????
I'm not sure that this ensures a case of cisco?
FW100ABCx (config) # 16-09-08F object-group network
FW100ABCx(config-Network) # host network-object 172.191.235.136
Add items (host to network-object 172.191.235.136) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.191.235.135
Add items (host to network-object 172.191.235.135) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.191.235.134
Add items (host to network-object 172.191.235.134) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.52.134.76
Add items (host to network-object 172.52.134.76) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) #.
FW100ABCx(config-Network) # acl_inside of access allowed object-group list $acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
ERROR: % incomplete commandHello Hassan.
You're missing the key word of Protocol (tcp/udp)
Try this:the object-group 16-09-08F network
host of the object-Network 172.191.235.136acl_inside list extended access permitted tcp object-group 16-09-08F 132.235.192.0 255.255.192.0
Concerning
Dinesh MoudgilPS Please rate helpful messages.
-
Ipv6 access list does not apply autonomous Aironet 3602I-E
As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.
Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).
The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.
This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.
Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:
interface Dot11Radio0.2
guest_ingress6 filter IPv6 traffic in
guest_egress6 filter IPv6 traffic onand these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.
No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:
000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
etc.In addition, when creating a list like this ipv6 access:
guest_egress6 IPv6 access list
refuse an entire ipv6The other is automatically created:
IPv6-guest_egress6 role-based access list
refuse an entire ipv6A deletion also removes the other.
What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?
Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)
PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.
You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.
Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.
Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?
Please rate helpful messages... :-)
-
Access list ID # on a PIX firewall
Is anyone know what of the identifier access list on a pix firewall?
Standard IOS = 1-99
Extended IOS is 100-199.
SW = PIX?
There is no "limit" by Word to say in the Pix. These limits are in IOS because they define what 'type' of acl, it's IE APPLETALK, IPX, IP etc etc. Pix IP is therefore not necessary for this type of identification.
access-list 100000000000000; 1 items
allow line of the access list 1 100000000000000 ip any a (hitcnt = 0)
Jason
-
Everyone;
I need a few questions answered on how to condense on a 300 line refuse access-list into something maybe shorter. Right now, we want to put the abbreviated version of access on the border router 7204 VXR if possible list. It is an attempt to block possible known bad IP address that are not network friendly. Currently there are 2 ASA 5540 behind the border router.
Thanks in advance;
gmaurice
No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)
-
Router Access List - where it is applied?
I seem to be missing something here. I have a 1841 router that has an access list configured and it actually loses packages based on this access list. I can't for the life of me see where this Access List is applied. Can anyone provide an overview? Here is the result of the "Show Run":
R - H1BR1 #sh run
Building configuration...Current configuration: 3391 bytes
!
! No change since the last restart configuration
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
R-H1BR1 host name
!
boot-start-marker
boot-end-marker
!
County of logging
logging buffered 51200
no console logging
!
No aaa new-model
IP cef
!
!
!
!
no ip domain search
domain IP p911.positron name - psap.com
name of the IP-server 10.4.0.1
name of the IP-server 10.4.0.2
name of the IP-server 10.5.0.3
name of the IP-server 10.5.0.4
IP multicast routing
Authenticated MultiLink bundle-name Panel
!
!
username * secret privilege 15 5 *.
Archives
The config log
hidekeys
!
!
TFTP IP source interface FastEthernet0/0.1
!
!
!
interface Tunnel5
Description * TUNNEL to NODE B (Multicast only) *.
IP 10.250.4.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.5.15.254
!
interface Tunnel25
Description * TUNNEL at 25 SATELLITE (Multicast only) *.
IP 10.250.25.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.25.15.254
!
interface FastEthernet0/0
Description * to switch 1 last Port *.
no ip address
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY
IP pim dr-priority 255
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
no ip mroute-cache
KeepAlive 1
45 minimum waiting time charge 60
Watch 1 ip 10.4.15.254
1 1 3 sleep timers
1 standby preempt delay minimum charge 15 15 15 sync
!
interface FastEthernet0/1
Description * BETWEEN R1 and R2 *.
IP 10.252.204.1 255.255.255.252
no ip proxy-arp
IP-range of greeting 1 2604 eigrp
IP - eigrp 2604 2 hold time
no ip mroute-cache
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/0
Description * WAN to H2 connection *.
IP 172.16.215.246 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/1
Description * connection to AAU *.
IP 192.168.10.1 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
45 minimum waiting time charge 60
Watch 3 ip 192.168.10.3
sleep timers 3 1 3
3 standby preempt delay minimum charge 15 15 15 sync
!
Router eigrp 2604
redistribute static
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/0/1
10.4.0.0 network 0.0.15.255
Network 10.252.0.0 0.0.255.255
network 172.16.215.0 0.0.0.255
No Auto-resume
!
IP forward-Protocol ND
IP route 10.119.138.0 255.255.254.0 192.168.10.13
IP route 10.121.1.0 255.255.255.0 192.168.10.13
!
!
no ip address of the http server
IP mroute 10.5.0.0 Tunnel5 255.255.240.0
IP mroute 10.25.0.0 255.255.240.0 Tunnel25
!
standard IP DENY access list
deny all
!
interface FastEthernet0/0.1 source journaling
logging server-arp
record 10.4.0.1
!
!
control plan
!
!
Line con 0
local connection
line to 0
line vty 0 4
exec-timeout 0 0
local connection
transport telnet entry
line vty 5 15
exec-timeout 0 0
opening of session
transport telnet entry
!
Scheduler allocate 20000 1000
NTP-period clock 17177530
NTP 10.4.0.1 Server
endR H1BR1 #.
I guess you are looking for
interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY?
Best regards
Milan
Maybe you are looking for
-
Opportunity to see several pages by drop-down list next to the "back" button seems to have
Since the recent update, I seem to have lost the small arrow next to the back button for me to go to, say, 4 pages before the current.Can I bring back or has it disappeared for good?Thank you for any response
-
Impossible to download on several site and various types of files
All of a sudden with Vista Home Premium for several years, cannot download. Have two accounts on the system, the two administrator. One with a passward and the other without. Can download from the account with a password that I rarely access as I am
-
80074F8F error in fact appear due faulty settings, date and time of the BIOS?
After I got error x80074F8F that told me to check my date a hours settings (offset) This offset is applicable betwwen the software settings and my BIOS? Thank you Best regards Simsmart.
-
See the contents of the .jar file
Dear all, Good evening from the India. Here's the problem I want to share with you all. I'm working on Windows 7 Home Basic Version. I downloaded e - tds_tcs_rpu_1.2.ex According to the advice of the NSDL-TIN people, I downloaded new e - tds_tcs_rpu_
-
Windows 8 not to close from charms & reinstallation menu charm
"I did a 'reset' on ' my laptop Dell, who eliminated windows 10 and reinstalled windows 8. The function "close" in the menu of charms has worked a few times and is no longer made. I have to close it manually from the power button. Any suggestions? A