ICMP / ACCESS-LIST

If I access-list and statements ICMP on the same interface, which contradicts the other, who gets preference. for ex. If I refuse a package in icmp and allow the access-list package, which wins.

Access lists apply only to passing packets * by * the PIX. ICMP commands are applied to the PIX interfaces themselves (meaning premitting or deny ICMP packets to the PIX interface address). So, to answer your question, it depends on what you are trying to ping ;)

Scott

Tags: Cisco Security

Similar Questions

  • PIX 501 ICMP access list Question

    According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:

    PIX1 (config) # access - list ethernet1 permit icmp any any echo response

    PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible

    Access-group ethernet1 PIX1 (config) # interface inside

    This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.

    Thank you

    This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.

    By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.

    Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.

    Let me know if it helps.

  • ERROR: access-list has an icmp type selector

    Hi all

    Im trying to apply the access list to crypto card. and when I apply it its gives me error

    ERROR: access-list has an icmp type selector

    no idea please. Thank you all

    The crypto-acl must be of type IP Allow. You should not specify protocols, such as the Protocol ICMP, tcp, etc..

    If your proxy-ACLs should sth looks like this:

    PROXY_ACL from IP x.x.x.x 255.255.255.9 access list permit y.y.y.y 255.255.255.0

    but it's not:

    access-list host x.x.x.x y.y.y.y eq icmp echo host allowed PROXY_ACL

  • allow icmpv6 in ipv4-access list in the tunnel

    Hello

    I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

    My tunnel works and is as follows:

    interface Tunnel0

    no ip address

    IPv6 address

    enable IPv6

    source of tunnel

    ipv6ip tunnel mode

    tunnel destination

    So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

    Access list that I apply is the following:

    allow tcp any a Workbench

    allowed UDP any eq field all

    allowed any EQ 67 udp no matter what eq 68

    allowed UDP any eq 123 everything

    allowed UDP any eq 3740 everything

    allowed UDP any eq 41 everything

    allowed UDP any eq 5072 everything

    allow icmp a whole

    deny ip any any newspaper

    Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

    TCP 3874 TIC.sixxs.net IPv4 ICT (Information Tunnel & Control Protocol) Used to retrieve the information of tunnel (for instance AICCU) Uses the TCP protocol and should work without problems
    UDP 3740 PoP IPv4 Heartbeat Protocol Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive the user only to pop out
    Protocol 41 PoP IPv4 IPv6 over IPv4 (6 in 4 tunnel) Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat) We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
    UDP 5072 PoP IPv4 AYIYA (anything in anything) Used for tunneling IPv6 over IPv4 (AYIYA tunnels) Must cross most NAT and even firewalls without any problem
    ICMPv6 echo response. Tunnel endpoints IPv6 Internet Control Message Protocol for IPv6 Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel No, because it is happening inside the tunnel

    I missed something?

    sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

    Hope someone can help me.

    Hello

    In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

    If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

    Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

    But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

    -Jouni

  • Lock the AnyConnect VPN with broader access list

    I'm trying to lock my AnyConnect VPN interface. I use the split tunneling. I want only to http tunnel traffic to an external http server we have and ftp to another external server behave. I don't want anything else through the tunnel or anywhere else allowed on our network. My current setup, I can connect to the vpn and the servers ping external ip address, but not by name. I can also not navigate anywhere else while I'm connected. It is not imperative for me to navigate anywhere else, when you are connected, but I need to allow only access specified above.

    Configuration:

    attributes Anyconnect-group policy

    VPN-tunnel-Protocol svc webvpn

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list WebAccessVPN

    WebVPN

    list of URLS no

    SVC request to enable default webvpn

    WebAccessVPN list extended access allow icmp disable any newspaper host FTP - EXT object-group Ping_and_Trace

    External FTP FTP access WebAccessVPN-list comment

    WebAccessVPN list extended access permitted tcp disable no matter what newspaper to host FTP - EXT object-group DM_INLINE_TCP_2

    WebAccessVPN list extended access allow icmp disable any newspaper host LICENSING-EXT object-group Ping_and_Trace

    WebAccessVPN list extended access allowed object-group TCPUDP any LICENSING-EXT eq www log disable host

    WebAccessVPN list extended access deny ip any object-group DM_INLINE_NETWORK_1

    You can use the vpn filter under the attributes of political group. In the vpn-filter, you can reference the access list you created.

  • problem of access lists

    Hello, I have a problem with PIX Firewall Version 6.0 (1), the problem is:

    I have a pix with interface 3 inside, outside and dmz.

    IP address outside x.x.x.2 255.255.255.248

    IP address inside 200.115.10.10 255.255.255.0

    192.168.6.28 dmz IP address 255.255.255.0

    I need to make an acl where only 3 PC inside access server installed in the demilitarized zone, with a public ip, but the LCD is not working.

    Here is the ACL, but I change the IP addresses.

    access-list 108 allow ip 200.115.10.0 255.255.255.0 172.16.1.0 255.255.255.0

    access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

    access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

    access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

    access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

    access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

    access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

    pager lines 24

    opening of session

    interface ethernet0 car

    Auto interface ethernet1

    Auto interface ethernet2

    Outside 1500 MTU

    Within 1500 MTU

    MTU 1500 dmz

    IP address outside x.x.x.2 255.255.255.248

    IP address inside 200.115.10.10 255.255.255.0

    192.168.6.28 dmz IP address 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    172.16.1.1 - 172.16.1.254 test IP local pool

    no failover

    failover timeout 0:00:00

    failover poll 15

    failover outside 0.0.0.0 ip address

    IP Failover inside 0.0.0.0

    failover dmz 0.0.0.0 ip address

    history of PDM activate

    ARP timeout 14400

    Global 1 interface (outside)

    Global (dmz) 1 192.168.6.10

    NAT (inside) - 0 108 access list

    NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

    NAT (dmz) 1 0.0.0.0 0.0.0.0 0 0

    (inside) alias x.x.x.5 192.168.6.30 255.255.255.255

    static (inside, outside) x.x.x.6 10.10.70.1 netmask 255.255.255.255 0 0

    static (inside, outside) x.x.x.4 200.115.10.16 netmask 255.255.255.255 0 0

    static (dmz, external) x.x.x.5 192.168.6.30 netmask 255.255.255.255 0 0

    conduct permitted tcp x.x.x.6 eq lotusnotes host everything

    conduct permitted tcp 2x.x.x.4 eq www host everything

    conduct permitted tcp x.x.x.4 eq lotusnotes host everything

    conduct permitted tcp x.x.x.5 eq www host everything

    driving allowed host tcp x.x.x.5 eq field all

    allow icmp a conduit

    driving allowed host tcp https eq x.x.x.5 all

    conduct permitted tcp 2x.x.x.5 eq 21010 host everything

    the public IP address I need to access it from the inside is x.x.x.5

    Hello

    The ACL you provide will always be the same when shorten you it to this:

    access-list 110 deny tcp host 200.115.10.0 host x.x.x.5

    Access-group 110 in the interface inside

    (it wouldn't work well, because the host 200.115.10.0 * watch the zero * probably does not exist)

    Assuming that your dmz has a lower securitylevel then your inside interface, you must remember that if the packages are make from the highest to the lowest level of security the PIX performs the following operations:

    (1) if it is an existing stream, leave the package through

    (2) if it is not an existing stream, see ACL

    (3) if the ACL refuses, then drop the package, if ACL allows, leave package through

    (4) if the ACL does not at all, leave the package through (since it is the high level of low security)

    But I guess that this is not what you want to achieve.

    I think you need something like this:

    access-list 110 permit tcp host 200.115.10.40 x.x.x.5 eq www

    access-list 110 permit tcp host 200.115.10.41 x.x.x.5 eq www

    access-list 110 permit tcp host 200.115.10.42 x.x.x.5 eq www

    access-list 110 deny ip 200.115.10.0 255.255.255.0 255.255.255.0 x.x.x.0

    (assuming that you have a 24 - bit subnet on your dmz)

    access ip-list 110 permit a whole

    Access-group 110 in the interface inside

    This will allow three internal hosts to access the server x.x.x.5 you dmz with HTTP, than anyone else on the 200.115.10.0/24 subnet to the dmz and allow traffic on all the others outside.

    I hope this helps.

    Kind regards

    Leo

  • access lists

    I have a question... or two... :) on access lists.

    My current access list looks like the following:

    access-list acl_outbound allow icmp a whole

    acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 80

    acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 21

    acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 22

    acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 8080

    acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 443

    acl_outbound ip access list allow a whole

    access-list acl_inbound allow icmp a whole

    inside_nat0_outbound 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

    outside_cryptomap_9 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

    1. I get no response to external IP addresses with my permit icmp echo. I have to specify what type of ICMP traffic as echo response on the end of the statement of license? I assumed not to put a specific function of what ICMP permit would allow all ICMP traffic, but I guess I was wrong.

    2. also suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.

    As I noticed that I had to have the ip permit any one to make it work, but am not sure exactly what is happening when I apply that statement to allow permit tcp statement work correctly.

    My goals are:

    allow hosts listed web traffic (including https and ftp)

    allow ICMP pings pass from the inside to the outside and the response

    allow VPN tunnels to establish

    Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.

    Dave

    The question is now that you have an incomplete encryption card on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:

    > card crypto outside_map 9 match address outside_cryptomap_9

    to your PIX. This should get the traffic flowing again. Although passed by the hit counters your ACL, try to ping the host Bluff_Outside to test your ping? If so, then your config crypto says to encrypt all traffic as well, which probably won't work unless the Bluff is configured correctly. Better to make things as simple as possible while you are testing, then I recommend to take the crypto stuff for now with:

    > no outside_map interface card crypto outside

    Reading through your original post, when you access list only allowing certain protocols TCP, and you found that it did not work, was it web browsing that didn't work? If so, whether you have been reviewed by name rather than IP address, and depending on where your DNS servers, you probably also needed to enable DNS lookups via (udp port 53). MANY people forget this.

    In addition, in my humble OPINION, most of the clients that I have seen that initially only allow certain outgoing protocols, eventually find it's more pain than anything like their users say "I need to use this Protocol" and "I need to use this Protocol. Just be tired if you want to go down this road without a valid reason, you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside the subnet and only your home subnet, can get out by doing:

    > acl_outbound 192.168.50.0 ip access list allow 255.255.255.0 any

    This limited kind of all other connections rear door inside your network by your PIX and Internet connection, but still allows all your users go out and do what they want. Oh you obviously.

  • Access list in a PIX?

    I have the access-list applied on my "external" my PIX interface and I'm trying to make it so pings coming from the 'inside' book, but those who come of the? outside? in case of failure.

    access-list outside permit icmp any any echo response

    list a whole outside access allowed icmp time-exceeded

    access outside allowed icmp list everything all inaccessible

    Using a VPN, you can create a rule/filter and apply it to the tunnel which verifies the established bit to be set. Is it possible to do this with a list of access a PIX?

    I have a 6.3 (5) PIX 501

    If you add (in config mode)

    ICMP deny everything outside

    The above will disable any ping/trace route or network scans of the internet (that is, your network will be in stealth mode), if you also add

    access-list outside permit icmp any any echo response

    list a whole outside access allowed icmp time-exceeded

    access outside allowed icmp list everything all inaccessible

    outside access-group in external interface

    This will then allow icmp traffic going out to the internet, BUT don't be do not allow anyone to ping/trace route internet or analyze your network!

    You can test this by visiting http://www.grc.com and using the program "shields up" to analyze your network. Try first without icmp deny out of any instruction and then with the statement added to your configuration.

    Hope this helps

    Jay

  • access-list [line-num]

    Too often, I see in the access list statement, there is a line number set to 1, like this:

    permit access-list id_test 1...

    Desc the doc said: "The line number to insert a note or an access control element (ACE)."

    I can understand his 'writing' but never 'really' understand. :)

    Someone could it explain by giving an example?

    Thank you for helping.

    Scott

    PIX (config) # access-list id_test sh

    id_test list of access; 5 elements

    id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)

    id_test of access list row 2 allow accord any host 2.2.2.2 (hitcnt = 0)

    id_test of access list row 3 will allow any host 3.3.3.3 (hitcnt = 0)

    line 4 of the id_test of access list allow accord any host 4.4.4.4 (hitcnt = 0)

    access list id_test line 5 will allow any host 5.5.5.5 (hitcnt = 0)

    PIX (config) # access - list id_test line 2 Note Hello

    PIX (config) # access-list id_test sh

    id_test list of access; 5 elements

    id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)

    Hello from note access-list id_test line 2

    id_test of access list row 3 will allow any host 2.2.2.2 (hitcnt = 0)

    line 4 of the id_test of access list allow accord any host 3.3.3.3 (hitcnt = 0)

    access list id_test line 5 will allow any host 4.4.4.4 (hitcnt = 0)

    id_test of access list line 6 will allow any host 5.5.5.5 (hitcnt = 0)

    allowed for pix (config) # access - list id_test line 1 icmp any host 1.1.1.1

    PIX (config) # access-list id_test sh

    id_test list of access; 6 items

    allowed to Access-list id_test line 1 icmp any host 1.1.1.1 (hitcnt = 0)

    id_test of access list row 2 allow accord any host 1.1.1.1 (hitcnt = 0)

    Note access-list id_test line 3 Hello

    line 4 of the id_test of access list allow accord any host 2.2.2.2 (hitcnt = 0)

    access list id_test line 5 will allow any host 3.3.3.3 (hitcnt = 0)

    id_test of access list line 6 will allow any host 4.4.4.4 (hitcnt = 0)

    access list id_test line 7 will allow any host 5.5.5.5 (hitcnt = 0)

    TRIS-NOC-FW1 (config) #.

    the golden rule of the acl, is that it works in order, from top to bottom. with the line number, you can precisely insert the new entry of acl or note everywhere where you want.

    for example, imagine you have a 200-entry acl, and now you want to allow one host before the other refuse registration. of course you don't want to interrupt the network by UN-apply and reapply the entire acl. in this case, the line number to save life.

  • Newbie question route-map/access-list

    I am quite new to the thing whole cisco here.  I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)

    We have a router cisco 1811 (yes I know its old)

    We now have a road map and I'm trying to understand it to make it work the way we want.  Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1.  Our T1 uses an ASA5505 as a router.  I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject.  I am doing as a result.  Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1.  This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1.   If our cable goes down, everything for the T1 (by design).  We have a long list of defined access our route map - use corresponding ip.  I want to change the access list to not allow local network IP addresses.  I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more.  So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network.  I wouldn't pull the laminated cord and use the console.  (I really need get a USB serial interface).  Now, you understand a little more about my situation now for all numbers, etc.

    Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)

    PTP VPN: 192.168.116.0/24 comes and goes out our T1.

    1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

    ASA: 90.0.0.50

    !

    follow the accessibility of ALS 40 ip 40

    delay the decline 90 60

    !

    interface Vlan1

    Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$

    IP 90.0.0.254 255.255.255.0

    IP nat inside

    IP virtual-reassembly

    IP tcp adjust-mss 1452

    route WEBPBR card intellectual property policy

    !

    interface Vlan10

    Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$

    IP 192.168.0.254 255.255.255.0

    IP nat inside

    IP helper 90.0.0.2

    IP virtual-reassembly

    route WEBPBR card intellectual property policy

    !

    ! Static routes

    IP forward-Protocol ND

    IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

    IP route 0.0.0.0 0.0.0.0 197.164.245.109 200

    IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

    IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

    IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

    IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

    WEBTRAFFIC extended IP access list
    deny ip any host 208.67.222.222
    deny ip any 172.20.0.0 0.0.255.255
    refuse the host tcp 90.0.0.2 any eq www
    refuse 90.0.0.14 tcp host any eq www
    refuse 90.0.0.235 tcp host any eq www
    refuse the host ip 192.168.0.40 everything
    deny ip any host 192.168.0.40
    refuse the host ip 192.168.0.41 all
    deny ip any host 192.168.0.41
    deny ip any host 192.168.0.221
    refuse the host ip 192.168.0.221 all
    refuse the host ip 192.168.0.225 all
    refuse 90.0.0.10 tcp host any eq www
    deny ip any host 192.168.0.225
    refuse 90.0.0.11 tcp host any eq www
    refuse 90.0.0.9 tcp host any eq www
    refuse 90.0.0.8 tcp host any eq www
    refuse 90.0.0.7 tcp host any eq www
    refuse 90.0.0.6 tcp host any eq www
    refuse the 90.0.0.1 tcp host any eq www
    refuse 90.0.0.13 tcp host any eq www
    refuse 90.0.0.200 tcp host any eq www
    permit tcp any any eq www
    allow the host ip 192.168.0.131 one
    allow the host ip 192.168.0.130 one
    allow the host ip 192.168.0.132 one
    allow the host ip 192.168.0.133 one
    allow the host ip 192.168.0.134 one
    allow the host ip 192.168.0.135 one
    allow the host ip 192.168.0.136 one
    allow the host ip 192.168.0.137 one
    allow the host ip 192.168.0.138 one
    allow the host ip 192.168.0.139 one
    allow the host ip 192.168.0.140 one
    allow the host ip 192.168.0.141 one
    allow the host ip 192.168.0.142 one
    allow the host ip 192.168.0.143 one
    allow the host ip 192.168.0.144 a
    allow the host ip 192.168.0.145 one
    allow the host ip 192.168.0.146 one
    allow the host ip 192.168.0.147 one
    allow the host ip 192.168.0.148 one
    allow the host ip 192.168.0.149 one
    allow the host ip 192.168.0.150 one
    allow the host ip 90.0.0.80 one
    allow the host ip 90.0.0.81 one
    allow the host ip 90.0.0.82 one
    allow the host ip 90.0.0.83 one
    allow the host ip 90.0.0.84 one
    allow the host ip 90.0.0.85 one
    allow the host ip 90.0.0.86 one
    allow the host ip 90.0.0.87 one
    allow the host ip 90.0.0.88 one
    allow the host ip 90.0.0.89 one
    allow the host ip 90.0.0.90 one
    allow the host ip 90.0.0.91 one
    allow the host ip 90.0.0.92 one
    allow the host ip 90.0.0.93 one
    allow the host ip 90.0.0.94 one
    allow the host ip 90.0.0.95 one
    refuse the host tcp 90.0.0.3 any eq www

    ALS IP 40

    208.67.220.220 ICMP echo source interface Vlan1

    Timeout 6000

    frequency 20

    ALS annex IP 40 life never start-time now

    allowed WEBPBR 2 route map

    corresponds to the IP WEBTRAFFIC

    set ip next-hop to check the availability of the 197.164.245.109 1 track 40

    That is how we have it set up right now.  If I put in a few lines above WEBTRAFFIC with:

    deny ip any 192.168.0.0 0.0.0.255

    deny ip any 90.0.0.0 0.0.0.255

    deny ip any 192.168.116.0 0.0.0.255

    !  Etc with all internal networks

    * And then put at the bottom:

    allow an ip

    who will ALL break so we can not communicate with anything?  Or is that what I did to do this, we get internal routing etc.?  Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well?  (We have public IPS 14 (one for the T1 gateway) that would go as well?)  I don't want to try to put in those at the top and make sure no one can do anything.  I hope I made clear what I'm doing...

    Post edited by: Ryan Young

    I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.

    HTH

    Rick

  • Access list ASA Error | ERROR: % incomplete command

    Hi all

    I am trying to enter the following rule but I get an error message, I have a similar rule already inside the firewall, so I don't get really what is the problem and how to go about troubleshooting. Can anyone help?

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https Journal

    (network-config) # access - list extended acl_inside permitted object-group$

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
    255.192.0 log https eq
    ^
    ERROR: % name host not valid

    SAME THING WITHOUT JOURNAL

    (network-config) # access - list extended acl_inside permitted object-group$

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https
    ERROR: % incomplete command

    SAME STUPID MISTAKE,

    THE SIMILAR RULE;

    # ACCess-list HS | I have 132.235.192.0
    permit for line acl_inside of access list extended 2767 tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

    ???????

    I'm not sure that this ensures a case of cisco?

    FW100ABCx (config) # 16-09-08F object-group network
    FW100ABCx(config-Network) # host network-object 172.191.235.136
    Add items (host to network-object 172.191.235.136) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) # host network-object 172.191.235.135
    Add items (host to network-object 172.191.235.135) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) # host network-object 172.191.235.134
    Add items (host to network-object 172.191.235.134) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) # host network-object 172.52.134.76
    Add items (host to network-object 172.52.134.76) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) #.
    FW100ABCx(config-Network) # acl_inside of access allowed object-group list $

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
    ERROR: % incomplete command

    Hello Hassan.

    You're missing the key word of Protocol (tcp/udp)
    Try this:

    the object-group 16-09-08F network
    host of the object-Network 172.191.235.136

    acl_inside list extended access permitted tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

    Concerning
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Ipv6 access list does not apply autonomous Aironet 3602I-E

    As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

    Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

    The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

    This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

    Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

    interface Dot11Radio0.2
    guest_ingress6 filter IPv6 traffic in
    guest_egress6 filter IPv6 traffic on

    and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

    No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

    000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
    000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
    000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
    000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
    000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
    000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
    000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
    000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
    000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
    000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
    000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
    etc.

    In addition, when creating a list like this ipv6 access:

    guest_egress6 IPv6 access list
    refuse an entire ipv6

    The other is automatically created:

    IPv6-guest_egress6 role-based access list
    refuse an entire ipv6

    A deletion also removes the other.

    What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

    Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

    PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

    You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

    Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

    Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

    Please rate helpful messages... :-)

  • Access list ID # on a PIX firewall

    Is anyone know what of the identifier access list on a pix firewall?

    Standard IOS = 1-99

    Extended IOS is 100-199.

    SW = PIX?

    There is no "limit" by Word to say in the Pix. These limits are in IOS because they define what 'type' of acl, it's IE APPLETALK, IPX, IP etc etc. Pix IP is therefore not necessary for this type of identification.

    access-list 100000000000000; 1 items

    allow line of the access list 1 100000000000000 ip any a (hitcnt = 0)

    Jason

  • line 300 deny access-list

    Everyone;

    I need a few questions answered on how to condense on a 300 line refuse access-list into something maybe shorter. Right now, we want to put the abbreviated version of access on the border router 7204 VXR if possible list. It is an attempt to block possible known bad IP address that are not network friendly. Currently there are 2 ASA 5540 behind the border router.

    Thanks in advance;

    gmaurice

    No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)

  • Router Access List - where it is applied?

    I seem to be missing something here.  I have a 1841 router that has an access list configured and it actually loses packages based on this access list. I can't for the life of me see where this Access List is applied. Can anyone provide an overview?  Here is the result of the "Show Run":

    R - H1BR1 #sh run
    Building configuration...

    Current configuration: 3391 bytes
    !
    ! No change since the last restart configuration
    !
    version 12.4
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    R-H1BR1 host name
    !
    boot-start-marker
    boot-end-marker
    !
    County of logging
    logging buffered 51200
    no console logging
    !
    No aaa new-model
    IP cef
    !
    !
    !
    !
    no ip domain search
    domain IP p911.positron name - psap.com
    name of the IP-server 10.4.0.1
    name of the IP-server 10.4.0.2
    name of the IP-server 10.5.0.3
    name of the IP-server 10.5.0.4
    IP multicast routing
    Authenticated MultiLink bundle-name Panel
    !
    !
    username * secret privilege 15 5 *.
    Archives
    The config log
    hidekeys
    !
    !
    TFTP IP source interface FastEthernet0/0.1
    !
    !
    !
    interface Tunnel5
    Description * TUNNEL to NODE B (Multicast only) *.
    IP 10.250.4.1 255.255.255.252
    IP pim-interval between queries 1
    origination-State pim IP 4 refresh rate
    PIM dense mode IP
    IP tcp adjust-mss 1436
    KeepAlive 1 6
    tunnel source 10.4.15.254
    tunnel destination 10.5.15.254
    !
    interface Tunnel25
    Description * TUNNEL at 25 SATELLITE (Multicast only) *.
    IP 10.250.25.1 255.255.255.252
    IP pim-interval between queries 1
    origination-State pim IP 4 refresh rate
    PIM dense mode IP
    IP tcp adjust-mss 1436
    KeepAlive 1 6
    tunnel source 10.4.15.254
    tunnel destination 10.25.15.254
    !
    interface FastEthernet0/0
    Description * to switch 1 last Port *.
    no ip address
    Speed 100
    full-duplex
    KeepAlive 1
    !
    interface FastEthernet0/0.1
    Description * BACKROOM LAN *.
    encapsulation dot1Q 1 native
    IP 10.4.15.253 255.255.240.0
    neighbor-filter IP pim DENY
    IP pim dr-priority 255
    IP pim-interval between queries 1
    origination-State pim IP 4 refresh rate
    PIM dense mode IP
    no ip mroute-cache
    KeepAlive 1
    45 minimum waiting time charge 60
    Watch 1 ip 10.4.15.254
    1 1 3 sleep timers
    1 standby preempt delay minimum charge 15 15 15 sync
    !
    interface FastEthernet0/1
    Description * BETWEEN R1 and R2 *.
    IP 10.252.204.1 255.255.255.252
    no ip proxy-arp
    IP-range of greeting 1 2604 eigrp
    IP - eigrp 2604 2 hold time
    no ip mroute-cache
    Speed 100
    full-duplex
    KeepAlive 1
    !
    interface FastEthernet0/0/0
    Description * WAN to H2 connection *.
    IP 172.16.215.246 255.255.255.0
    Speed 100
    full-duplex
    KeepAlive 1
    !
    interface FastEthernet0/0/1
    Description * connection to AAU *.
    IP 192.168.10.1 255.255.255.0
    Speed 100
    full-duplex
    KeepAlive 1
    45 minimum waiting time charge 60
    Watch 3 ip 192.168.10.3
    sleep timers 3 1 3
    3 standby preempt delay minimum charge 15 15 15 sync
    !
    Router eigrp 2604
    redistribute static
    passive-interface FastEthernet0/0.1
    passive-interface FastEthernet0/0/1
    10.4.0.0 network 0.0.15.255
    Network 10.252.0.0 0.0.255.255
    network 172.16.215.0 0.0.0.255
    No Auto-resume
    !
    IP forward-Protocol ND
    IP route 10.119.138.0 255.255.254.0 192.168.10.13
    IP route 10.121.1.0 255.255.255.0 192.168.10.13
    !
    !
    no ip address of the http server
    IP mroute 10.5.0.0 Tunnel5 255.255.240.0
    IP mroute 10.25.0.0 255.255.240.0 Tunnel25
    !
    standard IP DENY access list
    deny all
    !
    interface FastEthernet0/0.1 source journaling
    logging server-arp
    record 10.4.0.1
    !
    !
    control plan
    !
    !
    Line con 0
    local connection
    line to 0
    line vty 0 4
    exec-timeout 0 0
    local connection
    transport telnet entry
    line vty 5 15
    exec-timeout 0 0
    opening of session
    transport telnet entry
    !
    Scheduler allocate 20000 1000
    NTP-period clock 17177530
    NTP 10.4.0.1 Server
    end

    R H1BR1 #.

    I guess you are looking for

    interface FastEthernet0/0.1
    Description * BACKROOM LAN *.
    encapsulation dot1Q 1 native
    IP 10.4.15.253 255.255.240.0
     neighbor-filter IP pim DENY

    ?

    Best regards

    Milan

Maybe you are looking for

  • When the site of JohnLewis I add items to the basket but can't see the basket or check?

    I bought on JohnLewis.com years, but recently, I add stuff to the cart and then can't see basket or case. I just received message awaits Johnlewis etc. I can move on OK in Internet Explorer on the same PC, but it's so slow.

  • you send update messages?

    I got messages from outdated software update. Is sent by firefox? There are too many viruses out there for install me the update unless that I'm sure was sent by Firefox.

  • Tecra M3 - touchpad does not work with Windows 7

    I have a Tecra M3 I've updgraded to Windows 7. The touchpad does not work.The Web of Toshiba site has a Windows 7 drivers for this model. I tried install the driver of the touchpad and PVAT from the A11 model but still cannot make it work. Can anyone

  • Lenovo Y510p low fps after fans walk up

    I had to remove my lenovo y510p and change the dc port. Now everything works fine, but there seems to be a graphics card problem or something. After I have play a game on support ~ keen, the fan blows on both sides, high speed, it seems, then after a

  • Cyber-shot DSC-P100 pic view very blue sky

    My camera is 10 years (Cyber-shot DSC-P100 and until that time, no problem.) Problem: When you try to view the photos from the memory card or take those pictures become almost 'ghostly' very light blue or as an old "negative." I bought a new batttery