ISE pre-authorization access-list

Dear,

I created a pre-authorization access list for Cisco ISE 1.4, based on the switch configuration required to support Cisco ISE 2.0 functions. The Cisco IP phone is profiled properly and downloads a good list of permit ip access-list entries, but when I make a PSTN call I hear one-way audio. When I look at the switch connection it shows me that RTP has been blocked by the default access-list. My question is: when my dACL has been downloaded correctly, why is the default ACL still interrupting the RTP? I also see that ports 2000 and 2443 are blocked by the default access-list, so the phone loses its connection to the server; these are used for the CUCM keepalive.

Am I missing something?

Thank you

Which is not the same thing?

Try using 'details' after the command

Tags: Cisco Security

Similar Questions

  • Cisco ISE and WLC Access-List Design/scalability

    Hello

    I have a scenario where wireless clients are authenticated by the ISE and a different ACL is applied depending on the rules in the ISE. The problem I have seen is due to the limitation on the Cisco WLC that allows only 64 access lists. As the installation has only a few IVR/interfaces and several different access lists are applied on the same interface based on user groups, I was wondering if there is an alternative design/approach whereby the access list entries could be moved, i.e. create a vlan for each group of users and apply the access list on the layer 3 interface instead? I illustrated the configuration below for reference:

    User group 1 - apply ACL 1 - on Vlan 1

    User group 2 - apply ACL 2 - on Vlan 1

    User group 3 - apply ACL 3 - on Vlan 1

    The problem appears only for wireless users; it is not seen on wired users, as the ACLs can be applied on the switches without restriction.

    Any suggestion is appreciated.

    Thank you.

    In fact, you have limitations on the switch side as well. Long ACLs can deplete the AAGR resources of the switch. Take a look at this link:

    http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-3750-series-switches/68461-high-CPU-utilization-cat3750.html

    The new WLCs based on IOS XE, rather than the old Wireless/Aironet OS, will provide the best experience in these matters.

    Overall, I see three ways to overcome your current limitation:

    1. reduce the ACLs by making them less specific

    2. use L3 interfaces on an L3 switch or FW and apply the ACLs there

    3. use SGT/SGA

    I hope this helps!

    Please rate helpful posts!

  • Critical auth and limited access-list

    I am just playing with ISE 1.1.4 and critical auth, but I have a pretty locked-down default access list on the ports. Is it possible to replace a very restrictive default access list in the event of critical auth?

    It seems as if, when you are reliant on dACLs to provide access for devices (closed mode or similar), critical auth is not a viable option?

    Or have I misunderstood, and perhaps "authentication event server dead action authorize voice" does more than I expected.

    I guess I'm looking for something like "authentication event server dead action access-list less-restrictive-ACL".

    Thank you

    Gas

    Why not flip it on its head and have your less-restrictive-ACL default and impose more restrictive things through dACL?

  • Clearing hitcnt on an access list

    I've searched and can't seem to find a way to clear the hitcnt on an access list other than deleting and re-adding the access list. Does anyone know how to do this?

    Thank you

    J

    access-list sheep permit ip x.x.x.x 255.255.255.240 any (hitcnt=72408)

    On 6.1(4) code and later you can use:

    > clear access-list sheep counters

    In pre-6.1(4) code you must remove and re-add the ACL.

  • Split tunneling access list

    Hello

    I have some problems with the split tunneling configuration on an ASA 5520.

    Here's the scenario:

    A number of remote users connect via ipsec to the ASA 5520 (at the central site) using the ubuntu vpnc client.

    Split tunneling is used in order to allow remote users to surf the Internet using their ISP.

    The goal is to remove the possibility of ssh/telnet to servers within the local enterprise network for remote users.

    Here is a part of the config:

    group-policy REMOTE_gp internal
    group-policy REMOTE_gp attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     group-lock none
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value REMOTE_split

    tunnel-group REMOTE type remote-access
    tunnel-group REMOTE general-attributes
     authentication-server-group RADIUSGR
     default-group-policy REMOTE_gp
    tunnel-group REMOTE ipsec-attributes
     pre-shared-key *
     isakmp keepalive threshold 15 retry 10

    aaa-server RADIUSGR protocol radius
    aaa-server RADIUSGR (INSIDE_LAN) host 192.168.0.244

    access-list REMOTE_split extended deny tcp 192.168.0.0 255.255.255.0 range ssh telnet any
    access-list REMOTE_split extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

    ## 192.168.100.0/24 is the ip subnet from which the Radius server allocates ip addresses to remote users.

    access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq ssh 192.168.100.0 255.255.255.0
    access-list INSIDE_LAN_in extended deny tcp 192.168.0.0 255.255.255.0 eq telnet 192.168.100.0 255.255.255.0
    access-list INSIDE_LAN_in extended permit ip 192.168.0.0 255.255.255.0 any

    Nat is enabled on the interface, but there is a specific entry in the nat0 ACL for the 192.168.100.0 subnet:

    access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0

    The problem is that the remote users can easily ssh and telnet to servers in the INSIDE_LAN network. Whatever I put in the INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in the REMOTE_split ACL do not work either.

    You should configure a vpn-filter instead to block telnet and ssh access, as follows:

    access-list remote-filter extended deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 22
    access-list remote-filter extended deny tcp 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 23
    access-list remote-filter extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

    group-policy REMOTE_gp attributes
     vpn-filter value remote-filter

    The split tunnel ACL should have the following statement, and it should be a standard ACL instead of extended:

    access-list REMOTE_split standard permit 192.168.0.0 255.255.255.0

    Hope that helps.

  • ASA access list error | ERROR: % Incomplete command

    Hi all

    I am trying to enter the following rule but I get an error message. I already have a similar rule inside the firewall, so I don't really get what the problem is and how to go about troubleshooting. Can anyone help?

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https log

    (config-network)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https log
    ^
    ERROR: % Invalid host name

    SAME THING WITHOUT LOG:

    (config-network)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https
    ERROR: % Incomplete command

    SAME STUPID MISTAKE,

    THE SIMILAR RULE:

    # sh access-list | i 132.235.192.0
    access-list acl_inside line 2767 extended permit tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

    ???????

    I'm not sure whether this is a case-sensitivity issue with cisco?

    FW100ABCx(config)# object-group network 16-09-08F
    FW100ABCx(config-network)# network-object host 172.191.235.136
    Adding obj (network-object host 172.191.235.136) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.191.235.135
    Adding obj (network-object host 172.191.235.135) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.191.235.134
    Adding obj (network-object host 172.191.235.134) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)# network-object host 172.52.134.76
    Adding obj (network-object host 172.52.134.76) to grp (16-09-08F) failed; object already exists
    FW100ABCx(config-network)#
    FW100ABCx(config-network)# access-list acl_inside extended permit object-group$

    access-list acl_inside extended permit object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
    ERROR: % Incomplete command

    Hello Hassan,

    You're missing the protocol keyword (tcp/udp).
    Try this:

    object-group network 16-09-08F
     network-object host 172.191.235.136

    access-list acl_inside extended permit tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

    Regards,
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • IPv6 access list does not apply on autonomous Aironet 3602I-E

    As you can see in the attached config I configured two SSIDs (2G & 5G) with PEAP WPA2-Enterprise and a third (2G only) SSID on vlan 2 for 'poor man's guest access'.

    Basically I forced the Dot11Radio0.2 interface into bridge-group 1 to get all three SSIDs on vlan 1 (since I just want a quick and dirty way to allow guests access to the internet, without having to configure a separate vlan everywhere).

    The guest SSID (XX COMMENTS) allows TKIP in addition to AES and uses a PSK rather than PEAP. The IPv4 access lists configured on Dot11Radio0.2 allow clients connected to this SSID to get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic to the local network is blocked by the guest_ingress and guest_egress access lists.

    This all works very well; ipv4 is blocked for guests as expected. However, ipv6 is a different story. For some reason the ipv6 access list is completely ignored.

    Because I don't need ipv6 for guest access, I thought I would completely block it and be done with it. As you can see I have this set:

    interface Dot11Radio0.2
     ipv6 traffic-filter guest_ingress6 in
     ipv6 traffic-filter guest_egress6 out

    and these ipv6 access lists have only a "deny ipv6 any any" rule. Yet a client connected to the XX COMMENTS SSID gets an ipv6 address from the DHCPv6 server on the LAN and has full connectivity. For ipv4 I had to explicitly allow DHCP packets or the client would not even get an IP, so the ipv6 access lists are clearly not applied.

    No matter if I move the access lists to the Dot11Radio0 interface instead, they don't do anything. I thought that maybe I should add "ipv6 enable" on the Dot11Radio0.2 interface (even though ipv6 traffic was passing fine, even where it shouldn't), but when I set "ipv6 enable" on Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite reset loop:

    000261: Sep 23 2016 22:32:50.512 EST: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
    000262: Sep 23 2016 22:32:50.516 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    000263: Sep 23 2016 22:32:50.524 EST: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    000264: Sep 23 2016 22:32:51.516 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    000265: Sep 23 2016 22:32:51.560 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    000266: Sep 23 2016 22:32:51.568 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    000267: Sep 23 2016 22:32:51.576 EST: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    000268: Sep 23 2016 22:32:52.608 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    000269: Sep 23 2016 22:32:53.608 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    000270: Sep 23 2016 22:32:53.608 EST: %DOT11-5-EXPECTED_RADIO_RESET: Restarting Radio interface Dot11Radio0 due to interface reset
    000271: Sep 23 2016 22:32:53.612 EST: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    etc.

    In addition, when creating an ipv6 access list like this:

    ipv6 access-list guest_egress6
     deny ipv6 any any

    another one is automatically created:

    ipv6 access-list role-based IPv6-guest_egress6
     deny ipv6 any any

    Deleting one also removes the other.

    What is happening with these ipv6 ACLs, why are they not blocking all traffic? Why do I get a "role-based" acl too? Is it associated with the first one?

    Is there another way to kill just any ipv6 traffic on the XX COMMENTS SSID while leaving the others alone? That's all I need at this stage. If the ipv6 ACLs do not work, perhaps this can be done by (ab)using a service-policy or policy routing? I'm open to creative solutions :)

    PS. I know this is not the recommended way to configure a guest SSID, but it should still work IMO.

    You have run into a bug I discovered a few months ago (CSCva17063). In your case the workaround is to apply the ACL on the physical interface rather than the subinterface (since you want to completely block IPv6 anyway). I am writing up my findings regarding denying traffic on autonomous APs in a blog post, which might be interesting for you to read as well.

    Remember that the access point is used as a bridge between the wired and wireless infrastructure, not as a router. There are some IOS routing commands (like the "ipv6 enable" command you pointed out), but these are not features that should be used or need to be enabled on an access point.

    Because the internal and guest networks are routed somewhere else, I would perform the filtering on that device instead. Also the gi0.2 subinterface is missing from your configuration, so I don't think guest access is currently working at all?

    Please rate helpful posts... :-)

  • Access list ID # on a PIX firewall

    Does anyone know what the access list identifiers are on a PIX firewall?

    IOS standard = 1-99

    IOS extended = 100-199.

    PIX = ?

    There is no "limit" per se in the PIX. Those limits exist in IOS because they define what 'type' of acl it is, i.e. APPLETALK, IPX, IP etc. The PIX is IP only, so this type of identification is not necessary.

    access-list 100000000000000; 1 elements

    access-list 100000000000000 line 1 permit ip any any (hitcnt=0)

    Jason

  • 300 line deny access-list

    Everyone;

    I need a few questions answered on how to condense a 300 line deny access-list into something shorter. Right now we want to put the abbreviated version of the access list on the 7204 VXR border router if possible. It is an attempt to block known bad IP addresses that are not network friendly. Currently there are 2 ASA 5540s behind the border router.

    Thanks in advance;

    gmaurice

    No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)

  • Router access list - where is it applied?

    I seem to be missing something here. I have an 1841 router that has an access list configured, and it actually drops packets based on this access list. I can't for the life of me see where this access list is applied. Can anyone provide an overview? Here is the result of "show run":

    R-H1BR1#sh run
    Building configuration...

    Current configuration : 3391 bytes
    !
    ! No configuration change since last restart
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R-H1BR1
    !
    boot-start-marker
    boot-end-marker
    !
    logging count
    logging buffered 51200
    no logging console
    !
    no aaa new-model
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name p911.positron-psap.com
    ip name-server 10.4.0.1
    ip name-server 10.4.0.2
    ip name-server 10.5.0.3
    ip name-server 10.5.0.4
    ip multicast-routing
    multilink bundle-name authenticated
    !
    !
    username * privilege 15 secret 5 *
    archive
     log config
      hidekeys
    !
    !
    ip tftp source-interface FastEthernet0/0.1
    !
    !
    !
    interface Tunnel5
     description * TUNNEL to NODE B (Multicast only) *
     ip address 10.250.4.1 255.255.255.252
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     ip tcp adjust-mss 1436
     keepalive 1 6
     tunnel source 10.4.15.254
     tunnel destination 10.5.15.254
    !
    interface Tunnel25
     description * TUNNEL to SATELLITE 25 (Multicast only) *
     ip address 10.250.25.1 255.255.255.252
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     ip tcp adjust-mss 1436
     keepalive 1 6
     tunnel source 10.4.15.254
     tunnel destination 10.25.15.254
    !
    interface FastEthernet0/0
     description * to switch 1 last Port *
     no ip address
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0.1
     description * BACKROOM LAN *
     encapsulation dot1Q 1 native
     ip address 10.4.15.253 255.255.240.0
     ip pim neighbor-filter DENY
     ip pim dr-priority 255
     ip pim query-interval 1
     ip pim state-refresh origination-interval 4
     ip pim dense-mode
     no ip mroute-cache
     keepalive 1
     standby delay minimum 45 reload 60
     standby 1 ip 10.4.15.254
     standby 1 timers 1 3
     standby 1 preempt delay minimum 15 reload 15 sync 15
    !
    interface FastEthernet0/1
     description * BETWEEN R1 and R2 *
     ip address 10.252.204.1 255.255.255.252
     no ip proxy-arp
     ip hello-interval eigrp 2604 1
     ip hold-time eigrp 2604 2
     no ip mroute-cache
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0/0
     description * WAN connection to H2 *
     ip address 172.16.215.246 255.255.255.0
     speed 100
     full-duplex
     keepalive 1
    !
    interface FastEthernet0/0/1
     description * connection to AAU *
     ip address 192.168.10.1 255.255.255.0
     speed 100
     full-duplex
     keepalive 1
     standby delay minimum 45 reload 60
     standby 3 ip 192.168.10.3
     standby 3 timers 1 3
     standby 3 preempt delay minimum 15 reload 15 sync 15
    !
    router eigrp 2604
     redistribute static
     passive-interface FastEthernet0/0.1
     passive-interface FastEthernet0/0/1
     network 10.4.0.0 0.0.15.255
     network 10.252.0.0 0.0.255.255
     network 172.16.215.0 0.0.0.255
     no auto-summary
    !
    ip forward-protocol nd
    ip route 10.119.138.0 255.255.254.0 192.168.10.13
    ip route 10.121.1.0 255.255.255.0 192.168.10.13
    !
    !
    no ip http server
    ip mroute 10.5.0.0 255.255.240.0 Tunnel5
    ip mroute 10.25.0.0 255.255.240.0 Tunnel25
    !
    ip access-list standard DENY
     deny   any
    !
    logging source-interface FastEthernet0/0.1
    logging server-arp
    logging 10.4.0.1
    !
    !
    control-plane
    !
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     login local
     transport input telnet
    line vty 5 15
     exec-timeout 0 0
     login
     transport input telnet
    !
    scheduler allocate 20000 1000
    ntp clock-period 17177530
    ntp server 10.4.0.1
    end

    R-H1BR1#

    I guess you are looking for

    interface FastEthernet0/0.1
     description * BACKROOM LAN *
     encapsulation dot1Q 1 native
     ip address 10.4.15.253 255.255.240.0
     ip pim neighbor-filter DENY

    ?

    Best regards

    Milan

  • Cisco 837 and access list

    Hi all

    Sorry if my question sounds stupid, but I have had a lot of problems with the access list syntax, especially when removing a line from an access list. For example:

    Here is my access list

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

    If I want to delete only this line

    access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    I do not know how; if I do:

    no access-list 120 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    the whole access-list 120 is removed!

    Help, please!

    Olivier

    Hi, this is the usual behaviour: if you delete the access list by its statement, the entire access list is deleted.

    You can create a named extended access-list and have a sequence number for each statement.

    !
    ip access-list standard note
     permit 172.10.0.0 0.0.255.255
     permit 10.1.1.0 0.0.0.255
     permit 192.168.1.0 0.0.0.255
     deny any
    !

    and if you want to delete something in between, or any particular line, you can run the command like this, which will remove that line instead of the entire ACL itself...

    (config)#ip access-list standard note

    (config-std-nacl)#no 3

    These configuration lines will remove the third line only (which permits 192.168.1.0 0.0.0.255), leaving the other statements.

    regds

  • Permit icmpv6 in an ipv4 access list for the tunnel

    Hello

    I have a little problem with an ipv4 access list blocking my ipv6 tunnel.

    My tunnel works and is as follows:

    interface Tunnel0
     no ip address
     ipv6 address
     ipv6 enable
     tunnel source
     tunnel mode ipv6ip
     tunnel destination

    So when I apply the access list below to the WAN interface in the IN direction, IPv6 stops working (everything works on IPv4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.com's IP. I can still ping the remote tunnel ipv6 IP ().

    The access list I apply is the following:

    permit tcp any any established
    permit udp any eq domain any
    permit udp any eq 67 any eq 68
    permit udp any eq 123 any
    permit udp any eq 3740 any
    permit udp any eq 41 any
    permit udp any eq 5072 any
    permit icmp any any
    deny ip any any log

    Here are the requirements from the tunnel provider, and one of the entries is ICMPv6. Is it possible to permit icmpv6 in a Cisco access list?

    TCP 3874 | tic.sixxs.net | IPv4 | TIC (Tunnel Information & Control protocol) | Used to retrieve tunnel information (for instance by AICCU) | Uses TCP and should work without problems
    UDP 3740 | PoP | IPv4 | Heartbeat Protocol | Used for signalling where the current IPv4 endpoint of the tunnel is and that it is alive | Only from the user to the PoP
    Protocol 41 | PoP | IPv4 | IPv6 over IPv4 (6in4 tunnel) | Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels) | The internal host usually has to be designated as the DMZ host to pass the NAT
    UDP 5072 | PoP | IPv4 | AYIYA (Anything In Anything) | Used for tunneling IPv6 over IPv4 (AYIYA tunnels) | Should cross most NATs and even firewalls without any problem
    ICMPv6 echo reply | tunnel endpoints | IPv6 | Internet Control Message Protocol for IPv6 | Used to test if a tunnel is alive by pinging the tunnel endpoint (tunnel::2) from the PoP side of the tunnel (tunnel::1) | No, because it happens inside the tunnel

    Did I miss something?

    Side question: I added the "deny ip any any log" to the access list, but it adds no entry to the log (show log). I'm sure it is hit, because when I run "show access-lists" I see: 110 deny ip any any log (2210 matches).

    Hope someone can help me.

    Hello

    In the ACL above you are at least specifying source and destination ports for UDP, and 41 as a SOURCE port.

    If you specify IPv6 over IPv4 in an ACL I guess the format would be "permit 41 any any", for example.

    Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure both an IPv4 ACL and an IPv6 ACL and attach them to the same interface?

    But looking at my own router it does not support these commands, so other devices would have to do it. Maybe something related to the model/software, I guess.

    -Jouni

  • Order of access-list syntax

    Hello

    I have a small question about the order in the syntax for an access list. I have made my access list work now, but I don't understand why.

    It looked like this when it did not work:

    (outside interface, incoming traffic)

    access-list 100 permit tcp any any established log
    access-list 100 permit udp any any eq domain log
    access-list 100 permit tcp any any eq domain log
    access-list 100 deny ip any any log

    To make this work, I had to add these two lines:

    access-list 100 permit udp any eq domain any log
    access-list 100 permit tcp any eq domain any log

    I do not understand the difference between

    access-list 100 permit udp any eq domain any

    and

    access-list 100 permit udp any any eq domain

    If you're wondering what the main goal of the list is, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have "established".

    Hello

    Again, as I understand it this ACL 100 is attached to the router's WAN interface in the 'in' direction. This means it controls traffic entering your LAN.

    Now when we look at how DNS works with regard to this ACL:

    • A DNS lookup is usually made to destination port UDP/53
    • The PC uses a random source port for the DNS lookup
    • Responses from the DNS server to the lookup have source port UDP/53
    • Responses from the DNS server go to the PC on the source port the PC used for the DNS lookup

    So naturally you'll see responses from the DNS server host with source port UDP/53.

    If the ACL line with destination port UDP/53 were getting all the hits, that would mean you are hosting a DNS server and the DNS lookups were destined for your network.

    Also to your other question: if you set no ports for TCP/UDP in the ACL, then it accepts any source/destination port.

    Hope this helps

    Please remember to mark the question as answered if it has been.

    -Jouni
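    The Cisco 837 thread above (deleting a single line of a numbered ACL) and this thread (why "eq domain" after the source matches DNS replies while "eq domain" after the destination does not) both come down to how IOS evaluates access-list entries. The Python model below is an added example, not code from either thread or from Cisco; it assumes IOS semantics as described by the answers (wildcard masks where a 1 bit means "don't care", first match wins, an implicit deny at the end, and sequence numbers auto-assigned in steps of 10), and the addresses, ports and ACL contents are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed model of IOS extended-ACL evaluation (not Cisco code): wildcard
# masks, first match wins, implicit deny at the end, sequence-numbered entries.
ANY = ("0.0.0.0", "255.255.255.255")   # the IOS 'any' keyword


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'do not care', so compare only the 0 bits."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    seq: int
    action: str                     # 'permit' or 'deny'
    proto: str                      # 'ip' matches any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None  # 'eq N' written after the source address
    dst_port: Optional[int] = None  # 'eq N' written after the destination


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)
            and (e.src_port is None or p.sport == e.src_port)
            and (e.dst_port is None or p.dport == e.dst_port))


class AccessList:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, action: str, proto: str, src=ANY, dst=ANY,
            src_port: Optional[int] = None, dst_port: Optional[int] = None,
            seq: Optional[int] = None) -> int:
        """Append an entry; like IOS, auto-number in steps of 10 when seq is omitted."""
        if seq is None:
            seq = max((e.seq for e in self.entries), default=0) + 10
        self.entries.append(Entry(seq, action, proto, src[0], src[1],
                                  dst[0], dst[1], src_port, dst_port))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def remove_seq(self, seq: int) -> bool:
        """'no <seq>' inside a named ACL removes one entry and keeps the rest."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.seq != seq]
        return len(self.entries) < before

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """The first matching entry decides; no match means the implicit deny."""
        for e in self.entries:
            if entry_matches(e, p):
                return e.action, e.seq
        return "deny", None


def dns_direction_demo() -> dict:
    """Inbound WAN ACL: 'eq 53' after the destination misses DNS replies."""
    # constructed packets: a reply from a resolver, and a query aimed at an inside host
    reply = Packet("udp", "203.0.113.53", "192.168.1.10", sport=53, dport=51234)
    inbound_query = Packet("udp", "198.51.100.7", "192.168.1.10", sport=40000, dport=53)
    dst_port_acl = AccessList()
    dst_port_acl.add("permit", "udp", dst_port=53)   # permit udp any any eq domain
    src_port_acl = AccessList()
    src_port_acl.add("permit", "udp", src_port=53)   # permit udp any eq domain any
    return {
        "reply_with_dst_eq_53": dst_port_acl.evaluate(reply)[0],
        "reply_with_src_eq_53": src_port_acl.evaluate(reply)[0],
        "query_to_inside_with_dst_eq_53": dst_port_acl.evaluate(inbound_query)[0],
    }


def sequence_delete_demo() -> Tuple[List[int], str]:
    """Drop the third entry of a named ACL by sequence number, not the whole ACL."""
    acl = AccessList()
    acl.add("permit", "ip", src=("172.10.0.0", "0.0.255.255"))
    acl.add("permit", "ip", src=("10.1.1.0", "0.0.0.255"))
    third = acl.add("permit", "ip", src=("192.168.1.0", "0.0.0.255"))
    acl.remove_seq(third)                            # 'no 30' in config-std-nacl mode
    verdict, _ = acl.evaluate(Packet("ip", "192.168.1.5", "10.0.0.1"))
    return [e.seq for e in acl.entries], verdict
```

    Running dns_direction_demo() shows the reply with source port 53 being dropped by the implicit deny under "permit udp any any eq domain" and permitted under "permit udp any eq domain any", while the only packet the first form admits is one addressed to port 53 on an inside host, which is exactly the "you would be hosting a DNS server" case in the answer. sequence_delete_demo() leaves entries 10 and 20 in place after removing 30, and a packet from 192.168.1.5 then falls through to the implicit deny.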

  • access-list with PAT

    Hi guys,

    I would like to know if you can have deny statements in the access list used with PAT, i.e. a deny entry in the access list for traffic that you do not want to be PATed.

    example:

    access-list acl-pat deny ip 10.0.0.1 0.0.0.0 any

    access-list acl-pat permit ip 10.0.0.0 0.0.0.255 any

    if I don't want 10.0.0.1 PATed.

    Hello

    It's perfectly legal and quite a common practice.

    Hope that helps - please rate the post if it does.

    Paresh

  • bug in IOS? startup-config + access-list command + invalid input detected

    I posted this yesterday in the usenet newsgroup comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

    Cisco 827

    IOS (tm) C820 Software (C820-K9OSY6-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)

    I'm looking to use a named host in an extended access list. The script I copy to startup-config contains the following entries:

    ! the 2 following lines appear at the top of the script
    ip name-server 123.123.123.123 123.123.123.124
    ip domain-lookup

    ! the following line appears at the bottom of the script
    access-list 120 permit ip host passports-01.mx.aol.com any

    When I reboot the router, I see the following message:

    Translating "passports-01.mx.aol.com"...domain server (255.255.255.255)

    access-list 120 permit ip host passports-01.mx.aol.com any
                                   ^
    % Invalid input detected at '^' marker.

    It seems as if the router's name-server entry is not processed prior to the access list. I can even check with

    router02#sh access-lists 120

    that the access list entry does *not* exist.

    But when I manually type the entry into the router I see the following:

    router02(config)#access-list 120 permit ip host passports-01.mx.aol.com any

    Translating "passports-01.mx.aol.com"...domain server (123.123.123.123)

    [OK]

    and I can confirm its creation:

    router02#sh access-lists 120

    Extended IP access list 120

    permit ip host 64.12.137.89 any

    I must be doing something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same etiquette/common sense applies here as applies to usenet newsgroups, i.e. do we post actual ip addresses in our configs or must they be edited?)

    Any help is very much appreciated.

    Hello

    Currently IOS does not use DNS names in ACLs in the saved/running configuration.

    When you type in an access list with a domain name, it looks it up and replaces it with the IP address. I remember seeing a bug recently requesting this feature, but I don't remember the bug id # now.

    Router(config)#access-list 187 permit ip any host www.cisco.com

    Router(config)#^Z

    router#show run | inc 187

    access-list 187 permit ip any host 198.133.219.25

    router#show ver | inc 12

    IOS (tm) C800 Software (C800-K9NOSY6-MW), Version 12.2(13)T, RELEASE
