problem of access lists

Hello, I have a problem with PIX Firewall Version 6.0 (1), the problem is:

I have a pix with interface 3 inside, outside and dmz.

IP address outside x.x.x.2 255.255.255.248

IP address inside 200.115.10.10 255.255.255.0

192.168.6.28 dmz IP address 255.255.255.0

I need to make an acl where only 3 PC inside access server installed in the demilitarized zone, with a public ip, but the LCD is not working.

Here is the ACL, but I change the IP addresses.

access-list 108 allow ip 200.115.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

access-list 108 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.10.0 255.255.255.0

access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.20.0 255.255.255.0

access-list 88 allow ip 200.115.10.0 255.255.255.0 200.105.30.0 255.255.255.0

pager lines 24

opening of session

interface ethernet0 car

Auto interface ethernet1

Auto interface ethernet2

Outside 1500 MTU

Within 1500 MTU

MTU 1500 dmz

IP address outside x.x.x.2 255.255.255.248

IP address inside 200.115.10.10 255.255.255.0

192.168.6.28 dmz IP address 255.255.255.0

alarm action IP verification of information

alarm action attack IP audit

172.16.1.1 - 172.16.1.254 test IP local pool

no failover

failover timeout 0:00:00

failover poll 15

failover outside 0.0.0.0 ip address

IP Failover inside 0.0.0.0

failover dmz 0.0.0.0 ip address

history of PDM activate

ARP timeout 14400

Global 1 interface (outside)

Global (dmz) 1 192.168.6.10

NAT (inside) - 0 108 access list

NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

NAT (dmz) 1 0.0.0.0 0.0.0.0 0 0

(inside) alias x.x.x.5 192.168.6.30 255.255.255.255

static (inside, outside) x.x.x.6 10.10.70.1 netmask 255.255.255.255 0 0

static (inside, outside) x.x.x.4 200.115.10.16 netmask 255.255.255.255 0 0

static (dmz, external) x.x.x.5 192.168.6.30 netmask 255.255.255.255 0 0

conduct permitted tcp x.x.x.6 eq lotusnotes host everything

conduct permitted tcp 2x.x.x.4 eq www host everything

conduct permitted tcp x.x.x.4 eq lotusnotes host everything

conduct permitted tcp x.x.x.5 eq www host everything

driving allowed host tcp x.x.x.5 eq field all

allow icmp a conduit

driving allowed host tcp https eq x.x.x.5 all

conduct permitted tcp 2x.x.x.5 eq 21010 host everything

the public IP address I need to access it from the inside is x.x.x.5

Hello

The ACL you provide will always be the same when shorten you it to this:

access-list 110 deny tcp host 200.115.10.0 host x.x.x.5

Access-group 110 in the interface inside

(it wouldn't work well, because the host 200.115.10.0 * watch the zero * probably does not exist)

Assuming that your dmz has a lower securitylevel then your inside interface, you must remember that if the packages are make from the highest to the lowest level of security the PIX performs the following operations:

(1) if it is an existing stream, leave the package through

(2) if it is not an existing stream, see ACL

(3) if the ACL refuses, then drop the package, if ACL allows, leave package through

(4) if the ACL does not at all, leave the package through (since it is the high level of low security)

But I guess that this is not what you want to achieve.

I think you need something like this:

access-list 110 permit tcp host 200.115.10.40 x.x.x.5 eq www

access-list 110 permit tcp host 200.115.10.41 x.x.x.5 eq www

access-list 110 permit tcp host 200.115.10.42 x.x.x.5 eq www

access-list 110 deny ip 200.115.10.0 255.255.255.0 255.255.255.0 x.x.x.0

(assuming that you have a 24 - bit subnet on your dmz)

access ip-list 110 permit a whole

Access-group 110 in the interface inside

This will allow three internal hosts to access the server x.x.x.5 you dmz with HTTP, than anyone else on the 200.115.10.0/24 subnet to the dmz and allow traffic on all the others outside.

I hope this helps.

Kind regards

Leo

Tags: Cisco Security

Similar Questions

  • ACCESS LIST QUESTIONS?

    I have a hand router Cisco 871 and 5 remote sites using the Cisco 850. The tunnel comes up fine and can ping back from the 850 to the 871. However, I think that I have a problem of access list because I can't open the main database which is on the main site of any of the 5 locations nor do I get on the internet that the proxy server get no not at other sites. I can ping these remote sites, but cannot use them in fact. These rules are very different, and then the PIX.

    192.168.1x

    * THE REMOTE SITE

    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

    access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

    access-list 101 permit ip 192.168.1.0 0.0.0.255 any

    not run cdp

    sheep allowed 10 route map

    corresponds to the IP 101

    192.168.0.X

    HAND ROUTER

    recording of debug trap

    access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

    access-list 101 permit ip 192.168.0.0 0.0.0.255 any

    access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

    access-list 103 allow ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

    access-list 104. allow ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

    not run cdp

    sheep allowed 10 route map

    corresponds to the IP 101

    !

    IP tcp mss<68-10000>

    Hope this helps,

    Gilbert

  • IOS VPN on 7200 12.3.1 and access-list problem

    I'm in IOS 12.3 (1) a 7200 and have configured it for VPN access. I use the Cisco VPN client. Wonder if someone has encountered the following problem, and if there is a fix.

    The external interface has the access-list standard applied that blocks incoming traffic. One of the rules is to block the IPs private, not routable, such as the 10.0.0.0 concern, for example.

    When I set my VPN connection, none of my packets get routed and I noticed that outside access list interface blocks the traffic. When I connect to the router through VPN, the router attributes to the client an IP address from a pool of the VPN as 10.1.1.0/24. But normal outside the access list denies this traffic as it should. But as soon as I have established a VPN connect, it seems that my encrypted VPN traffic must ignore the external interface access list.

    If I change my external access list to allow traffic from source address 10.1.1.0/24 my VPN traffic goes through correctly, but this goes against the application to have an outdoor access list that denies such traffic and have a VPN.

    Anyone else seen this problem or can recommend a software patch or version of IOS which works correctly?

    Thank you

    R

    That's how IOS has always worked, no way around it.

    The reasoning is to do with the internal routing on the router. Basically an encrypted packet inherits from the interface and initially past control of ACL as an encrypted packet. Then expelled the crypto engine and decrypted, so we now have this sitting pouch in the cryptographic engine part of the router. What do we with her now, keeping in mind users may want political route she is also, might want to exercise, qos, etc. etc. For this reason, the package is basically delivered on the external interface and running through everything, once again, this time as a decrypted packet. If the package hits the ACL twice, once encrypted and clear once.

    Your external ACL shall include the non encrypted and encrypted form of the package.

    Now, if you're afraid that people can then simply spoof packets to come from 10.1.1.0 and they will be allowed through your router, bzzzt, wrong. The first thing that the router checks when it receives a packet on an interface with a card encryption applied is that if the package needs to be encrypted, it is from his crypto ACL and its IP pools. If he receives a decrypted packet when it knows that it must have been encrypted, it will drop the package immediately and a flag a syslog something as "received the decrypted packet when it should have been."

    You can check on the old bug on this here:

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCdz54626&submit=search

    and take note of the section of the security implications, you may need to slightly modify your configuration.

  • card crypto access lists / problem if more than one entry?

    Access list for IPSec enabled traffic.

    I've been recently setting up a VPN between two sites and I came across the following problem:

    I wanted to install a VPN that only 2 posts from site A to site B, a class C network

    So I created a list of access as follows:

    access-list 101 permit IP 192.168.0.1 host 192.168.1.0 0.0.0.255

    access-list 101 permit IP 192.168.0.2 host 192.168.1.0 0.0.0.255

    When I applied the access list above to map (match address 101) encryption, I quickly realized that only the first host (192.168.0.1) was successfully encrypted beeing while the other could not. I've been geeting on ipsec debugging errors saying that traffic to 192.168.0.2 denyed by the access list.

    When I changed the access list above with the following

    access-list 101 permit IP 192.168.0.1 0.0.0.255 192.168.1.0 0.0.0.255

    two items of work could successfully encrypted through IPSec tunnel.

    To look further into it, I realized that only the first entry of the IPsec access list has been really tested for the corresponding traffic!

    Is this a normal behavior or a known Bug? No work around for this problem?

    Kind regards.

    If you have ipsec-manual crypto map in crypto ACL, you can specify that an ACE. Check 12.2 docs:

    Access lists for labelled as ipsec-manual crypto map entries are limited to a single permit entry and the following entries are ignored. In other words, the security associations established by this particular entry card crypto are only for a single data stream. To be able to support several manually created security for different types of traffic associations, define multiple crypto access lists and then apply each a separate entrance card crypto ipsec-manual. Each access list should include a statement to define which traffic to protect.

  • PIX Firewall 525 access list problem

    Hello.

    I have the following problem. After insertion of an access list, despite seeing the packages associated with the list, they do not "match", that is, it is as if the list wasn't doing his job.

    Who can be the cause of this behavior?

    PIX 525 model

    IOS 6.3 (4)

    Thank you.

    Marulanda Ramiro Z.

    Are all of syslogs sent properly to the remote host? If so, I would say that the udp connection is never closed by the PIX. Let's say that the connection never hit the timeout in the pix config. If the connection remains open and doesnot increments the hit count for your access list. I have a PIX that makes the same behavior.

    The increase in the number of accesses is also based on the connection and not on each packet passing through the PIX.

    You can use a debug command to see the packets through the PIX.

    HTH

    Mike

  • Access list ASA Error | ERROR: % incomplete command

    Hi all

    I am trying to enter the following rule but I get an error message, I have a similar rule already inside the firewall, so I don't get really what is the problem and how to go about troubleshooting. Can anyone help?

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https Journal

    (network-config) # access - list extended acl_inside permitted object-group$

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
    255.192.0 log https eq
    ^
    ERROR: % name host not valid

    SAME THING WITHOUT JOURNAL

    (network-config) # access - list extended acl_inside permitted object-group$

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
    255.192.0 eq https
    ERROR: % incomplete command

    SAME STUPID MISTAKE,

    THE SIMILAR RULE;

    # ACCess-list HS | I have 132.235.192.0
    permit for line acl_inside of access list extended 2767 tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

    ???????

    I'm not sure that this ensures a case of cisco?

    FW100ABCx (config) # 16-09-08F object-group network
    FW100ABCx(config-Network) # host network-object 172.191.235.136
    Add items (host to network-object 172.191.235.136) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) # host network-object 172.191.235.135
    Add items (host to network-object 172.191.235.135) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) # host network-object 172.191.235.134
    Add items (host to network-object 172.191.235.134) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) # host network-object 172.52.134.76
    Add items (host to network-object 172.52.134.76) to grp has failed (16-09-08F); the object already exists
    FW100ABCx(config-Network) #.
    FW100ABCx(config-Network) # acl_inside of access allowed object-group list $

    acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
    ERROR: % incomplete command

    Hello Hassan.

    You're missing the key word of Protocol (tcp/udp)
    Try this:

    the object-group 16-09-08F network
    host of the object-Network 172.191.235.136

    acl_inside list extended access permitted tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

    Concerning
    Dinesh Moudgil

    PS Please rate helpful messages.

  • line 300 deny access-list

    Everyone;

    I need a few questions answered on how to condense on a 300 line refuse access-list into something maybe shorter. Right now, we want to put the abbreviated version of access on the border router 7204 VXR if possible list. It is an attempt to block possible known bad IP address that are not network friendly. Currently there are 2 ASA 5540 behind the border router.

    Thanks in advance;

    gmaurice

    No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)

  • Cisco 837 and access list

    Hi all

    Sorry if my question sounds stupid, but I had a lot of problems with the syntax of the access list, especially to remove a line in an access list, for example:

    Here is my list of access

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

    If I want to delete only this line

    access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    I do not know how, I if do:

    no access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

    all the access-list 120 is removed!

    Help, please!

    Olivier

    Hi, this is the usual behavior, if you delete the access list of the entire statement with sequence number is deleted.

    You can create a named extended access-list and have the sequence number for each statements.

    !

    Standard IP access list note

    permit 172.10.0.0 0.0.255.255

    10.1.1.0 permit 0.0.0.255

    permit 192.168.1.0 0.0.0.255

    deny all

    !

    and if you want to delete something in between, or any particular line, you can run the command like this that will remove this line instead of the entire ACL itself...

    Standard note of access-list (config) #ip

    (config-std-nacl) #no 3

    This configuration lines will remove the third line only (which is to allow the 192.168.1.0 0.0.0.255, leaving the other statements)

    regds

  • allow icmpv6 in ipv4-access list in the tunnel

    Hello

    I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

    My tunnel works and is as follows:

    interface Tunnel0

    no ip address

    IPv6 address

    enable IPv6

    source of tunnel

    ipv6ip tunnel mode

    tunnel destination

    So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

    Access list that I apply is the following:

    allow tcp any a Workbench

    allowed UDP any eq field all

    allowed any EQ 67 udp no matter what eq 68

    allowed UDP any eq 123 everything

    allowed UDP any eq 3740 everything

    allowed UDP any eq 41 everything

    allowed UDP any eq 5072 everything

    allow icmp a whole

    deny ip any any newspaper

    Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

    TCP 3874 TIC.sixxs.net IPv4 ICT (Information Tunnel & Control Protocol) Used to retrieve the information of tunnel (for instance AICCU) Uses the TCP protocol and should work without problems
    UDP 3740 PoP IPv4 Heartbeat Protocol Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive the user only to pop out
    Protocol 41 PoP IPv4 IPv6 over IPv4 (6 in 4 tunnel) Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat) We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
    UDP 5072 PoP IPv4 AYIYA (anything in anything) Used for tunneling IPv6 over IPv4 (AYIYA tunnels) Must cross most NAT and even firewalls without any problem
    ICMPv6 echo response. Tunnel endpoints IPv6 Internet Control Message Protocol for IPv6 Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel No, because it is happening inside the tunnel

    I missed something?

    sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

    Hope someone can help me.

    Hello

    In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

    If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

    Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

    But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

    -Jouni

  • A possible bug related to the Cisco ASA "show access-list"?

    We had a strange problem in our configuration of ASA.

    In the "show running-config:

    Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

    Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

    Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

    access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

    access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

    access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

    access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

    access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

    inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

    inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

    inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

    inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

    Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

    inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

    inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

    Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

    inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

    Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

    inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

    Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

    Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

    access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

    Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

    Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

    inside_access_in list extended access permitted ip object windowsusageVM any newspaper

    inside_access_in list of allowed ip extended access any object testCSM

    inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

    Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

    inside_access_in list extended access permit ip host 172.31.254.2 any log

    Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

    inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

    In the "show access-list":

    access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

    access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

    Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

    4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

    line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

    line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

    line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

    line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

    allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

    allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

    allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

    allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

    allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

    allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

    access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

    allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

    allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

    allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

    allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

    access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

    allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

    allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

    access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

    permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

    access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

    permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

    allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

    access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

    25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

    allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

    permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

    access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

    allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

    allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

    allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

    allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

    permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

    access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

    allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

    access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

    allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

    There is a comment in the running configuration: (line 26)

    Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

    This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

    Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

    Thanks in advance.

    See the version:

    Cisco Adaptive Security Appliance Software Version 4,0000 1

    Version 7.1 Device Manager (3)

    Updated Friday, June 14, 12 and 11:20 by manufacturers

    System image file is "disk0: / asa844-1 - k8.bin.

    The configuration file to the startup was "startup-config '.

    fmciscoasa up to 1 hour 56 minutes

    Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

    Internal ATA Compact Flash, 128 MB

    BIOS Flash M50FW016 @ 0xfff00000, 2048KB

    Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

    Start firmware: CN1000-MC-BOOT - 2.00

    SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

    Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

    Number of Accelerators: 1

    Could be linked to the following bug:

    CSCtq12090: ACL note line is missing when the object range is set to ACL

    The 8.4 fixed (6), so update to a newer version and observe again.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Access list does not work

    I want that no package would leave f0/0 (R2).

    Here is my configuration:

    R1:

    !

    interface FastEthernet0/0

    IP 192.168.1.1 255.255.255.0

    !

    R2:

    !

    interface FastEthernet0/0

    IP 192.168.1.2 255.255.255.0

    IP access-group 101 out

    !

    access-list 101 deny ip any one

    !

    Given the configs shown in the original post R2 will be able to ping to R1 and I guess this (or something very similar) is what brings the original poster said that the ACL does not work.

    The problem here is that a list of access applied on an interface will not process the traffic generated by the router itself. The illustrious ACL will be very effective in preventing transit traffic (traffic that came from somewhere to R2 and must be DISPATCHED f0/0). But it will not work on the packages generated by R2.

    HTH

    Rick

  • Cisco ISE and WLC Access-List Design/scalability

    Hello

    I have a scenario that wireless clients are authenticated by the ISE and different ACL is applied depending on the rules in the ISE. The problem I have seen is due to the limitation on the Cisco WLC that limit only 64 input access list. As the installer has only a few IVR/interfaces and several different access lists are applied to the same base on user groups interface; I was wondering if there may be an evolutionary design / approach according to which the access list entries can evolve next to create a vlan for each group of users and apply the access list on the interface of layer 3 instead? I illustrated the configuration below for reference:

    Group of users 1 - apply ACL 1 - on Vlan 1

    User 2 group - apply ACL 2 - on the Vlan 1

    3 user group - apply ACL 3 - on the Vlan 1

    The problem appears only for wireless users, he does not see on wired users as the ACLs can be applied successfully without restriction as to the switches.

    Any suggestion is appreciated.

    Thank you.

    In fact, you have limitations on the side of the switch as well. Long ACL can deplete resources AAGR of the switch. Take a look at this link:

    http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-3750-series-switches/68461-high-CPU-utilization-cat3750.html

    The new WLCs based on IOS XE and not the old OS Wireless/Aironet will provide the best experience in these matters.

    Overall, I see three ways to overcome your current number:

    1. reduce the ACL by making them less specific

    2 use L3 interfaces on a switch L3 or FW and the ACL is applied to them

    3. use the SGT/SGA

    I hope this helps!

    Thank you for evaluating useful messages!

  • Different 'outside_cryptomap access-list"for each VPN?

    Hello

    Just for my understanding.

    I have a VPN connected to my Cisco ASA 5520 when I tried to add an another VPN, the I must create a 2nd cryptomap, can I not create a group so there is only one card encryption?

    Currently I have:

    access-list 1 permit line outside_cryptomap_1 extended ip 0.0.0.0 0.0.0.0 172.19.15.0 255.255.255.0

    I just added outside_cryptomap_2 line access-list 1 permit extended ip 0.0.0.0 0.0.0.0 172.19.2.0 255.255.255.0

    But I was wondering if I could use something like:

    access-list 1 permit line outside_mycryptomap extended ip 0.0.0.0 0.0.0.0 VPN_Remote_Networks object-group

    When I do this, but I guess that this will cause a problem with the address in hand?

    You must use different access-list in cryptomap for each VPN.

  • Packet capture vpn access list filter

    I just install a VPN filter to secure traffic between two of our facilities. As a good security admin, I am only allowing good ports and blocks everything else. Now I see one-way packet loss.

    I wanted to set up a capture of packets to detect which packages were being allowed and which were dropped. However, none of my packet captures are showing all the captured packets. I tried the following shots.

    capture the data interface type DPEP bullies xo [Capturing - 0 bytes]
    match ip 10.1.8.0 255.255.252.0 all

    capture the data type DPEP raw access-list 105 interface xo [Capturing - 0 bytes]

    capture the data interface type DPEP raw asa_dataplane [Capturing - 0 bytes]
    match ip 10.1.8.0 255.255.252.0 all

    It is certainly a problem of formatting on my part that I am does not detect traffic to subnets that the traffic that goes with success.

    Any help would be appreciated. Thank you.

    Hi Michael,

    do not change the VPN filter... you created a dummy access just to capture list and who as a rule and use it to capture.

    Concerning

    Knockaert

  • Cisco ASA tunnel access list question

    We have created a site to IPSec tunnel. Initially, only two IP address were allowed access to the tunnel.  They ask now addresses.  My question is, if I use access-list extended inside_access_in permit ip any host 10.60.55.10, I also have to make a statement of NAT that allows this?

    And when we change the VPN Site to Site connection profile, I have to allow all through this tunnel as well, correct?

    I thank you and I hope this makes sense.  We were originally political thought based routing on the nearest core of the source.

    Dwane

    Hi Sylvie,.

    If you use NAT so I say yes you must consider from... Normally, in a private LAN on L2L scenario, you might have used no. - NAT... If you have LAN identical at both ends, then you might have using a NAT to a diff of subnets at both ends... If you use the NAT public IP then it will be on the public IP based L2L address... So it depends on your current configuration.

    If you use one to 10.60.55.10 (then your site any subnet which flows through the VPN Firewall to 10.60.55.10 is allowed... here you may need to modify NAT as a source...)

    But the problem comes from the other end... for them the source will be 10.60.55.10 and destination would... then all traffic from host 10.60.55.10 is taken through the tunnel...

    So instead of making a statement as any visit its respective great nets 172.16.0/16 for example...

    Concerning

    Knockaert

Maybe you are looking for

  • How can I find my favorites on an old hard drive?

    I bought a new computer and installed Firefox. Firefox has also been installed on my old computer, and I have the old hard drive connected to my new computer as drive E. I would get my favorites copied from the old drive to my current profile on my n

  • Satellite 1700-200: how to upgrade the RAM

    I have an old laptop that Toshiba Satellite 1700-200, with the warranty has expired. Now, I need increase ram (only the wealthy 64 MB, not enough to properly run an installation of Windows XP or a Linux distribution real), and I don't know how to do

  • Error 8007000D on update KB938371

    Hello I can't update KB938371 on a laptop Toshiba U300 of 32 bits. Whenever I try to run it, both manually or by update, it fails with the 8007000D error. I also tried to install Vista SP1, but get the same error. I installed update readiness tool. T

  • Uninstalling my Malwarebytes program!

    Please help me to uninstall Malwarebytes.

  • The processor high/weird CPU usage and about 20 to 25% system interruptions.

    Hello I use an AMD phemon IIx4 965 processor. (never had proplems with this till now.) One of its mainstays bed use ranging from 70-99% in Task Manager exercising while the other 3 are normally working / reading normal numbers. The question comes at