Access list question

Hello

I have a question on applying an access list to an external interface (I know it sounds a bit silly, but since I am on a deadline, I thought it preferable to post my question on this forum). This is for a router on which users can dial in.

I have defined an access list that is extended with a permit number.

In the documentation that I found on the net, I noticed that there seem to be two ways to apply the access list to the interface.

One way seems to be using the dialer-group command on the interface (and later dialer-list to link the access list to the dialer group).

A second way (I think :-) the normal way) is to use the ip access-group command on the interface.

My problem is that I do not understand the difference in implementation. What is the difference? Is there any documentation available on the matter? (Of course I could just implement it with the command "ip access-group name in", but I would like to know why this is the right way to do it (or not).)

Any help would be appreciated.

Kind regards

Ronny

Hello

The dialer list controls dialing by the protocol or by a combination of a control protocol. It is used to permit or deny dialing on certain criteria.

You would probably use ip access-group to permit or deny traffic with certain criteria.

Hope that helps

Roger


Similar Questions

  • Question of access list for Cisco 1710 performing the 3DES VPN tunnel

    I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

    For example, the following lines are in the configuration of the remote router. My question is whether the traffic that matches the definition of access-list 130 (something other than 192.168.100.0/24) crosses the VPN tunnel or goes directly out the Ethernet0 interface.

    My understanding is that traffic that matches access-list 120 would be encrypted and sent through the IPSec tunnel. If there were "deny" statements in access-list 120, the traffic matching those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the crypto map definition references only "match address 120", any traffic that matches access-list 130 would be sent out Ethernet0 but not associated with the crypto map and thus not sent through the IPSec tunnel.

    Any input or assistance would be greatly appreciated.

    crypto map Test 11 ipsec-isakmp
    ..
    match address 120
    interface Ethernet0
    ..
    crypto map Test
    ip nat inside source route-map sheep interface Ethernet0 overload
    access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 130 permit ip 192.168.100.0 0.0.0.255 any
    route-map sheep permit 10
    match ip address 130

    It would go out through interface e0 to the Internet in clear text without going over the tunnel.

    Jean Marc

  • Question on access to multidimensional data Collection

    Hi all

    I have a question on accessing multidimensional data using collections.

    We use Oracle 11g R2.

    Our requirement is as shown below.

    We get data from upstream via a stored procedure. The stored procedure's input variable is a complex multidimensional type.

    I gave below the structure of the collection

    Step 1

    CREATE OR REPLACE TYPE feature_type IS OBJECT
    (
      feature_code VARCHAR2 (10),
      feature_name VARCHAR2 (50),
      feature_value NUMBER
    );
    /

    Step 2

    CREATE OR REPLACE TYPE feature_array IS TABLE OF feature_type;
    /

    Step 3

    CREATE OR REPLACE TYPE subscriber_type IS OBJECT
    (
      subscriber_id NUMBER,
      first_name VARCHAR2 (50),
      last_name VARCHAR2 (50),
      feature_data feature_array
    );
    /

    Step 4

    CREATE OR REPLACE TYPE subscriber_array IS TABLE OF subscriber_type;
    /

    Step 5

    CREATE OR REPLACE TYPE order_type IS OBJECT
    (
      order_id NUMBER,
      subscriber_data subscriber_array
    );
    /

    Step 6

    CREATE OR REPLACE TYPE order_array IS TABLE OF order_type;
    /

    Suppose I have a procedure as shown below

    CREATE OR REPLACE PROCEDURE multidimensional_prc (p_dataarray order_array)
    IS
      lv_order order_array;
    BEGIN
      lv_order := p_dataarray;
      -- Overwrite the input with sample data: two orders, three subscribers
      lv_order :=
        order_array (
          order_type (
            1,
            subscriber_array (
              subscriber_type (
                10,
                'Subscribed 10 first name',
                'Subscriber 10 Lst Name',
                feature_array (feature_type ('F10', 'Featgure Code 10', 10))),
              subscriber_type (
                11,
                'Subscriber 11 name',
                'Subscriber 11 Lst Name',
                feature_array (feature_type ('F11', 'Featgure Code 11', 11))))),
          order_type (
            2,
            subscriber_array (
              subscriber_type (
                20,
                'Subscriber 2 first name',
                'Subscriber 2 Lst Name',
                feature_array (feature_type ('F2', 'Featgure Code 2', 20))))));

      FOR m1 IN 1 .. lv_order.COUNT
      LOOP
        DBMS_OUTPUT.put_line (lv_order (m1).order_id);
        -- FOR m2 IN 1 .. lv_order (m1).COUNT LOOP
        -- NULL;
        -- END LOOP;
      END LOOP;
    END multidimensional_prc;
    /

    I am able to read the data up to the order data, as it is at level 1. But when I read the data at the subscriber level (2nd level) or the feature level (3rd level), I get errors. Basically, I am unable to read the data in the sub-levels.

    Very much appreciate your help here.

    Thank you

    Please ignore this one.

    FOR m1 IN 1 .. lv_order.COUNT
    LOOP
      DBMS_OUTPUT.put_line ('- order identification-' || lv_order (m1).order_id);
      -- Level 2: subscribers of this order
      FOR m2 IN 1 .. lv_order (m1).subscriber_data.COUNT LOOP
        DBMS_OUTPUT.put_line (' Subscriber ID => ' || lv_order (m1).subscriber_data (m2).subscriber_id);
        -- Level 3: features of this subscriber
        FOR m3 IN 1 .. lv_order (m1).subscriber_data (m2).feature_data.COUNT LOOP
          DBMS_OUTPUT.put_line (' Code function => ' || lv_order (m1).subscriber_data (m2).feature_data (m3).feature_code);
          DBMS_OUTPUT.put_line (' include the name => ' || lv_order (m1).subscriber_data (m2).feature_data (m3).feature_name);
        END LOOP;
      END LOOP;
    END LOOP;

    I got the answer.

  • Simple Question SSH Access-List

    I am allowing SSH access for all of our Cisco devices and want to restrict access to the following IP addresses: 192.168.200.1 - 192.168.200.50.  I forgot the exact access list configuration to achieve this.  The subnet is a /24 and I don't want the whole subnet, only .1 - .50.

    Thank you

    Thomas Reiling

    Hello

    If you use ssh, make sure that you have a domain name and host name configured and that an RSA key is generated.  Assuming you have done this, the following ACL and vty line commands will do the trick.  Note that the host list 1-50 is not on a subnet boundary.

    To get it exactly

    access-list 1 remark MANAGEMENT ALLOW
    access-list 1 permit 192.168.200.0 0.0.0.31
    access-list 1 permit 192.168.200.32 0.0.0.15
    access-list 1 permit 192.168.200.48 0.0.0.1
    access-list 1 permit host 192.168.200.50
    access-list 1 deny any log

    It would be a good idea to put it on a boundary, however, so the following would be much simpler and easier to read.

    access-list 1 remark MANAGEMENT ALLOW
    access-list 1 permit 192.168.200.0 0.0.0.63
    access-list 1 deny any log

    Apply the access class on the vty lines; as for authentication, I would put something there too.

    line vty 0 4
    access-class 1 in
    transport input ssh
    password Bonneau

    That should do it.

    Good luck!

    Brad
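
The difference between the two ACLs in the answer above, worked through as an added example (not part of the original post): this Python sketch expands each IOS address/wildcard pair and reports which addresses outside the requested 192.168.200.1 - 192.168.200.50 each version admits. The function names and the 16-bit enumeration limit are choices made for this example.

```python
from __future__ import annotations
from ipaddress import IPv4Address


def wildcard_hosts(base: str, wildcard: str = "0.0.0.0") -> set[int]:
    """Addresses matched by an IOS 'address wildcard' pair, as integers.

    A 1 bit in the wildcard means "don't care"; the bits need not be contiguous.
    """
    w = int(IPv4Address(wildcard))
    fixed = int(IPv4Address(base)) & ~w & 0xFFFFFFFF
    free = [bit for bit in range(32) if (w >> bit) & 1]
    if len(free) > 16:  # example-only guard against enumerating huge ranges
        raise ValueError("wildcard too wide to enumerate")
    matched = set()
    for combo in range(1 << len(free)):
        addr = fixed
        for n, bit in enumerate(free):
            if (combo >> n) & 1:
                addr |= 1 << bit
        matched.add(addr)
    return matched


def audit(permits, first: str, last: str):
    """Compare what a permit-only standard ACL admits with the intended range.

    Every entry is a permit followed by one final deny, so the admitted set
    is the union of the entries. Returns (extra, missing) as sorted strings.
    """
    admitted = set().union(*(wildcard_hosts(b, w) for b, w in permits))
    intended = set(range(int(IPv4Address(first)), int(IPv4Address(last)) + 1))

    def as_text(addrs):
        return [str(IPv4Address(a)) for a in sorted(addrs)]

    return as_text(admitted - intended), as_text(intended - admitted)


# The two ACLs from the answer, as (address, wildcard) permit entries.
EXACT_ACL = [
    ("192.168.200.0", "0.0.0.31"),
    ("192.168.200.32", "0.0.0.15"),
    ("192.168.200.48", "0.0.0.1"),
    ("192.168.200.50", "0.0.0.0"),  # "permit host 192.168.200.50"
]
ROUNDED_ACL = [("192.168.200.0", "0.0.0.63")]

if __name__ == "__main__":
    for name, acl in (("exact", EXACT_ACL), ("rounded", ROUNDED_ACL)):
        extra, missing = audit(acl, "192.168.200.1", "192.168.200.50")
        print(f"{name}: {len(extra)} extra {extra}, {len(missing)} missing")
```

The four-line version admits only 192.168.200.0 beyond the requested range, while the single 0.0.0.63 entry also opens SSH to .51 through .63, so the shorter ACL is only appropriate if those addresses are also trusted management hosts.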

  • Question of Access-list PIX

    The following access list works on a Cisco router; however, the list will not work on the PIX (I changed the wildcard mask to a subnet mask for the PIX).

    Router (works)

    access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80

    PIX (does not work)

    access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80

    I get the error on the PIX:

    ERROR: Source, mask <192.168.1.50, 0.0.0.10> address not pair

    Is it possible to group IP addresses as well as on the PIX in a similar way as Cisco IOS?

    Thank you!

    Domo Arigato!

    You can use 192.168.1.48 255.255.255.248 for the source, or if there are many hosts you must insert an individual entry for each source.

    Of course you can deny the host 192.168.1.49 and permit the others with 192.168.1.48 255.255.255.248

  • Question on how to access the room list

    Hello

    What I am trying to do is:

    (1) Authenticate and connect to the account

    (2) List the rooms (as applicable)

    (3) Validate whether a certain room exists against the room list

    So I connect successfully, but the room list is always null.

    I checked the documentation, and it seems to be straightforward, but I can't get it to work.

    Does anyone have example code for this?

    Here is my code:

    public function authenticateSuccess(event:AccountManagerEvent):void
    {
        trace("ROOM:" + event.list);
        try {
            // Only the master creates the room
            if (IsMaster) {
                acctMgr.createRoom(roomName);
            }
            else {
                return;
            }
        } catch (e:Error) {
            e.message = "the room that you are trying to create already exists!";
            throw e;
        }
    }

    Thanks in advance.

    Artour.

    LordAlex Works Inc.

    That doesn't really answer Nigel's question (are you doing this in the Flex client? You can't unless you are the owner of the developer account).

    In addition, it is faster for you to call createRoom and catch/ignore the error instead of checking first whether the room exists (it's always 1 server call vs potentially two calls to the server if the room does not exist).

  • Adapter LAN question, "no access to the network.

    Original title: LAN adapter issue

    Hi all, when connecting my laptop to a switch, the LED on the switch is green, which means connected. The IP address on the laptop is entered manually, but when I go to cmd and issue ipconfig it shows "media disconnected", and the network adapter in the Control Panel indicates "no access to the network". It also indicates that "this device is working properly". Please advise.

    Hello

    What is the make and model of the computer?

    Do you remember making any changes to the computer before the issue appeared?

    Thanks for posting in Microsoft Communities.  From the problem description, I understand that you cannot connect to the Internet.  Correct me if I misunderstood the question.

    Follow these steps:

    Method 1: Follow these steps:
    How to troubleshoot possible causes of Internet connection problems in Windows XP:
    http://support.microsoft.com/kb/314095

    Method 2: Follow these steps:

    Step 1: Renew DHCP (Dynamic Host Configuration Protocol)
    a. Click Start, click Run, type cmd and click OK.
    b. In the command prompt, type ipconfig /renew
    c. Close the command prompt.
    d. Check the result.

    Step 2: Try to obtain an IP address automatically
    a. Open Internet Explorer, go to Tools, click on Internet Options, Connections, LAN settings.
    b. Uncheck all boxes except Automatically detect settings.
    c. Click OK to apply the changes.
    d. Check if the problem persists.

    Method 3: If the methods above do not help, check if the wireless card is working properly and try to update the drivers from the manufacturer's Web site.

    a. click Start and right-click my computer.
    b. Select Properties and then click the hardware tab.
    c. click on Device Manager and expand network adapters in the list.
    d. right click on the adapter, then click Properties.
    e. click the driver tab and click Update the driver.

    Please follow the steps and let us know if this helped.  If the problem persists, answer and we will be happy to help you.

  • WRT610N question to access the data on the NAS

    Hello

    Just replaced my WRT54G (works perfectly) with a WRT610N and used the same configuration to access Internet and LAN.

    Upgrade to the latest Firmware for the 610N.

    The WRT610N is connected to an SD2008 (Linksys 8-port 1 Gb switch).

    SD2008 connected to a Synology DS209 + with the latest Firmware and PC XP. Access between PC and DS209 + works perfectly.

    WRT610N connected to a couple of wireless devices; such as iPhone, Vista and XP PC and wired for PS3.

    When accessing from any device (PC, PS3) through the WRT610N, I see all the directories and content, even thumbnails, on the DS209+. Trying to open or copy one file (2 MB in size) takes incredibly long (about 3 minutes).

    Copying from a wireless Vista or XP PC to the DS209+ works great and the same file is copied in a few seconds. Internet download works fine with good performance as well.
    WRT610N with NAT enabled; Firewall disabled.

    Any suggestions or solutions?
    Thank you

    This is it.

    Bought new cables - same issue; changed the MTU - same issue. Changing the port on the WRT - BINGO.

    Looks like Port 1 is defective.

    Thanks for your help amine.

    Regards

  • list access inter vlan routing

    I've implemented an access list on a Cisco 3560 switch, but it never works.

    I want to block access from network B to network A and allow A to B.

    A: 10.0.12.0/24 network

    B: 10.0.24.0/24 network

    The configuration is

    interface Vlan1
     description Data VLAN
     ip address 10.0.12.10 255.255.255.0
    !
    interface Vlan24
     description training VLAN
     ip address 10.0.24.10 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.0.12.1
    ip http server
    ip http secure-server
    !
    ip sla enable reaction-alerts
    access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255
    access-list 101 deny ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255
    access-list 101 permit ip any any

    Is there any idea how I can block the access of 10.0.24.0/24 to 10.0.12.0/24?

    Hi Marc,

    I see that you have created the access list but you have not applied it on the interface with the command "ip access-group". For that to work, you must apply the ACL on the L3 interface as below.

    Change the configuration as below.

    no access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255
    access-list 101 deny ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255
    access-list 101 permit ip any any
    !
    interface Vlan24
     description training VLAN
     ip address 10.0.24.10 255.255.255.0
     ip access-group 101 in

    Regards

    Najaf

    Please rate if applicable or helpful!

  • Does "no access-list" remove the access list from the outside interface?

    PIX515

    The customer wanted to modify the access list (add a new line), so he first issued the no access-list command so that he could apply the change to the access list, but the access list was removed from the outside interface.

    Is this normal behavior? On routers the access list stays attached to the interface even if you issue the no access-list command.

    Thanks in advance for any comments

    JYP

    Hi Thibault-

    No, it is not normal behavior; it sounds more like an error by the customer. It's always a good idea to copy the required ACL to a text editor (Notepad). Do not forget to include the access-group command, i.e. "access-group inside in interface inside" or "access-group out in interface outside", when copying the required ACL, and then put a "no access-list inside" or "no access-list outside" as the first line of the ACL copied in your Notepad before you copy it to the PIX. Also make sure that you are in config mode and do a "wr m" (write memory) after the modified ACL has been applied on the PIX.

    Hope this helps-

  • Multiple nat (dmz) 0 access-list statements

    Hello

    I am having problems with remote VPN. The scenario is as follows:

    I have a few clients who connect remotely via VPN. Until today, only one of them needed to enter my DMZ. But now I want a different profile (the cause is a new client) to access one of my servers in the DMZ.

    So I configured all of the VPN and ACL settings, but when I declare nat (dmz) 2 access-list newclient it does not work. If I declare nat (dmz) 0 access-list newclient, it works, BUT it removes the previous nat 0 that my other client had. Is there a way to create several nat (dmz) 0 access-list statements? If not, how could I solve this problem?

    This is my config:

    access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
    access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
    access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
    access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
    ip local pool ippool 192.168.125.10-192.168.125.254
    global (outside) 1 interface
    global (outside) 2 200.32.97.254
    nat (outside) 1 192.168.125.0 255.255.255.0
    nat (inside) 0 access-list vpnas
    nat (inside) 2 access-list ACL-NAT-LIM
    nat (inside) 3 access-list vpnwip
    nat (inside) 4 access-list vpnashi
    nat (inside) 5 access-list vpnlati
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (wifi) 2 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list vpnashi
    nat (dmz) 1 192.168.16.0 255.255.255.0
    nat (dmz) 2 access-list vpnlati
    group-policy RA-ASHI internal
    group-policy RA-ASHI attributes
     dns-server value 172.16.1.100
     vpn-idle-timeout 30
     vpn-filter value vpnashi
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     split-tunnel-policy tunnelspecified
    group-policy RA-LATI internal
    group-policy RA-LATI attributes
     dns-server value 172.16.1.100
     vpn-idle-timeout 30
     vpn-filter value vpnlati
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     split-tunnel-policy tunnelspecified
    tunnel-group RA-ASHI type remote-access
    tunnel-group RA-ASHI general-attributes
     address-pool ippool
     authentication-server-group (outside) partnerauth
     default-group-policy RA-ASHI
    tunnel-group RA-ASHI ipsec-attributes
     pre-shared-key *
    tunnel-group RA-LVL type remote-access
    tunnel-group RA-LATI general-attributes
     address-pool ippool
     authentication-server-group (outside) partnerauth
     default-group-policy RA-LATI
    tunnel-group RA-LATI ipsec-attributes
     pre-shared-key *

    André,

    You can have only one NAT exempt access list per interface (nat 0 rule).  I understand what you are trying to accomplish.  You use the vpnashi and vpnlati access lists to control access to devices for different customers through VPN group policies.

    What I do is the following:

    Create an ACL for the VPN client (which you have, with vpnashi and vpnlati).
    Create an ACL for NAT exemption for the interface (sheep-inside, sheep-dmz, etc.).

    Create the ACEs within the NAT exempt ACL that correspond to your VPN client access list.

    It is allowed to have multiple statements within a NAT exempt access list.  This will not give a VPN client access to things it shouldn't have.

    For example:

    access-list sheep-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
    access-list sheep-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
    nat (dmz) 0 access-list sheep-dmz

  • Access control list problem

    Hi guys, I'm facing a problem with one of my ACLs...

    I applied it INBOUND on the router interface facing the Internet.

    I'm trying to restrict access so that the only thing visible from the Internet is my web page, but when I apply the ACL on the router interface I lose the Internet connection (I am running a ping from one of my internal hosts, and as soon as I apply this INBOUND ACL on the external interface of my router it drops all communication to the Internet).

    I think it's because the router is dropping all the "return" packets.

    I know that there is an argument (ESTABLISHED) that I can enable to allow those return packets, but it applies only to TCP. What about ICMP and UDP?

    It's the ACL I use:

    access-list 101 remark FW-outside-to-Inside
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 0.0.0.0 any
    access-list 101 permit tcp host 66.137.99.107 any eq 1720
    access-list 101 permit tcp host 66.137.99.108 any eq 1720
    access-list 101 permit tcp host 66.137.99.109 any eq 1720
    access-list 101 permit tcp host 66.137.99.107 any range 16000 20000
    access-list 101 permit tcp host 66.137.99.108 any range 16000 20000
    access-list 101 permit tcp host 66.137.99.109 any range 16000 20000
    access-list 101 permit udp host 66.137.99.107 any range 5000 5075
    access-list 101 permit udp host 66.137.99.108 any range 5000 5075
    access-list 101 permit udp host 66.137.99.109 any range 5000 5075
    access-list 101 permit tcp any host MYWEBSERVERSIP eq 80
    access-list 101 deny ip any any

    I hope you guys can give me a hint...

    Thank you!!!

    The last two deny statements (before your permit statements), "host 255.255.255.255 any" and "host 0.0.0.0 0.0.0.0 any", may be the problem. You have specified an inverse mask on the 0.0.0.0 0.0.0.0, which will override the "host" keyword (I think). I would first try to remove these and see if it works, then re-insert them (without the mask) to see if it still works.

  • Simple question about access and filter predicate information

    Hello Experts

    I know that maybe this is a very simple and fundamental question. I have read a lot of articles on explain plans and am trying to understand what 'access' and 'filter' mean.
    Please correct me if I'm wrong: I guess that when the explain plan can use an index, the access predicate is chosen, and if the explain plan goes with a full table scan (without an index), the filter is chosen.

    My last question is, can you recommend an article or document that explains the explain plan in clear language and at a basic level?

    Thanks in advance.

    Hello

    As the name suggests, an access predicate is when data is accessed based on a certain condition. A filter predicate is when the data is filtered by this condition after reading.

    For example, if you have SELECT * FROM T1 WHERE X = :x AND Y = :y, where column X is indexed but column Y is not, you can get a plan with an INDEX RANGE SCAN with access predicate X = :x (because you can use this condition when selecting the data to be read, and read only the index leaf blocks that meet this condition) and TABLE ACCESS BY ROWID with the filter predicate Y = :y (because you cannot check this condition until after reading the table block).

    I'm not aware of any good articles on the subject, and unlike others I don't find the Oracle documentation detailed enough. I suggest you read a book, for example Christian Antognini, "Troubleshooting Oracle performance problems."

    Best regards

    Nikolai

  • IOM 9.1.0.2 - question of access policies

    Hi gurus,

    I have a strange behaviour in the characteristics of access policies.

    When users are disabled in the IOM, they should be removed from the groups linked to the AP, but they are still members of the groups, and because of that the AP triggers provisioning of resources to the users again.

    Has anyone faced this issue?

    Brgds,
    Carlos

    You must add active status to your group membership rules.

    -Kevin

  • Question on accessing dataProvider info from an itemRenderer

    Hello

    I've been reading for some time on this topic and a lot of different information.

    I need to know how to access the data of a dataprovider of an itemRenderer.

    What I want to do is use a CheckBox in a DataGrid control, or possibly a ComboBox, as part of the renderer.

    I need to understand, for example, how to set the CheckBox.label = to a certain field in the data provider.

    The data provider is assigned, of course, for the parent component, in this case, the comboBox or dataGrid control.

    I saw the signs pointing to the idea that the 'data' field shows this value, but I do not see this value in one of the spark components.

    So, I guess my question is double:

    1. How do I access data provider information from an item renderer in general?

    2. How do I access the data provider info using Spark components?

    Thanks in advance!

    MX components could simply be dropped in as an itemRenderer.  There was enough overhead to it that we decided not to do that for Spark item renderers.  Instead, you can wrap a component in an ItemRenderer and bind to the data property of the ItemRenderer.  Or, if you really want to optimize, you can do the work to subclass and upgrade a component to implement IItemRenderer.
