Question on managing the ASA

Internet<>

Hello! We have the configuration above in our environment. The ASA box is used to establish the tunnel to our headquarters if the MPLS WAN is down. My question is about managing the ASA box from the network (the internal LAN of other sites), i.e. another internal local network. I can ping the inside interface of the ASA from other sites, but when I try to SSH or use ASDM to manage it, I see the message "Routing cannot locate next hop for TCP from inside:xxxx to inside:xxxx". There is no firewall between the sites (through the global MPLS WAN). The sites can ping each other, and an ACL allowing SSH/ASDM management from the local LAN + world was added. I also noticed that I cannot ping other sites from the ASA CLI. I can only ping IP ranges configured as a static route to the inside interface of the ASA box. From what I see, everything works fine; it's just that I'm not able to manage the ASA box from other sites. What could be the problem here? THX

If the error message is that the ASA could not find a route, then of course it sounds like a routing problem. My first suggestion would be to look at the error message, take the destination address from the message and check whether the ASA has a route to that address (and make sure that the route goes through the inside interface, because the error message indicates that it thinks the destination is on the inside interface).

HTH
Rick

Upgrading the AIP-SSM-10 on an ASA 5510

Hello, I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP-SSM is running E3 479.0 1.0000 and I have a valid CCO account etc. for this. Cheers

Let me give some clarification on a few points:

2. There is no need to re-image the device using the .img file. You can upgrade, keeping your existing configuration, using the .pkg file. That is the recommended method for upgrading Cisco IPS devices/modules. The .img file (re-imaging) should only be used to restore the device to its factory default.
5. Here are links for upgrading the sensor using a .pkg file.
For upgrades through the IDM user interface:
For upgrades via the CLI:

Another point of clarification: the current releases of IPS software supported on the AIP-SSM-10 are (taking into account that you are currently running 6.2(1)E3):

6.2(3)E4
7.0(4)E4

You can go directly to either release.

Scott

Does the ASA 5510 support BGP?

Hi all, I have a new BGP configuration that consists of two ASA 5510s and two 2911 routers behind them. My question is: does the ASA 5510 support BGP? Thank you.

Hi Sotiris, unfortunately the ASA does not support BGP (you can peer through the ASA, but the ASA cannot be a BGP peer itself). The following link has a list of the routing protocols supported on the ASA: http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/route_overview.html

-Mike

Can the ASA configure NAT for a VPN local pool?

We have a remote IPsec tunnel group; the clients use the address pool 172.18.33.0/24, set up with the "ip local pool" command. The remote clients must use a full IPsec tunnel. Because of IP overlap or route count, we would like to NAT this local pool 172.18.33.0 to the 192.168.3.0 subnet when VPN users access certain servers or subnets via the outside interface of the ASA. I have NAT mapping address commands from one interface to another interface of the ASA. The VPN local pool is not behind any physical interface of the ASA. My question is: can the ASA configure policy NAT for the VPN local pool? If so, how do I set up this NAT? Thank you, Haiying

Haiying,

access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0
static (outside,outside) 192.168.33.0 access-list NAT_VPNClients

The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when going to 10.1.1.0/24 (assuming that 10.1.1.0/24 is your server subnet). To allow the ASA to redirect the rewritten traffic out the same interface on which it was received, you also need the command:

same-security-traffic permit intra-interface

Federico.
ASA 1000V versus ASA 5500 series

I hope someone can help me answer this question: currently we have redundant FWSMs and are considering a migration to standalone ASA 5500 series firewalls. However, we have a complete VMware environment and are looking at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V. Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 always necessary? Is there a datasheet anywhere that compares the ASA 1000V and the ASA 5500 series? Thanks for your help. -Joe

It depends on what you are using the ASA 5500 series for now. If you use the ASA 5500 for remote-access VPN and AnyConnect VPN, that will not be supported by the first release of the ASA 1000V yet. Here's the Q&A on the ASA 1000V, which includes more information: http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html Hope that answers your question.

How to associate crypto policies with a tunnel-group?

Hi, when I review the site-to-site VPN configuration, I have a question. The ASA has three site-to-site VPN configurations, so there are also three tunnel-groups in there. My question is: how does each VPN make sure which crypto policy goes with which tunnel-group? In other words, which crypto policy is associated with which tunnel-group? Thank you.

This is phase 1; the policies are processed from top to bottom. When you try to negotiate the tunnel between two peers, in the background they send all of your policies, and whichever matches first (from top to bottom) is used. For example, if your peer device uses (3des, md5, pre-shared key and group 2), it will not match policy 1, and the rest of the policies will not be considered. Kind regards, Sandra

ACL question

I'm new to the ASA and am trying to understand something about ACLs.
I understand about creating them and adding entries, and that they should all have the same name, but I'm confused about ACLs that do not have the same name as one that already exists on a device, or may be named differently. For example:

access-list Corporate1 permit tcp any any eq www
access-list Corporate1 permit tcp any any eq https
access-list Inside_Out permit ip any any
access-group Corporate1 in interface outside

Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The Corporate1 ACL is applied on the interface and is active. I get this part... My question is: is the Inside_Out ACL grouped in automatically with the other ACL and activated as well, or is it safe to say it is not active and can be removed without causing damage? Does the access-group only activate the ACL with the same name, Corporate1? I have 2 different people telling me two different things. I'm lost on this one, any help would be greatly appreciated. -Jon

Working with ACLs always implies two steps: (1) configure the ACL and (2) assign the ACL to a function. If you did both (1 and 2), then the ACL is active and currently in use. If you have configured the ACL only but it was never assigned to a function, then the ACL is not active and can be removed. In your example: if you find the ACL 'Inside_Out' but you don't know whether the ACL is used, then do a

(sh run | inc Inside_Out). If the output shows only the ACL lines, it is unused and can be removed. Or, if it is not used but should be used, then apply the ACL for the desired purpose.

Connection-oriented protocols fail through the ASA

Hi all, I have a question. In a test environment I set up the topology as in the attachment, and when I insert the route to network 172.16.2.0/24 via 192.168.0.10, the ping command works, but no connection-oriented protocol works.
I monitored with the debug command and noticed that the packet leaves the station with IP address 192.168.1.3 towards IP 172.16.2.2 successfully: the packet with the SYN flag arrives, and when the 172.16.2.2 server responds with the ACK flag it returns without problem. But when the station with IP 192.168.1.3 returns the packet with the SYN/ACK flag, the Cisco ASA receives the packet and the acknowledgement is not returned by the Cisco ASA; as a result the ASA seems to drop the packet and run a teardown, and the connection is not completed. I think it's because the Cisco ASA may interpret this behavior as a man-in-the-middle attack. Is there a way to disable this check in the Cisco ASA? I ask for the sake of knowledge, because this scenario will not be used. Kind regards.

8.4 is not a valid version of ASA. You can run 8.0(4). The TCP state bypass feature is available in 8.2(1) or later. "permit ip any any" simply states that all UDP and TCP connections are allowed. However, the ASA will always inspect both connections for stateful security and other things. In the case of TCP, the first packet MUST be a SYN; otherwise, without the SYN, we should never see a SYN-ACK packet. A syslog message, 'Deny TCP (no connection)', would ensue if we saw the SYN-ACK without the SYN packet. Best regards, Kevin

Pre-installation questions on IPS on a Cisco ASA cluster

Hello, I'm looking for some configuration guidelines on IPS. I have a Cisco ASA cluster with an IPS module and I would like to know the best way to go about setting it up. We have a customer who requires their web servers to be protected with the IPS module. I have the following questions:

1. Is it possible to install the IPS in a learning-type mode to see what kind of traffic is hitting it?
2. Can you syslog alerts?
3. Is it possible to use SNMP traps for alerts as well?
4. If you put it in promiscuous mode (IDS), does it mean that when you receive an alert about a possible attack, an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or allow it if it's a false positive in the IPS) without having to connect to the ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?
5. Is it possible to set up alerting so that if it is a DDoS it sends an email alert, and if it's a split handshake it just sends a syslog alert?
6. I'm afraid that if I put it inline with a profile it could start blocking valid traffic. What is the best way to start with IPS to protect a server?
7. If it's possible to syslog, what kind of detail does the syslog capture? Name of the attack, etc.?

A lot of questions! I hope someone can help. Thanks a mill

1. Is it possible to install the IPS in a learning-type mode to see what kind of traffic is hitting it?
Yes. There are several ways to do this, but the easiest way is to put the sensor in promiscuous mode (in the config of the ASA).

2. Can you syslog alerts?
No. The Cisco IPS OS doesn't support syslog.

3. Is it possible to use SNMP traps for alerts as well?
Yes. But you must set the 'action' on each signature for which you want to send a trap.

4. If you put it in promiscuous mode (IDS), does it mean that when you receive an alert about a possible attack, an administrator must log on to the firewall and block the traffic if they choose to do so? Is it possible for an administrator to block traffic (or allow it if it's a false positive in the IPS) without having to connect to the ASDM? If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?
Whoever performs the analysis of IPS events generally has sufficient privilege and access to make any changes necessary to your firewall security and IPS sensors. It takes time, knowledge and skill to do IPS analysis. Most customers do not have the resources to do the job that you describe.

5. Is it possible to set up alerting so that if it is a DDoS it sends an email alert, and if it's a split handshake it just sends a syslog alert?
No syslog. You can set email alerts on a per-signature basis.

6. I'm afraid that if I put it inline with a profile it could start blocking valid traffic. What is the best way to start with IPS to protect a server?
Start in "promiscuous" mode and see what hits the signatures. Investigate them, tune your false positives until you have a tight set of signatures and actions. Then switch to inline mode.

7. If it's possible to syslog, what kind of detail does the syslog capture? Name of the attack, etc.?
No syslog.

-Bob

Question about SDI authentication with AnyConnect and ASA

Hi all, I would like to know about the communication flow for AnyConnect client and ASA 5520 SDI authentication. My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client. I understand that the ASA provides two modes to allow SDI authentication:

Native SDI - the ASA communicates directly with the SDI server to handle SDI authentication.

I think that, in general (not considering the ASA), the client (remote user) needs to access the web page on the SDI server for an SDI authentication token when it starts the SSL VPN connection setup. However, I don't clearly understand how SDI authentication works if I use the ASA as the secure gateway and configure the ASA to allow SDI authentication. So my question is: how does SDI authentication work on the ASA when I use the ASA as the secure gateway and configure the ASA to allow SDI authentication (in both modes)? The customer does not want the AnyConnect client to communicate with the SDI server directly, but to communicate with the ASA only, because of their security concern. I don't know why the customer says that... I found the following information on CEC.
==========

This means that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts the SSL VPN connection setup, and the AnyConnect client must communicate with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy? Your information would be appreciated. Best regards, Shinichi

Shinichi, I had a quick glance at the data sheet http://www.RSA.com/node.aspx?ID=3481 I could only find the authentication via SMS as the 'on demand' code, i.e. RSA will communicate somehow with the cellular network provider to deliver an SMS with part of the user's token. (The phone number should uniquely identify a user.) Please note that it is a little suspicious if the device that you authenticate to provides you with the authentication credentials :-) Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?). Anyway, the ASA is usually unaware of how the user obtained their authentication from the two parties. Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us. Marcin

QoS with ASA - packet matching questions

I have a few questions about ASA and QoS at code level 8.2.5. Let's say I have the following...

class-map TG-NonVoice
 match access-list tg-traffic-acl
class-map TCP-traffic
 match access-list tcp-traffic-acl
class-map TG-voice
 match dscp ef
 match tunnel-group x.x.x.x

How do I know the hierarchy the ASA uses to match a packet? Since a packet can only match one class-map, I created deny statements in the access lists to ensure that the packet matches what I want. Example: in the tcp-traffic-acl access list I didn't want to include the tunnel traffic, so I denied the tunnel traffic at the beginning of the access list. Is this the correct procedure, given that I did not know in what order the ASA matches packets against the access lists in my class-maps? Is there an order?
TG-voice has priority in the policy-map; does it automatically get used to match first? Second example: let's say I have

class-map TG-NonVoice
 match flow ip destination-address
 match tunnel-group x.x.x.x
class-map TCP-traffic
 match access-list tcp-traffic-acl
class-map TG-voice
 match dscp ef
 match tunnel-group x.x.x.x

Here I have only one access list. How do I know what order is used to filter packets? If I don't want the tcp-traffic-acl to include packets that could possibly match the VPN tunnel, do I put a deny for VPN traffic at the beginning of the access list to be sure? What would be the order used by the ASA to determine whether a packet matches a class-map rule, since a packet could match several, but from what I've read it does not get included in the others once it has matched the first one? Understand? Thank you

Hello, I think that this covers everything. This is the best document I found on the web about the MPF. Take a read: http://blog.INE.com/2009/04/19/understanding-modular-policy-framework/ Rate all useful posts! Kind regards, Jcarvaja. Follow me on http://laguiadelnetworking.com

General question about 3DES site-to-site connections with the ASA

Hello, I have a question for a project: we have an office outside our main building that is connected via a 34 MB radio-wave connection and a 10 MB dark fiber. Today the radio-wave connection is not secured and the client wants 3DES encryption, and for that he will use 2 ASA 5510s. There are also 2 questions: I have an EIGRP process running between the connections, and I know that the ASA cannot carry this protocol, so can I use the ASA in transparent mode only for encryption, or as a site-to-site connection? It is the first time I work with the ASA, so any help is appreciated. Regards, Klaus

This document describes how to use the Cisco Adaptive Security Device Manager (ASDM) to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) to act as a remote VPN server.
The ASDM provides world-class security management and monitoring through a web management interface that is intuitive and easy to use. Once the Cisco ASA configuration is complete, it can be verified using the Cisco VPN Client. http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

ASA routing question!

Hello! I have a question about the routing function in the ASA 5500. Scenario: the ASA (inside int 192.168.1.1) is the default gateway for all inside nodes. We also have another network (192.168.2.0) inside; the ASA routes traffic to that net via the only inside interface (192.168.1.1). I know the PIX does NOT support this routing scenario; will the ASA do it? Regards, /Jonny

Hi Jonny, does this clarify your question? If so, please close the post so that it may be useful to others. Regards, REDA

VPN Concentrator to ASA conversion question

I sent our VPN3k config to the TAC and they converted it to ASA format. A major problem that I see is that the concentrator had a group name (which is equivalent to a tunnel-group on the ASA) with spaces inside, and the ASA does not work with that. Our primary RA VPN group is 'All Staff'; in the converted config it's "All_Staff", and I guess that this is not going to work for users with the existing VPN client configuration file. We have hundreds of users; a new config file, or trying to explain how to fix this manually, is out of the question. Are there any other workarounds? Thank you.

Try renaming the group to "All Staff" (including the quotation marks!), i.e. type tunnel-group "All Staff". HTH, Herbert

VPN between ASA and Cisco router [phase 2 question]

Hi all, I have a problem with an IPsec VPN between an ASA and a Cisco router. I think that there is a problem in phase 2. Can you please guide me as to where the problem could be?
Looking forward to your help.

Phase 1 looks like this:

Cisco_router# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA

and on the ASA:

ASA# sh crypto isakmp sa
   Active SA: 1
1   IKE Peer: 78.x.x.41

Phase 2 on the ASA:

ASA# sh crypto ipsec sa
      access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.
      #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
      local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41
      path mtu 1500, ipsec overhead 58, media mtu 1500
    inbound esp sas:

Phase 2 on the Cisco router:

   protected vrf: (none)
   local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
   protected vrf: (none)
   local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

The VPN configuration on the Cisco router is as follows:

access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
route-map sheep permit 10
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
crypto map mycryptomap 100 ipsec-isakmp
crypto isakmp policy 100

Your permit statement in ACL 105 should be moved down so that it is matched last, because it is the most general entry. You currently have:

ip access-list extended 105

It should be (with the permit after the deny entries):

ip access-list extended 105
 60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)

To remove it and add it at the bottom:

ip access-list extended 105
 no 5 permit ip 172.19.194.0 0.0.0.255 any
 60 permit ip 172.19.194.0 0.0.0.255 any

Then 'clear ip nat trans' and it should work now.
sh run | inc Inside_Out
clear configure access-list Inside_Out
RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS), and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.
When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
==========
I suspect an ACL issue on the router, but I cannot fix it. The ACL on the router is specified below:
dst             src             state          conn-id slot status
78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
interface: Outside
    Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4
19.194.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
      current_peer: 78.x.x.41
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: C96393AB
      spi: 0x3E9D820B (1050509835)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/3025)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC96393AB (3378746283)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 7, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274994/3023)
         IV size: 8 bytes
         replay detection support: Y
   local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
   local ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
   current_peer 87.x.x.4 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x3E9D820B(1050509835)
      spi: 0xC96393AB(3378746283)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4393981/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x3E9D820B(1050509835)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4394007/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log
 match ip address 105
 set peer 87.x.x.4
 set transform-set mytransformset
 match address 101
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx2011 address 87.x.x.4

    5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
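As an added example (not from the thread), the first-match behaviour behind the ACL 105 answer, modelled in Python: the router's NAT route-map ACL is walked top to bottom and the first matching entry wins, so the catch-all permit at sequence 5 translates VPN-bound traffic before the deny entries can exempt it, and translated packets no longer match crypto ACL 101. Sequence numbers and subnets are those posted in the thread; the sample packets and the NAT-before-crypto ordering assumption are constructed here, and a shadow check flags entries that can never match.

```python
"""First-match evaluation of the router's NAT-exemption ACL 105 (added example,
not from the thread). Models the IOS behaviour discussed above: a NAT route-map
ACL is walked top to bottom, the first matching entry wins, and a 'permit'
means 'translate this packet'. Subnets and sequence numbers come from the
thread; the sample packets are constructed."""
from ipaddress import ip_address, ip_network

LAN = "172.19.194.0/24"                                            # router-side LAN
REMOTE = ["172.19.206.0/24", "172.19.203.0/24", "172.19.209.0/24"]  # VPN networks


def ace(seq, action, src, dst):
    return {"seq": seq, "action": action,
            "src": ip_network(src), "dst": ip_network(dst)}


# ACL 105 as posted: the catch-all permit sits at sequence 5, ahead of the denies.
ACL105_AS_POSTED = [ace(5, "permit", LAN, "0.0.0.0/0")] + [
    ace(10 + 20 * i, "deny", LAN, net) for i, net in enumerate(REMOTE)]

# ACL 105 as the answer recommends: same entries, permit moved to the bottom (60).
ACL105_FIXED = [ace(10 + 20 * i, "deny", LAN, net) for i, net in enumerate(REMOTE)
                ] + [ace(60, "permit", LAN, "0.0.0.0/0")]

# Crypto ACL 101 (what the router encrypts): LAN -> each VPN network.
ACL101 = [ace(10 * (i + 1), "permit", LAN, net) for i, net in enumerate(REMOTE)]


def first_match(acl, src, dst):
    """Return the first ACE matching (src, dst); None means implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if s in entry["src"] and d in entry["dst"]:
            return entry
    return None


def router_path(nat_acl, src, dst):
    """Decide what the router does with a packet from src to dst.
    Assumption: NAT runs before the crypto map on the outbound interface, so a
    packet that is translated no longer matches ACL 101 and leaves in clear."""
    hit = first_match(nat_acl, src, dst)
    nat = hit is not None and hit["action"] == "permit"
    encrypted = (not nat) and first_match(ACL101, src, dst) is not None
    return {"nat_seq": hit["seq"] if hit else None, "nat": nat,
            "encrypted": encrypted}


def shadowed_entries(acl):
    """Sequence numbers of ACEs that can never match because an earlier ACE
    already covers their whole source/destination space."""
    out = []
    for i, e in enumerate(acl):
        for earlier in acl[:i]:
            if (e["src"].subnet_of(earlier["src"]) and
                    e["dst"].subnet_of(earlier["dst"])):
                out.append(e["seq"])
                break
    return out


if __name__ == "__main__":
    for name, acl in (("as posted", ACL105_AS_POSTED), ("fixed", ACL105_FIXED)):
        print(name, "- shadowed entries:", shadowed_entries(acl))
        print("  VPN-bound:", router_path(acl, "172.19.194.10", "172.19.209.5"))
        print("  Internet :", router_path(acl, "172.19.194.10", "192.0.2.7"))
```

With the posted order every deny is shadowed and VPN-bound traffic is translated instead of encrypted, which matches the router showing decaps but no encaps; with the permit at sequence 60 the denies take effect and the same packet is encrypted.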