Reflexive access lists

Hello

It is a general question about your experiences with RACLs at the edge of the network.

How does this router resources affect in general?

Any particular issue, when it is executed on the devices of eBGP peers?

Thanks for sharing your experiences.

Use CBAC instead, this will help you with applications such as the passive ftp mode.

http://www.Cisco.com/en/us/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

RACL both CBAC have performance degradation. The amount depends on your platform, the size of the ACL, the amount of traffic, etc.

Hope that helps.

Tags: Cisco Security

Similar Questions

CBAC reflexive access lists vs

It seems to me that these characteristics have similar functions. CBAC replace essentially reflexive access due to the capacity of traffic lists application recongnise such as FTP RACL incompatible? The two can co-exist to allow RACLs match CBAC does not yet support applications?

Reflexive ACL is very basic, they just look outgoing traffic and allow the reverse to come back. They don't know anything about the specific protocols and not looking as far as src/dest addresses and ports in the package out.

CBAC, on the other hand, turns your router in a real similar to the PIX dynamic firewall. Incoming packets are allowed in from previous outgoing packets (similar to reflexive ACL) with CBAC, but incoming packets must be part of an existing session. For example, CBAC verifies the number of ACK/SEQ in a TCP packet incoming to check that it is part of a known TCP session. If this isn't the case, the packet is dropped. In addition, CBAC is specific to the Protocol and will open additional holes to allow certain types of traffic back in (to the FTP data channel, for example). Reflexive ACL will do this.

You cannot use both at the same time. If there is a specific protocol that does not support the CBAC, CBAC will again open a hole to allow the movement of return, as long as you have activated UDP and TCP inspection. In addition he always made sure packages are part of an existing session. It's even more reflexive ACL will do for you, so if you can run the CBAC then forget reflexive ACL.

Access list ASA Error | ERROR: % incomplete command

Hi all

I am trying to enter the following rule but I get an error message, I have a similar rule already inside the firewall, so I don't get really what is the problem and how to go about troubleshooting. Can anyone help?

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq https Journal

(network-config) # access - list extended acl_inside permitted object-group$

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
255.192.0 log https eq
^
ERROR: % name host not valid

SAME THING WITHOUT JOURNAL

(network-config) # access - list extended acl_inside permitted object-group$

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.
255.192.0 eq https
ERROR: % incomplete command

SAME STUPID MISTAKE,

THE SIMILAR RULE;

# ACCess-list HS | I have 132.235.192.0
permit for line acl_inside of access list extended 2767 tcp object-group 16/06/29 X-2 132.235.192.0 255.255.192.0 eq https

???????

I'm not sure that this ensures a case of cisco?

FW100ABCx (config) # 16-09-08F object-group network
FW100ABCx(config-Network) # host network-object 172.191.235.136
Add items (host to network-object 172.191.235.136) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.191.235.135
Add items (host to network-object 172.191.235.135) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.191.235.134
Add items (host to network-object 172.191.235.134) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) # host network-object 172.52.134.76
Add items (host to network-object 172.52.134.76) to grp has failed (16-09-08F); the object already exists
FW100ABCx(config-Network) #.
FW100ABCx(config-Network) # acl_inside of access allowed object-group list $

acl_inside list extended access allowed object-group 16-09-08F 132.235.192.0 255.255.192.0 eq 443
ERROR: % incomplete command

Hello Hassan.

You're missing the key word of Protocol (tcp/udp)
Try this:

the object-group 16-09-08F network
host of the object-Network 172.191.235.136

acl_inside list extended access permitted tcp object-group 16-09-08F 132.235.192.0 255.255.192.0

Concerning
Dinesh Moudgil

PS Please rate helpful messages.

Ipv6 access list does not apply autonomous Aironet 3602I-E

As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

interface Dot11Radio0.2
guest_ingress6 filter IPv6 traffic in
guest_egress6 filter IPv6 traffic on

and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
etc.

In addition, when creating a list like this ipv6 access:

guest_egress6 IPv6 access list
refuse an entire ipv6

The other is automatically created:

IPv6-guest_egress6 role-based access list
refuse an entire ipv6

A deletion also removes the other.

What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

Please rate helpful messages... :-)

Access list ID # on a PIX firewall

Is anyone know what of the identifier access list on a pix firewall?

Standard IOS = 1-99

Extended IOS is 100-199.

SW = PIX?

There is no "limit" by Word to say in the Pix. These limits are in IOS because they define what 'type' of acl, it's IE APPLETALK, IPX, IP etc etc. Pix IP is therefore not necessary for this type of identification.

access-list 100000000000000; 1 items

allow line of the access list 1 100000000000000 ip any a (hitcnt = 0)

Jason

line 300 deny access-list

Everyone;

I need a few questions answered on how to condense on a 300 line refuse access-list into something maybe shorter. Right now, we want to put the abbreviated version of access on the border router 7204 VXR if possible list. It is an attempt to block possible known bad IP address that are not network friendly. Currently there are 2 ASA 5540 behind the border router.

Thanks in advance;

gmaurice

No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)

Router Access List - where it is applied?

I seem to be missing something here. I have a 1841 router that has an access list configured and it actually loses packages based on this access list. I can't for the life of me see where this Access List is applied. Can anyone provide an overview? Here is the result of the "Show Run":

R - H1BR1 #sh run
Building configuration...

Current configuration: 3391 bytes
!
! No change since the last restart configuration
!
version 12.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
R-H1BR1 host name
!
boot-start-marker
boot-end-marker
!
County of logging
logging buffered 51200
no console logging
!
No aaa new-model
IP cef
!
!
!
!
no ip domain search
domain IP p911.positron name - psap.com
name of the IP-server 10.4.0.1
name of the IP-server 10.4.0.2
name of the IP-server 10.5.0.3
name of the IP-server 10.5.0.4
IP multicast routing
Authenticated MultiLink bundle-name Panel
!
!
username * secret privilege 15 5 *.
Archives
The config log
hidekeys
!
!
TFTP IP source interface FastEthernet0/0.1
!
!
!
interface Tunnel5
Description * TUNNEL to NODE B (Multicast only) *.
IP 10.250.4.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.5.15.254
!
interface Tunnel25
Description * TUNNEL at 25 SATELLITE (Multicast only) *.
IP 10.250.25.1 255.255.255.252
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
IP tcp adjust-mss 1436
KeepAlive 1 6
tunnel source 10.4.15.254
tunnel destination 10.25.15.254
!
interface FastEthernet0/0
Description * to switch 1 last Port *.
no ip address
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY
IP pim dr-priority 255
IP pim-interval between queries 1
origination-State pim IP 4 refresh rate
PIM dense mode IP
no ip mroute-cache
KeepAlive 1
45 minimum waiting time charge 60
Watch 1 ip 10.4.15.254
1 1 3 sleep timers
1 standby preempt delay minimum charge 15 15 15 sync
!
interface FastEthernet0/1
Description * BETWEEN R1 and R2 *.
IP 10.252.204.1 255.255.255.252
no ip proxy-arp
IP-range of greeting 1 2604 eigrp
IP - eigrp 2604 2 hold time
no ip mroute-cache
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/0
Description * WAN to H2 connection *.
IP 172.16.215.246 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
!
interface FastEthernet0/0/1
Description * connection to AAU *.
IP 192.168.10.1 255.255.255.0
Speed 100
full-duplex
KeepAlive 1
45 minimum waiting time charge 60
Watch 3 ip 192.168.10.3
sleep timers 3 1 3
3 standby preempt delay minimum charge 15 15 15 sync
!
Router eigrp 2604
redistribute static
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/0/1
10.4.0.0 network 0.0.15.255
Network 10.252.0.0 0.0.255.255
network 172.16.215.0 0.0.0.255
No Auto-resume
!
IP forward-Protocol ND
IP route 10.119.138.0 255.255.254.0 192.168.10.13
IP route 10.121.1.0 255.255.255.0 192.168.10.13
!
!
no ip address of the http server
IP mroute 10.5.0.0 Tunnel5 255.255.240.0
IP mroute 10.25.0.0 255.255.240.0 Tunnel25
!
standard IP DENY access list
deny all
!
interface FastEthernet0/0.1 source journaling
logging server-arp
record 10.4.0.1
!
!
control plan
!
!
Line con 0
local connection
line to 0
line vty 0 4
exec-timeout 0 0
local connection
transport telnet entry
line vty 5 15
exec-timeout 0 0
opening of session
transport telnet entry
!
Scheduler allocate 20000 1000
NTP-period clock 17177530
NTP 10.4.0.1 Server
end

R H1BR1 #.

I guess you are looking for

interface FastEthernet0/0.1
Description * BACKROOM LAN *.
encapsulation dot1Q 1 native
IP 10.4.15.253 255.255.240.0
neighbor-filter IP pim DENY

?

Best regards

Milan

Cisco 837 and access list

Hi all

Sorry if my question sounds stupid, but I had a lot of problems with the syntax of the access list, especially to remove a line in an access list, for example:

Here is my list of access

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.20.0.0 0.0.255.255

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.17.0.0 0.0.255.255

If I want to delete only this line

access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

I do not know how, I if do:

no access-list 120 allow ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255

all the access-list 120 is removed!

Help, please!

Olivier

Hi, this is the usual behavior, if you delete the access list of the entire statement with sequence number is deleted.

You can create a named extended access-list and have the sequence number for each statements.

!

Standard IP access list note

permit 172.10.0.0 0.0.255.255

10.1.1.0 permit 0.0.0.255

permit 192.168.1.0 0.0.0.255

deny all

!

and if you want to delete something in between, or any particular line, you can run the command like this that will remove this line instead of the entire ACL itself...

Standard note of access-list (config) #ip

(config-std-nacl) #no 3

This configuration lines will remove the third line only (which is to allow the 192.168.1.0 0.0.0.255, leaving the other statements)

regds

allow icmpv6 in ipv4-access list in the tunnel

Hello

I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

My tunnel works and is as follows:

interface Tunnel0

no ip address

IPv6 address

enable IPv6

source of tunnel

ipv6ip tunnel mode

tunnel destination

So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

Access list that I apply is the following:

allow tcp any a Workbench

allowed UDP any eq field all

allowed any EQ 67 udp no matter what eq 68

allowed UDP any eq 123 everything

allowed UDP any eq 3740 everything

allowed UDP any eq 41 everything

allowed UDP any eq 5072 everything

allow icmp a whole

deny ip any any newspaper

Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

TCP 3874	TIC.sixxs.net	IPv4	ICT (Information Tunnel & Control Protocol)	Used to retrieve the information of tunnel (for instance AICCU)	Uses the TCP protocol and should work without problems
UDP 3740	PoP	IPv4	Heartbeat Protocol	Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive	the user only to pop out
Protocol 41	PoP	IPv4	IPv6 over IPv4 (6 in 4 tunnel)	Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat)	We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
UDP 5072	PoP	IPv4	AYIYA (anything in anything)	Used for tunneling IPv6 over IPv4 (AYIYA tunnels)	Must cross most NAT and even firewalls without any problem
ICMPv6 echo response.	Tunnel endpoints	IPv6	Internet Control Message Protocol for IPv6	Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel	No, because it is happening inside the tunnel

I missed something?

sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

Hope someone can help me.

Hello

In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

-Jouni

Order of access-list syntax

Hello

I have a small question about the order in the syntax for an access list. I made my list of access work now, but I don't understand why.

It looks like this when it did not work:

(outside interface incoming traffic)

access list 100 permit tcp any any established journal

access-list 100 permit udp any any eq field journal

access list 100 permit tcp any any eq field journal

access-list 100 deny ip any any newspaper

To make this work, I had to add these two lines:

access-list 100 permit udp any eq field no matter what newspaper

access list 100 permit tcp any eq field no matter what newspaper

I do not understand the difference between

access-list 100 permit udp any eq field all

and

access-list 100 permit udp any any eq field

If you're wondering what the main goal with the list, it is to allow traffic from the inside to the outside and deny all other traffic, except the connections from the inside and the UDP traffic that is necessary because UDP doesn't have a domain.

Hello

Again, I think knowing that this 100 ACL is attached to the router's WAN interface in the direction 'in '. This means that its traffic control entering your network LAN.

When we look at how DNS works now in what concerns this ACL
- DNS lookup is usually made at the port of destination UDP/53
- PC uses the random source for the DNS lookup port
- Responses from DNS server for research with source UDP/53 port
- Responses from DNS server to the computer on the port that the source PC search DNS
So naturally you'll see responses from the host source and source UDP/53 port DNS

If the ACL with the port of destination UDP/53 became all success, this would mean that you would host a DNS server and the DNS lookups were intended for your network.

Also to your other question. If you set no ports using TCP/UDP in the ACL then he accepts any source/destination port

Hope this helps

Be sure to mark it as answered in the affirmative.

-Jouni

access-list with PAT

Hi guys,.

I would like to know if the accesslist with PAT, you can refuse statements. IE reject the order under the access list for the traffic that you do not want to be PATed.

example:

access list acl-pat deny ip 10.0.0.1 0.0.0.0 all

permit access-list acl - pat ip 10.0.0.0 0.0.0.255 any

If I won't 10.0.0.1 PATed.

Hello

It's perfectly legal and quite a common practice.

Hope that help - rate pls post if it does.

Paresh

bug in iOS? startup-config + command access-list + an invalid entry detected

I posted this yesterday in the newsgroup usenet comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

Cisco 827

IOS (TM) C820 software (C820-K9OSY6-M), Version 12.2 (8) T5, RELEASE

SOFTWARE (fc1)

I'm looking to use a host named in a more extended access list. The

script I copy startup-config contains the following entries:

! the 2 following lines appear at the top of the script

123.123.123.123 IP name-server 123.123.123.124

IP domain-lookup

! the following line appears at the bottom of the script

120 allow host passports - 01.mx.aol.com one ip access-list

When I reboot the router, I saw the following message:

Translation of "passports - 01.mx.aol.com"... the domain server (255.255.255.255)

120 allow host passports - 01.mx.aol.com one ip access-list

^

Invalid entry % detected at ' ^' marker.

It seems as if the entrance to the server name of the router is not processed

prior to the access list. I can not even check with

router02 access lists 120 #sh

makes the access list entry * not * exist.

But when I manually type the entry in the router I see the

Next:

router02 (config) #access - list 120 permits Passport - 01.mx.aol.com ip host

any

Translation of "passports - 01.mx.aol.com"... the domain server (123.123.123.123)

[OK]

and I can confirm its creation:

router02 access lists 120 #sh

Extend the 120 IP access list

allow the host ip 64.12.137.89 one

I have to do something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same label/common sense if apply here as apply to newsgroups usenet. i.e. post us actual ip addresses in our configs or must they be edited?)

Any help is very appreciated.

Hello

Currently IOS does not use DNS - names in the ACL for the saved configuration / running.

When you type in a list of access with a domain name we he looks up and replaces it with the IP address. I remember seeing a bug No. recently request this feature but I don't remember one bug id # now.

Router (config) #access - list 187 ip allow any host www.cisco.com

Router (config) #^ Z

router #show run | 187 Inc

IP access-list 187 allow any host 198.133.219.25

router #show worm | split 12

IOS (TM) C800 Software (C800-K9NOSY6-MW), Version 12.2 (13) T, RELEASE

How PIX cross access lists?

I'm new with PIX.

I would like to know how this fw through access lists. I mean, it's in what order it checks the rules. I guess it can be quite an important issue if you want to keep performance with more than 400 rules and a flow of traffic.

I thank the of for any comment.

Hello

the pix treats the ACL from top to bottom. Put the rules used most frequently at the top. After a match, the pix stop processing the ACL.

Kind regards

Tom

A possible bug related to the Cisco ASA "show access-list"?

We had a strange problem in our configuration of ASA.

In the "show running-config:

Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

inside_access_in list extended access permitted ip object windowsusageVM any newspaper

inside_access_in list of allowed ip extended access any object testCSM

inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

inside_access_in list extended access permit ip host 172.31.254.2 any log

Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

In the "show access-list":

access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

There is a comment in the running configuration: (line 26)

Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

Thanks in advance.

See the version:

Cisco Adaptive Security Appliance Software Version 4,0000 1

Version 7.1 Device Manager (3)

Updated Friday, June 14, 12 and 11:20 by manufacturers

System image file is "disk0: / asa844-1 - k8.bin.

The configuration file to the startup was "startup-config '.

fmciscoasa up to 1 hour 56 minutes

Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

Internal ATA Compact Flash, 128 MB

BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

Start firmware: CN1000-MC-BOOT - 2.00

SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

Number of Accelerators: 1

Could be linked to the following bug:

CSCtq12090: ACL note line is missing when the object range is set to ACL

The 8.4 fixed (6), so update to a newer version and observe again.

--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni

ISE pre authorise access-list

Dear,

I created a list of access-pre approval for cisco ise 1.4, depending on the Switch Configuration required to Support Cisco ISE 2.0 functions, properly profiled Cisco IP phone and download a good list of permit ip access IE, but when I make a PSTN call I hear a one-way audio, when I see the switch connects it show me that RTP has been blocked by default access-list , I have a question when my DACL list is downloaded correctly then why the default ACL is interrupting the RTP, also I see the port number 2000 & 2443 is blocked by default access-list by phone losses its connection to the server, which are used to to the CUCM keepalive.

Something I'm missing?

Thank you

Which is not the same thing?

Try using the 'details' after the command

Reflexive access lists

Similar Questions

Maybe you are looking for