Simple Question SSH Access-List
I am allowing SSH access on all of our Cisco devices and want to restrict access to the following IP addresses: 192.168.200.1 - 192.168.200.50. I forgot the exact access-list configuration to achieve this. The subnet is a /24 and I don't want the whole subnet, only .1 - .50.
Thank you
Thomas Reiling
Hello
If you use SSH, make sure that you have a domain name and host name configured and that an RSA key has been generated. Assuming you have done this, the following ACL and vty access-class commands will do the trick. Note that the host range 1-50 does not fall on a subnet boundary.
To get it exactly:
access-list 1 remark MANAGEMENT ALLOW
access-list 1 permit 192.168.200.0 0.0.0.31
access-list 1 permit 192.168.200.32 0.0.0.15
access-list 1 permit 192.168.200.48 0.0.0.1
access-list 1 permit host 192.168.200.50
access-list 1 deny any log
It would be a good idea to put it on a boundary, however, so the following would be much simpler and easier to read.
access-list 1 remark MANAGEMENT ALLOW
access-list 1 permit 192.168.200.0 0.0.0.63
access-list 1 deny any log
Apply the access-class on the vty lines; I would put some authentication there too.
line vty 0 4
 access-class 1 in
 transport input ssh
 login local
That should do it.
Good luck!
Brad
Tags: Cisco Security
Similar Questions
-
Access-list question for a Cisco 1710 running a 3DES VPN tunnel
I have a question about the use of access lists in the configuration of a Cisco 1710 router that uses access lists to control traffic through the VPN tunnel.
For example, the following lines are in the configuration of the remote router. My question is whether the traffic that matches the definition of access-list 130 (something other than 192.168.100.0/24) crosses the VPN tunnel or goes directly out the Ethernet0 interface.
My understanding is that traffic matching access-list 120 would be encrypted and sent through the IPsec tunnel. If there were "deny" statements in access-list 120, the traffic for those would be sent through the IPsec tunnel but not encrypted (if that is possible). And finally, given that the crypto map definition only references "match address 120", any traffic matching access-list 130 would be sent out Ethernet0 but not associated with the crypto map, and thus not sent through the IPsec tunnel.
Any input or assistance would be greatly appreciated.
crypto map Test 11 ipsec-isakmp
..
match address 120
interface Ethernet0
..
crypto map Test
ip nat inside source route-map sheep interface Ethernet0 overload
access-list 120 permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
route-map sheep permit 10
match ip address 130
It would go out interface e0 to the Internet in clear text, without going through the tunnel.
Jean Marc
-
The following access list works on a Cisco router; however, it will not work on the PIX (I changed the wildcard mask to a subnet mask for the PIX).
Router (works)
access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80
PIX (does not work)
access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80
I get this error on the PIX:
ERROR: Source, mask <192.168.1.50, 0.0.0.10> address not pair
Is it possible to group IP addresses on the PIX in a similar way as in Cisco IOS?
Thank you!
Domo Arigato!
You can use 192.168.1.48 255.255.255.248 for the source, or if there are many hosts you must insert an individual entry for each source.
Of course you can deny the host 192.168.1.49 and let the others through:
permit 192.168.1.48 255.255.255.248
-
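Both the 1-50 range in the SSH question above and the PIX mask error here come down to the same question: which aligned blocks cover a set of addresses. The following is an added example, not code from either post: it derives Brad's four-line ACL from the range, enumerates what the IOS entry with wildcard 0.0.0.5 actually matches, and applies the address/mask rule the PIX uses to reject 192.168.1.50 0.0.0.10; the function names are my own.

```python
import ipaddress

# Added example (not from either post): which aligned blocks cover a set of
# addresses, in IOS wildcard form and in the netmask form the PIX insists on.

def range_to_wildcard_blocks(first, last):
    """Inclusive IPv4 range -> fewest aligned blocks as (network, wildcard) strings."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(lo, hi)]

def acl_lines(number, first, last):
    """Standard numbered ACL permitting exactly first..last, with deny-log at the end."""
    lines = [f"access-list {number} remark MANAGEMENT ALLOW"]
    for net, wild in range_to_wildcard_blocks(first, last):
        if wild == "0.0.0.0":
            lines.append(f"access-list {number} permit host {net}")
        else:
            lines.append(f"access-list {number} permit {net} {wild}")
    lines.append(f"access-list {number} deny any log")
    return lines

def wildcard_matches(addr, net, wild):
    """IOS semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)

def expand_wildcard(net, wild):
    """Every address an IOS net/wildcard pair matches; wildcards need not be contiguous."""
    n, w = int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))
    free = [1 << i for i in range(32) if (w >> i) & 1]
    if len(free) > 16:
        raise ValueError("wildcard too wide to enumerate")
    hosts = []
    for combo in range(1 << len(free)):
        a = n & ~w & 0xFFFFFFFF          # fixed bits of the entry
        for i, bit in enumerate(free):   # each subset of the free bits is one address
            if (combo >> i) & 1:
                a |= bit
        hosts.append(ipaddress.IPv4Address(a))
    return sorted(hosts)

def pix_check(addr, mask):
    """PIX rule: the mask must be contiguous and addr must be the first address of its block."""
    a, m = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    contiguous = (inv & (inv + 1)) == 0
    return contiguous and (a & m) == a

def wildcard_to_pix(net, wild):
    """Exact PIX equivalent of an IOS net/wildcard entry as (network, netmask) blocks;
    a /31 block can be written as two host entries if the platform rejects it."""
    nets = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(f"{h}/32") for h in expand_wildcard(net, wild))
    return [(str(n.network_address), str(n.netmask)) for n in nets]

if __name__ == "__main__":
    print("\n".join(acl_lines(1, "192.168.200.0", "192.168.200.50")))  # Brad's first ACL
    print(len(acl_lines(1, "192.168.200.1", "192.168.200.50")))         # starting at .1 needs 8 entries
    print(expand_wildcard("192.168.1.50", "0.0.0.5"))                    # .50 .51 .54 .55
    print(pix_check("192.168.1.50", "0.0.0.10"), pix_check("192.168.1.48", "255.255.255.248"))
    print(wildcard_to_pix("192.168.1.50", "0.0.0.5"))
```

Starting the range at .0 (the unusable network address) is what lets Brad's list stay at four entries; starting at .1 needs eight.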
simple question about access to information of predicate and filter
Hello Experts
I know that this is maybe a very simple and fundamental question. I have read a lot of articles on explain plan and am trying to understand what 'access' and 'filter' mean.
Please correct me if I'm wrong: I guess that when the explain plan can use an index, the access predicate is chosen, and if the explain plan goes with a full table scan (without index), the filter is chosen. My last question is, can you recommend an article or document that explains the plan in clear language at a basic level?
Thanks in advance.
Hello
As the name suggests, an access predicate is when data is accessed based on a certain condition. A filter predicate is when the data is filtered by the condition after reading it.
For example, if you have SELECT * FROM T1 WHERE X = :x AND Y = :y, where column X is indexed but column Y is not, you can get a plan with an INDEX RANGE SCAN with access predicate X = :x (because you can use this condition when selecting the data to be read, and read only the index leaf blocks that meet this condition) and a TABLE ACCESS BY ROWID with filter predicate Y = :y (because you cannot check this condition until after reading the table block).
I'm not aware of any good articles on the subject, and unlike others I can't find detailed enough Oracle documentation. I suggest you read a book, for example Christian Antognini, "Troubleshooting Oracle performance problems".
Best regards
Nikolai
-
Simple question of accessibility of the Checkbox
Hello
Apex 4.2.4. I have a "simple checkbox" column in a tabular form, with this definition: (i.e. checked means Y is saved, unchecked means NULL)
The generated markup is as follows:
<td class="data">
<label for="f06_0003" class="hideMeButHearMe">PublicAccess?</label>
<input autocomplete="off" name="f06_NOSUBMIT" value="Y" id="f06_0003_01" onclick="if (this.checked) {apex.jQuery('#f06_0003').val('Y');} else {apex.jQuery('#f06_0003').val('');}" type="checkbox">
<input autocomplete="off" name="f06" value="" id="f06_0003" type="hidden">
</td>
As you can see, there is a mismatch between the label's 'for' attribute and the input's id. This triggers an error in our accessibility checking tool.
I'm not an accessibility expert, but it does seem wrong and looks like a bug to me. Any ideas on how to fix this?
Thank you
Luis
Luis Cabral says:
Very bad. The HTML specification states that input controls such as hidden are not labelable. This Mozilla bug indicates that browsers (Firefox at least) will ignore such labels. Even if they don't, you always end up with a checkbox that is unlabelled. It is clearly a bug. APEX should set the for attribute of the label element to the ID of the check box.
Workarounds:
- Use a dynamic action on refresh to execute some JavaScript to set the for attribute correctly.
- Do not use the built-in simple checkbox control. Generate the equivalent of the code above with the correct labelling as a column in the region source query.
- Do not use a tabular form.
-
Cisco ASA tunnel access list question
We have created a site-to-site IPsec tunnel. Initially, only two IP addresses were allowed access to the tunnel. They now ask for more addresses. My question is, if I use access-list inside_access_in extended permit ip any host 10.60.55.10, do I also have to make a NAT statement that allows this?
And when we change the site-to-site VPN connection profile, I have to allow everything through this tunnel as well, correct?
Thank you, and I hope this makes sense. We were originally thinking of policy-based routing on the core nearest the source.
Dwane
Hi Sylvie,
If you use NAT then I'd say yes, you must consider it... Normally, in a private LAN-to-LAN (L2L) scenario, you would have used NAT exemption (no-NAT)... If you have identical LANs at both ends, then you might be using NAT to different subnets at both ends... If you use NAT to the public IP, then the L2L will be based on the public IP address... So it depends on your current configuration.
If you use any to 10.60.55.10, then any subnet on your site which flows through the VPN firewall to 10.60.55.10 is allowed... here you may need to modify the NAT for the source...
But the problem comes from the other end... for them the source will be 10.60.55.10 and the destination would be any... then all traffic from host 10.60.55.10 is taken through the tunnel...
So instead of making a statement with any, use the respective networks, 172.16.0.0/16 for example...
Regards
Knockaert
-
Newbie question route-map/access-list
I am quite new to the whole Cisco thing here. I'm very hesitant to make changes, as I am not 200% sure that I won't take down the entire network. (We are a very small company.)
We have a Cisco 1811 router (yes, I know it's old).
We now have a route map and I'm trying to understand it to make it work the way we want. Basically, we have a few servers and we do not want some servers to use our cable Internet connection; we want them to use our T1. Our T1 uses an ASA 5505 as a router. I don't know why; I know it's not best practice, but I was just hired and that's all I have to say on this subject. I am working with it as a result. Web traffic currently goes out our cable interface; everything else, including the transfer speed test on speedtest.net, goes out our T1. This makes for bad, bad VoIP phone calls. We also have a tunnel punched in over the T1 to our other offices, as well as our Exchange 2010 server using the T1. If our cable goes down, everything goes to the T1 (by design). We have a long list defined in the access list our route map uses with match ip address. I want to change the access list to not allow local network IP addresses. I know that if I put in a permit ip any any it will break our network: nothing goes out the T1 line, and no one can get to our mail server any more. So I was thinking of adding some statements, but I was wondering if someone could help me with the logic, so I know whether I will break the network. I wouldn't be able to pull the laminated cord and use the console (I really need to get a USB serial interface). Now that you understand a little more about my situation, here are all the numbers, etc.
Internal networks: 90.0.0.0/24, 192.168.0.0/24, 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses; why they chose a /16 is beyond me, stupid really)
PTP VPN: 192.168.116.0/24 comes in and goes out our T1.
1811 router: 90.0.0.254/192.168.30.254/192.168.0.254
ASA: 90.0.0.50
!
track 40 ip sla 40 reachability
 delay down 90 up 60
!
interface Vlan1
 description * LAN INTERFACE 90.0.0.x network * $FW_INSIDE$
 ip address 90.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map WEBPBR
!
interface Vlan10
 description * LAN INTERFACE 192.168.0.x NET * $FW_INSIDE$
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip helper-address 90.0.0.2
 ip virtual-reassembly
 ip policy route-map WEBPBR
!
! Static routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 90.0.0.50 track 20
ip route 0.0.0.0 0.0.0.0 197.164.245.109 200
ip route 8.8.8.8 255.255.255.255 197.164.245.109 permanent
ip route 10.250.10.0 255.255.255.0 90.0.0.50 permanent
ip route 172.20.0.0 255.255.0.0 90.0.0.50 permanent
ip route 208.67.220.220 255.255.255.255 197.164.245.109 permanent
ip access-list extended WEBTRAFFIC
 deny ip any host 208.67.222.222
 deny ip any 172.20.0.0 0.0.255.255
 deny tcp host 90.0.0.2 any eq www
 deny tcp host 90.0.0.14 any eq www
 deny tcp host 90.0.0.235 any eq www
 deny ip host 192.168.0.40 any
 deny ip any host 192.168.0.40
 deny ip host 192.168.0.41 any
 deny ip any host 192.168.0.41
 deny ip any host 192.168.0.221
 deny ip host 192.168.0.221 any
 deny ip host 192.168.0.225 any
 deny tcp host 90.0.0.10 any eq www
 deny ip any host 192.168.0.225
 deny tcp host 90.0.0.11 any eq www
 deny tcp host 90.0.0.9 any eq www
 deny tcp host 90.0.0.8 any eq www
 deny tcp host 90.0.0.7 any eq www
 deny tcp host 90.0.0.6 any eq www
 deny tcp host 90.0.0.1 any eq www
 deny tcp host 90.0.0.13 any eq www
 deny tcp host 90.0.0.200 any eq www
 permit tcp any any eq www
 permit ip host 192.168.0.131 any
 permit ip host 192.168.0.130 any
 permit ip host 192.168.0.132 any
 permit ip host 192.168.0.133 any
 permit ip host 192.168.0.134 any
 permit ip host 192.168.0.135 any
 permit ip host 192.168.0.136 any
 permit ip host 192.168.0.137 any
 permit ip host 192.168.0.138 any
 permit ip host 192.168.0.139 any
 permit ip host 192.168.0.140 any
 permit ip host 192.168.0.141 any
 permit ip host 192.168.0.142 any
 permit ip host 192.168.0.143 any
 permit ip host 192.168.0.144 any
 permit ip host 192.168.0.145 any
 permit ip host 192.168.0.146 any
 permit ip host 192.168.0.147 any
 permit ip host 192.168.0.148 any
 permit ip host 192.168.0.149 any
 permit ip host 192.168.0.150 any
 permit ip host 90.0.0.80 any
 permit ip host 90.0.0.81 any
 permit ip host 90.0.0.82 any
 permit ip host 90.0.0.83 any
 permit ip host 90.0.0.84 any
 permit ip host 90.0.0.85 any
 permit ip host 90.0.0.86 any
 permit ip host 90.0.0.87 any
 permit ip host 90.0.0.88 any
 permit ip host 90.0.0.89 any
 permit ip host 90.0.0.90 any
 permit ip host 90.0.0.91 any
 permit ip host 90.0.0.92 any
 permit ip host 90.0.0.93 any
 permit ip host 90.0.0.94 any
 permit ip host 90.0.0.95 any
 deny tcp host 90.0.0.3 any eq www
ip sla 40
 icmp-echo 208.67.220.220 source-interface Vlan1
 timeout 6000
 frequency 20
ip sla schedule 40 life forever start-time now
route-map WEBPBR permit 2
 match ip address WEBTRAFFIC
 set ip next-hop verify-availability 197.164.245.109 1 track 40
That is how we have it set up right now. If I put in a few lines at the top of WEBTRAFFIC with:
deny ip any 192.168.0.0 0.0.0.255
deny ip any 90.0.0.0 0.0.0.255
deny ip any 192.168.116.0 0.0.0.255
! etc. with all internal networks
* And then put at the bottom:
permit ip any any
will that break EVERYTHING so we can't communicate with anything? Or is that what I need to do so we get internal routing, etc.? Also, I guess I'd put in the 15 IP addresses that are coming in on the ASA as well? (We have 14 public IPs (one for the T1 gateway); would those go in as well?) I don't want to put those in at the top and then find that no one can do anything. I hope I made clear what I'm doing...
Post edited by: Ryan Young
I have not read this thread carefully enough to be able to speak to the intricacies of whether this access list will do what you want. But I can answer the specific question you are asking. Yes - the access list is processed top-down, and if some line higher in the access list matches, then processing for that packet will never get to the permit at the bottom of the access list.
HTH
Rick
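Rick's point about top-down matching, and the crypto-ACL-versus-NAT-ACL question in the 1710 thread above, can both be checked mechanically. The following is an added example, not code from any of the posts: the WEBTRAFFIC subset, the PBR next-hop mapping and the 120/130 lists are constructed from the configurations quoted on this page, and pbr_path and tunnel_or_clear are hypothetical helper names.

```python
import ipaddress

# Added example (not from any post): first-match evaluation of IOS extended ACL
# entries, then what that means for route-map WEBPBR and for the crypto/NAT ACL pair.
def _addr_spec(tok):
    """Pop one address spec from tok: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0xFFFFFFFF
    if tok[0] == "host":
        tok.pop(0)
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok.pop(0)))
    return base, int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>]' lines; '!' starts a comment."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        action, proto, tok = tok[0], tok[1], tok[2:]
        src, dst = _addr_spec(tok), _addr_spec(tok)
        port = None
        if tok[:1] == ["eq"]:
            port = 80 if tok[1] == "www" else int(tok[1])
        entries.append((action, proto, src, dst, port))
    return entries

def _hit(addr, spec):
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(entries, src, dst, proto="ip", dport=None):
    """First match wins: (action, entry index); no match is the implicit deny (index None)."""
    for i, (action, p, s, d, port) in enumerate(entries):
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if _hit(src, s) and _hit(dst, d):
            return action, i
    return "deny", None

# Constructed subset of the WEBTRAFFIC list from the post, entries in the same order.
WEBTRAFFIC = """
deny ip any 172.20.0.0 0.0.255.255
deny tcp host 90.0.0.2 any eq www
deny ip host 192.168.0.40 any
deny ip any host 192.168.0.40
permit tcp any any eq www
permit ip host 192.168.0.131 any
permit ip host 90.0.0.80 any
"""
# The poster's proposal: internal networks denied at the top, permit ip any any at the bottom.
PROPOSED = ("deny ip any 192.168.0.0 0.0.0.255\ndeny ip any 90.0.0.0 0.0.0.255\n"
            "deny ip any 192.168.116.0 0.0.0.255\n" + WEBTRAFFIC + "permit ip any any\n")
CURRENT_ACL, PROPOSED_ACL = parse_acl(WEBTRAFFIC), parse_acl(PROPOSED)

def pbr_path(entries, src, dst, proto="ip", dport=None):
    """route-map WEBPBR permit 2 fires only on an ACL permit; a deny or no match
    leaves the packet to the routing table (default route via the ASA at 90.0.0.50)."""
    if evaluate(entries, src, dst, proto, dport)[0] == "permit":
        return "cable 197.164.245.109"
    return "routing table (T1 via 90.0.0.50)"

# Crypto ACL 120 and NAT route-map ACL 130 from the 1710 post: a packet is either
# encrypted (120 permit) or NATed out Ethernet0 in the clear (130 permit), never both.
ACL120 = parse_acl("permit ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255")
ACL130 = parse_acl("deny ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255\n"
                   "permit ip 192.168.100.0 0.0.0.255 any")

def tunnel_or_clear(src, dst):
    encrypt = evaluate(ACL120, src, dst)[0] == "permit"
    nat = evaluate(ACL130, src, dst)[0] == "permit"
    return ("IPsec tunnel" if encrypt else "clear text"), ("NAT" if nat else "no NAT")
```

With the current list, non-web traffic from 192.168.0.131 to 90.0.0.10 hits the per-host permit and is policy-routed to the cable next hop; with the proposed deny lines at the top it stays on the routing table, while the closing permit ip any any sends every other host's non-web traffic to the cable.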
-
Simple question - how to make an onchange event occur in a select list
Simple question - how do I make an onchange event on a select list start a process?
Thank you
(1) With the ApEx select list, submit the page. You create an after-submit PL/SQL process -> Condition Type = Request = Expression1 -> Expression1 is the name of your select list. Process Source -> the procedure you like. For example, based on your select list value you add rows in different tables.
(2) JavaScript: this example will change a system parameter value when changed -
PIX 501 ICMP access list Question
According to the book I have, the PIX and the firewalls I know of deal with access lists like routers and switches do: they define what traffic is allowed out of the network. With the PIX, access lists can only be applied one way, to the interface the traffic enters, not leaves. That's my understanding, but when I do an ICMP command:
PIX1(config)# access-list ethernet1 permit icmp any any echo-reply
PIX1(config)# access-list ethernet1 permit icmp any any unreachable
PIX1(config)# access-group ethernet1 in interface inside
This does not work, but if I apply the access-group to the outside interface it works. I understand why it is like that.
Thank you
This works because the PIX does not track session state for ICMP traffic the way it does for TCP and UDP.
By default, access from a higher-security interface to a lower one is allowed, unless you have an ACL applied to the higher interface - then only what the ACL permits will be allowed. So you can send outbound ICMP echo requests. However, for the reply to be returned, you must allow that explicitly in an ACL applied on the outside interface, because the PIX won't allow any outside traffic by default.
The same goes for ICMP unreachable, although I want to add a caution about making that part of the config. Allow only the unreachables due to TTL expired, to facilitate path MTU discovery, not all unreachables.
Let me know if it helps.
-
A simple (I think) - compensation access list hitcounts
How can I clear the hitcnt counters for access lists? Other than a reload...
These hitcounts (as in "show access-list"):
access-list INSIDE line 1 permit ip 10.100.10.0 255.255.255.0 host CrazyLarry (hitcnt=107575)
Thank you.
Give this a shot:
clear access-list aclname counters
Scott
-
I have a main Cisco 871 router and 5 remote sites using Cisco 850s. The tunnel comes up fine and I can ping back from the 850 to the 871. However, I think I have an access-list problem, because I can't open the main database, which is on the main site, from any of the 5 locations, nor do I get on the Internet; the proxy server does not get through to the other sites either. I can ping these remote sites but cannot actually use them. These rules are very different from the PIX.
192.168.1.x
* THE REMOTE SITE
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map sheep permit 10
match ip address 101
192.168.0.x
MAIN ROUTER
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
no cdp run
route-map sheep permit 10
match ip address 101
!
ip tcp mss <68-10000>
Hope this helps,
Gilbert
-
Create a group of users to ACS 3.3 - simple question
Hello
I have a simple question:
How can I create an additional user group in ACS 3.3?
I don't see an option to delete or create user groups. Perhaps it is not possible?
Thanks in advance
All the groups you can have already exist in the group list (0 to 499). To "create" a new group, just rename one of the unused existing groups and use it.
If you don't see the groups in your list, you must verify that you have access to see all these groups.
To check, go to Administration Control and select your admin user ID. In the second table below, marked 'Administrator', you will see the 'Available groups' and 'Editable groups' sections. Move the groups you want to use from Available to Editable.
Submit, and then you should be able to see these groups in the drop-down list in the Group Setup section.
-
I have a question... or two... :) on access lists.
My current access list looks like the following:
access-list acl_outbound permit icmp any any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq 80
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq 21
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq 22
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq 8080
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq 443
access-list acl_outbound permit ip any any
access-list acl_inbound permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
access-list outside_cryptomap_9 permit ip 192.168.50.0 255.255.255.0 host Bluff_Outside
1. I get no response from external IP addresses with my permit icmp. Do I have to specify the type of ICMP traffic, such as echo-reply, at the end of the permit statement? I assumed that not specifying a particular ICMP function in the permit would allow all ICMP traffic, but I guess I was wrong.
2. Also, suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.
I noticed that I had to have the permit ip any any to make it work, but I am not sure exactly what is happening when I apply that statement that allows the permit tcp statements to work correctly.
My goals are:
allow hosts listed web traffic (including https and ftp)
allow ICMP pings pass from the inside to the outside and the response
allow VPN tunnels to establish
Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.
Dave
The problem is that you now have an incomplete crypto map on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:
> crypto map outside_map 9 match address outside_cryptomap_9
to your PIX. This should get the traffic flowing again. Although, judging by the hit counters on your ACL, are you trying to ping the host Bluff_Outside to test your ping? If so, then your crypto config says to encrypt all that traffic as well, which probably won't work unless Bluff is configured correctly. Better to keep things as simple as possible while you are testing, so I recommend taking the crypto stuff out for now with:
> no crypto map outside_map interface outside
Reading through your original post, when your access list only allowed certain TCP protocols and you found that it did not work, was it web browsing that didn't work? If so, since you were browsing by name rather than IP address, and depending on where your DNS servers are, you probably also needed to allow DNS lookups (UDP port 53). MANY people forget this.
In addition, in my humble opinion, most of the clients I have seen that initially only allow certain outgoing protocols eventually find it's more pain than anything, as their users keep saying "I need to use this protocol" and "I need to use that protocol". Just be wary if you want to go down this road without a valid reason; you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside subnet, and only your inside subnet, can get out, by doing:
> access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
This limits any kind of back-door connection into your network via your PIX and Internet connection, but still allows all your users to go out and do what they want. Oh you obviously.
-
Simple question about the signing of the app
Hello.
I develop libraries to be used in other apps.
It will be a cod file; its name will be added to the jad as a dependency.
My library has access to the secure API (browser invocation), so I have a simple question:
can I sign only my library cod, or is the application that uses my library expected to be signed too?
THX.
You should be OK just signing the library's cod if your application uses any secure API. However, I make a habit of signing everything, just in case.
-
Everyone;
I need a few questions answered on how to condense a 300-line deny access list into something shorter. Right now, we want to put the abbreviated version of the access list on the 7204 VXR border router if possible. It is an attempt to block known bad IP addresses that are not network friendly. Currently there are 2 ASA 5540s behind the border router.
Thanks in advance;
gmaurice
No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)