Simple Question SSH Access-List

Similar Questions

• Question of access list for Cisco 1710 performing the 3DES VPN tunnel

  I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

  For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

  My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

  Any input or assistance would be greatly appreciated.

  Map Test 11 ipsec-isakmp crypto

  ..

  match address 120

  Interface Ethernet0

  ..

  card crypto Test

  IP nat inside source overload map route sheep interface Ethernet0

  access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 allow ip 192.168.100.0 0.0.0.255 any

  sheep allowed 10 route map

  corresponds to the IP 130

  He would go through the interface e0 to the Internet in clear text without going above the tunnel

  Jean Marc

• Question of Access-list PIX

  The following access list works on a cisco router, however, the list will not work on the PIX (I change the mask to wildcards to a for the PIX subnet mask).

  Router (works)

  access allowed test tcp 192.168.1.50 list 0.0.0.5 host 10.10.10.1 eq 80

  PIX (does not work)

  access list permit test tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80

  I get the error on the PIX:

  ERROR: Source, mask <192.168.1.50, 0.0.0.10="">address not pair

  Is it possible to group IP addresses as well as on the PIX in a similar way as Cisco IOS?

  Thank you!

  Domo Arigato!

  You can use

  192.168.1.48 255.255.255.248 for the source or if they are many hosts you must insert an individual entry for each source.

  Of course you can refuse the host 192.168.1.49 and

  Let the others allow 192.168.1.48 255.255.255.248

• simple question about access to information of predicate and filter

  Hello Experts

  I know that maybe this is a very simple and fundamental question. I read a lot of articles on explains the plan and trying to understand what are 'access' and 'filter' which means?
  Please correct me if I'm wrong, I guess when the index of explain plan can use predicate choose access if the explain command plan go with complete table filter scan (witout index) is chosen.

  My last question is, can you recommend me an article or document will contact plan to explain it in clear language and base level?

  Thanks in advance.

  Hello

  as the name suggests, access predicate is when data access based on a certain condition. Filter predicate is when the data is filtered by this condition after reading.

  For example, if you have a select * FROM T1 WHERE X =: x AND Y =: y, where X column is indexed, but column Y is not, you can get a map with an INDEX RANGE SCAN with access predicate = X: x (because you can use this condition to when selecting the data to be read and read only sheets of index blocks that meet this condition) and ACCESS BY ROWID from TABLE with the filter predicate Y =: y (because you cannot check this condition until after reading the table block).

  I'm not aware of any good articles on the subject, and unlike others I can't find Oracle enough detailed documentation. I suggest you read a book, for example Christian Antognini, "Troubleshooting Oracle performance problems."

  Best regards

  Nikolai

• Simple question of accessibility of the Checkbox

  Hello

  Apex 4.2.4 I a "simple checkbox" column in tabular form, with this definition:, (i.e. the means recorded Y, unchecked means NULL)

  The generated markup is as follows:

  < class td = "data" >

  < label = "f06_0003" class = "hideMeButHearMe" > PublicAccess? < / label >

  < input autocomplete = "off" name = "f06_NOSUBMIT" value = "Y" id = "f06_0003_01" onclick = "if (this.checked) {apex.jQuery('#f06_0003').val('Y') ;} else {apex.jQuery('#f06_0003').val (») ;} "type ="checkbox">

  < input autocomplete = "off" name = "f06" value = "" id = "f06_0003" type = "hidden" > "

  < table >

  As you can see, there is a divergence between current etiquette 'for' attribute and the entry id. This triggers an error our accessibility verification tool.

  I'm not an accessibility expert, but it seems wrong indeed and seems like a bug to me. Any ideas to fix this?

  Thank you

  Luis

  Luis Cabral says:

  Apex 4.2.4 I a "simple checkbox" column in tabular form, with this definition:, (i.e. the means recorded Y, unchecked means NULL)

  The generated markup is as follows:

  PublicAccess?

  As you can see, there is a divergence between current etiquette 'for' attribute and the entry id. This triggers an error our accessibility verification tool.

  I'm not an accessibility expert, but it seems wrong indeed and seems like a bug to me. Any ideas to fix this?

  Very bad. The HTML specification states that entry command such as hidden are not labelable. This Mozilla bug indicates that browsers (Firefox at least) will ignore these labels. Even if they don't always get you with a checkbox that is unlabelled. It is clearly a bug. APEX should show the for attribute of the label element the ID of the check box:

  PublicAccess?

  Workaround solutions:

  • Use a dynamic refresh action to execute some JavaScript to set the for attribute correctly.
  • Do not use the built-in simple checkbox control. Generate equivalent to the code above with the correct labelling as a column in the query source region.
  • Do not use a tabular presentation.

• Cisco ASA tunnel access list question

  We have created a site to IPSec tunnel. Initially, only two IP address were allowed access to the tunnel.  They ask now addresses.  My question is, if I use access-list extended inside_access_in permit ip any host 10.60.55.10, I also have to make a statement of NAT that allows this?

  And when we change the VPN Site to Site connection profile, I have to allow all through this tunnel as well, correct?

  I thank you and I hope this makes sense.  We were originally political thought based routing on the nearest core of the source.

  Dwane

  Hi Sylvie,.

  If you use NAT so I say yes you must consider from... Normally, in a private LAN on L2L scenario, you might have used no. - NAT... If you have LAN identical at both ends, then you might have using a NAT to a diff of subnets at both ends... If you use the NAT public IP then it will be on the public IP based L2L address... So it depends on your current configuration.

  If you use one to 10.60.55.10 (then your site any subnet which flows through the VPN Firewall to 10.60.55.10 is allowed... here you may need to modify NAT as a source...)

  But the problem comes from the other end... for them the source will be 10.60.55.10 and destination would... then all traffic from host 10.60.55.10 is taken through the tunnel...

  So instead of making a statement as any visit its respective great nets 172.16.0/16 for example...

  Concerning

  Knockaert

• Newbie question route-map/access-list

  I am quite new to the thing whole cisco here.  I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)

  We have a router cisco 1811 (yes I know its old)

  We now have a road map and I'm trying to understand it to make it work the way we want.  Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1.  Our T1 uses an ASA5505 as a router.  I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject.  I am doing as a result.  Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1.  This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1.   If our cable goes down, everything for the T1 (by design).  We have a long list of defined access our route map - use corresponding ip.  I want to change the access list to not allow local network IP addresses.  I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more.  So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network.  I wouldn't pull the laminated cord and use the console.  (I really need get a USB serial interface).  Now, you understand a little more about my situation now for all numbers, etc.

  Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)

  PTP VPN: 192.168.116.0/24 comes and goes out our T1.

  1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

  ASA: 90.0.0.50

  !

  follow the accessibility of ALS 40 ip 40

  delay the decline 90 60

  !

  interface Vlan1

  Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$

  IP 90.0.0.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  IP tcp adjust-mss 1452

  route WEBPBR card intellectual property policy

  !

  interface Vlan10

  Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$

  IP 192.168.0.254 255.255.255.0

  IP nat inside

  IP helper 90.0.0.2

  IP virtual-reassembly

  route WEBPBR card intellectual property policy

  !

  ! Static routes

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

  IP route 0.0.0.0 0.0.0.0 197.164.245.109 200

  IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

  IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

  IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

  IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

  WEBTRAFFIC extended IP access list
  deny ip any host 208.67.222.222
  deny ip any 172.20.0.0 0.0.255.255
  refuse the host tcp 90.0.0.2 any eq www
  refuse 90.0.0.14 tcp host any eq www
  refuse 90.0.0.235 tcp host any eq www
  refuse the host ip 192.168.0.40 everything
  deny ip any host 192.168.0.40
  refuse the host ip 192.168.0.41 all
  deny ip any host 192.168.0.41
  deny ip any host 192.168.0.221
  refuse the host ip 192.168.0.221 all
  refuse the host ip 192.168.0.225 all
  refuse 90.0.0.10 tcp host any eq www
  deny ip any host 192.168.0.225
  refuse 90.0.0.11 tcp host any eq www
  refuse 90.0.0.9 tcp host any eq www
  refuse 90.0.0.8 tcp host any eq www
  refuse 90.0.0.7 tcp host any eq www
  refuse 90.0.0.6 tcp host any eq www
  refuse the 90.0.0.1 tcp host any eq www
  refuse 90.0.0.13 tcp host any eq www
  refuse 90.0.0.200 tcp host any eq www
  permit tcp any any eq www
  allow the host ip 192.168.0.131 one
  allow the host ip 192.168.0.130 one
  allow the host ip 192.168.0.132 one
  allow the host ip 192.168.0.133 one
  allow the host ip 192.168.0.134 one
  allow the host ip 192.168.0.135 one
  allow the host ip 192.168.0.136 one
  allow the host ip 192.168.0.137 one
  allow the host ip 192.168.0.138 one
  allow the host ip 192.168.0.139 one
  allow the host ip 192.168.0.140 one
  allow the host ip 192.168.0.141 one
  allow the host ip 192.168.0.142 one
  allow the host ip 192.168.0.143 one
  allow the host ip 192.168.0.144 a
  allow the host ip 192.168.0.145 one
  allow the host ip 192.168.0.146 one
  allow the host ip 192.168.0.147 one
  allow the host ip 192.168.0.148 one
  allow the host ip 192.168.0.149 one
  allow the host ip 192.168.0.150 one
  allow the host ip 90.0.0.80 one
  allow the host ip 90.0.0.81 one
  allow the host ip 90.0.0.82 one
  allow the host ip 90.0.0.83 one
  allow the host ip 90.0.0.84 one
  allow the host ip 90.0.0.85 one
  allow the host ip 90.0.0.86 one
  allow the host ip 90.0.0.87 one
  allow the host ip 90.0.0.88 one
  allow the host ip 90.0.0.89 one
  allow the host ip 90.0.0.90 one
  allow the host ip 90.0.0.91 one
  allow the host ip 90.0.0.92 one
  allow the host ip 90.0.0.93 one
  allow the host ip 90.0.0.94 one
  allow the host ip 90.0.0.95 one
  refuse the host tcp 90.0.0.3 any eq www

  ALS IP 40

  208.67.220.220 ICMP echo source interface Vlan1

  Timeout 6000

  frequency 20

  ALS annex IP 40 life never start-time now

  allowed WEBPBR 2 route map

  corresponds to the IP WEBTRAFFIC

  set ip next-hop to check the availability of the 197.164.245.109 1 track 40

  That is how we have it set up right now.  If I put in a few lines above WEBTRAFFIC with:

  deny ip any 192.168.0.0 0.0.0.255

  deny ip any 90.0.0.0 0.0.0.255

  deny ip any 192.168.116.0 0.0.0.255

  !  Etc with all internal networks

  * And then put at the bottom:

  allow an ip

  who will ALL break so we can not communicate with anything?  Or is that what I did to do this, we get internal routing etc.?  Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well?  (We have public IPS 14 (one for the T1 gateway) that would go as well?)  I don't want to try to put in those at the top and make sure no one can do anything.  I hope I made clear what I'm doing...

  Post edited by: Ryan Young

  I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.

  HTH

  Rick

• Simple question - how to make an onchange event occur in a select list

  Simple question - how to make an onchange event occur in a list to start a process of selection?
  Thank you

  (1) with the ApEx selection about to submit list.
  You create a PL/SQL process after Submit. -> Request for conditional Type = Expression1. -> Expression1 is the name of your selection list. Treat the Source - > procedure you like. For example based on your select list value you add rows in different tables.
  (2) Javascript this example will change a system parameter value when changed

• PIX 501 ICMP access list Question

  According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:

  PIX1 (config) # access - list ethernet1 permit icmp any any echo response

  PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible

  Access-group ethernet1 PIX1 (config) # interface inside

  This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.

  Thank you

  This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.

  By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.

  Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.

  Let me know if it helps.

• A simple (I think) - compensation access list hitcounts

  How can I clear counters hitcnt for access lists? Also a reload...

  These hitcounts (as in "show access-list"):

  access list to the INSIDE of the line 1 permit ip 10.100.10.0 255.255.255.0 host CrazyLarry (hitcnt = 107575)<>

  Thank you.

  This gives a shot:

  access-list aclname Clear counters

  Scott

• ACCESS LIST QUESTIONS?

  I have a hand router Cisco 871 and 5 remote sites using the Cisco 850. The tunnel comes up fine and can ping back from the 850 to the 871. However, I think that I have a problem of access list because I can't open the main database which is on the main site of any of the 5 locations nor do I get on the internet that the proxy server get no not at other sites. I can ping these remote sites, but cannot use them in fact. These rules are very different, and then the PIX.

  192.168.1x

  * THE REMOTE SITE

  access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

  access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

  access-list 101 permit ip 192.168.1.0 0.0.0.255 any

  not run cdp

  sheep allowed 10 route map

  corresponds to the IP 101

  192.168.0.X

  HAND ROUTER

  recording of debug trap

  access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

  access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

  access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

  access-list 101 permit ip 192.168.0.0 0.0.0.255 any

  access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255

  access-list 103 allow ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255

  access-list 104. allow ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255

  not run cdp

  sheep allowed 10 route map

  corresponds to the IP 101

  !

  IP tcp mss<68-10000>

  Hope this helps,

  Gilbert

• Create a group of users to ACS 3.3 - simple question

  Hello

  I have a simple question:

  How can I create a group of additional users at the ACS 3.3?

  I don't see the option to delete or create groups of users. Perhaps is it not possible?

  Thanks in advance

  All groups that you have already exist in the list of groups (0 to 499). To "create" a new group, just rename one of the unused existing groups and use.

  If you don't see the groups in your list, you must verify that you have access to see all these groups.

  Verifier check in the control of the Administration, select your admin user ID. In the second table below marked 'administrator', you will see the "available groups" and the editable section 'groups '. move the groups that you want to use available for editable.

  Present and then OU should be able to see these groups on your drop-down list in the section groups.

• access lists

  I have a question... or two... :) on access lists.

  My current access list looks like the following:

  access-list acl_outbound allow icmp a whole

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 80

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 21

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 22

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 8080

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 443

  acl_outbound ip access list allow a whole

  access-list acl_inbound allow icmp a whole

  inside_nat0_outbound 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

  outside_cryptomap_9 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

  1. I get no response to external IP addresses with my permit icmp echo. I have to specify what type of ICMP traffic as echo response on the end of the statement of license? I assumed not to put a specific function of what ICMP permit would allow all ICMP traffic, but I guess I was wrong.

  2. also suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.

  As I noticed that I had to have the ip permit any one to make it work, but am not sure exactly what is happening when I apply that statement to allow permit tcp statement work correctly.

  My goals are:

  allow hosts listed web traffic (including https and ftp)

  allow ICMP pings pass from the inside to the outside and the response

  allow VPN tunnels to establish

  Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.

  Dave

  The question is now that you have an incomplete encryption card on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:

  > card crypto outside_map 9 match address outside_cryptomap_9

  to your PIX. This should get the traffic flowing again. Although passed by the hit counters your ACL, try to ping the host Bluff_Outside to test your ping? If so, then your config crypto says to encrypt all traffic as well, which probably won't work unless the Bluff is configured correctly. Better to make things as simple as possible while you are testing, then I recommend to take the crypto stuff for now with:

  > no outside_map interface card crypto outside

  Reading through your original post, when you access list only allowing certain protocols TCP, and you found that it did not work, was it web browsing that didn't work? If so, whether you have been reviewed by name rather than IP address, and depending on where your DNS servers, you probably also needed to enable DNS lookups via (udp port 53). MANY people forget this.

  In addition, in my humble OPINION, most of the clients that I have seen that initially only allow certain outgoing protocols, eventually find it's more pain than anything like their users say "I need to use this Protocol" and "I need to use this Protocol. Just be tired if you want to go down this road without a valid reason, you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside the subnet and only your home subnet, can get out by doing:

  > acl_outbound 192.168.50.0 ip access list allow 255.255.255.0 any

  This limited kind of all other connections rear door inside your network by your PIX and Internet connection, but still allows all your users go out and do what they want. Oh you obviously.

• Simple question about the signing of the app

  Hello.

  I develop libraries to be used in other apps.

  It will be a cod file, its name will be added to the jad as a dependency.

  My library has access to the secure API (call of the browser), so I have a simple question:

  can I register only my cod library or application that uses my library is expected to be signed in too?

  THX.

  You should be ok just signature cod of the library, if your application uses any API secure. However, I just make a habit to sign everything just in case.

• line 300 deny access-list

  Everyone;

  I need a few questions answered on how to condense on a 300 line refuse access-list into something maybe shorter. Right now, we want to put the abbreviated version of access on the border router 7204 VXR if possible list. It is an attempt to block possible known bad IP address that are not network friendly. Currently there are 2 ASA 5540 behind the border router.

  Thanks in advance;

  gmaurice

  No problem! Let us know if you have any other questions. Otherwise, please mark the thread as "answered" :)