the conversion of the outgoing state access list

Similar Questions

• No not removed from the external interface access-list access list?

  PIX515

  customer wanted to modify the access list (add a new line)

  so he has first publish no access-list command can

  apply the change to the access list, but the access list has been

  removed from the interface outside

  is this a normal behavior? on routers access list stay connected

  for the event of the interface if you issue no access-list command

  Thanks in advance for any comments

  JYP

  Hi Thibault-

  No, it is not a normal behavior, sounds more like an error by the customer. It's always a good idea to copy the required ACL on a text editor (Notepad) do not forget to include "access-group command" i.e. "access-group interface inside inside' or 'access-group out in interface outside' - when copying the required ACL and then issues a 'no access-list inside' or 'no access-list outside' the first line in the ACL copied on your notebook before copy you it to the PIX , also make sure that you are using the config and make an "m wr" (write memory) after the ACL modified have been applied on the PIX.

  Hope this helps-

• On the Restriction of the time to access list

  Hello

  Nice day

  I know that when I assigned a security level of 0 on the external interface means that I'm welcome all types of traffic between the inside and outside at any time without ACL applied to the inside interface. However, I need to control some users inside my local network to access to certain destinations at the moment. This means I need to increase my security level to 50 on the external interface in order to apply an ACL slot inside the interface?

  I'll appreciate your quick response.

  Kind regards

  Turbo

  Hi Turbo,

  With no ACLs in use the PIX will allow traffic flows through one interface to another providing the source, the interface is of a higher security than the destination.

  You mentioned that you will need to create an ACL on the outside - you should only do this if you want to accept incoming connections that are made from the external interface. This has always been the case for you if your outside security level is 0.

  To create your ACL with a time interval, make sure your PIX clock is set to the correct time since it is the clock that the ACL allows action against their time slot.

  After that, the commands you indicated above should create the ACL allowing http to 192.168.3.0/24 throughout the hour and the date in your message.

  Are there error messages indicating when you attempt the connection?

  Ian

• Question of access list for Cisco 1710 performing the 3DES VPN tunnel

  I have a question about the use of access lists in the configuration of a router Cisco 1710 that uses access lists to control traffic through the VPN tunnel.

  For example the following lines in a configuration on the remote router. My question is whether or not the traffic that matches the definition of list access-130 (something other than 192.168.100.0/24), cross the VPN tunnel or go directly to the Ethernet0 interface.

  My understanding is that traffic that matches the access list 120 would be encrypted and sent through the IPSec tunnel. If there was "ban" set out in the statements of 120 access-list, the traffic for those would be sent through the IPSec tunnel but not encrypted (if possible). And finally, given that the definition of crypto card reference only "adapt to 120", any traffic that matches 130 access list would be sent Ethernet0 but not associated with the card encryption and thus not sent through the IPSec tunnel. "

  Any input or assistance would be greatly appreciated.

  Map Test 11 ipsec-isakmp crypto

  ..

  match address 120

  Interface Ethernet0

  ..

  card crypto Test

  IP nat inside source overload map route sheep interface Ethernet0

  access-list 120 allow ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 refuse ip 192.168.100.0 0.0.0.255 10.10.0.0 0.0.255.255

  access-list 130 allow ip 192.168.100.0 0.0.0.255 any

  sheep allowed 10 route map

  corresponds to the IP 130

  He would go through the interface e0 to the Internet in clear text without going above the tunnel

  Jean Marc

• Access-list command not supported in the 2.2 FWSM (1)

  Hi Netpros

  I am facing a strange problem with one of my FWSM installed in my spare box 7609.

  I have a FWSM installed in live production network, in which the caught watch access list supported and I am able to set up their place, but in the alternative box, I am unable to do so when I have? to get the command supported, it doesn't either up the access-list command.

  The two boxes run upward with 2.2 (1) and on different 7609 boxes.

  Basically, I want to do the CLI or the tested features up to in my box of spare before you go and implement the same on the live production network.

  I have attached both the version of the show, but also the supporting documents.

  Pls do not help to find where I m lack somehting here :-(.

  regds

  Your spare module is configured in mode 'multiple context', where you can create up to 100 logical firewall within one FWSM. In this mode, when you the meeting into the FWSM, you enter in what we call the context of the system in which all you can do is set the other contexts. In the context of the system there is no notion of the lists of access or something like that, and that's why you can't see these commands you.

  You want to deliver the FWSM in unique context mode by running the command:

  simple mode

  Reboot and then when he comes back to the top you'll be good to go.

• access lists

  I have a question... or two... :) on access lists.

  My current access list looks like the following:

  access-list acl_outbound allow icmp a whole

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 80

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 21

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 22

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 8080

  acl_outbound list of access allowed tcp 192.168.50.0 255.255.255.0 any eq 443

  acl_outbound ip access list allow a whole

  access-list acl_inbound allow icmp a whole

  inside_nat0_outbound 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

  outside_cryptomap_9 192.168.50.0 ip access list allow 255.255.255.0 host Bluff_Outside

  1. I get no response to external IP addresses with my permit icmp echo. I have to specify what type of ICMP traffic as echo response on the end of the statement of license? I assumed not to put a specific function of what ICMP permit would allow all ICMP traffic, but I guess I was wrong.

  2. also suggestions on how to improve my access lists would be appreciated. Just because it might "work" does not mean that it is the best way.

  As I noticed that I had to have the ip permit any one to make it work, but am not sure exactly what is happening when I apply that statement to allow permit tcp statement work correctly.

  My goals are:

  allow hosts listed web traffic (including https and ftp)

  allow ICMP pings pass from the inside to the outside and the response

  allow VPN tunnels to establish

  Thank you all for your help. This forum was very informative and useful with previous posts, I'm sure it will be with this one as well.

  Dave

  The question is now that you have an incomplete encryption card on your PIX, which effectively blocks ALL outgoing traffic. Add the following line:

  > card crypto outside_map 9 match address outside_cryptomap_9

  to your PIX. This should get the traffic flowing again. Although passed by the hit counters your ACL, try to ping the host Bluff_Outside to test your ping? If so, then your config crypto says to encrypt all traffic as well, which probably won't work unless the Bluff is configured correctly. Better to make things as simple as possible while you are testing, then I recommend to take the crypto stuff for now with:

  > no outside_map interface card crypto outside

  Reading through your original post, when you access list only allowing certain protocols TCP, and you found that it did not work, was it web browsing that didn't work? If so, whether you have been reviewed by name rather than IP address, and depending on where your DNS servers, you probably also needed to enable DNS lookups via (udp port 53). MANY people forget this.

  In addition, in my humble OPINION, most of the clients that I have seen that initially only allow certain outgoing protocols, eventually find it's more pain than anything like their users say "I need to use this Protocol" and "I need to use this Protocol. Just be tired if you want to go down this road without a valid reason, you can cause a lot of extra work for yourself. What could be easier is just to make sure that your inside the subnet and only your home subnet, can get out by doing:

  > acl_outbound 192.168.50.0 ip access list allow 255.255.255.0 any

  This limited kind of all other connections rear door inside your network by your PIX and Internet connection, but still allows all your users go out and do what they want. Oh you obviously.

• card crypto access lists / problem if more than one entry?

  Access list for IPSec enabled traffic.

  I've been recently setting up a VPN between two sites and I came across the following problem:

  I wanted to install a VPN that only 2 posts from site A to site B, a class C network

  So I created a list of access as follows:

  access-list 101 permit IP 192.168.0.1 host 192.168.1.0 0.0.0.255

  access-list 101 permit IP 192.168.0.2 host 192.168.1.0 0.0.0.255

  When I applied the access list above to map (match address 101) encryption, I quickly realized that only the first host (192.168.0.1) was successfully encrypted beeing while the other could not. I've been geeting on ipsec debugging errors saying that traffic to 192.168.0.2 denyed by the access list.

  When I changed the access list above with the following

  access-list 101 permit IP 192.168.0.1 0.0.0.255 192.168.1.0 0.0.0.255

  two items of work could successfully encrypted through IPSec tunnel.

  To look further into it, I realized that only the first entry of the IPsec access list has been really tested for the corresponding traffic!

  Is this a normal behavior or a known Bug? No work around for this problem?

  Kind regards.

  If you have ipsec-manual crypto map in crypto ACL, you can specify that an ACE. Check 12.2 docs:

  Access lists for labelled as ipsec-manual crypto map entries are limited to a single permit entry and the following entries are ignored. In other words, the security associations established by this particular entry card crypto are only for a single data stream. To be able to support several manually created security for different types of traffic associations, define multiple crypto access lists and then apply each a separate entrance card crypto ipsec-manual. Each access list should include a statement to define which traffic to protect.

• Routing VPN access list

  Hello

  I have a PIX 525 to my main site and a 1721 router at a remote location. I used the PDM and the SDM to configure site-to-site IPSec VPN connection. In my private network, I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) to remote sites.

  The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured the traffic to flow from the remote site to 10.1.0.0/16 only. This means that the remote site cannot speak to any other remote sites, just the main site.

  I need to modify the access list to solve this problem. The relevant part of the remote site access list is now:

  access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  Can I change the subnet mask in the first line and put the second line first?

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  access-list 103 allow ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255

  Or should I let the deny at the end statement, and add a line for each of the other remote sites:

  access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  ... (others)

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  Thank you.

  John

  John

  Help the additional configuration information that you have posted. There are still a few things which I hope could be clarified. It seems that you have 46 remote sites and only is connected via a VPN. How have the other connectivity? It is all over the links within your private network? Is there than any NAT involved in these other connections?

  In my previous answer, I assumed that there will be multiple VPN connections, revealing your additional information is not the case. So my comment about limitations in PIX for talk of talks is true but not applicable to your situation.

  Other remote sites are also coming via the VPN? If yes access list 100 which the 1721 uses to identify the IPSec traffic (and that was not in your posted material) will probably have to be changed.

  According to access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate put it as the first entry in the access list. What about if you want to use ip 10.0.0.0 allow 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual licenses, according to me, a point to consider is that allowed 10.0.0.0 0.255.255.255 will allow any space of 10 addresses. It seems that you use 1 to 47. What happens if something came through 10.122.x.x? I suggest a compromise approach. You can use this:

  IP 10.0.0.0 allow 0.31.255.255 10.19.0.0 0.0.255.255

  ip licensing 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255

  This would allow 1 to 47 but not others.

  HTH

  Rick

• access-list [line-num]

  Too often, I see in the access list statement, there is a line number set to 1, like this:

  permit access-list id_test 1...

  Desc the doc said: "The line number to insert a note or an access control element (ACE)."

  I can understand his 'writing' but never 'really' understand. :)

  Someone could it explain by giving an example?

  Thank you for helping.

  Scott

  PIX (config) # access-list id_test sh

  id_test list of access; 5 elements

  id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)

  id_test of access list row 2 allow accord any host 2.2.2.2 (hitcnt = 0)

  id_test of access list row 3 will allow any host 3.3.3.3 (hitcnt = 0)

  line 4 of the id_test of access list allow accord any host 4.4.4.4 (hitcnt = 0)

  access list id_test line 5 will allow any host 5.5.5.5 (hitcnt = 0)

  PIX (config) # access - list id_test line 2 Note Hello

  PIX (config) # access-list id_test sh

  id_test list of access; 5 elements

  id_test of access list row 1 will allow any host 1.1.1.1 (hitcnt = 0)

  Hello from note access-list id_test line 2

  id_test of access list row 3 will allow any host 2.2.2.2 (hitcnt = 0)

  line 4 of the id_test of access list allow accord any host 3.3.3.3 (hitcnt = 0)

  access list id_test line 5 will allow any host 4.4.4.4 (hitcnt = 0)

  id_test of access list line 6 will allow any host 5.5.5.5 (hitcnt = 0)

  allowed for pix (config) # access - list id_test line 1 icmp any host 1.1.1.1

  PIX (config) # access-list id_test sh

  id_test list of access; 6 items

  allowed to Access-list id_test line 1 icmp any host 1.1.1.1 (hitcnt = 0)

  id_test of access list row 2 allow accord any host 1.1.1.1 (hitcnt = 0)

  Note access-list id_test line 3 Hello

  line 4 of the id_test of access list allow accord any host 2.2.2.2 (hitcnt = 0)

  access list id_test line 5 will allow any host 3.3.3.3 (hitcnt = 0)

  id_test of access list line 6 will allow any host 4.4.4.4 (hitcnt = 0)

  access list id_test line 7 will allow any host 5.5.5.5 (hitcnt = 0)

  TRIS-NOC-FW1 (config) #.

  the golden rule of the acl, is that it works in order, from top to bottom. with the line number, you can precisely insert the new entry of acl or note everywhere where you want.

  for example, imagine you have a 200-entry acl, and now you want to allow one host before the other refuse registration. of course you don't want to interrupt the network by UN-apply and reapply the entire acl. in this case, the line number to save life.

• bug in iOS? startup-config + command access-list + an invalid entry detected

  I posted this yesterday in the newsgroup usenet comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

  Cisco 827

  IOS (TM) C820 software (C820-K9OSY6-M), Version 12.2 (8) T5, RELEASE

  SOFTWARE (fc1)

  I'm looking to use a host named in a more extended access list. The

  script I copy startup-config contains the following entries:

  ! the 2 following lines appear at the top of the script

  123.123.123.123 IP name-server 123.123.123.124

  IP domain-lookup

  ! the following line appears at the bottom of the script

  120 allow host passports - 01.mx.aol.com one ip access-list

  When I reboot the router, I saw the following message:

  Translation of "passports - 01.mx.aol.com"... the domain server (255.255.255.255)

  120 allow host passports - 01.mx.aol.com one ip access-list

  ^

  Invalid entry % detected at ' ^' marker.

  It seems as if the entrance to the server name of the router is not processed

  prior to the access list. I can not even check with

  router02 access lists 120 #sh

  makes the access list entry * not * exist.

  But when I manually type the entry in the router I see the

  Next:

  router02 (config) #access - list 120 permits Passport - 01.mx.aol.com ip host

  any

  Translation of "passports - 01.mx.aol.com"... the domain server (123.123.123.123)

  [OK]

  and I can confirm its creation:

  router02 access lists 120 #sh

  Extend the 120 IP access list

  allow the host ip 64.12.137.89 one

  I have to do something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same label/common sense if apply here as apply to newsgroups usenet. i.e. post us actual ip addresses in our configs or must they be edited?)

  Any help is very appreciated.

  Hello

  Currently IOS does not use DNS - names in the ACL for the saved configuration / running.

  When you type in a list of access with a domain name we he looks up and replaces it with the IP address. I remember seeing a bug No. recently request this feature but I don't remember one bug id # now.

  Router (config) #access - list 187 ip allow any host www.cisco.com

  Router (config) #^ Z

  router #show run | 187 Inc

  IP access-list 187 allow any host 198.133.219.25

  router #show worm | split 12

  IOS (TM) C800 Software (C800-K9NOSY6-MW), Version 12.2 (13) T, RELEASE

• IOS VPN on 7200 12.3.1 and access-list problem

  I'm in IOS 12.3 (1) a 7200 and have configured it for VPN access. I use the Cisco VPN client. Wonder if someone has encountered the following problem, and if there is a fix.

  The external interface has the access-list standard applied that blocks incoming traffic. One of the rules is to block the IPs private, not routable, such as the 10.0.0.0 concern, for example.

  When I set my VPN connection, none of my packets get routed and I noticed that outside access list interface blocks the traffic. When I connect to the router through VPN, the router attributes to the client an IP address from a pool of the VPN as 10.1.1.0/24. But normal outside the access list denies this traffic as it should. But as soon as I have established a VPN connect, it seems that my encrypted VPN traffic must ignore the external interface access list.

  If I change my external access list to allow traffic from source address 10.1.1.0/24 my VPN traffic goes through correctly, but this goes against the application to have an outdoor access list that denies such traffic and have a VPN.

  Anyone else seen this problem or can recommend a software patch or version of IOS which works correctly?

  Thank you

  R

  That's how IOS has always worked, no way around it.

  The reasoning is to do with the internal routing on the router. Basically an encrypted packet inherits from the interface and initially past control of ACL as an encrypted packet. Then expelled the crypto engine and decrypted, so we now have this sitting pouch in the cryptographic engine part of the router. What do we with her now, keeping in mind users may want political route she is also, might want to exercise, qos, etc. etc. For this reason, the package is basically delivered on the external interface and running through everything, once again, this time as a decrypted packet. If the package hits the ACL twice, once encrypted and clear once.

  Your external ACL shall include the non encrypted and encrypted form of the package.

  Now, if you're afraid that people can then simply spoof packets to come from 10.1.1.0 and they will be allowed through your router, bzzzt, wrong. The first thing that the router checks when it receives a packet on an interface with a card encryption applied is that if the package needs to be encrypted, it is from his crypto ACL and its IP pools. If he receives a decrypted packet when it knows that it must have been encrypted, it will drop the package immediately and a flag a syslog something as "received the decrypted packet when it should have been."

  You can check on the old bug on this here:

  http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCdz54626&submit=search

  and take note of the section of the security implications, you may need to slightly modify your configuration.

• Effect of the access lists on free access of high to low by default

  I'll implement access rules list on PIX525 (V6.3) with several DMZ, but want to minimize the rules.

  Scenario - 3 interfaces (inside (secuity100, average security50 outside Security0)

  To allow hosts on the way to reach the inside I create an access list applied to a central interface. However, will be an implicit (or explicit) deny at the end of the access list prevents the intermediate hosts with default value to open access to the lower security outside the interface?

  Thank you

  Mick

  Level of security and access lists:

  To grant access of lower to higher level, you need to an access list and a static.

  Equal to equal level cannot talk to each other.

  Higher level of security can talk to lower levels, if there is no access on this interface list and the NAT is configured correctly.

  ACL will add at the end a "deny ip any any" after a statement of license. So getting back to your question: If you allow a DMZ host to connect internal host on a specific port that all other connections are blocked. You must specify all the tarffic in this access list otherwise they will be blocked.

  The only exception is the traffic may be from other interface access lists to the demilitarized zone, answers etc. For example, you are allowing port 80 to a dmz host outside this traffic will not be verified again by the dmz access list.

  sincerely

  Patrick

• Must have an e-mail virus, my Outlook send at least 10 people on my contact list a unsolicited to email that I got relative to earn money in your spare time in the United States.

  Must have an e-mail virus, my Outlook send at least 10 people on my contact list a unsolicited to email that I got relative to earn money in your spare time in the United States. How do is stop what's happening, I have anti virus and anti spyware programs but this is not enough!
  original title: e-mail viruses?

  The part that you do not know how?

• allow icmpv6 in ipv4-access list in the tunnel

  Hello

  I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

  My tunnel works and is as follows:

  interface Tunnel0

  no ip address

  IPv6 address

  enable IPv6

  source of tunnel

  ipv6ip tunnel mode

  tunnel destination

  So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

  Access list that I apply is the following:

  allow tcp any a Workbench

  allowed UDP any eq field all

  allowed any EQ 67 udp no matter what eq 68

  allowed UDP any eq 123 everything

  allowed UDP any eq 3740 everything

  allowed UDP any eq 41 everything

  allowed UDP any eq 5072 everything

  allow icmp a whole

  deny ip any any newspaper

  Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

  TCP 3874	TIC.sixxs.net	IPv4	ICT (Information Tunnel & Control Protocol)	Used to retrieve the information of tunnel (for instance AICCU)	Uses the TCP protocol and should work without problems
  UDP 3740	PoP	IPv4	Heartbeat Protocol	Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive	the user only to pop out
  Protocol 41	PoP	IPv4	IPv6 over IPv4 (6 in 4 tunnel)	Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat)	We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
  UDP 5072	PoP	IPv4	AYIYA (anything in anything)	Used for tunneling IPv6 over IPv4 (AYIYA tunnels)	Must cross most NAT and even firewalls without any problem
  ICMPv6 echo response.	Tunnel endpoints	IPv6	Internet Control Message Protocol for IPv6	Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel	No, because it is happening inside the tunnel

  I missed something?

  sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

  Hope someone can help me.

  Hello

  In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

  If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

  Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

  But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

  -Jouni

• A possible bug related to the Cisco ASA "show access-list"?

  We had a strange problem in our configuration of ASA.

  In the "show running-config:

  Inside_access_in access-list CM000067 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:http_access

  Inside_access_in access-list CM000458 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:https_access

  Note to inside_access_in to access test 11111111111111111111111111 EXP:1/16/2014 OWN list: IT_Security BZU:Network_Security

  access-list extended inside_access_in permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 Journal

  access-list inside_access_in note CM000260 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - dgm

  access-list inside_access_in note CM006598 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ns

  access-list inside_access_in note CM000220 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:netbios - ssn

  access-list inside_access_in note CM000223 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:tcp / 445

  inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq www log

  inside_access_in allowed extended access list tcp 172.31.254.0 255.255.255.0 any https eq connect

  inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log

  inside_access_in list extended access permit udp 172.31.254.0 255.255.255.0 connect any eq netbios-ns

  inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log

  inside_access_in list extended access permitted tcp 172.31.254.0 connect any EQ 445 255.255.255.0

  Inside_access_in access-list CM000280 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:domain

  inside_access_in list extended access permitted tcp object 172.31.254.2 any newspaper domain eq

  inside_access_in list extended access permitted udp object 172.31.254.2 any newspaper domain eq

  Inside_access_in access-list CM000220 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:catch_all

  inside_access_in list extended access permitted ip object 172.31.254.2 any newspaper

  Inside_access_in access-list CM0000086 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:SSH_internal

  inside_access_in list extended access permitted tcp 172.31.254.0 255.255.255.0 interface inside the eq ssh log

  Inside_access_in access-list CM0000011 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

  inside_access_in list extended access allow object TCPPortRange 172.31.254.0 255.255.255.0 host log 192.168.20.91

  Inside_access_in access-list CM0000012 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:FTP

  access-list extended inside_access_in permitted tcp object inside_range 1024 45000 192.168.20.91 host range eq ftp log

  Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

  inside_access_in access list extended ip 192.168.20.0 255.255.255.0 allow no matter what paper

  Inside_access_in access-list CM0000014 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:DropIP

  inside_access_in list extended access permitted ip object windowsusageVM any newspaper

  inside_access_in list of allowed ip extended access any object testCSM

  inside_access_in access list extended ip 172.31.254.0 255.255.255.0 allow no matter what paper

  Inside_access_in access-list CM0000065 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:IP

  inside_access_in list extended access permit ip host 172.31.254.2 any log

  Inside_access_in access-list CM0000658 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security

  inside_access_in list extended access permit tcp host 192.168.20.95 any log eq www

  In the "show access-list":

  access-list inside_access_in line 1 comment CM000067 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:http_access

  access-list inside_access_in line 2 Note CM000458 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:https_access

  Line note 3 access-list inside_access_in test 11111111111111111111111111 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

  4 extended access-list inside_access_in line allowed tcp host 1.1.1.1 host 192.168.20.86 eq newsletter interval 300 (hitcnt = 0) 81 0x0a 3bacc1

  line access list 5 Note CM000260 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - dgm

  line access list 6 Note CM006598 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ns

  line access list 7 Note CM000220 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:netbios - ssn

  line access list 8 Note CM000223 EXP:1/16/2014 OWN inside_access_in: IT_Security BZU:Network_Security JST:tcp / 445

  allowed to Access-list inside_access_in line 9 extended tcp 172.31.254.0 255.255.255.0 any interval information eq www journal 300 (hitcnt = 0) 0 x 06 85254 has

  allowed to Access-list inside_access_in 10 line extended tcp 172.31.254.0 255.255.255.0 any https eq log of information interval 300 (hitcnt = 0) 0 x7e7ca5a7

  allowed for line access list 11 extended udp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-dgm eq log of information interval 300 (hitcn t = 0) 0x02a111af

  allowed to Access-list inside_access_in line 12 extended udp 172.31.254.0 255.255.255.0 any netbios-ns eq log of information interval 300 (hitcnt = 0) 0 x 19244261

  allowed for line access list 13 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 any netbios-ssn eq log of information interval 300 (hitcn t = 0) 0x0dbff051

  allowed to Access-list inside_access_in line 14 extended tcp 172.31.254.0 255.255.255.0 no matter what eq 445 300 (hitcnt = 0) registration information interval 0 x 7 b798b0e

  access-list inside_access_in 15 Note CM000280 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:domain

  allowed to Access-list inside_access_in line 16 extended tcp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

  allowed to Access-list inside_access_in line 16 extended host tcp 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 0x6c416 81 b

  allowed to Access-list inside_access_in line 17 extended udp object 172.31.254.2 any interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

  allowed to Access-list inside_access_in line 17 extended udp host 172.31.254.2 all interval information journal field eq 300 (hitcnt = 0) 227 0xc53bf

  access-list inside_access_in 18 Note CM000220 EXP:1/16/2014 OWN line: IT_Security BZU:Network_Security JST:catch_all

  allowed to Access-list inside_access_in line 19 scope ip object 172.31.254.2 no matter what information recording interval 300 (hitcnt = 0) 0xd063707c

  allowed to Access-list inside_access_in line 19 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xd063707c

  access-list inside_access_in line 20 note CM0000086 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:SSH_internal

  permit for line access list extended 21 tcp 172.31.254.0 inside_access_in 255.255.255.0 interface inside the eq ssh information recording interval 300 (hitcnt = 0) 0x4951b794

  access-list inside_access_in line 22 NOTE CM0000011 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:PortRange

  permit for access list 23 inside_access_in line scope object TCPPortRange 172.31.254.0 255.255.255.0 192.168.20.91 host registration information interval 300 (hitcnt = 0) 0x441e6d68

  allowed for line access list 23 extended tcp 172.31.254.0 inside_access_in 255.255.255.0 192.168.20.91 host range ftp smtp log information interval 300 (hitcnt = 0) 0x441e6d68

  access-list inside_access_in line 24 Note CM0000012 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:FTP

  25 extended access-list inside_access_in line allowed tcp object inside_range Beach 1024 45000 host 192.168.20.91 eq ftp interval 300 0xe848acd5 newsletter

  allowed for access list 25 extended range tcp 12.89.235.2 inside_access_in line 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp interval 300 (hitcnt = 0) newsletter 0xe848acd5

  permit for access list 26 inside_access_in line scope ip 192.168.20.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xb6c1be37

  access-list inside_access_in line 27 Note CM0000014 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:DropIP

  allowed to Access-list inside_access_in line 28 scope ip object windowsusageVM no matter what information recording interval 300 (hitcnt = 0) 0 x 22170368

  allowed to Access-list inside_access_in line 28 scope ip host 172.31.254.250 any which information recording interval 300 (hitcnt = 0) 0 x 22170368

  allowed to Access-list inside_access_in line 29 scope ip testCSM any object (hitcnt = 0) 0xa3fcb334

  allowed to Access-list inside_access_in line 29 scope ip any host 255.255.255.255 (hitcnt = 0) 0xa3fcb334

  permit for access list 30 inside_access_in line scope ip 172.31.254.0 255.255.255.0 no interval 300 (hitcnt = 0) newsletter 0xe361b6ed

  access-list inside_access_in line 31 Note CM0000065 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security JST:IP

  allowed to Access-list inside_access_in line 32 scope ip host 172.31.254.2 any which information recording interval 300 (hitcnt = 0) 0xed7670e1

  access-list inside_access_in line 33 note CM0000658 EXP:1/16/2014 OWN: IT_Security BZU:Network_Security

  allowed to Access-list inside_access_in line 34 extended host tcp 192.168.20.95 any interval information eq www 300 newspapers (hitcnt = 0) 0x8d07d70b

  There is a comment in the running configuration: (line 26)

  Inside_access_in access-list CM0000088 EXP:1/16/2014 OWN Note: IT_Security BZU:Network_Security JST:PortRange

  This comment is missing in 'display the access-list '. In the access list, for all lines after this comment, the line number is more correct. This poses problems when trying to use the line number to insert a new rule.

  Everyone knows about this problem before? Is this a known issue? I am happy to provide more information if necessary.

  Thanks in advance.

  See the version:

  Cisco Adaptive Security Appliance Software Version 4,0000 1

  Version 7.1 Device Manager (3)

  Updated Friday, June 14, 12 and 11:20 by manufacturers

  System image file is "disk0: / asa844-1 - k8.bin.

  The configuration file to the startup was "startup-config '.

  fmciscoasa up to 1 hour 56 minutes

  Material: ASA5505, 512 MB RAM, 500 MHz Geode Processor

  Internal ATA Compact Flash, 128 MB

  BIOS Flash M50FW016 @ 0xfff00000, 2048KB

  Hardware encryption device: Cisco ASA-5505 Accelerator Board (revision 0 x 0)

  Start firmware: CN1000-MC-BOOT - 2.00

  SSL/IKE firmware: CNLite-MC-Smls-PLUS - 2.03

  Microcode IPSec:-CNlite-MC-IPSECm-HAND - 2.06

  Number of Accelerators: 1

  Could be linked to the following bug:

  CSCtq12090: ACL note line is missing when the object range is set to ACL

  The 8.4 fixed (6), so update to a newer version and observe again.

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni