RE: router CPU utilization on access lists? [7:75002]
So maybe permit and route to null0 in some cases? Then no unreachables are generated because there is a route?

Martijn

-Original Message-
From: Marty Adkins [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 September 2003 20:29
To: [EMAIL PROTECTED]
Subject: Re: router CPU utilization on access lists? [7:75002]

> Priscilla Oppenheimer wrote:
>> Yes, that's true indeed that access lists don't cause process switching anymore, so wouldn't show up in IP Input.
>
> Two exceptions that I failed to mention are logging and the side effect of a deny. By default, a deny causes the generation of an ICMP admin. prohibited unreachable sent to the source of the blocked packet. Since packets cannot be created in interrupt mode, process context is required. But these are rate limited to two/second by default as self protection. Plus normal traffic shouldn't result in very many denies. But you can inhibit this entirely by configuring no ip unreachables on an interface.
>
> If the matching ACE has the log keyword, then process context is required to create the log message and perform normal logging. This too is rate-limited.
>
>> Thanks for everyone's advice. It sounds like Marty has the right approach. Although access lists aren't process switched, they are generally fast switched unless the router supports some other feature (like silicon switching) or some fancy configuration like CEF or NetFlow? So, the thing to look for is a high utilization caused by interrupts (the number after the slash).
>>
>> I can't safely turn them off and test, so I think I will try to simulate the network and traffic in a lab to test my theory that they are an issue. It's a 2621 router with lots of entries in the access lists that are applied. I think it's time to offload a lot of the policy represented by the lists to a PIX firewall.
>
> You can tune the lists by letting it run for a while and then noting the match counts (show access-list). Within each grouping of permit entries, you can reorder the statements to reduce the number of entries that must be compared to reach a match. If the ACL processing is as efficient as possible but is really impacting CPU utilization, then you could enable the turbo ACL feature (access-list compiled). Unfortunately, that's still only available on higher-end platforms, from 3700s on up.
>
>> Here's a good URL on troubleshooting high CPU util, by the way: http://www.cisco.com/warp/public/63/highcpu.html
>>
>> Thanks
>>
>> Priscilla
>
> - Marty

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75233&t=75002

--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Re: router CPU utilization on access lists? [7:75002]
Elijah Savage wrote:
> I have actually been told by TAC before IP Input, for what it is worth :)

Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access lists were process switched, and thus would show up as extra time spent in 'IP Input'.

Regards,

Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75043&t=75002
Re: router CPU utilization on access lists? [7:75002]
M.C. van den Bovenkamp wrote:
> Elijah Savage wrote:
>> I have actually been told by TAC before IP Input, for what it is worth :)
>
> Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access lists were process switched, and thus would show up as extra time spent in 'IP Input'.

Yes, that's true indeed that access lists don't cause process switching anymore, so wouldn't show up in IP Input.

Thanks for everyone's advice. It sounds like Marty has the right approach. Although access lists aren't process switched, they are generally fast switched unless the router supports some other feature (like silicon switching) or some fancy configuration like CEF or NetFlow? So, the thing to look for is a high utilization caused by interrupts (the number after the slash).

I can't safely turn them off and test, so I think I will try to simulate the network and traffic in a lab to test my theory that they are an issue. It's a 2621 router with lots of entries in the access lists that are applied. I think it's time to offload a lot of the policy represented by the lists to a PIX firewall.

Here's a good URL on troubleshooting high CPU util, by the way: http://www.cisco.com/warp/public/63/highcpu.html

Thanks

Priscilla

> Regards,
>
> Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75078&t=75002
Re: router CPU utilization on access lists? [7:75002]
Priscilla Oppenheimer wrote:
> Yes, that's true indeed that access lists don't cause process switching anymore, so wouldn't show up in IP Input.

Two exceptions that I failed to mention are logging and the side effect of a deny. By default, a deny causes the generation of an ICMP admin. prohibited unreachable sent to the source of the blocked packet. Since packets cannot be created in interrupt mode, process context is required. But these are rate limited to two/second by default as self protection. Plus normal traffic shouldn't result in very many denies. But you can inhibit this entirely by configuring no ip unreachables on an interface.

If the matching ACE has the log keyword, then process context is required to create the log message and perform normal logging. This too is rate-limited.

> Thanks for everyone's advice. It sounds like Marty has the right approach. Although access lists aren't process switched, they are generally fast switched unless the router supports some other feature (like silicon switching) or some fancy configuration like CEF or NetFlow? So, the thing to look for is a high utilization caused by interrupts (the number after the slash).
>
> I can't safely turn them off and test, so I think I will try to simulate the network and traffic in a lab to test my theory that they are an issue. It's a 2621 router with lots of entries in the access lists that are applied. I think it's time to offload a lot of the policy represented by the lists to a PIX firewall.

You can tune the lists by letting it run for a while and then noting the match counts (show access-list). Within each grouping of permit entries, you can reorder the statements to reduce the number of entries that must be compared to reach a match. If the ACL processing is as efficient as possible but is really impacting CPU utilization, then you could enable the turbo ACL feature (access-list compiled). Unfortunately, that's still only available on higher-end platforms, from 3700s on up.

> Here's a good URL on troubleshooting high CPU util, by the way: http://www.cisco.com/warp/public/63/highcpu.html
>
> Thanks
>
> Priscilla

- Marty

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75095&t=75002
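Marty's tuning advice above (read the match counts from show access-list, reorder only inside a run of same-action entries, and keep an eye on the log and deny entries that pull packets into process context) is easy to automate. The Python below is an added example written for this archive, not code from the thread or from Cisco; the show access-lists output it parses is constructed, and the "(N matches)" suffix and sequence numbers follow the IOS sequenced-ACL display, so check the regex against your own platform's output before trusting it.

```python
"""Rank ACEs by hit count and flag entries that force process switching.

Added example for this archive. The `show access-lists` text below is
constructed (not from the thread); the "(N matches)" suffix and the
sequence numbers follow the IOS sequenced-ACL display format.
"""
import re
from dataclasses import dataclass

SAMPLE_SHOW_ACCESS_LISTS = """\
Extended IP access list 101
    10 permit tcp any host 192.0.2.10 eq www (1200 matches)
    20 permit tcp any host 192.0.2.11 eq smtp (48000 matches)
    30 permit udp any host 192.0.2.12 eq domain (9100 matches)
    40 deny ip 10.0.0.0 0.255.255.255 any log (35 matches)
    50 permit tcp any host 192.0.2.13 eq 443 (77000 matches)
    60 deny ip any any (12 matches)
"""

# sequence number, action, the rest of the rule, optional "(N matches)" suffix
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    rule: str
    matches: int


def parse_access_list(text):
    """Return the ACEs of a `show access-lists` listing, in display order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m is None:
            continue  # header line such as "Extended IP access list 101"
        aces.append(Ace(int(m["seq"]), m["action"], m["rule"],
                        int(m["matches"] or 0)))
    return aces


def average_comparisons(aces):
    """Mean number of ACEs evaluated per matched packet, from the counters.

    Entry i (0-based) costs i + 1 comparisons for every packet it matched.
    """
    total = sum(a.matches for a in aces)
    if total == 0:
        return 0.0
    return sum((i + 1) * a.matches for i, a in enumerate(aces)) / total


def reorder_within_groups(aces):
    """Sort by hit count inside each run of consecutive same-action entries.

    Swapping two adjacent permits (or two adjacent denies) cannot change the
    verdict for any packet, which is the safe reorder Marty describes.
    Moving an entry across a permit/deny boundary is not safe, so each run
    is sorted on its own and the runs keep their relative order.
    """
    result, run = [], []
    for ace in aces:
        if run and ace.action != run[-1].action:
            result.extend(sorted(run, key=lambda a: a.matches, reverse=True))
            run = []
        run.append(ace)
    result.extend(sorted(run, key=lambda a: a.matches, reverse=True))
    return result


def process_path_entries(aces):
    """ACEs whose hits leave the interrupt path, per the thread: the `log`
    keyword builds a syslog message in process context, and a deny generates
    an ICMP unreachable (rate limited; suppressed by `no ip unreachables`)."""
    flagged = []
    for a in aces:
        if "log" in a.rule.split():
            flagged.append((a.seq, "log keyword"))
        if a.action == "deny":
            flagged.append((a.seq, "deny -> ICMP unreachable"))
    return flagged


if __name__ == "__main__":
    before = parse_access_list(SAMPLE_SHOW_ACCESS_LISTS)
    after = reorder_within_groups(before)
    print(f"avg comparisons: {average_comparisons(before):.2f} -> "
          f"{average_comparisons(after):.2f}")
    print("suggested order:", [a.seq for a in after])
    print("process-path entries:", process_path_entries(before))
```

On the constructed listing the script moves the busy smtp entry to the top of the first permit run but leaves the 443 entry where it is, because the deny at sequence 40 sits between them; the seq 40 entry is reported twice, once for its log keyword and once as a deny.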
Re: router CPU utilization on access lists? [7:75002]
At 10:08 PM + 9/8/03, Priscilla Oppenheimer wrote:
> Maybe a dumb question, but I know you guys can help me. :-)
>
> How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu?
>
> Thanks,
>
> Priscilla

This isn't a complete answer to your question, but look at
http://www.networkcomputing.com/1004/1004ws2.html
It's a very interesting article on benchmarking access lists done at Syracuse University.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75154&t=75002
router CPU utilization on access lists? [7:75002]
Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu?

Thanks,

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75002&t=75002
Re: router CPU utilization on access lists? [7:75002]
Priscilla Oppenheimer wrote:
> Maybe a dumb question, but I know you guys can help me. :-)
>
> How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu?

You can't determine the portion due to ACL processing from any single display. You'd have to compare the result of show proc cpu with the ACL enabled and with it not enabled, for the essentially identical traffic stream.

Within the display, note the percentage of time spent in interrupt mode, as indicated by the number after the / in the five second average. Interrupt stack time is almost totally due to switching packets and associated inspection of them such as ACLs.

- Marty

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75010&t=75002
Re: router CPU utilization on access lists? [7:75002]
> What am I looking for when I do a show processes cpu?

I believe it's IP Input.

Marko.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75009&t=75002
RE: router CPU utilization on access lists? [7:75002]
Aren't interfaces with access-lists process switched? So I would imagine it would be IP Input but this is rather vague as well. Correct me if I'm wrong.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 September 2003 8:09 AM
To: [EMAIL PROTECTED]
Subject: router CPU utilization on access lists? [7:75002]

Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu?

Thanks,

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75008&t=75002
RE: router CPU utilization on access lists? [7:75002]
I have actually been told by TAC before IP Input, for what it is worth :)

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Monday, September 08, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: router CPU utilization on access lists? [7:75002]

Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu?

Thanks,

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75015&t=75002
RE: class-map, access-lists, access-groups, and policy maps [7:72661]
The VLAN200 in class-map match-all VLAN200 is just specifying the class-map-name. From the IOS docs:

  Name of the class for the class map. The class name is used for both the class map and to configure policy for the class in the policy map.

I believe you would use service-policy to attach it to a VLAN interface. You don't need match-all as you only have one match statement in the class-map.

  class-map match-all VLAN200
    match access-group 103
  policy-map VLAN200-policy
    class VLAN200
      priority percent 75
    class class-default
      fair-queue

The above should set the minimum guaranteed bandwidth (Percent: Specifies that the amount of guaranteed bandwidth will be specified by the percent of available bandwidth) IF the traffic matches ACL 103, and if it does not match then it will default to the class-default and fall into using 256 dynamic queues (assuming the interface was 512Kbps bandwidth). It's all in the IOS documentation.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE: This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-Original Message-
From: Coy, Jason (Jason) [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 19, 2003 9:58 PM
To: [EMAIL PROTECTED]
Subject: class-map, access-lists, access-groups, and policy maps [7:72643]

I have been looking for a simple explanation as to how the three relate and their dependencies. Example configuration from a show run:

  class-map match-all VLAN200
    match access-group 103

Does the above subject all VLAN200 traffic to access group 103? Is that access group associated with the access-list?

  policy-map VLAN200-policy
    class VLAN200
      priority percent 75
    class class-default
      fair-queue

What does the above do, allocate a maximum bandwidth, or set a priority queuing?

I have been looking for a good reference to QoS policies and how to determine what the router has set. Any recommendations?

Jason Coy
Field Assistance Support Team, Chicago
708-233-4274 Office
888-461-1323 Pager
708-975-4274 Cell

[GroupStudy removed an attachment of type image/gif which had a name of image001.gif]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72661&t=72661

--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
class-map, access-lists, access-groups, and policy maps [7:72643]
I have been looking for a simple explanation as to how the three relate and their dependencies. Example configuration from a show run:

  class-map match-all VLAN200
    match access-group 103

Does the above subject all VLAN200 traffic to access group 103? Is that access group associated with the access-list?

  policy-map VLAN200-policy
    class VLAN200
      priority percent 75
    class class-default
      fair-queue

What does the above do, allocate a maximum bandwidth, or set a priority queuing?

I have been looking for a good reference to QoS policies and how to determine what the router has set. Any recommendations?

Jason Coy
Field Assistance Support Team, Chicago
708-233-4274 Office
888-461-1323 Pager
708-975-4274 Cell

[GroupStudy removed an attachment of type image/gif which had a name of image001.gif]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72643&t=72643
RE: MLS and access lists [7:66464]
Hi Priscilla,

Quoting Multilayer Switching Companion Guide on p. 340...

  MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected in the IP MLS switching path automatically on the MLS-SE...the MLS-SE learns of the change through MLSP and immediately enforces security.

I believe this is the reason why you need a L3 switch to do MLS.

HTH.

Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 29, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]

With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?

With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN switching papers at CertificationZone, but am still left wondering.

Thanks for your help.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66559&t=66464
RE: MLS and access lists [7:66464]
As far as I am aware, the 1st packet in the flow has to be L3 switched. A router just does not send an enable packet back to the SE if it fails an ACL.

In terms of the telnet, FTP scenarios, I assume that the flow does not matter at the SE, cause the packet processing at the router just denies it and an MLS flow never gets created for that L4 based connection.

Hope this helps.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: 30 March 2003 00:10
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]

With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?

With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN switching papers at CertificationZone, but am still left wondering.

Thanks for your help.

Priscilla

For more information about Barclays Capital, please visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66491&t=66464
RE: MLS and access lists [7:66464]
[EMAIL PROTECTED] wrote:
> As far as I am aware, the 1st packet in the flow has to be L3 switched. A router just does not send an enable packet back to the SE if it fails an ACL.
>
> In terms of the telnet, FTP scenarios, I assume that the flow does not matter at the SE, cause the packet processing at the router just denies it and an MLS flow never gets created for that L4 based connection.

If a simple destination flow mask (the default) gets created on the SE that says how to send traffic to a host, both Telnet and FTP traffic will be sent to the host despite the access list on the router. It's a huge security hole. However, the Cisco developers thought of this, of course. (I wonder if it was an afterthought or if they realized this was a problem right away? :-)

They created more complicated flow masks:

* Destination-source flow mask to handle a standard access list or simple extended access list without L4 port numbers on the router
* Full flow mask to handle an extended access list that uses L4 port numbers

It turns out that MLSP is used by the router to signal to the SE which flow masks must be used. Thank-you Kennedy Clark and the other person who cleared that up. (Great to hear from Kennedy, author of one of the best Cisco Press books, Cisco LAN Switching. It's right up there with Doyle's books.)

The books say that MLSP flushes the MLS cache when access lists are configured or changed, or the routing table changes, but they aren't too clear that on bootup, if a router has access lists, it better tell the SE to use a more specific flow mask. I'd like to see that protocol in action?! Of course, if it's a built-in RSP, that wouldn't be possible.

Thanks everyone for replying.

Priscilla

> Hope this helps.
>
> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: 30 March 2003 00:10
> To: [EMAIL PROTECTED]
> Subject: MLS and access lists [7:66464]
>
> With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?
>
> With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.
>
> I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN switching papers at CertificationZone, but am still left wondering.
>
> Thanks for your help.
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66500&t=66464
MLS and access lists [7:66464]
With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?

With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN switching papers at CertificationZone, but am still left wondering.

Thanks for your help.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66464&t=66464
RE: MLS and access lists [7:66464]
Hi Priscilla,

Quoting Multilayer Switching Companion Guide on p. 340...

  MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected in the IP MLS switching path automatically on the MLS-SE...the MLS-SE learns of the change through MLSP and immediately enforces security.

I believe this is the reason why you need a L3 switch to do MLS.

HTH.

Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 29, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]

With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?

With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN switching papers at CertificationZone, but am still left wondering.

Thanks for your help.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66471&t=66464
RE: MLS and access lists [7:66464]
Hi Priscilla,

Your suspicion is 100% correct: the flow mask is signaled from the router (RP) to the switch (SE) via the MLSP protocol.

Take care,

Kennedy

Priscilla Oppenheimer wrote:
> With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?
>
> With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.
>
> I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN switching papers at CertificationZone, but am still left wondering.
>
> Thanks for your help.
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66469&t=66464
RE: MAC Access Lists - Canonical or NonCanonical [7:64754]
I guess this would depend on the media / interface that you are applying the ACL to? EG for TR, you would use non-canonical, and if applying the address to an ethernet interface, canonical. Presumably, inbound packets from TR pass through any inbound ACLs, then get converted to canonical and passed out the ethernet interface (or DLSW etc??)

[EMAIL PROTECTED] wrote:
> Today I read two opposite posts about the MAC address format on MAC access-list.
>
> The article on 'http://www.netmasterclass.net/site/lib.php' (article Filtering DLSW) says that one should use non canonical format.
>
> The link 'http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dtb.htm#1017750' says the opposite, one should use canonical (Ethernet) format.
>
> Any Thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64885&t=64754
MAC Access Lists - Canonical or NonCanonical [7:64754]
Today I read two opposite posts about the MAC address format on MAC access-list.

The article on 'http://www.netmasterclass.net/site/lib.php' (article Filtering DLSW) says that one should use non canonical format.

The link 'http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dtb.htm#1017750' says the opposite, one should use canonical (Ethernet) format.

Any Thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64754&t=64754
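Whichever format the platform expects, the two are the same 48-bit address with the bits of each octet in the opposite order, so a quick converter lets you check which form a given entry is in before you put it into a MAC ACL. The Python below is an added example for this archive, not code from either reference or from the poster; the sample addresses are constructed. The group-address check at the end shows the practical consequence of picking the wrong form: the multicast (I/G) flag sits in a different bit of the first octet in each format, so an entry written in the wrong order silently matches a different kind of address.

```python
"""Convert a 48-bit MAC between canonical (Ethernet, LSB-first) and
non-canonical (Token Ring, MSB-first) bit order.

Added example for this archive; the sample MACs are constructed.
"""
import re


def flip_octet(value):
    """Reverse the eight bits of one octet: 0x0c (00001100) -> 0x30 (00110000)."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"octet out of range: {value}")
    return int(f"{value:08b}"[::-1], 2)


def parse_mac(mac):
    """Accept 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def format_dotted(octets):
    """IOS style, e.g. 0000.3048.2c6a."""
    h = "".join(f"{o:02x}" for o in octets)
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def to_other_bit_order(mac):
    """Canonical -> non-canonical or back: flip every octet (an involution)."""
    return format_dotted([flip_octet(o) for o in parse_mac(mac)])


def is_group_address(mac, bit_order):
    """The I/G (multicast) flag is the first bit transmitted. In canonical
    form that is the least significant bit of the first octet; in
    non-canonical form it is the most significant bit. Testing a MAC with
    the wrong bit order therefore gives the wrong answer."""
    first = parse_mac(mac)[0]
    if bit_order == "canonical":
        return bool(first & 0x01)
    if bit_order == "non-canonical":
        return bool(first & 0x80)
    raise ValueError(f"unknown bit order: {bit_order!r}")


if __name__ == "__main__":
    for mac in ("0000.0c12.3456", "01:00:5e:00:00:01"):
        other = to_other_bit_order(mac)
        print(mac, "->", other, "->", to_other_bit_order(other))
```

Converting twice returns the original, so the same function serves both directions; an IP multicast MAC such as 01:00:5e:00:00:01 becomes 8000.7a00.0080 in non-canonical form, and the group flag moves from bit 0 to bit 7 of the first octet accordingly.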
access-lists [7:63520]
Hello all.

I'm stumped on an access-list that I need to create. What I did was I set up two routers using RIP and put loopbacks on one of them and advertised them in RIP. I then attempted to build an access-list allowing just these networks to pass into the other router. The router with the loopbacks is A, the destination is B, so I know this will be a standard access list (direction in) on router B's interface to router A.

The requirements are:

allow any packet originating from 192.17.77.0 /24
allow any packet originating from 192.17.73.0 /24
allow any packet originating from 192.81.77.0 /24
allow any packet originating from 192.81.73.0 /24
allow any packet originating from 176.17.77.0 /24
allow any packet originating from 176.17.73.0 /24
allow any packet originating from 176.81.77.0 /24
allow any packet originating from 176.81.73.0 /24

Here's what I think I can do with the 192 addresses: I can do

  permit ip 192.17.73.0 0.64.4.0

because the 64 will increase the second octet to 81, then the 4 in the third bit will increase the network to 77. Is this how I would implement this filtering policy in just two statements? The same way with the 176 networks?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63520&t=63520
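The arithmetic in the question is worth checking mechanically, because a wildcard mask is a bit mask rather than a subnet mask, and an ACE can easily match fewer (or more) addresses than intended. The Python below is an added example for this archive, not from the poster: it takes the eight /24s listed above, derives the base address and wildcard that a set of networks needs, and reports what a given permit statement really covers. It also goes one step beyond the question and shows why the 192 set and the 176 set cannot be folded into a single statement without admitting other first octets.

```python
"""Evaluate Cisco wildcard-mask ACEs against the networks in the question.

Added example. The networks are the eight /24s from the post; summarize()
is a helper written for this example, not something IOS provides.
"""
import ipaddress

# The eight source networks the ACL must permit (from the question).
REQUIRED = [f"{a}.{b}.{c}.0/24"
            for a in ("192", "176") for b in ("17", "81") for c in ("77", "73")]

MASK32 = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr, base, wildcard):
    """IOS semantics: a bit is compared only where the wildcard bit is 0."""
    care = ~_to_int(wildcard) & MASK32
    return (_to_int(addr) & care) == (_to_int(base) & care)


def matched_addresses(base, wildcard):
    """Every address 'permit ip <base> <wildcard>' matches, enumerated over
    the wildcard's free bits (so keep the wildcard small)."""
    b, w = _to_int(base), _to_int(wildcard)
    free = [bit for bit in range(32) if (w >> bit) & 1]
    fixed = b & ~w & MASK32
    out = set()
    for combo in range(1 << len(free)):
        v = fixed
        for i, bit in enumerate(free):
            if (combo >> i) & 1:
                v |= 1 << bit
        out.add(ipaddress.IPv4Address(v))
    return out


def summarize(networks):
    """Smallest single (base, wildcard) pair that matches all of `networks`.
    Bits that differ between the networks, plus all host bits, become 1s
    in the wildcard; the base keeps the bits the networks share."""
    nets = [ipaddress.ip_network(n) for n in networks]
    ints = [int(n.network_address) for n in nets]
    base, wildcard = ints[0], 0
    for n, v in zip(nets, ints):
        base &= v
        wildcard |= v ^ ints[0]
        wildcard |= int(n.hostmask)
    return (str(ipaddress.IPv4Address(base)),
            str(ipaddress.IPv4Address(wildcard)))


def coverage(base, wildcard, required=REQUIRED):
    """Which required /24s the ACE covers completely, and how many matched
    addresses fall outside every required network (the leak)."""
    matched = matched_addresses(base, wildcard)
    nets = [ipaddress.ip_network(n) for n in required]
    fully = [str(n) for n in nets if all(a in matched for a in n)]
    leaked = sum(1 for a in matched if not any(a in n for n in nets))
    return fully, leaked


if __name__ == "__main__":
    # The mask proposed in the question fixes the last octet at 0, so it
    # matches only the .0 address of each of the four 192.x networks.
    print(coverage("192.17.73.0", "0.64.4.0"))
    # With the host bits wildcarded, one statement covers the four 192.x nets.
    print(summarize(REQUIRED[:4]), coverage("192.17.73.0", "0.64.4.255"))
    # One statement for all eight admits six other first octets as well.
    print(summarize(REQUIRED), coverage(*summarize(REQUIRED)))
```

Wildcard 0.64.4.0 leaves the fourth octet fixed at 0, so it permits only the network address of each of the four subnets; 0.64.4.255 is the form that covers their hosts, and a second statement with base 176.17.73.0 and the same wildcard covers the other four. Collapsing all eight into one statement needs 112 in the first octet of the wildcard (192 and 176 differ in three bits), which also matches first octets 128, 144, 160, 208, 224 and 240.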
RE: applying PIX access-lists [7:61033]
You can use PDM (the web-based GUI of the Cisco PIX). It looks like the Checkpoint GUI. You can insert lines between other statements, change NAT definitions, monitor system resources, etc. It is very useful.

Ozan Akdemir

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61267t=61033
applying PIX access-lists [7:61033]
I am new to PIX and have a simple question. What methods do you (PIX admins) use to change and apply access-lists? Unlike IOS access-lists, it seems you can remove statements from the middle of the list. When you do this, does the change occur immediately or do you have to reapply the access-group? Do you need to do clear xlate after changing access-lists? How about the following scenario: I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add

access-list from-internet permit ip any host 10.10.10.2

before access-list from-internet permit ip any host 10.10.10.4. What is the best way to do this? I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands. Is this the standard way of making changes, or do you more experienced admins have a better way? I'm migrating from a Checkpoint environment, so this wasn't an issue when administering them. How about this for a good question: why aren't the access-lists on the PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and easy to work with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61033t=61033
RE: applying PIX access-lists [7:61033]
Sam, I used to copy my list out to Notepad and add the new line. Do a 'no access-list from-internet', then cut and paste the new one back in. Keep in mind this will briefly leave you with no access list on that interface. Then re-enter the 'access-group from-internet in interface outside' command, as it will remove it when you do the no access-list command. You can also use subnet masks if you have a group of IPs; for example, adding 10.10.10.0/29 would grant access to hosts 10.10.10.1 - 7. Someone here also posted a good link to some new features that are available in 6.2 that might be useful: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Kris.

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61037t=61033
RE: applying PIX access-lists [7:61033]
Why don't you try removing the line you want it to be below (as well as the deny ip any any at the end), then put in the new line, the next line(s) and the deny line? i.e.

no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling but it gets you there ;) Is there any reason other than numerical order that the 10.10.10.2 line needs to be above the 10.10.10.2 line, since they're all permits anyway? Also, for my own interest, is the deny ip any any required? I was of the impression that everything was closed until you opened it, which means there should already be an implicit deny ip any any.. ?

Em

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61060t=61033
Re: applying PIX access-lists [7:61033]
The deny statement is there implicitly, but if you put it in as well, when you do a show access-list command you will see the statistics of how many times it was hit. As far as your suggestion goes, it may not work as well if you have over 100 access-lists and you need to put one in, let's say, 8th spot.

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61062t=61033
RE: applying PIX access-lists [7:61033]
Nope, wouldn't work well in that situation, but if you're only talking a few entries then it's not a problem. Also, in that sort of situation, if you wanted to put a deny before a permit (where order really does matter other than aesthetically), you remove the line permitting the traffic, add the deny, then put in the permit again and you're back to where you were. The most you'd have to re-add after that would be a deny ip any any :)

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: applying PIX access-lists [7:61033]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61070t=61033
Re: applying PIX access-lists [7:61033]
Sam, you can do it 2 ways, i.e. CLI based and GUI based (PDM). If you are using PDM, you just insert/add the rule. CLI based:

1.
access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

2.
no access-group from-internet in interface outside
access-group from-internet2 in interface outside

3. clear xlate

Hope this can help you.

Regards,
Sugianto Sho

From: Sam Sneed (sent by nobody@groupstudy.com), 01/14/2003 11:58 PM
Subject: applying PIX access-lists [7:61033]
Please respond to Sam Sneed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61071t=61033
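The thread proposes three ways of getting 10.10.10.2 into the list, and two of them go through a state where the outside interface has no list bound. The following is an added example (not code from the thread or from Cisco): it models a named access-list with first-match evaluation and an implicit deny, plus the access-group binding, and replays Emilia's delete-and-re-add sequence, Kris's clear-and-paste sequence and Sugianto's second-list-plus-swap sequence, recording after every command what three probe flows would get. What a PIX actually does with an unbound interface is not modelled; that state is simply reported as "unbound". The probe source 198.51.100.7 is a constructed documentation address, and only the `any` and `host X` address forms used in the thread are parsed.

```python
"""Ordered first-match access-list simulation for the PIX editing thread above.

Added example, not code from the thread or from Cisco. It models a named
access-list with an implicit deny at the end and an access-group binding, then
replays the three edit sequences proposed in the thread to show, after every
command, what three probe flows would get and how many steps leave the
interface with no list bound at all ("unbound"; real PIX behaviour for that
state is not modelled). 198.51.100.7 is a constructed documentation address.
"""
from dataclasses import dataclass, field


def parse_entry(tokens):
    """('permit'|'deny', src, dst) from tokens 'NAME permit ip any host 10.10.10.1'.

    Only the 'any' and 'host X' address forms used in the thread are supported.
    """
    action, rest, ends = tokens[1], tokens[3:], []     # tokens[2] is the protocol ('ip')
    while rest:
        if rest[0] == "host":
            ends.append(rest[1]); rest = rest[2:]
        else:
            ends.append(rest[0]); rest = rest[1:]
    return (action, ends[0], ends[1])


def first_match(entries, src, dst):
    """Walk the list top-down; the first matching entry decides, else implicit deny."""
    for action, esrc, edst in entries:
        if esrc in ("any", src) and edst in ("any", dst):
            return action
    return "deny"


@dataclass
class Pix:
    lists: dict = field(default_factory=dict)   # list name -> ordered entries
    bound: dict = field(default_factory=dict)   # interface -> list name

    def apply(self, cmd):
        tok = cmd.split()
        negate = tok[0] == "no"
        tok = tok[1:] if negate else tok
        if tok[0] == "access-list":
            name = tok[1]
            if negate and len(tok) == 2:         # 'no access-list NAME' drops the whole list
                self.lists.pop(name, None)       # and, as Kris observed, its access-group binding
                self.bound = {i: n for i, n in self.bound.items() if n != name}
            elif negate:
                self.lists[name].remove(parse_entry(tok[1:]))
            else:
                self.lists.setdefault(name, []).append(parse_entry(tok[1:]))
        elif tok[0] == "access-group":           # access-group NAME in interface IFACE
            name, iface = tok[1], tok[4]
            if negate:
                self.bound.pop(iface, None)
            else:
                self.bound[iface] = name
        else:
            raise ValueError(f"unsupported command: {cmd}")

    def decide(self, iface, src, dst):
        name = self.bound.get(iface)
        return "unbound" if name is None else first_match(self.lists.get(name, []), src, dst)


def full_list(name):
    """The finished list from the thread: permits for .1 .2 .4 .5, then an explicit deny."""
    return [f"access-list {name} permit ip any host 10.10.10.{h}" for h in (1, 2, 4, 5)] + \
           [f"access-list {name} deny ip any any"]


BASE = [                                        # Sam's starting configuration
    "access-list from-internet permit ip any host 10.10.10.1",
    "access-list from-internet permit ip any host 10.10.10.4",
    "access-list from-internet permit ip any host 10.10.10.5",
    "access-list from-internet deny ip any any",
    "access-group from-internet in interface outside",
]
SHUFFLE = [                                     # Emilia: delete from the insertion point down, re-add in order
    "no access-list from-internet permit ip any host 10.10.10.4",
    "no access-list from-internet permit ip any host 10.10.10.5",
    "no access-list from-internet deny ip any any",
] + full_list("from-internet")[1:]
REPLACE = ["no access-list from-internet"] + full_list("from-internet") + \
          ["access-group from-internet in interface outside"]          # Kris: clear list, paste, rebind
SWAP = full_list("from-internet2") + ["no access-group from-internet in interface outside",
                                      "access-group from-internet2 in interface outside"]  # Sugianto

# Constructed probe flows: the host being added, an already-permitted host, a host that must stay closed.
PROBES = [("198.51.100.7", "10.10.10.2"), ("198.51.100.7", "10.10.10.4"), ("198.51.100.7", "10.10.10.9")]


def replay(edits):
    """Apply BASE then each edit, recording the probe decisions after every command."""
    pix = Pix()
    for cmd in BASE:
        pix.apply(cmd)
    trace = []
    for cmd in edits:
        pix.apply(cmd)
        trace.append((cmd, tuple(pix.decide("outside", s, d) for s, d in PROBES)))
    return trace


def unbound_steps(trace):
    """How many commands left the outside interface with no access-list bound."""
    return sum(1 for _, decisions in trace if "unbound" in decisions)


if __name__ == "__main__":
    for label, edits in (("shuffle", SHUFFLE), ("replace", REPLACE), ("swap", SWAP)):
        trace = replay(edits)
        print(f"{label}: final {trace[-1][1]}, unbound steps {unbound_steps(trace)}")
        for cmd, decisions in trace:
            print("   ", decisions, "<-", cmd)
```

All three sequences end in the same state (10.10.10.2 and 10.10.10.4 permitted, 10.10.10.9 denied). The shuffle never unbinds the list and, because only permits are removed along the way, never opens anything the final list does not allow; the clear-and-paste sequence leaves the interface unbound for six commands, the second-list swap for one. Emilia's later point about deny-before-permit is also visible in first_match: swapping the order of a deny and a permit that both match a flow flips the decision, whereas the relative order of two permits does not.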
Re: access lists + static routing [7:58543]
n_guide_chapter09186a00800d9816.html This would be helpful. I found it by searching for the key words 'configuring access lists'.

Geert Loonbeek wrote in message news:[EMAIL PROTECTED]... Hello, I'm looking for a good and free-of-charge study guide on access lists / static routing. I'd like to take the 640-607 Cisco CCNA exam. Is there anybody who has some info on these topics? Thanks, Geert

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58549t=58543
Re: Re: access lists + static routing [7:58543]
Guys, a reminder: you cannot begin a post to the mail list with a URL. Type a line of text first, then paste the URL. The filters are designed to look for a URL at the top of the post, to filter out spam.

BJ

---Original Message---
From: Charlie
Sent: 12/04/02 10:24 AM
To: [EMAIL PROTECTED]
Subject: Re: access lists + static routing [7:58543]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58550t=58543
Re: Re: access lists + static routing [7:58543]
Thanks, I understand now! Here it is: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9816.html

B.J. Wilson wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58553t=58543
Re: Clearing access lists counters [7:57241]
I tried this also and it did not work. Here is what I did:

R5-2503#clear ip access-list count
R5-2503#show access-lists abc
Extended IP access list abc
    Dynamic test permit ip any any
    permit ip host 10.10.110.16 any (38 matches) (time left 134)
    permit tcp any host 10.10.110.3 eq telnet
R5-2503#

Tim Metz wrote in message news:200211120457.EAA20795;groupstudy.com...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57325t=57241
Re: Clearing access lists counters [7:57241]
Worked for me on 12.2(12a):

clear ip access-list counters

- Original Message -
From: John Tafasi
Sent: Tuesday, November 12, 2002 5:22 PM
Subject: Re: Clearing access lists counters [7:57241]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57334t=57241
Clearing access lists counters [7:57241]
Can someone tell me how to clear access-list counters? I tried to use the command clear access-list counters but it did not work. Please see the output of the show command below.

R5-2503#show access-lis abc
Extended IP access list abc
    Dynamic test permit ip any any
    permit ip any any (158 matches)
    permit tcp any host 10.10.110.3 eq telnet
R5-2503#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57241t=57241
Re: Clearing access lists counters [7:57241]
Restart the router.

-- Curious MCSE, CCNP

John Tafasi wrote in message news:20022125.VAA01591;groupstudy.com...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57247t=57241
Re: Clearing access lists counters [7:57241]
Although that should have worked, try clear ip access-list counter as well. I just tested this on a 3662 and both commands worked (IOS 12.1).

Tim

John Tafasi wrote in message news:20022125.VAA01591;groupstudy.com...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57271t=57241
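When the counters cannot be cleared on a given IOS release, two captures of show access-lists taken before and after a test window give the same information. The following is an added example (not code from the thread or from Cisco): a parser for the output format pasted in the thread (list header, one entry per line, optional "(N matches)" and "(time left N)" suffixes) with helpers that list entries with no hits and compute per-entry counter deltas between two captures. SHOW_BEFORE is the output John posted; SHOW_AFTER is a constructed later capture of the same list with the counters advanced.

```python
"""Parser for 'show access-lists' output, for the counter-clearing thread above.

Added example, not code from the thread or from Cisco. It reads the pasted
output format (list header, one entry per line, optional '(N matches)' and
'(time left N)' suffixes) and reports per-entry hit counts, so a snapshot taken
before and after a test window gives the same information as clearing the
counters would. SHOW_BEFORE is the output John posted; SHOW_AFTER is a
constructed later capture of the same list with the counters advanced.
"""
import re

HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (?P<name>\S+)\s*$")
ENTRY_RE = re.compile(
    r"^\s*(?:Dynamic\s+(?P<dyn>\S+)\s+)?(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"\s*(?:\((?P<matches>\d+) matches\))?\s*(?:\(time left (?P<ttl>\d+)\))?\s*$"
)

SHOW_BEFORE = """\
R5-2503#show access-lis abc
Extended IP access list abc
    Dynamic test permit ip any any
    permit ip any any (158 matches)
    permit tcp any host 10.10.110.3 eq telnet
R5-2503#
"""

SHOW_AFTER = """\
R5-2503#show access-lists abc
Extended IP access list abc
    Dynamic test permit ip any any
    permit ip any any (212 matches)
    permit tcp any host 10.10.110.3 eq telnet (5 matches)
R5-2503#
"""


def parse_show_access_lists(text):
    """{list name: [entry dict, ...]} in the order the router printed them."""
    lists, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = lists.setdefault(header.group("name"), [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:          # prompt lines and other noise are skipped
            current.append({
                "dynamic": entry.group("dyn"),      # template name for a lock-and-key entry, else None
                "text": f"{entry.group('action')} {entry.group('rule')}",
                "matches": int(entry.group("matches") or 0),
                "time_left": int(entry.group("ttl")) if entry.group("ttl") else None,
            })
    return lists


def zero_hit_entries(lists):
    """(list, entry text) pairs with no matches since the counters were last cleared.

    Dynamic templates are excluded: they never count hits themselves.
    """
    return [(name, e["text"]) for name, entries in lists.items()
            for e in entries if e["matches"] == 0 and e["dynamic"] is None]


def counter_delta(before_text, after_text):
    """Per-entry increase in matches between two captures, aligned by position.

    An entry whose text differs between the captures (for example a temporary
    entry created by a dynamic list) gets None instead of a number.
    """
    before, after = parse_show_access_lists(before_text), parse_show_access_lists(after_text)
    deltas = {}
    for name in after:
        pairs = zip(before.get(name, []), after[name])
        deltas[name] = [(a["text"], a["matches"] - b["matches"] if a["text"] == b["text"] else None)
                        for b, a in pairs]
    return deltas


if __name__ == "__main__":
    print(zero_hit_entries(parse_show_access_lists(SHOW_BEFORE)))
    print(counter_delta(SHOW_BEFORE, SHOW_AFTER))
```

Aligning by position rather than by text is deliberate: the dynamic template line and the temporary entry it creates both read "permit ip any any" in John's output, so text alone would not tell them apart, while a temporary entry that changes between captures is reported as None rather than as a misleading number.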
Re: Messing up Access Lists [7:54268]
I have 5 subnets:

172.29.10.x/24 in the U.S.
192.168.100.x/24 in the U.S. (I would like to eliminate the 192.x.x.x subnet as it is mostly redundant, machines multihomed.)
172.29.20.x/24 in Mexico
172.29.30.x/24 in Europe
172.29.40.x/24 in Mexico

The Europe office has a 1720 router and an E1 connection. The U.S. has a 2621 and a T1 connection. Europe needs to pull email and files from servers in the U.S., but the connection is terribly, terribly slow. At present I have them VPN out to the internet and into our VPN that way. I would like them to VPN or connect directly through internal subnets. Once that is fixed, the learning experience should allow me to tweak the Mexico routes. The Europe sh int is as follows:

sh int
Ethernet0 is up, line protocol is up
  Hardware is PQUICC Ethernet, address is 0004.dd0b.dcbf (bia 0004.dd0b.dcbf)
  Description: connected to Internet
  Internet address is 217.117.229.138/29
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     778610 packets input, 355003767 bytes, 0 no buffer
     Received 2967 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     676292 packets output, 134749411 bytes, 0 underruns(0/0/0)
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0002.1761.7d8a (bia 0002.1761.7d8a)
  Description: connected to EthernetLAN_1
  Internet address is 172.29.30.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of show interface counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     683511 packets input, 104715200 bytes
     Received 10511 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     800932 packets output, 317811070 bytes, 0 underruns(63/415/0)
     165 output errors, 478 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

sc-ams-rtr-01>enable
Password:
sc-ams-rtr-01#sh config
Using 2357 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log datetime localtime
no service password-encryption
!
hostname sc-ams-rtr-01
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password
!
memory-size iomem 25
clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip name-server 217.117.224.93
ip name-server 217.117.224.94
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key address x.171.120.11
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
no crypto engine accelerator
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer x.171.120.11
 set transform-set cm-transformset-1
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 172.29.30.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 172.29.0.0
 no auto-summary
!
ip nat inside source list 101 interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 217.117.229.137
ip route 172.29.10.0 255.255.255.0
Messing up Access Lists [7:54268]
I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of the far router three times, folks over there are getting weary of my mistakes ;-) I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter is physically the same devices multihomed as 192.168.100.0/24. I realize my NAT is messed up and I'm wrapping my head around the literature pulled from Cisco (led to by links provided by you generous folks). Looks like I also need to look in depth at access lists. I'm taking baby steps but am slowly making progress. Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54268t=54268
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Messing up Access Lists [7:54268]
CTM,
First of all, in my experience, writing down exactly what you want to do really helps. It gives you a visual map of what you want to go through and what you don't. Second of all (now correct me if I'm wrong) you want all deny statements at the end. That's how I've done it anyways. After you've figured out all of that, it's just a simple rewording of the access list. You may also want to keep in mind that where you place the access list matters (ie if it's an in or out access group).
-Nate

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]
[quoted original post snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54273t=54268
Re: Messing up Access Lists [7:54268]
You don't always want to put the deny at the end. For example, if you want to deny just one subnet, but permit everything else, putting the permit any statement at the beginning would allow the subnet you intended to deny. I know, a lot of permitting and denying going on in that sentence. :)

Nathan Nakao wrote:
[quoted reply and original post snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54274t=54268
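The first-match rule the reply above describes, run against the NAT access list from the original post, as an added example in Python (not code from the thread). It assumes only the plain numbered-ACL syntax quoted in the post; the sample flows (192.168.100.20 to a 172.29.30.x host across the VPN, and to the constructed Internet address 198.51.100.9) are made up here. For a list referenced by ip nat inside source list, a permit means "translate this packet" and a deny means "leave its source address alone", so the deny for VPN-bound traffic only works while it sits above the permit any. The block also flags entries that can never fire because an earlier entry already covers them, which is what "deny at the end" produces for this list.

```python
"""First-match evaluation of numbered IOS-style access lists.

Added example, not from the original thread. Parses the plain
"access-list N permit|deny ip SRC WC DST WC" syntax quoted in the post and
applies the rule IOS uses: the first matching entry decides, and an implicit
"deny ip any any" sits at the end of every list.
"""
import ipaddress
import re

# NAT-exemption list copied from the original post (list 101 is the one
# referenced by "ip nat inside source list 101 ... overload").
ACL_FROM_POST = """
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""

ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|host\s+\S+|\S+\s+\S+)\s+(any|host\s+\S+|\S+\s+\S+)\s*$"
)


def _target(token):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' -> (base, wildcard) as ints."""
    if token == "any":
        return 0, 0xFFFFFFFF
    parts = token.split()
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    return int(ipaddress.IPv4Address(parts[0])), int(ipaddress.IPv4Address(parts[1]))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (int(ipaddress.IPv4Address(addr)) & ~wildcard) == (base & ~wildcard)


def parse_acl(text):
    """{list_number: [(action, (src, wc), (dst, wc)), ...]} in configuration order."""
    lists = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported line: %r" % line)
        num, action, src, dst = m.groups()
        lists.setdefault(int(num), []).append((action, _target(src), _target(dst)))
    return lists


def evaluate(entries, src, dst):
    """Walk top-down; return (action, index) of the first hit, or ('deny', None)."""
    for i, (action, (sb, sw), (db, dw)) in enumerate(entries):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, i
    return "deny", None  # the implicit deny ip any any


def covers(outer, inner):
    """True when every address matched by `inner` is also matched by `outer`."""
    (ob, ow), (ib, iw) = outer, inner
    return (ow | iw) == ow and (ob & ~ow) == (ib & ~ow)


def shadowed(entries):
    """Indexes of entries that can never fire because an earlier entry covers them."""
    dead = []
    for j, (_, sj, dj) in enumerate(entries):
        if any(covers(si, sj) and covers(di, dj) for _, si, di in entries[:j]):
            dead.append(j)
    return dead


def demo():
    """The post's list as written, then with the deny moved to the end.

    192.168.100.20 is a host from the post; 198.51.100.9 is a constructed
    Internet destination used only for illustration.
    """
    acl = parse_acl(ACL_FROM_POST)[101]
    vpn = evaluate(acl, "192.168.100.20", "172.29.30.5")          # deny -> not NATed
    internet = evaluate(acl, "192.168.100.20", "198.51.100.9")    # permit -> NATed
    deny_last = acl[1:] + acl[:1]
    broken = evaluate(deny_last, "192.168.100.20", "172.29.30.5")  # now NATed
    return vpn, internet, broken, shadowed(deny_last)


if __name__ == "__main__":
    print(demo())
```

With the list as posted, VPN-bound traffic hits the deny (index 0) and is left untranslated while Internet-bound traffic is permitted (index 1); after moving the deny to the end, the same VPN flow is permitted by the former "permit ... any" line and shadowed() reports the deny as unreachable.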
RE: Messing up Access Lists [7:54268]
I sent you some comments on this last Fri. First look up the reload in xx min command. There is a way to have the router reboot in a given time interval unless you rescind the command. So if you lock yourself out of the router it reboots and restores the startup config which allows you back in. If your changes are not fatal then cancel the reload command. Then do a copy run start.
My guess is that you are killing your VPN by removing the access list at the far end. You are most likely telnetting to that router from your local PC. Its traffic traverses the VPN. Instead bring up a console connection on your local router and telnet to the remote router. That won't use the VPN. I don't see an access list that would block that connection.
There is an issue if you have statically NATed addresses. People out on the Internet can reach your local servers but folks on the far end of the VPN cannot. There is a solution on CCO. Last time I looked you had to start on the Documentation page and work towards it. The solution is not on the 707? page. I don't have time to look it up. Sort of goes like:

interface Loopback0
 ip address 2.2.2.1 255.255.255.0
interface FastEthernet0 (This is the interface where your servers are located.)
 ip route-cache policy
 ip policy route-map StaticNAT
ip access-list extended StaticNAT
 remark Allows statically mapped NAT addresses through IPSec tunnel
 permit ip host 192.168.250.19 172.16.1.0 0.0.0.255 (USE YOUR OWN IP ADDRESSES)
route-map StaticNAT permit 10
 match ip address StaticNAT
 set ip next-hop 2.2.2.2 (Note the address is not the address of the loopback.)

To use a basketball analogy - a direct pass won't work because a blocker is in the way. Instead use a bounce pass.

-----Original Message-----
From: CTM CTM [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]
[quoted original post snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54275t=54268
RE: Messing up Access Lists [7:54268]
Hi,
You did indeed send me comments, and most appreciated. You even bailed me out when I misapplied the advice, and again much appreciated. I'm taking baby steps with the wisdom offered, and seem to get deeper than intended, ultimately confused, then reach out for a breather. Thanks, as always, for your generous help, I will digest the latest.

Daniel Cotts wrote:
[quoted reply and original post snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54277t=54268
Re: Messing up Access Lists [7:54268]
How about posting the complete config with a brief explanation? We don't need the passwords or the actual IP addresses.

CTM CTM wrote:
[quoted replies and original post snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54294t=54268
expanded range access lists? [7:53859]
Hey Spongebob fans -
I've noticed a couple of new access-list ranges (1300-1999 and 2000-2699), which may not be all that new, but they're ones I've never encountered before. After a cursory search on CCO, I can't find any documentation that really explains what they really do. Anyone have any insight?
Thanks,
Patrick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53859t=53859
Re: expanded range access lists? [7:53859]
B.J. Wilson wrote:
> Hey Spongebob fans - I've noticed a couple of new access-list ranges (1300-1999 and
CL: works precisely the same way as access-lists 1-99
> 2000-2699), which may not be all that new, but they're ones I've never
CL: works precisely the same way as access-list 100-199
> encountered before. After a cursory search on CCO, I can't find any documentation that really explains what they really do.
CL:
Router_7(config)#access-list ?
  1-99       IP standard access list
  100-199    IP extended access list
  1300-1999  IP standard access list (expanded range)
  2000-2699  IP extended access list (expanded range)
  ( a few omitted )
CL: there are cases, particularly in complex enterprises and service provider environments, where more access-lists are required for various reasons. QoS, VPN, NAT, various security settings, customer requirements or commitments, etc.
> Anyone have any insight?
> Thanks,
> Patrick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53861t=53859
Re: expanded range access lists? [7:53859]
Man, I certainly wouldn't want to troubleshoot a problem on a router with 800 extended IP access lists! I would suggest a redesign. :-)
Priscilla

Chuck's Long Road wrote:
[quoted reply snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53883t=53859
Re: expanded range access lists? [7:53859]
Priscilla Oppenheimer wrote:
> Man, I certainly wouldn't want to troubleshoot a problem on a router with 800 extended IP access lists! I would suggest a redesign. :-)
CL: certainly goes a long way towards explaining the attitudes of your ISP service desk ;-
> Priscilla
[earlier quoted replies snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53885t=53859
Re: How many committed access rate policies with access-lists [7:45840]
Once in a project, I was using CAR on a 7200 with 5 Fast Ethernet sub-interfaces. I was using various access-lists (all of them were Extended). CAR was limiting both Receiving and Transmitting (SEND) traffic. With no NPEs or additional modules installed, the CPU time went to 40-50% in peak times. The total BW was about 4 Mbps.
HTH
Hamid

Cisco Breaker wrote:
[quoted question snipped; see "How many committed access rate policies with access-lists can [7:45655]" below]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45840t=45840
How many committed access rate policies with access-lists can [7:45655]
Hi all,
My questions are regarding CAR aka rate-limit. I have used rate-limit with access-lists but I never wondered how many policies I can create with access-lists. How many committed access rate policies with access-lists can be applied to an interface? Documentation says 100 policies (can be either access-list or other type as I understand) to a subinterface, not to an interface. Is it limited to the standard or extended access-list number limit of 99? Can I use 99 standard access lists and 99 extended access lists and apply each one of them to a different (200) CAR policy? Or am I limited to 100 policies only as stated? Also, if I can use 200 policies, how much CPU utilization could I see on a 3600 or 7200? Documentation only states that it would be a significant impact to use extended access-lists with CAR. I would really appreciate it if anyone answers these questions.
Best regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45655t=45655
Help with extended access lists [7:40904]
Hello, wondered if anyone can explain. I have extended access lists working fine. I have a few blocks of IP addresses I want to add to the list and they are not all consecutive. What I want to do is use the minimum entry to cover each block, i.e. say I had several like this: 192.168.1.10 to 15 etc etc. I want to make a single entry for every consecutive block. I do not own the whole range or subnet. Can I do something like this:

access-list 101 permit tcp 192.168.1.10 0.0.0.6 host 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In the above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to 15)... have I understood this right? I do not want to match the whole subnet with 0.0.0.255 but that is the only other example I have seen.
Many thanks
Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40904t=40904
Re: Help with extended access lists [7:40904]
Hi,
The one which you mentioned is not the right one. A simple technique to get the inverse mask is as follows:
1. From your example, let's say you want to aggregate 192.168.1.10 to 192.168.1.15. First of all aggregate these addresses and find the summarized mask. The summarized mask in this case is 192.168.1.8/29 (ie 255.255.255.248)
2. To get the inverse mask subtract 255.255.255.248 from 255.255.255.255 which comes out 0.0.0.7
3. The result is 192.168.1.8 0.0.0.7
Kind Regards
/Thangavel
--
CCIE (qual), CCS, CCDP, CCNP, MCSE
186K Reading, Berkshire
www.186k.co.uk
--
The greatest glory in living lies not in never falling, but in rising every time we fall. -- Nelson Mandela

r Paul wrote (09/04/2002 10:12), Subject: Help with extended access lists [7:40904]:
[quoted question snipped; see above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40905t=40904
Re: Help with extended access lists [7:40904]
Thangavel
What a great method - Thank you
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40907t=40904
RE: Help with extended access lists [7:40904]
Paul,

You need to understand the wildcard format for access-lists. The best way to do this is to convert your IP addresses to binary.

The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15

We can quickly see that the first three octets are the same, so let's concentrate on the fourth. Range is:

10 : 1010
11 : 1011
12 : 1100
13 : 1101
14 : 1110
15 : 1111

As you can see, the left five bits stay the same, so you have to tell the access-list not to care about the right three bits. In a wildcard mask, the 0's represent that the bit value MUST be as specified, and the 1's represent that it doesn't care about the bit value. So we must create a wildcard for the fourth octet that looks like this:

0111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0

Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for range 10-15, let's take those five bits (1) and fill zeros to the right (000): 1000, or 8. That's the value we want to use for the fourth octet in the IP address. And the access-list would look like this:

access-list 110 permit tcp 192.168.1.8 0.0.0.7

The only problem with this is that it will also allow .8 and .9, so if you wish to deny those two addresses, you must do some more math:

.8 = 1000
.9 = 1001

As you can see, the only bit that changes is the right one, so if you do a wildcard octet of:

0001

you can test for that. Let's correct our access-list statements:

access-list 110 deny tcp 192.168.1.8 0.0.0.1 ..
access-list 110 permit tcp 192.168.1.8 0.0.0.7 ..

As you can see, it's a little tricky to calculate, but once you have it down, it can be almost a fun little task to do. The best thing to do in the beginning is to write the whole address range down in binary and look at the bits. That way you can see which ones change, and which ones stay the same.

Sometimes you can cut a lot of statements down by looking at the pattern and creating some good wildcard masks, but that is both good and bad. It is good because it makes the access-list filter faster, but it's bad because it can be hard to read the next time you need to reconfigure something.

Hth,

Ole

~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~
http://www.RouterChief.com
~
Need a Job?
http://www.OleDrews.com/job
~

-----Original Message-----
From: r Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 3:12 AM
To: [EMAIL PROTECTED]
Subject: Help with extended access lists [7:40904]

> Hello
>
> Wondered if anyone can explain. I have extended access lists working fine. I have a few blocks of IP addresses I want to add to the list and they are not all consecutive. What I want to do is use the minimum entry to cover each block. i.e. Say I had several like this
>
> 192.168.1.10 to 15 etc etc
>
> I want to make a single entry for every consecutive block. I do not own the whole range or subnet. Can I do something like this:
>
> access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www
>
> What I am wanting to clarify is if I have the wildcard bit right. In the above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to 15)... have I understood this right? I do not want to match the whole subnet with 0.0.0.255 but that is the only other example I have seen.
>
> Many thanks
> Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40913t=40904
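Ole's bit-level reasoning above, carried through in code. This is an added Python example, not from the thread: `wildcard_blocks`, `matched_addresses` and `permitted` are names chosen here, and the entries model only the address part of an ACE (no protocol or port). It also goes a step beyond the post: `wildcard_blocks` splits any range into the fewest exactly-covering base/wildcard pairs, which expresses Paul's 10-15 range as two permit entries without the extra deny, and `matched_addresses` shows what Paul's 0.0.0.6 mask would really have matched.

```python
"""Turn an address range into wildcard-mask entries, and check what a mask matches."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: 0 bits must equal the base, 1 bits are don't-care."""
    keep = ~to_int(wildcard) & ALL_ONES
    return to_int(addr) & keep == to_int(base) & keep


def matched_addresses(base: str, wildcard: str) -> List[str]:
    """Enumerate every address a base/wildcard pair matches (small masks only).
    Works for non-contiguous masks too, which is what exposes the 0.0.0.6 mistake."""
    b, wc = to_int(base), to_int(wildcard)
    free_bits = [1 << i for i in range(32) if wc >> i & 1]
    out = []
    for combo in range(1 << len(free_bits)):
        a = b & ~wc & ALL_ONES          # fixed bits come from the base
        for i, bit in enumerate(free_bits):
            if combo >> i & 1:          # each don't-care bit takes both values
                a |= bit
        out.append(a)
    return [to_str(a) for a in sorted(out)]


def wildcard_blocks(first: str, last: str) -> List[Tuple[str, str]]:
    """Greedy decomposition of first..last into the fewest aligned base/wildcard
    pairs that cover exactly that range (the same split used for CIDR ranges)."""
    lo, hi = to_int(first), to_int(last)
    blocks = []
    while lo <= hi:
        size = 1
        # Double the block while it stays aligned to its size and inside the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((to_str(lo), to_str(size - 1)))
        lo += size
    return blocks


def permitted(entries: List[Tuple[str, str, str]], first: str, last: str) -> List[str]:
    """Apply (action, base, wildcard) entries in order, first match wins, implicit
    deny at the end; return the addresses in first..last that come out permitted."""
    result = []
    for n in range(to_int(first), to_int(last) + 1):
        addr = to_str(n)
        action = "deny"
        for act, base, wc in entries:
            if matches(addr, base, wc):
                action = act
                break
        if action == "permit":
            result.append(addr)
    return result


# Paul's range and the two ways of expressing it discussed above.
FIRST, LAST = "192.168.1.10", "192.168.1.15"
OLE_ENTRIES = [("deny", "192.168.1.8", "0.0.0.1"),     # knock out .8 and .9 ...
               ("permit", "192.168.1.8", "0.0.0.7")]   # ... then permit .8 to .15
EXACT_ENTRIES = [("permit", b, w) for b, w in wildcard_blocks(FIRST, LAST)]

if __name__ == "__main__":
    print(matched_addresses("192.168.1.10", "0.0.0.6"))   # what Paul's mask really hits
    print(wildcard_blocks(FIRST, LAST))
    print(permitted(OLE_ENTRIES, "192.168.1.0", "192.168.1.31"))
    print(permitted(EXACT_ENTRIES, "192.168.1.0", "192.168.1.31"))
```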
Access Lists for 3500 Switch [7:40350]
Can someone tell me the command sequence on a Cisco 3500 switch to set up an ACL?

Thanks all.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40350t=40350
RE: Access Lists for 3500 Switch [7:40350]
> Can someone tell me the command sequence on a Cisco 3500 switch to set up an ACL?

It's just like a router:

ACCESS-LIST 1 permit x.x.x.x

Then you can apply it to your line interface:

line vty 0 15
 access-class 1 in

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40357t=40350
Re: Access Lists are a bit mystifying [7:36164]
Yes, that does make sense. Thanx for the detailed reply. I did finally use the following:

conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq
deny tcp any any eq 139
permit ip any any
int ethernet0/0
ip access-group secure2 out
ip access-group secure2 in
exit
wr

Thanx again,
Anil Gupte

----- Original Message -----
From: Tom Petzold
To: Anil Gupte ;
Sent: Friday, February 22, 2002 11:35 AM
Subject: RE: Access Lists are a bit mystifying [7:36164]

> Remember the OSI model. IP can have multiple higher level protocols running over it. So IP uses protocol numbers to identify the higher level protocol that it should send the data to. If you do a "deny ?" on a router you will see all the different protocols (eigrp, gre, icmp, ospf, pim, tcp, udp). Once the IP layer passes the packet up to the transport layer, the layer 4 protocol has to know which application to send the data to. So the TCP protocol will send traffic on port 80 to the web server and traffic to port 25 to the smtp server.
>
> Layer 7 - Application
> Layer 6 - Presentation
> Layer 5 - Session
> Layer 4 - Transport
> Layer 3 - Network
> Layer 2 - Datalink
> Layer 1 - Physical
>
> The first line will not work. IP is the layer 3 protocol; tcp, udp, icmp, etc. are layer 4 protocols. So while tcp and udp have port numbers, ip doesn't. If I want to deny http traffic I must deny tcp port 80 because http uses TCP port 80. The same holds true for UDP. If I wanted to deny snmp traffic I would deny UDP port 161.
>
> If you set the last line to permit tcp any any it would allow any tcp based traffic, but because there is a specific deny all at the end of all access-lists, you would deny udp, icmp, eigrp, ospf, etc. The permit ip any any says allow all layer 4 ip protocols.
>
> Does this make sense?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anil Gupte
> Sent: Thursday, February 21, 2002 11:24 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Access Lists are a bit mystifying [7:36164]
>
>> Actually my question was not clear, I think. My confusion is with the IP vs. TCP. In other words should it not be something like:
>>
>> deny ip any any eq 139
>> permit ip any any
>>
>> Why deny TCP and permit IP as opposed to deny IP and permit IP?
>>
>> Also, the purpose of these is that I am trying to block some suspicious activity on those ports (I think someone may be running an illegal IRC server on that port).
>>
>> Thanx for the reply (and the kid gloves). :-)
>> Anil Gupte
>>
>> ----- Original Message -----
>> From: Scott Nawalaniec
>> To: 'Anil Gupte' ;
>> Sent: Thursday, February 21, 2002 10:17 PM
>> Subject: RE: Access Lists are a bit mystifying [7:36164]
>>
>>> Hi Anil,
>>>
>>> Sometimes it's scary posting to this group. =)
>>>
>>> To answer your question, if you don't have the permit IP any any command, there is an implicit deny rule at the end of an access-list, which will drop all traffic that you have not allowed through the access-list. The other two deny statements are dropping netbios port 139 and something that uses port .
>>>
>>> Hope this helps.
>>>
>>> Scott
>>>
>>> -----Original Message-----
>>> From: Anil Gupte [mailto:[EMAIL PROTECTED]]
>>> Sent: Thursday, February 21, 2002 7:59 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: Access Lists are a bit mystifying [7:36164]
>>>
>>>> Hi All!
>>>>
>>>> I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p)
>>>>
>>>> In the access list below:
>>>>
>>>> **
>>>> conf t
>>>> int ethernet0/0
>>>> no ip access-list extended secure2
>>>> ip access-list extended secure2
>>>> deny tcp any any eq
>>>> deny tcp any any eq 139
>>>> permit ip any any
>>>> int ethernet0/0
>>>> ip access-group secure2 out
>>>> ip access-group secure2 in
>>>> exit
>>>> wr
>>>> **
>>>>
>>>> Why is it that you need to deny TCP and permit IP? Or did I not do this right?
>>>>
>>>> Thanx,
>>>> Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36397t=36164
RE: Access Lists are a bit mystifying [7:36164]
Remember the OSI model. IP can have multiple higher level protocols running over it. So IP uses protocol numbers to identify the higher level protocol that it should send the data to. If you do a "deny ?" on a router you will see all the different protocols (eigrp, gre, icmp, ospf, pim, tcp, udp). Once the IP layer passes the packet up to the transport layer, the layer 4 protocol has to know which application to send the data to. So the TCP protocol will send traffic on port 80 to the web server and traffic to port 25 to the smtp server.

Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport

> Hi Anil,
>
> Sometimes it's scary posting to this group. =)
>
> To answer your question, if you don't have the permit IP any any command, there is an implicit deny rule at the end of an access-list, which will drop all traffic that you have not allowed through the access-list. The other two deny statements are dropping netbios port 139 and something that uses port .
>
> Hope this helps.
>
> Scott
>
> -----Original Message-----
> From: Anil Gupte [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 21, 2002 7:59 PM
> To: [EMAIL PROTECTED]
> Subject: Access Lists are a bit mystifying [7:36164]
>
>> Hi All!
>>
>> I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p)
>>
>> In the access list below:
>>
>> **
>> conf t
>> int ethernet0/0
>> no ip access-list extended secure2
>> ip access-list extended secure2
>> deny tcp any any eq
>> deny tcp any any eq 139
>> permit ip any any
>> int ethernet0/0
>> ip access-group secure2 out
>> ip access-group secure2 in
>> exit
>> wr
>> **
>>
>> Why is it that you need to deny TCP and permit IP? Or did I not do this right?
>>
>> Thanx,
>> Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36233t=36164
simple access-lists question [7:36240]
Why is this simple task beating me? I have a router with 2 eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something?

access-list 101 permit 80 any any
access-list 101 permit 21 any any
access-list 101 permit 23 any any
access-list 101 permit 53 any any
access-list 101 permit icmp any any

ip access-group 101 out (on ethernet of lab side)

TIA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36240t=36240
Re: simple access-lists question [7:36240]
I believe you need something like

access-list 101 permit tcp any any eq www

You have something that permits IP protocol numbers I think. Like 6 is tcp, 17 is udp, 9 is igrp, etc.. etc...

--
RFC 1149 Compliant.

NetEng wrote in message news:[EMAIL PROTECTED]...
> Why is this simple task beating me? I have a router with 2 eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something?
>
> access-list 101 permit 80 any any
> access-list 101 permit 21 any any
> access-list 101 permit 23 any any
> access-list 101 permit 53 any any
> access-list 101 permit icmp any any
>
> ip access-group 101 out (on ethernet of lab side)
>
> TIA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36241t=36240
Re: simple access-lists question [7:36240]
Hey, are you ever going to upgrade to RFC 2549 compliance? If you haven't already, you're behind the times by about three years! :-)

John

Steven A. Ridder 2/22/02 11:43:33 AM
> I believe you need something like
>
> access-list 101 permit tcp any any eq www
>
> You have something that permits IP protocol numbers I think. Like 6 is tcp, 17 is udp, 9 is igrp, etc.. etc...
>
> --
> RFC 1149 Compliant.
>
> NetEng wrote in message news:[EMAIL PROTECTED]...
>> Why is this simple task beating me? I have a router with 2 eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something?
>>
>> access-list 101 permit 80 any any
>> access-list 101 permit 21 any any
>> access-list 101 permit 23 any any
>> access-list 101 permit 53 any any
>> access-list 101 permit icmp any any
>>
>> ip access-group 101 out (on ethernet of lab side)
>>
>> TIA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36250t=36240
RE: simple access-lists question [7:36240]
Your syntax is wrong. You are permitting IP protocols 80, 21, 23 and 53 - NOT ports 80, 21, 23 and 53. The correct syntax would be:

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq domain
access-list 101 permit icmp any any

Hth,

Ole

~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~
http://www.RouterChief.com
~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~

-----Original Message-----
From: NetEng [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: simple access-lists question [7:36240]

> Why is this simple task beating me? I have a router with 2 eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something?
>
> access-list 101 permit 80 any any
> access-list 101 permit 21 any any
> access-list 101 permit 23 any any
> access-list 101 permit 53 any any
> access-list 101 permit icmp any any
>
> ip access-group 101 out (on ethernet of lab side)
>
> TIA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36251t=36240
Re: simple access-lists question [7:36240]
Not enough customers have asked for that feature yet. :)

Was RFC 1149 the precursor to wireless?

John Neiberger wrote in message news:[EMAIL PROTECTED]...
> Hey, are you ever going to upgrade to RFC 2549 compliance? If you haven't already, you're behind the times by about three years! :-)
>
> John
>
> Steven A. Ridder 2/22/02 11:43:33 AM
>> I believe you need something like
>>
>> access-list 101 permit tcp any any eq www
>>
>> You have something that permits IP protocol numbers I think. Like 6 is tcp, 17 is udp, 9 is igrp, etc.. etc...
>>
>> --
>> RFC 1149 Compliant.
>>
>> NetEng wrote in message news:[EMAIL PROTECTED]...
>>> Why is this simple task beating me? I have a router with 2 eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something?
>>>
>>> access-list 101 permit 80 any any
>>> access-list 101 permit 21 any any
>>> access-list 101 permit 23 any any
>>> access-list 101 permit 53 any any
>>> access-list 101 permit icmp any any
>>>
>>> ip access-group 101 out (on ethernet of lab side)
>>>
>>> TIA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36275t=36240
Access Lists are a bit mystifying [7:36164]
Hi All!

I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p)

In the access list below:

**
conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq
deny tcp any any eq 139
permit ip any any
int ethernet0/0
ip access-group secure2 out
ip access-group secure2 in
exit
wr
**

Why is it that you need to deny TCP and permit IP? Or did I not do this right?

Thanx,
Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36164t=36164
RE: Access Lists are a bit mystifying [7:36164]
Hi Anil,

Sometimes it's scary posting to this group. =)

To answer your question, if you don't have the permit IP any any command, there is an implicit deny rule at the end of an access-list, which will drop all traffic that you have not allowed through the access-list. The other two deny statements are dropping netbios port 139 and something that uses port .

Hope this helps.

Scott

-----Original Message-----
From: Anil Gupte [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 7:59 PM
To: [EMAIL PROTECTED]
Subject: Access Lists are a bit mystifying [7:36164]

> Hi All!
>
> I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p)
>
> In the access list below:
>
> **
> conf t
> int ethernet0/0
> no ip access-list extended secure2
> ip access-list extended secure2
> deny tcp any any eq
> deny tcp any any eq 139
> permit ip any any
> int ethernet0/0
> ip access-group secure2 out
> ip access-group secure2 in
> exit
> wr
> **
>
> Why is it that you need to deny TCP and permit IP? Or did I not do this right?
>
> Thanx,
> Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36167t=36164
Re: Access Lists are a bit mystifying [7:36164]
Actually my question was not clear, I think. My confusion is with the IP vs. TCP. In other words should it not be something like:

deny ip any any eq 139
permit ip any any

Why deny TCP and permit IP as opposed to deny IP and permit IP?

Also, the purpose of these is that I am trying to block some suspicious activity on those ports (I think someone may be running an illegal IRC server on that port).

Thanx for the reply (and the kid gloves). :-)
Anil Gupte

----- Original Message -----
From: Scott Nawalaniec
To: 'Anil Gupte' ;
Sent: Thursday, February 21, 2002 10:17 PM
Subject: RE: Access Lists are a bit mystifying [7:36164]

> Hi Anil,
>
> Sometimes it's scary posting to this group. =)
>
> To answer your question, if you don't have the permit IP any any command, there is an implicit deny rule at the end of an access-list, which will drop all traffic that you have not allowed through the access-list. The other two deny statements are dropping netbios port 139 and something that uses port .
>
> Hope this helps.
>
> Scott
>
> -----Original Message-----
> From: Anil Gupte [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 21, 2002 7:59 PM
> To: [EMAIL PROTECTED]
> Subject: Access Lists are a bit mystifying [7:36164]
>
>> Hi All!
>>
>> I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p)
>>
>> In the access list below:
>>
>> **
>> conf t
>> int ethernet0/0
>> no ip access-list extended secure2
>> ip access-list extended secure2
>> deny tcp any any eq
>> deny tcp any any eq 139
>> permit ip any any
>> int ethernet0/0
>> ip access-group secure2 out
>> ip access-group secure2 in
>> exit
>> wr
>> **
>>
>> Why is it that you need to deny TCP and permit IP? Or did I not do this right?
>>
>> Thanx,
>> Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36168t=36164
Re: Access Lists are a bit mystifying [7:36164]
The key is to know which header the list statement is being applied to. Ports (source and destination) are a part of a TCP header or a UDP header. They are a means of identifying the application that is being multiplexed at the Transport Layer. IP headers do not have ports--they have source and destination addresses (logical addresses, of course--not physical).

Look here-- http://www.rfc-editor.org/cgi-bin/rfcsearch.pl

RFC791 is IP and has that lovely ASCII art header in paragraph 3.1. For TCP, the number is RFC793, also paragraph 3.1. UDP is RFC768--surprise! the header is right at the beginning.

HTH

Annlee

Anil Gupte wrote in message news:[EMAIL PROTECTED]...
> Actually my question was not clear, I think. My confusion is with the IP vs. TCP. In other words should it not be something like:
>
> deny ip any any eq 139
> permit ip any any
>
> Why deny TCP and permit IP as opposed to deny IP and permit IP?
>
> Also, the purpose of these is that I am trying to block some suspicious activity on those ports (I think someone may be running an illegal IRC server on that port).
>
> Thanx for the reply (and the kid gloves). :-)
> Anil Gupte
>
> ----- Original Message -----
> From: Scott Nawalaniec
> To: 'Anil Gupte' ;
> Sent: Thursday, February 21, 2002 10:17 PM
> Subject: RE: Access Lists are a bit mystifying [7:36164]
>
>> Hi Anil,
>>
>> Sometimes it's scary posting to this group. =)
>>
>> To answer your question, if you don't have the permit IP any any command, there is an implicit deny rule at the end of an access-list, which will drop all traffic that you have not allowed through the access-list. The other two deny statements are dropping netbios port 139 and something that uses port .
>>
>> Hope this helps.
>>
>> Scott
>>
>> -----Original Message-----
>> From: Anil Gupte [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, February 21, 2002 7:59 PM
>> To: [EMAIL PROTECTED]
>> Subject: Access Lists are a bit mystifying [7:36164]
>>
>>> Hi All!
>>>
>>> I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p)
>>>
>>> In the access list below:
>>>
>>> **
>>> conf t
>>> int ethernet0/0
>>> no ip access-list extended secure2
>>> ip access-list extended secure2
>>> deny tcp any any eq
>>> deny tcp any any eq 139
>>> permit ip any any
>>> int ethernet0/0
>>> ip access-group secure2 out
>>> ip access-group secure2 in
>>> exit
>>> wr
>>> **
>>>
>>> Why is it that you need to deny TCP and permit IP? Or did I not do this right?
>>>
>>> Thanx,
>>> Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36169t=36164
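The two mistakes discussed in the threads above, checked in code: NetEng's "permit 80 any any" (a bare number in the protocol position is an IP protocol number, not a port, as Steven and Ole explain) and Anil's "deny ip any any eq 139" (ports live in the TCP/UDP header, so "ip" cannot take one, as Tom and Annlee explain). This is an added Python example, not code from any post; it models only the ACE syntax used in these threads (destination "eq" port only, a small assumed subset of IOS keywords), the packets are constructed, and SECURE2 leaves out the entry whose port number is missing from the page.

```python
"""Evaluate Cisco-style extended ACL entries against constructed packets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed subset of the keyword tables IOS accepts (real IOS knows many more).
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
PORT_NAMES = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # protocol number from the IP header
    dport: Optional[int] = None  # destination port; only tcp/udp carry one


@dataclass(frozen=True)
class Entry:
    action: str
    proto: Optional[int]         # None means 'ip': any layer-4 protocol
    src: Tuple[int, int]         # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]


def _addr_spec(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' or 'ADDRESS WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_entry(line: str) -> Entry:
    """Parse '[access-list N] permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, word = tokens.pop(0), tokens.pop(0)
    if word in PROTO_NUMBERS:
        proto = PROTO_NUMBERS[word]
    elif word.isdigit():
        proto = int(word)        # a bare number here is an IP protocol, not a port
    else:
        raise ValueError(f"unknown protocol {word!r}")
    src, dst, dport = _addr_spec(tokens), _addr_spec(tokens), None
    if tokens:
        if tokens[0] != "eq" or len(tokens) != 2:
            raise ValueError(f"unsupported qualifier {' '.join(tokens)!r}")
        if proto not in (6, 17):  # ports exist only in the TCP/UDP header
            raise ValueError("port qualifier is only valid with tcp or udp")
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Entry(action, proto, src, dst, dport)


def is_valid_entry(line: str) -> bool:
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def _addr_matches(addr: str, spec: Tuple[int, int]) -> bool:
    base, wc = spec
    keep = ~wc & 0xFFFFFFFF      # 0 bits in the wildcard must equal the base
    return int(ipaddress.IPv4Address(addr)) & keep == base & keep


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto is not None and e.proto != p.proto:
        return False
    if not (_addr_matches(p.src, e.src) and _addr_matches(p.dst, e.dst)):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[str], p: Packet) -> str:
    """First matching entry decides; every ACL ends in an implicit deny."""
    for line in acl:
        e = parse_entry(line)
        if entry_matches(e, p):
            return e.action
    return "deny"


# Lists quoted from the threads above, and constructed packets to run them on.
NETENG_LIST = ["access-list 101 permit 80 any any", "access-list 101 permit 21 any any",
               "access-list 101 permit 23 any any", "access-list 101 permit 53 any any",
               "access-list 101 permit icmp any any"]
OLE_LIST = ["access-list 101 permit tcp any any eq www", "access-list 101 permit tcp any any eq telnet",
            "access-list 101 permit tcp any any eq ftp", "access-list 101 permit tcp any any eq domain",
            "access-list 101 permit icmp any any"]
SECURE2 = ["deny tcp any any eq 139", "permit ip any any"]

WEB = Packet("192.0.2.10", "198.51.100.80", proto=6, dport=80)
PROTO_80 = Packet("192.0.2.10", "198.51.100.80", proto=80)   # IP protocol 80, no ports
NETBIOS_TCP = Packet("192.0.2.10", "198.51.100.5", proto=6, dport=139)
NETBIOS_UDP = Packet("192.0.2.10", "198.51.100.5", proto=17, dport=139)

if __name__ == "__main__":
    print(evaluate(NETENG_LIST, WEB), evaluate(OLE_LIST, WEB))             # deny permit
    print(evaluate(SECURE2, NETBIOS_TCP), evaluate(SECURE2, NETBIOS_UDP))  # deny permit
    print(is_valid_entry("deny ip any any eq 139"))                        # False
```

The UDP case shows why Tom's last paragraph matters: "deny tcp ... eq 139" leaves UDP 139 untouched, and "permit ip any any" then lets it through.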
Access Lists [7:34023]
I'm looking to buy a book on Access lists. Any recommendations?

TIA
Tim Fermanis
GCCS System Administrator

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34023t=34023
Re: Access Lists [7:34023]
Cisco IOS Access Lists by Jeff Sedayao
Published by O'Reilly
ISBN 1-56592-385-5

HTH

Dom Stocqueler

Fermanis Tim G Contr USAFE CSS/SCOG
Sent by: [EMAIL PROTECTED]
01/02/2002 09:25
Please respond to Fermanis Tim G Contr USAFE CSS/SCOG

To: [EMAIL PROTECTED]
cc:

> I'm looking to buy a book on Access lists. Any recommendations?
>
> TIA
> Tim Fermanis
> GCCS System Administrator

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34026t=34023
Re: Access Lists [7:34023]
Tim,

I found that most books are not nearly as good as the Cisco website. On CCO, I have so far always been able to find much more info than any book can give me, including configuration examples and various scenarios. It takes a little more effort, but I am almost convinced that you can get much more detailed info on this from the web than from any book.

Regards,
Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34059t=34023
Re: Access Lists [7:34023]
Tim,

IMHO, you can't go wrong with Cisco Access Lists by Gil Held and Kent Hundley, ISBN 0072123354. This is one of the few books I keep close by.

Kevin

Fermanis Tim G Contr USAFE CSS/SCOG wrote in message news:[EMAIL PROTECTED]...
> I'm looking to buy a book on Access lists. Any recommendations?
>
> TIA
> Tim Fermanis
> GCCS System Administrator

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34075t=34023
RE: Access Lists [7:34023]
That's one of my favorites as well. It's well written and detailed, and most importantly concise.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of kevhed
Sent: Friday, February 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Access Lists [7:34023]

> Tim,
>
> IMHO, you can't go wrong with Cisco Access Lists by Gil Held and Kent Hundley, ISBN 0072123354. This is one of the few books I keep close by.
>
> Kevin
>
> Fermanis Tim G Contr USAFE CSS/SCOG wrote in message news:[EMAIL PROTECTED]...
>> I'm looking to buy a book on Access lists. Any recommendations?
>>
>> TIA
>> Tim Fermanis
>> GCCS System Administrator

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34093t=34023
Extended ipx access lists [7:31720]
Hi all,

I have a lab with a hub and spoke network; r1 is the hub and r2, r3, r4 are the spokes. IPX eigrp is running on the frame cloud and IPX rip on the edge. I am trying to make sure that only network 100 at r1 is advertised to r2 and not to the remaining routers r3 and r4. Can someone help me with the syntax for the access-lists as it's driving me mad.

The network is addressed in the wan as follows:

r1 serial 0.0.1 = 110.1.1.1
r2 serial 0/0 = 110.2.2.2
r3 serial 0/0 = 110.3.3.3
r4 serial 0/0 = 110.4.4.4

I have tried the following acls but without success:

access-list 905 permit any 100 eigrp 110.0002.0002.0002
access-list 906 permit any 100 eigrp 110.0002.0002.0002 F.000f.000f.000f
access-list 907 permit any 100 eigrp 110.0002.0002.0002 0...

What am I doing wrong, chaps?

Many thanks in advance
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31720t=31720
RE: Access Lists [7:28927]
Are your people dialing in having to go through your company proxy server to get to the internet? If so, they're probably talking with the proxy server, which no doubt would have an internal address and be let through by that access list.

Which interface are you applying this access-list to? In which direction (in/out)?

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28961t=28927
Access Lists [7:28927]
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like:

access-list 110 permit ip 165.5.0.0 0.0.255.255 any
access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Thanks.
Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28927t=28927
Re: Access Lists [7:28927]
Is 165.5.x.x the range of your internal network or the range of addresses that your dial-in users are assigned to? This list says that any packet whose source address is 165.5.x.x can be destined for anywhere. If you want to restrict which subnets they can get to, make some more lines specifying your internal subnets.

Not to insult, but don't forget to apply it to an interface.

From: J. Johnson
Reply-To: J. Johnson
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]
Date: Wed, 12 Dec 2001 14:24:16 -0500

> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like:
>
> access-list 110 permit ip 165.5.0.0 0.0.255.255 any
> access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?
>
> Thanks.
> Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28940t=28927
RE: Access Lists [7:28927]
Jill,

How did you apply the list? To what interface? In which direction?

Timothy Estes
NA,DA

-----Original Message-----
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like:
>
> access-list 110 permit ip 165.5.0.0 0.0.255.255 any
> access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?
>
> Thanks.
> Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28972t=28927
RE: Access Lists [7:28927]
On what interface(s) is that ACL applied? The way you've written it, the ACL permits IP traffic with a source address of 165.5.x.x, and the second (unnecessary) line denies all other traffic. If that ACL is applied on the interfaces that your users dial into, then it won't accomplish much. If you're trying to filter based on destination IP address, then the first line should be written

access-list 110 permit ip any 165.5.0.0 0.0.0.255

hth,
Hal

-----Original Message-----
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like:
>
> access-list 110 permit ip 165.5.0.0 0.0.255.255 any
> access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?
>
> Thanks.
> Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28949t=28927
Re: Access Lists [7:28927]
You probably have to provide more information.

1. Are your users dialing into a router (access server) or through a RAS card on a computer system?

2. If the answer to question 1 is through a router, then is the router also the router that connects to the internet, or do you have another gateway router?

3. Then the interfaces to which you apply the access-list also count, so say more on the interfaces you have on your router and the ones you applied the access-list on, and again in which direction (in or out)?

Regards

----- Original Message -----
From: J. Johnson
To:
Sent: Wednesday, December 12, 2001 11:24 AM
Subject: Access Lists [7:28927]

> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like:
>
> access-list 110 permit ip 165.5.0.0 0.0.255.255 any
> access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?
>
> Thanks.
> Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28967t=28927
Re: Access Lists [7:28927]
You don't give much info. What addresses are you handing out via your pool? Where are you applying the access-list?

When I had done something similar a long time ago, employees and faculty had total access, customers limited. I set up two access-lists, and the access lists were applied to the user via authentication on a TACACS server. I think this is what you want to do. You can also use Radius; TACACS is free, you only need a UNIX hac.

Dave

J. Johnson wrote:
> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like:
>
> access-list 110 permit ip 165.5.0.0 0.0.255.255 any
> access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?
>
> Thanks.
> Jill

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28947t=28927
RE: Access Lists [7:28927]
On what interface(s) is that ACL applied? The way you've written it, the ACL permits IP traffic with a source address of 165.5.x.x, and the second (unnecessary) line denies all other traffic. If that ACL is applied on the interfaces that your users dial into, then it won't accomplish much. If you're trying to filter based on destination IP address, then the first line should be written

  access-list 110 permit ip any 165.5.0.0 0.0.0.255

hth,
Hal

-----Original Message-----
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

> This is what my access list looks like:
>
>   access-list 110 permit ip 165.5.0.0 0.0.255.255 any
>   access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28949t=28927
RE: Access Lists [7:28927]
Yes. You are allowing anyone coming from 165.5.0.0 to go anywhere and denying from anywhere to anywhere. Not knowing your IP structure, I would say:

  access-list 110 permit ip x.x.x.0 0.0.0.255 165.5.0.0 0.0.255.255
  access-list 110 deny ip any any

where x.x.x.0 0.0.0.255 is the IP range assigned to dial-in and 165.5.0.0 0.0.255.255 is the IP range of your internal network.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. Johnson
Sent: Wednesday, December 12, 2001 1:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

> This is what my access list looks like:
>
>   access-list 110 permit ip 165.5.0.0 0.0.255.255 any
>   access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28987t=28927
RE: Access Lists [7:28927]
Jill,

Your acl says allow any source IP from 165.5.0.0 to access any destination IP address. This is probably not what you want. You probably want to allow any IP address to access anything in the 165.5.0.0 address range (assuming that 165.5.0.0 is your internal network). Your acl should be:

  access-list 110 permit ip any 165.5.0.0 0.0.255.255

You don't need the deny ip any any at the end; it is implied.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of J. Johnson
Sent: Wednesday, December 12, 2001 11:24 AM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]

> This is what my access list looks like:
>
>   access-list 110 permit ip 165.5.0.0 0.0.255.255 any
>   access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list. Can you see anything wrong?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28996t=28927
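The point Hal and Kent make above (Jill's list matches on the source address, so a dial-in user whose pool address falls inside 165.5.0.0/16 is permitted to go anywhere, while the rewritten list matches on the destination) can be checked offline with a small evaluator of Cisco extended ACL entries. This is an added example, not code from the thread or from Cisco: it implements wildcard-mask matching and first-match evaluation with the implicit deny at the end. The dial-in pool 165.5.200.0/24, the packet addresses and the third "pool to internal" list are assumptions for the demonstration; the thread never states the pool range.

```python
"""Cisco IOS extended-ACL evaluator (added example, not from the thread).

Models wildcard masks (a 1 bit in the mask means "don't care") and first-match
evaluation with the implicit 'deny ip any any' at the end, then runs Jill's
source-based list, Kent's destination-based rewrite and a pool-to-internal
variant against constructed packets. The dial-in pool 165.5.200.0/24 and all
addresses are assumptions, not from the thread.
"""
import ipaddress
from typing import Dict, List, Tuple

Ace = Tuple[str, str, str, str, str]   # action, src, src_wildcard, dst, dst_wildcard


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC DST' where SRC/DST is 'any',
    'host A.B.C.D' or 'A.B.C.D W.W.W.W' (protocol 'ip' only, no ports)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    fields: List[str] = []
    i = 4
    for _ in range(2):                      # source, then destination
        if tok[i] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]
            i += 1
        elif tok[i] == "host":
            fields += [tok[i + 1], "0.0.0.0"]
            i += 2
        else:
            fields += [tok[i], tok[i + 1]]
            i += 2
    return (tok[2], fields[0], fields[1], fields[2], fields[3])


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """First matching entry wins; a packet that matches nothing is denied."""
    for line in acl:
        action, s, swc, d, dwc = parse_ace(line)
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"                           # the implicit deny ip any any


# The list as posted: it filters on SOURCE, so anything from 165.5.x.x goes anywhere.
JILL = ["access-list 110 permit ip 165.5.0.0 0.0.255.255 any",
        "access-list 110 deny ip any any"]
# Kent's rewrite: filters on DESTINATION; the trailing deny is left implicit.
KENT = ["access-list 110 permit ip any 165.5.0.0 0.0.255.255"]
# Pool-to-internal variant with an assumed /24 dial-in pool.
POOL = ["access-list 110 permit ip 165.5.200.0 0.0.0.255 165.5.0.0 0.0.255.255"]

# Constructed packets from a dial-in user whose pool address lies inside 165.5/16.
TO_INTERNAL = ("165.5.200.7", "165.5.10.25")
TO_INTERNET = ("165.5.200.7", "198.51.100.80")


def verdicts() -> Dict[str, str]:
    """Verdict of each list for both packets, keyed '<list>/<destination>'."""
    out: Dict[str, str] = {}
    for name, acl in (("jill", JILL), ("kent", KENT), ("pool", POOL)):
        out[name + "/internal"] = evaluate(acl, *TO_INTERNAL)
        out[name + "/internet"] = evaluate(acl, *TO_INTERNET)
    return out


if __name__ == "__main__":
    for key, verdict in verdicts().items():
        print(f"{key:14} {verdict}")
```

Running it shows "jill/internet permit" (the symptom Jill reported) against "kent/internet deny" and "pool/internet deny"; the pool variant additionally stops a non-pool source on the same interface from reaching the internal range, which is the difference between filtering on source only and on the pair. On the router itself the same check is `show access-list 110` after some traffic: the match counters tell you which entry the dial-in packets are actually hitting.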
Re: PIX conduit access lists [7:26684]
As long as you initiate it. There are ActiveX filters and other filters you can enable on the PIX to block most malicious web server traffic. In any type of NAT it will allow inside users full access to the internet unless blocked or unsupported by NAT.

Allen

----- Original Message -----
From: Steve Alston
Sent: Thursday, November 29, 2001 3:59 PM
Subject: Re: PIX conduit access lists [7:26684]

> Thanks again Allen,
>
> Does that mean the responses to my outbound requests are allowed in by default? For example, my request for a web page is allowed through the firewall. Would the page in response to that request be allowed through the firewall?
>
> Steve

Message Posted at: http://www.groupstudy.com/form/re
Re: PIX conduit access lists [7:26684]
Thanks again Allen,

Does that mean the responses to my outbound requests are allowed in by default? For example, my request for a web page is allowed through the firewall. Would the page in response to that request be allowed through the firewall?

Steve

Allen May wrote in message news:[EMAIL PROTECTED]...
> NAT or internal servers with real IP addresses using NAT 0 can access anything until you block it. Outbound requests (such as http, ftp, etc.) are all enabled by default. Users outside the firewall cannot access internal IPs without access-list or conduit statements. In short, all outbound enabled and all inbound disabled by default.
>
> For your conduit permit icmp any any I would enable echo reply only rather than full icmp. Echo reply only allows replies back to the person pinging or tracerouting. Full icmp can be exploited in DoS attacks. Example:
>
>   access-list 10 permit icmp any any echo-reply
>   access-group 10 in interface outside
>
> (apply one to interface inside for outbound)
>
> Allen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27737t=26684
Re: PIX conduit access lists [7:26684]
Patrick, Allen,

Thanks for the responses -- helps loads. I'm still slightly confused. I did a clear conduit expecting to block all incoming traffic. Following the clear conduit, I did a show conduit to verify there were not any conduits in operation. At that time, I was still able to receive web traffic at my workstation. For that matter, the conduit statements only applied to specific servers, so why am I able to receive http at my workstation?

I did try to PING an IP address, which failed when I removed the conduits and worked when I restored conduit permit icmp any any -- that behaved as expected.

Thanks,
Steve

Allen May wrote in message news:[EMAIL PROTECTED]...
> Very true and a good point, but the original question was about conduits, which only apply to lower-higher. Higher-lower requires NAT. I accidentally typed access-list below but meant conduit. ;) *slap self, get more coffee*. It still applies but wasn't what I meant to say. Thanks for pointing that out though.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27588t=26684
Re: PIX conduit access lists [7:26684]
NAT or internal servers with real IP addresses using NAT 0 can access anything until you block it. Outbound requests (such as http, ftp, etc.) are all enabled by default. Users outside the firewall cannot access internal IPs without access-list or conduit statements. In short, all outbound enabled and all inbound disabled by default.

For your conduit permit icmp any any I would enable echo reply only rather than full icmp. Echo reply only allows replies back to the person pinging or tracerouting. Full icmp can be exploited in DoS attacks. Example:

  access-list 10 permit icmp any any echo-reply
  access-group 10 in interface outside

(apply one to interface inside for outbound)

Allen

----- Original Message -----
From: Steve Alston
Sent: Wednesday, November 28, 2001 4:08 PM
Subject: Re: PIX conduit access lists [7:26684]

> Patrick, Allen,
>
> Thanks for the responses -- helps loads. I'm still slightly confused. I did a clear conduit expecting to block all incoming traffic. Following the clear conduit, I did a show conduit to verify there were not any conduits in operation. At that time, I was still able to receive web traffic at my workstation. For that matter, the conduit statements only applied to specific servers, so why am I able to receive http at my workstation?
>
> I did try to PING an IP address, which failed when I removed the conduits and worked when I restored conduit permit icmp any any -- that behaved as expected.
>
> Thanks,
> Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27642t=26684
Re: PIX conduit access lists [7:26684]
Very true and a good point, but the original question was about conduits, which only apply to lower-higher. Higher-lower requires NAT. I accidentally typed access-list below but meant conduit. ;) *slap self, get more coffee*. It still applies but wasn't what I meant to say. Thanks for pointing that out though.

----- Original Message -----
From: Patrick W. Bass
Sent: Sunday, November 25, 2001 10:14 PM
Subject: Re: PIX conduit access lists [7:26684]

> Allen May wrote in message news:[EMAIL PROTECTED]...
>> I'm not sure if this was answered or not, but a firewall always assumes a deny all at the end of the access-list for inbound. Outbound is different since it allows all by default. Remember this: Higher security level to lower security level, implicitly allowed. Lower security level to higher security level, implicitly denied. Otherwise it gets tricky once you start messing with multiple DMZs. Also, access-lists are the way to go since conduits will be phased out in the near future.
>>
>> Allen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27320t=26684
Re: PIX conduit access lists [7:26684]
Allen May wrote in message news:[EMAIL PROTECTED]...
> I'm not sure if this was answered or not, but a firewall always assumes a deny all at the end of the access-list for inbound. Outbound is different since it allows all by default. Remember this: Higher security level to lower security level, implicitly allowed. Lower security level to higher security level, implicitly denied. Otherwise it gets tricky once you start messing with multiple DMZs. Also, access-lists are the way to go since conduits will be phased out in the near future.
>
> Allen
>
> ----- Original Message -----
> From: Steve Alston
> Sent: Monday, November 19, 2001 9:25 AM
> Subject: Re: PIX conduit access lists [7:26684]
>
>> Carroll,
>>
>> Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes.) Are implicit denies inserted behind each conduit as well?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27293t=26684
PIX conduit access lists [7:26684]
Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list? I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow.

Thanks much,
Steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26684t=26684
Re: PIX conduit access lists [7:26684]
Implicit denies behind every access-list are inserted. Are you mixing conduits and access-lists? You really should not. Use ALL conduits or ALL access-lists. If both are used, conduits take priority and override your access-lists. Access-lists are first match, conduits are any match.

At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
> Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list? I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow.
>
> Thanks much,
> Steve

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26694t=26684
Re: PIX conduit access lists [7:26684]
Carroll,

Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes.) Are implicit denies inserted behind each conduit as well?

Carroll Kong wrote in message news:[EMAIL PROTECTED]...
> Implicit denies behind every access-list are inserted. Are you mixing conduits and access-lists? You really should not. Use ALL conduits or ALL access-lists. If both are used, conduits take priority and override your access-lists. Access-lists are first match, conduits are any match.
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26700t=26684
Re: PIX conduit access lists [7:26684]
I believe so.

At 10:25 AM 11/19/01 -0500, Steve Alston wrote:
> Carroll,
>
> Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes.) Are implicit denies inserted behind each conduit as well?

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26705t=26684
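The behaviour the thread above describes, as an added example that is not part of any post and not Cisco code: Allen's "all outbound enabled, all inbound disabled by default" based on interface security levels, Carroll's "access-lists are first match with an implicit deny, conduits are any match and take priority", Steve's question about why replies to his own web requests still came in after clear conduit, and Allen's echo-reply-only list on the outside interface. The model below is a deliberately small simulation: addresses, ports, the explicit egress interface passed to forward(), and the assumption that ICMP is not tracked in the connection table (which is what makes the echo-reply list necessary for pings from inside) are all constructed for the demonstration.

```python
"""Toy model of the PIX default policy described in this thread. Added example,
not code from the thread or from Cisco. Models: interface security levels
(higher -> lower permitted by default, lower -> higher denied by default); a
bound access-list evaluated first-match with the implicit deny at the end;
conduits as "any matching permit wins" rules that take priority over
access-lists; and a connection table so replies to TCP/UDP sessions started
from inside come back in. ICMP is assumed NOT to be tracked (assumption), which
is why an echo-reply-only list on the outside interface is needed for pings
from inside. Addresses, ports and the explicit egress interface are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # "echo" or "echo-reply" when proto == "icmp"


@dataclass(frozen=True)
class Rule:
    """One access-list entry or conduit (any source, any destination)."""
    action: str                # "permit" or "deny"
    proto: str = "ip"          # "ip" matches every protocol
    dport: Optional[int] = None
    icmp_type: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return not self.icmp_type or self.icmp_type == pkt.icmp_type


class Pix:
    def __init__(self, levels: Dict[str, int]) -> None:
        self.levels = levels                   # interface -> security level
        self.acls: Dict[str, List[Rule]] = {}  # 'access-group <acl> in interface <if>'
        self.conduits: List[Rule] = []
        self.conns: Set[Tuple] = set()         # (proto, src, sport, dst, dport)

    @staticmethod
    def acl_verdict(rules: List[Rule], pkt: Packet) -> str:
        """Access-lists are first match; falling off the end is the implicit deny."""
        for rule in rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def conduit_permits(self, pkt: Packet) -> bool:
        """Conduits are any-match: one matching permit conduit is enough."""
        return any(r.action == "permit" and r.matches(pkt) for r in self.conduits)

    def forward(self, pkt: Packet, ingress: str, egress: str) -> str:
        # Return half of a TCP/UDP session the firewall already permitted.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conns:
            return "permit"
        if self.levels[ingress] > self.levels[egress]:   # higher -> lower
            verdict = "permit"
            if ingress in self.acls:                     # a bound list replaces the default
                verdict = self.acl_verdict(self.acls[ingress], pkt)
        elif self.conduit_permits(pkt):                  # lower -> higher via a conduit
            verdict = "permit"
        elif ingress in self.acls:                       # lower -> higher via an access-list
            verdict = self.acl_verdict(self.acls[ingress], pkt)
        else:
            verdict = "deny"                             # the implicit deny
        if verdict == "permit" and pkt.proto in ("tcp", "udp"):
            self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def demo() -> Dict[str, str]:
    """Replay the situations from the thread; returns scenario -> verdict."""
    fw = Pix({"inside": 100, "outside": 0})
    out: Dict[str, str] = {}
    # An inside workstation fetches a web page; the reply has to come back in.
    out["web_request_out"] = fw.forward(Packet("tcp", "10.1.1.5", "203.0.113.10", 1025, 80), "inside", "outside")
    out["web_reply_in"] = fw.forward(Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 1025), "outside", "inside")
    # Unsolicited NTP from the Internet with no conduit and no list: denied.
    out["unsolicited_ntp_in"] = fw.forward(Packet("udp", "198.51.100.7", "10.1.1.5", 123, 123), "outside", "inside")
    # A ping from inside goes out, but ICMP is not tracked, so its reply is dropped...
    reply = Packet("icmp", "203.0.113.10", "10.1.1.5", icmp_type="echo-reply")
    out["ping_out"] = fw.forward(Packet("icmp", "10.1.1.5", "203.0.113.10", icmp_type="echo"), "inside", "outside")
    out["ping_reply_in_no_acl"] = fw.forward(reply, "outside", "inside")
    # ...until Allen's echo-reply-only list is bound to the outside interface.
    fw.acls["outside"] = [Rule("permit", "icmp", icmp_type="echo-reply")]
    out["ping_reply_in_with_acl"] = fw.forward(reply, "outside", "inside")
    probe = Packet("icmp", "198.51.100.7", "10.1.1.5", icmp_type="echo")
    out["ping_request_in_with_acl"] = fw.forward(probe, "outside", "inside")
    # Mixing styles: a leftover 'conduit permit icmp any any' overrides that list.
    fw.conduits.append(Rule("permit", "icmp"))
    out["conduit_overrides_acl"] = fw.forward(probe, "outside", "inside")
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:26} {verdict}")
```

The two results worth noticing are "web_reply_in permit" with no conduit at all, which is Steve's observation after clear conduit (the reply rides the connection the outbound request created, not a conduit), and "conduit_overrides_acl permit", which is Carroll's warning in miniature: the echo-reply-only list on the outside interface is silently bypassed as long as a broad permit conduit remains in the configuration, so the cut-over really does have to be all conduits or all access-lists.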
Bridging and Access-lists [7:24791]
I have an ethernet segment that I would like to put some restrictions on, and after having played around with several solutions, I came to one that I believe is the best. Please do not reply with "why don't you use the firewall", or similar suggestions, because I am looking for a way to get this solution to work.

I have placed a Cisco 2514 on a segment so I can create access-lists to filter traffic. I want my segment to have the same IP addresses and be on the same network, so I have assigned the 2514 as a bridge where both ethernet interfaces have the same IP address and are in the same bridge-group. IP routing has been disabled. This all works fine, except that any access-lists I create on either of the two ethernet interfaces do not block anything at all; it's like access-lists are being ignored when the interfaces work in bridging mode.

Here's how it looks, very simplified:

  internet---router---firewall---2514---switch---users and servers

A part of the config:

  no ip routing
  !
  interface Ethernet0
   ip address 10.25.14.1 255.0.0.0
   no ip directed-broadcast
   no ip route-cache
   no mop enabled
   bridge-group 1
  !
  interface Ethernet1
   ip address 10.25.14.1 255.0.0.0
   ip access-group 100 in
   no ip directed-broadcast
   no ip route-cache
   no mop enabled
   bridge-group 1
  !
  bridge 1 protocol dec
  !
  ip classless
  !
  access-list 100 deny ip any any
  !

The e0 interface is connected to the firewall, the gateway router, and eventually the Internet. The e1 interface is connected to the switch connecting a workstation. From that workstation I am browsing the web, but even with the deny ip any any, I can keep browsing without being blocked.

Can someone explain this, and perhaps come up with a solution to fix this problem on this router?

Thanks in advance,
Ole

~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~
http://www.RouterChief.com
~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24791t=24791
RE: Bridging and Access-lists [7:24791]
I think that would work; however, I would then look at layer 2 addresses instead of layer 3 addresses, and controlling a group of people who can access the web all the time, another group who can access it in certain time frames, and a third group that cannot access it would be a nightmare to control with MAC addresses, instead of simply an array of IP addresses specified by a wildcard.

Hmm, I've got to dig a little more...

Thanks,
Ole

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 10:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Bridging and Access-lists [7:24791]

> Ole,
>
> My thinking on this... When your ethernet frame (L2) hits the e1 interface the router will bridge (L2) this to the e0 interface and not route (L3) it. Therefore the IP access-list (L3) will not be used.
>
> I did some work a couple of years ago on a dial-on-demand bridging solution. After a lot of head scratching we learned about extended bridging ACLs; maybe you could use these? I think they are range 1000 to 1100, you will need to check this.
>
> What do you think?
>
> Steven Dangerfield
> CCNP, CCSA, CSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24800t=24791
Re: Bridging and Access-lists [7:24791]
Is there a good reason that the bridge is set up as protocol dec? I don't know if it would work the way you have it configured using ieee instead. Just a thought.

Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24808t=24791
RE: Bridging and Access-lists [7:24791]
It works as I said, and yes I have wondered why it set it to DEC, but I used the auto setup procedure during startup after an erase star command, and said yes to put both ethernet interfaces in bridging mode. It came up and did the bridge 1 protocol dec by itself. And I have tried to use the IEEE instead without any differences related to my problem.

As I see it now, I would have to do one of two things:

1) Change some of my IP addresses so I can place devices on each side of the router on different subnets (seen from the router's view), and then set it up as routing instead of switching.

2) Add all the MAC addresses to the groups they belong to, and then use access-lists 700-799 (MAC addresses).

Both solutions suck, so I am still looking for an easier 3rd solution.

Ole

~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~
http://www.RouterChief.com
~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~

-----Original Message-----
From: Ed Horley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 12:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Bridging and Access-lists [7:24791]

Is there a good reason that the bridge is set up as protocol dec? I don't know if it would work the way you have it configured using ieee instead. Just a thought.

Ed
Access-lists: Time-based and 700's [7:24821]
I am not very lucky with this. It seems like I have to use a 700's access-list to filter bridged interfaces on their MAC address, but that throws me into a new problem. As far as I can see, the time-range option does not work on 700's access-lists, so I am back to square 1 where I probably have to rearrange my entire network's IP address scheme, so I can change the router where I want to filter from doing bridging between interfaces, to doing routing.

If anyone has a better idea, PLEASE let me know.

Thanks,

Ole

~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~
http://www.RouterChief.com
~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24821t=24821
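As an added illustration (not code from the thread) of Steven's point earlier that a bridged frame never reaches the IP access-list, and of the time-range versus 700-series limitation in this post, here is a small Python model of the two forwarding paths; the policy, addresses, MAC addresses and hours are constructed.

```python
"""Model of how IOS consults ACLs on a bridged vs. a routed interface.

Added example, not code from the thread. An inbound IP ACL (wildcard masks,
first match wins, implicit deny, optional time-range) applies only when the
packet is routed at layer 3; a bridged frame only meets a MAC-address list
(700-series style). Addresses, MACs and the hours below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

def ip_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class TimeRange:
    weekdays_only: bool
    start_hour: int
    end_hour: int
    def active(self, now: datetime) -> bool:
        if self.weekdays_only and now.weekday() >= 5:
            return False
        return self.start_hour <= now.hour < self.end_hour

@dataclass
class IpAce:
    action: str          # "permit" or "deny"
    src: str             # source address
    wildcard: str        # IOS wildcard mask
    time_range: Optional[TimeRange] = None   # inactive range: entry is skipped

def ip_acl_permits(acl, src_ip: str, now: datetime) -> bool:
    """First matching, time-active entry decides; implicit deny at the end."""
    for ace in acl:
        if ace.time_range is not None and not ace.time_range.active(now):
            continue
        if ip_match(src_ip, ace.src, ace.wildcard):
            return ace.action == "permit"
    return False

def mac_acl_permits(acl, src_mac: str) -> bool:
    """700-series style (action, mac) entries; "any" is this model's catch-all."""
    for action, mac in acl:
        if mac in ("any", src_mac):
            return action == "permit"
    return False

def forwarded(ip_routing: bool, ip_acl, mac_acl, src_ip, src_mac, now) -> bool:
    """no ip routing: only the MAC list applies; routing: the IP ACL applies."""
    if not ip_routing:
        return mac_acl_permits(mac_acl, src_mac)
    return ip_acl_permits(ip_acl, src_ip, now)

# Constructed policy: 10.25.14.0/24 always, 10.25.15.0/24 weekdays 08-17, rest denied.
WORKHOURS = TimeRange(weekdays_only=True, start_hour=8, end_hour=17)
IP_ACL = [IpAce("permit", "10.25.14.0", "0.0.0.255"),
          IpAce("permit", "10.25.15.0", "0.0.0.255", WORKHOURS),
          IpAce("deny", "0.0.0.0", "255.255.255.255")]
DENY_ALL = [IpAce("deny", "0.0.0.0", "255.255.255.255")]   # "access-list 100 deny ip any any"
MAC_ACL = [("deny", "0000.0c00.0001"), ("permit", "any")]   # constructed MACs
THREAD_WED = datetime(2001, 10, 31, 10, 57)   # the thread's Wednesday, office hours
SATURDAY = datetime(2001, 11, 3, 10, 0)
```

With `ip_routing=False` the deny-all IP list is never consulted, which is the behaviour Ole reports; the same packet on the routed path is dropped.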
RE: Bridging and Access-lists [7:24791]
If you are bridging you can only use a layer 2 access list... Essentially you'll only be able to block traffic based on MAC addressing... I think the layer 2 access lists start at 700...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24797t=24791
Re: Bridging and Access-lists [7:24791]
I know you said in the initial set up that you didn't want a firewall comment, however I may have a solution that you are interested in. The NetScreen firewalls can operate in what is called transparent mode. It then is a layer 2 filter that does wire speed packet inspection for layer 3/4 rules. Way cool stuff. It doesn't have actual IP addresses on the actual Ethernet interfaces; it does have an IP for management of the NetScreen. My understanding is it acts like a bridge, however it can still inspect packets and apply rules based on layer 2/4 rules. That might do what you are looking for.

Regards,

Ed
PIX subnet access-lists [7:23797]
Does anyone know the access-list command that would allow an entire subnet into an ftp site. Here are some examples of what I've tried:

access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host 124.49.114.6 eq ftp
access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host 124.49.114.6 255.255.255.255 eq ftp

Neither of these worked.

Thanks,

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23797t=23797