RE: router CPU utilization on access lists? [7:75002]

2003-09-11 Thread [EMAIL PROTECTED]
So maybe permit and route to null0 in some cases? Then no unreachables are
generated because there is a route?

Martijn 


-Original Message-
From: Marty Adkins [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 September 2003 20:29
To: [EMAIL PROTECTED]
Subject: Re: router CPU utilization on access lists? [7:75002]


Priscilla Oppenheimer wrote:

 Yes, that's true indeed that access lists don't cause process switching
 anymore, so wouldn't show up in IP Input.
 
Two exceptions that I failed to mention are logging and the side effect
of a deny.  By default, a deny causes the generation of an ICMP admin.
prohibited unreachable sent to the source of the blocked packet.  Since
packets cannot be created in interrupt mode, process context is required.
But these are rate limited to two/second by default as self protection.
Plus normal traffic shouldn't result in very many denies.  But you can
inhibit this entirely by configuring no ip unreachables on an interface.

If the matching ACE has the log keyword, then process context is required
to create the log message and perform normal logging.  This too is
rate-limited.

 Thanks for everyone's advice. It sounds like Marty has the right approach.
 Although access lists aren't process switched, they are generally fast
 switched unless the router supports some other feature (like silicon
 switching) or some fancy configuration like CEF or NetFlow?
 
 So, the thing to look for is a high utilization caused by interrupts (the
 number after the slash).
 
 I can't safely turn them off and test, so I think I will try to simulate the
 network and traffic in a lab to test my theory that they are an issue.
 
 It's a 2621 router with lots of entries in the access lists that are
 applied. I think it's time to offload a lot of the policy represented by the
 lists to a PIX firewall.
 
You can tune the lists by letting it run for a while and then noting the
match counts (show access-list).  Within each grouping of permit entries, you
can reorder the statements to reduce the number of entries that must be
compared to reach a match.

If the ACL processing is as efficient as possible but is really impacting CPU
utilization, then you could enable the turbo ACL feature (access-list
compiled).  Unfortunately, that's still only available on higher-end
platforms, from 3700s on up.

 Here's a good URL on troubleshooting high CPU util, by the way:
 
 http://www.cisco.com/warp/public/63/highcpu.html
 
 Thanks
 
 Priscilla
 
- Marty
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75233t=75002


Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread M.C. van den Bovenkamp
Elijah Savage wrote:

 I have actually been told by TAC before IP Input, for what it is worth
 :)

Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access 
lists were process switched, and thus would show up as extra time spent 
in 'IP Input'.

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75043t=75002


Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Priscilla Oppenheimer
M.C. van den Bovenkamp wrote:
 
 Elijah Savage wrote:
 
  I have actually been told by TAC before IP Input, for what it
 is worth
  :)
 
 Not much, anymore :-). It's been a *long* time (IOS 10.x?)
 since access
 lists were process switched, and thus would show up as extra
 time spent
 in 'IP Input'.

Yes, that's true indeed that access lists don't cause process switching
anymore, so wouldn't show up in IP Input.

Thanks for everyone's advice. It sounds like Marty has the right approach.
Although access lists aren't process switched, they are generally fast
switched unless the router supports some other feature (like silicon
switching) or some fancy configuration like CEF or NetFlow?

So, the thing to look for is a high utilization caused by interrupts (the
number after the slash).

I can't safely turn them off and test, so I think I will try to simulate the
network and traffic in a lab to test my theory that they are an issue.

It's a 2621 router with lots of entries in the access lists that are
applied. I think it's time to offload a lot of the policy represented by the
lists to a PIX firewall.

Here's a good URL on troubleshooting high CPU util, by the way:

http://www.cisco.com/warp/public/63/highcpu.html

Thanks

Priscilla


 
   Regards,
 
   Marco.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75078t=75002


Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Marty Adkins
Priscilla Oppenheimer wrote:

 Yes, that's true indeed that access lists don't cause process switching
 anymore, so wouldn't show up in IP Input.
 
Two exceptions that I failed to mention are logging and the side effect
of a deny.  By default, a deny causes the generation of an ICMP admin.
prohibited unreachable sent to the source of the blocked packet.  Since
packets cannot be created in interrupt mode, process context is required.
But these are rate limited to two/second by default as self protection.
Plus normal traffic shouldn't result in very many denies.  But you can
inhibit this entirely by configuring no ip unreachables on an interface.

If the matching ACE has the log keyword, then process context is required
to create the log message and perform normal logging.  This too is
rate-limited.

 Thanks for everyone's advice. It sounds like Marty has the right approach.
 Although access lists aren't process switched, they are generally fast
 switched unless the router supports some other feature (like silicon
 switching) or some fancy configuration like CEF or NetFlow?
 
 So, the thing to look for is a high utilization caused by interrupts (the
 number after the slash).
 
 I can't safely turn them off and test, so I think I will try to simulate the
 network and traffic in a lab to test my theory that they are an issue.
 
 It's a 2621 router with lots of entries in the access lists that are
 applied. I think it's time to offload a lot of the policy represented by the
 lists to a PIX firewall.
 
You can tune the lists by letting it run for a while and then noting the
match counts (show access-list).  Within each grouping of permit entries, you
can reorder the statements to reduce the number of entries that must be
compared to reach a match.

If the ACL processing is as efficient as possible but is really impacting CPU
utilization, then you could enable the turbo ACL feature (access-list
compiled).  Unfortunately, that's still only available on higher-end
platforms, from 3700s on up.

 Here's a good URL on troubleshooting high CPU util, by the way:
 
 http://www.cisco.com/warp/public/63/highcpu.html
 
 Thanks
 
 Priscilla
 
- Marty




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75095t=75002
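The match-count tuning Marty describes, as an added example that is not code from the thread: it parses constructed `show access-list` output and proposes an order that keeps every packet's permit/deny result unchanged while moving the hottest entries to the front of each run of same-action entries (the `log` handling is my own caveat, not from the post).

```python
"""Reorder ACL entries within same-action runs by observed match counts.

Added example, not code from the thread: parses 'show access-list' output
(with or without sequence numbers) and proposes an order that keeps the
same permit/deny result for every packet while putting the hottest entry
first in each run of same-action entries.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One ACE line, e.g. "    10 permit tcp any host 10.1.1.10 eq www (154322 matches)"
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+)\s+match(?:es)?\))?\s*$"
)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    text: str     # match criteria after the action keyword
    matches: int  # counter from 'show access-list', 0 when absent


def parse_show_access_list(output: str) -> List[Ace]:
    """Return the ACEs in configured order; header lines are skipped."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(m["action"], m["rest"].strip(), int(m["matches"] or 0)))
    return aces


def comparisons(aces: List[Ace]) -> int:
    """ACE comparisons needed to classify all counted packets.

    A packet whose first match is entry i (1-based) cost i comparisons.
    """
    return sum((i + 1) * a.matches for i, a in enumerate(aces))


def _logs(ace: Ace) -> bool:
    parts = ace.text.split()
    return bool(parts) and parts[-1] in ("log", "log-input")


def reorder_within_runs(aces: List[Ace]) -> List[Ace]:
    """Sort each maximal run of same-action entries by match count, descending.

    Moving an entry inside a run of identical actions cannot change the
    action any packet receives: a packet matching any entry of the run gets
    that action either way, and entries outside the run keep their position
    relative to the run. Entries with 'log' are left where they are, since
    which entry matches decides whether a log message is produced.
    """
    result: List[Ace] = []
    run: List[Ace] = []

    def flush() -> None:
        result.extend(sorted(run, key=lambda a: a.matches, reverse=True))
        run.clear()

    for ace in aces:
        if _logs(ace):
            flush()
            result.append(ace)
            continue
        if run and ace.action != run[0].action:
            flush()
        run.append(ace)
    flush()
    return result


def plan(output: str) -> Tuple[List[str], int, int]:
    """Proposed order plus comparison totals before and after."""
    aces = parse_show_access_list(output)
    new = reorder_within_runs(aces)
    return ([f"{a.action} {a.text}" for a in new], comparisons(aces), comparisons(new))


# Constructed sample output (not a real capture)
SAMPLE = """\
Extended IP access list 101
    10 permit tcp any host 10.1.1.10 eq www (154322 matches)
    20 permit tcp any host 10.1.1.10 eq 443 (20 matches)
    30 permit udp any host 10.1.1.53 eq domain (98211 matches)
    40 deny ip 10.0.0.0 0.255.255.255 any log (12 matches)
    50 permit tcp any any eq smtp (5 matches)
    60 permit tcp any any eq 22 (771 matches)
    70 deny ip any any (3 matches)
"""

if __name__ == "__main__":
    order, before, after = plan(SAMPLE)
    print("\n".join(order))
    print(f"comparisons: {before} -> {after}")
```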


Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Howard C. Berkowitz
At 10:08 PM + 9/8/03, Priscilla Oppenheimer wrote:
Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists?

What am I looking for when I do a show processes cpu?

Thanks,

Priscilla


This isn't a complete answer to your question, but look at 
http://www.networkcomputing.com/1004/1004ws2.html

It's a very interesting article on benchmarking access lists done at 
Syracuse University.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75154t=75002


router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Priscilla Oppenheimer
Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists?

What am I looking for when I do a show processes cpu?

Thanks,

Priscilla


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75002t=75002


Re: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Marty Adkins
Priscilla Oppenheimer wrote:

 Maybe a dumb question, but I know you guys can help me. :-)
 
 How would I know if a router is using excessive CPU on IP access lists?
 
 What am I looking for when I do a show processes cpu?
 
You can't determine the portion due to ACL processing from any single
display.  You'd have to compare the result of show proc cpu with
the ACL enabled and with it not enabled, for the essentially identical
traffic stream.  Within the display, note the percentage of time spent
in interrupt mode, as indicated by the number after the / in the
five second average.  Interrupt stack time is almost totally due to
switching packets and associated inspection of them such as ACLs.

- Marty




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75010t=75002
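Reading the number after the slash, as an added example that is not code from the thread: it parses the header line of `show processes cpu` from two constructed captures (with and without the ACL) and reports how much of the change landed in interrupt context versus scheduled processes.

```python
"""Read the interrupt-vs-process split from 'show processes cpu'.

Added example, not code from the thread. The header line reads like
  CPU utilization for five seconds: 62%/48%; one minute: 55%; five minutes: 51%
The number after the slash is the share spent in interrupt context, where
switched packets and their ACL checks are handled; the remainder is time in
scheduled processes such as IP Input.
"""
import re
from typing import Dict

HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(?P<total>\d+)%/(?P<interrupt>\d+)%;"
    r"\s*one minute:\s*(?P<one>\d+)%;\s*five minutes:\s*(?P<five>\d+)%"
)


def parse_cpu_header(output: str) -> Dict[str, int]:
    """Total, interrupt and process percentages for the five-second window."""
    m = HEADER_RE.search(output)
    if not m:
        raise ValueError("no 'CPU utilization' header found")
    total, interrupt = int(m["total"]), int(m["interrupt"])
    return {"total": total, "interrupt": interrupt, "process": total - interrupt,
            "one_min": int(m["one"]), "five_min": int(m["five"])}


def acl_cost_estimate(without_acl: str, with_acl: str) -> Dict[str, int]:
    """Difference between two captures taken under comparable traffic.

    A rise in the interrupt share points at switching-path work (the ACL
    checks themselves); a rise in the process share points at punted work
    such as ICMP unreachables for denies or 'log' entries.
    """
    a, b = parse_cpu_header(without_acl), parse_cpu_header(with_acl)
    return {"interrupt_delta": b["interrupt"] - a["interrupt"],
            "process_delta": b["process"] - a["process"]}


# Constructed sample captures (not real router output)
BASELINE = "CPU utilization for five seconds: 31%/24%; one minute: 30%; five minutes: 29%\n"
WITH_ACL = "CPU utilization for five seconds: 62%/48%; one minute: 55%; five minutes: 51%\n"

if __name__ == "__main__":
    print(parse_cpu_header(WITH_ACL))
    print(acl_cost_estimate(BASELINE, WITH_ACL))
```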


Re: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Marko Milivojevic
 What am I looking for when I do a show processes cpu?

I believe it's IP Input.


Marko.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75009t=75002


RE: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Degracia, Alex
Aren't interfaces with access-lists process switched?

So I would imagine it would be IP Input but this is rather vague as
well.

Correct me if I'm wrong.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 9 September 2003 8:09 AM
To: [EMAIL PROTECTED]
Subject: router CPU utilization on access lists? [7:75002]

Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists?

What am I looking for when I do a show processes cpu?

Thanks,

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75008t=75002


RE: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Elijah Savage
I have actually been told by TAC before IP Input, for what it is worth
:)

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 08, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: router CPU utilization on access lists? [7:75002]

Maybe a dumb question, but I know you guys can help me. :-)

How would I know if a router is using excessive CPU on IP access lists?

What am I looking for when I do a show processes cpu?

Thanks,

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75015t=75002


RE: class-map, access-lists, access-groups, and policy maps [7:72661]

2003-07-20 Thread Reimer, Fred
The VLAN200 in class-map match-all VLAN200 is just specifying the
class-map-name.  From the IOS docs: Name of the class for the class map.
The class name is used for both the class map and to configure policy for
the class in the policy map.  I believe you would use service-policy to
attach it to a VLAN interface.  You don't need match-all as you only have
one match statement in the class-map.

class-map match-all VLAN200
  Match access-group 103
policy-map VLAN200-policy
  class VLAN200
   priority percent 75
  class class-default
   fair-queue

The above should set the minimum guaranteed bandwidth (Percent Specifies
that the amount of guaranteed bandwidth will be specified by the percent of
available bandwidth) IF the traffic matches ACL 103, and if it does not
match then it will default to the class-default and fall into using 256
dynamic queues (assuming the interface was  512Kbps bandwidth).

It's all in the IOS documentation.

Fred Reimer - CCNA


Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177  Cell: 770-490-3071  Pager: 888-260-2050




-Original Message-
From: Coy, Jason (Jason) [mailto:[EMAIL PROTECTED] 
Sent: Saturday, July 19, 2003 9:58 PM
To: [EMAIL PROTECTED]
Subject: class-map, access-lists, access-groups, and policy maps [7:72643]

I have been looking for a simple explanation as to how the three relate
and their dependencies.  Example configuration from a show run:

class-map match-all VLAN200
  Match access-group 103

Does the above subject all VLAN200 traffic to access group 103?
Is that access group associated with the access-list?

policy-map VLAN200-policy
  class VLAN200
   priority percent 75
  class class-default
   fair-queue

What does the above do, allocate a maximum bandwidth, or set a priority
queuing?
I have been looking for a good reference to QoS policies and how to
determine what the router has set.  Any recommendations?
Jason Coy
Field Assistance Support Team, Chicago
708-233-4274 Office
888-461-1323 Pager
708-975-4274 Cell

[GroupStudy removed an attachment of type image/gif which had a name of
image001.gif]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72661t=72661
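The dependency chain Fred describes (interface -> service-policy -> policy-map -> class -> class-map -> access-group -> ACL), as an added example that is not code from the thread: a small resolver that walks a constructed config containing Jason's snippet and flags dangling references, such as a class-map pointing at an ACL that is not defined.

```python
"""Resolve class-map / policy-map / access-group references in an IOS config.

Added example, not code from the thread. Parses a constructed config (built
around the snippet in the thread) and walks interface -> service-policy ->
policy-map -> class -> class-map -> match access-group -> ACL, reporting
any link in the chain that points at something not defined.
"""
from typing import Dict, List, Set, Tuple


def parse_config(cfg: str):
    class_maps: Dict[str, List[str]] = {}
    policy_maps: Dict[str, Dict[str, List[str]]] = {}
    service_policies: Dict[str, Tuple[str, str]] = {}
    acls: Set[str] = set()
    section = None
    cur_class = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():            # top-level command starts a section
            cur_class = None
            parts = line.split()
            if parts[0] == "class-map":     # 'class-map [match-all|match-any] NAME'
                class_maps[parts[-1]] = []
                section = ("class-map", parts[-1])
            elif parts[0] == "policy-map":
                policy_maps[parts[1]] = {}
                section = ("policy-map", parts[1])
            elif parts[0] == "interface":
                section = ("interface", parts[1])
            elif parts[0] == "access-list":                # numbered ACL
                acls.add(parts[1])
                section = None
            elif parts[:2] == ["ip", "access-list"]:       # 'ip access-list extended NAME'
                acls.add(parts[3])
                section = None
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class-map":
            class_maps[name].append(line)
        elif kind == "policy-map":
            if line.startswith("class "):
                cur_class = line.split()[1]
                policy_maps[name][cur_class] = []
            elif cur_class:
                policy_maps[name][cur_class].append(line)
        elif kind == "interface" and line.startswith("service-policy "):
            _, direction, pol = line.split()
            service_policies[name] = (direction, pol)
    return class_maps, policy_maps, service_policies, acls


def resolve(cfg: str):
    """Return (bindings, problems): one binding per interface/class/ACL path."""
    class_maps, policy_maps, svc, acls = parse_config(cfg)
    bindings, problems = [], []
    for iface, (direction, pol) in svc.items():
        if pol not in policy_maps:
            problems.append(f"{iface}: policy-map {pol} not defined")
            continue
        for cls, actions in policy_maps[pol].items():
            if cls == "class-default":      # implicit catch-all class, no class-map
                bindings.append((iface, direction, pol, cls, None, actions))
                continue
            if cls not in class_maps:
                problems.append(f"{pol}: class {cls} has no class-map")
                continue
            for crit in class_maps[cls]:
                parts = crit.lower().split()
                if parts[:2] == ["match", "access-group"]:
                    acl = parts[-1]         # works for numbered and 'name X' forms
                    if acl not in acls:
                        problems.append(f"class-map {cls}: access-group {acl} has no ACL")
                    bindings.append((iface, direction, pol, cls, acl, actions))
    return bindings, problems


# Constructed config: the thread's snippet plus the pieces it depends on.
SAMPLE_CONFIG = """\
class-map match-all VLAN200
  Match access-group 103
policy-map VLAN200-policy
  class VLAN200
   priority percent 75
  class class-default
   fair-queue
interface Vlan200
 service-policy output VLAN200-policy
access-list 103 permit ip 10.200.0.0 0.0.255.255 any
"""

if __name__ == "__main__":
    for item in resolve(SAMPLE_CONFIG):
        print(item)
```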
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


class-map, access-lists, access-groups, and policy maps [7:72643]

2003-07-19 Thread Coy, Jason (Jason)
I have been looking for a simple explanation as to how the three relate
and their dependencies.  Example configuration from a show run:

class-map match-all VLAN200
  Match access-group 103

Does the above subject all VLAN200 traffic to access group 103?
Is that access group associated with the access-list?

policy-map VLAN200-policy
  class VLAN200
   priority percent 75
  class class-default
   fair-queue

What does the above do, allocate a maximum bandwidth, or set a priority
queuing?
I have been looking for a good reference to QoS policies and how to
determine what the router has set.  Any recommendations?
Jason Coy
Field Assistance Support Team, Chicago
708-233-4274 Office
888-461-1323 Pager
708-975-4274 Cell

[GroupStudy removed an attachment of type image/gif which had a name of
image001.gif]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=72643t=72643


RE: MLS and access lists [7:66464]

2003-03-31 Thread cebuano
Hi Priscilla,
Quoting Multilayer Switching Companion Guide on p. 340...
MLS creates flows based on access lists configured on the MLS-RP...the
MLS-SE handles standard and extended access list PERMIT traffic...Route
topology changes and the addition or modification of access lists are
reflected in the IP MLS switching path automatically on the MLS-SE...the
MLS-SE learns of the change through MLSP and immediately enforces
security.
I believe this is the reason why you need a L3 switch to do MLS.
HTH.
Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 29, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]

With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know
that
the router (MLS-RP) has an access list? In other words, how does the
switch
know that it should use a destination flow mask, a destination-source
flow
mask, or a full-flow mask? The access list, after all, is on the router,
not
the switch, according to descriptions of MLS.

The switch definitely knows, because you see different output with the
show
mls command, but how does it know? Does the router pass it to the
switch in
MLSP messages, or is there something more obvious that I'm missing.

With some access lists, an enable packet would never come back from the
router. Is that what triggers the switch to use the more advanced flow
masks? This would imply that the switch is always looking at upper
layers
and knows that Telnet between 2 hosts results in an enable packet but
FTP
(or whatever) does not. That seems like a lot of burden to put on a
switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN
switching papers at CertificationZone, but am still left wondering

Thanks for your help.

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66559t=66464


RE: MLS and access lists [7:66464]

2003-03-30 Thread [EMAIL PROTECTED]
As far as I am aware, the 1st packet in the flow has to be L3 switched.  A
router just does not send an enable packet back to the SE if it fails an
ACL.  In terms of the telnet, FTP scenarios, I assume that the flow does not
matter at the SE, cause the packet processing at the router just denies it
and an MLS flow never gets created for that L4 based connection.

Hope this helps.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: 30 March 2003 00:10
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]


With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that
the router (MLS-RP) has an access list? In other words, how does the switch
know that it should use a destination flow mask, a destination-source flow
mask, or a full-flow mask? The access list, after all, is on the router, not
the switch, according to descriptions of MLS.

The switch definitely knows, because you see different output with the show
mls command, but how does it know? Does the router pass it to the switch in
MLSP messages, or is there something more obvious that I'm missing.

With some access lists, an enable packet would never come back from the
router. Is that what triggers the switch to use the more advanced flow
masks? This would imply that the switch is always looking at upper layers
and knows that Telnet between 2 hosts results in an enable packet but FTP
(or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN
switching papers at CertificationZone, but am still left wondering

Thanks for your help.

Priscilla






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66491t=66464


RE: MLS and access lists [7:66464]

2003-03-30 Thread Priscilla Oppenheimer
[EMAIL PROTECTED] wrote:
 
 As far as I am aware, the 1st packet in the flow has to be L3
 switched.  A
 router just does not send an enable packet back to the SE if it
 fails an
 ACL.  In terms of the telnet, FTP scenarios, I assume that the
 flow does not
 matter at the SE, cause the packet processing at the router
 just denies it
 and an MLS flow never gets created for that L4 based connection.

If a simple destination flow mask (the default) gets created on the SE that
says how to send traffic to a host, both Telnet and FTP traffic will be sent
to the host despite the access list on the router. It's a huge security
hole. However, the Cisco developers thought of this, of course. (I wonder if
it was an afterthought or if they realized this was a problem right away?
:-) They created more complicated flow masks:

* Destination-source flow mask to handle a standard access list or simple
extended access list without L4 port numbers on the router

* Full flow mask to handle an extended access list that uses L4 port numbers

It turns out that MLSP is used by the router to signal to the SE which flow
masks must be used. Thank-you Kennedy Clark and the other person who cleared
that up. (Great to hear from Kennedy, author of one of the best Cisco Press
books, Cisco LAN Switching. It's right up there with Doyle's books.)

The books say that MLSP flushes the MLS cache when access lists are
configured or changed, or the routing table changes, but they aren't too
clear that on bootup, if a router has access lists, it better tell the SE to
use a more specific flow mask. I'd like to see that protocol in action?! Of
course, if it's a built-in RSP, that wouldn't be possible.

Thanks everyone for replying.

Priscilla


 
 Hope this helps.
 
 -Original Message-
 From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
 Sent: 30 March 2003 00:10
 To: [EMAIL PROTECTED]
 Subject: MLS and access lists [7:66464]
 
 
 With Multilayer Switching (MLS), how does the MLS Switch
 (MLS-SE) know that
 the router (MLS-RP) has an access list? In other words, how
 does the switch
 know that it should use a destination flow mask, a
 destination-source flow
 mask, or a full-flow mask? The access list, after all, is on the
 router, not
 the switch, according to descriptions of MLS.
 
 The switch definitely knows, because you see different output
 with the show
 mls command, but how does it know? Does the router pass it to
 the switch in
 MLSP messages, or is there something more obvious that I'm
 missing.
 
 With some access lists, an enable packet would never come back
 from the
 router. Is that what triggers the switch to use the more
 advanced flow
 masks? This would imply that the switch is always looking at
 upper layers
 and knows that Telnet between 2 hosts results in an enable
 packet but FTP
 (or whatever) does not. That seems like a lot of burden to put
 on a switch.
 
 I checked Clark and Hamilton Cisco LAN Switching, and the
 Ethernet LAN
 switching papers at CertificationZone, but am still left
 wondering
 
 Thanks for your help.
 
 Priscilla
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66500t=66464
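The security hole Priscilla describes, and how the flow mask closes it, as an added example that is not code from the thread: a simplified model of the RP/SE split in which the first packet of a flow is routed through the ACL, a permit creates a shortcut keyed by the active flow mask, and later packets with the same key bypass the ACL. It constructs a Telnet-then-FTP scenario and shows the FTP packet riding a destination-only entry versus being punted and denied under a full-flow mask.

```python
"""Model of MLS flow masks and why an ACL forces a more specific one.

Added example, not code from the thread: a simplified model of the
MLS-RP/MLS-SE split. The first packet of a flow is routed by the RP, which
applies the ACL; if it permits, the SE caches a shortcut keyed by the active
flow mask and switches later packets with that key without consulting the
ACL. The mask the RP signals over MLSP (destination-source for an ACL
without L4 ports, full-flow with them, as the thread states) is what keeps a
cached Telnet shortcut from also carrying FTP past a deny.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # None means any
    dst: Optional[str]     # None means any
    dport: Optional[int]   # None means no L4 port in the entry


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ace.src in (None, pkt.src)
            and ace.dst in (None, pkt.dst)
            and ace.dport in (None, pkt.dport))


def router_decision(acl: List[Ace], pkt: Packet) -> str:
    """First-match ACL evaluation on the MLS-RP, with the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def required_flow_mask(acl: List[Ace]) -> str:
    """Mask the RP must signal to the SE for this ACL, as the thread states."""
    if not acl:
        return "destination"
    if any(a.dport is not None for a in acl):
        return "full-flow"
    return "destination-source"


def flow_key(mask: str, pkt: Packet) -> Tuple:
    if mask == "destination":
        return (pkt.dst,)
    if mask == "destination-source":
        return (pkt.src, pkt.dst)
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


class MlsSwitch:
    """MLS-SE cache: an entry exists only after the RP returned an enable packet."""

    def __init__(self, mask: str, acl: List[Ace]):
        self.mask, self.acl = mask, acl
        self.cache: Dict[Tuple, bool] = {}

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        key = flow_key(self.mask, pkt)
        if key in self.cache:
            return ("switch", "shortcut")         # ACL never consulted
        verdict = router_decision(self.acl, pkt)  # candidate packet goes to RP
        if verdict == "permit":
            self.cache[key] = True                # enable packet creates the entry
        return ("router", verdict)


# Constructed scenario: Telnet to the server is allowed, everything else to it denied.
SERVER = "10.1.1.10"
ACL = [Ace("permit", "tcp", None, SERVER, 23), Ace("deny", "ip", None, SERVER, None)]
TELNET = Packet("10.2.2.2", SERVER, "tcp", 40001, 23)
FTP = Packet("10.2.2.2", SERVER, "tcp", 40002, 21)


def run_scenario(mask: str) -> List[Tuple[str, str]]:
    """Outcome of Telnet followed by FTP from the same host under a given mask."""
    se = MlsSwitch(mask, ACL)
    return [se.forward(TELNET), se.forward(FTP)]


if __name__ == "__main__":
    for mask in ("destination", required_flow_mask(ACL)):
        print(mask, run_scenario(mask))
```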


MLS and access lists [7:66464]

2003-03-29 Thread Priscilla Oppenheimer
With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that
the router (MLS-RP) has an access list? In other words, how does the switch
know that it should use a destination flow mask, a destination-source flow
mask, or a full-flow mask? The access list, after all, is on the router, not
the switch, according to descriptions of MLS.

The switch definitely knows, because you see different output with the show
mls command, but how does it know? Does the router pass it to the switch in
MLSP messages, or is there something more obvious that I'm missing.

With some access lists, an enable packet would never come back from the
router. Is that what triggers the switch to use the more advanced flow
masks? This would imply that the switch is always looking at upper layers
and knows that Telnet between 2 hosts results in an enable packet but FTP
(or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN
switching papers at CertificationZone, but am still left wondering

Thanks for your help.

Priscilla



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66464t=66464


RE: MLS and access lists [7:66464]

2003-03-29 Thread cebuano
Hi Priscilla,
Quoting Multilayer Switching Companion Guide on p. 340...
MLS creates flows based on access lists configured on the MLS-RP...the
MLS-SE handles standard and extended access list PERMIT traffic...Route
topology changes and the addition or modification of access lists are
reflected in the IP MLS switching path automatically on the MLS-SE...the
MLS-SE learns of the change through MLSP and immediately enforces
security.
I believe this is the reason why you need a L3 switch to do MLS.
HTH.
Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 29, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]

With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know
that
the router (MLS-RP) has an access list? In other words, how does the
switch
know that it should use a destination flow mask, a destination-source
flow
mask, or a full-flow mask? The access list, afterall, is on the router,
not
the switch, according to descriptions of MLS.

The switch definitely knows, because you see different output with the
show
mls command, but how does it know? Does the router pass it to the
switch in
MLSP messages, or is there something more obvious that I'm missing.

With some access lists, an enable packet would never come back from the
router. Is that what triggers the switch to use the more advanced flow
masks? This would imply that the switch is always looking at upper
layers
and knows that Telnet between 2 hosts results in an enable packet but
FTP
(or whatever) does not. That seems like a lot of burden to put on a
switch.

I checked Clark and Hamilton Cisco LAN Switching, and the Ethernet LAN
switching papers at CertificationZone, but am still left wondering

Thanks for your help.

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66471t=66464


RE: MLS and access lists [7:66464]

2003-03-29 Thread Kennedy Clark
Hi Priscilla,

Your suspicion is 100% correct: the flow mask is signaled from the router
(RP) to the switch (SE) via the MLSP protocol.

Take care,
Kennedy  

Priscilla Oppenheimer wrote:
 
 With Multilayer Switching (MLS), how does the MLS Switch
 (MLS-SE) know that the router (MLS-RP) has an access list? In
 other words, how does the switch know that it should use a
 destination flow mask, a destination-source flow mask, or a
 full-flow mask? The access list, after all, is on the router,
 not the switch, according to descriptions of MLS.
 
 The switch definitely knows, because you see different output
 with the show mls command, but how does it know? Does the
 router pass it to the switch in MLSP messages, or is there
 something more obvious that I'm missing.
 
 With some access lists, an enable packet would never come back
 from the router. Is that what triggers the switch to use the
 more advanced flow masks? This would imply that the switch is
 always looking at upper layers and knows that Telnet between 2
 hosts results in an enable packet but FTP (or whatever) does
 not. That seems like a lot of burden to put on a switch.
 
 I checked Clark and Hamilton Cisco LAN Switching, and the
 Ethernet LAN switching papers at CertificationZone, but am
 still left wondering
 
 Thanks for your help.
 
 Priscilla
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66469t=66464


RE: MAC Access Lists - Canonical or NonCanonical [7:64754]

2003-03-10 Thread Troy Leliard
I guess this would depend on the media / interface that you are applying the
ACL to?  EG for TR, you would use non-canonical, and if applying the address
to ethernet interface canonical.

Presumably, inbound packets from TR pass through any inbound ACLs, then
get converted to canonical and passed out the ethernet interface (or DLSW etc.?).

[EMAIL PROTECTED] wrote:
 
 Today I read two opposite posts about the MAC address format on
 MAC
 access-list.
 
 The article on 'http://www.netmasterclass.net/site/lib.php'
 (article
 Filtering DLSW) says that one should use non canonical format.
 
 The link
 'http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dtb.htm#1017750'
 says the opposite, one should use canonical (Ethernet) format.
 
 Any Thoughts?
 
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64885t=64754
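The canonical/non-canonical distinction Troy ties to the interface media, as an added example that is not code from the thread: the two forms differ by reversing the bit order within each byte, so the same conversion goes both ways, and the position of the group (multicast) bit moves with it. The `acl_form` helper and its media names are my own convenience, not an IOS command.

```python
"""Canonical vs non-canonical MAC addresses for MAC access lists.

Added example, not code from the thread. Ethernet writes a MAC in canonical
(LSB-first) form, Token Ring in non-canonical (MSB-first) form; the two
differ by reversing the bit order of each byte. Which form an ACL entry
needs follows from the interface the list is applied to.
"""
import re


def bit_reverse_byte(b: int) -> int:
    """Reverse the eight bits of one byte, e.g. 0x0c (00001100) -> 0x30 (00110000)."""
    return int(f"{b:08b}"[::-1], 2)


def _parse_mac(mac: str) -> bytes:
    digits = re.sub(r"[.:\-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def _dotted(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def flip_bit_order(mac: str) -> str:
    """Convert canonical to non-canonical form or back (the mapping is its own inverse).

    Accepts 'hhhh.hhhh.hhhh', 'hh:hh:hh:hh:hh:hh' or 'hh-hh-hh-hh-hh-hh'.
    """
    return _dotted(bytes(bit_reverse_byte(b) for b in _parse_mac(mac)))


def acl_form(mac_canonical: str, media: str) -> str:
    """Form to write in a MAC ACL on the given media, starting from the canonical address.

    'media' is a hypothetical label ('ethernet' or 'token-ring'), not an IOS keyword.
    """
    media = media.lower().replace("_", "-")
    if media == "ethernet":
        return _dotted(_parse_mac(mac_canonical))
    if media == "token-ring":
        return flip_bit_order(mac_canonical)
    raise ValueError(f"unknown media type: {media!r}")


def is_group_address(mac: str, noncanonical: bool = False) -> bool:
    """True for multicast/broadcast MACs.

    The I/G bit is bit 0 of the first byte in canonical form and bit 7 of the
    first byte once the bits are reversed into non-canonical form.
    """
    first = _parse_mac(mac)[0]
    return bool(first & (0x80 if noncanonical else 0x01))


if __name__ == "__main__":
    print(flip_bit_order("0000.0c12.3456"))   # constructed sample address
```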


MAC Access Lists - Canonical or NonCanonical [7:64754]

2003-03-07 Thread [EMAIL PROTECTED]
Today I read two opposite posts about the MAC address format on MAC
access-list.

The article on 'http://www.netmasterclass.net/site/lib.php' (article
Filtering DLSW) says that one should use non canonical format.

The link
'http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ibm_r/brprt1/br1dtb.htm#1017750'

  says the opposite,  one should use canonical (Ethernet) format.

Any Thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64754t=64754
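The disagreement between the two documents above is about bit order within each byte, not byte order. What follows is an added example (not from the thread, netmasterclass or Cisco) that converts between the two notations and shows why the same filter entered in the wrong notation describes a different station; the sample addresses are constructed, and `address_for_media` encodes Troy's reasoning (canonical on Ethernet, non-canonical on Token Ring) as an assumption rather than a settled answer.

```python
"""Canonical vs. non-canonical MAC address notation (added example)."""
import re

# Constructed sample pair: 0000.0c12.3456 (canonical) <-> 0000.3048.2c6a
# (non-canonical). The bytes are the same; only the bits inside each byte
# are written in the opposite order.


def _reverse_byte(b: int) -> int:
    """Reverse the eight bits of one byte: 0x0c = 0000 1100 -> 0011 0000 = 0x30."""
    return int(f"{b:08b}"[::-1], 2)


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (hhhh.hhhh.hhhh), colon- or hyphen-separated input."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def to_cisco(mac: bytes) -> str:
    """Render six bytes in Cisco dotted notation."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def swap_bit_order(mac: str) -> str:
    """Canonical -> non-canonical or back. The conversion is its own inverse,
    because only the bit order inside each byte differs."""
    return to_cisco(bytes(_reverse_byte(b) for b in parse_mac(mac)))


def group_bit_set(mac: str, notation: str) -> bool:
    """The I/G (group) bit is the first bit transmitted. In canonical notation
    that is the least significant bit of byte 0; in non-canonical notation it is
    the most significant bit. Reading a filter in the wrong notation therefore
    changes whether it names a multicast group or a single station."""
    first = parse_mac(mac)[0]
    if notation == "canonical":
        return bool(first & 0x01)
    if notation == "non-canonical":
        return bool(first & 0x80)
    raise ValueError(f"unknown notation: {notation!r}")


def address_for_media(canonical_mac: str, media: str) -> str:
    """Form to enter for the medium the ACL is applied to (assumption, following
    Troy's reply): Ethernet takes canonical order, Token Ring non-canonical."""
    if media == "ethernet":
        return to_cisco(parse_mac(canonical_mac))
    if media == "token-ring":
        return swap_bit_order(canonical_mac)
    raise ValueError(f"unknown media: {media!r}")


if __name__ == "__main__":
    print(swap_bit_order("0000.0c12.3456"))                       # 0000.3048.2c6a
    print(address_for_media("01:00:5e:00:00:01", "token-ring"))   # 8000.7a00.0080
```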


access-lists [7:63520]

2003-02-21 Thread Jason Steig
Hello all. I'm stumped on an access-list that I need to create. What I did
was I set up two routers using RIP and put loopbacks on one of them and
advertised them in RIP. I then attempted to build an access-list allowing
just these networks to pass into the other router. The router with the
loopbacks is A, the destination is B. So I know this will be a standard
access list (direction in) on router B's interface to router A.

The requirements are:

allow any packet originating from 192.17.77.0 /24
allow any packet originating from 192.17.73.0 /24
allow any packet originating from 192.81.77.0 /24
allow any packet originating from 192.81.73.0 /24
allow any packet originating from 176.17.77.0 /24
allow any packet originating from 176.17.73.0 /24
allow any packet originating from 176.81.77.0 /24
allow any packet originating from 176.81.73.0 /24

Here's what I think I can do:

with the 182 address I can do
permit ip 192.17.73.0 0.64.4.0

because the 64 will increase the second octet to 81, then the 4 in the third
bit will increase the network to 77. Is this how I would implement this
filtering policy in just two statements? The same way with the 176 networks?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63520t=63520
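An added example, not part of Jason's post, that checks what `192.17.73.0 0.64.4.0` actually matches against the eight required networks, and what changes when the last octet of the wildcard is freed. The list number 10 and the standard-ACL rendering are assumptions.

```python
"""What a Cisco wildcard-mask entry really matches (added example)."""
import ipaddress
from itertools import product
from typing import Dict, Iterator, List

# The eight /24s the post wants to permit (taken from the post).
REQUIRED = [
    "192.17.77.0/24", "192.17.73.0/24", "192.81.77.0/24", "192.81.73.0/24",
    "176.17.77.0/24", "176.17.73.0/24", "176.81.77.0/24", "176.81.73.0/24",
]


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(entry_addr: str, wildcard: str, packet_src: str) -> bool:
    """Cisco semantics: a wildcard bit of 1 is 'don't care', a wildcard bit of 0
    means the packet bit must equal the entry bit."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_src) ^ ip_int(entry_addr)) & care == 0


def matched_addresses(entry_addr: str, wildcard: str) -> Iterator[ipaddress.IPv4Address]:
    """Enumerate every address the entry matches by trying all combinations of
    the 'don't care' bits (guarded so a broad wildcard cannot blow up)."""
    wc = ip_int(wildcard)
    free = [1 << i for i in range(32) if wc & (1 << i)]
    if len(free) > 16:
        raise ValueError("wildcard frees more than 16 bits; refusing to enumerate")
    fixed = ip_int(entry_addr) & ~wc & 0xFFFFFFFF
    for combo in product((0, 1), repeat=len(free)):
        value = fixed
        for bit, on in zip(free, combo):
            if on:
                value |= bit
        yield ipaddress.IPv4Address(value)


def coverage(entry_addr: str, wildcard: str, required: List[str]) -> Dict[str, list]:
    """Classify each required network as fully covered, partially covered (only
    some of its hosts match) or untouched, and list any matches outside them."""
    nets = [ipaddress.IPv4Network(c) for c in required]
    hits = {str(n): 0 for n in nets}
    outside = []
    for addr in matched_addresses(entry_addr, wildcard):
        for net in nets:
            if addr in net:
                hits[str(net)] += 1
                break
        else:
            outside.append(str(addr))
    full = sorted(c for c, h in hits.items() if h == ipaddress.IPv4Network(c).num_addresses)
    partial = sorted(c for c, h in hits.items() if 0 < h < ipaddress.IPv4Network(c).num_addresses)
    return {"full": full, "partial": partial, "outside": outside}


def standard_acl(number: int, entries: List[tuple]) -> List[str]:
    """Render standard-ACL lines; the list number is an assumption."""
    if not 1 <= number <= 99:
        raise ValueError("standard IP access lists are numbered 1-99")
    return [f"access-list {number} permit {addr} {wc}" for addr, wc in entries]


if __name__ == "__main__":
    # The mask in the post keeps the last octet fixed at 0: only the .0 address
    # of each of the four 192.x networks matches, so real hosts would be denied.
    print(coverage("192.17.73.0", "0.64.4.0", REQUIRED))
    # Freeing the last octet (0.64.4.255) covers the four /24s exactly, nothing more.
    print(coverage("192.17.73.0", "0.64.4.255", REQUIRED))
    for line in standard_acl(10, [("192.17.73.0", "0.64.4.255"),
                                  ("176.17.73.0", "0.64.4.255")]):
        print(line)
```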


RE: applying PIX access-lists [7:61033]

2003-01-17 Thread Ozan Akdemir
You can use PDM (the web-based GUI of the Cisco PIX). It looks like the Checkpoint GUI.
You can insert lines between other statements, change NAT definitions,
monitor system resources etc. It is very useful.

Ozan Akdemir


-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 14, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61267t=61033



applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
I am new to PIX and have a simple question. What methods do you (PIX Admins)
use to change and apply access-lists? Unlike IOS access-lists, it seems you
can remove statements from the middle of the list. When you do this, does the
change occur immediately or do you have to reapply the access-group? Do you
need to do clear xlate after changing access-lists?

How about the following scenario:

I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add  access-list from-internet permit ip any host 10.10.10.2
before access-list from-internet permit ip any host 10.10.10.4.

What is the best way to do this?
I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands.
Is this the standard way of making changes or do you more experienced admins
have a better way? I'm migrating from a Checkpoint environment so this
wasn't an issue when administering them.

How about this for a good question: Why aren't the access-lists on the
PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61033t=61033



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Waters, Kristina
Sam,

I used to copy my list out to Notepad and add the new line. Do a 'no
access-list from-internet', then cut and paste the new one back in. Keep in
mind this will briefly leave you with no access list on that interface. Then
re-enter the 'access-group from-internet in interface outside' command, as
it will remove it when you do the no access-list command.

You can also use subnet masks if you have a group of IPs, for example
adding 10.10.10.0/29 would grant access to hosts 10.10.10.1 - 7.

Someone here also posted a good link to some new features that are available
in 6.2 that might be useful:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml


Kris.
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 14, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61037t=61033



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
Why don't you try removing the line you want it to be below (as well as the
deny ip any any at the end), then put in the new line, the next line(s) and
the deny line?

i.e.
no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any

access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling but it gets you there ;)  Is there any reason other
than numerical order that the 10.10.10.2 line needs to be above the
10.10.10.2 line since they're all permits anyway?

Also, for my own interest, is the deny ip any any required?  I was of the
impression that everything was closed until you opened it, which means there
should already be an implicit deny ip any any.. ?

Em




-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61060t=61033



Re: applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
The deny statement is there implicitly, but if you put it in as well, when you
do a show access-list command you will see the statistics of how many times
it was hit.

As far as your suggestion goes, it may not work as well if you have over 100
access-lists and you need to put one in, let's say, the 8th spot.

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61062t=61033



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
Nope, wouldn't work well in that situation, but if you're only talking a few
entries then it's not a problem.

Also, in that sort of situation, if you wanted to put a deny before a permit
(where order really does matter other than aesthetically), you remove the
line permitting the traffic, add the deny, then put in the permit again and
you're back to where you were.  The most you'd have to re-add after that
would be a deny ip any any :)



-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: applying PIX access-lists [7:61033]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61070t=61033



Re: applying PIX access-lists [7:61033]

2003-01-14 Thread [EMAIL PROTECTED]
Sam,
you can do it 2 ways, i.e. CLI based and GUI based (PDM).
If you are using PDM, you just insert/add the rule.

CLI based:
1.   access-list from-internet2 permit ip any host 10.10.10.1
     access-list from-internet2 permit ip any host 10.10.10.2
     access-list from-internet2 permit ip any host 10.10.10.4
     access-list from-internet2 permit ip any host 10.10.10.5
     access-list from-internet2 deny ip any any

2.   no access-group from-internet in interface outside
     access-group from-internet2 in interface outside

3.   clear xlate

Hope this can help you.

regards,
Sugianto Sho




   

From: Sam Sneed
Sent: 01/14/2003 11:58 PM
To: nobody@groupstudy.com
Subject: applying PIX access-lists [7:61033]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61071t=61033
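An added example, not from the thread, that models the two command sequences proposed in it (Emilia's remove-and-re-add shuffle and Sugianto's second list plus access-group swap) against first-match evaluation with the implicit deny, and verifies both end in the same ordered list. The list names, hosts and `interface outside` are the thread's own values; the source addresses in the checks are constructed.

```python
"""Editing an ordered PIX access-list in place, with a check of the result
(added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-list entry, limited to the 'ip any/host' forms used in the thread."""
    action: str   # "permit" or "deny"
    src: str      # "any" or an IPv4 address
    dst: str      # "any" or an IPv4 address

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)

    def cli(self, name: str) -> str:
        s = "any" if self.src == "any" else f"host {self.src}"
        d = "any" if self.dst == "any" else f"host {self.dst}"
        return f"access-list {name} {self.action} ip {s} {d}"


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


def shuffle_insert(name: str, acl: List[Ace], index: int, new: Ace) -> Tuple[List[str], List[Ace]]:
    """Emilia's method: 'no' every entry from the insertion point down, then
    re-add them with the new one in front. While the tail is removed only the
    entries above it and the implicit deny apply, so nothing extra is let in,
    but the command count grows with the length of the tail (Sam's objection)."""
    if not 0 <= index <= len(acl):
        raise IndexError(f"index {index} outside 0..{len(acl)}")
    tail = acl[index:]
    result = acl[:index] + [new] + tail
    cmds = [f"no {ace.cli(name)}" for ace in tail]
    cmds += [ace.cli(name) for ace in result[index:]]
    return cmds, result


def swap_insert(name: str, new_name: str, acl: List[Ace], index: int, new: Ace,
                interface: str = "outside") -> Tuple[List[str], List[Ace]]:
    """Sugianto's method: build the complete list under a second name, then move
    the access-group to it; the old list keeps filtering until the swap."""
    result = acl[:index] + [new] + acl[index:]
    cmds = [ace.cli(new_name) for ace in result]
    cmds += [
        f"no access-group {name} in interface {interface}",
        f"access-group {new_name} in interface {interface}",
        "clear xlate",
    ]
    return cmds, result


# Constructed from the thread's example: three permitted hosts and an explicit
# final deny (kept so 'show access-list' shows its hit count).
ORIGINAL = [
    Ace("permit", "any", "10.10.10.1"),
    Ace("permit", "any", "10.10.10.4"),
    Ace("permit", "any", "10.10.10.5"),
    Ace("deny", "any", "any"),
]
NEW = Ace("permit", "any", "10.10.10.2")


if __name__ == "__main__":
    for cmd in shuffle_insert("from-internet", ORIGINAL, 1, NEW)[0]:
        print(cmd)
    print()
    for cmd in swap_insert("from-internet", "from-internet2", ORIGINAL, 1, NEW)[0]:
        print(cmd)
```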



Re: access lists + static routing [7:58543]

2002-12-04 Thread Charlie
n_guide_chapter09186a00800d9816.html

This would be helpful. I found it by searching the key words configuring
access lists.


Geert Loonbeek  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hello
 I'm looking for a good and free of charge study guide on access lists/
 static routing.  I'd like to take the 640-607 cisco CCNA exam.

 Is there anybody who has some info on these topics.

 Thanks

 Geert




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58549t=58543



Re: Re: access lists + static routing [7:58543]

2002-12-04 Thread B.J. Wilson
Guys, a reminder: you cannot begin a post to the mail list with a URL.
Type a line of text first, then paste the URL.  The filters are designed to
look for a URL at the top of the post, to filter out spam.

BJ


---Original Message---
From: Charlie 
Sent: 12/04/02 10:24 AM
To: [EMAIL PROTECTED]
Subject: Re: access lists + static routing [7:58543]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58550t=58543



Re: Re: access lists + static routing [7:58543]

2002-12-04 Thread Charlie
Thanks,

I understand now! Here it is:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d9816.html


B.J. Wilson wrote in message news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58553t=58543



Re: Clearing access lists counters [7:57241]

2002-11-12 Thread John Tafasi
I tried this also and it did not work. Here is what I did:


R5-2503#clear ip access-list count

R5-2503#show access-lists abc
Extended IP access list abc
Dynamic test permit ip any any
  permit ip host 10.10.110.16 any (38 matches) (time left 134)
permit tcp any host 10.10.110.3 eq telnet
R5-2503#

Tim Metz  wrote in message
news:200211120457.EAA20795;groupstudy.com...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57325t=57241



Re: Clearing access lists counters [7:57241]

2002-11-12 Thread Maximus
Worked for me on 12.2(12a):

clear ip access-list counters

- Original Message -
From: John Tafasi 
To: 
Sent: Tuesday, November 12, 2002 5:22 PM
Subject: Re: Clearing access lists counters [7:57241]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57334t=57241



Clearing access lists counters [7:57241]

2002-11-11 Thread John Tafasi
Can someone tell me how to clear access-list counters? I tried to use the
command clear access-list counters but it did not work. Please see the
output of the show command below.

R5-2503#show access-lis abc
Extended IP access list abc
Dynamic test permit ip any any
  permit ip any any (158 matches)
permit tcp any host 10.10.110.3 eq telnet
R5-2503#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57241t=57241



Re: Clearing access lists counters [7:57241]

2002-11-11 Thread Curious
restart the router.


--
Curious

MCSE, CCNP
John Tafasi  wrote in message
news:20022125.VAA01591;groupstudy.com...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57247t=57241



Re: Clearing access lists counters [7:57241]

2002-11-11 Thread Tim Metz
Although that should have worked, try clear ip access-list counter as
well. I just tested this on a 3662 and both commands worked (IOS 12.1).

Tim

John Tafasi  wrote in message
news:20022125.VAA01591;groupstudy.com...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57271t=57241



Re: Messing up Access Lists [7:54268]

2002-09-27 Thread CTM CTM

I have 5 subnets:
172.29.10.x/24 in the U.S.
192.168.100.x/24 in the U.S.

I would like to eliminate the 192.x.x.x subnet as it is mostly redundant,
machines multihomed.

172.29.20.x/24 in Mexico
172.29.30.x/24 in Europe
172.29.40.x/24 in Mexico

Europe office has a 1720 router and E1 connection.
U.S. has 2621 and a T1 connection

Europe needs to pull email and files from servers in U.S., but connection is
terribly, terribly slow. At present I have them VPN out to the internet and
into our VPN that way. Would like them to VPN or direct connect directly
through internal subnets. Once that is fixed the learning experience should
allow me to tweak the Mexico routes.

The Europe sh int is as follows:

sh int
Ethernet0 is up, line protocol is up 
  Hardware is PQUICC Ethernet, address is 0004.dd0b.dcbf (bia 0004.dd0b.dcbf)
  Description: connected to Internet
  Internet address is 217.117.229.138/29
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
 778610 packets input, 355003767 bytes, 0 no buffer
 Received 2967 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 676292 packets output, 134749411 bytes, 0 underruns(0/0/0)
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0002.1761.7d8a (bia 0002.1761.7d8a)
  Description: connected to EthernetLAN_1
  Internet address is 172.29.30.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of show interface counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 683511 packets input, 104715200 bytes
 Received 10511 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog
 0 input packets with dribble condition detected
 800932 packets output, 317811070 bytes, 0 underruns(63/415/0)
 165 output errors, 478 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
sc-ams-rtr-01>enable
Password: 
sc-ams-rtr-01#sh config
Using 2357 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log datetime localtime
no service password-encryption
!
hostname sc-ams-rtr-01
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password 
!
memory-size iomem 25
clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip name-server 217.117.224.93
ip name-server 217.117.224.94
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key  address x.171.120.11
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac 
no crypto engine accelerator
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp   
 set peer x.171.120.11
 set transform-set cm-transformset-1 
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address  255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 172.29.30.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 172.29.0.0
 no auto-summary
!
ip nat inside source list 101 interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 217.117.229.137
ip route 172.29.10.0 255.255.255.0 

Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

I've been trying to optimize communications between two distant routers. So
far I've managed to lock myself out of the far router three times, folks
over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter
is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am slowly making progress.

Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54268t=54268



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Nathan Nakao

CTM,

  First of all, in my experience, writing down exactly what you want to
do really helps.  It gives you a visual map of what you want to go
through and what you don't.  Second of all (now correct me if I'm wrong)
you want all deny statements at the end.  That's how I've done it
anyways.  After you've figured out all of that, it's just a simple
rewording of the access list.  You may also want to keep in mind that
where you place the access list matters (ie if it's an in or out
access group).

-Nate

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]


I've been trying to optimize communications between two distant routers.
So
far I've managed to lock myself out of the far router three times, folks
over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the
latter
is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the
literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am slowly making progress.

Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54273t=54268



Re: Messing up Access Lists [7:54268]

2002-09-26 Thread Robert Edmonds

You don't always want to put the deny at the end.  For example, if you want
to deny just one subnet, but permit everything else, putting the permit any
statement at the beginning would allow the subnet you intended to deny.  I
know, a lot of permitting and denying going on in that sentence.  :)-
Nathan Nakao  wrote in message
news:[EMAIL PROTECTED]...
 CTM,

   First of all, in my experience, writing down exactly what you want to
 do really helps.  It gives you a visual map of what you want to go
 through and what you don't.  Second of all (now correct me if I'm wrong)
 you want all deny statements at the end.  That's how I've done it
 anyways.  After you've figured out all of that, it's just a simple
 rewording of the access list.  You may also want to keep in mind that
 where you place the access list matters (ie if it's an in or out
 access group).

 -Nate

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 26, 2002 12:54 PM
 To: [EMAIL PROTECTED]
 Subject: Messing up Access Lists [7:54268]


 I've been trying to optimize communications between two distant routers.
 So
 far I've managed to lock myself out of the far router three times, folks
 over there are getting weary of my mistakes ;-)

 I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the
 latter
 is physically the same devices multihomed as 192.168.100.0/24.

 I realize my NAT is messed up and I'm wrapping my head around the
 literature
 pulled from Cisco (led to by links provided by you generous folks).
 Looks like I also need to look in depth at access lists. I'm taking baby
 steps but am slowly making progress.

 Would love to solicit comments/advice on the following:

 ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
 255.255.255.224
 ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
 ip nat inside source static 172.29.10.20 64.172.228.154
 ip nat inside source static 192.168.100.20 64.172.228.132
 ip nat inside source static 192.168.100.135 64.172.228.135
 ip nat inside source static 172.29.20.20 64.172.228.133
 ip classless
 ip route 0.0.0.0 0.0.0.0 Serial0/0.1
 ip route 172.29.20.0 255.255.255.0 Serial0/1.474
 ip route 172.29.40.0 255.255.255.0 Serial0/1.474
 !
 logging history size 250
 logging history errors
 logging facility syslog
 access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
 access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
 access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
 access-list 101 permit ip 192.168.100.0 0.0.0.255 any
 access-list 101 permit ip 172.29.10.0 0.0.0.255 any
 route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54274t=54268
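An added example, not code from this thread: a small first-match simulator for numbered extended IP ACLs, run over the list 101 lines CTM posted and over a constructed variant with the deny moved last, to show Robert's point that a deny placed after a matching permit never fires. The parser, the DENY_LAST variant, the test flows (198.51.100.9 is a constructed Internet address) and the helper names are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the thread's own code: a first-match simulator for
# numbered extended IP ACLs, restricted to the 'ip' entries with any /
# host / address+wildcard forms that CTM's list 101 actually uses.


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src: tuple         # (address as int, wildcard as int)
    dst: tuple
    matches: int = 0   # the "(N matches)" counter shown by show access-list


def _addr_spec(tokens):
    """Consume one address spec from tokens; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wildcard), tokens[2:]


def parse_acl(config_text, number):
    """Collect the entries of access-list <number>, in configuration order."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != str(number):
            continue
        if t[3] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line}")
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        entries.append(Entry(t[2], src, dst))
    return entries


def wildcard_match(ip, spec):
    """A 1 bit in the wildcard means 'don't care'; 0 bits must match exactly."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wildcard) == (base & ~wildcard)


def evaluate(entries, src_ip, dst_ip):
    """The first matching entry decides; IOS ends every ACL with an implicit deny."""
    for e in entries:
        if wildcard_match(src_ip, e.src) and wildcard_match(dst_ip, e.dst):
            e.matches += 1
            return e.action
    return "deny"


def clear_counters(entries):
    """What 'clear access-list counters' does to the per-entry match counts."""
    for e in entries:
        e.matches = 0


# The three list 101 lines exactly as CTM posted them. In that config list 101
# is the NAT inside source list, so "deny" there means "leave untranslated"
# rather than "drop"; the first-match rule is the same either way.
POSTED = """\
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""

# Constructed variant: the same entries with the deny moved to the end.
DENY_LAST = """\
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
"""

# Constructed (source, destination) flows a practitioner would probe.
FLOWS = [
    ("192.168.100.20", "172.29.30.5"),   # U.S. host -> Europe LAN (VPN traffic)
    ("192.168.100.20", "198.51.100.9"),  # U.S. host -> Internet
    ("172.29.10.20", "172.29.30.5"),     # other U.S. subnet -> Europe LAN
    ("172.29.30.5", "198.51.100.9"),     # matches nothing: implicit deny
]


def decisions(config_text):
    """Map each test flow to the action list 101 takes, in configuration order."""
    entries = parse_acl(config_text, 101)
    return {flow: evaluate(entries, *flow) for flow in FLOWS}


if __name__ == "__main__":
    for name, cfg in (("posted order", POSTED), ("deny moved last", DENY_LAST)):
        print(name)
        for flow, action in decisions(cfg).items():
            print(f"  {flow[0]:>16} -> {flow[1]:<14} {action}")
```

In the posted order the 192.168.100.0/24 to 172.29.30.0/24 flow hits the deny; with the deny moved last the preceding permit any already matched it, so the deny is dead configuration.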



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Daniel Cotts

I sent you some comments on this last Fri.
First look up the reload in xx min command. There is a way to have the
router reboot in a given time interval unless you rescind the command. So if
you lock yourself out of the router it reboots and restores the startup
config which allows you back in. If your changes are not fatal then cancel
the reload command. Then do a copy run start.
My guess is that you are killing your VPN by removing the access list at the
far end. You are most likely telnetting to that router from your local PC.
Its traffic traverses the VPN. Instead bring up a console connection on your
local router and telnet to the remote router. That won't use the VPN. I
don't see an access list that would block that connection.
There is an issue if you have statically NATed addresses. People out on the
Internet can reach your local servers but folks on the far end of the VPN
cannot. There is a solution on CCO. Last time I looked you had to start on
the Documentation page and work towards it. The solution is not on the 707?
page. I don't have time to look it up. Sort of goes like: 
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
interface FastEthernet0
(This is the interface where your servers are located.)
 ip route-cache policy
 ip policy route-map StaticNAT

ip access-list extended StaticNAT
 remark Allows statically mapped NAT addresses through IPSec tunnel
 permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
(USE YOUR OWN IP ADDRESSES)

route-map StaticNAT permit 10
 match ip address StaticNAT
 set ip next-hop 2.2.2.2
(Note the address is not the address of the loopback.)

To use a basketball analogy - a direct pass won't work because a blocker is
in the way. Instead use a bounce pass.

 -Original Message-
 From: CTM CTM [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 26, 2002 2:54 PM
 To: [EMAIL PROTECTED]
 Subject: Messing up Access Lists [7:54268]
 
 
 I've been trying to optimize communications between two 
 distant routers. So
 far I've managed to lock myself out of the far router three 
 times, folks
 over there are getting weary of my mistakes ;-)
 
 I have a subnet of 172.29.30.0/24 and a subnet of 
 172.29.10.0/24, the latter
 is physically the same devices multihomed as 192.168.100.0/24.
 
 I realize my NAT is messed up and I'm wrapping my head around 
 the literature
 pulled from Cisco (led to by links provided by you generous folks).
 Looks like I also need to look in depth at access lists. I'm 
 taking baby
 steps but am slowly making progress.
 
 Would love to solicit comments/advice on the following:
 
 ip nat pool SCISANRTR001-natpool-1 64.172.228.155 
 64.172.228.158 netmask
 255.255.255.224
 ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
 ip nat inside source static 172.29.10.20 64.172.228.154
 ip nat inside source static 192.168.100.20 64.172.228.132
 ip nat inside source static 192.168.100.135 64.172.228.135
 ip nat inside source static 172.29.20.20 64.172.228.133
 ip classless
 ip route 0.0.0.0 0.0.0.0 Serial0/0.1
 ip route 172.29.20.0 255.255.255.0 Serial0/1.474
 ip route 172.29.40.0 255.255.255.0 Serial0/1.474
 !
 logging history size 250
 logging history errors
 logging facility syslog
 access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 
 0.0.0.255
 access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 
 0.0.0.255
 access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 
 0.0.0.255
 access-list 101 permit ip 192.168.100.0 0.0.0.255 any
 access-list 101 permit ip 172.29.10.0 0.0.0.255 any
 route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54275t=54268



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

Hi,

You did indeed send me comments, and most appreciated. You even bailed me
out when I misapplied the advice, and again much appreciated.
I'm taking baby steps with the wisdom offered, and seem to get deeper than
intended, ultimately confused, then reach out for a breather.

Thanks, as always, for your generous help, I will digest the latest.

Daniel Cotts wrote:
 
 I sent you some comments on this last Fri.
 First look up the reload in xx min command. There is a way to
 have the
 router reboot in a given time interval unless you rescind the
 command. So if
 you lock yourself out of the router it reboots and restores the
 startup
 config which allows you back in. If your changes are not fatal
 then cancel
 the reload command. Then do a copy run start.
 My guess is that you are killing your VPN by removing the
 access list at the
 far end. You are most likely telnetting to that router from
 your local PC.
 Its traffic traverses the VPN. Instead bring up a console
 connection on your
 local router and telnet to the remote router. That won't use
 the VPN. I
 don't see an access list that would block that connection.
 There is an issue if you have statically NATed addresses.
 People out on the
 Internet can reach your local servers but folks on the far end
 of the VPN
 cannot. There is a solution on CCO. Last time I looked you had
 to start on
 the Documentation page and work towards it. The solution is not
 on the 707?
 page. I don't have time to look it up. Sort of goes like: 
 interface Loopback0
  ip address 2.2.2.1 255.255.255.0
 interface FastEthernet0
 (This is the interface where your servers are located.)
  ip route-cache policy
  ip policy route-map StaticNAT
 
 ip access-list extended StaticNAT
  remark Allows statically mapped NAT addresses through IPSec
 tunnel
  permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
 (USE YOUR OWN IP ADDRESSES)
 
 route-map StaticNAT permit 10
  match ip address StaticNAT
  set ip next-hop 2.2.2.2
 (Note the address is not the address of the loopback.)
 
 To use a basketball analogy - a direct pass won't work because
 a blocker is
 in the way. Instead use a bounce pass.
 
  -Original Message-
  From: CTM CTM [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, September 26, 2002 2:54 PM
  To: [EMAIL PROTECTED]
  Subject: Messing up Access Lists [7:54268]
  
  
  I've been trying to optimize communications between two 
  distant routers. So
  far I've managed to lock myself out of the far router three 
  times, folks
  over there are getting weary of my mistakes ;-)
  
  I have a subnet of 172.29.30.0/24 and a subnet of 
  172.29.10.0/24, the latter
  is physically the same devices multihomed as 192.168.100.0/24.
  
  I realize my NAT is messed up and I'm wrapping my head around 
  the literature
  pulled from Cisco (led to by links provided by you generous
 folks).
  Looks like I also need to look in depth at access lists. I'm 
  taking baby
  steps but am slowly making progress.
  
  Would love to solicit comments/advice on the following:
  
  ip nat pool SCISANRTR001-natpool-1 64.172.228.155 
  64.172.228.158 netmask
  255.255.255.224
  ip nat inside source list 101 pool SCISANRTR001-natpool-1
 overload
  ip nat inside source static 172.29.10.20 64.172.228.154
  ip nat inside source static 192.168.100.20 64.172.228.132
  ip nat inside source static 192.168.100.135 64.172.228.135
  ip nat inside source static 172.29.20.20 64.172.228.133
  ip classless
  ip route 0.0.0.0 0.0.0.0 Serial0/0.1
  ip route 172.29.20.0 255.255.255.0 Serial0/1.474
  ip route 172.29.40.0 255.255.255.0 Serial0/1.474
  !
  logging history size 250
  logging history errors
  logging facility syslog
  access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 
  0.0.0.255
  access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 
  0.0.0.255
  access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 
  0.0.0.255
  access-list 101 permit ip 192.168.100.0 0.0.0.255 any
  access-list 101 permit ip 172.29.10.0 0.0.0.255 any
  route-map nonat permit 10
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54277t=54268



Re: Messing up Access Lists [7:54268]

2002-09-26 Thread John Huston

How about posting the complete config with a brief explanation? We don't
need the passwords or the actual IP addresses.




CTM CTM  wrote in message
news:[EMAIL PROTECTED]...
 Hi,

 You did indeed send me comments, and most appreciated. You even bailed me
 out when I misapplied the advice, and again much appreciated.
 I'm taking baby steps with the wisdom offered, and seem to get deeper than
 intended, ultimately confused, then reach out for a breather.

 Thanks, as always, for your generous help, I will digest the latest.

 Daniel Cotts wrote:
 
  I sent you some comments on this last Fri.
  First look up the reload in xx min command. There is a way to
  have the
  router reboot in a given time interval unless you rescind the
  command. So if
  you lock yourself out of the router it reboots and restores the
  startup
  config which allows you back in. If your changes are not fatal
  then cancel
  the reload command. Then do a copy run start.
  My guess is that you are killing your VPN by removing the
  access list at the
  far end. You are most likely telnetting to that router from
  your local PC.
  Its traffic traverses the VPN. Instead bring up a console
  connection on your
  local router and telnet to the remote router. That won't use
  the VPN. I
  don't see an access list that would block that connection.
  There is an issue if you have statically NATed addresses.
  People out on the
  Internet can reach your local servers but folks on the far end
  of the VPN
  cannot. There is a solution on CCO. Last time I looked you had
  to start on
  the Documentation page and work towards it. The solution is not
  on the 707?
  page. I don't have time to look it up. Sort of goes like:
  interface Loopback0
   ip address 2.2.2.1 255.255.255.0
  interface FastEthernet0
  (This is the interface where your servers are located.)
   ip route-cache policy
   ip policy route-map StaticNAT
 
  ip access-list extended StaticNAT
   remark Allows statically mapped NAT addresses through IPSec
  tunnel
   permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
  (USE YOUR OWN IP ADDRESSES)
 
  route-map StaticNAT permit 10
   match ip address StaticNAT
   set ip next-hop 2.2.2.2
  (Note the address is not the address of the loopback.)
 
  To use a basketball analogy - a direct pass won't work because
  a blocker is
  in the way. Instead use a bounce pass.
 
   -Original Message-
   From: CTM CTM [mailto:[EMAIL PROTECTED]]
   Sent: Thursday, September 26, 2002 2:54 PM
   To: [EMAIL PROTECTED]
   Subject: Messing up Access Lists [7:54268]
  
  
   I've been trying to optimize communications between two
   distant routers. So
   far I've managed to lock myself out of the far router three
   times, folks
   over there are getting weary of my mistakes ;-)
  
   I have a subnet of 172.29.30.0/24 and a subnet of
   172.29.10.0/24, the latter
   is physically the same devices multihomed as 192.168.100.0/24.
  
   I realize my NAT is messed up and I'm wrapping my head around
   the literature
   pulled from Cisco (led to by links provided by you generous
  folks).
   Looks like I also need to look in depth at access lists. I'm
   taking baby
   steps but am slowly making progress.
  
   Would love to solicit comments/advice on the following:
  
   ip nat pool SCISANRTR001-natpool-1 64.172.228.155
   64.172.228.158 netmask
   255.255.255.224
   ip nat inside source list 101 pool SCISANRTR001-natpool-1
  overload
   ip nat inside source static 172.29.10.20 64.172.228.154
   ip nat inside source static 192.168.100.20 64.172.228.132
   ip nat inside source static 192.168.100.135 64.172.228.135
   ip nat inside source static 172.29.20.20 64.172.228.133
   ip classless
   ip route 0.0.0.0 0.0.0.0 Serial0/0.1
   ip route 172.29.20.0 255.255.255.0 Serial0/1.474
   ip route 172.29.40.0 255.255.255.0 Serial0/1.474
   !
   logging history size 250
   logging history errors
   logging facility syslog
   access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0
   0.0.0.255
   access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0
   0.0.0.255
   access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0
   0.0.0.255
   access-list 101 permit ip 192.168.100.0 0.0.0.255 any
   access-list 101 permit ip 172.29.10.0 0.0.0.255 any
   route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54294t=54268



expanded range access lists? [7:53859]

2002-09-22 Thread B.J. Wilson

Hey Spongebob fans -

I've noticed a couple of new access-list ranges (1300-1999 and
2000-2699), which may not be all that new, but they're ones I've never
encountered before.  After a cursory search on CCO, I can't find any
documentation that really explains what they really do.  Anyone have any
insight?

Thanks,

Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53859t=53859



Re: expanded range access lists? [7:53859]

2002-09-22 Thread Chuck's Long Road

B.J. Wilson  wrote in message
news:[EMAIL PROTECTED]...
 Hey Spongebob fans -

 I've noticed a couple of new access-list ranges (1300-1999 and

CL: works precisely the same way as access-lists 1-99


 2000-2699), which may not be all that new, but they're ones I've never

CL: works precisely the same way as access-list 100-199


 encountered before.  After a cursory search on CCO, I can't find any
 documentation that really explains what they really do.


CL: Router_7(config)#access-list ?
  1-99         IP standard access list
  100-199      IP extended access list
  1300-1999    IP standard access list (expanded range)
  2000-2699    IP extended access list (expanded range)
  ( a few omitted )

CL: there are cases, particularly in complex enterprise and service
provider environments, where more access-lists are required for various
reasons: QoS, VPN, NAT, various security settings, customer requirements or
commitments, etc.





Anyone have any
 insight?

 Thanks,

 Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53861t=53859



Re: expanded range access lists? [7:53859]

2002-09-22 Thread Priscilla Oppenheimer

Man, I certainly wouldn't want to troubleshoot a problem on a router with
800 extended IP access lists! I would suggest a redesign. :-)

Priscilla

Chuck's Long Road wrote:
 
 B.J. Wilson  wrote in message
 news:[EMAIL PROTECTED]...
  Hey Spongebob fans -
 
  I've noticed a couple of new access-list ranges
 (1300-1999 and
 
 CL: works precisely the same way as access-lists 1-99
 
 
  2000-2699), which may not be all that new, but they're ones
 I've never
 
 CL: works precisely the same way as access-list 100-199
 
 
  encountered before.  After a cursory search on CCO, I can't
 find any
  documentation that really explains what they really do.
 
 
 CL: Router_7(config)#access-list ?
   1-99         IP standard access list
   100-199      IP extended access list
   1300-1999    IP standard access list (expanded range)
   2000-2699    IP extended access list (expanded range)
   ( a few omitted )
 
 CL: there are cases, particularly in complex enterprise and
 service
 provider environments, where more access-lists are required for
 various
 reasons: QoS, VPN, NAT, various security settings, customer
 requirements or
 commitments, etc.
 
 
 
 
 
 Anyone have any
  insight?
 
  Thanks,
 
  Patrick
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53883t=53859



Re: expanded range access lists? [7:53859]

2002-09-22 Thread Chuck's Long Road

Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
 Man, I certainly wouldn't want to troubleshoot a problem on a router with
 800 extended IP access lists! I would suggest a redesign. :-)

CL: certainly goes a long way towards explaining the attitudes of your ISP
service desk ;-


 Priscilla

 Chuck's Long Road wrote:
 
  B.J. Wilson  wrote in message
  news:[EMAIL PROTECTED]...
   Hey Spongebob fans -
  
   I've noticed a couple of new access-list ranges
  (1300-1999 and
 
  CL: works precisely the same way as access-lists 1-99
 
 
   2000-2699), which may not be all that new, but they're ones
  I've never
 
  CL: works precisely the same way as access-list 100-199
 
 
   encountered before.  After a cursory search on CCO, I can't
  find any
   documentation that really explains what they really do.
 
 
  CL: Router_7(config)#access-list ?
    1-99         IP standard access list
    100-199      IP extended access list
    1300-1999    IP standard access list (expanded range)
    2000-2699    IP extended access list (expanded range)
    ( a few omitted )
 
  CL: there are cases, particularly in complex enterprise and
  service
  provider environments, where more access-lists are required for
  various
  reasons: QoS, VPN, NAT, various security settings, customer
  requirements or
  commitments, etc.
 
 
 
 
 
  Anyone have any
   insight?
  
   Thanks,
  
   Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53885t=53859



Re: How many committed access rate policies with access-lists [7:45840]

2002-06-05 Thread Hamid

Once in a project, I was using CAR on a 7200 with 5 Fast Ethernet
sub-interfaces. I was using various access-lists (all of them were
extended). CAR was limiting both receiving and transmitting (send) traffic.
With no NPEs or additional modules installed, the CPU time went to 40-50% in
peak times. The total BW was about 4 Mbps.

HTH
Hamid

Cisco Breaker  wrote in message
news:[EMAIL PROTECTED]...
 Hi all,

 My questions are regarding CAR, aka rate-limit. I have used rate-limit
 with access-lists but I never wondered how many policies I can create with
 access-lists.

 How many committed access rate policies with access-lists can be applied
 to an interface?

 Documentation says 100 policies (which can be either access-list or other
 type, as I understand) per subinterface, not per interface. Is it limited to
 the standard or extended access-list number limit of 99? Can I use 99
 standard access lists and 99 extended access lists and apply each one of
 them to a different (200) CAR policy? Or am I limited to 100 policies only,
 as stated?

 Also, if I can use 200 policies, how much CPU utilization could I see on a
 3600 or 7200? Documentation only states that it would be a significant
 impact to use extended access-lists with CAR.

 I would really appreciate it if anyone answers these questions.

 Best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45840t=45840



How many committed access rate policies with access-lists can [7:45655]

2002-06-03 Thread Cisco Breaker

Hi all,

My questions are regarding CAR, aka rate-limit. I have used rate-limit with
access-lists but I never wondered how many policies I can create with
access-lists.

How many committed access rate policies with access-lists can be applied to
an interface?

Documentation says 100 policies (can be either access-list or other type as
I understand) to a subinterface, not to an interface. Is it limited to the
standard or extended access-list number limit of 99? Can I use 99 standard
access lists and 99 extended access lists and apply each one of them to a
different (200) CAR policy? Or am I limited to 100 policies only, as stated?

Also, if I can use 200 policies, how much CPU utilization could I see on a
3600 or 7200? Documentation only states that it would be a significant
impact to use extended access-lists with CAR.

I would really appreciate it if anyone answers these questions.

Best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45655t=45655



Help with extended access lists [7:40904]

2002-04-09 Thread r Paul

Hello, wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of IP addresses I want to add to the list and they are not
all consecutive. What I want to do is use the minimum entry to cover each
block, i.e.

Say I had several like this: 192.168.1.10 to 15, etc.

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this?

access-list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bits right. In the
above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15)... have I understood this right? I do not want to match the whole subnet
with 0.0.0.255, but that is the only other example I have seen.

Many thanks

Paul


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40904t=40904



Re: Help with extended access lists [7:40904]

2002-04-09 Thread [EMAIL PROTECTED]

Hi,

The one which you mentioned is not the right one.

A simple technique to get the inverse mask is as follows:

1. From your example, let's say you want to aggregate 192.168.1.10 to
192.168.1.15. First of all, aggregate these addresses and find the summarized
mask.
The summarized mask in this case is 192.168.1.8/29 (i.e. 255.255.255.248).

2. To get the inverse mask, subtract 255.255.255.248 from 255.255.255.255,
which comes out to 0.0.0.7.

3. The result is 192.168.1.8 0.0.0.7


Kind Regards /Thangavel
--
CCIE (qual),CCS,CCDP,CCNP,MCSE

186K
Reading, Berkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall .
 -- Nelson Mandela




   
   
-Original Message-
From: r Paul
Sent by: nobody@groupstudy.com
Sent: 09/04/2002 10:12
cc:
Subject: Help with extended access lists [7:40904]
Please respond to r Paul




Hello, wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of IP addresses I want to add to the list and they are not
all consecutive. What I want to do is use the minimum entry to cover each
block, i.e.

Say I had several like this: 192.168.1.10 to 15, etc.

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this?

access-list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bits right. In the
above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15)... have I understood this right? I do not want to match the whole subnet
with 0.0.0.255, but that is the only other example I have seen.

Many thanks

Paul
**
This e-mail is from 186k Ltd and is intended only for the 
addressee named above. As this e-mail may contain confidential
or priveleged information, if you are not the named addressee or
the person responsible for delivering the message to the named 
addressee, please advise the sender by return e-mail. The
contents should not be disclosed to any other person nor copies
taken.
186k Ltd is a Lattice Group company, registered in England 
 Wales No. 3751494 Registered Office 130 Jermyn Street 
London SW1Y 4UR
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40905t=40904



Re: Help with extended access lists [7:40904]

2002-04-09 Thread Richard Botham

Thangavel 
What a great method - Thank you


Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40907t=40904



RE: Help with extended access lists [7:40904]

2002-04-09 Thread Ole Drews Jensen

Paul,

You need to understand the wildcard format for access-lists. The best way to
do this is to convert your ip addresses to binary.

The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15

We can quickly see that the first three octets are the same, so let's
concentrate on the fourth.

Range is:

10  :  0000 1010
11  :  0000 1011
12  :  0000 1100
13  :  0000 1101
14  :  0000 1110
15  :  0000 1111

As you can see, the left five bits stay the same, so you have to tell the
access-list not to care about the right three bits.

In a wildcard mask, the 0's represent that the bit value MUST be as
specified, and the 1's represent that it doesn't care about the bit value.

So we must create a wildcard for the fourth octet that looks like this:

0000 0111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0

Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for range 10-15, let's take those five
bits 00001 and fill zeros to the right 000 = 0000 1000 or 8. That's the
value we want to use for the fourth octet in the ip address.

And the access-list would look like this:

access-list 110 permit tcp 192.168.1.8 0.0.0.7 

The only problem with this is that this will also allow .8 and .9, so if
you wish to deny those two addresses, you must do some more matching:

.8  =  0000 1000
.9  =  0000 1001

As you can see, the only bit that changes is the right one, so if you do a
wildcard octet of:

0000 0001

you can test for that.

Let's correct our access-list statements:

access-list 110 deny tcp 192.168.1.8 0.0.0.1 ..
access-list 110 permit tcp 192.168.1.8 0.0.0.7 ..

As you can see, it's a little tricky to calculate, but once you have it
down, it can be almost a fun little task to do. The best thing to do in the
beginning is to write the whole address range down in binary and look at
the bits. That way you can see which ones change, and which ones stay the
same. Sometimes you can cut a lot of statements down by looking at the
pattern and creating some good wildcard masks, but that is both good and
bad. It is good because it makes the access-list filter faster, but it's bad
because it can be hard to read the next time you need to reconfigure
something.

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: r Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 3:12 AM
To: [EMAIL PROTECTED]
Subject: Help with extended access lists [7:40904]


Hello wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of IP addresses I want to add to the list and they are not
all consecutive. What I want to do is use the minimum entry to cover each
block, i.e.

Say I had several like this: 192.168.1.10 to 15, etc.

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this?

access-list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bits right. In the
above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15)... have I understood this right? I do not want to match the whole subnet
with 0.0.0.255, but that is the only other example I have seen.

Many thanks

Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40913t=40904
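Thangavel's summarize-then-invert method and Ole's bit-by-bit walk-through above are the same computation. As an added example (not code from the thread, from the posters, or from Cisco), here it is in Python using only the standard library: it finds the single covering block for a range (which over-matches .8 and .9, exactly as Ole points out), the exact set of address/wildcard pairs for the range, and what Paul's proposed 0.0.0.6 wildcard would really match. The destination 193.26.1.52 and list number 101 are taken from Paul's question; everything else is assumed for the example.

```python
"""Wildcard-mask arithmetic for Cisco-style access lists.

Added example for the thread above (not code from the posts or from Cisco).
Uses only the Python standard library.
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def inverse_mask(subnet_mask: str) -> str:
    """Thangavel's step 2: 255.255.255.255 minus the subnet mask."""
    return str(IPv4Address(0xFFFFFFFF - int(IPv4Address(subnet_mask))))


def covering_block(first: str, last: str) -> tuple:
    """Smallest single (address, wildcard) pair whose block contains first..last.

    Thangavel's step 1 done on the bits: shorten the prefix until both ends
    of the range agree on every remaining bit.  The block may be larger than
    the range, which is how .10-.15 becomes .8 with wildcard 0.0.0.7.
    """
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError("range must be ascending")
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    net = IPv4Network((lo, prefix), strict=False)
    return str(net.network_address), str(net.hostmask)


def exact_entries(first: str, last: str) -> list:
    """Minimal list of (address, wildcard) pairs matching exactly first..last."""
    blocks = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in blocks]


def matched_addresses(base: str, wildcard: str) -> list:
    """Every address an (address, wildcard) pair matches.

    Ole's rule: wildcard 0 bits must equal the address bit, 1 bits are
    don't-care.  Enumeration is capped so it stays sensible.
    """
    b, w = int(IPv4Address(base)), int(IPv4Address(wildcard))
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too wide to enumerate")
    fixed = b & ~w & 0xFFFFFFFF
    out = []
    for k in range(1 << len(free_bits)):
        addr = fixed
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                addr |= bit
        out.append(addr)
    return [str(IPv4Address(a)) for a in sorted(out)]


def acl_lines_for_range(first: str, last: str, dst_host: str,
                        acl: int = 101, port: str = "www") -> list:
    """Extended-ACL lines permitting exactly first..last to dst_host:port."""
    return [
        f"access-list {acl} permit tcp {addr} {wc} host {dst_host} eq {port}"
        for addr, wc in exact_entries(first, last)
    ]


if __name__ == "__main__":
    print(covering_block("192.168.1.10", "192.168.1.15"))
    print(matched_addresses("192.168.1.10", "0.0.0.6"))  # what 0.0.0.6 really matches
    for line in acl_lines_for_range("192.168.1.10", "192.168.1.15", "193.26.1.52"):
        print(line)
```

Running it shows the three answers side by side: the covering block is 192.168.1.8 0.0.0.7 (Thangavel's and Ole's result), the exact range needs two entries (192.168.1.10 0.0.0.1 and 192.168.1.12 0.0.0.3), and Paul's 0.0.0.6 would have matched the even addresses .8, .10, .12 and .14 rather than .10 through .15.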



Access Lists for 3500 Switch [7:40350]

2002-04-03 Thread Christian Fredrickson

Can someone tell me the command sequence on a Cisco 3500 switch to set up an
ACL?

Thanks all.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40350t=40350



RE: Access Lists for 3500 Switch [7:40350]

2002-04-03 Thread Lomker, Michael

 Can someone tell me the command sequence on a Cisco 3500 
 switch to set up an ACL?

It's just like a router:  
ACCESS-LIST 1 permit x.x.x.x

Then you can apply it to your line interface: 
line vty 0 15
access-class 1 in




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40357t=40350



Re: Access Lists are a bit mystifying [7:36164]

2002-02-25 Thread Anil Gupte

Yes, that does make sense.  Thanx for the detailed reply.  I did finally use
the following:

conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq 
deny tcp any any eq 139
permit ip any any

int ethernet0/0
ip access-group secure2 out
ip access-group secure2 in

exit
wr

Thanx again,
Anil Gupte


- Original Message -
From: Tom Petzold 
To: Anil Gupte ; 
Sent: Friday, February 22, 2002 11:35 AM
Subject: RE: Access Lists are a bit mystifying [7:36164]


 Remember the OSI model.  IP can have multiple higher level protocols
 running over it.  So IP uses protocol numbers to identify the higher level
 protocol that it should send the data to.  If you do a deny ? on a router
 you will see all the different protocols (eigrp, gre, icmp, ospf, pim,
tcp,
 udp).  Once the IP layer passes the packet up to the transport layer the
 layer 4 protocol has to know which application to send the data to.  So
the
 TCP protocol will send traffic on port 80 to the web server and traffic to
 port 25 to the smtp server.

 Layer 7 - Application
 Layer 6 - Presentation
 Layer 5 - Session
 Layer 4 - Transport
 Layer 3 - Network
 Layer 2 - Datalink
 Layer 1 - Physical

 The first line will not work.  IP is the layer 3 protocol, tcp, udp, icmp,
 etc are layer 4 protocols.  So while tcp and udp have port numbers, ip
 doesn't.  If I want to deny http traffic I must deny tcp port 80 because
 http uses TCP port 80.  The same holds true for UDP.  If I wanted to deny
 snmp traffic I would deny UDP port 161.

 If you set the last line to permit tcp any any it would allow any tcp
 based traffic but because there is a specific deny all at the end of all
 access-lists, you would deny udp, icmp, eigrp, ospf, etc. The permit ip
any
 any says allow all layer 4 ip protocols.

 Does this make sense?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Anil Gupte
 Sent: Thursday, February 21, 2002 11:24 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Access Lists are a bit mystifying [7:36164]


 Actually my question was not clear, I think.  My confusion is with the IP
 vs. TCP.  In other words should it not be something like:

 deny ip any any eq 139
 permit ip any any

 Why deny TCP and permit IP as opposed to deny IP and permit IP?

 Also, the purpose of these is that I am trying to block some suspicious
 activity on those ports (I think someone may be running an illegal IRC
 server on that port).

 Thanx for the reply (and the kid gloves). :-)
 Anil Gupte

 - Original Message -
 From: Scott Nawalaniec
 To: 'Anil Gupte' ;
 Sent: Thursday, February 21, 2002 10:17 PM
 Subject: RE: Access Lists are a bit mystifying [7:36164]


  Hi Anil,
 
  Sometimes its scaring posting to this group. =)
 
  To answer your question,
  if you don't the permit IP any any command, there is an implicit deny
rule
  at the end of an access-list, which will drop all traffic that you have
 not
  allowed through the access-list.
 
  The other two deny statements are dropping netbios port 139 and
something
  that uses port .
 
  Hope this helps.
 
  Scott
 
  -Original Message-
  From: Anil Gupte [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 21, 2002 7:59 PM
  To: [EMAIL PROTECTED]
  Subject: Access Lists are a bit mystifying [7:36164]
 
 
  Hi All!
 
  I watch this list occassionally (when I have time).  This is my first
post
  to this list, so be kind. :p)
 
  In the access list below:
  **
  conf t
  int ethernet0/0
  no ip access-list extended secure2
  ip access-list extended secure2
  deny tcp any any eq 
  deny tcp any any eq 139
  permit ip any any
 
  int ethernet0/0
  ip access-group secure2 out
  ip access-group secure2 in
 
  exit
  wr
  **
  Why is it that you need to deny TCP and permit IP?  Or did I not do this
  right?
 
  Thanx,
  Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36397t=36164



RE: Access Lists are a bit mystifying [7:36164]

2002-02-22 Thread Tom Petzold

Remember the OSI model.  IP can have multiple higher level protocols
running over it.  So IP uses protocol numbers to identify the higher level
protocol that it should send the data to.  If you do a deny ? on a router
you will see all the different protocols (eigrp, gre, icmp, ospf, pim, tcp,
udp).  Once the IP layer passes the packet up to the transport layer the
layer 4 protocol has to know which application to send the data to.  So the
TCP protocol will send traffic on port 80 to the web server and traffic to
port 25 to the smtp server.

Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport

 Hi Anil,

 Sometimes its scaring posting to this group. =)

 To answer your question,
 if you don't the permit IP any any command, there is an implicit deny rule
 at the end of an access-list, which will drop all traffic that you have
not
 allowed through the access-list.

 The other two deny statements are dropping netbios port 139 and something
 that uses port .

 Hope this helps.

 Scott

 -Original Message-
 From: Anil Gupte [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 21, 2002 7:59 PM
 To: [EMAIL PROTECTED]
 Subject: Access Lists are a bit mystifying [7:36164]


 Hi All!

 I watch this list occassionally (when I have time).  This is my first post
 to this list, so be kind. :p)

 In the access list below:
 **
 conf t
 int ethernet0/0
 no ip access-list extended secure2
 ip access-list extended secure2
 deny tcp any any eq 
 deny tcp any any eq 139
 permit ip any any

 int ethernet0/0
 ip access-group secure2 out
 ip access-group secure2 in

 exit
 wr
 **
 Why is it that you need to deny TCP and permit IP?  Or did I not do this
 right?

 Thanx,
 Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36233t=36164



simple access-lists question [7:36240]

2002-02-22 Thread NetEng

Why is this simple task beating me?

I have a router with 2eth. that separates my lab from the corporate network.
I would like web/ftp/telnet access from the lab to the world and back. I
created an access list and applied it to my lab's ethernet int. This is the
list. Am I missing something?

access-list 101 permit 80 any any
access-list 101 permit 21 any any
access-list 101 permit 23 any any
access-list 101 permit 53 any any
access-list 101 permit icmp any any

ip access-group 101 out (on ethernet of lab side)

TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36240t=36240



Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder

I believe you need something like

access-list 101 permit tcp any any eq www

you have something that permits IP protocol numbers I think.   Like 6 is
tcp, 17 is udp, 9 is igrp, etc..

etc...

--
RFC 1149 Compliant.


NetEng wrote in message news:[EMAIL PROTECTED]...
 Why is this simple task beating me?

 I have a router with 2eth. that separates my lab from the corporate
network.
 I would like web/ftp/telnet access from the lab to the world and back. I
 created an access list and applied it to my lab's ethernet int. This is
the
 list. Am I missing something?

 access-list 101 permit 80 any any
 access-list 101 permit 21 any any
 access-list 101 permit 23 any any
 access-list 101 permit 53 any any
 access-list 101 permit icmp any any

 ip access-group 101 out (on ethernet of lab side)

 TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36241t=36240



Re: simple access-lists question [7:36240]

2002-02-22 Thread John Neiberger

Hey, are you ever going to upgrade to RFC 2549 compliance?  If you
haven't already, you're behind the times by about three years!  :-)

John

 Steven A. Ridder  2/22/02 11:43:33 AM

I believe you need something like

access-list 101 permit tcp any any eq www

you have something that permits IP protocol numbers I think.   Like 6
is
tcp, 17 is udp, 9 is igrp, etc..

etc...

--
RFC 1149 Compliant.


NetEng wrote in message news:[EMAIL PROTECTED]...
 Why is this simple task beating me?

 I have a router with 2eth. that separates my lab from the corporate
network.
 I would like web/ftp/telnet access from the lab to the world and
back. I
 created an access list and applied it to my lab's ethernet int. This
is
the
 list. Am I missing something?

 access-list 101 permit 80 any any
 access-list 101 permit 21 any any
 access-list 101 permit 23 any any
 access-list 101 permit 53 any any
 access-list 101 permit icmp any any

 ip access-group 101 out (on ethernet of lab side)

 TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36250t=36240



RE: simple access-lists question [7:36240]

2002-02-22 Thread Ole Drews Jensen

Your syntax is wrong.

You are permitting IP protocols 80, 21, 23 and 53 - NOT ports 80, 21, 23 and
53.

The correct syntax would be:

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq domain
access-list 101 permit icmp any any

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: NetEng [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: simple access-lists question [7:36240]


Why is this simple task beating me?

I have a router with 2eth. that separates my lab from the corporate network.
I would like web/ftp/telnet access from the lab to the world and back. I
created an access list and applied it to my lab's ethernet int. This is the
list. Am I missing something?

access-list 101 permit 80 any any
access-list 101 permit 21 any any
access-list 101 permit 23 any any
access-list 101 permit 53 any any
access-list 101 permit icmp any any

ip access-group 101 out (on ethernet of lab side)

TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36251t=36240



Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder

Not enought customers have asked for that feature yet.  :)  Was RFC 1149 the
precursor to wireless?


John Neiberger wrote in message news:[EMAIL PROTECTED]...
 Hey, are you ever going to upgrade to RFC 2549 compliance?  If you
 haven't already, you're behind the times by about three years!  :-)

 John

  Steven A. Ridder  2/22/02 11:43:33 AM
 
 I believe you need something like

 access-list 101 permit tcp any any eq www

 you have something that permits IP protocol numbers I think.   Like 6
 is
 tcp, 17 is udp, 9 is igrp, etc..

 etc...

 --
 RFC 1149 Compliant.


 NetEng wrote in message news:[EMAIL PROTECTED]...
  Why is this simple task beating me?
 
  I have a router with 2eth. that separates my lab from the corporate
 network.
  I would like web/ftp/telnet access from the lab to the world and
 back. I
  created an access list and applied it to my lab's ethernet int. This
 is
 the
  list. Am I missing something?
 
  access-list 101 permit 80 any any
  access-list 101 permit 21 any any
  access-list 101 permit 23 any any
  access-list 101 permit 53 any any
  access-list 101 permit icmp any any
 
  ip access-group 101 out (on ethernet of lab side)
 
  TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36275t=36240



Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Anil Gupte

Hi All!

I watch this list occassionally (when I have time).  This is my first post
to this list, so be kind. :p)

In the access list below:
**
conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq 
deny tcp any any eq 139
permit ip any any

int ethernet0/0
ip access-group secure2 out
ip access-group secure2 in

exit
wr
**
Why is it that you need to deny TCP and permit IP?  Or did I not do this
right?

Thanx,
Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36164t=36164



RE: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Scott Nawalaniec

Hi Anil,

Sometimes it's scary posting to this group. =)

To answer your question, 
if you don't have the permit ip any any command, there is an implicit deny rule
at the end of an access-list, which will drop all traffic that you have not
allowed through the access-list.

The other two deny statements are dropping netbios port 139 and something
that uses port . 

Hope this helps.

Scott

-Original Message-
From: Anil Gupte [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 7:59 PM
To: [EMAIL PROTECTED]
Subject: Access Lists are a bit mystifying [7:36164]


Hi All!

I watch this list occassionally (when I have time).  This is my first post
to this list, so be kind. :p)

In the access list below:
**
conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq 
deny tcp any any eq 139
permit ip any any

int ethernet0/0
ip access-group secure2 out
ip access-group secure2 in

exit
wr
**
Why is it that you need to deny TCP and permit IP?  Or did I not do this
right?

Thanx,
Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36167t=36164



Re: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Anil Gupte

Actually my question was not clear, I think.  My confusion is with the IP
vs. TCP.  In other words should it not be something like:

deny ip any any eq 139
permit ip any any

Why deny TCP and permit IP as opposed to deny IP and permit IP?

Also, the purpose of these is that I am trying to block some suspicious
activity on those ports (I think someone may be running an illegal IRC
server on that port).

Thanx for the reply (and the kid gloves). :-)
Anil Gupte

- Original Message -
From: Scott Nawalaniec 
To: 'Anil Gupte' ; 
Sent: Thursday, February 21, 2002 10:17 PM
Subject: RE: Access Lists are a bit mystifying [7:36164]


 Hi Anil,

 Sometimes it's scary posting to this group. =)

 To answer your question,
 if you don't have the permit ip any any command, there is an implicit deny rule
 at the end of an access-list, which will drop all traffic that you have
not
 allowed through the access-list.

 The other two deny statements are dropping netbios port 139 and something
 that uses port .

 Hope this helps.

 Scott

 -Original Message-
 From: Anil Gupte [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 21, 2002 7:59 PM
 To: [EMAIL PROTECTED]
 Subject: Access Lists are a bit mystifying [7:36164]


 Hi All!

 I watch this list occassionally (when I have time).  This is my first post
 to this list, so be kind. :p)

 In the access list below:
 **
 conf t
 int ethernet0/0
 no ip access-list extended secure2
 ip access-list extended secure2
 deny tcp any any eq 
 deny tcp any any eq 139
 permit ip any any

 int ethernet0/0
 ip access-group secure2 out
 ip access-group secure2 in

 exit
 wr
 **
 Why is it that you need to deny TCP and permit IP?  Or did I not do this
 right?

 Thanx,
 Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36168t=36164



Re: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Annlee Hines

The key is to know which header the list statement is being applied to.
Ports (source and destination) are a part of a TCP header or a UDP header.
They are a means of identifying the application that is being multiplexed at
the Transport Layer.

IP headers do not have ports--they have source and destination addresses
(logical addresses, of course--not physical).

Look here--
http://www.rfc-editor.org/cgi-bin/rfcsearch.pl
RFC791 is IP and has that lovely ASCII art header in paragraph 3.1. For TCP,
the number is RFC793, also paragraph 3.1. UDP is RFC768--surprise! the
header is right at the beginning.

HTH

Annlee
Anil Gupte wrote in message news:[EMAIL PROTECTED]...
 Actually my question was not clear, I think.  My confusion is with the IP
 vs. TCP.  In other words should it not be something like:

 deny ip any any eq 139
 permit ip any any

 Why deny TCP and permit IP as opposed to deny IP and permit IP?

 Also, the purpose of these is that I am trying to block some suspicious
 activity on those ports (I think someone may be running an illegal IRC
 server on that port).

 Thanx for the reply (and the kid gloves). :-)
 Anil Gupte

 - Original Message -
 From: Scott Nawalaniec
 To: 'Anil Gupte' ;
 Sent: Thursday, February 21, 2002 10:17 PM
 Subject: RE: Access Lists are a bit mystifying [7:36164]


  Hi Anil,
 
  Sometimes its scaring posting to this group. =)
 
  To answer your question,
  if you don't the permit IP any any command, there is an implicit deny
rule
  at the end of an access-list, which will drop all traffic that you have
 not
  allowed through the access-list.
 
  The other two deny statements are dropping netbios port 139 and
something
  that uses port .
 
  Hope this helps.
 
  Scott
 
  -Original Message-
  From: Anil Gupte [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 21, 2002 7:59 PM
  To: [EMAIL PROTECTED]
  Subject: Access Lists are a bit mystifying [7:36164]
 
 
  Hi All!
 
  I watch this list occassionally (when I have time).  This is my first
post
  to this list, so be kind. :p)
 
  In the access list below:
  **
  conf t
  int ethernet0/0
  no ip access-list extended secure2
  ip access-list extended secure2
  deny tcp any any eq 
  deny tcp any any eq 139
  permit ip any any
 
  int ethernet0/0
  ip access-group secure2 out
  ip access-group secure2 in
 
  exit
  wr
  **
  Why is it that you need to deny TCP and permit IP?  Or did I not do this
  right?
 
  Thanx,
  Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36169t=36164
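The "simple access-lists question" thread above (permit 80 any any permits IP protocol 80, not TCP port 80) and this thread (IP has no ports, so the list must deny tcp ... eq 139 and then permit ip any any) both come down to which header field an extended ACL entry actually tests. The following is an added example, not code from the posts, the posters, or Cisco: a small evaluator for the IOS-style entries quoted in these two threads, run over constructed sample packets. It understands only the subset of syntax those posts use (any, host, address plus wildcard, a destination eq port, and the implicit deny), and every packet and address in it is made up for the example.

```python
"""Minimal evaluator for IOS-style extended access-list entries.

Added example for the ACL threads above (not code from the posts or Cisco).
Supports only the syntax those posts use: protocol keyword or number,
any / host A.B.C.D / A.B.C.D wildcard, an optional 'eq <port>' on the
destination, and the implicit deny.  All sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88, "ospf": 89}
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}


@dataclass
class Packet:
    proto: int                   # IP protocol number from the IP header
    src: str
    dst: str
    dport: Optional[int] = None  # only exists for TCP/UDP


def _parse_addr(tok, i):
    """any | host A.B.C.D | A.B.C.D W.W.W.W, starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2


def parse_entry(line: str):
    """Return (action, proto, src, dst, dport); proto None means 'ip'."""
    tok = line.split()
    if tok[0] == "access-list":  # numbered form: drop 'access-list <n>'
        tok = tok[2:]
    action, proto_tok = tok[0], tok[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    if proto_tok == "ip":
        proto = None
    elif proto_tok in PROTO_NUMBERS:
        proto = PROTO_NUMBERS[proto_tok]
    elif proto_tok.isdigit():
        proto = int(proto_tok)   # a raw IP protocol number, NOT a TCP port
    else:
        raise ValueError(f"unknown protocol {proto_tok!r}")
    src, i = _parse_addr(tok, 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        if proto not in (6, 17):  # IOS rejects this too: only TCP/UDP carry ports
            raise ValueError("port match is only valid for tcp or udp")
        p = tok[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return action, proto, src, dst, dport


def is_valid_entry(line: str) -> bool:
    try:
        parse_entry(line)
        return True
    except (ValueError, IndexError):
        return False


def _addr_match(spec, addr: str) -> bool:
    base, wildcard = spec  # wildcard 0 bits must match, 1 bits are ignored
    return ((int(IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def entry_matches(entry, pkt: Packet) -> bool:
    _, proto, src, dst, dport = entry
    if proto is not None and proto != pkt.proto:
        return False
    if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
        return False
    return dport is None or dport == pkt.dport


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry[0]
    return "deny"


# NetEng's list as posted, and Ole's corrected version.
BROKEN_ACL = [f"access-list 101 permit {p} any any" for p in (80, 21, 23, 53)]
BROKEN_ACL.append("access-list 101 permit icmp any any")
FIXED_ACL = [f"access-list 101 permit tcp any any eq {n}" for n in ("www", "telnet", "ftp", "domain")]
FIXED_ACL.append("access-list 101 permit icmp any any")
# Anil's named list, without the port number that did not survive the archive.
SECURE2 = ["deny tcp any any eq 139", "permit ip any any"]

# Constructed sample packets (addresses made up for the example).
HTTP = Packet(proto=6, src="10.1.1.5", dst="192.0.2.10", dport=80)
NETBIOS = Packet(proto=6, src="10.1.1.5", dst="192.0.2.10", dport=139)
DNS_UDP = Packet(proto=17, src="10.1.1.5", dst="192.0.2.53", dport=53)
ISO_IP = Packet(proto=80, src="10.1.1.5", dst="192.0.2.10")  # what 'permit 80' really hits
```

Evaluating the constructed packets makes the two points concrete: against NetEng's list an HTTP packet falls through to the implicit deny while a packet carrying IP protocol 80 is permitted; against Anil's list a TCP packet to port 139 is denied and everything else, UDP included, is permitted; and "deny ip any any eq 139" is rejected at parse time because an IP header has no port field. One caveat the evaluator also exposes: Ole's corrected list permits domain only over TCP, so an ordinary DNS query over UDP 53 still hits the implicit deny and would need a matching udp entry.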



Access Lists [7:34023]

2002-02-01 Thread Fermanis Tim G Contr USAFE CSS/SCOG

I'm looking to buy a book on Access lists.  Any recommendations?


TIA

Tim Fermanis
GCCS System Administrator




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34023t=34023



Re: Access Lists [7:34023]

2002-02-01 Thread [EMAIL PROTECTED]

Cisco IOS Access Lists by Jeff Sedayao

Published by O'Reilly

ISBN 1-56592-385-5

HTH

Dom Stocqueler



   
   
-Original Message-
From: Fermanis Tim G Contr USAFE CSS/SCOG
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Sent: 01/02/2002 09:25
Please respond to Fermanis Tim G Contr USAFE CSS/SCOG




I'm looking to buy a book on Access lists.  Any recommendations?


TIA

Tim Fermanis
GCCS System Administrator




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34026t=34023



Re: Access Lists [7:34023]

2002-02-01 Thread Georg Pauwen

Tim,

I found that most books are not nearly as good as the Cisco website. On CCO,
I have so far always been able to find much more info than any book can give
me, including configuration examples and various scenarios. It takes a little
more effort, but I am almost convinced that you can get much more detailed
info on this from the web than from any book.

Regards,

Georg


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34059t=34023



Re: Access Lists [7:34023]

2002-02-01 Thread kevhed

Tim,

IMHO, you can't go wrong with Cisco Access Lists by Gil Held & Kent
Hundley, ISBN 0072123354.  This is one of the few books I keep close by.

Kevin
Fermanis Tim G Contr USAFE CSS/SCOG wrote in message news:[EMAIL PROTECTED]...
 I'm looking to buy a book on Access lists.  Any recommendations?


 TIA

 Tim Fermanis
 GCCS System Administrator




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34075t=34023



RE: Access Lists [7:34023]

2002-02-01 Thread William Gragido

That's one of my favorites as well.  It's well written and detailed, and most
importantly concise.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
kevhed
Sent: Friday, February 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Access Lists [7:34023]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34093t=34023



Extended ipx access lists [7:31720]

2002-01-12 Thread Richard Botham

Hi all,
I have a lab with a hub and spoke network; r1 is the hub and r2, r3, r4 are the
spokes.
IPX EIGRP is running on the frame cloud and IPX RIP on the edge.
I am trying to make sure that only network 100 at r1 is advertised to r2 and
not to the remaining routers r3 and r4.
Can someone help me with the syntax for the access-lists, as it's driving me
mad.
The network is addressed in the WAN as follows:
r1 serial 0.0.1 = 110.1.1.1
r2 serial 0/0   = 110.2.2.2
r3 serial 0/0   = 110.3.3.3
r4 serial 0/0   = 110.4.4.4
I have tried the following ACLs but without success:
access-list 905 permit any 100 eigrp 110.0002.0002.0002
access-list 906 permit any 100 eigrp 110.0002.0002.0002 F.000f.000f.000f
access-list 907 permit any 100 eigrp 110.0002.0002.0002 0...

What am I doing wrong, chaps?

Many thanks in advance

Richard





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31720t=31720



RE: Access Lists [7:28927]

2001-12-12 Thread Michael Williams

Are your people dialing in having to go through your company proxy server to
get to the internet?  If so, they're probably talking with the proxy server,
which no doubt would have an internal address and be let through by that
access list.

To which interface are you applying this access-list?  In which direction
(in/out)?

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28961t=28927



Access Lists [7:28927]

2001-12-12 Thread J. Johnson

We have a Cisco 5300 Dial-up.  We want to allow everyone to get to our
network when they dial in.  We do not want everyone to get on the internet
when they dial-in.  This is what my access list looks like:

access-list 110 permit ip 165.5.0.0 0.0.255.255 any
access-list 110 deny ip any any

Everyone can get to our network and get on the internet with the above list.
Can you see anything wrong?

Thanks.

Jill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28927t=28927



Re: Access Lists [7:28927]

2001-12-12 Thread Jeff Smith

Is 165.5.x.x the range of your internal network or the range of addresses
that your dial-in users are assigned to?  This list says that any packet
whose source address is 165.5.x.x can be destined for anywhere.  If you want
to restrict which subnets they can get to, make some more lines specifying
your internal subnets.  Not to insult, but don't forget to apply it to an
interface.


From: J. Johnson 
Reply-To: J. Johnson 
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]
Date: Wed, 12 Dec 2001 14:24:16 -0500





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28940t=28927



RE: Access Lists [7:28927]

2001-12-12 Thread Estes, Timothy R.

Jill,

How did you apply the list? To what interface? In which direction?



Timothy Estes NA,DA

-Original Message-
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28972t=28927



RE: Access Lists [7:28927]

2001-12-12 Thread Logan, Harold

On what interface(s) is that ACL applied? The way you've written it, the
ACL permits IP traffic with a source address of 165.5.x.x, and the
second (unnecessary) line denies all other traffic. If that ACL is
applied on the interfaces that your users dial into, then it won't
accomplish much. If you're trying to filter based on destination IP
address, then the first line should be written access-list 110 permit
ip any 165.5.0.0 0.0.0.255

hth,

Hal 


 -Original Message-
 From: J. Johnson [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, December 12, 2001 2:24 PM
 To: [EMAIL PROTECTED]
 Subject: Access Lists [7:28927]
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28949t=28927



Re: Access Lists [7:28927]

2001-12-12 Thread Godswill HO

You probably have to provide more information.

1. Are your users dialing into a router (access server) or through a RAS card
on a computer system?
2. If the answer to question 1 is through a router, then is the router also
the router that connects to the internet or do you have another gateway
router?
3. Then the interfaces to which you apply the access-list also count, so say
more on the interfaces you have on your router and the ones you applied the
access-list on, and again in which direction (in or out)?

Regards

- Original Message -
From: J. Johnson 
To: 
Sent: Wednesday, December 12, 2001 11:24 AM
Subject: Access Lists [7:28927]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28967t=28927



Re: Access Lists [7:28927]

2001-12-12 Thread MADMAN

You don't give much info.  What addresses are you handing out via your
pool?  Where are you applying the access-list?

  When I did something similar a long time ago, employees and
faculty had total access, customers limited.  Set up two access-lists and
the access lists were applied to users via authentication on a TACACS server.
I think this is what you want to do.  You can also use RADIUS; TACACS is
free, you only need a UNIX hac.

Dave

J. Johnson wrote:
 
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28947t=28927



RE: Access Lists [7:28927]

2001-12-12 Thread Bill Carter

Yes.  You are allowing anyone coming from 165.5.0.0 to go anywhere and
denying from anywhere to anywhere.

Not knowing your IP structure, I would say:

access-list 110 permit ip x.x.x.0 0.0.0.255 (IP range assigned to dial-in)
165.5.0.0 0.0.255.255 (IP range of your internal network)
access-list 110 deny ip any any

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
J. Johnson
Sent: Wednesday, December 12, 2001 1:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28987t=28927



RE: Access Lists [7:28927]

2001-12-12 Thread Kent Hundley

Jill,

Your acl says allow any source ip from 165.5.0.0 to access any destination
IP address.  This is probably not what you want.  You probably want to
allow any IP address to access anything in the 165.5.0.0 address range.
(assuming that 165.5.0.0 is your internal network.)

Your acl should be:

access-list 110 permit ip any 165.5.0.0 0.0.255.255

You don't need the deny ip any any at the end, it is implied.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
J. Johnson
Sent: Wednesday, December 12, 2001 11:24 AM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28996t=28927



Re: PIX conduit access lists [7:26684]

2001-12-01 Thread Allen May

As long as you initiate it.  There are ActiveX filters and other filters you
can enable on the PIX to block most malicious web server traffic.  In any
type of NAT it will allow inside users full access to the internet unless
blocked or unsupported by NAT.

Allen
- Original Message -
From: Steve Alston 
To: 
Sent: Thursday, November 29, 2001 3:59 PM
Subject: Re: PIX conduit  access lists [7:26684]






Message Posted at:
http://www.groupstudy.com/form/re

Re: PIX conduit access lists [7:26684]

2001-11-29 Thread Steve Alston

Thanks again Allen,
  Does that mean the responses to my outbound requests are allowed in by
default?  For example, my request for a web page is allowed through the
firewall. Would the page in response of that request be allowed through the
firewall?

Steve

Allen May  wrote in message
news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27737t=26684



Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Steve Alston

Patrick & Allen,
  Thanks for the responses -- helps loads.  I'm still slightly confused.

I did a clear conduit expecting to block all incoming traffic.  Following
the clear conduit, I did a show conduit to verify there were not any
conduits in operation.  At that time, I was still able to receive web
traffic at my workstation.  For that matter, the conduit statements only
applied to specific servers, so why am I able to receive http at my
workstation?  I did try to PING an IP address which failed when I removed
the conduits and worked when I restored conduit permit icmp any any --
that behaved as expected.


Thanks,
Steve

Allen May  wrote in message
news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27588t=26684



Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Allen May

NAT or internal servers with real IP addresses using NAT 0 can access
anything until you block it.  Outbound requests (such as http, ftp, etc) are
all enabled by default.  Users outside the firewall cannot access internal
IPs without access-list or conduit statements.

In short, all outbound enabled and all inbound disabled by default.

For your conduit permit icmp any any I would enable echo reply only rather
than full icmp.  Echo reply only allows replies back to the person pinging
or tracerouting.  Full icmp can be exploited in DOS attacks.
example:
access-list 10 permit icmp any any echo-reply
access-group 10 interface outside
(apply one to interface inside for outbound)

Allen

- Original Message -
From: Steve Alston 
To: 
Sent: Wednesday, November 28, 2001 4:08 PM
Subject: Re: PIX conduit  access lists [7:26684]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27642t=26684



Re: PIX conduit access lists [7:26684]

2001-11-26 Thread Allen May

Very true and a good point, but the original question was about conduits
which only apply to lower->higher.  Higher->lower requires NAT.  I
accidentally typed access-list below but meant conduit. ;)  *slap self & get
more coffee*.  It still applies but wasn't what I meant to say.

Thanks for pointing that out though.


- Original Message -
From: Patrick W. Bass 
To: 
Sent: Sunday, November 25, 2001 10:14 PM
Subject: Re: PIX conduit  access lists [7:26684]


 Allen May  wrote in message
 news:[EMAIL PROTECTED]...
  I'm not sure if this was answered or not, but a firewall always assumes
a
  deny all at the end of the access-list for inbound.  Outbound is
different
  since it allows all by default.
 

 Remember this:  Higher security level to lower security level, implicitly
 allowed.  Lower security level to higher security level, implicitly
denied.
 Otherwise it gets tricky once you start messing with multiple DMZs.

  Also, access-lists are the way to go since conduits will be phased out
in
  the near future.
 
  Allen
 
  - Original Message -
  From: Steve Alston
  To:
  Sent: Monday, November 19, 2001 9:25 AM
  Subject: Re: PIX conduit  access lists [7:26684]
 
 
   Carroll,
 Thanks for the reply.  I'm using conduits now, but will switch to
 access
   lists in the future.  (I'd like to fully understand the configuration
I
   inherited before I start making changes)  Are implicit denys inserted
  behind
   each conduit as well?
  
  
   Carroll Kong  wrote in message
   news:[EMAIL PROTECTED]...
Implicit denys behind every access-list are inserted.  Are you
mixing conduits and access-lists?  You really should not.  Use ALL
   conduits
    or ALL access-lists.  If both are used, conduits take priority and
   override
    your access-lists.  Access-lists are first match, conduits are any
  match.
   
At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
Does the PIX 506 require an explicit deny statement after setting
up
 a
permit conduit or access list.

I appear to be receiving more traffic (e.g. NTP) than my conduit
   statements
allow.

Thanks much,
Steve
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27320t=26684



Re: PIX conduit access lists [7:26684]

2001-11-25 Thread Patrick W. Bass

Allen May  wrote in message
news:[EMAIL PROTECTED]...
 I'm not sure if this was answered or not, but a firewall always assumes a
 deny all at the end of the access-list for inbound.  Outbound is different
 since it allows all by default.


Remember this:  Higher security level to lower security level, implicitly
allowed.  Lower security level to higher security level, implicitly denied.
Otherwise it gets tricky once you start messing with multiple DMZs.

 Also, access-lists are the way to go since conduits will be phased out in
 the near future.

 Allen

 - Original Message -
 From: Steve Alston
 To:
 Sent: Monday, November 19, 2001 9:25 AM
 Subject: Re: PIX conduit  access lists [7:26684]


  Carroll,
    Thanks for the reply.  I'm using conduits now, but will switch to access
  lists in the future.  (I'd like to fully understand the configuration I
  inherited before I start making changes)  Are implicit denys inserted behind
  each conduit as well?
 
 
  Carroll Kong  wrote in message
  news:[EMAIL PROTECTED]...
   Implicit denys behind every access-list are inserted.  Are you
   mixing conduits and access-lists?  You really should not.  Use ALL conduits
   or ALL access-lists.  If both are used, conduits take priority and override
   your access-lists.  Access-lists are first match, conduits are any match.
  
   At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
   Does the PIX 506 require an explicit deny statement after setting up a
   permit conduit or access list.
  
   I appear to be receiving more traffic (e.g. NTP) than my conduit statements
   allow.
  
   Thanks much,
   Steve
   -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27293t=26684



PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston

Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list.

I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.

Thanks much,
Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26684t=26684



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong

Implicit denys behind every access-list are inserted.  Are you 
mixing conduits and access-lists?  You really should not.  Use ALL conduits 
or ALL access-lists.  If both are used, conduits take priority and override 
your access-lists.  Access-lists are first match, conduits are any match.

At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list.

I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.

Thanks much,
Steve
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26694t=26684
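The two matching rules Carroll names above ("access-lists are first match, conduits are any match", with an implicit deny behind every list) worked through in Python. This is an added example for the thread, not code from any poster here or from Cisco: the inside server, the single web permit and the arriving HTTP and NTP packets are constructed, and the conduit side is modelled only as far as the thread describes it (a matching permit conduit admits the packet, and conduits override the access-list when both exist), not as a full PIX emulation. The shadowed_entries helper is likewise my addition: on a first-match list a broader earlier entry makes later ones unreachable, which is the usual way an intended deny gets lost.

```python
"""Model of PIX access-list (first match, implicit deny) versus conduit
("any match") evaluation as described in this thread.  Added example, not
code from any poster or from Cisco; all hosts, rules and packets are
constructed, and the conduit model follows the thread's description only."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Entry:
    """One access-list entry or one conduit (same fields for this model)."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport))


def access_list_decision(entries: List[Entry], p: Packet) -> str:
    """First match wins.  Nothing matched means the implicit deny at the end."""
    for e in entries:
        if entry_matches(e, p):
            return e.action
    return "deny"


def conduit_decision(conduits: List[Entry], p: Packet) -> str:
    """'Any match': order is irrelevant; a matching permit conduit anywhere in
    the set admits the packet, otherwise it is implicitly denied."""
    if any(c.action == "permit" and entry_matches(c, p) for c in conduits):
        return "permit"
    return "deny"


def pix_decision(access_list: List[Entry], conduits: List[Entry], p: Packet) -> str:
    """Mixed configuration, which the thread warns against: a permit conduit
    overrides the access-list; only otherwise does the list get a say."""
    if conduits and conduit_decision(conduits, p) == "permit":
        return "permit"
    return access_list_decision(access_list, p)


def shadowed_entries(entries: List[Entry]) -> List[int]:
    """Indexes of entries that can never match because an earlier, broader
    entry already covers everything they would match (a first-match audit)."""
    shadowed = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.proto == "ip" or earlier.proto == later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed scenario modelled on Steve's question: one permit for web traffic
# to an inside server, and NTP arriving from outside that nothing permits.
SERVER = ipaddress.ip_network("192.0.2.10/32")
WEB_TO_SERVER = Entry("permit", "tcp", ANY4, SERVER, 80)
HTTP_IN = Packet("tcp", "203.0.113.5", "192.0.2.10", 80)
NTP_IN = Packet("udp", "203.0.113.5", "192.0.2.10", 123)

# The same two entries in two orders: only a first-match list cares.
DENY_WEB_FIRST = [Entry("deny", "tcp", ANY4, SERVER, 80), Entry("permit", "tcp", ANY4, SERVER)]
PERMIT_ALL_FIRST = list(reversed(DENY_WEB_FIRST))

if __name__ == "__main__":
    print("access-list, HTTP :", access_list_decision([WEB_TO_SERVER], HTTP_IN))
    print("access-list, NTP  :", access_list_decision([WEB_TO_SERVER], NTP_IN))
    print("conduit, NTP      :", conduit_decision([WEB_TO_SERVER], NTP_IN))
    print("deny-first order  :", access_list_decision(DENY_WEB_FIRST, HTTP_IN))
    print("permit-first order:", access_list_decision(PERMIT_ALL_FIRST, HTTP_IN),
          "shadowed:", shadowed_entries(PERMIT_ALL_FIRST))
```

Run directly it prints the verdicts; the deny-first and permit-first lists hold identical entries, and only their order decides whether port 80 is blocked, which is the property that makes the first-match audit worth running on any long list.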



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston

Carroll,
  Thanks for the reply.  I'm using conduits now, but will switch to access
lists in the future.  (I'd like to fully understand the configuration I
inherited before I start making changes)  Are implicit denys inserted behind
each conduit as well?


Carroll Kong  wrote in message
news:[EMAIL PROTECTED]...
 Implicit denys behind every access-list are inserted.  Are you
 mixing conduits and access-lists?  You really should not.  Use ALL conduits
 or ALL access-lists.  If both are used, conduits take priority and override
 your access-lists.  Access-lists are first match, conduits are any match.

 At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
 Does the PIX 506 require an explicit deny statement after setting up a
 permit conduit or access list.
 
 I appear to be receiving more traffic (e.g. NTP) than my conduit statements
 allow.
 
 Thanks much,
 Steve
 -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26700t=26684



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong

I believe so.

At 10:25 AM 11/19/01 -0500, Steve Alston wrote:
Carroll,
   Thanks for the reply.  I'm using conduits now, but will switch to access
lists in the future.  (I'd like to fully understand the configuration I
inherited before I start making changes)  Are implicit denys inserted behind
each conduit as well?


Carroll Kong  wrote in message
news:[EMAIL PROTECTED]...
  Implicit denys behind every access-list are inserted.  Are you
  mixing conduits and access-lists?  You really should not.  Use ALL conduits
  or ALL access-lists.  If both are used, conduits take priority and override
  your access-lists.  Access-lists are first match, conduits are any match.
 
  At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
  Does the PIX 506 require an explicit deny statement after setting up a
  permit conduit or access list.
  
  I appear to be receiving more traffic (e.g. NTP) than my conduit statements
  allow.
  
  Thanks much,
  Steve
  -Carroll Kong
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26705t=26684



Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen

I have an ethernet segment that I would like to put some restrictions on,
and after having played around with several solutions, I came to one that I
believe is the best. Please do not reply with "why don't you use the
firewall", or similar suggestions - because I am looking for a way to get
this solution to work.

I have placed a Cisco 2514 on a segment so I can create access-lists to
filter traffic. I want my segment to have the same IP addresses and be on
the same network, so I have assigned the 2514 as a bridge where both
ethernet interfaces have the same IP address, and are in the same
bridge-group. IP routing has been disabled.

This all works fine, except that any access-lists I create on either of the two
ethernet interfaces do not block anything at all - it's like access-lists
are being ignored when the interfaces work in bridging mode.

Here's how it looks, very simplified:

  internet---router---firewall---2514---switch---users and servers

A part of the config:

no ip routing
!
interface Ethernet0
 ip address 10.25.14.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
interface Ethernet1
 ip address 10.25.14.1 255.0.0.0
 ip access-group 100 in
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
bridge 1 protocol dec
!
ip classless
!
access-list 100 deny   ip any any
!

The e0 interface is connected to the firewall, the gateway router, and
eventually the Internet.
The e1 interface is connected to the switch connecting a workstation.

From that workstation I am browsing the web, but even with the deny ip any
any, I can keep browsing without being blocked.

Can someone explain this, and perhaps come up with a solution to fix this
problem on this router?

Thanks in advance,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24791t=24791



RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen

I think that would work, however, I would then look at layer 2 addresses
instead of layer 3 addresses, and controlling a group of people who can
access the web all the time, another group who can access it in certain time
frames, and a third group that cannot access it - would be a nightmare to
control with MAC addresses, instead of simply an array of IP addresses
specified by a wildcard.

Hmm, I got to dig a little more...

Thanks,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 10:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Bridging and Access-lists [7:24791]


Ole,

My thinking on this ...

When your ethernet frame (L2) hits the e1 interface the router will bridge
(L2) this to the e0 interface and not route (L3) it. Therefore the IP
access-list (L3) will not be used.

I did some work a couple of years ago on a dial-on-demand Bridging solution.
After a lot of head scratching we learned about extended bridging ACLs,
maybe you could use these?

I think they are range 1000 to 1100, you will need to check this.

What do you think?

Steven Dangerfield CCNP, CCSA, CSE

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: 31 October 2001 16:08
To: [EMAIL PROTECTED]
Subject: Bridging and Access-lists [7:24791]


I have an ethernet segment that I would like to put some restrictions on,
and after having played around with several solutions, I came to one that I
believe is the best. Please do not reply with "why don't you use the
firewall", or similar suggestions - because I am looking for a way to get
this solution to work.

I have placed a Cisco 2514 on a segment so I can create access-lists to
filter traffic. I want my segment to have the same IP addresses and be on
the same network, so I have assigned the 2514 as a bridge where both
ethernet interfaces have the same IP address, and are in the same
bridge-group. IP routing has been disabled.

This all works fine, except that any access-lists I create on either of the two
ethernet interfaces do not block anything at all - it's like access-lists
are being ignored when the interfaces work in bridging mode.

Here's how it looks, very simplified:

  internet---router---firewall---2514---switch---users and servers

A part of the config:

no ip routing
!
interface Ethernet0
 ip address 10.25.14.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
interface Ethernet1
 ip address 10.25.14.1 255.0.0.0
 ip access-group 100 in
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
bridge 1 protocol dec
!
ip classless
!
access-list 100 deny   ip any any
!

The e0 interface is connected to the firewall, the gateway router, and
eventually the Internet.
The e1 interface is connected to the switch connecting a workstation.

From that workstation I am browsing the web, but even with the deny ip any
any, I can keep browsing without being blocked.

Can someone explain this, and perhaps come up with a solution to fix this
problem on this router?

Thanks in advance,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24800t=24791



Re: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ed Horley

Is there a good reason that the bridge is set up as protocol dec?  I don't
know if it would work the way you have it configured using ieee instead.
Just a thought.

Ed

Ole Drews Jensen  wrote in message
news:[EMAIL PROTECTED]...
 I think that would work, however, I would then look at layer 2 addresses
 instead of layer 3 addresses, and controlling a group of people who can
 access the web all the time, another group who can access it in certain time
 frames, and a third group that cannot access it - would be a nightmare to
 control with MAC addresses, instead of simply an array of IP addresses
 specified by a wildcard.

 Hmm, I got to dig a little more...

 Thanks,

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, October 31, 2001 10:57 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Bridging and Access-lists [7:24791]


 Ole,

 My thinking on this ...

 When your ethernet frame (L2) hits the e1 interface the router will bridge
 (L2) this to the e0 interface and not route (L3) it. Therefore the IP
 access-list (L3) will not be used.

 I did some work a couple of years ago on a dial-on-demand Bridging solution.
 After a lot of head scratching we learned about extended bridging ACLs,
 maybe you could use these?

 I think they are range 1000 to 1100, you will need to check this.

 What do you think?

 Steven Dangerfield CCNP, CCSA, CSE

 -Original Message-
 From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
 Sent: 31 October 2001 16:08
 To: [EMAIL PROTECTED]
 Subject: Bridging and Access-lists [7:24791]


 I have an ethernet segment that I would like to put some restrictions on,
 and after having played around with several solutions, I came to one that I
 believe is the best. Please do not reply with "why don't you use the
 firewall", or similar suggestions - because I am looking for a way to get
 this solution to work.

 I have placed a Cisco 2514 on a segment so I can create access-lists to
 filter traffic. I want my segment to have the same IP addresses and be on
 the same network, so I have assigned the 2514 as a bridge where both
 ethernet interfaces have the same IP address, and are in the same
 bridge-group. IP routing has been disabled.

 This all works fine, except that any access-lists I create on either of the
 two ethernet interfaces do not block anything at all - it's like access-lists
 are being ignored when the interfaces work in bridging mode.

 Here's how it looks, very simplified:

   internet---router---firewall---2514---switch---users and servers

 A part of the config:

 no ip routing
 !
 interface Ethernet0
  ip address 10.25.14.1 255.0.0.0
  no ip directed-broadcast
  no ip route-cache
  no mop enabled
  bridge-group 1
 !
 interface Ethernet1
  ip address 10.25.14.1 255.0.0.0
  ip access-group 100 in
  no ip directed-broadcast
  no ip route-cache
  no mop enabled
  bridge-group 1
 !
 bridge 1 protocol dec
 !
 ip classless
 !
 access-list 100 deny   ip any any
 !

 The e0 interface is connected to the firewall, the gateway router, and
 eventually the Internet.
 The e1 interface is connected to the switch connecting a workstation.

 From that workstation I am browsing the web, but even with the deny ip any
 any, I can keep browsing without being blocked.

 Can someone explain this, and perhaps come up with a solution to fix this
 problem on this router?

 Thanks in advance,

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24808t=24791



RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen

It works as I said, and yes I have wondered why it set it to DEC, but I used
the auto setup procedure during startup after an erase star command, and
said yes to put both ethernet interfaces in bridging mode. It came up and
did the bridge 1 protocol dec by itself.

And I have tried to use the IEEE instead without any differences related to
my problem.

As I see it now - I would have to do one of two things:

1) Change some of my IP addresses so I can place devices on each side of the
router on different subnets (seen from the router's view), and then set it
up as routing instead of switching.

2) Add all the MAC addresses to the groups they belong, and then use
access-lists 700-799 (mac addresses).

Both solutions suck, so I am still looking for an easier 3rd solution.

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ed Horley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 12:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Bridging and Access-lists [7:24791]


Is there a good reason that the bridge is set up as protocol dec?  I don't
know if it would work the way you have it configured using ieee instead.
Just a thought.

Ed

Ole Drews Jensen  wrote in message
news:[EMAIL PROTECTED]...
 I think that would work, however, I would then look at layer 2 addresses
 instead of layer 3 addresses, and controlling a group of people who can
 access the web all the time, another group who can access it in certain time
 frames, and a third group that cannot access it - would be a nightmare to
 control with MAC addresses, instead of simply an array of IP addresses
 specified by a wildcard.

 Hmm, I got to dig a little more...

 Thanks,

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, October 31, 2001 10:57 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Bridging and Access-lists [7:24791]


 Ole,

 My thinking on this ...

 When your ethernet frame (L2) hits the e1 interface the router will bridge
 (L2) this to the e0 interface and not route (L3) it. Therefore the IP
 access-list (L3) will not be used.

 I did some work a couple of years ago on a dial-on-demand Bridging solution.
 After a lot of head scratching we learned about extended bridging ACLs,
 maybe you could use these?

 I think they are range 1000 to 1100, you will need to check this.

 What do you think?

 Steven Dangerfield CCNP, CCSA, CSE

 -Original Message-
 From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
 Sent: 31 October 2001 16:08
 To: [EMAIL PROTECTED]
 Subject: Bridging and Access-lists [7:24791]


 I have an ethernet segment that I would like to put some restrictions on,
 and after having played around with several solutions, I came to one that I
 believe is the best. Please do not reply with "why don't you use the
 firewall", or similar suggestions - because I am looking for a way to get
 this solution to work.

 I have placed a Cisco 2514 on a segment so I can create access-lists to
 filter traffic. I want my segment to have the same IP addresses and be on
 the same network, so I have assigned the 2514 as a bridge where both
 ethernet interfaces have the same IP address, and are in the same
 bridge-group. IP routing has been disabled.

 This all works fine, except that any access-lists I create on either of the
 two ethernet interfaces do not block anything at all - it's like access-lists
 are being ignored when the interfaces work in bridging mode.

 Here's how it looks, very simplified:

   internet---router---firewall---2514---switch---users and servers

 A part of the config:

 no ip routing
 !
 interface Ethernet0
  ip address 10.25.14.1 255.0.0.0
  no ip directed-broadcast
  no ip route-cache
  no mop enabled
  bridge-group 1
 !
 interface Ethernet1
  ip address 10.25.14.1 255.0.0.0
  ip access-group 100 in
  no ip directed-broadcast
  no ip route-cache
  no mop enabled
  bridge-group 1
 !
 bridge 1 protocol dec
 !
 ip classless
 !
 access-list 100 deny   ip any any
 !

 The e0 interface is connected to the firewall, the gateway router, and
 eventually the Internet.
 The e1 interface is connected to the switch connecting a workstation.

 From that workstation I am browsing the web, but even with the deny ip any
 any, I can keep browsing without being blocked.

 Can someone explain this, and perhaps come up with a 

Access-lists: Time-based and 700's [7:24821]

2001-10-31 Thread Ole Drews Jensen

I am not very lucky with this.

It seems like I have to use a 700's access-list to filter bridged interfaces
on their mac address, but that throws me into a new problem. As far as I can
see, the time-range option does not work on 700's access-lists - so I am
back to square 1 where I probably have to rearrange my entire network's IP
address scheme, so I can change the router where I want to filter from doing
bridging between interfaces, to doing routing.

If anyone has a better idea, PLEASE let me know.

Thanks,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24821t=24821



RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Bob Johnson

If you are bridging you can only use a layer 2 access list...
Essentially you'll only be able to block traffic based on MAC addressing...
I think the layer2 access lists start at 700...



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ole Drews Jensen
Sent: Wednesday, October 31, 2001 8:08 AM
To: [EMAIL PROTECTED]
Subject: Bridging and Access-lists [7:24791]


I have an ethernet segment that I would like to put some restrictions on,
and after having played around with several solutions, I came to one that I
believe is the best. Please do not reply with "why don't you use the
firewall", or similar suggestions - because I am looking for a way to get
this solution to work.

I have placed a Cisco 2514 on a segment so I can create access-lists to
filter traffic. I want my segment to have the same IP addresses and be on
the same network, so I have assigned the 2514 as a bridge where both
ethernet interfaces have the same IP address, and are in the same
bridge-group. IP routing has been disabled.

This all works fine, except that any access-lists I create on either of the two
ethernet interfaces do not block anything at all - it's like access-lists
are being ignored when the interfaces work in bridging mode.

Here's how it looks, very simplified:

  internet---router---firewall---2514---switch---users and servers

A part of the config:

no ip routing
!
interface Ethernet0
 ip address 10.25.14.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
interface Ethernet1
 ip address 10.25.14.1 255.0.0.0
 ip access-group 100 in
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
bridge 1 protocol dec
!
ip classless
!
access-list 100 deny   ip any any
!

The e0 interface is connected to the firewall, the gateway router, and
eventually the Internet.
The e1 interface is connected to the switch connecting a workstation.

From that workstation I am browsing the web, but even with the deny ip any
any, I can keep browsing without being blocked.

Can someone explain this, and perhaps come up with a solution to fix this
problem on this router?

Thanks in advance,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24797t=24791
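Steven's explanation (quoted in Ole's reply above) and Bob's point here say the same thing: a frame that is bridged never reaches the IP access-list, and the only filter on that path is a layer 2 list. The Python model below is an added example, not code from any poster or from Cisco. It reproduces the posted configuration (no ip routing, both Ethernets in bridge-group 1, access-list 100 applied inbound on Ethernet1) and contrasts it with the same list on a routing box and with a constructed 700-series list bound through `bridge-group 1 input-address-list`. The numbered-range table is the standard IOS one; the MAC addresses, IP addresses and 700-series entries are constructed, and the bridged-versus-routed decision is simplified to "no ip routing plus a bridge-group means the frame is bridged".

```python
"""Toy model of the IOS forwarding decision from this thread: an IP list bound
with 'ip access-group' is consulted only on the routed path; a transparently
bridged frame is switched at layer 2, where the only filter is a 48-bit MAC
list (700-799) bound with 'bridge-group N input-address-list'.  Added
example, not code from any poster or from Cisco; interface names follow the
posted config, all addresses and MAC-list entries are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY4 = ipaddress.ip_network("0.0.0.0/0")

IOS_ACL_RANGES = [
    ((1, 99), "IP standard"),
    ((100, 199), "IP extended"),
    ((200, 299), "protocol type-code"),
    ((700, 799), "48-bit MAC address"),
    ((1100, 1199), "extended 48-bit MAC address"),
    ((1300, 1999), "IP standard (expanded range)"),
    ((2000, 2699), "IP extended (expanded range)"),
]


def acl_type(number: int) -> str:
    """Name the family of a numbered IOS list; only the MAC families apply to bridged frames."""
    for (lo, hi), name in IOS_ACL_RANGES:
        if lo <= number <= hi:
            return name
    raise ValueError(f"access-list number {number} is outside the ranges modelled here")


@dataclass(frozen=True)
class Frame:
    src_mac: str     # dotted hex as IOS prints it, e.g. 0000.0c12.3456
    dst_mac: str
    src_ip: str
    dst_ip: str


IpEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # access-list 100 <action> ip <src> <dst>
MacEntry = Tuple[str, str, str]                                     # access-list 700 <action> <address> <mask>


@dataclass
class Interface:
    name: str
    bridge_group: Optional[int] = None                   # 'bridge-group N'
    ip_access_group_in: Optional[List[IpEntry]] = None   # 'ip access-group N in'


@dataclass
class Router:
    ip_routing: bool                                     # False after 'no ip routing'
    interfaces: Dict[str, Interface]
    input_address_list: Dict[int, List[MacEntry]] = field(default_factory=dict)  # bridge-group -> 700 list


def mac_matches(addr: str, pattern: str, mask: str) -> bool:
    """700-series mask semantics: a 1 bit in the mask means 'ignore this bit'."""
    a, p, m = (int(x.replace(".", ""), 16) for x in (addr, pattern, mask))
    return (a & ~m) == (p & ~m)


def ip_acl_decision(entries: List[IpEntry], f: Frame) -> str:
    for action, src, dst in entries:
        if ipaddress.ip_address(f.src_ip) in src and ipaddress.ip_address(f.dst_ip) in dst:
            return action
    return "deny"  # implicit deny


def mac_acl_decision(entries: List[MacEntry], f: Frame) -> str:
    for action, pattern, mask in entries:
        if mac_matches(f.src_mac, pattern, mask):
            return action
    return "deny"  # implicit deny: a 700 list holding only denies blocks every station


def forward(router: Router, ingress: str, f: Frame) -> Tuple[str, str]:
    """Return (verdict, path).  With 'no ip routing' a bridge-group interface
    bridges everything; otherwise IP is routed (simplified for this model)."""
    intf = router.interfaces[ingress]
    if intf.bridge_group is not None and not router.ip_routing:
        mac_list = router.input_address_list.get(intf.bridge_group)
        if mac_list is not None and mac_acl_decision(mac_list, f) == "deny":
            return ("drop", "bridged")
        return ("forward", "bridged")   # 'ip access-group' is never consulted on this path
    if intf.ip_access_group_in is not None and ip_acl_decision(intf.ip_access_group_in, f) == "deny":
        return ("drop", "routed")
    return ("forward", "routed")


DENY_ALL_IP: List[IpEntry] = [("deny", ANY4, ANY4)]     # access-list 100 deny ip any any
WORKSTATION = Frame("0000.0c12.3456", "0000.0c99.0001", "10.25.14.50", "198.51.100.10")
OTHER_HOST = Frame("0000.0c12.aaaa", "0000.0c99.0001", "10.25.14.51", "198.51.100.10")


def posted_config() -> Router:
    """Ole's config as posted: no ip routing, both Ethernets in bridge-group 1,
    access-list 100 applied inbound on Ethernet1."""
    return Router(ip_routing=False, interfaces={
        "Ethernet0": Interface("Ethernet0", bridge_group=1),
        "Ethernet1": Interface("Ethernet1", bridge_group=1, ip_access_group_in=DENY_ALL_IP),
    })


def routed_config() -> Router:
    """Same list on a box that routes between the two interfaces (for contrast)."""
    return Router(ip_routing=True, interfaces={
        "Ethernet0": Interface("Ethernet0"),
        "Ethernet1": Interface("Ethernet1", ip_access_group_in=DENY_ALL_IP),
    })


def mac_filtered_config() -> Router:
    """Bridging kept; one station blocked by a constructed 700-series list:
       access-list 700 deny 0000.0c12.3456 0000.0000.0000
       access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
       bridge-group 1 input-address-list 700   (on both interfaces)
    The trailing permit is required: without it the implicit deny drops everyone."""
    r = posted_config()
    r.input_address_list[1] = [("deny", "0000.0c12.3456", "0000.0000.0000"),
                               ("permit", "0000.0000.0000", "ffff.ffff.ffff")]
    return r


if __name__ == "__main__":
    for label, router in [("posted (bridged)", posted_config()), ("routed", routed_config()),
                          ("bridged + 700 list", mac_filtered_config())]:
        print(f"{label:20s} {forward(router, 'Ethernet1', WORKSTATION)}")
```

Run directly it prints forward/bridged for the posted config, drop/routed for the routing variant, and drop/bridged once the 700-series list is bound. Two caveats the model makes visible: a 700 list ends in the same implicit deny as every IOS list, so it needs a permit-any entry or it blocks every station; and because the list is evaluated against the frame, nothing from the IP header (the wildcard-addressed groups Ole wants) is available on that path, which is why the MAC route turns into per-station bookkeeping.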



Re: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ed Horley

I know you said in the initial set up that you didn't want a firewall
comment; however, I may have a solution that you are interested in.
The NetScreen firewalls can operate in what is called transparent mode.  It
then is a layer 2 filter that does wire speed packet inspection for layer
3/4 rules.  Way cool stuff.  It doesn't have actual IP addresses on the
actual Ethernet interfaces; it does have an IP for management of the
NetScreen.  My understanding is it acts like a bridge, however it can still
inspect packets and apply rules based on layer 2/4 rules.  That might do
what you are looking for.

Regards,
Ed


Ole Drews Jensen  wrote in message
news:[EMAIL PROTECTED]...
 It works as I said, and yes I have wondered why it set it to DEC, but I used
 the auto setup procedure during startup after an erase star command, and
 said yes to put both ethernet interfaces in bridging mode. It came up and
 did the bridge 1 protocol dec by itself.

 And I have tried to use the IEEE instead without any differences related to
 my problem.

 As I see it now - I would have to do one of two things:

 1) Change some of my IP addresses so I can place devices on each side of the
 router on different subnets (seen from the router's view), and then set it
 up as routing instead of switching.

 2) Add all the MAC addresses to the groups they belong, and then use
 access-lists 700-799 (mac addresses).

 Both solutions suck, so I am still looking for an easier 3rd solution.

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~


 -Original Message-
 From: Ed Horley [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, October 31, 2001 12:31 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Bridging and Access-lists [7:24791]


 Is there a good reason that the bridge is set up as protocol dec?  I don't
 know if it would work the way you have it configured using ieee instead.
 Just a thought.

 Ed

 Ole Drews Jensen  wrote in message
 news:[EMAIL PROTECTED]...
  I think that would work, however, I would then look at layer 2 addresses
  instead of layer 3 addresses, and controlling a group of people who can
  access the web all the time, another group who can access it in certain time
  frames, and a third group that cannot access it - would be a nightmare to
  control with MAC addresses, instead of simply an array of IP addresses
  specified by a wildcard.
 
  Hmm, I got to dig a little more...
 
  Thanks,
 
  Ole
 
  ~~~
   Ole Drews Jensen
   Systems Network Manager
   CCNP, MCSE, MCP+I
   RWR Enterprises, Inc.
   [EMAIL PROTECTED]
  ~~~
   http://www.RouterChief.com
  ~~~
   NEED A JOB ???
   http://www.oledrews.com/job
  ~~~
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, October 31, 2001 10:57 AM
  To: [EMAIL PROTECTED]
  Subject: RE: Bridging and Access-lists [7:24791]
 
 
  Ole,
 
  My thinking on this ...
 
  When your ethernet frame (L2) hits the e1 interface the router will bridge
  (L2) this to the e0 interface and not route (L3) it. Therefore the IP
  access-list (L3) will not be used.
 
  I did some work a couple of years ago on a dial-on-demand Bridging solution.
  After a lot of head scratching we learned about extended bridging ACLs,
  maybe you could use these?
 
  I think they are range 1000 to 1100, you will need to check this.
 
  What do you think?
 
  Steven Dangerfield CCNP, CCSA, CSE
 
  -Original Message-
  From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
  Sent: 31 October 2001 16:08
  To: [EMAIL PROTECTED]
  Subject: Bridging and Access-lists [7:24791]
 
 
  I have an ethernet segment that I would like to put some restrictions on,
  and after having played around with several solutions, I came to one that I
  believe is the best. Please do not reply with "why don't you use the
  firewall", or similar suggestions - because I am looking for a way to get
  this solution to work.
 
  I have placed a Cisco 2514 on a segment so I can create access-lists to
  filter traffic. I want my segment to have the same IP addresses and be on
  the same network, so I have assigned the 2514 as a bridge where both
  ethernet interfaces have the same IP address, and are in the same
  bridge-group. IP routing has been disabled.
 
  This all works fine, except that any access-lists I create on either of the
  two ethernet interfaces do not block anything at all - it's like access-lists
  are being ignored when the interfaces work in bridging mode.
 
  Here's how it looks, very simplified:
 
internet---router--

PIX subnet access-lists [7:23797]

2001-10-22 Thread John Zei

Does anyone know the access-list command that would allow an entire subnet
into an ftp site?  Here are some examples of what I've tried:
access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host
124.49.114.6 eq ftp
access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host
124.49.114.6 255.255.255.255 eq ftp

Neither of these worked.

Thanks,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23797t=23797
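John's question gets no reply in this archive, so here is an added checker for the PIX `access-list` syntax he is fighting (not code from any poster or from Cisco). Two points of PIX syntax explain why both lines were rejected: the `host` keyword takes exactly one address and no mask, and a subnet is written as the network address followed by its subnet mask (255.255.255.0 style, not the IOS wildcard 0.0.0.255), so the form the PIX accepts for his first line is `access-list acl_out permit tcp 212.113.2.0 255.255.255.0 host 124.49.114.6 eq ftp`. The list name and addresses in the samples are the ones from the post; the service-name table is a small constructed subset, and only the `eq <port>` operator is handled.

```python
"""Syntax checker for PIX 'access-list' lines of the form used in this post.
Added example, not code from any poster or from Cisco.  It enforces the two
PIX rules that John's lines break: 'host' takes a single address with no
mask, and a subnet is written as address plus subnet mask (not a wildcard)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the service names the PIX understands after 'eq'.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "https": 443}
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class PixSyntaxError(ValueError):
    pass


@dataclass(frozen=True)
class AccessListEntry:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def is_subnet_mask(text: str) -> bool:
    """True for a contiguous netmask (1s then 0s): 255.255.255.0 yes, 0.0.0.255 no."""
    try:
        m = int(ipaddress.IPv4Address(text))
    except ValueError:
        return False
    inverted = m ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def take_address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tokens[i]: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    if i >= len(tokens):
        raise PixSyntaxError("address expected but the line ended")
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        if i + 1 >= len(tokens) or not DOTTED_QUAD.fullmatch(tokens[i + 1]):
            raise PixSyntaxError("'host' must be followed by a single address")
        addr = tokens[i + 1]
        if i + 2 < len(tokens) and DOTTED_QUAD.fullmatch(tokens[i + 2]):
            # The mistake in both of John's lines: 'host' followed by a mask.
            raise PixSyntaxError(f"'host {addr}' takes no mask; for a subnet write "
                                 f"'{addr} {tokens[i + 2]}' without 'host'")
        return ipaddress.ip_network(f"{addr}/32"), i + 2
    if DOTTED_QUAD.fullmatch(tok):
        if i + 1 >= len(tokens) or not DOTTED_QUAD.fullmatch(tokens[i + 1]):
            raise PixSyntaxError(f"network {tok} needs a subnet mask (or use 'host {tok}')")
        mask = tokens[i + 1]
        if not is_subnet_mask(mask):
            raise PixSyntaxError(f"{mask} is not a subnet mask; the PIX takes 255.255.255.0 "
                                 "style masks, not IOS wildcard masks")
        try:
            return ipaddress.ip_network(f"{tok}/{mask}", strict=True), i + 2
        except ValueError as exc:
            raise PixSyntaxError(f"{tok} {mask}: {exc}") from None
    raise PixSyntaxError(f"unexpected token {tok!r} where an address was expected")


def parse_access_list(line: str) -> AccessListEntry:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise PixSyntaxError("expected: access-list <name> permit|deny <proto> <src> <dst> [eq <port>]")
    name, action, proto = t[1], t[2], t[3]
    if action not in ("permit", "deny"):
        raise PixSyntaxError(f"action must be permit or deny, not {action!r}")
    if proto not in ("ip", "tcp", "udp", "icmp"):
        raise PixSyntaxError(f"unsupported protocol {proto!r}")
    src, i = take_address(t, 4)
    dst, i = take_address(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or i + 1 >= len(t):
            raise PixSyntaxError(f"unexpected trailing tokens: {' '.join(t[i:])}")
        if proto not in ("tcp", "udp"):
            raise PixSyntaxError("'eq <port>' is only valid for tcp and udp")
        port = t[i + 1]
        dport = int(port) if port.isdigit() else SERVICE_PORTS.get(port)
        if dport is None:
            raise PixSyntaxError(f"unknown service name {port!r}")
        i += 2
    if i != len(t):
        raise PixSyntaxError(f"unexpected trailing tokens: {' '.join(t[i:])}")
    return AccessListEntry(name, action, proto, src, dst, dport)


def try_parse(line: str) -> Tuple[Optional[AccessListEntry], Optional[str]]:
    """(entry, None) on success, (None, message) on any syntax or address error."""
    try:
        return parse_access_list(line), None
    except ValueError as exc:
        return None, str(exc)


# The two lines from the post, and the form the PIX accepts for the whole /24.
JOHNS_ATTEMPTS = [
    "access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host 124.49.114.6 eq ftp",
    "access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host 124.49.114.6 255.255.255.255 eq ftp",
]
CORRECTED = "access-list acl_out permit tcp 212.113.2.0 255.255.255.0 host 124.49.114.6 eq ftp"

if __name__ == "__main__":
    for line in JOHNS_ATTEMPTS + [CORRECTED]:
        entry, err = try_parse(line)
        print(line, "\n  ->", err or f"src {entry.src} dst {entry.dst} port {entry.dport}")
```

The wildcard check matters when lines are copied across from IOS: `212.113.2.0 0.0.0.255` is a valid IOS source but, on a PIX, a nonsensical mask, and a checker that silently inverted it would hide the mistake rather than flag it.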


