,Hie
you could start with troubleshooting the dialer.
debug dialer
This will give insight as to what is happening
cheers
bosire
John Brandis wrote:
> having problems applying an access list to my dialer interface. After
> creating my access list, I then apply it to the interface but it do
This may seem like a dumb question, but what are you trying to get the
access list to do - specifically?
---JRE---
""John Brandis"" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> having problems applying an access list to my dialer interface. After
> creating
>I have the Sybex book by Todd Lammle and in it he
>says:
>Place the IP standard access lists as close to the
>destination as possible.
>Place the IP extended access lists as close to the
>source as possible.
>But on the CD that has a practice exam on it, he has
>it the other way around. Could som
For Standard Access Lists the decision to forward is based on the source
address. This is why you need to place the list as close to the destination
as possible (to allow access to intermediary devices).
HTH,
Tom
--
Tom Keough MCSE CCNA
AT&T Global Network Solutions
Standard Access Management
Ma
Extended Access Lists give you more choices since they can filter on more
than the source address. The location depends on the purpose of the list.
Tom
--
Tom Keough MCSE CCNA
AT&T Global Network Solutions
Standard Access Management
Managed Router Service
Tier 2 Technical Support
Tampa, Florida
As a general rule, Standard access lists 0-99
should go as close to the destination as possible, and extended 100-199 should
be as close to the source as possible. The exception would be when
simplicity or ease is evident. apply it to one port on one router or
50 ports on 50 routers? go
I think it would make sense to put it on the Ethernet Interface (out) so
that the router applies the access list only once, instead of on each
individual dial-up port.
Is this right?
Original Message Follows
From: "Palis Michael" <[EMAIL PROTECTED]>
Reply-To: "Palis Michael" <[EMAIL P
But it still is only going to apply it once! On every individual dial-up!
-Original Message-
From: Ejay Hire [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 15, 2000 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Access-lists
I think it would make sense to put it on the Ethernet
Think in terms of the OSI model ( much as we all hate it and denigrate it )
At what layer is the switch operating? I.e. is it a layer 3 switch? What
device is doing the inter-vlan routing? The switch or an external router?
That said, will you ever need to telnet to the switch, which should help
Not seeing a line denying tcp:80 means something very important.
Possibly post your access-list here, and give us a small diagram of
addressing. Are you using extended, or standard access-lists?
For example, a standard
access-list 1 permit ip 10.0.0.0 0.0.255.255
will permit anything from sub
Title: Access-Lists
It has
something to do with DNS.
TIPS:
Access-lists is taken from the word Access Layer from Cisco 3 layer
system.
With Sincerity, Wisin http://www.ciscosite.com-Original Message-From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Deloso,
Elmer G.Sen
Well... So you don't have to type it in several times, I used to think...
But really, the logical way it is set up is creating the access list, and
applying the access group. You could ask this question of any config
command that you think should be applied at an individual interface.
Correct m
Let me explain.
There are several commands in IOS that use a
access-list to decide what to permit/deny, etc
(access-group, etc). You may be using several of these
commands in your configuration and they can point to
the same access-list # if you have a common rule set
up or different ACL #s if t
http://www.nwc.com/907/907ws1.html
Balal Mahmood wrote:
> can someone explain how access lists work?
___
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct a
the difference would be if you were using standard or extended access
lists.
apply standard access lists at the destination router
apply extended access lists at the source router
so for your example to block access to lan B from lan A
apply a standard access list to the in port of router B
or
At 08:22 18.5.2000, Palis Michael wrote:
>I am configuring an access-list in oder to allow only WWW and DNS to go
>into my net.
>
>Here is the configuration
>
>
>internetrouter--internal network
>
>access list is
>
>access-list 110 permit tcp any any eq www
>access-list 110 permit tcp any any
The reply coming back will be on a random numbered port greater than 1023,
if you open up all UDP ports greater than 1023 then the response will be
allowed back in. Also you probably don't need to permit TCP domain. ALl DNS
lookups happen using UDP port 53. DNS zone transfers (which only need to
You have to grant access to the ports upper than
1024.
""Palis Michael"" <[EMAIL PROTECTED]> wrote in
message 005501bfc0a2$39dd42a0$[EMAIL PROTECTED]">news:005501bfc0a2$39dd42a0$[EMAIL PROTECTED]...
I am configuring an access-list in oder to allow
only WWW and DNS to go into my net.
Why don't you just use one access list on the 192.168.x.x network router to
deny it from seeing any traffic from the 10 network?
eg.
#access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
#access-list 101 permit any any
Apply this outbound to the 192.168.x.x interface and you sh
Extended ACLs place the source address first, so that line should read:
access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
Even this won't have the entire desired effect. This may prevent the setup
of TCP connections, but UDP traffic from th
OTECTED]] On Behalf Of John
Neiberger
Sent: Wednesday, July 05, 2000 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Access Lists
Extended ACLs place the source address first, so that line should read:
access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 10
Hi Guys,
Just as a side note to the current ACL discussions, I recently added a
section to my web site that contains a collection of articles and resources
that deal with Cisco ACL issues. See http://www.itprc.com/security.htm
The articles are:
Access Lists: Tricks of the Trade - CertificationZ
Use a terminal emulator (I know Procomm Plus does this) and cut the access
list. Put it to notepad and edit the list just the way that you want it in
the correct order.
You will need to prepend to this list the correct access list command and
access list number that you want to use. Then paste
remove
the old access-list with a no access-list # before pasteing back the new
one.
Johnny
- Original Message -
From: "Swart, Douwe" <[EMAIL PROTECTED]>
To: "'Palikhey, Niraj'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, June 15,
"Swart, Douwe" wrote:
>
> Use a terminal emulator (I know Procomm Plus does this) and cut the
> access list. Put it to notepad and edit the list just the way that
> you want it in the correct order.
You will need to prepend a 'no access-list xxx' or 'no ip access-list
extended xyzzy' (or what
How about named access lists?
"Palikhey, Niraj" wrote:
> Hi,
> I am trying to understand something with access-lists. They say that when
> you put in a new entry to an existing access-list, it will be written at the
> end of the existing list. So If I have a deny any any at the end of the list
>
Niraj'; [EMAIL PROTECTED]
Subject: Re: Access-lists question??
Guys, be very careful with advice on access-list on production routers. The
best practice for adding or changing access-list is to remove it from the
interface before modifying it. The implicit deny all can be a real disaster
with typ
On Nov 5, 11:41am, "Johnny Dedon" wrote:
}
} Guys, be very careful with advice on access-list on production routers. The
} best practice for adding or changing access-list is to remove it from the
} interface before modifying it. The implicit deny all can be a real disaster
} with typos and the
Thank you very much!!
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 28, 2000 5:18 AM
To: Johnny Dedon; Swart, Douwe; Palikhey, Niraj; [EMAIL PROTECTED]
Subject: Re: Access-lists question??
On Nov 5, 11:41am, "Johnny Dedon" wrote
Assuming a /24 prefix a statement to permit all odd source addresses in
the last octet would look like this:
access-list 101 permit ip 0.0.0.1 255.255.255.254 any
The mask of 255.255.255.254 indicates all bit postitions except the last
position in the last octet are "don't care" bits. Therefore
Standard access lists should be placed as close as possible to the
destination of the filtered traffic.
Extended access lists should be placed as close as possible to the source of
the filtered traffic.
Peter Kurdziel
CCNA, CCDA, 1/4 CCNP (BCSN), MCSE, MCP+i
Flash: www.inotez.com
Cisco IOS Access Lists by Jeff Sedayao
Published by O'Reilly
ISBN 1-56592-385-5
HTH
Dom Stocqueler
"Fermanis Tim
G
Contr USAFE
Tim,
I found that most books are not nearly as good as the Cisco website. On CCO,
I have so far always been able to find much more info than any book can give
me, including configuration examples and various scenarios. Takes a little
more effort, but I am almost convinced that you can much more d
Tim,
IMHO, you can't go wrong with "Cisco Access Lists" by Gil Held & Kent
Hundley isbn 0072123354. This is one of the few books I keep close by.
Kevin
"Fermanis Tim G Contr USAFE CSS/SCOG" wrote
in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I'm looking to buy a book on Access lis
Thats one of my favorites as well. Its well written and detailed, and most
importantly concise.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
kevhed
Sent: Friday, February 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Access Lists [7:34023
access-list 101 permit tcp any any established
access-list 101 deny ip any any
""Joe Morabito"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> How can you apply an access list to a serial interface to block all
internet
> traffic without disabling the inside people from getting
Joe,
If you are implying that you dont want users / hackers /
crackers from outside your company getting access to your internal network ,
then here is what u need 2 do...
create an extended access list with an established setting pointing
inwards... and deny everything else. that sh
I would use something like the access-list below and apply it inbound to
your serial interface. Replace the 210.145.3.128 0.0.0.63 with your subnet.
It might be a good idea to log the deny packets to a syslog server.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny
might that second line more properly be:
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
from the context, it would appear you want to deny inbound from the private
IP space 172.16.0.0 through 172.31.255.255
0001 thru
0001
the match is ?
otherwise I read i
If CBAC is available, use it along with access-list
ip inspect name tcp
ip inspect name ucp
It will give you a stateful firewall.
-Michael
"Joe Morabito" wrote in message ...
>How can you apply an access list to a serial interface to block all
internet
>traffic without disabling the inside peop
use a reflexive access list
-Original Message-
From: Santosh Koshy [mailto:[EMAIL PROTECTED]]
Sent: 28 July 2001 04:02
To: [EMAIL PROTECTED]
Subject: Re: access lists [7:13928]
Joe,
If you are implying that you dont want users / hackers /
crackers from outside your company
O'Reilly's book on Cisco access lists is pretty good...
""newbie newbie"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hello All,
>
> Can anyone recommend good books to read when one wants to configure
> access-lists on Cisco devices?
>
> Thanks
>
> James
Message Posted a
Thanks for the input Dennis, I will check it out.
James
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16721&t=16693
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and
also check out Held & Hundley - Cisco Access List Field Guide, or something
like that. Excellent reading. lots of config examples.
Chuck
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 10:09 AM
To: [EMAIL PROTECTED]
Subject: Access-Lis
Are your people dialing in having to go through your company proxy server to
get to the internet? If so, they're probably talking with the proxy server,
which no doubt would have an internal address and be let through by that
access list.
Which interface are you applying this access-list? In wh
Is 165.5.x.x the range of your internal network or the range of addresses
that your dial in users are assigned to? This list says that any packet
whose source address is 165.5.x.x can be destined for anywhere. If you want
to restrict which subnets they can get to make some more lines specifyi
Jill,
How did you apply the list? To what interface? In which direction?
Timothy Estes NA,DA
-Original Message-
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]
We have a Cisco 5300 Dial-up.
On what interface(s) is that ACL applied? The way you've written it, the
ACL permits IP traffic with a source address of 165.5.x.x, and the
second (unnecessary) line denies all other traffic. If that ACL is
applied on the interfaces that your users dial into, then it won't
accomplish much. If you'
You Probably have to provide more information.
1. Are your users dialing into a router(Access server) or through a RAS card
on a
computer system?
2. The answer to ques1 is through a router, then is the router also the
router that
connect to the internet or you have another gateway router
You don't give much info. What addresses are you handing out via your
pool? Where are you applying the acess-list?
When I had done something similiar long time ago, employees and
faculty total access, customers limited. Set up two access-lists and
access lists were applied to user via authen
On what interface(s) is that ACL applied? The way you've written it, the
ACL permits IP traffic with a source address of 165.5.x.x, and the
second (unnecessary) line denies all other traffic. If that ACL is
applied on the interfaces that your users dial into, then it won't
accomplish much. If you'
Yes. You are allowing anyone coming from 165.5.0.0 to go anywhere and
denying from anywhere to anywhere.
Not knowing you IP structure I would say.
access-list 110 permit ip x.x.x.0 0.0.0.255 (IP range assigned to dial-in)
165.5.0.0 0.0.255.255 (IP range of your internal network)
access-list 110
Jill,
Your acl says "allow any source ip from 165.5.0.0 to access any destination
IP address". This is probably not what you want. You probably want to
allow any IP address to access anything in the 165.5.0.0 address range.
(assuming that 165.5.0.0 is your internal network.)
Your acl should be
Hi
There is an explicit deny any any invisible at the end of each access list.
You are denying all traffic.
Try something like:
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
""norsyam ariffin"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi guys
If that is your entire access list then you are missing some permit
statements. Remember that there is an implicit "deny all" at the end of
an access list, so in your case you are denying everything. Add the
necessary permit statements and all should be well.
HTH,
John
>>> "norsyam ariffin" 9
Looks like you probably want to change to "ip access-group 101 in" on your
ethernet as well, if you are trying to block users on your ethernet
interface, otherwise, you're just stopping people outside browsing web
servers on your network.
Gaz
""John Neiberger"" wrote in message
[EMAIL PROTECTE
Being a somewhat paranoid fellow, have u thought about permitting the mail
retrieval port and blocking all else??
Brian "Sonic" Whalen
Success = Preparation + Opportunity
On Wed, 19 Sep 2001, Antonio Del Grosso wrote:
> Hi
>
> There is an explicit deny any any invisible at the end of each acce
Scott,
The following example will block the full suite of NetBios inbound to you
(presumably 195.50.79.0/24). This is not a complete ACL -- it will be
necessary to either specifically allow the traffic you desire inbound, or
add another line to the bottom (currently commented out) permitting
Woah! Make sure you do a permit any any first. Remember that there is an
implicit deny any at the end of your access list! There shouldn't be a
problem stopping NetBIOS at the router, a better example might look like
below.
Ex.:
access-list 101 deny udp any any eq 137
access-list 101 permit a
Hi
If you need to pass VPN traffic you will need to add permits for GRE and ESP
as well.
HTH
John Hardman CCNP MCSE+I
"John Starta" <[EMAIL PROTECTED]> wrote in message
5.0.2.1.2.20010117135118.037b0d10@popcorn">news:5.0.2.1.2.20010117135118.037b0d10@popcorn...
> Scott,
>
> The following examp
Remember, the fewer lines an ACL is, the faster it is parsed, the faster
packets pass:
access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 137 139
--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [E
Thanks everyone for helping out. I think Jason's suggestion along with the
permit any/any line is probably the way to go for us. So basically, I will
have the following:
access-list 101 deny udp any 195.50.79.0 0.0.0.255 range 137 139
access-list 101 deny tcp any 195.50.79.0 0.0.0.255 range 13
OK I'm a little confused, but I'm assuming you mean reverse NAT used as a
static translation to provide a public IP to an internal IP? If so you only
open the needed ports to that server. If you know all of the networks and
subnets that users will be coming from you can limit source IP's to only
If no host replies to the routers arp request, the packet is dropped.
Does anybody know if a ICMP host unreachable message may be sent from the
router?
-Ejay
-Original Message-
From: Stephen Hoover [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 21, 2001 4:30 PM
To:
Subject: Access-li
ny
no cdp run
!
line con 0
transport input none
!
end
- Original Message -
From: "Allen May"
To:
Sent: Thursday, June 21, 2001 4:09 PM
Subject: Re: Access-lists and NAT [7:9417]
> OK I'm a little confused, but I'm assuming you mean reverse NAT used as a
>
Hi,
This depends on what you are trying to acheive but under most circumstances
one would tend to block the traffic at the entry point. For example, if it
was traffic from the WAN the block it coming in on the WAN interface. If
however you wanted to see the traffic in the router for some reason
endorsed by it.
***
-Original Message-
From: Tony van Ree [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 16:41
To: [EMAIL PROTECTED]
Subject: Re: Access List
x27;t originate a connection. This last step would make the current IIS
worm die pretty quickly.
Brian
- Original Message -
From: "Tony van Ree"
To:
Sent: Monday, August 13, 2001 12:11 AM
Subject: Re: Access Lists On Routers [7:15830]
> Hi,
>
> This depends on what y
n_guide_chapter09186a00800d9816.html
This would be helpfull. I found it by searching the key words "configurring
access lists".
""Geert Loonbeek"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hello
> I'm looking for a good and free of charge study guide on access lists/
> sta
The "block size" will usually be a factor of 2, and the actual value of
octets will usually be (factor of 2)-1.
I think you'll find that, if the above is not the case, then the addresses
will not be consecutive.
I think there was a thread a few weeks ago, where someone wanted to filter
odd or even
written.nothe exam covers a lot of things (some basic...like what
happens when a particular signal is recived on an ethernet line)
but no Reflexive(enought though they are cool)
on the lab..again no but the lab seems to be changeing daily??...
HTH
Steve
>From: "Cesar Sugui
What does the lab criteria on the Cisco website state?
If it is listed. Then it CAN and WILL be there.
http://www.cisco.com/warp/public/625/ccie/certifications/routing.html
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5433&t=5366
--
> Can someone tell me the command sequence on a Cisco 3500
> switch to set up an ACL?
It's just like a router:
ACCESS-LIST 1 permit x.x.x.x
Then you can apply it to your line interface:
line vty 0 15
access-class 1 in
Message Posted at:
http://www.groupstudy.com/f
PROTECTED]
Subject: Re: access lists + static routing [7:58543]
> n_guide_chapter09186a00800d9816.html
This would be helpfull. I found it by searching the key words "configurring
access lists".
""Geert Loonbeek"" wrote in message
[EMAIL PROTECTED]">news:[
t begin a post to the mail list with an URL.
> Type a line of text first, then paste the URL. The filters are designed
to
> look for an URL at the top of the post, to filter out spam.
>
> BJ
>
>
> ---Original Message---
> From: Charlie
> Sent: 12/04/02 10:24 AM
&g
Hi Anil,
Sometimes its scaring posting to this group. =)
To answer your question,
if you don't the permit IP any any command, there is an implicit deny rule
at the end of an access-list, which will drop all traffic that you have not
allowed through the access-list.
The other two deny statement
21, 2002 10:17 PM
Subject: RE: Access Lists are a bit mystifying [7:36164]
> Hi Anil,
>
> Sometimes its scaring posting to this group. =)
>
> To answer your question,
> if you don't the permit IP any any command, there is an implicit deny rule
> at the end of an ac
gt;
> Thanx for the reply (and the kid gloves). :-)
> Anil Gupte
>
> - Original Message -
> From: "Scott Nawalaniec"
> To: "'Anil Gupte'" ;
> Sent: Thursday, February 21, 2002 10:17 PM
> Subject: RE: Access Lists are a bit mystifying [7:36164]
>
>
Remember the model OSI model. IP can have multiple higher level protocols
running over it. So IP uses protocol numbers to identify the higher level
protocol that it should send the data to. If you do a deny ? on a router
you will see all the different protocols (eigrp, gre, icmp, ospf, pim, tcp
access-group secure2 in
exit
wr
Thanx again,
Anil Gupte
- Original Message -
From: "Tom Petzold"
To: "Anil Gupte" ;
Sent: Friday, February 22, 2002 11:35 AM
Subject: RE: Access Lists are a bit mystifying [7:36164]
> Remember the model OSI model. IP can hav
Last time I looked it up, Unless software has changed, the 2948G-L3 only
supported standard access-lists.
I could be wrong, did you try upgrading software ?
Tony M.
- Original Message -
From: "sam sneed"
To:
Sent: Wednesday, August 22, 2001 7:42 AM
Subject: access-lists supported on
I haven't upgraded. I have only been working with cisco stuff for 3 months
so I'm kind of new to this and passing my CCNA didn't do me much good with
this problem.
This is the version. I think its current:
Cisco-2948GL3#sh ver
Cisco Internetwork Operating System Software
IOS (tm) L3 Switch/Router
I just did a PIX install, and I don't recall the "inbound / outbound"
statements, I do recall applying the ACL's with an inbound statement. I
even remember that ACL's can only be applied inbound, which I thought of as
a limitation, though I can't come up with a scenario off the top of my head
to
83 matches
Mail list logo
