Posted by André Rodi on May 22, 2008, 6:47 am

I'm relatively new in Cisco administration, so if my question seems to be evident, or if the answer is already in a printed manual, thanks to answer to me anyway. I'm frustrated each time I ask a question on this group without answer.

Also, English is not my mother-tongue language. Now, the problem:

After properly configuring a static NAT on a Cisco ASA 5510, I'd like to create access lists, based on roles, using object-groups.

For instance, service object groups called web servers, mail servers, database servers, etc. These object groups will be linked with object groups called mail users, storage customers, administrators, etc. using access lists.

I hope it's clear.

Now, I have two questions:

1. Is this approach good? I'd like to just add an IP address into an object group without needing to reconfigure access lists.

2. Is there a way to apply an access-list for debug, without activating the final blocking or rejection? A sort of dry-run, that makes me sure that I'll not break my remote connection for administration.

For instance, when I use iptables with Linux, the last rule of incoming traffic is log, and I fix the Policy flag to drop only when I'm sure that I can continue to administrate the server remotely.

Thanks,
André Rodier.
Posted by Bod43 on May 22, 2008, 7:57 am

I am not familiar with the Cisco ASA 5510; however, on a router, which has many similarities - and some deadly differences - it would be possible to create the ACL with only permit statements (remember the permit any any at the end) and to log the ACL matches.

Once you were happy, recast with deny where required.

This would be pretty tedious and error prone though.

Look for

access-list x permit any any log

sort of thing.
Posted by André Rodi on May 22, 2008, 8:47 am

On Thu, 22 May 2008 04:57:48 -0700, Bod43 wrote:

>> Hello all,
>>
>> I'm relatively new in Cisco administration, so if my question seems to
>> be evident, or if the answer is already in a printed manual, thanks to
>> answer to me anyway. I'm frustrated each time I ask a question on this
>> group without answer.
>>
>> Also, English is not my mother-tongue language. Now, the problem:
>>
>> After properly configuring a static NAT on a Cisco ASA 5510, I'd like to
>> create access lists, based on roles, using object-groups.
>>
>> For instance, service object groups called web servers, mail servers,
>> database servers, etc. These object groups will be linked with object
>> groups called mail users, storage customers, administrators, etc.
>> using access lists.
>>
>> I hope it's clear.
>>
>> Now, I have two questions:
>> 1. Is this approach good? I'd like to just add an IP address into an
>> object group without needing to reconfigure access lists.
>>
>> 2. Is there a way to apply an access-list for debug, without activating
>> the final blocking or rejection? A sort of dry-run, that makes me sure
>> that I'll not break my remote connection for administration.
>>
>> For instance, when I use iptables with Linux, the last rule of incoming
>> traffic is log, and I fix the Policy flag to drop only when I'm sure
>> that I can continue to administrate the server remotely.
>>
>> Thanks,
>> André Rodier.
>
> I am not familiar with the Cisco ASA 5510; however, on a router, which has
> many similarities - and some deadly differences - it would be possible
> to create the ACL with only permit statements (remember the permit any
> any at the end) and to log the ACL matches.
>
> Once you were happy, recast with deny where required.
>
> This would be pretty tedious and error prone though.
>
> Look for
>
> access-list x permit any any log
>
> sort of thing.

Thank you Bod43, I'll try that.
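One way to review the output of the "permit any any log" dry-run suggested above before recasting the catch-all as a deny, as an added example that is not from this thread or from Cisco: a small Python check that parses constructed ASA access-list syslog lines (message 106100) and flags permitted flows that none of the intended object-group role rules would cover on their own. The group names, addresses and policy triples are assumed for illustration.

```python
import ipaddress
import re

# Constructed ASA 106100 syslog lines, as an ACL ending in "permit ip any any
# log" would emit them; documentation addresses, not real hosts.
SAMPLE_LOG = """\
%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.5(51234) -> inside/10.0.0.10(80) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.5(51235) -> inside/10.0.0.20(25) hit-cnt 1 first hit [0x0, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.77(40001) -> inside/10.0.0.10(22) hit-cnt 3 300-second interval [0x0, 0x0]
%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/198.51.100.7(40002) -> inside/10.0.0.10(22) hit-cnt 1 first hit [0x0, 0x0]
"""
LOG_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"\S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Intended role policy mirroring the object-groups (hypothetical names/values).
NETWORK_GROUPS = {
    "WEB_SERVERS": ["10.0.0.10/32"],
    "MAIL_SERVERS": ["10.0.0.20/32"],
    "ADMIN_HOSTS": ["198.51.100.0/24"],
    "ANY": ["0.0.0.0/0"],
}
SERVICE_GROUPS = {"WEB": {80, 443}, "SMTP": {25}, "SSH": {22}}
POLICY = [  # (source group, destination group, service group)
    ("ANY", "WEB_SERVERS", "WEB"),
    ("ANY", "MAIL_SERVERS", "SMTP"),
    ("ADMIN_HOSTS", "WEB_SERVERS", "SSH"),
]

def in_group(addr, group):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in NETWORK_GROUPS[group])

def covered(src, dst, dport):
    """True if some role rule permits this flow on its own."""
    return any(in_group(src, s) and in_group(dst, d) and dport in SERVICE_GROUPS[svc]
               for s, d, svc in POLICY)

def dry_run(log_text):
    """Permitted flows in the log that no role rule covers: these only got
    through the catch-all and will start failing once it becomes a deny."""
    at_risk = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "permitted":
            flow = (m["src"], m["dst"], int(m["dport"]))
            if not covered(*flow):
                at_risk.append(flow)
    return at_risk
```

Running dry_run(SAMPLE_LOG) on the constructed lines flags only the SSH session from 203.0.113.77, an administrator address missing from ADMIN_HOSTS; that is exactly the connection the original question worries about losing.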
Thread: Is there a "dry run" mode for access lists before apply