Access-list Question

Mar 3rd, 2009

How do I get the (XX) after the ACL in the show access-list command? It shows up on routers but not on a 3750. Is this a limitation or a command to turn it on?


#sho access-list

Extended IP access list 100

10 permit ip 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255

20 deny ip any any



Question #2:

I have 2 networks that are separated. There will be a link between the 2. The only traffic I want to pass will be traffic allowing PCs to authenticate to Active Directory servers, and exchange the necessary AD stuff down. Any idea what ports to allow for that?



Correct Answer by Jon Marshall about 8 years 4 months ago

Mike


I came across this - looks like there are a few more ports than I thought.


http://lists.sans.org/pipermail/list/2005-August/021790.html


Jon

Giuseppe Larosa Tue, 03/03/2009 - 05:05

Hello Mike,

This is IOS dependent, also on routers.

If I take an old IOS, the automatic numbering of statements is off for numbered access-lists.


See for example:


RT-TO-CRN-SNA-E-2#sh access-l

Standard IP access list 24

permit 10.98.72.0, wildcard bits 0.0.3.255 (4879758 matches)

permit 10.55.48.0, wildcard bits 0.0.3.255 (565948 matches)

permit 10.110.162.0, wildcard bits 0.0.0.255


From a device in 122-19a.

At some point in IOS the behaviour has changed; before, the numbers were usable and shown only for named ACLs.

So it is possible not to see the line numbers on the c3750.


Hope to help

Giuseppe




Jon Marshall Tue, 03/03/2009 - 05:37

Mike


Do you mean the hit count for each line?

If so, be aware that Catalyst switches process most ACLs in hardware, and as such the hit count is not incremented in the way it is on a router.

You can use "show access-lists hardware counters", although this won't show each individual line hit.


Question 2


Off the top of my head -


Port 445 - CIFS

port 389 - LDAP

port 135 - RPC (maybe)

port 88 - Kerberos


But there may well be more needed as this is Microsoft :-)


Jon
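As an added illustration (not from anyone in this thread), here is how the ports Jon lists translate into an IOS named extended ACL; the addresses are assumed, reusing the PC subnet 10.120.1.0/24 and the server subnet 10.120.14.0/23 from the ACL in the question, and the interface name is a placeholder.

```cisco
! Added example, not from the thread. Named ACL so that sequence numbers are
! shown in "show access-lists" (see Giuseppe's note on numbered vs named ACLs).
! Assumed addresses: PCs in 10.120.1.0/24, AD servers in 10.120.14.0/23.
ip access-list extended PC-TO-AD
 remark Kerberos authentication, TCP and UDP 88
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 88
 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 88
 remark LDAP, TCP and UDP 389
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 389
 permit udp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 389
 remark SMB/CIFS (SYSVOL and NETLOGON shares), TCP 445
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 445
 remark RPC endpoint mapper, TCP 135 (the dynamic RPC ports it hands
 remark out are NOT covered here; this is the "maybe" in Jon's list)
 permit tcp 10.120.1.0 0.0.0.255 10.120.14.0 0.0.1.255 eq 135
 remark explicit deny only makes the implicit drop visible in show output
 deny ip any any
!
! IOS ACLs are stateless, so the opposite direction needs the mirror image:
! replies come from the server ports back to the PC subnet.
ip access-list extended AD-TO-PC
 permit tcp 10.120.14.0 0.0.1.255 eq 88 10.120.1.0 0.0.0.255 established
 permit udp 10.120.14.0 0.0.1.255 eq 88 10.120.1.0 0.0.0.255
 permit tcp 10.120.14.0 0.0.1.255 eq 389 10.120.1.0 0.0.0.255 established
 permit udp 10.120.14.0 0.0.1.255 eq 389 10.120.1.0 0.0.0.255
 permit tcp 10.120.14.0 0.0.1.255 eq 445 10.120.1.0 0.0.0.255 established
 permit tcp 10.120.14.0 0.0.1.255 eq 135 10.120.1.0 0.0.0.255 established
 deny ip any any
!
! Placeholder interface: the routed link toward the PC network.
interface GigabitEthernet1/0/1
 description Link to PC network (assumed)
 ip access-group PC-TO-AD in
 ip access-group AD-TO-PC out
```

On a 3750 these ACLs are evaluated in hardware, so the per-entry "(N matches)" counters seen on a router will not tick up; "show access-lists hardware counters", as Jon says, is the only aggregate view available.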

mikegrous Tue, 03/03/2009 - 05:51

Thanks Jon. You answered the first question. I will try those ports. I was going to do it today but it appears the AD servers are not here. Oh well. Anyone have any other ports that you think should be allowed?
