Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

The meaning of "user" object on aruba controller Firewall

  • 1.  The meaning of "user" object on aruba controller Firewall

    Posted Feb 08, 2012 02:35 PM

    Okay, today I had an issue with the rules, in which the users of network A could not ping other users in the same network A; they didn't have access to the very network they were connected to.

    I had these rules:

     

    ip access-list session STD
    any any svc-dhcp permit
    user alias DNS svc-dns permit
    user alias Internal_Networks any deny
    user any any permit

     

    Internal networks are:

     

    network 192.168.10.0 255.255.255.0
    network 192.168.3.0 255.255.255.0
    network 192.168.6.0 255.255.255.0
    network 10.10.0.0 255.255.255.0
    network 192.168.11.0 255.255.255.0

     

    Okay.

    The wireless network they were in, and within which they couldn't ping, is 10.10.8.0/24.

    Now I THOUGHT that with

    user any any permit

    they would be able to do that, but they are not.... as 10.10.8.0/24 is not listed in Internal_Networks....

     

    Now I had to add it manually, not using the "user" object; I had to add a rule that says something like this:

    network 10.10.8.0 255.255.255.0, with a name, I don't know, hmm, STD, just to give it a name...

    and add this rule:

    STD STD any permit

    I had to permit STD to STD so they could ping... Of course I also added another rule in which they are denied access to the IP of the controller and the default gateway... But what I'm confused about is what "user" means, and when I should use it...

    Because it is not like "any". Could someone explain this better?



  • 2.  RE: The meaning of "user" object on aruba controller Firewall

    EMPLOYEE
    Posted Feb 08, 2012 02:42 PM

    User means any user in the user table.

     

    You are denying traffic to that network with your deny statement.

     

    network 10.10.0.0 255.255.255.0



  • 3.  RE: The meaning of "user" object on aruba controller Firewall

    Posted Feb 08, 2012 04:13 PM

    No, I'm not denying traffic with that. Yes, I am denying 10.10.0.0/24.

    I'm NOT denying 10.10.8.0/24; those are different networks...

    So that's not the reason why it was being blocked....



  • 4.  RE: The meaning of "user" object on aruba controller Firewall

    EMPLOYEE
    Posted Feb 08, 2012 04:21 PM

    Type "show acl hits" to see which ACLs are hit when you try to access your clients.

     



  • 5.  RE: The meaning of "user" object on aruba controller Firewall

    Posted Feb 08, 2012 04:50 PM

    I'll have to recreate it in a lab and I'll type up the results, as I already fixed it at the client, like I said above, and, well, I cannot test this on the client again :)

     

    Cheers

     

     



  • 6.  RE: The meaning of "user" object on aruba controller Firewall

    Posted Feb 09, 2012 01:22 PM

    cjoseph, here are the results:

     

            0         664         8147
    test           Test           user  any         any               permit        14        642         8378
    test                          any   any         0                 deny           8        112         8379

    Port Based Session ACL
    ----------------------
    Policy     Src  Dst  Service  Action  Dest/Opcode  New Hits  Total Hits  Index
    ------     ---  ---  -------  ------  -----------  --------  ----------  -----
    validuser  any  any  any      permit               0         4           7979

    Port ACL Hits
    -------------
    ACL  ACE  New Hits  Total Hits  Index
    ---  ---  --------  ----------  -----

    (AlterWifiLab) #

     

    If you look at the last one, which got 112 hits, it's the rule that says this.

    I have just one rule in that role, which is this one:

    ip access-list session Test
      user any any permit

     

    I cannot ping the machines in the same network in this test environment.

     

    But if you look at the ACL hits:

    test                          any   any         0                 deny           8        112         8379

     

    In the service column I see 0, as if it is not recognizing the service??? Or what does it mean?

     

     

    I attached the complete "show acl hits" output in case you want to see it.

     

    Attachment(s)

    aclhits.zip (693 B)
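The two points the thread turns on are the definition given in reply 2 ("user" means any address currently in the controller's user table) and the hit counters in reply 6, where traffic that matches no listed rule falls to the trailing "any any deny" row. The following script is an added illustration written for this page; it is not Aruba code and not something any participant posted. It models a first-match session ACL with the thread's rules, a small netdestination table and a user table, and keeps per-rule counters in the spirit of "show acl hits". The rule grammar, the treatment of service names as opaque strings, the DNS server address (192.168.10.53) and the client addresses (10.10.8.10, 10.10.8.11, 10.10.8.200) are all assumptions, and the simulator can only show what the rules evaluate to under the stated semantics, not why a real controller dropped a packet.

```python
"""Toy first-match evaluator for ArubaOS-style session ACLs.

Models two things the thread turns on:
  * the 'user' alias, which matches any address currently in the
    controller's user table (reply 2), and
  * per-rule hit counters plus the trailing implicit 'any any deny',
    as reported by 'show acl hits' (reply 6).

Added illustration only. The rule grammar and matching semantics are a
simplified assumption; this is not the controller's implementation.
"""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the ACL posted in the opening post.
ACL_STD = """
any any svc-dhcp permit
user alias DNS svc-dns permit
user alias Internal_Networks any deny
user any any permit
""".split("\n")


@dataclass
class Rule:
    src: str
    dst: str
    service: str
    action: str
    hits: int = 0


def parse_rule(line):
    """'user alias DNS svc-dns permit' -> Rule('user', 'alias DNS', 'svc-dns', 'permit')."""
    toks = line.split()
    ends, i = [], 0
    while len(ends) < 2:                      # source endpoint, then destination
        if toks[i] == "alias":                # reference to a netdestination
            ends.append("alias " + toks[i + 1])
            i += 2
        else:
            ends.append(toks[i])
            i += 1
    return Rule(ends[0], ends[1], toks[i], toks[i + 1])


class SessionAcl:
    def __init__(self, netdest, user_table, lines):
        self.netdest = {name: [ipaddress.ip_network(n) for n in nets]
                        for name, nets in netdest.items()}
        self.user_table = {ipaddress.ip_address(a) for a in user_table}
        self.rules = [parse_rule(l) for l in lines if l.strip()]
        self.implicit_deny_hits = 0           # the unlisted trailing 'any any deny'

    def _endpoint_matches(self, spec, ip):
        if spec == "any":
            return True
        if spec == "user":                    # any address in the user table
            return ip in self.user_table
        if spec.startswith("alias "):
            nets = self.netdest[spec.split(None, 1)[1]]
        elif spec in self.netdest:            # bare netdestination name, e.g. 'STD STD any permit'
            nets = self.netdest[spec]
        else:                                 # literal host or network
            nets = [ipaddress.ip_network(spec, strict=False)]
        return any(ip in n for n in nets)

    def evaluate(self, src, dst, service):
        """First match wins; anything unmatched falls to the implicit deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if (self._endpoint_matches(r.src, src)
                    and self._endpoint_matches(r.dst, dst)
                    and r.service in ("any", service)):
                r.hits += 1
                return r.action
        self.implicit_deny_hits += 1
        return "deny"

    def hits(self):
        """Rows in the spirit of 'show acl hits': (src, dst, service, action, hits)."""
        rows = [(r.src, r.dst, r.service, r.action, r.hits) for r in self.rules]
        rows.append(("any", "any", "any", "deny", self.implicit_deny_hits))
        return rows


def thread_scenario():
    """Replay the thread's setup: clients on 10.10.8.0/24, which is not in
    Internal_Networks. Resolver and client addresses are assumed."""
    acl = SessionAcl(
        netdest={
            "Internal_Networks": ["192.168.10.0/24", "192.168.3.0/24",
                                  "192.168.6.0/24", "10.10.0.0/24",
                                  "192.168.11.0/24"],
            "DNS": ["192.168.10.53/32"],      # assumed resolver address
        },
        user_table=["10.10.8.10", "10.10.8.11"],   # assumed authenticated clients
        lines=ACL_STD,
    )
    results = {
        # two authenticated clients on the same wireless subnet
        "peer_ping": acl.evaluate("10.10.8.10", "10.10.8.11", "svc-icmp"),
        # client to an address inside Internal_Networks
        "internal_ping": acl.evaluate("10.10.8.10", "192.168.10.1", "svc-icmp"),
        "dns": acl.evaluate("10.10.8.10", "192.168.10.53", "svc-dns"),
        # a source that is NOT in the user table: 'user' never matches it,
        # so the packet falls through every 'user ...' rule to the implicit deny
        "non_user_ping": acl.evaluate("10.10.8.200", "10.10.8.11", "svc-icmp"),
    }
    return acl, results


if __name__ == "__main__":
    acl, results = thread_scenario()
    for name, verdict in results.items():
        print(f"{name:15} {verdict}")
    for row in acl.hits():
        print("%-30s %-22s %-10s %-7s %d" % row)
```

Under these semantics the peer ping matches "user any any permit" and only the non-user source reaches the implicit deny, which is the reading the opening post expected. That is the value of "show acl hits" on the real controller: if the implicit-deny counter climbs for a flow you expected a listed rule to catch, the packet did not match that rule's source or destination the way the text suggests (for example because the address was not in the user table), and the counters, not the rule wording, are what to reason from.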