Hello,
I need to know what exactly constitutes a hit on an access-list. I was doing 
some troubleshooting and I did not get the expected results. I thought the 
first packet to match would be equal but it looks like it may require a 3-way 
handshake. 
 
I have an extended access-list in place on a 2811 router for 
troubleshooting/logging. I was troubleshooting inbound traffic so I stripped 
away the CBAC and existing ACLs from the interface. I then began doing a telnet 
test such as "telnet 192.168.2.80 80" from a Windows machine and then I would 
review the log to verify it got hit by the ACL. This test worked. 

I then set up a dummy NAT entry with port 27. I do not have a service running 
on port 27 (of course) but I wanted to see if the initial SYN packet would 
cause it to log a hit. It never did. So does the ACL entry require a 3-way 
handshake? 

My original goal was to determine why SMTP (port 25) traffic isn't hitting my 
mail server. I never see any hits. Thank you.
 
interface FastEthernet0/1
ip address dhcp client-id FastEthernet0/1
ip access-group 124 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
ip nat inside source static tcp 192.168.2.41 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.2.34 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.2.34 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.2.34 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 27 interface FastEthernet0/1 27
ip nat inside source route-map test_pmap interface FastEthernet0/1 overload
ROUTER01#sh log | inc 24.201.81.44
037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet

ROUTER01#
access-list 124 permit udp any gt 0 any gt 0 log
access-list 124 permit tcp any gt 0 any gt 0 log

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
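As an added example (not part of the original post or of any Cisco tool), a small Python script that parses %SEC-6-IPACCESSLOGP lines like the ones quoted above together with the static NAT entries, and reports how many permitted packets the ACL logged per forwarded port, so that forwards which never produced a hit (port 25, port 27) stand out. The log and config lines below are constructed samples in the same format; the assumption that the inbound ACL logs the pre-translation (outside) destination follows the post's own log output.

```python
import re

# Constructed sample of "sh log" output in the %SEC-6-IPACCESSLOGP format quoted in the post.
SAMPLE_LOG = """\
037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet
037410: Mar 18 20:09:15.301 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted udp 24.201.81.44(51000) -> 134.134.134.134(27), 2 packets
"""

# Constructed static NAT entries, same shape as the router config in the post.
SAMPLE_NAT = """\
ip nat inside source static tcp 192.168.2.41 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.2.34 27 interface FastEthernet0/1 27
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)
NAT_RE = re.compile(
    r"ip nat inside source static (?P<proto>tcp|udp) (?P<inside>[\d.]+) (?P<iport>\d+) "
    r"interface \S+ (?P<oport>\d+)"
)

def parse_acl_log(text):
    """One dict per IPACCESSLOGP line; ports and packet count converted to int."""
    hits = [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]
    for h in hits:
        h.update((k, int(h[k])) for k in ("sport", "dport", "count"))
    return hits

def parse_static_nat(text):
    """(proto, outside_port, inside_ip, inside_port) for each static port forward."""
    return [(m["proto"], int(m["oport"]), m["inside"], int(m["iport"]))
            for m in map(NAT_RE.match, text.splitlines()) if m]

def nat_hit_report(nat_text, log_text):
    """Permitted packets the ACL logged per forwarded (proto, outside port).
    Assumption (matches the post's log): the inbound ACL on the outside interface
    sees the pre-translation destination, so matching uses protocol and outside
    port only. A forward at 0 never produced a hit, not even for a bare SYN."""
    hits = parse_acl_log(log_text)
    return {(proto, oport): sum(h["count"] for h in hits if h["action"] == "permitted"
                                and h["proto"] == proto and h["dport"] == oport)
            for proto, oport, _ip, _iport in parse_static_nat(nat_text)}

if __name__ == "__main__":
    for (proto, port), pkts in sorted(nat_hit_report(SAMPLE_NAT, SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {pkts} permitted packet(s) logged")
```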