Hello, I need to know what exactly constitutes a hit on an access-list. I was doing some troubleshooting and I did not get the expected results. I thought the first packet to match would be equal, but it looks like it may require a 3-way handshake. I have an extended access-list in place on a 2811 router for troubleshooting/logging. I was troubleshooting inbound traffic, so I stripped away the CBAC and existing ACLs from the interface. I then began doing a telnet test such as "telnet 192.168.2.80 80" from a Windows machine, and then I would review the log to verify it got hit by the ACL. This test worked.
I then set up a dummy NAT entry with port 27. I do not have a service running on port 27 (of course), but I wanted to see if the initial SYN packet would cause it to log a hit. It never did. So does the ACL entry require a 3-way handshake? My original goal was to determine why SMTP (port 25) traffic isn't hitting my mail server. I never see any hits. Thank you.

interface FastEthernet0/1
 ip address dhcp client-id FastEthernet0/1
 ip access-group 124 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

ip nat inside source static tcp 192.168.2.41 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.2.34 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.2.34 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.2.34 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 27 interface FastEthernet0/1 27
ip nat inside source route-map test_pmap interface FastEthernet0/1 overload

ROUTER01#sh log | inc 24.201.81.44
037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet
ROUTER01#

access-list 124 permit udp any gt 0 any gt 0 log
access-list 124 permit tcp any gt 0 any gt 0 log

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
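The troubleshooting method in the post is to read the router log by eye and see which forwarded ports show a %SEC-6-IPACCESSLOGP hit. The following is an added example, not part of the original post or of Cisco IOS: a small Python parser for the IPACCESSLOGP lines in the format shown above, which sums the logged packet counts per destination port and reports which of the static-NAT TCP ports from the config never appeared in the log. The two log lines from the post are used as input; the third and fourth sample lines (a summarised multi-packet entry and an unrelated syslog message) are constructed to exercise the parser, and the helper names are the example's own.

```python
import re
from collections import Counter

# Pattern for IOS %SEC-6-IPACCESSLOGP lines in the form shown in the post, e.g.
#   list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_ipaccesslogp(line):
    """Return a dict for one IPACCESSLOGP line, or None if the line is not one."""
    m = LOGP_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def hits_by_dport(lines, acl=None):
    """Sum logged packet counts per (protocol, destination port), optionally for one ACL."""
    totals = Counter()
    for line in lines:
        entry = parse_ipaccesslogp(line)
        if entry is None:
            continue  # not an ACL log line (other syslog messages, prompts, etc.)
        if acl is not None and entry["acl"] != acl:
            continue
        totals[(entry["proto"], entry["dport"])] += entry["count"]
    return totals


def unseen_tcp_ports(expected_ports, totals):
    """Forwarded TCP ports that never appeared in a logged hit."""
    return sorted(p for p in expected_ports if ("tcp", p) not in totals)


# TCP ports forwarded by the static NAT entries in the post.
NAT_TCP_PORTS = [25, 1723, 3389, 80, 27]

# Sample log: the two lines from the post, plus two constructed lines.
SAMPLE_LOG = [
    "037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet",
    "037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet",
    # constructed: a summarised entry covering several packets
    "037400: Mar 18 20:10:01.000 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17900) -> 134.134.134.134(3389), 5 packets",
    # constructed: an unrelated syslog line the parser must skip
    "037401: Mar 18 20:10:05.000 PCTime: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    totals = hits_by_dport(SAMPLE_LOG, acl="124")
    for (proto, port), n in sorted(totals.items()):
        print(f"{proto}/{port}: {n} packet(s)")
    print("NAT ports with no logged hit:", unseen_tcp_ports(NAT_TCP_PORTS, totals))
```

Feeding the real output of `sh log | inc IPACCESSLOGP` into `hits_by_dport` gives a per-port tally instead of a line-by-line read; on the sample above, ports 25 and 27 come back as never hit, which matches what the post reports for those two ports.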