My guess is it is default ACL logging rate limiting. I'd suggest taking off the "log" keyword and looking at the counts in "show access-list".
On Thu, Mar 21, 2013 at 6:57 PM, false <jct...@yahoo.com> wrote:
> Hello,
>
> I need to know what exactly constitutes a hit on an access-list. I was
> doing some troubleshooting and I did not get the expected results. I
> thought the first packet to match would be equal but it looks like it may
> require a 3-way handshake.
>
> I have an extended access-list in place on a 2811 router for
> troubleshooting/logging. I was troubleshooting inbound traffic so I
> stripped away the CBAC and existing ACLs from the interface. I then began
> doing a telnet test such as "telnet 192.168.2.80 80" from a Windows machine
> and then I would review the log to verify it got hit by the ACL. This test
> worked.
>
> I then set up a dummy NAT entry with port 27. I do not have a service
> running on port 27 (of course) but I wanted to see if the initial SYN
> packet would cause it to log a hit. It never did. So does the ACL entry
> require a 3-way handshake?
>
> My original goal was to determine why SMTP (port 25) traffic isn't hitting
> my mail server. I never see any hits. Thank you.
>
> interface FastEthernet0/1
>  ip address dhcp client-id FastEthernet0/1
>  ip access-group 124 in
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip flow ingress
>  ip nat outside
>  ip virtual-reassembly in
>  duplex auto
>  speed auto
>  no mop enabled
>
> ip nat inside source static tcp 192.168.2.41 25 interface FastEthernet0/1 25
> ip nat inside source static tcp 192.168.2.34 1723 interface FastEthernet0/1 1723
> ip nat inside source static tcp 192.168.2.34 3389 interface FastEthernet0/1 3389
> ip nat inside source static tcp 192.168.2.34 80 interface FastEthernet0/1 80
> ip nat inside source static tcp 192.168.2.34 25 interface FastEthernet0/1 25
> ip nat inside source static tcp 192.168.2.34 27 interface FastEthernet0/1 27
> ip nat inside source route-map test_pmap interface FastEthernet0/1 overload
>
> ROUTER01#sh log | inc 24.201.81.44
> 037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
> 037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet
>
> ROUTER01#
> access-list 124 permit udp any gt 0 any gt 0 log
> access-list 124 permit tcp any gt 0 any gt 0 log
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
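The reply's suggestion is to trust the per-ACE match counters rather than the `log` messages, because IOS rate-limits and summarizes ACL logging: the first packet of a matching flow produces a syslog line, later packets are rolled up into periodic "N packets" summaries, and the counters in `show access-lists` keep counting regardless. The script below, an added example that is not part of the thread, parses `%SEC-6-IPACCESSLOGP` lines and `show access-lists` output, then tells you for a given destination port whether matches were logged, whether the ACE counted packets the log never reported (logging suppressed), or whether the counter and the log agree that nothing arrived. The sample log and counter text are constructed to resemble the poster's router output; the third log line and all match counts are invented for illustration.

```python
"""Correlate Cisco IOS ACL "log" messages with "show access-lists" counters.

Added example, not code from the thread. Sample data is constructed.
"""
import re
from collections import defaultdict

# One %SEC-6-IPACCESSLOGP line per flow, e.g.
# "...%SEC-6-IPACCESSLOGP: list 124 permitted tcp 1.2.3.4(17743) -> 5.6.7.8(1723), 1 packet"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

# One ACE line from "show access-lists"; IOS omits "(N matches)" when N is 0.
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<rest>.*?)(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)

# Constructed sample: two lines modelled on the thread, plus an invented
# 5-minute summary line for the port 80 flow.
SAMPLE_LOG = """\
037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet
037402: Mar 18 20:13:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 6 packets
"""

# Constructed sample "show access-lists 124" output; counts are invented.
SAMPLE_SHOW = """\
Extended IP access list 124
    10 permit udp any gt 0 any gt 0 log
    20 permit tcp any gt 0 any gt 0 log (41 matches)
"""


def parse_acl_log(lines):
    """Sum logged packets per (proto, dst_port) across all IPACCESSLOGP lines."""
    totals = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            totals[(m["proto"], int(m["dport"]))] += int(m["pkts"])
    return dict(totals)


def parse_show_access_lists(text):
    """Return {(action, proto): matches} for each ACE; no suffix means 0."""
    counts = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts[(m["action"], m["proto"])] = int(m["matches"] or 0)
    return counts


def diagnose(log_totals, ace_counts, proto, dport, action="permit"):
    """Classify why a port does or does not show up in the ACL log.

    "logged"          : at least one log line named this port.
    "unlogged-matches": the ACE counter exceeds everything the log reported
                        for this protocol, so matches exist that logging
                        never surfaced (rate limiting / summarization).
    "no-matches"      : counter and log agree; nothing for this protocol
                        reached the ACL beyond what was already logged.
    """
    logged_here = log_totals.get((proto, dport), 0)
    ace_total = ace_counts.get((action, proto), 0)
    logged_proto = sum(n for (p, _), n in log_totals.items() if p == proto)
    if logged_here > 0:
        return "logged"
    if ace_total > logged_proto:
        return "unlogged-matches"
    return "no-matches"


if __name__ == "__main__":
    logs = parse_acl_log(SAMPLE_LOG.splitlines())
    aces = parse_show_access_lists(SAMPLE_SHOW)
    for proto, port in (("tcp", 80), ("tcp", 25), ("udp", 53)):
        print(f"{proto}/{port}: {diagnose(logs, aces, proto, port)}")
```

In practice, clear the counters with `clear access-list counters 124`, run the test connection, and take `show access-lists 124` again; if the tcp ACE counter rises while no log line for the port appears, the packets reached the ACL and it is the logging, not the match, that is missing. The counters are per ACE, not per port, so an ACL with one catch-all `permit tcp` line can only tell you that some TCP traffic matched; a dedicated ACE for port 25 would make the counter port-specific.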