Thanks, that did the trick!  In my case I was permitting traffic, so I added
another permit statement at the beginning that specified a port; in this
case, I allowed DNS traffic.  Once I did that, the rest of the statements
started logging the actual port numbers being used by this application.

Thanks for making my Monday a little bit more manageable!

John

>  Hi John,
>  
>  Basically, a zero is logged when you are denying tcp or udp, but have not
>  specified a port number to deny (e.g. access-list 101 deny tcp host
>  192.168.1.1 any), whereas if you specify a port number in an entry, any
>  further entries that just specify tcp (with no port) will indeed log the
>  port. The router simply doesn't bother checking the packet in depth unless
>  you have specified this in the ACL.
>  
>  So,
>  
>  access-list 101 deny tcp host 192.168.1.1 any
>  access-list 101 permit tcp any any
>  
>  will log no port numbers, whereas
>  
>  access-list 101 deny tcp host 192.168.1.1 any eq smtp
>  access-list 101 permit tcp any any
>  
>  will log the port number.
>  
>  If I am in a situation where I must know the port numbers that are trying
>  to get through, I normally make the first entry a deny statement through to
>  a service that is definitely not running on the host machine.
>  
>  
>  ---
>  Chris Miles
>  Senior Support Engineer
>  Customer Network Engineering
>  REDNET Ltd
>  +44 1494 513333
>  
>  ----- Original Message -----
>  From: John Neiberger <[EMAIL PROTECTED]>
>  To: <[EMAIL PROTECTED]>
>  Sent: Monday, January 22, 2001 4:13 PM
>  Subject: ACL Logging question
>  
>  
>  > I've noticed that when logging ip access lists, in some situations it
>  > logs the port number while other times it simply records a zero, and I
>  > can't remember the cause of this behavior.  It seems that in the nether
>  > regions of my memory, I recall once having heard an explanation for this
>  > but I just can't remember what it was.
>  >
>  > It's frustrating me this morning because I wanted to turn on logging to
>  > find out what specific ports an application was using, but nothing but
>  > zeroes were showing up.
>  >
>  > Any thoughts?
>  >
>  > Thanks,
>  > John
>  >

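The behaviour Chris describes and the workaround John applied, laid out side by side as an added configuration example (this is not configuration from either poster; the addresses, the interface name, and the choice of tcp/7 "echo" as the port the host does not serve are assumptions):

```cisco
! Added example, not from the thread. Two versions of access-list 101 that
! differ only in whether any entry matches on a Layer-4 port. The "log"
! keyword is required on an entry for it to produce a syslog message at all.
!
! --- Before: no entry names a port, so every logged hit shows port 0 ---
access-list 101 deny   tcp host 192.168.1.1 any log
access-list 101 permit tcp any any log
!
! Shape of the resulting syslog line; the "(0)" after each address is the
! symptom, not the real source/destination port:
! %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(0) -> 10.0.0.5(0), 1 packet
!
! --- After: the first entry matches on a port, so later entries log ports ---
! tcp/7 (echo) is an assumed placeholder for "a service definitely not running
! on the host". Verify that before deploying: if the host DID serve that port,
! this deny would silently drop legitimate traffic. John's alternative of a
! permit for a port you expect (e.g. "permit udp any any eq domain") avoids
! that risk, at the cost of excluding that port from the log.
no access-list 101
access-list 101 deny   tcp any host 192.168.1.1 eq 7
access-list 101 deny   tcp host 192.168.1.1 any log
access-list 101 permit tcp any any log
!
! Same flow, now with the actual ports recorded:
! %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.10(34567) -> 10.0.0.5(25), 1 packet
!
! Apply to the interface facing the traffic you want to observe (assumed name).
interface FastEthernet0/0
 ip access-group 101 in
```

Note that the port-matching entry only has to exist somewhere in the list; it does not need to match the traffic you are interested in. Remove it again once you have the port numbers you came for, so the ACL's documented intent and its actual behaviour stay the same thing.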


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]