From: David Hiers (David_Hiers@adp.com)
Date: Tue Apr 27 2004 - 18:01:50 GMT-3
Use some other tool to identify the traffic that is making it past the ACL.
Unless your acl specifies ports, IOS does not need to check ports. Since it does not need to check ports, the ACL saves time and ignores them. This means that the ACL logging CANNOT report the actual port number, but simply writes a zero as a placeholder for the port number that it does not know.
The ACL is lying to you. Instead of writing a zero, it should write a null or perhaps a "?".
David
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
yuki hisano
Sent: Tuesday, April 27, 2004 9:51 AM
To: ccie@netchild.pub.sa
Cc: ccielab@groupstudy.com
Subject: Re: Port 0 Filter (Repost)
I have tried it.
Here is the result.
access-list 113 permit tcp any 192.168.128.0 0.0.0.255 log-input
access-list 113 permit udp any 192.168.128.0 0.0.0.255 log-input
access-list 113 permit ip any any
Apr 27 17:35:09: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.201(0) (Serial0/1 *HDLC*) -> 192.168.128.83(0), 1 packet
Apr 27 17:35:19: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.101(0) (Serial0/1 *HDLC*) -> 192.168.128.4(0), 13 packets
Apr 27 17:35:23: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.101(0) (Serial0/1 *HDLC*) -> 192.168.128.226(0), 247 packets
Yuki
>From: "ccie" <ccie@netchild.pub.sa>
>To: "yuki hisano" <yukyhisano@hotmail.com>
>Subject: Re: Port 0 Filter (Repost)
>Date: Tue, 27 Apr 2004 20:18:46 +0300
>
>Hi Yuki,
>
> > I hooked some access-list just to see what type of port number it is
>using.
> > The result is like this:
> >
> > source: 192.168.X.X (0) destination 192.168.X.X (0) (they are either
>TCP
>or
> > UDP)
>
>This is not a port 0. When you deny with ip the syslog will show you the port
>as (0). To know the real port try to remove the denied ip and put deny
>tcp/udp. Check the log and you will see the correct port number.
>
>NetChild,
>
>
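David's explanation above (an ACE without a port operator never looks at ports, so `log-input` writes 0 as a placeholder) can be turned into a check on the log lines themselves. The following Python script is an added example, not code from this thread or from Cisco: it parses the ACL and the %SEC-6-IPACCESSLOGP lines Yuki posted (re-joined onto one line each, since the archive wrapped them) and flags a (0)/(0) pair as "ports-not-inspected" when no ACE in that list that could have matched carries a port operator (eq, neq, gt, lt, range). The port-aware ACE for list 114 and the log line paired with it are hypothetical, constructed to show the contrasting case; the message layout assumed for them is the one in Yuki's output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the ACL and the three log lines from the post,
# each log line re-joined onto one line (the archive wrapped them).
SAMPLE_ACL = """
access-list 113 permit tcp any 192.168.128.0 0.0.0.255 log-input
access-list 113 permit udp any 192.168.128.0 0.0.0.255 log-input
access-list 113 permit ip any any
"""
SAMPLE_LOG = [
    "Apr 27 17:35:09: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.201(0) (Serial0/1 *HDLC*) -> 192.168.128.83(0), 1 packet",
    "Apr 27 17:35:19: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.101(0) (Serial0/1 *HDLC*) -> 192.168.128.4(0), 13 packets",
    "Apr 27 17:35:23: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.101(0) (Serial0/1 *HDLC*) -> 192.168.128.226(0), 247 packets",
]

# Hypothetical (not from the post): an ACE that names a port, and the log line
# it would be expected to produce, assuming the same message layout as above.
PORT_AWARE_ACL = "access-list 114 permit tcp any host 192.168.128.83 eq 22 log-input"
PORT_AWARE_LOG = ("Apr 27 17:40:00: %SEC-6-IPACCESSLOGP: list 114 permitted tcp "
                  "192.168.120.201(51234) (Serial0/1 *HDLC*) -> 192.168.128.83(22), 1 packet")

PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}

ACE_RE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$")
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)(?: \((?P<intf>[^)]*)\))? -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass
class Ace:
    acl: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "ip", ...
    inspects_ports: bool  # True only if the ACE carries a port operator
    text: str


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered extended ACL lines into Ace records."""
    aces = []
    for raw in text.strip().splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        aces.append(Ace(m.group("acl"), m.group("action"), m.group("proto"),
                        any(t in PORT_OPERATORS for t in tokens), raw.strip()))
    return aces


def interpret(line: str, aces: List[Ace]) -> Optional[Dict[str, object]]:
    """Parse one IPACCESSLOGP line and say whether (0) is a real port or a placeholder."""
    m = LOG_RE.search(line)
    if not m:
        return None
    action = "permit" if m.group("action") == "permitted" else "deny"
    # The message does not say which ACE matched, so consider every ACE in the
    # list with the same action that can match this protocol ("ip" matches both).
    candidates = [a for a in aces
                  if a.acl == m.group("acl") and a.action == action
                  and a.proto in (m.group("proto"), "ip")]
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    if sport == 0 and dport == 0:
        if candidates and not any(a.inspects_ports for a in candidates):
            verdict = "ports-not-inspected"   # placeholder: no ACE looked at ports
        else:
            verdict = "port-zero-or-unknown"  # cannot tell from the log alone
    else:
        verdict = "ports-logged"
    return {"acl": m.group("acl"), "proto": m.group("proto"), "action": action,
            "src": m.group("src"), "sport": sport, "dst": m.group("dst"), "dport": dport,
            "interface": m.group("intf"), "packets": int(m.group("count")), "verdict": verdict}


def summarize(lines: List[str], aces: List[Ace]) -> Dict[str, int]:
    """Count verdicts across a batch of log lines (unparsable lines are skipped)."""
    counts: Dict[str, int] = {}
    for line in lines:
        r = interpret(line, aces)
        if r is not None:
            counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    aces = parse_acl(SAMPLE_ACL)
    for line in SAMPLE_LOG:
        r = interpret(line, aces)
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['packets']} pkts  {r['verdict']}")
    print(summarize(SAMPLE_LOG, aces))
    print(interpret(PORT_AWARE_LOG, parse_acl(PORT_AWARE_ACL))["verdict"])
```

The verdict is deliberately conservative: because the message names the list but not the ACE, a (0)/(0) line is only called a placeholder when every ACE that could have matched ignores ports. If the list mixes port-aware and port-blind entries, the script reports "port-zero-or-unknown", which is the point of David's advice to identify the traffic with some other tool rather than trusting the logged zero.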
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:56 GMT-3