RE: Port 0 Filter (Repost)

From: David Hiers (David_Hiers@adp.com)
Date: Thu Apr 29 2004 - 12:30:44 GMT-3


I need to reiterate that if you are using ONLY IOS logging to tell you what traffic is flowing, you do not know if this config worked or not. Please remember that for access-lists that do not include the port numbers, it always logs as port 0.

Re-run your tests using a sniffer and you will notice that the packets logged as "port 0" are actually using a non-zero port.

In other words, IOS access-list logging happily lies to you, and you must understand its limitations.

David

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of yuki hisano
Sent: Wednesday, April 28, 2004 12:32 PM
To: ccie@netchild.pub.sa
Cc: ccielab@groupstudy.com
Subject: Re: Port 0 Filter (Repost)

This worked!

Thanks!

Yuki

>From: "ccie" <ccie@netchild.pub.sa>
>To: "yuki hisano" <yukyhisano@hotmail.com>
>Subject: Re: Port 0 Filter (Repost)
>Date: Wed, 28 Apr 2004 16:01:44 +0300
>
>Hi,
>
>try this access list
>
>access-list 113 permit tcp any 192.168.128.0 0.0.0.255 range 1-65535
>log-input
>access-list 113 permit udp any 192.168.128.0 0.0.0.255 range 1-65535
>log-input
>access-list 113 permit ip any any
>
>NetChild,
>----- Original Message -----
>From: "yuki hisano" <yukyhisano@hotmail.com>
>To: <ccie@netchild.pub.sa>
>Cc: <ccielab@groupstudy.com>
>Sent: Tuesday, April 27, 2004 8:51 PM
>Subject: Re: Port 0 Filter (Repost)
>
>
> > I have tried it.
> > Here is the result.
> >
> > access-list 113 permit tcp any 192.168.128.0 0.0.0.255 log-input
> > access-list 113 permit udp any 192.168.128.0 0.0.0.255 log-input
> > access-list 113 permit ip any any
> >
> >
> >
> > Apr 27 17:35:09: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.201(0) (Serial0/1 *HDLC*) -> 192.168.128.83(0), 1 packet
> > Apr 27 17:35:19: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.101(0) (Serial0/1 *HDLC*) -> 192.168.128.4(0), 13 packets
> > Apr 27 17:35:23: %SEC-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.101(0) (Serial0/1 *HDLC*) -> 192.168.128.226(0), 247 packets
> > glory-ny#$-6-IPACCESSLOGP: list 113 permitted tcp 192.168.120.201(0)
> > Apr 27 17:35:09: %SEC-6-IPACCESSLOGP: list 113 permitted tcp
> > 192.168.120.201(0)
> >
> > Yuki
> >
> >
> > >From: "ccie" <ccie@netchild.pub.sa>
> > >To: "yuki hisano" <yukyhisano@hotmail.com>
> > >Subject: Re: Port 0 Filter (Repost)
> > >Date: Tue, 27 Apr 2004 20:18:46 +0300
> > >
> > >Hi Yuki,
> > >
> > > > I hooked some access-list just to see what type of port number it is using.
> > > > The result is like this:
> > > >
> > > > source: 192.168.X.X (0) destination 192.168.X.X (0) (they are either TCP or UDP)
> > >
> > >This is not a port 0. When you deny with ip the syslog will show you the port as (0). To know the real port try to remove the denied ip and put deny tcp/udp. Check the log and you will see the correct port number.
> > >
> > >NetChild,
> > >
> > >
> >
> >
> >
>
>
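As an added illustration of the caveat David raises above (this is not code from the thread): a small Python checker that parses %SEC-6-IPACCESSLOGP lines, reports a logged (0) as "port not reported" rather than as port 0, and flags log/log-input ACEs that carry no port operator (eq, neq, gt, lt, range) and will therefore always log 0. The sample ACL and log lines are taken from the thread and re-joined; the message layout is assumed to be exactly as quoted there.

```python
import re

# %SEC-6-IPACCESSLOGP layout as quoted in the thread; the "(Serial0/1 *HDLC*)"
# interface part is present only when the ACE uses log-input (assumption).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}


def ace_matches_ports(ace):
    """True when a numbered tcp/udp ACE carries a port operator, i.e. the
    case in which IOS will report the real ports in its log line."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[3] not in ("tcp", "udp"):
        return False
    return any(tok in PORT_OPERATORS for tok in tokens[4:])


def audit_acl(aces):
    """Return the logging ACEs whose logged ports will always read (0)."""
    return [a for a in aces
            if a.split()[-1] in ("log", "log-input") and not ace_matches_ports(a)]


def parse_log_line(line):
    """Parse one IPACCESSLOGP line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    # A logged 0 means the ACE did not match on ports, not that port 0 was used.
    rec["ports_known"] = rec["sport"] != 0 or rec["dport"] != 0
    return rec


# Constructed samples: the two ACL variants and one log line from the thread.
ACL_NO_PORTS = [
    "access-list 113 permit tcp any 192.168.128.0 0.0.0.255 log-input",
    "access-list 113 permit udp any 192.168.128.0 0.0.0.255 log-input",
    "access-list 113 permit ip any any",
]
ACL_WITH_RANGE = [
    "access-list 113 permit tcp any 192.168.128.0 0.0.0.255 range 1-65535 log-input",
    "access-list 113 permit udp any 192.168.128.0 0.0.0.255 range 1-65535 log-input",
    "access-list 113 permit ip any any",
]
SAMPLE_LOG = ("Apr 27 17:35:09: %SEC-6-IPACCESSLOGP: list 113 permitted tcp "
              "192.168.120.201(0) (Serial0/1 *HDLC*) -> 192.168.128.83(0), 1 packet")
```

Run `audit_acl` over a config before trusting any port field from its logs; a record with `ports_known` False should be treated as "port unknown" in a SIEM, never as port 0.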



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:57 GMT-3