I discovered one more thing.
I have two access-lists
Extended IP access list 156
10 permit icmp any any log
20 permit ip any any log
Extended IP access list 157
10 permit icmp any any
20 permit ip any any
When ACL 156 is applied to the interface (in), it is not possible to ping inside
from outside. However, with ACL 157 pings are successful. There is
definitely an issue with 7600 ACLs.
Regards
2010/9/28 sinan akyıldız <sinanakyildiz_at_gmail.com>
> Hi Tyson,
>
>
> I am using this inbound ACL to limit access to my network. Actually, the
> original ACL is longer than the one I sent.
> One of the problems here is how I can be sure that all ACL entries are working
> properly if I cannot see matching packets in the output of the show
> access-list nn command. Should I add the log keyword at the end of all entries?
>
> I haven't tried deny tcp any any log. I will try it and let you know.
>
>
> Regards
>
>
>
> On Tue, Sep 28, 2010 at 2:24 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>
>> Corrected response
>>
>> You will not always see hits in the ACL. Have you tried adding a "deny
>> tcp any any log" to see if you are actually dropping the traffic and not
>> permitting it with the permit ip any any at the end?
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: tscott_at_ipexpert.com
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> sinanakyildiz_at_gmail.com
>> Sent: Monday, September 27, 2010 4:29 PM
>> To: ccielab_at_groupstudy.com
>> Subject: Packets do not match ACL entries
>>
>> Hi Guys,
>>
>> I have applied an inbound ACL on the Vlan interface of a 7606. After
>> monitoring the ACL, it seems packets are not matching the permit statements
>> in the ACL as expected (entries 40, 50).
>> 1.1.0.0/16 and 2.2.0.0/16 are just for example. One of the purposes of this
>> ACL is to deny all incoming TCP connection requests but allow TCP sessions
>> only for those initiated from inside the network.
>> Any thoughts why packets are not matching? Are there any known issues for
>> the 7606s, or is any special configuration missing here?
>>
>>
>> 10 deny ip 10.0.0.0 0.255.255.255 any (6 matches)
>> 20 deny ip 192.168.0.0 0.0.255.255 any
>> 30 deny ip 172.16.0.0 0.15.255.255 any (4 matches)
>> 40 permit tcp any 1.1.0.0 0.0.255.255 established (16 matches)
>> 50 permit tcp any 2.2.2.0 0.0.255.255 established
>> 100 permit esp any any
>> 110 permit ahp any any
>> 120 permit icmp any any (7 matches)
>> 130 permit gre any any
>> 280 permit udp any any eq 6901
>> 310 deny ip any 1.1.0.0 0.0.0.255 (9024 matches)
>> 320 deny ip any 2.2.0.0 0.0.0.255 (5251 matches)
>> 350 permit ip any any (82 matches)
>>
>> Moreover, I observed that the ping packets are not matching the permit icmp
>> any any entry either.
>>
>> Thanks in Advance
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
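The first-match fall-through that Tyson's "deny tcp any any log" test is meant to expose, shown as an added example that is not part of the thread: a small Python model of IOS extended-ACL evaluation, run over the ACL posted above (counters stripped) and over a copy with a logged deny inserted just before the catch-all. It is not the 7600's hardware path and only covers the entry forms that appear in the post (protocol keywords, wildcard masks, "eq <port>", "established", "log"). The sample packets, their addresses and the sequence number 300 chosen for the diagnostic entry are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The ACL as posted in the thread, with the match counters removed.
POSTED_ACL = """
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 192.168.0.0 0.0.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any
40 permit tcp any 1.1.0.0 0.0.255.255 established
50 permit tcp any 2.2.2.0 0.0.255.255 established
100 permit esp any any
110 permit ahp any any
120 permit icmp any any
130 permit gre any any
280 permit udp any any eq 6901
310 deny ip any 1.1.0.0 0.0.0.255
320 deny ip any 2.2.0.0 0.0.0.255
350 permit ip any any
"""

# Tyson's diagnostic: a logged deny for TCP just ahead of the catch-all, so any
# TCP that would otherwise fall through to "permit ip any any" is reported.
# Sequence number 300 is an assumption for this example.
DIAGNOSTIC_ACL = POSTED_ACL.replace(
    "350 permit ip any any", "300 deny tcp any any log\n350 permit ip any any")


@dataclass
class Packet:
    proto: str                 # "ip" is never a packet protocol; use tcp/udp/icmp/esp/ahp/gre
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set, i.e. not a bare SYN


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: Tuple[int, int]       # (network, mask); mask is the inverted Cisco wildcard
    dst: Tuple[int, int]
    sport: Optional[int]
    dport: Optional[int]
    established: bool


def _addr(tokens):
    """Pop an address spec ('any' or 'a.b.c.d wildcard') and return (net, mask)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return (0, 0)
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = 0xFFFFFFFF ^ wild   # wildcard 0-bits must match, 1-bits are don't-care
    return (base & mask, mask)


def _port(tokens):
    """Pop an optional 'eq <port>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto, rest = int(t[0]), t[1], t[2], t[3:]
        src = _addr(rest)
        sport = _port(rest)
        dst = _addr(rest)
        dport = _port(rest)
        established = "established" in rest   # a trailing "log" is ignored here
        entries.append(Entry(seq, action, proto, src, dst, sport, dport, established))
    return entries


def _in(addr, spec):
    net, mask = spec
    return int(ipaddress.IPv4Address(addr)) & mask == net


def evaluate(pkt, entries):
    """First match wins; returns (seq, action). No match is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not _in(pkt.src, e.src) or not _in(pkt.dst, e.dst):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.established):
            continue
        return (e.seq, e.action)
    return (None, "deny")


def trace(text, packets):
    entries = parse_acl(text)
    return [evaluate(p, entries) for p in packets]


# Constructed inbound traffic from the outside (addresses are made up).
SAMPLES = [
    Packet("tcp", "5.5.5.5", "1.1.5.5", 40000, 80),                    # new SYN to an inside host
    Packet("tcp", "5.5.5.5", "1.1.5.5", 80, 40000, established=True),  # return traffic of an inside-initiated session
    Packet("tcp", "5.5.5.5", "1.1.0.7", 40000, 22),                    # new SYN into the /24 that entry 310 covers
    Packet("icmp", "5.5.5.5", "1.1.0.7"),                              # ping
    Packet("tcp", "10.1.2.3", "1.1.5.5", 40000, 22),                   # RFC 1918 source
]

if __name__ == "__main__":
    for label, acl in (("posted ACL", POSTED_ACL), ("with 300  ", DIAGNOSTIC_ACL)):
        for p, (seq, action) in zip(SAMPLES, trace(acl, SAMPLES)):
            print(f"{label}: {p.proto:4} {p.src:>9} -> {p.dst:<8} => entry {seq} {action}")
```

Running it shows the point of the thread: a fresh SYN to 1.1.5.5 matches nothing until entry 350 and is permitted, because entry 40 only covers established segments and entry 310 only denies the 1.1.0.0/24 slice; with the logged deny at 300 the same SYN is dropped and reported, while return traffic (entry 40), ICMP (entry 120) and the RFC 1918 sources (entries 10 to 30) are unaffected.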
Received on Tue Sep 28 2010 - 14:04:22 ART