Hi Tyson,
I am using this inbound ACL to limit access to my network. Actually, the
original ACL is longer than the one I sent.
One of the problems here is: how can I be sure that all ACL entries are working
properly if I cannot see matching packets in the output of the show
access-list nn command? Should I add the log keyword at the end of all entries?
I haven't tried deny tcp any any log. I will try it and let you know.
Regards
On Tue, Sep 28, 2010 at 2:24 AM, Tyson Scott <tscott_at_ipexpert.com> wrote:
> Corrected response
>
> You will not always see hits in the ACL. Have you tried adding a "deny tcp
> any any log" to see if you are actually dropping the traffic and not
> permitting it with the permit ip any any at the end?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: tscott_at_ipexpert.com
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> sinanakyildiz_at_gmail.com
> Sent: Monday, September 27, 2010 4:29 PM
> To: ccielab_at_groupstudy.com
> Subject: Packets do not match ACL entries
>
> Hi Guys,
>
> I have applied an inbound ACL on the Vlan interface of a 7606. After
> monitoring the ACL, it seems packets are not matching the permit statements
> in the ACL as expected (entries 40, 50).
> 1.1.0.0/16 and 2.2.0.0/16 are just for example. One of the purposes of this
> ACL is to deny all incoming TCP connection requests but allow TCP sessions
> only for those initiated from inside the network.
> Any thoughts on why packets are not matching? Are there any known issues with
> the 7606s, or is any special configuration missing here?
>
>
> 10 deny ip 10.0.0.0 0.255.255.255 any (6 matches)
> 20 deny ip 192.168.0.0 0.0.255.255 any
> 30 deny ip 172.16.0.0 0.15.255.255 any (4 matches)
> 40 permit tcp any 1.1.0.0 0.0.255.255 established (16 matches)
> 50 permit tcp any 2.2.2.0 0.0.255.255 established
> 100 permit esp any any
> 110 permit ahp any any
> 120 permit icmp any any (7 matches)
> 130 permit gre any any
> 280 permit udp any any eq 6901
> 310 deny ip any 1.1.0.0 0.0.0.255 (9024 matches)
> 320 deny ip any 2.2.0.0 0.0.0.255 (5251 matches)
> 350 permit ip any any (82 matches)
>
> Moreover, I observed that the ping packets are not matching the permit icmp
> any any entry either.
>
> Thanks in Advance
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Sep 28 2010 - 08:45:20 ART
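As an added illustration that is not part of the thread, here is a small Python first-match evaluator run over a subset of the ACL quoted above. It shows why the suggested "deny tcp any any log" matters: a bare inbound SYN to a 1.1.0.0/16 host outside the /24 denied on line 310 fails the established check on line 40 (which needs ACK or RST) and falls through to line 350 permit ip any any. The packet fields and addresses are constructed, and the matcher only implements the keywords the quoted entries use.

```python
import ipaddress

# Subset of the thread's ACL with hit counters stripped (transcribed from the post, not a device export)
ACL_TEXT = """\
10 deny ip 10.0.0.0 0.255.255.255 any
40 permit tcp any 1.1.0.0 0.0.255.255 established
120 permit icmp any any
310 deny ip any 1.1.0.0 0.0.0.255
350 permit ip any any"""

def _take_addr(toks):
    # Consume one address spec, 'any' or 'NETWORK WILDCARD', and return ((net, wc), remaining tokens)
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    return (toks[0], toks[1]), toks[2:]

def _wc_match(addr, net, wc):
    """Cisco wildcard compare: bits set in the wildcard are don't-care bits."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)

def parse_entry(line):
    toks = line.split()
    src, rest = _take_addr(toks[3:])
    dst, rest = _take_addr(rest)
    return dict(seq=int(toks[0]), action=toks[1], proto=toks[2],
                src=src, dst=dst, established="established" in rest)

def entry_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (_wc_match(pkt["src"], *e["src"]) and _wc_match(pkt["dst"], *e["dst"])):
        return False
    # 'established' matches only TCP segments with ACK or RST set, never a bare SYN
    return not e["established"] or pkt.get("ack_or_rst", False)

def evaluate(acl, pkt):
    # First-match evaluation; a packet matching no line hits the implicit deny (seq None)
    for e in acl:
        if entry_matches(e, pkt):
            return e["action"], e["seq"]
    return "deny", None

ACL = [parse_entry(l) for l in ACL_TEXT.splitlines()]

# Constructed packets aimed at a host in 1.1.0.0/16 but outside the 1.1.0.0/24 denied by line 310
INBOUND_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "1.1.5.5", "ack_or_rst": False}
RETURN_ACK = {"proto": "tcp", "src": "198.51.100.7", "dst": "1.1.5.5", "ack_or_rst": True}
PING = {"proto": "icmp", "src": "198.51.100.7", "dst": "1.1.5.5"}

if __name__ == "__main__":
    for name, pkt in [("inbound SYN", INBOUND_SYN), ("return ACK", RETURN_ACK), ("ping", PING)]:
        print(name, "->", evaluate(ACL, pkt))  # the SYN lands on 350 permit, not on a deny
```

Inserting a deny tcp any any (with log) between lines 310 and 350 makes the SYN return a deny verdict instead, and the log keyword is what makes that drop visible even when the counters stay at zero.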