RE: Packets do not match ACL entries

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Mon, 27 Sep 2010 19:23:07 -0400

You will not always see hits in the ACL. Have you tried adding a "deny tcp
any any log" to see if you are actually dropping the traffic and not
permitting it with the permit ip any any at the end?

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
sinanakyildiz_at_gmail.com
Sent: Monday, September 27, 2010 4:29 PM
To: ccielab_at_groupstudy.com
Subject: Packets do not match ACL entries

Hi Guys,
 
I have applied an inbound ACL on the Vlan interface of a 7606. After monitoring
the ACL, it seems packets are not matching the permit statements in the ACL as
expected (entries 40, 50).
1.1.0.0/16 and 2.2.0.0/16 are just for example. One of the purposes of this ACL
is to deny all incoming TCP connection requests but allow TCP sessions only for
those initiated from inside the network.
Any thoughts why packets are not matching? Are there any known issues for the
7606s or any special configuration missing here?
 
 
    10 deny ip 10.0.0.0 0.255.255.255 any (6 matches)
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 deny ip 172.16.0.0 0.15.255.255 any (4 matches)
    40 permit tcp any 1.1.0.0 0.0.255.255 established (16 matches)
    50 permit tcp any 2.2.2.0 0.0.255.255 established
    100 permit esp any any
    110 permit ahp any any
    120 permit icmp any any (7 matches)
    130 permit gre any any
    280 permit udp any any eq 6901
    310 deny ip any 1.1.0.0 0.0.0.255 (9024 matches)
    320 deny ip any 2.2.0.0 0.0.0.255 (5251 matches)
    350 permit ip any any (82 matches)
 
 Moreover, I observed that the ping packets are not matching the permit icmp
any any entry either.
 
Thanks in Advance
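An added example, not code from either message in this thread: a small Python model of IOS first-match extended-ACL evaluation (wildcard masks, "established", "eq <port>"), fed the ACL exactly as posted plus a handful of constructed packets, to show what the suggested "deny tcp any any log" probe would catch. Sequence number 340 for the probe, the Packet/Entry names and the sample addresses (198.51.100.7 and friends) are this example's own assumptions. The thing to notice in the output: entries 310 and 320 deny only the first /24 of each /16, while the established entries 40 and 50 cover the whole /16, so a new inbound SYN to any other /24 of those ranges is not caught by 310/320 and reaches 350 permit ip any any. The model only shows which entry each packet logically hits; it says nothing about whether the 7606 increments hit counters for hardware-switched traffic.

```python
"""Offline first-match model of the posted inbound ACL (example only)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The ACL as shown in the original post; the parser ignores the counters.
POSTED_ACL = """
10 deny ip 10.0.0.0 0.255.255.255 any (6 matches)
20 deny ip 192.168.0.0 0.0.255.255 any
30 deny ip 172.16.0.0 0.15.255.255 any (4 matches)
40 permit tcp any 1.1.0.0 0.0.255.255 established (16 matches)
50 permit tcp any 2.2.2.0 0.0.255.255 established
100 permit esp any any
110 permit ahp any any
120 permit icmp any any (7 matches)
130 permit gre any any
280 permit udp any any eq 6901
310 deny ip any 1.1.0.0 0.0.0.255 (9024 matches)
320 deny ip any 2.2.0.0 0.0.0.255 (5251 matches)
350 permit ip any any (82 matches)
"""

# Tyson's suggested probe. Sequence 340 (just ahead of 350) is an assumption.
PROBE_ENTRY = "340 deny tcp any any log"


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", "esp", "ahp", "gre"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK or RST bit set -> matches "established"


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: Tuple[int, int]        # (network, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    established: bool = False
    eq_port: Optional[int] = None   # destination port only (as in entry 280)
    log: bool = False


def _addr_spec(tokens: List[str]) -> Tuple[int, int]:
    """Consume one IOS address spec (any | host A | A W) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        toks = re.sub(r"\(\d+ matches\)", "", line).split()
        if not toks:
            continue
        seq, action, proto, rest = int(toks[0]), toks[1], toks[2], toks[3:]
        e = Entry(seq, action, proto, _addr_spec(rest), _addr_spec(rest))
        while rest:                      # trailing qualifiers after the dst spec
            t = rest.pop(0)
            if t == "established":
                e.established = True
            elif t == "eq":
                e.eq_port = int(rest.pop(0))
            elif t == "log":
                e.log = True
        entries.append(e)
    return sorted(entries, key=lambda e: e.seq)


def _in_range(addr: str, spec: Tuple[int, int]) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_in_range(p.src, e.src) and _in_range(p.dst, e.dst)):
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False            # a bare SYN never matches "established"
    if e.eq_port is not None and p.dport != e.eq_port:
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> Tuple[Optional[int], str]:
    """First match wins; the implicit deny at the end returns (None, 'deny')."""
    for e in acl:
        if matches(e, p):
            return e.seq, e.action
    return None, "deny"


def with_probe(text: str) -> List[Entry]:
    """The posted ACL plus the logging deny, as Tyson suggests."""
    return parse_acl(text + "\n" + PROBE_ENTRY)


# Constructed sample packets, not traffic from the thread.
SAMPLES: Dict[str, Packet] = {
    "rfc1918_src":       Packet("tcp", "10.1.1.1", "1.1.0.5", 443),
    "syn_to_first_24":   Packet("tcp", "198.51.100.7", "1.1.0.5", 22),
    "ack_to_first_24":   Packet("tcp", "198.51.100.7", "1.1.0.5", 22, ack=True),
    "syn_to_rest_of_16": Packet("tcp", "198.51.100.7", "1.1.7.5", 22),
    "ping":              Packet("icmp", "198.51.100.7", "1.1.7.5"),
    "udp_6901":          Packet("udp", "198.51.100.7", "1.1.0.5", 6901),
}


def trace(acl: List[Entry], packets: Dict[str, Packet]) -> Dict[str, Tuple[Optional[int], str]]:
    """Which (sequence, action) decides each sample packet."""
    return {name: evaluate(acl, p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", parse_acl(POSTED_ACL)), ("with probe", with_probe(POSTED_ACL))):
        print(label)
        for name, (seq, action) in trace(acl, SAMPLES).items():
            print(f"  {name:20} -> {action} (entry {seq})")
```

Run as posted, "syn_to_rest_of_16" lands on 350 permit; with the probe in place the same packet lands on 340 deny and would show up in the log, while the ACK-bearing reply traffic still takes entry 40.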

Blogs and organic groups at http://www.ccie.net
Received on Mon Sep 27 2010 - 19:23:07 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:06 ART