
List:       cisco-nsp
Subject:    RE: [nsp] Access-list weirdness
From:       Charles Sprickman <spork () inch ! com>
Date:       2000-11-29 21:14:34

Thanks.  Just copying to the list before I get 30 of these replies :)

That was really stupid, I should have seen this.  My only excuse is that
I've been working on Bay Networks routers for the last few days, and they
have caused me to think backwards in a number of ways.

Charles

| Charles Sprickman                  | Internet Channel
| INCH System Administration Team    | (212)243-5200
| spork@inch.com                     | access@inch.com

On Wed, 29 Nov 2000, Rubens Kuhl Jr. wrote:

>
> Try
> permit tcp any host x.x.x.5 eq smtp log
>
> You were permitting packets with source port 25, and you probably meant
> otherwise.
>
>
> Rubens
>
>
> > -----Original Message-----
> > From: Charles Sprickman [mailto:spork@inch.com]
> > Sent: quarta-feira, 29 de novembro de 2000 18:46
> > To: cisco-nsp@puck.nether.net
> > Subject: [nsp] Access-list weirdness
> >
> >
> > Hi,
> >
> > I have a 2514 running 11.2(17), and I'm seeing some odd behaviour on a
> > named access list.  The box is basically acting as a poor-man's screening
> > firewall, but it seems like the order of matches here is happening in a
> > strange way.  Here's a snippet of the list:
> >
> > ! some things to allow at the top of the list
> >  permit tcp any eq smtp host x.x.x.5 log
> >  permit tcp any eq www host x.x.x.5 log
> >  permit tcp any eq 1352 host x.x.x.5 log
> > ! let through "established" sessions
> >  permit tcp any any established
> > ! block ranges of udp/tcp ports
> >  deny   tcp any any range 1 chargen
> >  deny   udp any any range 1 19
> >  deny   udp any any range 21 25
> >  deny   tcp any any range 21 25
> > [... more denies]
> >  deny tcp any any
> >  deny udp any any
> >
> > This is applied inbound on the outside ethernet interface, but I'm seeing
> > packets dropped to the specific host/port (x.x.x.5 / port 25) I've
> > permitted.  They get through if I remove the entry further down the list
> > that denies tcp 21-25.
> >
> > I'm in the middle of bringing this router up to a more current rev of IOS,
> > but I was not able to spot anything in Bug Navigator on this.  Am I just
> > doing something stupid that I'm not seeing?
> >
> > Thanks,
> >
> > Charles
> >
> > | Charles Sprickman                  | Internet Channel
> > | INCH System Administration Team    | (212)243-5200
> > | spork@inch.com                     | access@inch.com
> >
>
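As an added illustration of Rubens' point (not code from the thread), a small Python model of first-match ACL evaluation: it parses the entries quoted above and shows that the original line only matches packets whose source port is 25, so a new inbound SMTP connection to x.x.x.5 falls through to the "range 21 25" deny, while the corrected line permits it. The evaluator understands only the keywords used in the post; the 203.0.113.9 source address is a constructed example.

```python
# Added example (not from the thread): first-match evaluation of the subset of
# Cisco extended-ACL syntax quoted above. x.x.x.5 is the post's placeholder;
# the source address 203.0.113.9 is a constructed Internet host.
PORT_NAMES = {"smtp": 25, "www": 80, "chargen": 19}
ANY = (0, 65535)
def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _endpoint(toks):
    """Parse 'any' or 'host A.B.C.D', then an optional 'eq P' / 'range A B'."""
    addr, toks = (None, toks[1:]) if toks[0] == "any" else (toks[1], toks[2:])
    if toks and toks[0] == "eq":
        return addr, (_port(toks[1]),) * 2, toks[2:]
    if toks and toks[0] == "range":
        return addr, (_port(toks[1]), _port(toks[2])), toks[3:]
    return addr, ANY, toks

def parse_acl(text):
    """Return [(action, proto, src, sports, dst, dports, established), ...]."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("!"):
            continue  # blank line or comment
        src, sports, rest = _endpoint(toks[2:])
        dst, dports, rest = _endpoint(rest)
        entries.append((toks[0], toks[1], src, sports, dst, dports, "established" in rest))
    return entries

def lookup(entries, proto, src, sport, dst, dport, ack):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, p, s, sp, d, dp, est in entries:
        if (p == proto and s in (None, src) and d in (None, dst)
                and sp[0] <= sport <= sp[1] and dp[0] <= dport <= dp[1]
                and (ack or not est)):
            return action
    return "deny"

ORIGINAL = """\
 permit tcp any eq smtp host x.x.x.5 log
 permit tcp any any established
 deny   tcp any any range 21 25
 deny   tcp any any
"""
# Rubens' correction: the port qualifier belongs on the destination.
FIXED = ORIGINAL.replace("any eq smtp host x.x.x.5", "any host x.x.x.5 eq smtp")
def decide(acl_text, sport, dport, ack=False):
    """Action for one TCP packet from the Internet to x.x.x.5."""
    return lookup(parse_acl(acl_text), "tcp", "203.0.113.9", sport, "x.x.x.5", dport, ack)
```

The original entry is also broader than intended: it lets any TCP packet sourced from port 25 reach any port on x.x.x.5 ahead of the denies, which the corrected entry no longer does.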
