RE: [nsp] Access-list weirdness

From: Charles Sprickman (spork@inch.com)
Date: Wed Nov 29 2000 - 16:14:34 EST


Thanks. Just copying to the list before I get 30 of these replies :)

That was really stupid, I should have seen this. My only excuse is that
I've been working on Bay Networks routers for the last few days, and they
have caused me to think backwards in a number of ways.

Charles

| Charles Sprickman | Internet Channel
| INCH System Administration Team | (212)243-5200
| spork@inch.com | access@inch.com

On Wed, 29 Nov 2000, Rubens Kuhl Jr. wrote:

>
> Try
> permit tcp any host x.x.x.5 eq smtp log
>
> You were permitting packets with source port 25, and you probably meant
> otherwise.
>
>
> Rubens
>
>
> > -----Original Message-----
> > From: Charles Sprickman [mailto:spork@inch.com]
> > Sent: Wednesday, November 29, 2000 18:46
> > To: cisco-nsp@puck.nether.net
> > Subject: [nsp] Access-list weirdness
> >
> >
> > Hi,
> >
> > I have a 2514 running 11.2(17), and I'm seeing some odd behaviour on a
> > named access list. The box is basically acting as a poor-man's screening
> > firewall, but it seems like the order of matches here is happening in a
> > strange way. Here's a snippet of the list:
> >
> > ! some things to allow at the top of the list
> > permit tcp any eq smtp host x.x.x.5 log
> > permit tcp any eq www host x.x.x.5 log
> > permit tcp any eq 1352 host x.x.x.5 log
> > ! let through "established" sessions
> > permit tcp any any established
> > ! block ranges of udp/tcp ports
> > deny tcp any any range 1 chargen
> > deny udp any any range 1 19
> > deny udp any any range 21 25
> > deny tcp any any range 21 25
> > [... more denies]
> > deny tcp any any
> > deny udp any any
> >
> > This is applied inbound on the outside ethernet interface, but I'm seeing
> > packets dropped to the specific host/port (x.x.x.5 / port 25) I've
> > permitted. They get through if I remove the entry further down the list
> > that denies tcp 21-25.
> >
> > I'm in the middle of bringing this router up to a more current rev of IOS,
> > but I was not able to spot anything in Bug Navigator on this. Am I just
> > doing something stupid that I'm not seeing?
> >
> > Thanks,
> >
> > Charles
> >
> > | Charles Sprickman | Internet Channel
> > | INCH System Administration Team | (212)243-5200
> > | spork@inch.com | access@inch.com
> >
>
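Added example, not part of the original thread or of any Cisco software: a small Python evaluator for the subset of IOS extended-ACL syntax used above ("any"/"host", "eq"/"range", "established", "log"), run against the list from Charles' message and against Rubens' corrected first entry. It shows the point of the thread concretely: in IOS syntax a port operator that follows the source address is a source-port match, so "permit tcp any eq smtp host x.x.x.5" only matches packets sent from port 25, and a normal inbound SMTP SYN (high source port, destination port 25) falls through to "deny tcp any any range 21 25". The packet samples and the 198.51.100.7 address are constructed for the example; x.x.x.5 is the placeholder from the thread, and the port-keyword table covers only the names the list uses.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the thread's list (assumption: only this subset is needed).
PORT_NAMES = {"smtp": 25, "www": 80, "chargen": 19, "ftp": 21, "telnet": 23}


def port_value(tok: str) -> int:
    """Resolve an IOS port keyword or a numeric port string."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    established: bool = False  # True when ACK or RST is set, which is what "established" matches


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip"
    src: Optional[str]              # None means "any"
    sport: Optional[Tuple[int, int]]  # inclusive source-port range, None means any port
    dst: Optional[str]
    dport: Optional[Tuple[int, int]]
    established: bool
    log: bool
    text: str                       # the original line, for reporting which entry matched


def _parse_addr(t: List[str], i: int):
    """Consume "any" or "host A.B.C.D"; return (address or None, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address spec {t[i]!r}")


def _parse_port(t: List[str], i: int):
    """Consume an optional "eq X" or "range X Y"; return (range or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = port_value(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (port_value(t[i + 1]), port_value(t[i + 2])), i + 3
    return None, i


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one ACL line; comments ("!") and blank lines yield None."""
    line = line.strip()
    if not line or line.startswith("!"):
        return None
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)   # a port operator right after the SOURCE address is a source port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)   # a port operator after the DESTINATION address is a destination port
    flags = set(t[i:])
    return Entry(t[0], t[1], src, sport, dst, dport, "established" in flags, "log" in flags, line)


def parse_acl(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def _in_range(rng: Optional[Tuple[int, int]], value: int) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def matches(e: Entry, p: Packet) -> bool:
    if e.proto not in ("ip", p.proto):
        return False
    if e.src is not None and e.src != p.src:
        return False
    if e.dst is not None and e.dst != p.dst:
        return False
    if not _in_range(e.sport, p.sport) or not _in_range(e.dport, p.dport):
        return False
    return p.established or not e.established


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny ip any any"


# The list from the thread (the "[... more denies]" elision is left out).
ORIGINAL_ACL = """
permit tcp any eq smtp host x.x.x.5 log
permit tcp any eq www host x.x.x.5 log
permit tcp any eq 1352 host x.x.x.5 log
permit tcp any any established
deny tcp any any range 1 chargen
deny udp any any range 1 19
deny udp any any range 21 25
deny tcp any any range 21 25
deny tcp any any
deny udp any any
"""

# Rubens' correction: the port operator belongs after the destination address.
FIXED_ACL = ORIGINAL_ACL.replace("permit tcp any eq smtp host x.x.x.5 log",
                                 "permit tcp any host x.x.x.5 eq smtp log")

# Constructed samples: the SYN of an inbound mail delivery, and a SYN that happens to come FROM port 25.
INBOUND_SMTP_SYN = Packet("tcp", "198.51.100.7", 40123, "x.x.x.5", 25)
SYN_FROM_PORT_25 = Packet("tcp", "198.51.100.7", 25, "x.x.x.5", 51000)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for label, pkt in (("inbound smtp", INBOUND_SMTP_SYN), ("syn from port 25", SYN_FROM_PORT_25)):
            action, rule = evaluate(parse_acl(acl), pkt)
            print(f"{name:8s} {label:17s}: {action:6s} by '{rule}'")
```

Running it shows the original list denying the inbound SMTP SYN at "deny tcp any any range 21 25" while permitting a SYN from source port 25 to any port on x.x.x.5, and the fixed list permitting the SMTP SYN at the corrected first entry. A quick way to catch this class of mistake in review is exactly this kind of table-driven check: feed the handful of flows the list is meant to allow and deny through the entries in order and compare which entry terminates each one.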



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:22 EDT