[nsp] Access-list weirdness

From: Charles Sprickman (spork@inch.com)
Date: Wed Nov 29 2000 - 15:46:10 EST


Hi,

I have a 2514 running 11.2(17), and I'm seeing some odd behaviour on a
named access list. The box is basically acting as a poor-man's screening
firewall, but it seems like the order of matches here is happening in a
strange way. Here's a snippet of the list:

! some things to allow at the top of the list
 permit tcp any eq smtp host x.x.x.5 log
 permit tcp any eq www host x.x.x.5 log
 permit tcp any eq 1352 host x.x.x.5 log
! let through "established" sessions
 permit tcp any any established
! block ranges of udp/tcp ports
 deny tcp any any range 1 chargen
 deny udp any any range 1 19
 deny udp any any range 21 25
 deny tcp any any range 21 25
[... more denies]
 deny tcp any any
 deny udp any any

This is applied inbound on the outside ethernet interface, but I'm seeing
packets dropped to the specific host/port (x.x.x.5 / port 25) I've
permitted. They get through if I remove the entry further down the list
that denies tcp 21-25.

I'm in the middle of bringing this router up to a more current rev of IOS,
but I was not able to spot anything in Bug Navigator on this. Am I just
doing something stupid that I'm not seeing?

Thanks,

Charles

| Charles Sprickman | Internet Channel
| INCH System Administration Team | (212)243-5200
| spork@inch.com | access@inch.com
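An added worked example, not part of the original post, to show concretely how IOS extended ACLs interpret the lines quoted above. In the extended-ACL grammar a port operator (eq, neq, gt, lt, range) applies to the address that precedes it, so "permit tcp any eq smtp host X" matches packets whose SOURCE port is 25 going to X on any port; a client's SYN to X:25 arrives from an ephemeral source port, does not match that line, does not match "established" (which requires ACK or RST set), and falls through to "deny tcp any any range 21 25". The toy first-match evaluator below parses the quoted entries (the "[... more denies]" part is omitted, 192.0.2.5 stands in for x.x.x.5 and 198.51.100.7 is a constructed client) and evaluates the same SYN against the list as posted and against a version with the operator moved after the destination address. The port-name table and the packet model are assumptions of the example, not IOS internals.

```python
"""Toy first-match evaluator for Cisco IOS extended-ACL lines (added example)."""
import ipaddress
import operator

# Subset of the service names IOS accepts in place of port numbers (assumed table).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80,
              "chargen": 19, "domain": 53, "pop3": 110}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(toks, i):
    """Return (matcher, next_index) for 'any' | 'host A' | 'A WILDCARD'."""
    if toks[i] == "any":
        return (lambda ip: True), i + 1
    if toks[i] == "host":
        want = ipaddress.ip_address(toks[i + 1])
        return (lambda ip, w=want: ip == w), i + 2
    base = int(ipaddress.ip_address(toks[i]))
    wild = int(ipaddress.ip_address(toks[i + 1]))
    # Bits set in the wildcard mask are don't-care bits.
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), i + 2


def _parse_port(toks, i):
    """Optional port operator; when absent the entry matches any port."""
    ops = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}
    if i >= len(toks) or toks[i] not in ("range", *ops):
        return (lambda p: True), i
    op, a = toks[i], _port(toks[i + 1])
    if op == "range":
        b = _port(toks[i + 2])
        return (lambda p, a=a, b=b: a <= p <= b), i + 3
    return (lambda p, f=ops[op], a=a: f(p, a)), i + 2


def parse_ace(line):
    """Parse one access-list entry; '!' comment lines and blanks yield None."""
    toks = line.split()
    if not toks or toks[0].startswith("!"):
        return None
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)   # operator right after the SOURCE address
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)   # operator right after the DESTINATION address
    return {"text": line.strip(), "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "established": "established" in toks[i:]}


def evaluate(acl_text, pkt):
    """First matching entry wins; an implicit deny closes every IOS ACL.
    pkt: dict(proto, src, sport, dst, dport, flags)."""
    for ace in filter(None, map(parse_ace, acl_text.splitlines())):
        if ace["proto"] not in (pkt["proto"], "ip"):
            continue
        if not (ace["src"](ipaddress.ip_address(pkt["src"]))
                and ace["dst"](ipaddress.ip_address(pkt["dst"]))):
            continue
        if not (ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])):
            continue
        # 'established' matches only segments with ACK or RST set, never a bare SYN.
        if ace["established"] and not ({"ACK", "RST"} & set(pkt["flags"])):
            continue
        return ace["action"], ace["text"]
    return "deny", "<implicit deny>"


# The list as posted (elided lines omitted); 192.0.2.5 stands in for x.x.x.5.
AS_POSTED = """\
 permit tcp any eq smtp host 192.0.2.5 log
 permit tcp any eq www host 192.0.2.5 log
 permit tcp any eq 1352 host 192.0.2.5 log
 permit tcp any any established
 deny tcp any any range 1 chargen
 deny udp any any range 1 19
 deny udp any any range 21 25
 deny tcp any any range 21 25
 deny tcp any any
 deny udp any any
"""

# Same list with the port operator placed after the destination address.
CORRECTED = AS_POSTED.replace(
    " permit tcp any eq smtp host 192.0.2.5 log", " permit tcp any host 192.0.2.5 eq smtp log").replace(
    " permit tcp any eq www host 192.0.2.5 log", " permit tcp any host 192.0.2.5 eq www log").replace(
    " permit tcp any eq 1352 host 192.0.2.5 log", " permit tcp any host 192.0.2.5 eq 1352 log")

# Constructed inbound SYN from an Internet client to the mail server's port 25.
INBOUND_SYN = dict(proto="tcp", src="198.51.100.7", sport=40000,
                   dst="192.0.2.5", dport=25, flags=["SYN"])

if __name__ == "__main__":
    print("as posted:", evaluate(AS_POSTED, INBOUND_SYN))
    print("corrected:", evaluate(CORRECTED, INBOUND_SYN))
```

Running it prints a deny from "deny tcp any any range 21 25" for the list as posted and a permit from the first entry for the corrected list; the same SYN with ACK set would instead be caught by the "established" entry in both versions, which is why return traffic for outbound sessions still works while the mail server looks unreachable from outside.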



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:22 EDT