[c-nsp] ACL does not work??
Sergey Velikanov [Intelsoft]
sv at intelsoft.com
Thu Jul 13 07:20:41 EDT 2006
Hi.
We protect customers from typical virus attacks with an ACL; the config looks like this:
interface Vlan136
 ip address 192.168.26.209 255.255.255.240
 ip access-group ipprotocols in
end

interface FastEthernet0/36
 description vlan 136
 switchport access vlan 136
 switchport mode access
 switchport port-security maximum 32
 switchport port-security
 switchport port-security aging time 30
 switchport port-security violation protect
 switchport port-security aging type inactivity
 speed 10
 storm-control broadcast level pps 4k
 storm-control multicast level pps 6k
 storm-control unicast level pps 6k
 storm-control action shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip igmp filter 10
 ip verify source port-security
end
ip access-list extended ipprotocols
 remark --= Deny windows RPC ports =--
 deny tcp any any eq 139
 deny tcp any any eq 135
 deny tcp any any eq 445
 deny udp any any eq 135
 deny udp any any eq 445
 .....
 permit ip any any
In my logic, any outgoing packet from a client with dst port 445 should be dropped by the Cisco, but it doesn't happen.
16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
16:58:16.343113 IP 192.168.26.219.2227 > 192.168.10.83.445: P 5:138(133) ack 1 win 17520
16:58:16.343167 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 138 win 65535
16:58:16.837354 IP 192.168.10.83.445 > 192.168.26.219.2227: P 1:132(131) ack 138 win 65535
16:58:16.838213 IP 192.168.26.219.2227 > 192.168.10.83.445: P 138:142(4) ack 132 win 17389
16:58:16.838267 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 142 win 65531
16:58:16.841071 IP 192.168.26.219.2227 > 192.168.10.83.445: . 142:1602(1460) ack 132 win 17389
16:58:16.842409 IP 192.168.26.219.2227 > 192.168.10.83.445: . 1602:3062(1460) ack 132 win 17389
#sh access-lists ipprotocols
Extended IP access list ipprotocols
10 deny tcp any any eq 139 (2266 matches)
20 deny tcp any any eq 135 (955 matches)
30 deny tcp any any eq 445 (2159 matches)
40 deny udp any any eq 135
50 deny udp any any eq 445
....
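As an added example (not part of the original post), the following script models what the quoted ACL should do with the quoted tcpdump lines: it parses the ACE subset shown above (any/any with an optional destination `eq` port), applies IOS first-match semantics with the implicit deny, and only evaluates packets whose source lies in the Vlan136 subnet, since `ip access-group ipprotocols in` on the SVI sees traffic entering from that VLAN. The ACL and capture lines are reconstructed from the post; the `.....` entries are not modelled.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inputs: the ACEs and tcpdump lines quoted in the post above.
VLAN136 = ip_network("192.168.26.208/28")   # subnet of the SVI carrying the ACL
ACL_TEXT = """\
deny tcp any any eq 139
deny tcp any any eq 135
deny tcp any any eq 445
deny udp any any eq 135
deny udp any any eq 445
permit ip any any"""
CAPTURE = """\
16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
16:58:16.838213 IP 192.168.26.219.2227 > 192.168.10.83.445: P 138:142(4) ack 132 win 17389"""

ACE_RE = re.compile(r"^(permit|deny)\s+(ip|tcp|udp)\s+any\s+any(?:\s+eq\s+(\d+))?$")
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse_acl(text):
    """Parse the ACE subset used in the post; sequence numbers 10, 20, ... like IOS."""
    entries = []
    for seq, line in enumerate(text.splitlines(), start=1):
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, port = m.groups()
        entries.append((seq * 10, action, proto, int(port) if port else None))
    return entries

def evaluate(acl, proto, dport):
    """First matching ACE wins; fall through to the implicit deny at the end."""
    for seq, action, aproto, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if aport is not None and aport != dport:
            continue
        return action, seq
    return "deny", None   # implicit deny

def classify_capture(acl, capture):
    """Per packet: does it enter Vlan136 inbound, and what should the ACL decide?"""
    results = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        inbound = ip_address(src) in VLAN136     # only these hit the 'in' ACL on the SVI
        verdict = evaluate(acl, "tcp", dport) if inbound else ("not evaluated", None)
        results.append((src, sport, dst, dport, inbound, verdict))
    return results
```

The client-to-server packets come back as `('deny', 30)`, which agrees with the growing match counter on sequence 30, while the return packets from port 445 are never evaluated by this ACL; the script shows only what the configured ACL should do, not what the platform actually did.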