[c-nsp] ACL does not work??

Bruce Pinsky bep at whack.org
Thu Jul 13 13:46:09 EDT 2006



Sergey Velikanov [Intelsoft] wrote:
> Hi.
> 
> We protect customers from typical virus attacks with ACL, config looks like
> 
> interface Vlan136
>   ip address 192.168.26.209 255.255.255.240
>   ip access-group ipprotocols in
> end
> 
> interface FastEthernet0/36
>   description vlan 136
>   switchport access vlan 136
>   switchport mode access
>   switchport port-security maximum 32
>   switchport port-security
>   switchport port-security aging time 30
>   switchport port-security violation protect
>   switchport port-security aging type inactivity
>   speed 10
>   storm-control broadcast level pps 4k
>   storm-control multicast level pps 6k
>   storm-control unicast level pps 6k
>   storm-control action shutdown
>   no cdp enable
>   spanning-tree portfast
>   spanning-tree bpduguard enable
>   ip igmp filter 10
>   ip verify source port-security
> end
> 
> ip access-list extended ipprotocols
>   remark --= Deny windows RPC ports =--
>   deny   tcp any any eq 139
>   deny   tcp any any eq 135
>   deny   tcp any any eq 445
>   deny   udp any any eq 135
>   deny   udp any any eq 445
>    .....
>   permit ip any any
> 
> In my logic any outgoing packet from client with dst port 445 should be dropped by cisco, but it doesn't happen.
> 
> 16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
> 16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
> 16:58:16.343113 IP 192.168.26.219.2227 > 192.168.10.83.445: P 5:138(133) ack 1 win 17520
> 16:58:16.343167 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 138 win 65535
> 16:58:16.837354 IP 192.168.10.83.445 > 192.168.26.219.2227: P 1:132(131) ack 138 win 65535
> 16:58:16.838213 IP 192.168.26.219.2227 > 192.168.10.83.445: P 138:142(4) ack 132 win 17389
> 16:58:16.838267 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 142 win 65531
> 16:58:16.841071 IP 192.168.26.219.2227 > 192.168.10.83.445: . 142:1602(1460) ack 132 win 17389
> 16:58:16.842409 IP 192.168.26.219.2227 > 192.168.10.83.445: . 1602:3062(1460) ack 132 win 17389
> 
> 
> #sh access-lists ipprotocols
> Extended IP access list ipprotocols
>      10 deny tcp any any eq 139 (2266 matches)
>      20 deny tcp any any eq 135 (955 matches)
>      30 deny tcp any any eq 445 (2159 matches)
>      40 deny udp any any eq 135
>      50 deny udp any any eq 445
> ....
> 
> 

What platform, what version?  Is the tcpdump above taken from the client or
the destination (presumably 192.168.10.83)?

- --
=========
bep

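To check the expectation in the quoted post against the posted capture, here is an added Python evaluator (not code from the thread or from Cisco) that models the ACL's top-down first-match semantics and the "in" direction of the access-group on the SVI; the two capture lines are taken from the post, and the `/28` subnet is derived from the Vlan136 address and mask shown there.

```python
import re
from ipaddress import ip_address, ip_network

# ACL 'ipprotocols' as posted (the '.....' lines are omitted): evaluated top-down,
# first match wins, implicit deny at the end. In "deny tcp any any eq 445" the
# "eq 445" following the destination "any" matches the DESTINATION port only.
ACL = [
    ("deny", "tcp", 139), ("deny", "tcp", 135), ("deny", "tcp", 445),
    ("deny", "udp", 135), ("deny", "udp", 445),
    ("permit", "ip", None),
]
VLAN136 = ip_network("192.168.26.208/28")  # from 'ip address 192.168.26.209 255.255.255.240'

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_tcpdump(line, proto="tcp"):
    """Pull src/sport/dst/dport out of a tcpdump 'IP a.b.c.d.p > e.f.g.h.q:' line."""
    m = LINE.search(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return {"proto": proto, "src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4])}

def acl_action(pkt):
    """First-match evaluation of ACL against one packet."""
    for action, proto, dport in ACL:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"  # implicit deny at the end of every Cisco ACL

def expected_on_vlan136_in(pkt):
    """An access-group applied 'in' on the SVI only evaluates packets entering the
    router from VLAN 136, i.e. those sourced by a host on that subnet; replies going
    the other way are 'out' on Vlan136 and are never checked by this ACL."""
    if ip_address(pkt["src"]) not in VLAN136:
        return "not evaluated (outbound on Vlan136)"
    return acl_action(pkt)

# Two lines from the capture in the thread: the client's request and the server's reply.
CAPTURE = [
    "16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520",
    "16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535",
]

def audit(lines=CAPTURE):
    """Return (src, dst, verdict) per capture line as the inbound ACL should see it."""
    return [(l.split()[2], l.split()[4].rstrip(":"), expected_on_vlan136_in(parse_tcpdump(l)))
            for l in lines]

if __name__ == "__main__":
    for src, dst, verdict in audit():
        print(f"{src} -> {dst}: {verdict}")
```

The client-to-server packet in the capture matches ACE 30 (`deny tcp any any eq 445`), consistent with the growing match counter; the reply has 445 as its source port, so it would never match `eq 445` and is in any case not subject to an inbound ACL on Vlan136.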

