[c-nsp] ACL does not work??

Sergey Velikanov [Intelsoft] sv at intelsoft.com
Thu Jul 13 22:35:33 EDT 2006


Bruce Pinsky wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sergey Velikanov [Intelsoft] wrote:
> 
>>Hi.
>>
>>We protect customers from typical virus attacks with an ACL; the config looks like
>>
>>interface Vlan136
>>  ip address 192.168.26.209 255.255.255.240
>>  ip access-group ipprotocols in
>>end
>>
>>interface FastEthernet0/36
>>  description vlan 136
>>  switchport access vlan 136
>>  switchport mode access
>>  switchport port-security maximum 32
>>  switchport port-security
>>  switchport port-security aging time 30
>>  switchport port-security violation protect
>>  switchport port-security aging type inactivity
>>  speed 10
>>  storm-control broadcast level pps 4k
>>  storm-control multicast level pps 6k
>>  storm-control unicast level pps 6k
>>  storm-control action shutdown
>>  no cdp enable
>>  spanning-tree portfast
>>  spanning-tree bpduguard enable
>>  ip igmp filter 10
>>  ip verify source port-security
>>end
>>
>>ip access-list extended ipprotocols
>>  remark --= Deny windows RPC ports =--
>>  deny   tcp any any eq 139
>>  deny   tcp any any eq 135
>>  deny   tcp any any eq 445
>>  deny   udp any any eq 135
>>  deny   udp any any eq 445
>>   .....
>>  permit ip any any
>>
>>In my logic any outgoing packet from client with dst port 445 should be dropped by cisco, but it doesn't happen.
>>
>>16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
>>16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
>>16:58:16.343113 IP 192.168.26.219.2227 > 192.168.10.83.445: P 5:138(133) ack 1 win 17520
>>16:58:16.343167 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 138 win 65535
>>16:58:16.837354 IP 192.168.10.83.445 > 192.168.26.219.2227: P 1:132(131) ack 138 win 65535
>>16:58:16.838213 IP 192.168.26.219.2227 > 192.168.10.83.445: P 138:142(4) ack 132 win 17389
>>16:58:16.838267 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 142 win 65531
>>16:58:16.841071 IP 192.168.26.219.2227 > 192.168.10.83.445: . 142:1602(1460) ack 132 win 17389
>>16:58:16.842409 IP 192.168.26.219.2227 > 192.168.10.83.445: . 1602:3062(1460) ack 132 win 17389
>>
>>
>>#sh access-lists ipprotocols
>>Extended IP access list ipprotocols
>>     10 deny tcp any any eq 139 (2266 matches)
>>     20 deny tcp any any eq 135 (955 matches)
>>     30 deny tcp any any eq 445 (2159 matches)
>>     40 deny udp any any eq 135
>>     50 deny udp any any eq 445
>>....
>>
>>
> 
> 
> What platform, what version?  
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SED1, RELEASE SOFTWARE (fc1)

> Is the tcpdump above taken from the client or
> the destination (presumably 192.168.10.83)?

From the destination; 192.168.10.83 is my computer.
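To check the reasoning in the thread (an inbound ACL on Vlan136 should catch the client's packets to port 445, and the capture at 192.168.10.83 shows them getting through anyway), the script below replays the quoted ACL against the quoted tcpdump lines. This is an added example written for this page, not code from the thread, from Cisco IOS, or from any tool the posters used. It assumes the ACL subset actually used in the post (`any`, `host`, address-plus-wildcard, `eq` ports), tcpdump's default `IP src.port > dst.port:` line format with TCP unless `UDP` appears, first-match-wins evaluation with the implicit deny, and that Vlan136 (address 192.168.26.209/28) carries the 192.168.26.208/28 subnet, so only packets sourced there are seen by an ACL applied `in` on that SVI.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample input: the first four tcpdump lines quoted in the post.
TCPDUMP_LINES = """\
16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
16:58:16.343113 IP 192.168.26.219.2227 > 192.168.10.83.445: P 5:138(133) ack 1 win 17520
16:58:16.343167 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 138 win 65535
"""

# The ACL as quoted in the post; the elided "....." entries are left out.
ACL_TEXT = """\
ip access-list extended ipprotocols
 remark --= Deny windows RPC ports =--
 deny   tcp any any eq 139
 deny   tcp any any eq 135
 deny   tcp any any eq 445
 deny   udp any any eq 135
 deny   udp any any eq 445
 permit ip any any
"""

# seq mirrors the numbering "show access-lists" prints; src/dst are "any",
# "host A.B.C.D" or "A.B.C.D WILDCARD"; *_port is the "eq N" on that side or None.
Ace = namedtuple("Ace", "seq action proto src src_port dst dst_port")
Packet = namedtuple("Packet", "proto src sport dst dport")


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) plus an optional 'eq N'."""
    if tokens[0] == "any":
        spec, tokens = "any", tokens[1:]
    elif tokens[0] == "host":
        spec, tokens = f"host {tokens[1]}", tokens[2:]
    else:
        spec, tokens = f"{tokens[0]} {tokens[1]}", tokens[2:]
    port = None
    if tokens[:1] == ["eq"]:
        port, tokens = int(tokens[1]), tokens[2:]
    return spec, port, tokens


def parse_acl(text):
    """Parse a named extended ACL (the syntax subset used in the post)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark"):
            continue
        src, sport, rest = _take_addr(tokens[2:])
        dst, dport, _ = _take_addr(rest)
        aces.append(Ace(10 * (len(aces) + 1), tokens[0], tokens[1], src, sport, dst, dport))
    return aces


def addr_matches(spec, ip):
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ip == value
    keep = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF  # wildcard: 1 bits are don't-care
    return (int(ipaddress.IPv4Address(ip)) & keep) == (int(ipaddress.IPv4Address(kind)) & keep)


_PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_tcpdump(text):
    """Extract 5-tuples from tcpdump's default output; assumed TCP unless 'UDP' appears."""
    pkts = []
    for line in text.splitlines():
        m = _PKT_RE.search(line)
        if m:
            proto = "udp" if "UDP" in line else "tcp"
            pkts.append(Packet(proto, m[1], int(m[2]), m[3], int(m[4])))
    return pkts


def evaluate(aces, pkt):
    """First matching ACE wins; every Cisco ACL ends in an implicit deny."""
    for a in aces:
        if (a.proto in ("ip", pkt.proto)
                and addr_matches(a.src, pkt.src) and addr_matches(a.dst, pkt.dst)
                and a.src_port in (None, pkt.sport) and a.dst_port in (None, pkt.dport)):
            return a.action, a.seq
    return "deny", None


def check_capture(acl_text, dump_text, ingress_net):
    """Verdicts for the packets an 'ip access-group ... in' on the SVI sees: those sourced in the VLAN."""
    aces = parse_acl(acl_text)
    net = ipaddress.ip_network(ingress_net)
    results = []
    for pkt in parse_tcpdump(dump_text):
        if ipaddress.ip_address(pkt.src) in net:  # the server's replies leave the SVI outbound
            verdict, seq = evaluate(aces, pkt)
            results.append((f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}", verdict, seq))
    return results


if __name__ == "__main__":
    # Vlan136 is 192.168.26.209/28, i.e. the 192.168.26.208/28 subnet.
    for flow, verdict, seq in check_capture(ACL_TEXT, TCPDUMP_LINES, "192.168.26.208/28"):
        print(f"{flow:38} {verdict} (ACE {seq})")
```

Run stand-alone, it reports both client-to-server packets as denied by ACE 30, which agrees with the growing `(2159 matches)` counter on that entry in the `show access-lists` output. The server's replies carry 445 as the source port, so `eq 445` on the destination side would never match them, and they are in the outbound direction on the SVI in any case. The ACL logic itself is therefore sound; what the capture at the destination shows is that matched packets were counted but still forwarded, which narrows the question to how the switch enforces the ACL rather than to how it was written.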
