[c-nsp] ACL does not work??
Joe Zubkavich
joe.zubkavich at starchoice.com
Fri Jul 14 14:35:31 EDT 2006
Having the ACL on the switch at the VLAN level will only protect the switch. An IP set at the VLAN level only is for accessing the switch, not as a transit point for traffic going from one port to another.
Joe Zubkavich
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sergey Velikanov [Intelsoft]
Sent: July 13, 2006 10:36 PM
To: bep at whack.org
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACL does not work??
Bruce Pinsky wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sergey Velikanov [Intelsoft] wrote:
>
>>Hi.
>>
>>We protect customers from typical virus attacks with an ACL; the config looks like
>>
>>interface Vlan136
>> ip address 192.168.26.209 255.255.255.240
>> ip access-group ipprotocols in
>>end
>>
>>interface FastEthernet0/36
>> description vlan 136
>> switchport access vlan 136
>> switchport mode access
>> switchport port-security maximum 32
>> switchport port-security
>> switchport port-security aging time 30
>> switchport port-security violation protect
>> switchport port-security aging type inactivity
>> speed 10
>> storm-control broadcast level pps 4k
>> storm-control multicast level pps 6k
>> storm-control unicast level pps 6k
>> storm-control action shutdown
>> no cdp enable
>> spanning-tree portfast
>> spanning-tree bpduguard enable
>> ip igmp filter 10
>> ip verify source port-security
>>end
>>
>>ip access-list extended ipprotocols
>> remark --= Deny windows RPC ports =--
>> deny tcp any any eq 139
>> deny tcp any any eq 135
>> deny tcp any any eq 445
>> deny udp any any eq 135
>> deny udp any any eq 445
>> .....
>> permit ip any any
>>
>>In my logic, any outgoing packet from the client with dst port 445 should be dropped by the Cisco, but it doesn't happen.
>>
>>16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
>>16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
>>16:58:16.343113 IP 192.168.26.219.2227 > 192.168.10.83.445: P 5:138(133) ack 1 win 17520
>>16:58:16.343167 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 138 win 65535
>>16:58:16.837354 IP 192.168.10.83.445 > 192.168.26.219.2227: P 1:132(131) ack 138 win 65535
>>16:58:16.838213 IP 192.168.26.219.2227 > 192.168.10.83.445: P 138:142(4) ack 132 win 17389
>>16:58:16.838267 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 142 win 65531
>>16:58:16.841071 IP 192.168.26.219.2227 > 192.168.10.83.445: . 142:1602(1460) ack 132 win 17389
>>16:58:16.842409 IP 192.168.26.219.2227 > 192.168.10.83.445: . 1602:3062(1460) ack 132 win 17389
>>
>>
>>#sh access-lists ipprotocols
>>Extended IP access list ipprotocols
>> 10 deny tcp any any eq 139 (2266 matches)
>> 20 deny tcp any any eq 135 (955 matches)
>> 30 deny tcp any any eq 445 (2159 matches)
>> 40 deny udp any any eq 135
>> 50 deny udp any any eq 445
>>....
>>
>>
>
>
> What platform, what version?
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SED1, RELEASE SOFTWARE (fc1)
> Is the tcpdump above taken from the client or
> the destination (presumably 192.168.10.83)?
from destination, 192.168.10.83 is my computer.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
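The following is an added example for this thread, not code from any of the posters or from Cisco: a small Python evaluator that replays the tcpdump lines Sergey posted against his ipprotocols ACL, so the question "should sequence 30 have matched this packet?" can be answered mechanically instead of by eye. The ACL text and the first three capture lines are copied from the post; the UDP and wildcard cases used to exercise it are constructed. It assumes IOS semantics (first match wins, implicit deny at the end, unnumbered entries numbered 10, 20, 30, ...) and supports only the syntax subset the post uses: any/host/wildcard addresses and a single eq port per address.

```python
"""Replay the thread's tcpdump lines against the posted 'ipprotocols' ACL to see which
packets 'deny tcp any any eq 445' (seq 30) would match. Added example for this thread,
not the posters' or Cisco's code; it supports only the IOS extended-ACL syntax used in
the post (any/host/wildcard addresses, a single 'eq' port, first match wins)."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# ACL as posted; the entries elided as '.....' in the post are left out.
ACL_TEXT = """ip access-list extended ipprotocols
 remark --= Deny windows RPC ports =--
 deny tcp any any eq 139
 deny tcp any any eq 135
 deny tcp any any eq 445
 deny udp any any eq 135
 deny udp any any eq 445
 permit ip any any
"""
# First three tcpdump lines from the post (captured on 192.168.10.83).
TCPDUMP_TEXT = """16:58:16.342289 IP 192.168.26.219.2227 > 192.168.10.83.445: P 1:5(4) ack 1 win 17520
16:58:16.342318 IP 192.168.10.83.445 > 192.168.26.219.2227: . ack 5 win 65535
16:58:16.343113 IP 192.168.26.219.2227 > 192.168.10.83.445: P 5:138(133) ack 1 win 17520
"""

Packet = namedtuple("Packet", "proto src sport dst dport")       # proto is 'tcp' or 'udp'
Ace = namedtuple("Ace", "seq action proto src sport dst dport")  # sport/dport: int or None

def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and pkt.src in ace.src and pkt.dst in ace.dst
            and (ace.sport is None or pkt.sport == ace.sport)
            and (ace.dport is None or pkt.dport == ace.dport))

def _addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is the bitwise inverse of a netmask (non-contiguous ones raise).
    mask = str(ip_address(0xFFFFFFFF ^ int(ip_address(tokens[i + 1]))))
    return ip_network((tokens[i], mask), strict=False), i + 2

def _port(tokens, i):
    """Consume an optional 'eq N' at tokens[i]; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text):
    aces, seq = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue  # remarks took no seq number in the posted 'show access-lists'
        tokens = line.split()
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq += 10  # IOS numbers unnumbered entries 10, 20, 30, ...
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, _ = _port(tokens, i)
        aces.append(Ace(seq, tokens[0], tokens[1], src, sport, dst, dport))
    return aces

# tcpdump's default one-line form: '<ts> IP a.b.c.d.SPORT > e.f.g.h.DPORT: ...'
PKT_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+):(.*)$")

def parse_tcpdump(text):
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            src, sport, dst, dport, rest = m.groups()
            proto = "udp" if "UDP" in rest else "tcp"  # tcpdump says 'UDP'; TCP shows flags
            pkts.append(Packet(proto, ip_address(src), int(sport), ip_address(dst), int(dport)))
    return pkts

def evaluate(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace
    return "deny", None

def replay(acl_text=ACL_TEXT, dump_text=TCPDUMP_TEXT):
    """Return (packet summary, action, matched seq or None) for each captured packet."""
    aces, out = parse_acl(acl_text), []
    for p in parse_tcpdump(dump_text):
        action, ace = evaluate(aces, p)
        out.append((f"{p.proto} {p.src}:{p.sport} > {p.dst}:{p.dport}", action, ace.seq if ace else None))
    return out

if __name__ == "__main__":
    for summary, action, seq in replay():
        print(f"{summary:48} -> {action} (seq {seq})")
```

Running it lists the two client packets to 192.168.10.83:445 as denied by sequence 30 and the server's reply (source port 445, destination port 2227) as permitted by sequence 60, so the rule itself does match the traffic in the capture. A router ACL applied to an SVI is consulted only for packets the switch routes through that interface; if the Vlan136 hosts use some other device as their default gateway, their frames are bridged past the SVI at layer 2 and the ACL never sees them, which is the situation Joe's reply describes. Filtering traffic that is bridged within the VLAN takes a VLAN access map rather than an interface ACL.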