[c-nsp] Strange bug in Catalyst 6500 + SUP720 + ACL

David Prall dcp at dcptech.com
Tue Feb 6 17:18:56 EST 2007


Correct. User at 1.1.1.1 sends a tcp syn to 10.11.1.1 port 80. (inbound)
10.11.1.1 replies with a syn ack from port 80 to 1.1.1.1 which matches the
established in the first line. (outbound)
1.1.1.1 sends an ack to 10.11.1.1 port 80. (inbound)
10.11.1.1 sends data to 1.1.1.1 which matches the established. (outbound)

Your second line allows 10.11.x.x/16 to source tcp packets to anywhere on
1018 - 1023.

David

--
http://dcp.dcptech.com


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan
> Angel Menendez
> Sent: Tuesday, February 06, 2007 4:52 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange bug in Catalyst 6500 + SUP720 + ACL
>
>
>
> 	Hi all,
>
> 	I have the following configuration:
>
> 	interface vlan 7
> 	ip address 10.11.0.0 255.255.0.0
> 	ip access-group 170 out
>
> 	and then ...
>
> 	access-list 170 permit tcp any any established
> 	access-list 170 permit tcp any any range 1018 1023
>
> 	I've found this ACL will permit any tcp connection to
> network 10.11.0.0 to any port.
>
> 	IOS Version is 12.2(18)SXE6
>
> 	Any ideas ?
>
> Regards
> Juan
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
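The reasoning in the reply above is easier to check against a model than by hand, because `established` in an IOS extended ACL is not a connection-tracking feature: per Cisco's documentation it simply matches TCP segments whose ACK or RST bit is set, and the list is evaluated top to bottom with an implicit deny at the end. The following Python model is an added example, not Cisco's code and not anything posted in this thread; it reproduces those two rules, ignores the in/out direction of the interface entirely (each segment is just run through the list), and uses the thread's addresses plus an assumed client port 40000. It shows that only the bare SYN of the HTTP exchange fails line 1, that every later segment of the conversation matches line 1 regardless of port or direction, and, as the caveat a practitioner wants, that a crafted ACK-only segment to a port nobody opened is permitted just the same, since a stateless ACL has no way to know there is no connection behind it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of IOS extended-ACL evaluation for TCP (not Cisco's implementation).
# TCP flag bits as they appear in the 13th byte of the TCP header.
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int  # OR of the TCP flag constants above


@dataclass
class Ace:
    """One access-control entry: `access-list N permit tcp <src> <dst> [range lo hi] [established]`."""
    action: str                                   # "permit" or "deny"
    src: str = "0.0.0.0/0"                        # `any`
    dst: str = "0.0.0.0/0"                        # `any`
    dport_range: Optional[Tuple[int, int]] = None  # `range lo hi` on the destination port, inclusive
    established: bool = False                      # `established`: ACK or RST bit set, nothing more

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if not lo <= p.dport <= hi:
                return False
        # The whole "state" check of a stateless ACL: are ACK or RST set on this segment?
        if self.established and not (p.flags & (ACK | RST)):
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; a segment that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# The two lines from the original post, as modelled entries.
ACL_170 = [
    Ace("permit", established=True),          # access-list 170 permit tcp any any established
    Ace("permit", dport_range=(1018, 1023)),  # access-list 170 permit tcp any any range 1018 1023
]


def http_exchange() -> dict:
    """The four segments of the HTTP connection described in the reply, each run through ACL 170.
    Client port 40000 is an assumption; the thread only gives the addresses and port 80."""
    segments = [
        ("syn", Packet("1.1.1.1", "10.11.1.1", 40000, 80, SYN)),
        ("syn-ack", Packet("10.11.1.1", "1.1.1.1", 80, 40000, SYN | ACK)),
        ("ack", Packet("1.1.1.1", "10.11.1.1", 40000, 80, ACK)),
        ("data", Packet("10.11.1.1", "1.1.1.1", 80, 40000, ACK | PSH)),
    ]
    return {name: evaluate(ACL_170, p) for name, p in segments}


def crafted_ack_probe() -> str:
    """An ACK-only segment to port 22 with no handshake behind it (the classic ACK-scan shape).
    Line 1 cannot tell it from legitimate return traffic, so it is permitted."""
    return evaluate(ACL_170, Packet("1.1.1.1", "10.11.1.1", 40001, 22, ACK))


def new_connection_to_low_port() -> str:
    """A fresh SYN to a port inside `range 1018 1023` is permitted by line 2 even without ACK."""
    return evaluate(ACL_170, Packet("10.11.5.5", "1.1.1.1", 5000, 1020, SYN))


if __name__ == "__main__":
    for name, verdict in http_exchange().items():
        print(f"{name:8s} {verdict}")
    print("ack probe to :22 ", crafted_ack_probe())
    print("syn to :1020     ", new_connection_to_low_port())
```

The model deliberately has no notion of which interface or direction a segment is seen on; that part of the puzzle has to be reasoned out from where `ip access-group 170 out` is attached, and the reply above walks through that. What the model does make concrete is the limit of the `established` keyword: it filters exactly one segment type (the ones without ACK or RST), so anything that sets ACK, whether a real reply or a crafted packet, sails through line 1.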