[c-nsp] Strange bug in Catalyst 6500 + SUP720 + ACL

Mike Johnson harbor235 at gmail.com
Tue Feb 6 18:28:17 EST 2007


Dave,

You need to be on 12.2(18)SXF7? (whatever the latest is); there are a lot of
bugs in the other trains.

harbor235   ;}

On 2/6/07, David Prall <dcp at dcptech.com> wrote:
>
> Correct. User at 1.1.1.1 sends a tcp syn to 10.11.1.1 port 80. (inbound)
> 10.11.1.1 replies with a syn ack from port 80 to 1.1.1.1 which matches the
> established in the first line. (outbound)
> 1.1.1.1 sends an ack to 10.11.1.1 port 80. (inbound)
> 10.11.1.1 sends data to 1.1.1.1 which matches the established. (outbound)
>
> Your second line allows 10.11.x.x/16 to source tcp packets to anywhere on
> 1018 - 1023.
>
> David
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan
> > Angel Menendez
> > Sent: Tuesday, February 06, 2007 4:52 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Strange bug in Catalyst 6500 + SUP720 + ACL
> >
> >
> >
> >       Hi all,
> >
> >       I have the following configuration:
> >
> >       interface vlan 7
> >       ip address 10.11.0.0 255.255.0.0
> >       ip access-group 170 out
> >
> >       and then ...
> >
> >       access-list 170 permit tcp any any established
> >       access-list 170 permit tcp any any range 1018 1023
> >
> >       I've found this ACL will permit any tcp connection to
> > network 10.11.0.0 to any port.
> >
> >       IOS Version is 12.2(18)SXE6
> >
> >       Any ideas ?
> >
> > Regards
> > Juan
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
>
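The ACE walkthrough in David's reply, modelled as an added Python example that is not from the thread: the segments are constructed, the model evaluates only the two ACEs of access-list 170, and it ignores which interface or direction the ACL is applied on.

```python
# Added example, not from the thread: a minimal model of how IOS walks the two
# ACEs in access-list 170 (segment values below are constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # constructed TCP flag names, e.g. {"SYN", "ACK"}

def match_established(seg):
    """IOS 'established' is a flag test only: ACK or RST must be set."""
    return bool(seg.flags & {"ACK", "RST"})

def match_dst_range(seg, lo, hi):
    """'permit tcp any any range lo hi' tests the destination port."""
    return lo <= seg.dport <= hi

# access-list 170 permit tcp any any established
# access-list 170 permit tcp any any range 1018 1023
ACL_170 = [
    ("permit", match_established),
    ("permit", lambda s: match_dst_range(s, 1018, 1023)),
]

def evaluate(acl, seg):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for action, test in acl:
        if test(seg):
            return action
    return "deny"

# Constructed segments: David's handshake, plus probes of each ACE.
SEGMENTS = {
    "syn":     Segment("1.1.1.1", "10.11.1.1", 40000, 80, frozenset({"SYN"})),
    "syn_ack": Segment("10.11.1.1", "1.1.1.1", 80, 40000, frozenset({"SYN", "ACK"})),
    "ack":     Segment("1.1.1.1", "10.11.1.1", 40000, 80, frozenset({"ACK"})),
    "data":    Segment("10.11.1.1", "1.1.1.1", 80, 40000, frozenset({"ACK", "PSH"})),
    # ACK set with no prior handshake: 'established' still permits it (flag bits only).
    "ack_to_22":   Segment("1.1.1.1", "10.11.1.1", 40001, 22, frozenset({"ACK"})),
    # Second ACE: destination port inside / outside 1018-1023.
    "syn_to_1020": Segment("10.11.2.2", "1.1.1.1", 5000, 1020, frozenset({"SYN"})),
    "syn_to_1024": Segment("10.11.2.2", "1.1.1.1", 5000, 1024, frozenset({"SYN"})),
}

def trace():
    return {name: evaluate(ACL_170, seg) for name, seg in SEGMENTS.items()}
```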

