[c-nsp] No ACL egress logging on 3550s (12.2(44)SE3)

Jeff Kell jeff-kell at utc.edu
Fri May 8 09:28:24 EDT 2009


Jon Lewis wrote:
> I didn't think ACL logging worked in either direction on the 3550.  I
> ran across something even more disturbing recently.  A customer had an
> apparently compromised system found SSH scanning remote hosts.  I put
> a simple ACL on the customer's layer 3 port (i.e. no switchport, ip
> address ...),
> ip access-list extended f0/48-in-acl
>  deny   tcp any any eq 22
>  permit ip any any
>
> According to netflow (on our 6500s upstream of the 3550s) some SSH
> scanning traffic was still getting through...

That was "sort of" the case here.  There was an ACL that enumerated a
list of IPs that were permitted to access a server, applied as "ip
access-group named-acl out" to the SVI of the server's subnet.

There was an addition to be made, the new address was in a ticket, but
when we called to verify, they said they "already had access".

That was when I discovered the no logging issue (there was a deny ip any
any log to catch the punted packets).  I then nmapped the server from an
unauthorized IP, and got the expected "filtered" returns, but no logging.

I have been unable to reproduce the "traffic goes through anyway" case
(that's scarier than the no logging bit).

I don't have this problem with 3560s and up; they behave as expected
(just verified on a 3560 w/12.2(35)SE). It appears to be a 3550 thing.
Maybe I just need a stimulus upgrade grant :-)

Jeff
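
An added example, not code from either post: a small Python first-match evaluator for IOS extended ACL entries, for the question that came up in the ticket ("does this address already have access, and which entry does a scan from an unauthorized IP hit?"). The ACL body, names and addresses below are constructed (RFC 5737 documentation ranges) in the shape Jeff describes, a short permit list in front of a `deny ip any any log`. It models only the ACL semantics, not the platform: whether a matching `log` entry actually emits a message is exactly the 3550 behaviour under discussion, so an upstream check (netflow, ACL counters) is still the thing to trust.

```python
"""First-match evaluation of Cisco IOS extended ACL entries (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One parsed access-control entry."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches everything; else must equal pkt.proto
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]           # "eq N" after the source, if present
    dport: Optional[int]           # "eq N" after the destination, if present
    log: bool                      # trailing "log" / "log-input"
    text: str                      # the original line, for reporting


@dataclass
class Packet:
    """Constructed test packet; ports stay None for non-TCP/UDP traffic."""
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks; only contiguous masks are handled."""
    inv = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(inv).count("1")
    if inv != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD', then optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        net, i = wildcard_to_network(tokens[i], tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, port, i


def parse_acl(config: str) -> List[Ace]:
    """Parse the body of an 'ip access-list extended NAME' block, skipping remarks."""
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark")):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line}")
        src, sport, i = _parse_endpoint(tokens, 2)
        dst, dport, i = _parse_endpoint(tokens, i)
        log = i < len(tokens) and tokens[i] in ("log", "log-input")
        aces.append(Ace(action, proto, src, dst, sport, dport, log, line))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, bool, Optional[str]]:
    """Return (action, logged, matching line); the implicit trailing deny never logs."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action, ace.log, ace.text
    return "deny", False, None


# Constructed ACL (hypothetical name and RFC 5737 addresses): a permit list for
# one server, then a logging catch-all, as in the scenario described above.
SERVER_ACL = """
ip access-list extended server-out-acl
 remark sources allowed to reach the server (constructed example)
 permit ip host 192.0.2.10 host 198.51.100.5
 permit ip 192.0.2.64 0.0.0.63 host 198.51.100.5
 deny   tcp any host 198.51.100.5 eq 22
 deny   ip any any log
"""

if __name__ == "__main__":
    aces = parse_acl(SERVER_ACL)
    for pkt in (
        Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 22),    # listed host
        Packet("192.0.2.100", "198.51.100.5", "tcp", 40000, 443),  # inside the /26
        Packet("203.0.113.7", "198.51.100.5", "tcp", 40000, 22),   # SSH scan: deny, no log
        Packet("203.0.113.7", "198.51.100.5", "udp", 40000, 161),  # falls to the logging deny
    ):
        action, logged, line = evaluate(aces, pkt)
        print(f"{pkt.src:>12} -> {pkt.proto}/{pkt.dport}: {action}"
              f"{' (log)' if logged else ''}  via {line or 'implicit deny'}")
```

Running it shows why "they already had access" can be true without the requested host appearing literally in the list (a wildcard entry covers it), and why a scan can be dropped by an earlier non-logging deny without ever reaching the `deny ip any any log` entry. The parser handles `any`, `host`, contiguous wildcards and `eq` ports only; ranges, `gt`/`lt`, established and object groups are out of scope.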
