[c-nsp] when is an acl entry created? router ios

Pete Lumbis alumbis at gmail.com
Thu Mar 21 14:26:28 EDT 2013


My guess is it is default ACL logging rate limiting.

I'd suggest taking off the "log" keyword and looking at the counts in "show
access-list".



On Thu, Mar 21, 2013 at 6:57 PM, false <jctx09 at yahoo.com> wrote:

> Hello,
>
>
> I need to know what exactly constitutes a hit on an access-list. I was
> doing some troubleshooting and I did not get the expected results. I
> thought the first packet to match would be equal but it looks like it may
> require a 3-way handshake.
>
> I have an extended access-list in place on a 2811 router for
> troubleshooting/logging. I was troubleshooting inbound traffic so I
> stripped away the cbac and existing ACLs from the interface. I then began
> doing a telnet test such as "telnet 192.168.2.80 80" from windows machine
> and then I would review the log to verify it got hit by the ACL. This test
> worked.
>
> I then set up a dummy NAT entry with port 27. I do not have a service
> running on port 27 (of course) but I wanted to see if the initial SYN
> packet would cause it to log a hit. It never did. So does the ACL entry
> creation require a 3-way handshake?
>
> My original goal was to determine why smtp (port 25) traffic isn't hitting
> my mail server. I never see any hits. Thank you.
>
> interface FastEthernet0/1
> ip address dhcp client-id FastEthernet0/1
> ip access-group 124 in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip flow ingress
> ip nat outside
> ip virtual-reassembly in
> duplex auto
> speed auto
> no mop enabled
>
>
> ip nat inside source static tcp 192.168.2.41 25 interface FastEthernet0/1
> 25
> ip nat inside source static tcp 192.168.2.34 1723 interface
> FastEthernet0/1 1723
> ip nat inside source static tcp 192.168.2.34 3389 interface
> FastEthernet0/1 3389
> ip nat inside source static tcp 192.168.2.34 80 interface FastEthernet0/1
> 80
> ip nat inside source static tcp 192.168.2.34 25 interface FastEthernet0/1
> 25
> ip nat inside source static tcp 192.168.2.34 27 interface FastEthernet0/1
> 27
> ip nat inside source route-map test_pmap interface FastEthernet0/1 overload
>
>
> ROUTER01#sh log | inc 24.201.81.44
> 037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124
> permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
> 037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124
> permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet
>
> ROUTER01#
> access-list 124 permit udp any gt 0 any gt 0 log
> access-list 124 permit tcp any gt 0 any gt 0 log
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
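The reply above recommends comparing the syslog lines produced by the "log" keyword with the per-ACE counters from "show access-list", because ACL logging is rate-limited and summarized while the counters record every match. The following Python snippet is an added example, not code from either poster: it parses %SEC-6-IPACCESSLOGP lines (the two from the router output above plus constructed summary lines) and a constructed "show access-list" counter listing (its exact layout is assumed here, not taken from the thread), then reports how many matches each ACE has counted that never appeared in syslog.

```python
import re
from collections import defaultdict

# Syslog line emitted by an ACE carrying the "log" keyword, in the format shown
# in the router output above (each line is a summary; the trailing packet count
# is what matters, not the number of lines).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Counter line from "show access-list"; layout assumed for this example.
COUNTER_RE = re.compile(
    r"^\s*(?P<seq>\d+) (?P<action>permit|deny) (?P<proto>\w+) .*?"
    r"\((?P<matches>\d+) matches?\)"
)

# syslog wording -> ACE keyword
ACTION_MAP = {"permitted": "permit", "denied": "deny"}

# Constructed sample input: first two lines are from the thread, the rest are
# made up to show summarized entries (more than one packet per line).
SAMPLE_LOG = [
    "037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 "
    "permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet",
    "037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 "
    "permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet",
    "037401: Mar 18 20:13:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 "
    "permitted tcp 24.201.81.44(17851) -> 134.134.134.134(25), 7 packets",
    "037402: Mar 18 20:13:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 "
    "permitted udp 24.201.81.44(514) -> 134.134.134.134(53), 3 packets",
]

# Constructed "show access-list" output for the same ACL.
SAMPLE_SHOW_ACCESS_LIST = """\
Extended IP access list 124
    10 permit udp any gt 0 any gt 0 log (12 matches)
    20 permit tcp any gt 0 any gt 0 log (31 matches)
"""


def parse_acl_log(lines):
    """Sum logged packets per (acl, action, proto, dport)."""
    totals = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            key = (m["acl"], m["action"], m["proto"], int(m["dport"]))
            totals[key] += int(m["count"])
    return dict(totals)


def parse_show_access_list(text):
    """Per-ACE match counters keyed by (action, proto)."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[(m["action"], m["proto"])] = int(m["matches"])
    return counters


def unlogged_matches(log_totals, counters):
    """Matches the counters saw that are not (yet) visible in syslog.

    A positive number means traffic did hit the ACE even though no log line
    was produced for it, which is exactly the rate-limiting effect suspected
    in the reply above.
    """
    logged = defaultdict(int)
    for (_acl, action, proto, _dport), n in log_totals.items():
        logged[(ACTION_MAP[action], proto)] += n
    return {key: total - logged.get(key, 0) for key, total in counters.items()}


if __name__ == "__main__":
    totals = parse_acl_log(SAMPLE_LOG)
    counters = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    for key, missing in unlogged_matches(totals, counters).items():
        print(f"{key}: {missing} matches counted but not logged")
```

Run against a real "show log" and "show access-list" capture, any ACE whose counter keeps climbing while its syslog total stays flat confirms the packets are matching and only the log output is being suppressed.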