08-31-2007 09:31 PM - edited 03-03-2019 06:33 PM
I have the following ACL
access-list 100 permit tcp host 192.168.0.252 any eq www
access-list 100 permit tcp host 192.168.0.252 any eq 443
access-list 100 permit udp host 192.168.0.252 any eq 443
access-list 100 permit udp host 172.16.16.5 host 67.69.184.163 eq domain
access-list 100 permit tcp host 172.16.16.5 any eq www
access-list 100 permit tcp host 172.16.16.5 host 209.226.175.83 eq pop3
access-list 100 permit tcp host 172.16.16.5 host 209.226.175.63 eq smtp
access-list 100 permit tcp host 172.16.16.5 any eq 443
access-list 100 permit udp host 172.16.16.5 any eq 443
access-list 100 permit tcp host 172.16.16.2 host 172.16.16.1 eq telnet
access-list 100 permit tcp host 172.16.16.2 host 1.1.1.1 eq telnet
access-list 100 permit tcp host 172.16.16.5 eq 3389 host 10.10.10.2
access-list 100 permit tcp host 172.16.16.2 host 10.10.10.2 eq 65534
access-list 100 deny tcp any any log
access-list 100 deny udp any any log
access-list 100 deny ip any any log
I apply it to the inbound direction of an interface. Only broadcast traffic dropped by the ACL appears on the syslog server - no unicast.
For example,
telnet 1.2.3.4 1232
Does not show that the connection is being dropped, although it is, and is not forwarded out any interfaces.
09-01-2007 02:13 AM
Hi,
I've copied your exact configuration and it worked perfectly as shown in the attached file, please make sure that you've enabled logging buffered or that you are accessing the router via console.
I've even tried to telnet to another port other than 23 as you've done and I got this:
*Jul 24 11:42:38.821: %SEC-6-IPACCESSLOGP: list 100 denied tcp 155.1.146.4(60849) -> 155.1.146.1(1232), 1 packet
HTH,
Mohammed Mahmoud.
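To check the same behaviour offline, here is an added example (not from either poster): it evaluates a reduced subset of the ACL 100 entries above first-match style against the question's telnet to 1.2.3.4 port 1232, reporting which entry matched and whether that entry carries the log keyword, and parses the %SEC-6-IPACCESSLOGP line from the reply into fields a syslog correlation rule could use. The entries kept, the port numbers for the www/telnet keywords (80, 23) and the implicit deny at the end are assumptions of this example.

```python
import re
from ipaddress import ip_address

# Constructed subset of ACL 100 from the post: (action, proto, src, dst, dport, log).
# "any" matches every address; proto "ip" matches every protocol; dport None = any port.
ACL_100 = [
    ("permit", "tcp", "192.168.0.252", "any", 80, False),
    ("permit", "tcp", "192.168.0.252", "any", 443, False),
    ("permit", "tcp", "172.16.16.2", "172.16.16.1", 23, False),
    ("permit", "tcp", "172.16.16.2", "1.1.1.1", 23, False),
    ("deny", "tcp", "any", "any", None, True),
    ("deny", "udp", "any", "any", None, True),
    ("deny", "ip", "any", "any", None, True),
]


def _addr_match(spec, addr):
    return spec == "any" or ip_address(spec) == ip_address(addr)


def evaluate_acl(acl, proto, src, dst, dport):
    """First-match evaluation: returns (action, entry_index, logged).
    Falls through to the implicit deny (index None, not logged) if nothing matches."""
    for i, (action, p, s, d, port, log) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if not _addr_match(s, src) or not _addr_match(d, dst):
            continue
        if port is not None and port != dport:
            continue
        return action, i, log
    return "deny", None, False


# Pattern for the IOS access-list log message format shown in the reply.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\), (\d+) packets?"
)


def parse_ipaccesslogp(line):
    """Parse one %SEC-6-IPACCESSLOGP syslog line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    keys = ("list", "action", "proto", "src", "sport", "dst", "dport", "packets")
    vals = list(m.groups())
    for k in (4, 6, 7):  # integer fields: sport, dport, packets
        vals[k] = int(vals[k])
    return dict(zip(keys, vals))
```

The question's `telnet 1.2.3.4 1232` from 172.16.16.2 lands on the logged `deny tcp any any log` entry, so an IPACCESSLOGP line for it is expected once logging reaches the buffer or syslog host.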