08-13-2008 08:04 AM - edited 03-11-2019 06:30 AM
I have a customer who has a "permit ip any any" statement configured at the end of an ACL on his inside Firewall. This same statement is not configured on the Firewall that is on the Outside Perimeter of the network.
Each time I have tried to remove the "permit ip any any" statement, eventually the Mail system will break.
I need to capture what traffic is being passed by this statement, but am not sure how to do so, as the capture command can specify an ACL, but not an individual line from an ACL.
Has anyone ever filtered somehow on just one line of a configured ACL and captured the traffic?
08-13-2008 09:04 AM
You can put the keyword "log" at the end of the line. Any traffic that matches it will be logged to the buffer/console/vty/syslog (if you have it configured). What I would do is make another ACL statement above that one that has the mail sever IP and log that one only. Logging on an 'IP any any' will generate a lot of log. Like you stated you could capture, just create a new ACL and point the capture to it (it does not have to be applied to an interface to work). Again I would restrict that ACL to the mail server instead of all traffic.
Good luck and I hope that helps.
08-13-2008 10:06 AM
Yes it does seem like this is working. What is interesting is that I see traffic in the capture that should in fact be matching line statements which are configured within the ACL I have applied to an interface to allow the traffic. But I am not getting any hits on the ACL. Any idea why this behavior may be occurring?
Also, can you tell me what the letters "P" and "F" mean in the following trace packets from the capture?
90: 13:00:48.094004 172.16.1.6.44101 > 192.168.5.6.25: P 4063017374:4063017902(528) ack 995364230 win 64576
91: 13:00:48.106775 172.16.1.6.44101 > 192.168.5.6.25: P 4063017902:4063017908(6) ack 995364323 win 64483
92: 13:00:48.107050 172.16.1.6.44101 > 192.168.5.6.25: F 4063017908:4063017908(0) ack 995364396 win 64411
thx
08-13-2008 10:46 AM
It's hard to tell without seeing the config, it could be any number of things. I'm not sure what P, F, or S stands for. I'd bet something with the TCP state, but I don't know for sure.
08-13-2008 10:52 AM
S stands for TCP SYN, R stands for TCP RESET
08-13-2008 11:34 AM
The "P" indicates the TCP PSH flag is set. Likewise, the "F" indicates a TCP FIN.
Hope that helps.
-Mike
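Added example, not from the thread or from Cisco: a small Python parser for capture lines in the format quoted above. It decodes the flag letters (P = PSH, F = FIN, S = SYN, R = RST, as given in the answers), checks that the byte count in parentheses matches the sequence-number span, and totals what each client-to-server flow carried, which is what you want when deciding whether a narrower ACL line would cover the mail traffic. The meanings assumed for "." (ACK only) and "U" (URG) follow tcpdump's conventions and are not stated in the thread.

```python
import re
from typing import Dict, List, Optional
# Constructed sample in the ASA/PIX "show capture" line format quoted in the thread
# (addresses, ports and sequence numbers are the thread's own example values).
SAMPLE_CAPTURE = """\
90: 13:00:48.094004 172.16.1.6.44101 > 192.168.5.6.25: P 4063017374:4063017902(528) ack 995364230 win 64576
91: 13:00:48.106775 172.16.1.6.44101 > 192.168.5.6.25: P 4063017902:4063017908(6) ack 995364323 win 64483
92: 13:00:48.107050 172.16.1.6.44101 > 192.168.5.6.25: F 4063017908:4063017908(0) ack 995364396 win 64411
"""

# tcpdump-style flag letters; "." and "U" are assumed from tcpdump, the rest are from the thread.
TCP_FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG", ".": "ACK-only"}

LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPRU.]+)\s+(?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<length>\d+)\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?\s+win\s+(?P<win>\d+)"
)

def decode_flags(flags: str) -> List[str]:
    """Expand the flag letters, e.g. 'P' -> ['PSH'], 'F' -> ['FIN']."""
    return [TCP_FLAG_NAMES.get(c, f"?{c}") for c in flags]

def parse_line(line: str) -> Optional[dict]:
    """Parse one TCP capture line into a dict; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    pkt = {k: (int(v) if v is not None and v.isdigit() else v) for k, v in g.items()}
    pkt["flag_names"] = decode_flags(pkt["flags"])
    # The byte count in parentheses must equal the sequence-number span.
    pkt["seq_consistent"] = pkt["seq_hi"] - pkt["seq_lo"] == pkt["length"]
    return pkt

def parse_capture(text: str) -> List[dict]:
    """Parse every TCP line of a capture dump, skipping anything that does not match."""
    return [p for p in map(parse_line, text.splitlines()) if p]

def summarize_flows(packets: List[dict]) -> Dict[str, dict]:
    """Per client->server flow: packet count, payload bytes and whether a FIN was seen."""
    flows: Dict[str, dict] = {}
    for p in packets:
        key = f"{p['src']}:{p['sport']}->{p['dst']}:{p['dport']}"
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "fin_seen": False})
        f["packets"] += 1
        f["bytes"] += p["length"]
        f["fin_seen"] = f["fin_seen"] or "F" in p["flags"]
    return flows
```

Feed it the output of `show capture <name>` saved to a file; flows that never show a FIN or RST are the sessions still open when the capture was taken.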