Question about access-list of Cisco1812

Apr 5th, 2009

Hello everyone,


I tested the following configuration.

Client ---------- Cisco 1812
   10.0.0.0/24

-----
・Cisco 1812 config (excerpt)

!
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
access-list 100 permit ip any any log
!
------


When I access "http://10.0.0.1/", Cisco 1812 outputs this log:

*Apr 6 14:23:01.455 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(0) -> 10.0.0.1(0), 5 packets


I don't know why Cisco 1812 outputs "(0)" in this log. I tested two IOS versions, and both output this log.

・12.4(24)T
・12.3(8)YI2

Is it a bug, a restriction, or something else?


Thanks

Reiji

Richard Burts Tue, 04/07/2009 - 13:14

Reiji


The link provided by Laurent gives a reasonable explanation of the log function used in an access list. But I am not sure that it really addresses the central point of your question. If I am understanding correctly, what you really want to know is why the port numbers in the log report are (0) rather than the (80) that you would normally expect for HTTP traffic. This is one of the subtle behaviors of the log function. If the access list were examining TCP ports, then it could report the TCP port numbers. But since the access list is not examining any TCP port numbers, it cannot report any specific TCP port numbers.


HTH


Rick

Giuseppe Larosa Tue, 04/07/2009 - 22:56

Hello Rick,

Very good note. If the ACL line were changed to

permit tcp any any log

the port fields could be populated with real values.


Best Regards

Giuseppe


t-yamashita Wed, 04/08/2009 - 00:10

Hello,


If you want the port numbers in the log report, I think you can do as follows.


access-list 100 permit tcp any any eq xxx log
access-list 100 permit ip any any log


[xxx is anything you like: telnet, ftp and of course www]


HTH

Richard Burts Wed, 04/08/2009 - 16:10

Giuseppe


Actually, permit tcp any any log is not good enough. As Tomoyuki illustrates, it needs to check for some value in TCP, such as permit tcp any any eq xxx log.


HTH


Rick
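As an added example (not code from this thread or from Cisco), a small Python parser for %SEC-6-IPACCESSLOGP lines that flags entries where both ports are (0), meaning the matching ACE never inspected layer-4 ports and the log carries no port data. The first sample line is the one quoted in the question; the second is constructed to show the same flow once the ACE tests a TCP port.

```python
import re

# Regex for the IOS %SEC-6-IPACCESSLOGP message format shown in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Parse one IPACCESSLOGP line into a dict; return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    # Port 0 on both sides means the ACE that matched did not examine TCP/UDP
    # ports (e.g. "permit ip any any log"), so the real ports are unknown.
    # Treat that as missing data for monitoring, not as port 0.
    rec["ports_inspected"] = not (rec["sport"] == 0 and rec["dport"] == 0)
    return rec


# Constructed sample log: line 1 is from the question, line 2 is an assumed
# entry for the same flow after the ACE matches on TCP port 80.
SAMPLE_LOG = """\
*Apr 6 14:23:01.455 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(0) -> 10.0.0.1(0), 5 packets
*Apr 6 14:25:11.002 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(51234) -> 10.0.0.1(80), 1 packet
"""


def audit(log_text):
    """Return (all parsed records, records whose ACE logged no port data)."""
    records = [r for r in (parse_acl_log(l) for l in log_text.splitlines()) if r]
    blind = [r for r in records if not r["ports_inspected"]]
    return records, blind


if __name__ == "__main__":
    recs, blind = audit(SAMPLE_LOG)
    for r in blind:
        print(f"list {r['acl']}: {r['proto']} {r['src']} -> {r['dst']} logged "
              f"without port data; the matching ACE does not test ports")
```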
