ACL Issue On Router

Unanswered Question
Feb 8th, 2010

Hi,
I am having an issue with an ACL that I can't seem to figure out. I am trying to create an entry in an existing ACL on my router that will allow a Linux computer (IP 10.245.152.57) to access an open port (port 2967) on a Windows server on the other side of the router. I am able to ping and traceroute from the Linux box to the Windows server.

My ACL is as follows:
ACL 104

10 permit tcp host 10.251.134.201 any eq 2967 established log

When I try to telnet from the Linux box to the open port on the Windows server I receive the following error in the logs:

048432: Feb  8 07:52:09.938 EST: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.245.152.57(23) -> 10.251.134.201(45879), 1 packet

Traceroute works:

traceroute to 10.245.152.57 (10.245.152.57), 30 hops max, 40 byte packets
1  10.251.134.2 (10.251.134.2)  0.792 ms   0.320 ms   0.279 ms
2  10.251.132.2 (10.251.132.2)  1.190 ms   1.201 ms   0.908 ms
3  10.251.254.19 (10.251.254.19)  0.831 ms   1.208 ms   1.282 ms
4  10.2.3.22 (10.2.3.22)  2.374 ms   3.024 ms   2.567 ms
5  192.168.249.109 (192.168.249.109)  1.194 ms   3.700 ms   4.172 ms
6  192.168.192.0 (192.168.192.0)  2.918 ms   2.608 ms   3.298 ms
7  192.168.248.1 (192.168.248.1)  1.806 ms   1.614 ms   1.877 ms
8  192.168.233.186 (192.168.233.186)  6.291 ms   5.992 ms   4.770 ms
9  192.168.193.57 (192.168.193.57)  4.597 ms   5.061 ms   4.489 ms
10  10.213.252.1 (10.213.252.1)  2.926 ms   4.957 ms   5.057 ms
11  10.213.254.169 (10.213.254.169)  694.273 ms   700.061 ms   697.402 ms
12  * 10.245.152.57 (10.245.152.57)  697.690 ms   695.048 ms

The interfaces are configured as follows:

Router1#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.251.134.2    YES NVRAM  up                    up
GigabitEthernet0/0         10.251.133.2    YES NVRAM  up                    up
15    YES NVRAM  up                    up
FastEthernet0/2            unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2         10.251.135.2    YES NVRAM  up                    up
GigabitEthernet0/3         10.251.130.2    YES NVRAM  up                    up
Loopback0                  10.251.255.240  YES NVRAM  up                    up

interface GigabitEthernet0/1
description Connection Test
ip address 10.251.132.4 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication-key 7
duplex auto
speed 1000
media-type rj45
negotiation auto
no cdp enable


interface Ethernet0/0
description connection to managment network
ip address 10.251.134.2 255.255.255.0
ip access-group 108 out
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
no cdp enable
glbp 80 ip 10.251.134.1
glbp 80 timers 5 18
glbp 80 timers redirect 600 7200
glbp 80 preempt delay minimum 15
glbp 80 authentication md5 key-string 7
glbp 80 forwarder preempt delay minimum 15
!


interface GigabitEthernet0/0
description connection to Pro network
ip address 10.251.133.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication-key 7 096F7C5948
duplex auto
speed auto
media-type gbic
negotiation auto
no cdp enable
glbp 55 ip 10.251.133.1
glbp 55 timers 5 18
glbp 55 timers redirect 600 7200
glbp 55 priority 115
glbp 55 preempt delay minimum 15
glbp 55 authentication md5 key-string 7
glbp 55 forwarder preempt delay minimum 15

Giuseppe Larosa Mon, 02/08/2010 - 07:10

Hello Niall,

if the Linux box has to start the session you need to remove the established keyword:

10 permit tcp host 10.251.134.201 any eq 2967 established log

with the established keyword, the initial packets with the SYN flag set are not permitted

write it as:

10 permit tcp host 10.251.134.201 host win-server-ipaddress eq 2967 log

Hope to help

Giuseppe

suryakant.chavan Tue, 02/09/2010 - 13:34

Hello guistar & Niall,

If you look at the deny message from the router, you will find that the statement is from access-list 102, and Niall has implemented access-list 104.

So there is a configuration issue.

If I am wrong, please correct me.

Regards,

Suryakant

Giuseppe Larosa Tue, 02/09/2010 - 13:43

Hello Suryakant,

you are absolutely correct.

we should see this ACL 102 and where it is applied

Hope to help

Giuseppe

niall-wilkins Wed, 02/10/2010 - 05:04

Sorry, I grabbed the wrong ACL error. It should have read 104 as this is from the lab test router I am using. So it's the same error.

9  permit tcp host 10.251.134.201 any eq 2967 log
10 permit icmp any any echo (2600544 matches)
20 permit icmp any any echo-reply (376 matches)
30 permit icmp any any packet-too-big (991 matches)
40 permit icmp any any time-exceeded (3743 matches)
50 permit icmp any any traceroute
60 permit icmp any any unreachable (931 matches)
70 deny ip any any log (93930 matches)

Giuseppe Larosa Wed, 02/10/2010 - 06:02

Hello Niall,

putting together all the info:

>>> %SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets

>>  9  permit tcp host 10.251.134.201 any eq 2967 log

this line allows only host 10.251.134.201, not the host listed in the log line

so you may want to use a line like:

permit tcp 10.251.0.0 0.0.255.255 any eq 2967 log

this should permit the denied attempt

Hope to help

Giuseppe
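To make the matching rules discussed in this thread concrete, here is an added example written for this page (it is not code from the thread, from Cisco, or from any poster): a small Python model of IOS extended-ACL evaluation. It parses entries in the form posted above and runs the packet from the second log line, plus a constructed client-side SYN for the same connection, against the established entry from the first answer, the same entry without established, and the 10.251.0.0 0.0.255.255 wildcard entry. The TCP flags on the logged packet are an assumption, since the log does not show them. A fourth entry, written for the server-to-client direction, is a hypothetical one added here for comparison and is not something proposed in the thread.

```python
"""Minimal model of Cisco IOS extended-ACL matching, written for this page.

Added example, not code from the thread or from Cisco. It parses ACL entries in
the form the posters used and evaluates packets first-match-wins with the
implicit deny at the end. Only what the thread turns on is modelled: protocol,
source/destination as 'host A', 'any' or 'addr wildcard', 'eq <port>' on source
or destination, and 'established' (matches when ACK or RST is set). ICMP type
keywords and 'log' are accepted and ignored.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str            # "permit" | "deny"
    proto: str             # "tcp" | "icmp" | "ip" (ip matches any protocol)
    src: str
    src_wild: str          # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False


def parse_entry(line: str) -> Entry:
    """Parse one 'show access-list' style line, e.g. '10 permit tcp host A any eq 2967 log'."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else 0
    action, proto = toks.pop(0), toks.pop(0)

    def take_addr() -> Tuple[str, str]:
        t = toks.pop(0)
        if t == "any":
            return "0.0.0.0", "255.255.255.255"
        if t == "host":
            return toks.pop(0), "0.0.0.0"
        return t, toks.pop(0)            # "network wildcard"

    def take_port() -> Optional[int]:
        if toks and toks[0] == "eq":
            toks.pop(0)
            return int(toks.pop(0))
        return None

    src, src_wild = take_addr()
    sport = take_port()                   # 'eq' right after the source = source port
    dst, dst_wild = take_addr()
    dport = take_port()                   # 'eq' right after the destination = destination port
    return Entry(seq, action, proto, src, src_wild, dst, dst_wild,
                 sport, dport, "established" in toks)


def _addr_match(addr: str, base: str, wildcard: str) -> bool:
    keep = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & keep == int(IPv4Address(base)) & keep


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _addr_match(p.src, e.src, e.src_wild) or not _addr_match(p.dst, e.dst, e.dst_wild):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: Sequence[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny (seq None)."""
    for e in sorted(acl, key=lambda e: e.seq):
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


# The packet from the thread's second log line. Flags are not in the log; SYN+ACK is
# assumed because a packet *from* port 2967 is the server's side of the handshake.
LOGGED_PKT = Packet("tcp", "10.245.140.67", 2967, "10.251.134.201", 50839, frozenset({"SYN", "ACK"}))
# The client's opening SYN for the same connection (constructed, not from the thread).
CLIENT_SYN = Packet("tcp", "10.251.134.201", 50839, "10.245.140.67", 2967, frozenset({"SYN"}))

ENTRIES = {
    "original": "10 permit tcp host 10.251.134.201 any eq 2967 established log",
    "no_estab": "10 permit tcp host 10.251.134.201 any eq 2967 log",
    "wildcard": "10 permit tcp 10.251.0.0 0.0.255.255 any eq 2967 log",
    # Hypothetical entry for the server->client direction; not proposed in the thread.
    "reverse":  "10 permit tcp any eq 2967 host 10.251.134.201 established log",
}


def outcomes() -> dict:
    """Action each entry gives (client SYN, logged reply packet)."""
    res = {}
    for name, line in ENTRIES.items():
        e = parse_entry(line)
        res[name] = (evaluate([e], CLIENT_SYN)[0], evaluate([e], LOGGED_PKT)[0])
    return res


if __name__ == "__main__":
    for name, (syn, reply) in outcomes().items():
        print(f"{name:9s} client SYN -> {syn:6s}  logged reply -> {reply}")
```

Running it prints, per entry, the action given to the opening SYN and to the logged reply. Two points fall out of the model: "eq 2967" placed after "any" is a destination-port check, so it cannot match a packet whose source port is 2967, and "established" only adds a flags check on top of an address and port match that must already succeed. Whether the reverse-direction entry is the right fix on this router depends on which interface and direction ACL 104 is applied in, which the thread leaves to the "sh access-list 104" output Giuseppe asks for.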

niall-wilkins Tue, 02/09/2010 - 12:05

I added this but it still fails:

permit tcp host 10.251.134.201 any eq 2967 log

%SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets

Giuseppe Larosa Tue, 02/09/2010 - 12:27

Hello Niall,

post the whole ACL config

sh access-list 104

the position of the new ACL line counts

Hope to help

Giuseppe
