ACL Issue On Router

niall-wilkins
Level 1

Hi,
I am having an issue with an ACL that I can't seem to figure out. I am trying to create an entry in an existing ACL on my router that will allow a Linux computer (IP 10.245.152.57) to access an open port (port 2967) on a Windows Server on the other side of the router. I am able to ping and traceroute from the Linux box to the Windows Server.

My ACL is as follows:
ACL 104

10 permit tcp host 10.251.134.201 any eq 2967 established log

When I try and telnet from the Linux box to the open port on the Windows Server I receive the following error in the logs:

048432: Feb  8 07:52:09.938 EST: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.245.152.57(23) -> 10.251.134.201(45879), 1 packet

Trace route works:

traceroute to 10.245.152.57 (10.245.152.57), 30 hops max, 40 byte packets
1  10.251.134.2 (10.251.134.2)  0.792 ms   0.320 ms   0.279 ms
2  10.251.132.2 (10.251.132.2)  1.190 ms   1.201 ms   0.908 ms
3  10.251.254.19 (10.251.254.19)  0.831 ms   1.208 ms   1.282 ms
4  10.2.3.22 (10.2.3.22)  2.374 ms   3.024 ms   2.567 ms
5  192.168.249.109 (192.168.249.109)  1.194 ms   3.700 ms   4.172 ms
6  192.168.192.0 (192.168.192.0)  2.918 ms   2.608 ms   3.298 ms
7  192.168.248.1 (192.168.248.1)  1.806 ms   1.614 ms   1.877 ms
8  192.168.233.186 (192.168.233.186)  6.291 ms   5.992 ms   4.770 ms
9  192.168.193.57 (192.168.193.57)  4.597 ms   5.061 ms   4.489 ms
10  10.213.252.1 (10.213.252.1)  2.926 ms   4.957 ms   5.057 ms
11  10.213.254.169 (10.213.254.169)  694.273 ms   700.061 ms   697.402 ms
12  * 10.245.152.57 (10.245.152.57)  697.690 ms   695.048 ms

The interfaces are configured as follows:

Router1#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                10.251.134.2    YES NVRAM  up                    up
GigabitEthernet0/0         10.251.133.2    YES NVRAM  up                    up
15    YES NVRAM  up                    up
FastEthernet0/2            unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2         10.251.135.2    YES NVRAM  up                    up
GigabitEthernet0/3         10.251.130.2    YES NVRAM  up                    up
Loopback0                  10.251.255.240  YES NVRAM  up                    up

interface GigabitEthernet0/1
description Connection Test
ip address 10.251.132.4 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication-key 7
duplex auto
speed 1000
media-type rj45
negotiation auto
no cdp enable


interface Ethernet0/0
description connection to managment network
ip address 10.251.134.2 255.255.255.0
ip access-group 108 out
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
no cdp enable
glbp 80 ip 10.251.134.1
glbp 80 timers 5 18
glbp 80 timers redirect 600 7200
glbp 80 preempt delay minimum 15
glbp 80 authentication md5 key-string 7
glbp 80 forwarder preempt delay minimum 15
!


interface GigabitEthernet0/0
description connection to Pro network
ip address 10.251.133.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication-key 7 096F7C5948
duplex auto
speed auto
media-type gbic
negotiation auto
no cdp enable
glbp 55 ip 10.251.133.1
glbp 55 timers 5 18
glbp 55 timers redirect 600 7200
glbp 55 priority 115
glbp 55 preempt delay minimum 15
glbp 55 authentication md5 key-string 7

glbp 55 forwarder preempt delay minimum 15

7 Replies

Giuseppe Larosa
Hall of Fame

Hello Niall,

If the Linux box has to start the session, you need to remove the established keyword:

10 permit tcp host 10.251.134.201 any eq 2967 established log

With the established keyword, initial packets with TCP flags set (SYN set) are not permitted.

Write it as:

10 permit tcp host 10.251.134.201 host win-server-ipaddress eq 2967 log

Hope to help

Giuseppe

I added this but it still fails

permit tcp host 10.251.134.201 any eq 2967 log

%SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets

Hello guistar & Niall,

If you look at the deny message from the router, you will find that the statement is from access-list 102, and Niall has implemented access-list 104.

So there is a configuration issue.

If I am wrong Please correct me.

Regards,

Suryakant

Hello Suryakant,

You are absolutely correct.

We should see this ACL 102 and where it is applied.

Hope to help

Giuseppe

Sorry, I grabbed the wrong ACL error. It should have read 104, as this is from the lab test router I am using. So it's the same error.

9  permit tcp host 10.251.134.201 any eq 2967 log
10 permit icmp any any echo (2600544 matches)
20 permit icmp any any echo-reply (376 matches)
30 permit icmp any any packet-too-big (991 matches)
40 permit icmp any any time-exceeded (3743 matches)
50 permit icmp any any traceroute
60 permit icmp any any unreachable (931 matches)
70 deny ip any any log (93930 matches)

Hello Niall,

Putting together all the info:

>>> %SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets

>>  9  permit tcp host 10.251.134.201 any eq 2967 log

This line allows only host 10.251.134.201, not the host listed in the log line.

So you may want to use a line like:

permit tcp 10.251.0.0 0.0.255.255 any eq 2967 log

This should permit the denied attempt.

Hope to help

Giuseppe

Giuseppe Larosa
Hall of Fame

Hello Niall,

Post the whole ACL config:

sh access-list 104

The position of the new ACL line counts.

Hope to help

Giuseppe
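As an added illustration of the three points raised across these replies (not code from any of the posts): the `established` keyword only matches segments with ACK or RST set, so a client's first SYN never hits it; `host 10.251.134.201` matches one source address while a wildcard mask such as `0.0.255.255` matches a range; and entries are checked in order with an implicit deny at the end. The small evaluator below models those Cisco extended-ACL semantics; the packets, their TCP flags and the ACL text are constructed here from the lines quoted in the thread, not captured from the router.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model: 5-tuple plus a set of TCP flag names.
Packet = namedtuple("Packet", "proto src dst sport dport flags")

def addr_match(spec, ip):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (Cisco wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, ip))
    return (n & ~w) == (a & ~w)      # bits set in the wildcard are "don't care"

def parse_ace(text):
    """Parse '[seq] action proto SRC [eq P] DST [eq P] [established] [log]'."""
    tok = text.split()
    if tok[0].isdigit():             # optional sequence number
        tok = tok[1:]
    ace, i = {"action": tok[0], "proto": tok[1], "text": text}, 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = "any", i + 1
        else:                        # 'host X' and 'net wildcard' are two tokens
            ace[side], i = f"{tok[i]} {tok[i + 1]}", i + 2
        if i < len(tok) and tok[i] == "eq":
            ace[side + "port"], i = int(tok[i + 1]), i + 2
    ace["established"] = "established" in tok[i:]
    return ace

def ace_matches(ace, p):
    ok = (ace["proto"] in ("ip", p.proto)
          and addr_match(ace["src"], p.src) and addr_match(ace["dst"], p.dst)
          and ace.get("srcport") in (None, p.sport) and ace.get("dstport") in (None, p.dport))
    # 'established' matches only segments with ACK or RST set, so a fresh SYN fails
    return ok and (not ace["established"] or bool(p.flags & {"ACK", "RST"}))

def evaluate(acl_lines, pkt):
    """First matching entry wins; no match is the implicit deny (line None)."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", None

# The thread's original entry beside the corrected one, and a constructed client SYN
ORIGINAL = ["10 permit tcp host 10.251.134.201 any eq 2967 established log"]
FIXED = ["10 permit tcp host 10.251.134.201 any eq 2967 log"]
CLIENT_SYN = Packet("tcp", "10.251.134.201", "10.245.140.67", 50839, 2967, {"SYN"})
```

`evaluate(ORIGINAL, CLIENT_SYN)` falls through to the implicit deny, while `evaluate(FIXED, CLIENT_SYN)` returns the permit line; feeding the same SYN to a `deny ip any any log` entry placed earlier in the list shows why line position matters.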
