Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

identifying traffic which is matching an ACL

I have a customer whom has a "permit ip any any statement" configured at the end of an ACL on his inside Firewall. This same statement is not configured on the Firewall that is on the OUtside Perimeter of the network.

Each time I have tried to remove the "permit ip any any " statement , eventually the Mail system will break.

I need to capture what traffic is being passed by this statement, but am not sure how to do so, as the capture command can specify an ACL, but not an individual line from an ACL.

Has anyone ever filtered somehow on just one line of a configured ACL and captured the traffic?

5 REPLIES

Re: identifying traffic which is matching an ACL

You can put the keyword "log" at the end of the line. Any traffic that matches it will be logged to the buffer/console/vty/syslog (if you have it configured). What I would do is make another ACL statement above that one that has the mail sever IP and log that one only. Logging on an 'IP any any' will generate a lot of log. Like you stated you could capture, just create a new ACL and point the capture to it (it does not have to be applied to an interface to work). Again I would restrict that ACL to the mail server instead of all traffic.

Good luck and I hope that helps.

New Member

Re: identifying traffic which is matching an ACL

Yes it does seem like this is working. What is interesting is that i see traffic in the capture that should in fact be matching line statements which are configured within the ACL i have applied to an interface to allow the traffic. But I am not getting any hits on the ACL. any idea why this behavior may be occuring?

Also, can you tell me what the letters "P" and "F" mean in the following trace packets from the capture?

90: 13:00:48.094004 172.16.1.6.44101 > 192.168.5.6.25: P 4063017374:4063017902(528) ack 995364230 win 64576

91: 13:00:48.106775 172.16.1.6.44101 > 192.168.5.6.25: P 4063017902:4063017908(6) ack 995364323 win 64483

92: 13:00:48.107050 172.16.1.6.44101 > 192.168.5.6.25: F 4063017908:4063017908(0) ack 995364396 win 64411

thx

Re: identifying traffic which is matching an ACL

It's hard to tell without seeing the config, it could be any number of things. I'm not sure what P,F,or S stands for. I'd bet something with the TCP state, but I don't know for sure

Re: identifying traffic which is matching an ACL

S stands for TCP SYN, R stands for TCP RESET

Re: identifying traffic which is matching an ACL

The "P" indicates the TCP PSH flag is set. Likewise, the "F" indicates a TCP FIN.

Hope that helps.

-Mike

131
Views
14
Helpful
5
Replies