Access list question

Does anybody know why the port numbers would be returned blank in a show access-list display?

eg

Sep 24 14:35:58.351 bst: %SEC-6-IPACCESSLOGP: list 123 permitted tcp 166.71.21.43(0) -> 80.32.177.185(0), 1 packet

shouldn't the port number be shown?

cheers,

Daniel

1 REPLY

Re: Access list question

Does your access-list have "permit ip .... " or does it have "permit tcp ... "?

The '(0)' ports are generated when the router didn't know the port numbers, rather than them actually being 0. If your access-list doesn't filter on higher-level ports, the router doesn't bother parsing the TCP/UDP headers, so it can't log the port numbers and just fills in zeros to keep the format consistent.

eg. The access-list:

access-list 123 permit ip any any log

generates log messages like this:

%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.1(0) -> 10.0.1.228(0), 5 packets

with zero ports, whereas the access-list:

access-list 123 permit udp any any range 0 65535 log

access-list 123 permit tcp any any range 0 65535 log

generates log messages like this:

%SEC-6-IPACCESSLOGP: list 123 permitted tcp 10.0.1.1(2862) -> 10.0.1.228(25), 5 packets

with non-zero ports.

Steve
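As an added illustration (not part of Steve's reply or any Cisco tooling), a small Python parser for the IPACCESSLOGP message format that records a (0)/(0) port pair as "ports not parsed" rather than as port 0, so log tooling does not treat it as real traffic to port 0; the sample lines are the ones quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the body of a Cisco IOS %SEC-6-IPACCESSLOGP entry; any leading
# timestamp/hostname prefix is skipped by using search() rather than match().
_IPACCESSLOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)\s*,\s+(?P<count>\d+)\s+packets?"
)


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    count: int
    sport: Optional[int]   # None when the router did not parse the L4 header
    dport: Optional[int]
    ports_known: bool      # False for the "(0) -> (0)" case described above


def parse_ipaccesslogp(line: str) -> Optional[AclLogEntry]:
    """Parse one syslog line; return None if it is not an IPACCESSLOGP entry."""
    m = _IPACCESSLOGP.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # Zeros on both sides mean the ACL matched at the IP layer only, so the
    # router filled the fields in; they are not observed port numbers.
    known = not (sport == 0 and dport == 0)
    return AclLogEntry(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], dst=m["dst"], count=int(m["count"]),
        sport=sport if known else None,
        dport=dport if known else None,
        ports_known=known,
    )


def acls_without_port_info(lines) -> dict:
    """Count, per ACL number, the entries whose ports were never parsed."""
    counts: dict = {}
    for entry in filter(None, map(parse_ipaccesslogp, lines)):
        if not entry.ports_known:
            counts[entry.acl] = counts.get(entry.acl, 0) + 1
    return counts
```

An ACL that keeps showing up in `acls_without_port_info` has only IP-layer entries, so its log output cannot be used for per-port analysis until a `permit tcp`/`permit udp` line with port qualifiers is added.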
