Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACL Incorrectly Blocking Traffic

This problem is causing my Windows 2000 clients to take a very long time to log on to their remote domain controller.

Due to the SQL Slammer worm, we put ACL's on all Fast/Ethernet interfaces, inbound and outbound:

access-list 110 deny udp any any eq 1434 log

access-list 110 deny udp any eq 1434 any log

access-list 110 permit ip any any

I realize the second line maybe unnecessary.

I ran a protocol analyzer on one of the affected clients. While the client was booting up, the router was showing hits against the first line. The source of the packet was supposedly the client I was testing. But when I viewed the captured packets, there were only a handful of udp datagrams. None of them had a destination port of 1434.

So this leads me to believe the router is incorrectly blocking legitimate datagrams.

When I temporarily disable the ACL on the Ethernet interface, the problem goes away. The client can authenticate against its remote domain controller.

Has anyone encountered this?

3 REPLIES
New Member

Re: ACL Incorrectly Blocking Traffic

You can safely remove the second line.

Bronze

Re: ACL Incorrectly Blocking Traffic

You are assuming that the traffic the router blocked was the "handful" of datagrams caught by the analyzer. But if the counts dont match on the access-list and the analyzer then it wasn't set up right. The list should work without significant delays. The real point may be that it looks like the client is infected.

New Member

Re: ACL Incorrectly Blocking Traffic

I've modified the ACL on affected routers to the follwoing, and it seems to have fixed the problem. The common factors so far are: low-end routers, low-bandwidth circuits, and an old version of the IOS (the most recent I've seen is 11.2(18)).

conf t

access-list 115 permit udp any any eq 69

access-list 115 permit udp any any eq 53

access-list 115 permit udp any any eq 37

access-list 115 permit udp any any eq 137

access-list 115 permit udp any any eq 138

access-list 115 permit udp any any eq 67

access-list 115 permit udp any any eq 68

access-list 115 permit udp any any eq 49

access-list 115 permit udp any any eq 42

access-list 115 deny udp any any eq 1434 log

access-list 115 permit ip any any

int x/x

ip access-group 115 in

ip access-group 115 out

92
Views
0
Helpful
3
Replies
CreatePlease to create content