02-08-2010 05:10 AM - edited 03-04-2019 07:26 AM
Hi,
I am having an issue with an ACL that I can't seem to figure out. I am trying to create an entry in an existing ACL on my router that will allow a Linux computer (IP 10.245.152.57) to access an open port (port 2967) on a Windows Server on the other side of the router. I am able to ping and traceroute from the Linux box to the Windows Server.
My ACL is as follows:
ACL 104
10 permit tcp host 10.251.134.201 any eq 2967 established log
When I try and telnet from the Linux box to the open port on the Windows Server I receive the following error in the logs:
048432: Feb 8 07:52:09.938 EST: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.245.152.57(23) -> 10.251.134.201(45879), 1 packet
Trace route works:
traceroute to 10.245.152.57 (10.245.152.57), 30 hops max, 40 byte packets
1 10.251.134.2 (10.251.134.2) 0.792 ms 0.320 ms 0.279 ms
2 10.251.132.2 (10.251.132.2) 1.190 ms 1.201 ms 0.908 ms
3 10.251.254.19 (10.251.254.19) 0.831 ms 1.208 ms 1.282 ms
4 10.2.3.22 (10.2.3.22) 2.374 ms 3.024 ms 2.567 ms
5 192.168.249.109 (192.168.249.109) 1.194 ms 3.700 ms 4.172 ms
6 192.168.192.0 (192.168.192.0) 2.918 ms 2.608 ms 3.298 ms
7 192.168.248.1 (192.168.248.1) 1.806 ms 1.614 ms 1.877 ms
8 192.168.233.186 (192.168.233.186) 6.291 ms 5.992 ms 4.770 ms
9 192.168.193.57 (192.168.193.57) 4.597 ms 5.061 ms 4.489 ms
10 10.213.252.1 (10.213.252.1) 2.926 ms 4.957 ms 5.057 ms
11 10.213.254.169 (10.213.254.169) 694.273 ms 700.061 ms 697.402 ms
12 * 10.245.152.57 (10.245.152.57) 697.690 ms 695.048 ms
The interfaces are configured as follows:
Router1#show ip int brie
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 10.251.134.2 YES NVRAM up up
GigabitEthernet0/0 10.251.133.2 YES NVRAM up up
15 YES NVRAM up up
FastEthernet0/2 unassigned YES NVRAM administratively down down
GigabitEthernet0/2 10.251.135.2 YES NVRAM up up
GigabitEthernet0/3 10.251.130.2 YES NVRAM up up
Loopback0 10.251.255.240 YES NVRAM up up
interface GigabitEthernet0/1
description Connection Test
ip address 10.251.132.4 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication-key 7
duplex auto
speed 1000
media-type rj45
negotiation auto
no cdp enable
interface Ethernet0/0
description connection to managment network
ip address 10.251.134.2 255.255.255.0
ip access-group 108 out
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
no cdp enable
glbp 80 ip 10.251.134.1
glbp 80 timers 5 18
glbp 80 timers redirect 600 7200
glbp 80 preempt delay minimum 15
glbp 80 authentication md5 key-string 7
glbp 80 forwarder preempt delay minimum 15
!
interface GigabitEthernet0/0
description connection to Pro network
ip address 10.251.133.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf authentication-key 7 096F7C5948
duplex auto
speed auto
media-type gbic
negotiation auto
no cdp enable
glbp 55 ip 10.251.133.1
glbp 55 timers 5 18
glbp 55 timers redirect 600 7200
glbp 55 priority 115
glbp 55 preempt delay minimum 15
glbp 55 authentication md5 key-string 7
glbp 55 forwarder preempt delay minimum 15
02-08-2010 07:10 AM
Hello Niall,
if the linux box has to start the session you need to remove the established keyword:
10 permit tcp host 10.251.134.201 any eq 2967 established log
With the established keyword, initial packets with the TCP SYN flag set are not permitted.
write it as:
10 permit tcp host 10.251.134.201 host win-server-ipaddress eq 2967 log
Hope to help
Giuseppe
02-09-2010 12:05 PM
I added this but it still fails
permit tcp host 10.251.134.201 any eq 2967 log
%SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets
02-09-2010 01:34 PM
Hello guistar & Niall,
If you saw the deny message from the router, then you would find that the statement is from access-list 102, while Niall has implemented access-list 104.
So there is a configuration issue.
If I am wrong Please correct me.
Regards,
Suryakant
02-09-2010 01:43 PM
Hello Suryakant,
you are absolutely correct.
we should see this ACL 102 and where it is applied
Hope to help
Giuseppe
02-10-2010 05:04 AM
Sorry, I grabbed the wrong ACL error. It should have read 104, as this is from the lab test router I am using. So it's the same error.
9 permit tcp host 10.251.134.201 any eq 2967 log
10 permit icmp any any echo (2600544 matches)
20 permit icmp any any echo-reply (376 matches)
30 permit icmp any any packet-too-big (991 matches)
40 permit icmp any any time-exceeded (3743 matches)
50 permit icmp any any traceroute
60 permit icmp any any unreachable (931 matches)
70 deny ip any any log (93930 matches)
02-10-2010 06:02 AM
Hello Niall,
putting together all the info
>>> %SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets
>> 9 permit tcp host 10.251.134.201 any eq 2967 log
this line allows only host 10.251.134.201 not the host listed in the log line
so you may want to use a line like:
permit tcp 10.251.0.0 0.0.255.255 any eq 2967 log
this should permit the denied attempt
Hope to help
Giuseppe
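To make the reasoning in the two replies above checkable (the effect of the established keyword, and the source-host mismatch between line 9 and the logged packet), here is an added example in Python; it is not from the thread and not Cisco code. It is a small first-match evaluator for IOS extended ACL lines that parses the ACL 104 listing and the %SEC-6-IPACCESSLOGP line Niall posted, then reports which of the lines proposed in the thread would permit the logged packet. Reading the posted config, ACL 104 is applied with ip access-group 104 in on GigabitEthernet0/1, while 10.251.134.201 sits on the 10.251.134.0/24 subnet of Ethernet0/0, so the packets that reach the ACL are the server's replies with source port 2967, which is exactly what the log shows. Two things in the example are assumptions: the SYN/ACK flags on the logged packet (the log does not record flags), and the fourth candidate line written for that reply direction, which nobody in the thread posted.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed models of what an IOS extended ACL can match on (not IOS code).
Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=[frozenset()])
Ace = namedtuple("Ace", "action proto src_net dst_net sport dport established text")


def _parse_addr(tokens, i):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only).
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix_len = 32 - int(ipaddress.ip_address(tokens[i + 1])).bit_length()
    return ipaddress.ip_network(f"{tokens[i]}/{prefix_len}", strict=False), i + 2


def _parse_port(tokens, i):
    # Consume an optional 'eq N' port operator.
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one 'show access-list' line; sequence numbers and match counters are ignored."""
    tokens = re.sub(r"\(\d+ matches\)", "", line).split()
    if tokens[0].isdigit():
        tokens = tokens[1:]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(tokens[0], tokens[1], src, dst, sport, dport, "established" in tokens[i:], line.strip())


def ace_matches(ace, pkt):
    if ace.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src_net or ipaddress.ip_address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # 'established' matches only segments with ACK or RST set, so never the initial SYN.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First-match evaluation, ending with the implicit deny every IOS ACL has."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


LOG_RE = re.compile(r"list \S+ (?:permitted|denied) (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def packet_from_log(line, flags=frozenset()):
    """Rebuild the packet a %SEC-6-IPACCESSLOGP line describes; flags are not logged, so pass them in."""
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return Packet(proto, src, dst, int(sport), int(dport), flags)


# ACL 104 as posted in the thread (match counters dropped).
ACL_104 = [
    "9 permit tcp host 10.251.134.201 any eq 2967 log",
    "10 permit icmp any any echo",
    "20 permit icmp any any echo-reply",
    "30 permit icmp any any packet-too-big",
    "40 permit icmp any any time-exceeded",
    "50 permit icmp any any traceroute",
    "60 permit icmp any any unreachable",
    "70 deny ip any any log",
]
LOG_LINE = "%SEC-6-IPACCESSLOGP: list 104 denied tcp 10.245.140.67(2967) -> 10.251.134.201(50839), 8 packets"
# Source port 2967 means this is the server's reply toward the client, i.e. the SYN/ACK of the
# handshake; the flags are an assumption because the log line does not carry them.
RETURN_SYNACK = packet_from_log(LOG_LINE, frozenset({"SYN", "ACK"}))

# Lines proposed in the thread, plus one written here for the reply direction (assumed, not from the thread).
CANDIDATES = {
    "original": "10 permit tcp host 10.251.134.201 any eq 2967 established log",
    "no established": "10 permit tcp host 10.251.134.201 any eq 2967 log",
    "subnet source": "10 permit tcp 10.251.0.0 0.0.255.255 any eq 2967 log",
    "reply direction": "10 permit tcp any eq 2967 host 10.251.134.201 established log",
}


def verdicts(pkt=RETURN_SYNACK):
    """Verdict for pkt when each candidate line replaces line 9 of ACL 104."""
    return {name: evaluate([line] + ACL_104[1:], pkt)[0] for name, line in CANDIDATES.items()}
```

Calling verdicts() gives "deny" for the three lines discussed in the thread and "permit" only for the reply-direction line, and evaluating ACL_104 against an ICMP time-exceeded packet returns "permit", which is why the traceroute in the first post succeeds while the TCP connection fails. ICMP type keywords, port operators other than eq, and non-contiguous wildcards are not modelled. Keeping established on a reply-direction line limits the permit to segments carrying ACK or RST, so the router still drops unsolicited SYNs arriving from port 2967 toward the management network; that is the least-privilege shape of a stateless return-traffic permit.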
02-09-2010 12:27 PM
Hello Niall,
post the whole ACL config
sh access-list 104
the position of the new ACL line counts
Hope to help
Giuseppe