Question about access-list of Cisco1812

r.ogawa
Level 1

Hello everyone,

I tested the following compositions.

Client ---------- Cisco 1812

   10.0.0.0/24

-----

・Cisco 1812 config (excerpt)

!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
access-list 100 permit ip any any log
!

------

When I access "http://10.0.0.1/",

Cisco 1812 outputs this log.

*Apr 6 14:23:01.455 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(0) -> 10.0.0.1(0), 5 packets

I don't know why Cisco 1812 outputs "(0)" in this log. I tested two IOS versions, but both output this log.

・12.4(24)T

・12.3(8)YI2

Is it a bug, a restriction or something else?

Thanks

Reiji


Laurent Aubert
Cisco Employee

Hi Reiji,

It's because of the log option you added in your ACL:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1058483

HTH

Laurent.

Reiji

The link provided by Laurent gives a reasonable explanation of the log function used in an access list. But I am not sure that it really addresses the central point of your question. If I am understanding correctly, what you really want to know is why the port numbers in the log report are (0) rather than the (80) that you would normally expect for HTTP traffic. This is one of the subtle behaviors of the log function. If the access list were examining TCP ports, then it could report the TCP port numbers. But since the access list is not examining any TCP port numbers, it cannot report any specific TCP port numbers.

HTH

Rick


Hello Rick,

Very good note. If the ACL line were changed to

permit tcp any any log

the port fields could be populated with real values.

Best Regards

Giuseppe

t-yamashita
Level 7

Hello

If you want the port numbers in the log report, I think you can do as follows.

access-list 100 permit tcp any any eq xxx log

access-list 100 permit ip any any log

[xxx is anything you like. telnet, ftp and of course www]

HTH

Giuseppe

Actually, permit tcp any any log is not good enough. As Tomoyuki illustrates, it needs to check for some value in TCP, such as permit tcp any any eq xxx log.

HTH

Rick

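A small log parser, added here as an example and not part of the thread or of any Cisco tooling, that shows the practical consequence of the (0) fields once these messages are collected centrally: it tags each %SEC-6-IPACCESSLOGP entry with whether the ports were actually examined, so a summary does not treat (0) as TCP port 0. The sample lines are constructed; the first is the message quoted in the question, the second is what a port-matching ACE would log for the same flow.

```python
import re
from typing import Optional

# Constructed parser for the IOS %SEC-6-IPACCESSLOGP message shape seen in this thread:
#   list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_ipaccesslogp(line: str) -> Optional[dict]:
    """Parse one syslog line into a dict; return None for messages of another type."""
    m = LOGP_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    # As Rick explains above, IOS prints (0) when the matching ACE does not inspect
    # Layer-4 ports, so (0) means "not examined", not TCP port 0. Flag that so the
    # entry is not mistaken for a real service when the logs are analysed.
    entry["ports_known"] = entry["sport"] != 0 or entry["dport"] != 0
    return entry

def summarize(lines) -> dict:
    """Packet counts per (ACL, ports_known); only the True bucket can be split by service."""
    stats: dict = {}
    for line in lines:
        e = parse_ipaccesslogp(line)
        if e is not None:
            key = (e["acl"], e["ports_known"])
            stats[key] = stats.get(key, 0) + e["count"]
    return stats

# Constructed sample: line 1 is the message quoted in the question; line 2 is the same
# flow as a port-matching ACE such as "permit tcp any any eq www log" would log it.
SAMPLE_LOG = [
    "*Apr 6 14:23:01.455 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(0) -> 10.0.0.1(0), 5 packets",
    "*Apr 6 14:25:11.002 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(52344) -> 10.0.0.1(80), 3 packets",
    "*Apr 6 14:25:12.100 JST: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))  # {('100', False): 5, ('100', True): 3}
```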