Cisco Support Community
New Member

Question about access-list of Cisco1812

Hello everyone,

I tested the following setup.

Client ---------- Cisco 1812

   10.0.0.0/24

-----

・Cisco 1812 config (excerpt)

!
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
access-list 100 permit ip any any log
!

------

When I access "http://10.0.0.1/",

Cisco 1812 outputs this log.

*Apr 6 14:23:01.455 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.0.0.10(0) -> 10.0.0.1(0), 5 packets

I don't know why the Cisco 1812 outputs "(0)" in this log. I tested two IOS versions, but both output this log.

・12.4(24)T

・12.3(8)YI2

Is it a bug, a restriction, or something else?

Thanks

Reiji

5 REPLIES
Cisco Employee

Re: Question about access-list of Cisco1812

Hi Reiji,

It's because of the log option you added in your ACL:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1058483

HTH

Laurent.

Hall of Fame Super Silver

Re: Question about access-list of Cisco1812

Reiji

The link provided by Laurent gives a reasonable explanation of the log function used in an access list. But I am not sure that it really addresses the central point of your question. If I am understanding correctly, what you really want to know is why the port numbers in the log report are (0) rather than the (80) that you would normally expect for HTTP traffic. This is one of the subtle behaviors of the log function. If the access list were examining TCP ports, then it could report the TCP port numbers. But since the access list is not examining any TCP port numbers, it cannot report any specific TCP port numbers.

HTH

Rick

Hall of Fame Super Silver

Re: Question about access-list of Cisco1812

Hello Rick,

Very good note. If the ACL line were changed to

permit tcp any any log

the port fields could be populated with real values.

Best Regards

Giuseppe

Re: Question about access-list of Cisco1812

Hello,

If you want the port numbers in the log report, I think you can do as follows.

access-list 100 permit tcp any any eq xxx log

access-list 100 permit ip any any log

[xxx is anything you like: telnet, ftp and of course www]

HTH

Hall of Fame Super Silver

Re: Question about access-list of Cisco1812

Giuseppe

Actually, permit tcp any any log is not good enough. As Tomoyuki illustrates, it needs to check for some value in TCP, such as permit tcp any any eq xxx log.

HTH

Rick
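The behaviour the thread settles on matters for anyone feeding IOS ACL logs into a SIEM: a "(0) -> (0)" entry does not mean the connection used port 0, it means the matching ACE never inspected ports, so the log carries less information than it appears to. The following is an added example, not code from this thread or from Cisco. It parses %SEC-6-IPACCESSLOGP lines into structured records, flags the port-less case, and classifies an ACE by whether it will populate ports according to the rule given above (the protocol must be tcp or udp and the ACE must match on a port). The log lines are constructed in the format shown in the question, and treating every port operator (eq, neq, gt, lt, range) as sufficient is an assumption made here; the thread itself only demonstrates eq.

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGP lines and predict whether an ACE logs ports.

Added example for this thread. Log lines are constructed, not captured from a
device; the ACE rule extends the thread's 'eq xxx' observation to all port
operators, which is an assumption.
"""
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample log lines in the format shown in the question.
SAMPLE_LOGS: List[str] = [
    # Matched by 'permit ip any any log': both ports reported as (0).
    "*Apr 6 14:23:01.455 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp "
    "10.0.0.10(0) -> 10.0.0.1(0), 5 packets",
    # Matched by 'permit tcp any any eq www log': real ports populated.
    "*Apr 6 14:25:10.101 JST: %SEC-6-IPACCESSLOGP: list 100 permitted tcp "
    "10.0.0.10(51234) -> 10.0.0.1(80), 1 packet",
    # Unrelated syslog line; the parser must skip it.
    "*Apr 6 14:26:00.000 JST: %SYS-5-CONFIG_I: Configured from console by console",
]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


class AclLogEntry(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int
    ports_inspected: bool  # False when IOS printed (0) because the ACE ignored ports


def parse_acl_log(line: str) -> Optional[AclLogEntry]:
    """Return a structured entry for an IPACCESSLOGP line, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # Per the thread: (0) -> (0) means the ACE did not examine ports, not that
    # the traffic actually used port 0. Keep the raw values but flag them.
    return AclLogEntry(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=sport, dst=m["dst"], dport=dport,
        count=int(m["count"]),
        ports_inspected=not (sport == 0 and dport == 0),
    )


def portless_entries(lines: Iterable[str]) -> List[AclLogEntry]:
    """ACL log entries whose ports were not inspected (candidates for ACE tuning)."""
    parsed = (parse_acl_log(line) for line in lines)
    return [e for e in parsed if e is not None and not e.ports_inspected]


# Assumption: any port operator on source or destination makes IOS fill in ports.
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}


def ace_inspects_ports(ace: str) -> bool:
    """True if a numbered extended-ACL ACE will show real ports in its log entry.

    Rule from the thread: 'permit ip any any log' and even 'permit tcp any any log'
    print (0); the ACE must be tcp/udp and match on a port such as 'eq www'.
    """
    tokens = ace.split()
    for keyword in ("permit", "deny"):
        if keyword in tokens:
            idx = tokens.index(keyword)
            break
    else:
        raise ValueError(f"not a permit/deny ACE: {ace!r}")
    if idx + 1 >= len(tokens):
        raise ValueError(f"ACE has no protocol: {ace!r}")
    proto = tokens[idx + 1]
    if proto not in ("tcp", "udp"):
        return False
    return any(t in PORT_OPERATORS for t in tokens[idx + 2:])


if __name__ == "__main__":
    for entry in (parse_acl_log(line) for line in SAMPLE_LOGS):
        print(entry)
    for ace in (
        "access-list 100 permit ip any any log",
        "access-list 100 permit tcp any any log",
        "access-list 100 permit tcp any any eq www log",
    ):
        print(f"{ace!r} logs ports: {ace_inspects_ports(ace)}")
```

Run as a script it prints the parsed records and the classification of the three ACEs discussed above; in a pipeline, `portless_entries` gives the list of hits where the ACL should be given a port-specific ACE before the catch-all if port information is wanted in the logs.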
