When I was testing the inspection of router-generated traffic, I wanted to block and log all incoming traffic (apart from inspect-generated conduits, obviously) with a simple access-list:
access-list 102 deny ip any any log

Unfortunately, the port numbers in the logging printout were always zero:

%SEC-6-IPACCESSLOGP: list 102 denied udp 10.0.0.1(0) -> 192.168.1.3(0), 1 packet

The reason for this behavior is very simple: unless a line in the IP ACL matches on the layer-4 port numbers, the router never inspects them, so the log action has no port numbers to put into the syslog printout.
To fix the printout, you have to force the router to inspect the layer-4 port numbers. If you still want to block-and-log all traffic, the minimum access-list achieving this goal is the following:
access-list 102 deny udp any gt 0 any gt 0 log
access-list 102 deny tcp any gt 0 any gt 0 log
access-list 102 deny ip any any
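Two checks follow from this: a configuration lint that flags ACL lines carrying the log keyword without any port qualifier (the case that produces the zero-port printouts), and a parser for the %SEC-6-IPACCESSLOGP messages that reports which ACLs are logging with both ports at zero. The code below is an added example, not part of the original post or of IOS; both the ACL lines and the syslog lines in it are constructed samples modelled on the ones shown above, and the treatment of "both ports zero" as the signature of an uninspected layer-4 header is an assumption made for the check.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample ACL configuration (not from any real device). Lines
# for list 102 mirror the post; list 103 is an extra constructed case
# with one port-qualified line and one unqualified logging line.
SAMPLE_ACL = """\
access-list 102 deny ip any any log
access-list 102 deny udp any gt 0 any gt 0 log
access-list 102 deny tcp any gt 0 any gt 0 log
access-list 102 deny ip any any
access-list 103 permit tcp any any eq 22 log
access-list 103 deny tcp any any log
"""

# Constructed sample syslog lines in the %SEC-6-IPACCESSLOGP format.
SAMPLE_SYSLOG = """\
%SEC-6-IPACCESSLOGP: list 102 denied udp 10.0.0.1(0) -> 192.168.1.3(0), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.1(40123) -> 192.168.1.3(22), 3 packets
%SEC-6-IPACCESSLOGP: list 103 denied tcp 10.0.0.7(0) -> 192.168.1.3(0), 1 packet
"""

# Port operators that make the router look at the layer-4 header.
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}
LOG_KEYWORDS = {"log", "log-input"}

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def acl_log_lines_without_ports(config: str) -> List[str]:
    """Return ACL lines that log but give the router no reason to inspect
    layer-4 ports: protocol 'ip', or tcp/udp without a port operator on
    either the source or the destination."""
    flagged = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m:
            continue
        proto, tokens = m.group(3), m.group(4).split()
        if not LOG_KEYWORDS & set(tokens):
            continue  # no log action, port display is irrelevant
        if proto in ("tcp", "udp") and PORT_OPERATORS & set(tokens):
            continue  # ports are matched, so they will appear in the log
        flagged.append(line)
    return flagged


LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\), (\d+) packets?"
)


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int

    @property
    def ports_unknown(self) -> bool:
        # Assumption: both ports reported as 0 means the ACL line that matched
        # did not inspect the layer-4 header, as described in the post.
        return self.sport == 0 and self.dport == 0


def parse_acl_log(text: str) -> List[AclLogEntry]:
    """Parse %SEC-6-IPACCESSLOGP lines into structured entries."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append(AclLogEntry(m[1], m[2], m[3], m[4], int(m[5]),
                                       m[6], int(m[7]), int(m[8])))
    return entries


def acls_with_zero_port_logs(text: str) -> List[str]:
    """ACL numbers whose log entries carry no usable port information."""
    return sorted({e.acl for e in parse_acl_log(text) if e.ports_unknown})


if __name__ == "__main__":
    for line in acl_log_lines_without_ports(SAMPLE_ACL):
        print("logs without port inspection:", line)
    print("ACLs emitting zero-port logs:", acls_with_zero_port_logs(SAMPLE_SYSLOG))
```

Running the config check against the sample flags the bare deny ip any any log line and the unqualified tcp line in list 103, while the gt 0 lines pass; the syslog check reports both lists because each has at least one entry with (0) on both sides.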

cool stuff!!!! I have added you to my blog feed.
http://hackathology.blogspot.com/
Actually, by default standard ACLs don't show port numbers but extended ACLs with log do....
@Anonymous#2: Actually, that's pretty much exactly what I've said :) The standard ACL cannot show port numbers because they are not examined by the standard ACL ... BUT (and this is a HUGE BUT :) the extended ACL shows port numbers in log printouts IF AND ONLY IF the ACL uses the port numbers in PERMIT/DENY statements (unless there is a weird interaction with some other packet forwarding function in late IOS releases :))
In IOS 15.0 it is enough to add at least one rule with an eq statement to log port numbers.