Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > How to deny on port 0???

How to deny on port 0???

Henrik
      02-10-2004
Hello,

maybe someone has a hint how to deny/block the following:
(Can't find any hint on the Cisco website)

Syslog entry:
%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
217.203.50.14(0), 131 packets.

I HAVE NOT defined any "permit" for traffic destined for port 0, so
why do I get this entry????

Regards

Henrik
Walter Roberson
      02-10-2004
In article <(E-Mail Removed) >,
Henrik <(E-Mail Removed)> wrote:
:maybe someone has a hint how to deny/block the following:
:(Can't find any hint on the Cisco website)

:Syslog entry:
:%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
:217.203.50.14(0), 131 packets.

:I HAVE NOT defined any "permit" for traffic destined for port 0, so why
:i get this entry????

It's a trick.

IOS does not transfer the port numbers from the packet until it encounters
an ACL statement that tests a port number. If you have a 'permit log'
statement that is matched before any port number has been tested,
then the port gets logged as 0.

If logging the port number is more important than raw performance in your
situation, then you can start the ACL with something like

access-list 199 deny tcp any any eq 0 log

As well as catching the quite uncommon [but not unheard of] case
where 0 is the destination port, because this tests the port, all
ACL entries underneath this one will know the port number for logging
purposes.
--
Take care in opening this message: My grasp on reality may have shaken
loose during transmission!
Henrik Kern
      02-10-2004
Walter,
thanks for the explanation.
My ACL starts with "permit gre any any log".
That's the reason why I get this entry
when building a GRE tunnel for PPTP.

Henrik


Walter Roberson wrote:
> In article <(E-Mail Removed) >,
> Henrik <(E-Mail Removed)> wrote:
> :maybe someone has a hint how to deny/block the following:
> :(Can't find any hint on the Cisco website)
>
> :Syslog entry:
> :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
> :217.203.50.14(0), 131 packets.
>
> :I HAVE NOT defined any "permit" for traffic destined for port 0, so why
> :i get this entry????
>
> It's a trick
>
> IOS does not transfer the port numbers from the packet until it encounters
> an ACL statement that tests a port number. If you have a 'permit log'
> statement that is matched before any port number has been tested,
> then the port gets logged as 0.
>
> If logging the port number is more important than raw performance in your
> situation, then you can start the ACL with something like
>
> access-list 199 deny tcp any any eq 0 log
>
> As well as catching the quite uncommon [but not unheard of] case
> where 0 is the destination port, because this tests the port, all
> ACL entries underneath this one will know the port number for logging
> purposes.


Walter Roberson
      02-10-2004
In article <c0bfav$15dgdb$(E-Mail Removed)-berlin.de>,
Henrik Kern <(E-Mail Removed)> top-posted:

|> In article <(E-Mail Removed) >,
|> Henrik <(E-Mail Removed)> wrote:

|> :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
|> :217.203.50.14(0), 131 packets.

|My acl starts with "permit gre any any log".
|Thats the reason why i get this entry,
|when building a gre-tunnel for PPTP.

No, the syslog entry you show is for TCP, not for GRE. GRE
would log as either... permitted gre or as... permitted 47

In your current configuration, there must be another permit log
statement before the first time you test a port number.
--
Live it up, rip it up, why so lazy?
Give it out, dish it out, let's go crazy, yeah!
-- Supertramp (The USENET Song)
Henrik
      02-14-2004
Walter,

I still haven't any satisfying reason why I get these log messages for
port 0.


:%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
217.203.50.14(0), 131 packets



My complete acl(s):
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 199 permit gre any any log
access-list 199 permit tcp any any eq www syn log
access-list 199 permit tcp any any eq 81 syn
access-list 199 permit tcp any any eq 443 syn log
access-list 199 permit tcp any any eq 1723 syn log
access-list 199 permit tcp any any eq 8888 syn log
access-list 199 permit tcp any any established
access-list 199 permit udp any any eq 81
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
----- snip
!
------snip
access-list 199 deny ip any any
dialer-list 1 protocol ip permit

There is no other "permit .... log" (not testing for a port) statement
before testing starts with port 47 (GRE).

It might be that I run this 2514 with an uncommon config (as PPPoE
client on e1), so maybe you have time to look at the whole config:

-----------------------------------------------------------

vpdn enable
!
vpdn-group PPPoE
request-dialin
protocol pppoe
!
vpdn-group PPTP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
interface Ethernet0
description LAN-Interface
ip address 192.168.100.77 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
no mop enabled
!
interface Ethernet1
description OUTSIDE_WORLD
no ip address
logging event subif-link-status
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
no mop enabled
!
interface Virtual-Template1
ip address 192.168.1.1 255.255.255.0
peer default ip address pool PPTPUser
no keepalive
ppp authentication pap chap ms-chap
!
interface Serial0
no ip address
shutdown
no fair-queue
no cdp enable
!
interface Serial1
no ip address
shutdown
no cdp enable
!
interface Dialer1
bandwidth 10000
ip address negotiated
ip access-group 199 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxx password 7 xxxxxxxxx
!
ip local pool PPTPUser 192.168.1.2 192.168.1.254
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.88 8888 interface Dialer1 8888
ip nat inside source static tcp 192.168.100.88 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.88 80 interface Dialer1 80
ip nat inside source static udp 192.168.100.111 81 interface Dialer1 81
ip nat inside source static tcp 192.168.100.111 81 interface Dialer1 81
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
no ip http server
!
!
logging trap debugging
logging 192.168.100.111
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 199 permit gre any any log
access-list 199 permit tcp any any eq www syn log
access-list 199 permit tcp any any eq 81 syn
access-list 199 permit tcp any any eq 443 syn log
access-list 199 permit tcp any any eq 1723 syn log
access-list 199 permit tcp any any eq 8888 syn log
access-list 199 permit tcp any any established
access-list 199 permit udp any any eq 81
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 deny tcp any any log fragments
access-list 199 deny tcp 10.0.0.0 0.255.255.255 any log
access-list 199 deny tcp 172.16.0.0 0.15.255.255 any log
access-list 199 deny tcp 192.168.0.0 0.0.0.255 any log
access-list 199 deny udp 10.0.0.0 0.255.255.255 any log
access-list 199 deny udp 172.16.0.0 0.15.255.255 any log
access-list 199 deny udp 192.168.0.0 0.0.0.255 any log
access-list 199 deny icmp any any echo log
access-list 199 deny udp any any eq 135
access-list 199 deny udp any any eq netbios-ns
access-list 199 deny udp any any eq netbios-ss
access-list 199 deny udp any any eq isakmp
access-list 199 deny tcp any any eq telnet log
access-list 199 deny tcp any any eq smtp log
access-list 199 deny tcp any any eq nntp
access-list 199 deny tcp any any eq 135 log
access-list 199 deny tcp any any eq 137
access-list 199 deny tcp any any eq 139 log
access-list 199 deny tcp any any eq 443
access-list 199 deny tcp any any eq 445
access-list 199 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
radius-server host 192.168.100.111 auth-port 1645 acct-port 1646
radius-server key 7 111A1C0605171F1C053938
radius-server authorization permit missing Service-Type
banner login OpenBSD 3.4, UNAUTHORIZED ACCESS TO THIS NETWORKSERVER IS PROHIBITED AND WILL BE LOGGED!!!
!
line con 0
exec-timeout 600 0
password 7 XXXXX
login authentication m2reload
history size 50
line aux 0
no exec
line vty 0 4
exec-timeout 600 0
timeout login response 10
password 7 XXXXXXX
login authentication m2reload
history size 50
!
scheduler interval 500
ntp clock-period 17179998
ntp server 129.132.2.21
ntp server 131.188.3.220
end

----------------------------------------------------------

Thanks

Henrik

(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<c0bi2o$2i2$(E-Mail Removed)>...
> In article <c0bfav$15dgdb$(E-Mail Removed)-berlin.de>,
> Henrik Kern <(E-Mail Removed)> top-posted:
>
> |> In article <(E-Mail Removed) >,
> |> Henrik <(E-Mail Removed)> wrote:
>
> |> :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
> |> :217.203.50.14(0), 131 packets.
>
> |My acl starts with "permit gre any any log".
> |Thats the reason why i get this entry,
> |when building a gre-tunnel for PPTP.
>
> No, the syslog entry you show is for TCP, not for GRE. GRE
> would log as either... permitted gre or as... permitted 47
>
> In your current configuration, there must be another permit log
> statement before the first time you test a port number.

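As an added example (not code from the thread or from Cisco), the Python below does two things a practitioner would want here: it parses %SEC-6-IPACCESSLOGP lines like Henrik's and flags the ones logged with port 0, and it runs the check Walter describes over an ACL, listing every logging ACE that a packet of the logged protocol could match before the first ACE that compares a port. Assumptions: the IPACCESSLOGNP wording used for the GRE sample line is from memory of IOS output; an ACE is treated as port-testing when it contains eq/gt/lt/neq/range, and as reachable for a protocol only when its own protocol is that protocol or ip (Walter does not say whether a port test on an ACE of another protocol counts, so the check takes the conservative reading); the sample log lines other than Henrik's, and the list-100 ACL, are constructed. Run over the ACL Henrik posted, the check returns nothing for tcp, which is Walter's point that those lines alone do not explain the entry.

```python
"""Added example: flag port-0 IOS ACL log entries and lint an ACL for
'permit ... log' ACEs reached before the first port comparison."""
import re

# Constructed sample log. Line 1 is the entry from the thread (joined onto one
# line, as syslog delivers it); the rest are constructed. The IPACCESSLOGNP
# form for non-port protocols (e.g. GRE, protocol 47) is an assumption.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) -> 217.203.50.14(0), 131 packets.
%SEC-6-IPACCESSLOGP: list 199 permitted tcp 203.0.113.9(51234) -> 217.203.50.14(443), 1 packet
%SEC-6-IPACCESSLOGNP: list 199 permitted 47 203.0.113.9 -> 217.203.50.14, 3 packets
%SEC-6-IPACCESSLOGP: list 199 denied tcp 198.51.100.7(4444) -> 217.203.50.14(23), 1 packet
"""

PORT_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)
NOPORT_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<packets>\d+) packets?"
)


def parse_log(text):
    """Return one dict per recognised ACL log line; ports are None for the NP form."""
    entries = []
    for line in text.splitlines():
        m = PORT_LOG_RE.search(line) or NOPORT_LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["packets"] = int(e["packets"])
        e["sport"] = int(e["sport"]) if "sport" in e else None
        e["dport"] = int(e["dport"]) if "dport" in e else None
        entries.append(e)
    return entries


def port_zero_entries(entries):
    """Entries logged as (0) -> (0): the symptom discussed in the thread."""
    return [e for e in entries if e["sport"] == 0 and e["dport"] == 0]


PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


def parse_acl(text, number):
    """Parse 'access-list <number> <action> <proto> ...' lines into ACE dicts."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[1] != number:
            continue
        rest = toks[4:]
        aces.append({
            "line": line.strip(),
            "action": toks[2],
            "proto": toks[3],
            "tests_port": any(t in PORT_OPS for t in rest),
            "log": "log" in rest or "log-input" in rest,
        })
    return aces


def unlogged_port_candidates(aces, proto):
    """Logging ACEs a packet of `proto` could match before the first ACE that
    compares a port for that protocol (assumption: only ACEs whose protocol
    is `proto` or ip are considered reachable for such a packet)."""
    hits = []
    for ace in aces:
        applies = ace["proto"] in ("ip", proto)
        if applies and ace["tests_port"]:
            break
        if applies and ace["log"]:
            hits.append(ace["line"])
    return hits


# The relevant part of the ACL Henrik posted.
THREAD_ACL = """\
access-list 199 permit gre any any log
access-list 199 permit tcp any any eq www syn log
access-list 199 permit tcp any any eq 81 syn
access-list 199 permit tcp any any eq 443 syn log
access-list 199 permit tcp any any eq 1723 syn log
access-list 199 permit tcp any any eq 8888 syn log
access-list 199 permit tcp any any established
access-list 199 permit udp any any eq 81
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 deny ip any any
"""

# Constructed ACL that does exhibit the condition Walter describes: an
# ip-level 'permit ... log' sits before the first port comparison.
BAD_ACL = """\
access-list 100 permit ip any host 192.0.2.10 log
access-list 100 permit tcp any any eq www log
access-list 100 deny ip any any
"""

if __name__ == "__main__":
    for e in port_zero_entries(parse_log(SAMPLE_LOG)):
        print("port-0 entry:", e["list"], e["action"], e["proto"], e["src"], "->", e["dst"])
    print("thread ACL, tcp:", unlogged_port_candidates(parse_acl(THREAD_ACL, "199"), "tcp"))
    print("list 100, tcp:", unlogged_port_candidates(parse_acl(BAD_ACL, "100"), "tcp"))
```

Feed parse_log the raw syslog file from the logging host (192.168.100.111 in Henrik's config) and port_zero_entries gives the lines to chase; unlogged_port_candidates over the running config shows whether Walter's explanation can account for them.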