How to deny on port 0???

Discussion in 'Cisco' started by Henrik, Feb 10, 2004.

  1. Henrik

    Henrik Guest

    Hello,

    Maybe someone has a hint how to deny/block the following:
    ( Can't find any hint at the Cisco website)

    Syslog entry:
    %SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
    217.203.50.14(0), 131 packets.

    I HAVE NOT defined any "permit" for traffic destined for port 0, so
    why do I get this entry????

    Regards

    Henrik
     
    Henrik, Feb 10, 2004
    #1

  2. In article <>,
    Henrik <> wrote:
    :maybe someone have i hint how to deny/block the follwing:
    :( Can't find any hint at the cisco website)

    :Syslog entry:
    :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
    :217.203.50.14(0), 131 packets.

    :I HAVE NOT defined any "permit" for traffic destined for port 0, so why
    :i get this entry????

    It's a trick ;-)

    IOS does not transfer the port numbers from the packet until it encounters
    an ACL statement that tests a port number. If you have a 'permit log'
    statement that is matched before any port number has been tested,
    then the port gets logged as 0.

    If logging the port number is more important than raw performance in your
    situation, then you can start the ACL with something like

    access-list 199 deny tcp any any eq 0 log

    As well as catching the quite uncommon [but not unheard of] case
    where 0 is the destination port, because this tests the port, all
    ACL entries underneath this one will know the port number for logging
    purposes.
    --
    Take care in opening this message: My grasp on reality may have shaken
    loose during transmission!
     
    Walter Roberson, Feb 10, 2004
    #2
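    A toy model of the mechanism Walter describes, as an added example that is not from the thread: only `any any` sources/destinations, the `eq` port test and the `syn`/`established` flags are modelled, and the ACL lines and packets fed to it are constructed for the demonstration.

```python
"""Toy model of the logging rule Walter describes: IOS copies port numbers
from the packet only once an ACE tests a port; earlier logging ACEs see 0."""
from dataclasses import dataclass, field

PORT_NAMES = {"www": 80}   # port keyword used in the thread's ACL

@dataclass
class Packet:              # constructed sample packet
    proto: str             # "tcp", "udp" or "gre"
    src: str
    sport: int
    dst: str
    dport: int
    flags: set = field(default_factory=set)   # {"syn"} or {"ack"} for tcp

def parse_ace(line):
    """access-list N {permit|deny} proto any any [eq port] [syn|established] [log]"""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "port": None,
           "log": "log" in t[6:], "flags": set(t[6:]) & {"syn", "established"}}
    if "eq" in t:          # the only port test modelled
        name = t[t.index("eq") + 1]
        ace["port"] = int(PORT_NAMES.get(name, name))
    return ace

def matches(ace, pkt):
    if ace["proto"] != pkt.proto:
        return False
    if ace["port"] is not None and ace["port"] != pkt.dport:
        return False
    if "syn" in ace["flags"] and "syn" not in pkt.flags:
        return False
    return "established" not in ace["flags"] or "ack" in pkt.flags

def log_line(acl, pkt, number=199):
    """Return the %SEC-6-IPACCESSLOGP text the matching ACE would emit, or None."""
    ports_loaded = False   # ports stay unknown until an ACE tests one
    for ace in map(parse_ace, acl):
        if ace["port"] is not None:
            ports_loaded = True   # this ACE tests a port, so IOS copies them
        if not matches(ace, pkt):
            continue
        if not ace["log"]:
            return None
        verb = "permitted" if ace["action"] == "permit" else "denied"
        if pkt.proto not in ("tcp", "udp"):
            return f"list {number} {verb} {pkt.proto} {pkt.src} -> {pkt.dst}"
        sp, dp = (pkt.sport, pkt.dport) if ports_loaded else (0, 0)
        return f"list {number} {verb} {pkt.proto} {pkt.src}({sp}) -> {pkt.dst}({dp})"
    return None            # implicit deny at the end logs nothing
```

    Feeding it a logging `established` entry placed before any port test reproduces the `(0) -> (0)` message from the original post, and prepending `deny tcp any any eq 0 log` makes the same entry report the real ports.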

  3. Henrik

    Henrik Kern Guest

    Walter,
    thanks for the explanation.
    My ACL starts with "permit gre any any log".
    That's the reason why I get this entry,
    when building a GRE tunnel for PPTP.

    Henrik


    Walter Roberson wrote:
    > In article <>,
    > Henrik <> wrote:
    > :maybe someone have i hint how to deny/block the follwing:
    > :( Can't find any hint at the cisco website)
    >
    > :Syslog entry:
    > :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
    > :217.203.50.14(0), 131 packets.
    >
    > :I HAVE NOT defined any "permit" for traffic destined for port 0, so why
    > :i get this entry????
    >
    > It's a trick ;-)
    >
    > IOS does not transfer the port numbers from the packet until it encounters
    > an ACL statement that tests a port number. If you have a 'permit log'
    > statement that is matched before any port number has been tested,
    > then the port gets logged as 0.
    >
    > If logging the port number is more important than raw performance in your
    > situation, then you can start the ACL with something like
    >
    > access-list 199 deny tcp any any eq 0 log
    >
    > As well as catching the quite uncommon [but not unheard of] case
    > where 0 is the destination port, because this tests the port, all
    > ACL entries underneath this one will know the port number for logging
    > purposes.
     
    Henrik Kern, Feb 10, 2004
    #3
  4. In article <c0bfav$15dgdb$-berlin.de>,
    Henrik Kern <> top-posted:

    |> In article <>,
    |> Henrik <> wrote:

    |> :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
    |> :217.203.50.14(0), 131 packets.

    |My acl starts with "permit gre any any log".
    |Thats the reason why i get this entry,
    |when building a gre-tunnel for PPTP.

    No, the syslog entry you show is for TCP, not for GRE. GRE
    would log as either... permitted gre or as... permitted 47

    In your current configuration, there must be another permit log
    statement before the first time you test a port number.
    --
    Live it up, rip it up, why so lazy?
    Give it out, dish it out, let's go crazy, yeah!
    -- Supertramp (The USENET Song)
     
    Walter Roberson, Feb 10, 2004
    #4
  5. Henrik

    Henrik Guest

    Walter,

    I still haven't found any satisfying reason why I get these log messages for
    port 0.


    :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
    217.203.50.14(0), 131 packets



    My complete ACL(s):
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 199 permit gre any any log
    access-list 199 permit tcp any any eq www syn log
    access-list 199 permit tcp any any eq 81 syn
    access-list 199 permit tcp any any eq 443 syn log
    access-list 199 permit tcp any any eq 1723 syn log
    access-list 199 permit tcp any any eq 8888 syn log
    access-list 199 permit tcp any any established
    access-list 199 permit udp any any eq 81
    access-list 199 permit udp any any eq ntp
    access-list 199 permit udp any any gt 1023
    ----- snip
    !
    ------snip
    access-list 199 deny ip any any
    dialer-list 1 protocol ip permit

    There is no other "permit .... log" (not testing for a port) statement
    before testing starts with port 47 (GRE).

    It might be that I run this 2514 with an uncommon config (as PPPoE
    client on e1),
    so maybe you have time to look at the whole config:

    -----------------------------------------------------------

    vpdn enable
    !
    vpdn-group PPPoE
    request-dialin
    protocol pppoe
    !
    vpdn-group PPTP
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    interface Ethernet0
    description LAN-Interface
    ip address 192.168.100.77 255.255.255.0
    ip nat inside
    no ip mroute-cache
    no cdp enable
    no mop enabled
    !
    interface Ethernet1
    description OUTSIDE_WORLD
    no ip address
    logging event subif-link-status
    pppoe enable
    pppoe-client dial-pool-number 1
    no cdp enable
    no mop enabled
    !
    interface Virtual-Template1
    ip address 192.168.1.1 255.255.255.0
    peer default ip address pool PPTPUser
    no keepalive
    ppp authentication pap chap ms-chap
    !
    interface Serial0
    no ip address
    shutdown
    no fair-queue
    no cdp enable
    !
    interface Serial1
    no ip address
    shutdown
    no cdp enable
    !
    interface Dialer1
    bandwidth 10000
    ip address negotiated
    ip access-group 199 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    ip tcp adjust-mss 1452
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username xxxxxx password 7 xxxxxxxxx
    !
    ip local pool PPTPUser 192.168.1.2 192.168.1.254
    ip nat inside source list 1 interface Dialer1 overload
    ip nat inside source static tcp 192.168.100.88 8888 interface Dialer1 8888
    ip nat inside source static tcp 192.168.100.88 443 interface Dialer1 443
    ip nat inside source static tcp 192.168.100.88 80 interface Dialer1 80
    ip nat inside source static udp 192.168.100.111 81 interface Dialer1 81
    ip nat inside source static tcp 192.168.100.111 81 interface Dialer1 81
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    no ip http server
    !
    !
    logging trap debugging
    logging 192.168.100.111
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 199 permit gre any any log
    access-list 199 permit tcp any any eq www syn log
    access-list 199 permit tcp any any eq 81 syn
    access-list 199 permit tcp any any eq 443 syn log
    access-list 199 permit tcp any any eq 1723 syn log
    access-list 199 permit tcp any any eq 8888 syn log
    access-list 199 permit tcp any any established
    access-list 199 permit udp any any eq 81
    access-list 199 permit udp any any eq ntp
    access-list 199 permit udp any any gt 1023
    access-list 199 deny tcp any any log fragments
    access-list 199 deny tcp 10.0.0.0 0.255.255.255 any log
    access-list 199 deny tcp 172.16.0.0 0.15.255.255 any log
    access-list 199 deny tcp 192.168.0.0 0.0.0.255 any log
    access-list 199 deny udp 10.0.0.0 0.255.255.255 any log
    access-list 199 deny udp 172.16.0.0 0.15.255.255 any log
    access-list 199 deny udp 192.168.0.0 0.0.0.255 any log
    access-list 199 deny icmp any any echo log
    access-list 199 deny udp any any eq 135
    access-list 199 deny udp any any eq netbios-ns
    access-list 199 deny udp any any eq netbios-ss
    access-list 199 deny udp any any eq isakmp
    access-list 199 deny tcp any any eq telnet log
    access-list 199 deny tcp any any eq smtp log
    access-list 199 deny tcp any any eq nntp
    access-list 199 deny tcp any any eq 135 log
    access-list 199 deny tcp any any eq 137
    access-list 199 deny tcp any any eq 139 log
    access-list 199 deny tcp any any eq 443
    access-list 199 deny tcp any any eq 445
    access-list 199 deny ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server host 192.168.100.111 auth-port 1645 acct-port 1646
    radius-server key 7 111A1C0605171F1C053938
    radius-server authorization permit missing Service-Type
    banner login OpenBSD 3.4, UNAUTHORIZED ACCESS TO THIS NETWORKSERVER
    IS PROHIBITED AND WILL BE LOGGED!!!
    !
    line con 0
    exec-timeout 600 0
    password 7 XXXXX
    login authentication m2reload
    history size 50
    line aux 0
    no exec
    line vty 0 4
    exec-timeout 600 0
    timeout login response 10
    password 7 XXXXXXX
    login authentication m2reload
    history size 50
    !
    scheduler interval 500
    ntp clock-period 17179998
    ntp server 129.132.2.21
    ntp server 131.188.3.220
    end

    ----------------------------------------------------------

    Thanks

    Henrik

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<c0bi2o$2i2$>...
    > In article <c0bfav$15dgdb$-berlin.de>,
    > Henrik Kern <> top-posted:
    >
    > |> In article <>,
    > |> Henrik <> wrote:
    >
    > |> :%SEC-6-IPACCESSLOGP: list 199 permitted tcp 220.184.132.18(0) ->
    > |> :217.203.50.14(0), 131 packets.
    >
    > |My acl starts with "permit gre any any log".
    > |Thats the reason why i get this entry,
    > |when building a gre-tunnel for PPTP.
    >
    > No, the syslog entry you show is for TCP, not for GRE. GRE
    > would log as either... permitted gre or as... permitted 47
    >
    > In your current configuration, there must be another permit log
    > statement before the first time you test a port number.
     
    Henrik, Feb 14, 2004
    #5