From: Bob Simon on 22 Apr 2008 16:31

2600 with C2600-IK9O3S-M, Version 12.3(26)

Access-list 102 is applied to the outside interface incoming. When I type "show access-list 102" I get varying output.

I always get the numbered ACEs from the config. For example:

    10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
    20 permit tcp any host 192.168.0.20 eq www (41 matches)

Most of the time there are a varying number of statements BEFORE the first numbered ACE in the output. These statements are NOT in the config. For example:

    permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
    permit icmp any host 192.168.0.30 unreachable (5342 matches)
    permit icmp any host 192.168.0.30 timestamp-reply
    permit icmp any host 192.168.0.30 echo-reply (5304 matches)

Has anyone seen this behavior before? Why are these statements present in the "show access-list" command output?
From: News Reader on 22 Apr 2008 16:44

Bob Simon wrote:
> 2600 with C2600-IK9O3S-M, Version 12.3(26)
>
> Access-list 102 is applied to the outside interface incoming. When I
> type "show access-list 102" I get varying output.
>
> I always get the numbered ACEs from the config. For example:
> 10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
> 20 permit tcp any host 192.168.0.20 eq www (41 matches)
>
> Most of the time there are a varying number of statements BEFORE the
> first numbered ACE in the output. These statements are NOT in the
> config. For example:
> permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
> permit icmp any host 192.168.0.30 unreachable (5342 matches)
> permit icmp any host 192.168.0.30 timestamp-reply
> permit icmp any host 192.168.0.30 echo-reply (5304 matches)
>
> Has anyone seen this behavior before? Why are these statements
> present in the "show access-list" command output?

You are probably using ICMP inspection on one of the interfaces (e.g.: inbound on the LAN interface). Inspection creates dynamic ACEs in the return path so that you don't need to specifically configure static ACEs to accommodate return traffic.

These entries will time out according to the inspection policy configured for the specific protocol (e.g.: ICMP).

Authentication proxy (when implemented) also creates dynamic entries that are placed above those configured in your interface ACLs. Auth-proxy ACEs are typically downloaded from a RADIUS or TACACS+ server.

Best Regards,
News Reader
From: News Reader on 22 Apr 2008 16:50

News Reader wrote:
> Bob Simon wrote:
>> 2600 with C2600-IK9O3S-M, Version 12.3(26)
>>
>> Access-list 102 is applied to the outside interface incoming. When I
>> type "show access-list 102" I get varying output.
>>
>> I always get the numbered ACEs from the config. For example:
>> 10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
>> 20 permit tcp any host 192.168.0.20 eq www (41 matches)
>>
>> Most of the time there are a varying number of statements BEFORE the
>> first numbered ACE in the output. These statements are NOT in the
>> config. For example:
>> permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
>> permit icmp any host 192.168.0.30 unreachable (5342 matches)
>> permit icmp any host 192.168.0.30 timestamp-reply
>> permit icmp any host 192.168.0.30 echo-reply (5304 matches)

Given the large number of matches with each ACE, you might want to confirm whether ICMP inspection is configured and, more importantly, what timeout interval has been configured. The ICMP timeout should be short. You don't want the dynamic holes in the return path to exist for any longer than necessary.

e.g.:

    ip inspect name <inspect-name> icmp timeout 10

>>
>> Has anyone seen this behavior before? Why are these statements
>> present in the "show access-list" command output?
>
> You are probably using ICMP inspection on one of the interfaces (e.g.:
> inbound on the LAN interface). Inspection creates dynamic ACEs in the
> return path so that you don't need to specifically configure static ACEs
> to accommodate return traffic.
>
> These entries will time out according to the inspection policy configured for
> the specific protocol (e.g.: ICMP).
>
> Authentication proxy (when implemented) also creates dynamic entries
> that are placed above those configured in your interface ACLs. Auth-proxy
> ACEs are typically downloaded from a RADIUS or TACACS+ server.
>
> Best Regards,
> News Reader

--
Best Regards,
News Reader
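The replies above hinge on telling the ACEs that are in the running config (numbered) apart from the ones IOS added on its own (unnumbered, listed first) and on noticing when a dynamic permit has accumulated a large match count. The following script is an added example, not code from anyone in this thread: it parses `show access-list` text, splits the two kinds of entry, and flags dynamic permits whose match count exceeds a threshold. The sample output string is constructed from the lines the original poster quoted, with an assumed "Extended IP access list 102" header; the 1000-match threshold is an arbitrary illustrative value, and the "no sequence number means dynamic" rule is taken from the 12.3-style output shown in the post, not from a general guarantee about every IOS release.

```python
"""Separate configured (numbered) ACEs from dynamic (unnumbered) ACEs in
Cisco IOS 'show access-list' output and flag busy dynamic permits."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the entries quoted in the thread, in the order
# IOS prints them (unnumbered dynamic entries ahead of the numbered config).
# The header line is an assumption about the surrounding output.
SAMPLE_OUTPUT = """\
Extended IP access list 102
    permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
    permit icmp any host 192.168.0.30 unreachable (5342 matches)
    permit icmp any host 192.168.0.30 timestamp-reply
    permit icmp any host 192.168.0.30 echo-reply (5304 matches)
    10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
    20 permit tcp any host 192.168.0.20 eq www (41 matches)
"""

# Optional sequence number, action, the rule body, optional "(N matches)".
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?\s*$"
)


@dataclass
class Ace:
    seq: Optional[int]   # None when IOS printed no sequence number
    action: str          # "permit" or "deny"
    rule: str            # everything after the action, minus the match count
    matches: int         # 0 when no "(N matches)" suffix was printed

    @property
    def dynamic(self) -> bool:
        # Entries the router created itself (CBAC inspection, auth-proxy)
        # are printed without a sequence number; configured ACEs carry one.
        return self.seq is None


def parse_access_list(text: str) -> List[Ace]:
    """Return every ACE line in the output, in display order."""
    aces: List[Ace] = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or unrelated output
        seq = int(m.group("seq")) if m.group("seq") else None
        matches = int(m.group("matches") or 0)
        aces.append(Ace(seq, m.group("action"), m.group("rule"), matches))
    return aces


def dynamic_entries(aces: List[Ace]) -> List[Ace]:
    return [a for a in aces if a.dynamic]


def configured_entries(aces: List[Ace]) -> List[Ace]:
    return [a for a in aces if not a.dynamic]


def busy_dynamic_entries(aces: List[Ace], threshold: int = 1000) -> List[Ace]:
    """Dynamic permits that have matched more than `threshold` packets.
    A high count on a return-path hole means either heavy traffic or a
    timeout long enough that the entry never ages out; the threshold is an
    arbitrary illustrative value, not a Cisco recommendation."""
    return [a for a in dynamic_entries(aces)
            if a.action == "permit" and a.matches > threshold]


def report(text: str) -> str:
    """Human-readable summary of the split, for pasting into a reply."""
    aces = parse_access_list(text)
    lines = [f"{len(configured_entries(aces))} configured ACE(s), "
             f"{len(dynamic_entries(aces))} dynamic ACE(s) not in the config"]
    for a in busy_dynamic_entries(aces):
        lines.append(f"  busy dynamic permit: {a.rule} ({a.matches} matches)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Run it against the pasted output of `show access-list <number>`; anything reported as dynamic should be explained by an `ip inspect` rule, an auth-proxy download, or another feature that installs ACEs at run time, and should disappear after that feature's timeout once the traffic stops.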
From: Bob Simon on 22 Apr 2008 17:07

On Tue, 22 Apr 2008 16:44:23 -0400, News Reader <user(a)domain.null> wrote:
>Bob Simon wrote:
>> 2600 with C2600-IK9O3S-M, Version 12.3(26)
>>
>> Access-list 102 is applied to the outside interface incoming. When I
>> type "show access-list 102" I get varying output.
>>
>> I always get the numbered ACEs from the config. For example:
>> 10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
>> 20 permit tcp any host 192.168.0.20 eq www (41 matches)
>>
>> Most of the time there are a varying number of statements BEFORE the
>> first numbered ACE in the output. These statements are NOT in the
>> config. For example:
>> permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
>> permit icmp any host 192.168.0.30 unreachable (5342 matches)
>> permit icmp any host 192.168.0.30 timestamp-reply
>> permit icmp any host 192.168.0.30 echo-reply (5304 matches)
>>
>> Has anyone seen this behavior before? Why are these statements
>> present in the "show access-list" command output?
>
>You are probably using ICMP inspection on one of the interfaces (e.g.:
>inbound on the LAN interface). Inspection creates dynamic ACEs in the
>return path so that you don't need to specifically configure static ACEs
>to accommodate return traffic.
>
>These entries will time out according to the inspection policy configured for
>the specific protocol (e.g.: ICMP).
>
>Authentication proxy (when implemented) also creates dynamic entries
>that are placed above those configured in your interface ACLs. Auth-proxy
>ACEs are typically downloaded from a RADIUS or TACACS+ server.
>
>Best Regards,
>News Reader

Thanks! You are correct. The config includes these:

    ip inspect name FW ftp
    ip inspect name FW icmp
    ip inspect name FW smtp
    ip inspect name FW tcp
    ip inspect name FW udp

    int F0/1
     ip inspect FW out
From: News Reader on 22 Apr 2008 18:42

Bob Simon wrote:
> On Tue, 22 Apr 2008 16:44:23 -0400, News Reader <user(a)domain.null>
> wrote:
>
>> Bob Simon wrote:
>>> 2600 with C2600-IK9O3S-M, Version 12.3(26)
>>>
>>> Access-list 102 is applied to the outside interface incoming. When I
>>> type "show access-list 102" I get varying output.
>>>
>>> I always get the numbered ACEs from the config. For example:
>>> 10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
>>> 20 permit tcp any host 192.168.0.20 eq www (41 matches)
>>>
>>> Most of the time there are a varying number of statements BEFORE the
>>> first numbered ACE in the output. These statements are NOT in the
>>> config. For example:
>>> permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
>>> permit icmp any host 192.168.0.30 unreachable (5342 matches)
>>> permit icmp any host 192.168.0.30 timestamp-reply
>>> permit icmp any host 192.168.0.30 echo-reply (5304 matches)
>>>
>>> Has anyone seen this behavior before? Why are these statements
>>> present in the "show access-list" command output?
>> You are probably using ICMP inspection on one of the interfaces (e.g.:
>> inbound on the LAN interface). Inspection creates dynamic ACEs in the
>> return path so that you don't need to specifically configure static ACEs
>> to accommodate return traffic.
>>
>> These entries will time out according to the inspection policy configured for
>> the specific protocol (e.g.: ICMP).
>>
>> Authentication proxy (when implemented) also creates dynamic entries
>> that are placed above those configured in your interface ACLs. Auth-proxy
>> ACEs are typically downloaded from a RADIUS or TACACS+ server.
>>
>> Best Regards,
>> News Reader
>
> Thanks! You are correct. The config includes these:
> ip inspect name FW ftp
> ip inspect name FW icmp
> ip inspect name FW smtp
> ip inspect name FW tcp
> ip inspect name FW udp
>
> int F0/1
>  ip inspect FW out

Although I know that inspection opens holes in the return path, I am not seeing entries such as those you've described when I use the show access-list command while inspected sessions are active. This leads me to believe the ACEs you are seeing may be attributable to another feature.

Are you using authentication proxy or some other feature that downloads ACLs from an access control server?

Have you seen the ICMP ACEs time out? Are you generating enough outbound ICMP traffic to prevent them from timing out?

Best Regards,
News Reader