Security Basics mailing list archives
RE: Cisco ACL doubt
From: "Payton, Zack" <Zack.Payton () MWAA com>
Date: Wed, 13 Jul 2005 10:15:52 -0400
Log-input is useful for tracing spoofed DoS attacks back through a network, albeit a bad idea on high-speed network links. Log-input will tell you the interface on which the packets matching the criteria in your access-list entered your router. Using a perl script and a lot of timing... it is possible to automate the tracing of DoS attacks at least to the edge of your autonomous system. But good luck getting your neighboring AS to support the same capability.

Zack Payton

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Monday, July 11, 2005 6:40 PM
To: 345345 () gmail com; security-basics () securityfocus com
Subject: RE: Cisco ACL doubt

Your mystification suggests that you have written "log-input" where in fact you meant to write "log". Although I have not yet managed to imagine a need for the feature, the "log-input" feature is behaving exactly as documented by Cisco, and if that behaviour is not what you want then you should use the feature whose behaviour more closely matches your need.

David Gillett

-----Original Message-----
From: 345345 () gmail com [mailto:345345 () gmail com]
Sent: Sunday, July 03, 2005 7:09 AM
To: security-basics () securityfocus com
Subject: Cisco ACL doubt

Hello people,

I have the following ACL attached to the external serial (ISP link) of my Cisco 805 Router.

access-list 102 remark Egress Filtering ACL
access-list 102 permit ip host 100.100.20.34 any
access-list 102 permit ip host 100.100.14.102 any log-input
access-list 102 deny ip any any log-input

And I keep getting lots of log messages from the router (just like the one here!)

2005-07-02 14:13:37 Local5.Info 192.168.0.254 12112: 012109: *Mar 1 17:38:03.975 GMT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 200.227.70.210(0) (Serial0 DLCI 100) -> 100.100.20.53(0), 1 packet

As far as I can see, those messages tell that the router has blocked an incoming packet on Interface Serial 0. The Big question is: Why does the router report this incoming packet related to ACL 102 if this ACL is attached to the Serial 0 OUT???

interface Serial0
 ip access-group 102 out

Thanks in advance for any help.

Best regards,
Jasho Mendinka.

Ps.: in case one needs additional info, please contact me on my e-mail, or I can send more info if it is of common interest.
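The kind of script Zack alludes to, as an added example that is not code from any poster in this thread: it parses the %SEC-6-IPACCESSLOG syslog lines the router emits and totals denied packets per ingress interface, which is exactly the field that "log-input" adds (the "(Serial0 DLCI 100)" token in Jasho's line) and that plain "log" omits. The first sample line is the one from the original question; the remaining lines are constructed for this example and assume the other documented shapes of the same message family (an Ethernet ingress with the source MAC instead of a DLCI, a "log"-only entry with no interface token, an ICMP line with type/code after the destination). Nothing here changes the router; it only reads the log.

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOG* syslog lines and aggregate denied
packets by the ingress interface that "log-input" records.

Added example for this thread, not code from any poster.  The first sample
line is the one from the original question; the others are constructed to
exercise the other shapes the same message family takes (assumed from the
documented IOS format).
"""
import re
from collections import Counter, defaultdict

# One regex for IPACCESSLOGP (tcp/udp, ports in parentheses), IPACCESSLOGDP
# (icmp, "(type/code)" after the destination) and IPACCESSLOGNP (other
# protocols, no ports).  The optional "(iface l2-info)" group after the
# source is only present when the ACL entry uses "log-input" rather than
# "log"; l2-info is a DLCI on Frame Relay or a source MAC on Ethernet.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>[^\s)]+)(?: (?P<l2>[^)]*))?\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?"
    r", (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one ACL log line as a dict, or None if the line
    is not an IPACCESSLOG message.  'iface' is None for plain "log" entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    for k in ("sport", "dport", "icmp_type", "icmp_code"):
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec


def packets_by_ingress(lines, acl=None, action="denied"):
    """Sum packet counts per ingress interface.  Lines logged with plain
    "log" carry no ingress interface and are counted under 'unknown', which
    is the hint that the entry needs "log-input" if you want to trace."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != action:
            continue
        if acl is not None and rec["acl"] != acl:
            continue
        totals[rec["iface"] or "unknown"] += rec["count"]
    return totals


def top_sources_per_ingress(lines, n=3, action="denied"):
    """For each ingress interface, the n source addresses with the most
    denied packets: the starting point for walking a flood back one hop."""
    per_iface = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != action:
            continue
        per_iface[rec["iface"] or "unknown"][rec["src"]] += rec["count"]
    return {iface: c.most_common(n) for iface, c in per_iface.items()}


# Constructed sample: line 1 is from the original post; the rest are made up
# to show log-input on an Ethernet interface (MAC instead of DLCI), an entry
# that used plain "log" (no interface token), an ICMP line and a permit.
SAMPLE_LOG = """\
2005-07-02 14:13:37 Local5.Info 192.168.0.254 12112: 012109: *Mar 1 17:38:03.975 GMT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 200.227.70.210(0) (Serial0 DLCI 100) -> 100.100.20.53(0), 1 packet
2005-07-02 14:13:41 Local5.Info 192.168.0.254 12113: 012110: *Mar 1 17:38:07.112 GMT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 200.227.70.210(0) (Serial0 DLCI 100) -> 100.100.20.53(0), 24 packets
2005-07-02 14:13:44 Local5.Info 192.168.0.254 12114: 012111: *Mar 1 17:38:10.301 GMT: %SEC-6-IPACCESSLOGP: list 102 denied udp 192.168.0.77(1025) (Ethernet0 0000.0c12.3456) -> 100.100.20.53(53), 6 packets
2005-07-02 14:13:50 Local5.Info 192.168.0.254 12115: 012112: *Mar 1 17:38:16.900 GMT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.44.1.9(443) -> 100.100.20.53(3128), 2 packets
2005-07-02 14:13:52 Local5.Info 192.168.0.254 12116: 012113: *Mar 1 17:38:18.004 GMT: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 200.227.70.210 (Serial0 DLCI 100) -> 100.100.20.53 (8/0), 3 packets
2005-07-02 14:13:55 Local5.Info 192.168.0.254 12117: 012114: *Mar 1 17:38:21.550 GMT: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 100.100.14.102(40000) (Ethernet0 0000.0c99.8877) -> 198.51.100.10(80), 1 packet
""".splitlines()


if __name__ == "__main__":
    for iface, pkts in packets_by_ingress(SAMPLE_LOG, acl="102").items():
        print(f"{iface:10s} {pkts:6d} denied packets")
    for iface, srcs in top_sources_per_ingress(SAMPLE_LOG).items():
        print(iface, srcs)
```

Run against the sample, Serial0 accounts for 28 denied packets from a single source while the "unknown" bucket holds the 2 packets from the entry that only used "log"; that bucket is the one to watch, because those entries tell you nothing about where the traffic came in. Feed it the syslog from each router in turn and the interface with the largest count is the next hop to query, which is the hop-by-hop walk that stops at the edge of your own AS.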
Current thread:
- Cisco ACL doubt 345345 (Jul 05)
- Re: Cisco ACL doubt routerg (Jul 11)
- RE: Cisco ACL doubt David Gillett (Jul 12)
- <Possible follow-ups>
- RE: Cisco ACL doubt Jeffery Chen (Jul 06)
- Re: Cisco ACL doubt digitaltone (Jul 06)
- RE: Cisco ACL doubt Payton, Zack (Jul 13)
- Re: Cisco ACL doubt routerg (Jul 18)