Network Security Firewalls

RE: Dumb Dumb Question

Subject: RE: Dumb Dumb Question
Date: Thu, 13 Jan 2005 09:07:02 +0800
Just add the "log" keyword to the end of the deny statements,
and include an explicit deny statement at the end of the ACL
which also logs, e.g.
 
access-l 101 deny ip any any log
 
Provided the router has logging enabled (either temporarily to 
the console or vty, to the logging buffer, or to a syslog server),
the router will tell you which packets are being denied. You can
then modify the ACL appropriately.
 
Rgds
 
Cameron
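As an added illustration of the approach above (not code from either poster), the following Python script parses the %SEC-6-IPACCESSLOG* syslog lines that a "deny ... log" entry emits, totals denied traffic by protocol and destination port, and separates hits on the intentional deny lines in the quoted ACL (tcp 135, 139, 445, 3127-3198, 4899) from traffic that fell through to the final deny. The log lines, addresses and packet counts are constructed samples.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the three IOS message variants that a
# "deny ... log" entry emits (IPACCESSLOGP: tcp/udp, IPACCESSLOGDP: icmp,
# IPACCESSLOGNP: other IP protocols). Addresses and counts are made up.
SAMPLE_LOG = """\
Jan 13 08:55:01 rtr1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51234) -> 192.0.2.10(1863), 1 packet
Jan 13 08:55:01 rtr1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(51235) -> 192.0.2.10(1863), 1 packet
Jan 13 08:55:02 rtr1 14: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(7001) -> 192.0.2.10(7001), 3 packets
Jan 13 08:55:03 rtr1 15: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.4(40000) -> 192.0.2.10(135), 1 packet
Jan 13 08:55:03 rtr1 16: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.4 -> 192.0.2.10 (8/0), 1 packet
Jan 13 08:55:04 rtr1 17: %SEC-6-IPACCESSLOGNP: list 101 denied 41 198.51.100.8 -> 192.0.2.10, 2 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# The explicit deny lines in the quoted ACL (tcp 135, 139, 445, 3127-3198,
# 4899); hits on these are expected, everything else that was denied fell
# through to the final deny and may need a permit entry.
INTENDED_TCP_DENIES = {135, 139, 445, 4899} | set(range(3127, 3199))


def summarize_denied(log_text, acl=None):
    """Total denied packets keyed by (protocol, destination port).
    Port-less protocols are keyed by ICMP type/code or '-'."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "denied" or (acl and m["acl"] != acl):
            continue
        totals[(m["proto"], m["dport"] or m["icmp"] or "-")] += int(m["count"])
    return dict(totals)


def unexpected_denies(summary):
    """Denied flows not explained by the intentional deny lines."""
    return {k: v for k, v in summary.items()
            if not (k[0] == "tcp" and k[1].isdigit() and int(k[1]) in INTENDED_TCP_DENIES)}


if __name__ == "__main__":
    for flow, n in sorted(unexpected_denies(summarize_denied(SAMPLE_LOG, "101")).items()):
        print(f"{flow[0]:>5} dst {flow[1]:<6} {n} packet(s) denied")
```

Feed it the buffered or syslog output from the router and the remaining entries are the candidates for new permit lines.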
 
 
-----Original Message-----
From: Brad Davenport [mailto:BDavenport@egisticsinc.com] 
Sent: Thursday, 13 January 2005 1:14 AM
To: firewalls@securityfocus.com
Subject: Dumb Dumb Question


Ok,

I have a PIX from which I am offloading some processing to a 2600. I
need the ACLs which would allow MSN Messenger access to the LAN as well
as file sharing. However, I have hunted down all the known ports for MSN
and even with the ACL applied I get immediate logouts from the clients
when the ACL is applied.

Take a look and see if perhaps I am missing something.

Thanks,

These deny statements are just in the interest of keeping port scans
from hitting my FW.

access-list 101 deny   tcp any any eq 135
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq 445
access-list 101 deny   tcp any any range 3127 3198
access-list 101 deny   tcp any any eq 4899
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit ip host my.pub.ip. any
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit ahp any any
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq 1023
access-list 101 permit udp any any eq 1701
access-list 101 permit tcp any any eq 1701
access-list 101 permit udp any any eq 1723
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 permit udp any any eq 47
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq 92
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 990
access-list 101 permit tcp any any eq 990
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 10000
access-list 101 permit udp any any eq 62515
access-list 101 permit udp any any eq 2070
access-list 101 permit tcp any any eq 2070
access-list 101 permit udp any any eq 2797
access-list 101 permit tcp any any eq 2797
BJD

Brad Davenport, Director
Network Services
eGistics Inc.
www.egisticsinc.com
bdavenport@egisticsinc.com
972-851-3131
214-995-5629
