06-24-2015 02:05 PM - edited 03-11-2019 11:10 PM
Hi,
I have a really long access list that has the following 2 entries, in this order, contained in it:
show ip access-list blah
<output omitted>
1010 deny ip any 192.168.1.128 0.0.0.63 log (no matches)
1200 permit tcp host 192.168.1.130 gt 1023 any eq www (matches actively incrementing at the rate of 2 or 3 every few seconds)
<output omitted>
Since the host 192.168.1.130 is contained within the subnet denied in the previous statement, I am at a loss to explain why the TCP traffic to the specific host is not ALSO denied by the previous line.
Anybody got a clue as to what might cause this? What obvious thing am I missing? I thought the hit counter only incremented if traffic was matched, and it really doesn't look like the tcp/80 traffic from 192.168.1.130 should be allowed.
(The first three octets of the IP address were changed to private ones, but the mask and the last octet are the same.)
Thanks!
Sue
06-24-2015 08:14 PM
Line 1010 is deny FROM any to the subnet
Line 1200 is permit from a host in the subnet TO any
Assuming it's on a stateful firewall, the reflexive ACL will allow the return traffic that is generated by traffic being allowed by line 1200.
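To make the source-versus-destination point concrete, here is a small evaluator for the two entries quoted in the question, written as an added example (this is not code from the original post or from Cisco). It implements the IOS rules that matter here: entries are checked in sequence order, the first match wins, unmatched traffic hits the implicit deny at the end, and a wildcard mask bit of 0 means "must match" while 1 means "don't care". The `log` keyword and the match counters in the `show` output are ignored by the parser. The packets, the remote addresses 203.0.113.10 and 10.0.0.5, and the port numbers are constructed for the demonstration.

```python
"""Toy IOS-style extended ACL evaluator (added example, not from the original post)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "ssh": 22, "domain": 53}

# Packet = (protocol, src_ip, src_port, dst_ip, dst_port); ports are None for non-TCP/UDP
Packet = Tuple[str, str, Optional[int], str, Optional[int]]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: 0 bits must match the network, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def port_match(op: Optional[str], value: Optional[int], port: Optional[int]) -> bool:
    """No operator means any port; an operator on a packet without ports never matches."""
    if op is None:
        return True
    if port is None:
        return False
    return {"eq": port == value, "gt": port > value,
            "lt": port < value, "neq": port != value}[op]


@dataclass
class Ace:
    seq: int
    action: str                                   # "permit" or "deny"
    proto: str                                    # "ip", "tcp", "udp", ...
    src: Tuple[str, str]                          # (network, wildcard)
    src_port: Tuple[Optional[str], Optional[int]] # (operator, port) or (None, None)
    dst: Tuple[str, str]
    dst_port: Tuple[Optional[str], Optional[int]]
    hits: int = 0                                 # emulates the "(N matches)" counter

    def matches(self, pkt: Packet) -> bool:
        proto, sip, sport, dip, dport = pkt
        if self.proto != "ip" and self.proto != proto:
            return False
        # Source and destination are checked independently; this is the asymmetry
        # between "deny ip any <subnet>" and "permit tcp host <in subnet> any".
        if not wildcard_match(sip, *self.src) or not wildcard_match(dip, *self.dst):
            return False
        return port_match(*self.src_port, sport) and port_match(*self.dst_port, dport)


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z'; return ((network, wildcard), next index)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Tuple[Optional[str], Optional[int]], int]:
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        raw = t[i + 1]
        return (t[i], NAMED_PORTS.get(raw) or int(raw)), i + 2
    return (None, None), i


def parse_ace(line: str) -> Ace:
    """Parse one line as printed by 'show ip access-list'; trailing 'log' and '(N matches)' are ignored."""
    t = line.split("(")[0].split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, i = _parse_addr(t, 3)
    sp, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dp, i = _parse_port(t, i)
    return Ace(seq, action, proto, src, sp, dst, dp)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins and its counter increments; otherwise the implicit deny (seq None)."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action, ace.seq
    return "deny", None


# The two entries from the question (reproduced here as constructed sample input).
ACL_LINES = [
    "1010 deny ip any 192.168.1.128 0.0.0.63 log",
    "1200 permit tcp host 192.168.1.130 gt 1023 any eq www",
]


def demo():
    acl = [parse_ace(line) for line in ACL_LINES]
    results = {
        # Outbound HTTP request from the host: source is in the subnet, destination is not.
        "http_request": evaluate(acl, ("tcp", "192.168.1.130", 45001, "203.0.113.10", 80)),
        # The server's reply: destination is in the subnet, so line 1010 catches it.
        "http_reply": evaluate(acl, ("tcp", "203.0.113.10", 80, "192.168.1.130", 45001)),
        # Unrelated inbound SSH to another address in the /26.
        "inbound_ssh": evaluate(acl, ("tcp", "10.0.0.5", 50000, "192.168.1.140", 22)),
        # Same host, but a source port below 1024 fails 'gt 1023' and hits the implicit deny.
        "low_sport": evaluate(acl, ("tcp", "192.168.1.130", 80, "203.0.113.10", 80)),
    }
    return results, {ace.seq: ace.hits for ace in acl}


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:13s} -> {verdict}")
```

Running `demo()` shows the request from 192.168.1.130 to port 80 falling past line 1010 (its destination is outside 192.168.1.128/26) and incrementing line 1200, while the server's reply is dropped by line 1010 because its destination is inside the subnet. That second result is the case the answer's remark about stateful or reflexive handling addresses: without it, the return leg of the permitted session has no permit of its own in this list.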
06-25-2015 06:03 AM
Thanks Marvin, I can't believe I missed that! I'm restructuring these massive ACLs on HSRP pairs of routers and I'm just going cross-eyed looking at that. Silly question, but I appreciate the response.
Sue