access-list appears to grow and grow and grow.......

it
Level 1

Ok, here's what I set my access-list at:

deny ip host 207.134.171.15 host xx.xx.xx.xx
deny udp any eq ntp any
deny tcp any eq 1755 any
permit icmp any any echo-reply
permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
permit tcp any host xx.xxx.xxx.xx eq smtp

I then applied it to my company's internet connection with:

ip access-group 103 in

I then did a sh access-list and received the following:

Extended IP access list 103
permit tcp host 209.247.88.182 eq www host xx.xxx.xxx.xx eq 1033 (4 matches)
permit tcp host 62.161.94.166 eq www host xx.xxx.xxx.xx eq 1125 (3 matches)
permit tcp host 65.197.236.62 eq www host xx.xxx.xxx.xx eq 1328 (7 matches)
permit tcp host 165.254.12.102 eq www host xx.xxx.xxx.xx eq 1139 (6 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2076 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2069 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2068 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1955 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1184 (7 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1143 (43 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2058 (10 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 2052 (10 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1623 (10 matches)
permit tcp host 65.197.236.51 eq www host xx.xxx.xxx.xx eq 1228 (10 matches)
permit tcp host 193.201.103.91 eq www host xx.xxx.xxx.xx eq 1122 (6 matches)
permit tcp host 38.117.132.102 eq www host xx.xxx.xxx.xx eq 2077 (1 match)
deny ip host 207.134.171.15 host xx.xxx.xxx.xx
deny udp any eq ntp any
deny tcp any eq 1755 any (14 matches)
permit icmp any any echo-reply
permit icmp any xx.xxx.xxx.xx 0.0.0.7 traceroute
permit icmp any xx.xxx.xxx.xx 0.0.0.7 packet-too-big
permit tcp any host xx.xxx.xxx.xx eq smtp

Can anyone tell me why all of those extra entries input themselves at the beginning of my access-list? Also, I tried clearing out the extra entries by removing the access-list and then recreating it, but it keeps all the entries and those entries override any additional changes I make to the access-list, as they are at the top. I had to change the access-list number in order for a couple of the rules to take effect. Thanks in advance.

Joe

3 Replies

ywadhavk
Cisco Employee

What shows up if you do a 'show run'? Is there a management station that could be throwing in these on the fly / rule-based?

Thanks,

yatin

Lemme preface this by saying that I inherited this router from the previous Admin at my company. Here is the int for the fastethernet0/0.10:

interface FastEthernet0/0.10
description DSL to Internet
encapsulation isl 10
ip address 63.224.231.65 255.255.255.248
ip access-group 103 in
no ip redirects
ip nat outside
ip inspect OUT out
ip audit TEST in

I suspect that the ip inspect out out or the ip audit test in are to blame. I will remove each one and see....

Hi,

Any extra lines above the lines you have created in your ACL are created by the CBAC (the "ip inspect OUT out" line under the interface). Most likely this is how it is intended to be set up. Once you apply CBAC on the router, that is "ip inspect OUT out" on the interface, it will create the dynamic holes by appending the ACL lines on top of your existing extended ACL. This is exactly what is happening in your case. If you remove the line "ip inspect OUT out", you may experience problems with communication from inside to outside, as return traffic would be blocked from outside. So, either you have to leave the CBAC on or you need to allow the return traffic from outside to inside. Please let me know if this is clear. Thanks,

Mynul
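As an added example (not from the thread and not Cisco code), a small Python parser that takes the ACL as configured in "show run" and the "show access-list" output, and separates the CBAC-inserted dynamic entries from the static ones; that is the check that shows why removing and recreating the ACL did not clear them. The sample data is constructed from the thread above, with 192.0.2.10 standing in for the redacted inside address.

```python
"""Separate CBAC-inserted (dynamic) ACEs from the configured (static) ones.

CBAC ("ip inspect") prepends temporary permit lines for return traffic to
the inbound ACL; they show up in 'show access-list' but never in the
running config, so the running config is the reference to diff against.
"""
import re

# Constructed sample: the ACL as it appears in 'show run'.
CONFIGURED_ACL = """\
deny ip host 207.134.171.15 host 192.0.2.10
deny udp any eq ntp any
deny tcp any eq 1755 any
permit icmp any any echo-reply
permit tcp any host 192.0.2.10 eq smtp
"""

# Constructed sample: the same ACL as reported by 'show access-list'.
SHOW_ACL = """\
Extended IP access list 103
    permit tcp host 65.197.236.51 eq www host 192.0.2.10 eq 1143 (43 matches)
    permit tcp host 193.201.103.91 eq www host 192.0.2.10 eq 1122 (6 matches)
    deny ip host 207.134.171.15 host 192.0.2.10
    deny udp any eq ntp any
    deny tcp any eq 1755 any (14 matches)
    permit icmp any any echo-reply
    permit tcp any host 192.0.2.10 eq smtp
"""

# Trailing hit counter, written as "(1 match)" or "(N matches)".
MATCH_RE = re.compile(r"\s*\((\d+) match(?:es)?\)$")

def parse_show_acl(text):
    """Return a list of (rule, match_count) for each ACE in the output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Extended", "Standard")):
            continue  # skip the ACL header line
        m = MATCH_RE.search(line)
        count = int(m.group(1)) if m else 0
        entries.append((MATCH_RE.sub("", line), count))
    return entries

def classify(configured_text, show_text):
    """Split ACEs into dynamic (absent from config: CBAC-inserted) and static.
    Each entry carries its 1-based position so the ordering is visible:
    the dynamic entries always sit ahead of the configured rules."""
    configured = {l.strip() for l in configured_text.splitlines() if l.strip()}
    dynamic, static = [], []
    for pos, (rule, count) in enumerate(parse_show_acl(show_text), 1):
        (static if rule in configured else dynamic).append((pos, rule, count))
    return dynamic, static
```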