03-25-2008 07:52 AM - edited 02-20-2020 09:40 PM
Hi all,
I have a strange problem with an anti-spoof access-list which I would like to set up on a Cisco 7606 with 7600-PFC3CXL. So I made the access-lists in [1.] and applied them to interface Te1/1 like this [2.], but there are no matches in the output direction. Why? Well, I made a test with [3.], but there were no matches in the access-list and ICMP was working; then I made the change in [4.] and yes, ICMP was not working and I saw a match in the input direction, good. It looks like the output direction of the ACL is not working, so I removed line 1 in ACL [4.] and ICMP was still not working, and ACL [3.] started matching ICMP on line 1. Why? Can anybody help me? Thanks.
Karel
btw.> I tried to solve this problem with these links:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
[1.]
Extended IP access list anti_spoof_Te1/1_input
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip 194.79.52.0 0.0.3.255 any
60 deny ip 0.0.0.0 0.255.255.255 any
70 permit ip any OUR CIDR
80 permit ip any host BGP Neighbor
90 deny ip any any
Extended IP access list anti_spoof_Te1/1_output
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 deny ip any 127.0.0.0 0.255.255.255
50 deny ip any 0.0.0.0 0.255.255.255
60 deny ip any OUR CIDR
70 permit ip host BGP Neighbor any
80 permit ip OUR CIDR any
90 deny ip any any
[2.]
ip access-group anti_spoof_Te1/1_input in
ip access-group anti_spoof_Te1/1_output out
[3.]
Extended IP access list anti_spoof_Te1/1_output
1 deny icmp host from OUR CIDR host in INTERNET log-input
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 deny ip any 127.0.0.0 0.255.255.255
50 deny ip any 0.0.0.0 0.255.255.255
60 deny ip any OUR CIDR
70 permit ip host BGP Neighbor any
80 permit ip OUR CIDR any
90 deny ip any any log-input
[4.]
Extended IP access list anti_spoof_Te1/1_input
1 deny icmp host from INTERNET host from OUR CIDR
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip 194.79.52.0 0.0.3.255 any
60 deny ip 0.0.0.0 0.255.255.255 any
70 permit ip any OUR CIDR
80 permit ip any host BGP Neighbor
90 deny ip any any
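The following is an added example, not part of Karel's post or of any Cisco documentation. It re-implements the first-match evaluation of the two access-lists in [1.] in plain Python so that the intended behaviour of each ACE can be checked packet by packet, independently of the platform. The placeholders "OUR CIDR" and "BGP Neighbor" are not given in the post; the script assumes the RFC 5737 documentation values 203.0.113.0/24 and 198.51.100.1 for them, and the sample packets are constructed. The simulator only models wildcard-mask matching and first-match order; it says nothing about which counters a PFC3 increments for hardware-switched traffic, which is the part of the question the post itself leaves open. Two results are worth noting when running it: a `deny icmp` entry inserted at sequence 1, as in [4.], only catches ICMP and leaves TCP from the same source on line 70, and the BGP-neighbor entries on lines 80 (input) and 70 (output) match the neighbor as destination on input and as source on output, so a session packet whose local link address lies outside OUR CIDR falls through to the final `deny ip any any` in both directions under these assumptions.

```python
import ipaddress

# Assumed values for the placeholders in the posted ACLs (not from the thread).
OUR_CIDR = ("203.0.113.0", "0.0.0.255")      # "OUR CIDR" assumed to be 203.0.113.0/24
BGP_NEIGHBOR = ("198.51.100.1", "0.0.0.0")   # "BGP Neighbor" assumed to be 198.51.100.1
ANY = ("0.0.0.0", "255.255.255.255")         # Cisco "any" is 0.0.0.0 255.255.255.255


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def ace(seq, action, proto, src, dst):
    """One access-control entry: src/dst are (network, wildcard) tuples."""
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst}


# [1.] anti_spoof_Te1/1_input as posted, placeholders substituted.
ANTI_SPOOF_INPUT = [
    ace(10, "deny", "ip", ("10.0.0.0", "0.255.255.255"), ANY),
    ace(20, "deny", "ip", ("172.16.0.0", "0.15.255.255"), ANY),
    ace(30, "deny", "ip", ("192.168.0.0", "0.0.255.255"), ANY),
    ace(40, "deny", "ip", ("127.0.0.0", "0.255.255.255"), ANY),
    ace(50, "deny", "ip", ("194.79.52.0", "0.0.3.255"), ANY),   # reproduced as posted
    ace(60, "deny", "ip", ("0.0.0.0", "0.255.255.255"), ANY),
    ace(70, "permit", "ip", ANY, OUR_CIDR),
    ace(80, "permit", "ip", ANY, BGP_NEIGHBOR),
    ace(90, "deny", "ip", ANY, ANY),
]

# [1.] anti_spoof_Te1/1_output as posted, placeholders substituted.
ANTI_SPOOF_OUTPUT = [
    ace(10, "deny", "ip", ANY, ("10.0.0.0", "0.255.255.255")),
    ace(20, "deny", "ip", ANY, ("172.16.0.0", "0.15.255.255")),
    ace(30, "deny", "ip", ANY, ("192.168.0.0", "0.0.255.255")),
    ace(40, "deny", "ip", ANY, ("127.0.0.0", "0.255.255.255")),
    ace(50, "deny", "ip", ANY, ("0.0.0.0", "0.255.255.255")),
    ace(60, "deny", "ip", ANY, OUR_CIDR),
    ace(70, "permit", "ip", BGP_NEIGHBOR, ANY),
    ace(80, "permit", "ip", OUR_CIDR, ANY),
    ace(90, "deny", "ip", ANY, ANY),
]


def evaluate(acl, proto, src, dst):
    """Return (sequence, action) of the first matching ACE, or (None, 'deny')
    for the implicit deny at the end of every Cisco ACL."""
    for entry in acl:
        if entry["proto"] not in ("ip", proto):   # 'ip' matches every IP protocol
            continue
        if wildcard_match(src, *entry["src"]) and wildcard_match(dst, *entry["dst"]):
            return entry["seq"], entry["action"]
    return None, "deny"


def with_icmp_test_entry(acl, src_host, dst_host):
    """Model the test in [4.]: prepend '1 deny icmp host A host B' to an ACL."""
    test = ace(1, "deny", "icmp", (src_host, "0.0.0.0"), (dst_host, "0.0.0.0"))
    return [test] + acl


if __name__ == "__main__":
    # Constructed sample packets: (acl name, proto, src, dst)
    samples = [
        ("input", "icmp", "198.51.100.200", "203.0.113.10"),   # Internet -> us
        ("input", "tcp", "10.1.2.3", "203.0.113.10"),          # spoofed RFC1918 source
        ("input", "udp", "194.79.52.9", "203.0.113.10"),       # hits posted line 50
        ("input", "tcp", "198.51.100.1", "198.51.100.2"),      # BGP neighbor -> our link address
        ("output", "icmp", "203.0.113.10", "198.51.100.200"),  # us -> Internet
        ("output", "tcp", "203.0.113.10", "192.168.1.1"),      # leak towards RFC1918
        ("output", "tcp", "10.0.0.5", "198.51.100.200"),       # private source leaving
    ]
    acls = {"input": ANTI_SPOOF_INPUT, "output": ANTI_SPOOF_OUTPUT}
    for name, proto, src, dst in samples:
        seq, action = evaluate(acls[name], proto, src, dst)
        print(f"{name:6} {proto:4} {src:>15} -> {dst:<15} seq {seq} {action}")
    tested = with_icmp_test_entry(ANTI_SPOOF_INPUT, "198.51.100.200", "203.0.113.10")
    print("[4.] icmp:", evaluate(tested, "icmp", "198.51.100.200", "203.0.113.10"))
    print("[4.] tcp :", evaluate(tested, "tcp", "198.51.100.200", "203.0.113.10"))
```

Running it prints one line per sample packet with the sequence number that matched. To check a different assumption about the placeholders, change `OUR_CIDR` and `BGP_NEIGHBOR` at the top; if the router's own link address to the neighbor is inside OUR CIDR, the BGP packets are permitted by line 70 on input and line 80 on output instead of falling through to line 90.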
03-31-2008 09:36 AM