Flipping an ACL from default 'allow' to 'deny'

drumrb0y
Level 1

I've been working on a HUGE undertaking - changing an access-list that has a 'permit ip any any' at the end of it to one that doesn't (which implies a 'deny ip any any'); I added a few lines at the end of the ACL to break down the traffic that is currently getting through without explicit permission:

access-list inside line 522 permit udp any any (hitcnt=495)

access-list inside line 523 permit tcp any any (hitcnt=956)

access-list inside line 524 permit icmp any any (hitcnt=518)

access-list inside line 525 permit ip any any (hitcnt=0)

Other than entering more and more lines to the ACL in order to sub-categorize the hosts, protocols and ports that are getting through by default, does anyone know of an efficient way to analyze and log this traffic so it can be accounted for in the ACL?

Thanks in advance,

Marc

4 Replies

BRUNO WOLLMANN
Level 1

You could use nbar on the interface to tell you what protocols are in use.

A sniffer would give you all the details you require (i.e. source, destination, ports, etc).

Thanks for the reply;

I'm not familiar with nbar, but if I read it correctly, I'd have to configure class-maps for the protocols I'm looking for anyway, so I think sniffing the traffic may be the way to go.

In either case, I'm going to have to configure an elaborate filter to trace traffic that falls under a "NOT-this-but-everything-else" condition.

M

wkumari
Level 1

Seeing as you are not getting too many hits on the ACL, I would just drop a "log" keyword at the end, something like:

access-list inside line 522 permit udp any any log

access-list inside line 523 permit tcp any any log

access-list inside line 524 permit icmp any any log

access-list inside line 525 permit ip any any log

and then do "sho log".

Obviously don't do this if your CPU is really hot, but based upon the number of hits you had in your example, you should be fine.

Warren Kumari

Snr Network Engineer

Google.

Thanks for the tip about using the 'log' command; I want to note that the counters for this ACL were reset minutes before that text was copied, so the load on the CPU may be a bit more than anticipated.

Perhaps I'll log just one protocol at a time and build a database for the cumulative information...

Marc
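Warren's suggestion (add "log" to the catch-all ACEs and read "show log") and Marc's plan to log one protocol at a time and accumulate the results suggest a small tool that does the accumulating. The following Python script is an added example and is not part of the thread or of any Cisco tooling. It assumes the ACL logging messages arrive in the PIX/ASA 106100 syslog format ("%ASA-6-106100: access-list inside permitted tcp inside/10.1.1.5(34567) -> outside/93.184.216.34(443) hit-cnt 1 first hit [...]"); the sample log lines, the ACL name "inside", the addresses, and the class and function names are all constructed for illustration. It parses the 106100 lines, keeps a cumulative tally keyed by protocol and destination port (so batches logged at different times add up), and drafts explicit permit ACEs for the observed flows, busiest first, followed by the explicit deny that replaces the 'permit ip any any'.

```python
import re
from collections import defaultdict

# Assumed shape of the 106100 syslog that an ACE carrying the "log" keyword
# emits (PIX and ASA prefixes are both accepted); constructed from the
# documented message format, not taken from the thread:
#   %ASA-6-106100: access-list <acl> permitted tcp inside/10.1.1.5(34567) ->
#       outside/93.184.216.34(443) hit-cnt 1 first hit [0x8a2c1f12, 0x0]
ACL_LOG_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_acl_log_line(line):
    """Return the fields of one 106100 message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "hits"):
        rec[k] = int(rec[k])
    return rec


class FlowTally:
    """Cumulative hit counts keyed by (protocol, destination port), so that
    batches captured at different times (e.g. one protocol at a time) add up."""

    def __init__(self):
        self.hits = defaultdict(int)
        self.dests = defaultdict(set)
        self.sources = defaultdict(set)

    def ingest(self, lines, acl):
        """Tally the permitted flows logged for ACL `acl`; returns lines used."""
        used = 0
        for line in lines:
            rec = parse_acl_log_line(line)
            if rec is None or rec["acl"] != acl or rec["action"] != "permitted":
                continue
            # ICMP has no ports: the bracketed numbers are not ports, so only
            # the protocol and the destination are kept for it.
            port = None if rec["proto"] == "icmp" else rec["dport"]
            key = (rec["proto"], port)
            self.hits[key] += rec["hits"]
            self.dests[key].add(rec["dst"])
            self.sources[key].add(rec["src"])
            used += 1
        return used

    def candidate_aces(self, acl, max_hosts=8, extended=False):
        """Draft explicit ACEs, busiest flows first, ending in an explicit deny.
        Flows seen to more than `max_hosts` destinations collapse to 'any'.
        ASA 7.0+ syntax wants the 'extended' keyword; PIX 6.x syntax omits it."""
        kw = "extended " if extended else ""
        aces = []
        order = sorted(self.hits, key=lambda k: (-self.hits[k], k[0], k[1] or 0))
        for proto, port in order:
            port_str = "" if port is None else f" eq {port}"
            dests = sorted(self.dests[(proto, port)])
            if len(dests) > max_hosts:
                aces.append(f"access-list {acl} {kw}permit {proto} any any{port_str}")
                continue
            for dst in dests:
                aces.append(f"access-list {acl} {kw}permit {proto} any host {dst}{port_str}")
        # The explicit catch-all keeps logging, so anything missed still shows up.
        aces.append(f"access-list {acl} {kw}deny ip any any log")
        return aces


# Constructed sample syslog excerpt (not from the thread). The last two lines
# are noise the tool must ignore: a deny on a different ACL and a 302013 message.
SAMPLE_LOG = """\
%ASA-6-106100: access-list inside permitted tcp inside/10.1.1.5(34567) -> outside/93.184.216.34(443) hit-cnt 1 first hit [0x8a2c1f12, 0x0]
%ASA-6-106100: access-list inside permitted tcp inside/10.1.1.7(41002) -> outside/93.184.216.34(443) hit-cnt 3 300-second interval [0x8a2c1f12, 0x0]
%ASA-6-106100: access-list inside permitted udp inside/10.1.1.5(50123) -> outside/192.0.2.53(53) hit-cnt 12 300-second interval [0x1b4d9e20, 0x0]
%ASA-6-106100: access-list inside permitted icmp inside/10.1.1.9(8) -> outside/192.0.2.1(0) hit-cnt 2 first hit [0x3c2a1100, 0x0]
%ASA-6-106100: access-list inside permitted tcp inside/10.1.1.5(34600) -> outside/198.51.100.20(25) hit-cnt 1 first hit [0x9f00aa11, 0x0]
%ASA-6-106100: access-list outside denied tcp outside/203.0.113.9(5555) -> inside/10.1.1.5(23) hit-cnt 1 first hit [0x77aa1234, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.1.1.5/34567 (10.1.1.5/34567)
"""


def summarize(log_text, acl="inside", **kw):
    """One-shot helper: tally a log excerpt and return the drafted ACEs."""
    tally = FlowTally()
    tally.ingest(log_text.splitlines(), acl)
    return tally.candidate_aces(acl, **kw)


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

In use you would feed it the output of "show log" (or the syslog server's file) captured in several runs, calling ingest() once per batch on the same FlowTally, and review the drafted ACEs before pasting them in above the catch-alls; the source sets kept per key are there so you can tighten "any" to specific hosts or subnets where the traffic turns out to come from only a few of them.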