05-12-2005 11:08 AM - edited 02-20-2020 09:27 PM
I've been working on a HUGE undertaking - changing an access-list that has a 'permit ip any any' at the end of it to one that doesn't (which implies a 'deny ip any any'); I added a few lines at the end of the ACL to break down the traffic that is currently getting through without explicit permission:
access-list inside line 522 permit udp any any (hitcnt=495)
access-list inside line 523 permit tcp any any (hitcnt=956)
access-list inside line 524 permit icmp any any (hitcnt=518)
access-list inside line 525 permit ip any any (hitcnt=0)
Other than entering more and more lines to the ACL in order to sub-categorize the hosts, protocols and ports that are getting through by default, does anyone know of an efficient way to analyze and log this traffic so it can be accounted for in the ACL?
Thanks in advance,
Marc
05-12-2005 01:33 PM
You could use nbar on the interface to tell you what protocols are in use.
A sniffer would give you all the details you require (i.e. source, destination, ports, etc).
05-13-2005 06:11 AM
Thanks for the reply;
I'm not familiar with nbar, but if I read it correctly, I'd have to configure class-maps for the protocols I'm looking for anyway, so I think sniffing the traffic may be the way to go.
In either case, I'm going to have to configure an elaborate filter to trace traffic that falls under a "NOT-this-but-everything-else" condition.
M
05-12-2005 03:22 PM
Seeing as you are not getting too many hits on the ACL, I would just drop a "log" keyword at the end, something like:
access-list inside line 522 permit udp any any log
access-list inside line 523 permit tcp any any log
access-list inside line 524 permit icmp any any log
access-list inside line 525 permit ip any any log
and then do "sho log".
Obviously don't do this if your CPU is really hot, but based upon the number of hits you had in your example, you should be fine.
Warren Kumari
Snr Network Engineer
Google.
05-13-2005 09:02 AM
Thanks for the tip about using the 'log' command; I want to note that the counters for this ACL were reset minutes before that text was copied, so the load on the CPU may be a bit more than anticipated.
Perhaps I'll log just one protocol at a time and build a database for the cumulative information...
Marc
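One way to carry out the plan in the last reply (log the catch-all lines one protocol at a time and accumulate the results) is to parse the syslog messages the "log" keyword produces rather than reading "sho log" by hand. The script below is an added example, not code from this thread or from Cisco: it parses messages in the PIX/ASA 106100 format ("access-list <name> permitted|denied <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n>"), sums the hit counts per flow, and renders candidate access-list lines in the PIX 6.x syntax used above. The sample log lines are constructed for the example; the script assumes dotted-quad addresses in the messages (not "name" aliases) and does not interpret the parenthesised fields for ICMP, so ICMP is summarised per host pair only.

```python
"""Aggregate PIX/ASA 106100 access-list log messages into candidate ACL lines.

Added example for the thread above; the sample data below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample syslog output in the 106100 format that the 'log' keyword
# produces. Addresses and hit counts are made up for this example.
SAMPLE_LOG = """\
%PIX-6-106100: access-list inside permitted tcp inside/10.1.1.5(40211) -> outside/192.0.2.10(80) hit-cnt 1 (first hit) [0x1a2b3c4d, 0x0]
%PIX-6-106100: access-list inside permitted tcp inside/10.1.1.5(40212) -> outside/192.0.2.10(80) hit-cnt 5 (300-second interval) [0x1a2b3c4d, 0x0]
%PIX-6-106100: access-list inside permitted udp inside/10.1.1.7(50100) -> outside/192.0.2.53(53) hit-cnt 12 (300-second interval) [0x2b3c4d5e, 0x0]
%PIX-6-106100: access-list inside permitted udp inside/10.1.1.9(50101) -> outside/192.0.2.53(53) hit-cnt 3 (300-second interval) [0x2b3c4d5e, 0x0]
%PIX-6-106100: access-list inside permitted icmp inside/10.1.1.5(0) -> outside/192.0.2.1(8) hit-cnt 2 (300-second interval) [0x3c4d5e6f, 0x0]
%PIX-6-106100: access-list inside permitted tcp inside/10.1.1.5(40300) -> outside/198.51.100.20(443) hit-cnt 1 (first hit) [0x4d5e6f70, 0x0]
%PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.1.5/40300 (203.0.113.4/1025)
"""

# Assumed message layout; only dotted-quad addresses are matched. Messages that
# are not 106100 (such as the 302013 connection line above) are skipped.
LOG_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[0-9.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[0-9.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_106100(text):
    """Return one dict per 106100 message found in the syslog text."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "acl": d["acl"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "hits": int(d["hits"]),
        })
    return records


def summarise(records):
    """Sum hit counts per flow.

    TCP/UDP flows are keyed on (proto, src, dst, dport): the source port is
    ephemeral and not useful in an ACE. ICMP is keyed on the host pair only,
    because the parenthesised fields for ICMP are not interpreted here.
    'first hit' and per-interval counts are simply added together.
    """
    totals = defaultdict(int)
    for r in records:
        if r["action"] != "permitted":
            continue  # we are decomposing permitted traffic, not denials
        dport = r["dport"] if r["proto"] in ("tcp", "udp") else None
        totals[(r["proto"], r["src"], r["dst"], dport)] += r["hits"]
    return dict(totals)


def candidate_aces(totals, acl="inside", min_hits=1):
    """Render (ace, hits) pairs, busiest flow first, in PIX 6.x syntax.

    min_hits drops one-off flows so they can be reviewed separately instead
    of being turned into permanent entries.
    """
    out = []
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))
    for (proto, src, dst, dport), hits in ordered:
        if hits < min_hits:
            continue
        ace = f"access-list {acl} permit {proto} host {src} host {dst}"
        if dport is not None:
            ace += f" eq {dport}"
        out.append((ace, hits))
    return out


if __name__ == "__main__":
    for ace, hits in candidate_aces(summarise(parse_106100(SAMPLE_LOG))):
        print(f"{hits:6d}  {ace}")
```

Two caveats when using this against a real box. A 106100 message names the ACL and the action, not the individual line that matched, so the output only represents the "default-permitted" traffic if the log keyword is on the catch-all lines alone and not on the explicit permits above them. And the per-flow totals are a sum of interval counters, so treat them as a ranking of what needs an explicit entry rather than an exact packet count.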