11-16-2005 09:59 PM - edited 03-03-2019 11:00 AM
I have found a strange situation.
On the router, I configure the access-list for blocking worm ports as follows. If I configure these access-lists, the servers connected to this router operate well. But when I delete the access-list configuration, the servers go down. What is the cause?
interface Vlan200
ip address 203.237.0.5 255.255.255.0
ip access-group 101 in
ip access-group 102 out
access-list 101 remark "Bagle.U Worm"
access-list 101 deny tcp any any eq 4751
access-list 101 remark "WORM_Agobot.gen"
access-list 101 deny tcp any any eq 135
access-list 101 remark "WORM_MYDOOM.b"
access-list 101 deny tcp any any eq 1080
access-list 101 deny tcp any any eq 3218
access-list 101 deny tcp any any eq 10080
access-list 101 remark "WORM_MYDOOM.A"
access-list 101 deny tcp any any eq 3127
access-list 101 remark "SPYBOT.S"
access-list 101 deny tcp any any eq 31031
access-list 101 remark "Wout32.Bagle , Mirc"
access-list 101 deny tcp any any eq 6667
access-list 101 remark "Wout32.Sobig.worm.F"
access-list 101 deny udp any any range 995 999
access-list 101 remark "Wout32.Welchia.worm"
access-list 101 deny tcp any any eq 707
access-list 101 deny udp any any eq 2048
access-list 101 remark "W32.Blaster.Worm"
access-list 101 deny tcp any any eq 4444
access-list 101 remark "Backdoor.IRC.Cirebot"
access-list 101 deny tcp any any eq 57005
access-list 101 deny udp any any eq 57005
access-list 101 deny tcp any any range 1235 1238
access-list 101 remark "Kita Worm"
access-list 101 deny udp any any eq 1204
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 28290
access-list 101 deny tcp any any eq 12345
access-list 101 remark "Bagle.P"
11-16-2005 10:40 PM
Hi
Hope you are well aware that if you have an access-group under the interface and you remove the access lists associated with it, you will lose the connectivity.
Again, in the ACLs mentioned in your post I don't see any permit statement at the end of the same, and also you didn't mention the second part, which is access-list 102.
If possible, do post them as an attachment over here.
Have you got all Windows-based servers over there?
If yes, have you got them patched with the latest updates? Also, about antivirus, have you got the latest updates installed?
Also do close the unnecessary unused ports if you aren't using them on the server.
Regards
11-17-2005 10:20 AM
Actually, it has not been true for a long time that if you have access lists defined, have an access-group applied to the interface, and then remove the access list, you lose connectivity because of the implicit deny any at the end of the access list. At one point in time that was the behavior of IOS, but it has not worked that way for a very long time. The behavior now is that if you remove the access list, it acts like there is a permit any.
Edwin's point about not seeing any permit in the access list is well taken. If an access list has a number of deny statements and no permit statements, then I would expect to lose connectivity since everything would be denied.
So the behavior described is the reverse of the behavior that I would expect. I am not sure how to explain this.
HTH
Rick
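The two behaviours Rick describes (the implicit deny any at the end of every ACL, versus an access-group whose ACL no longer exists behaving as permit any) can be checked with a small model. The Python script below is an added illustration for this thread, not code from the original post or from Cisco: it parses numbered extended ACL lines in the same form as the post, evaluates them first-match with the implicit deny, and treats a missing or empty ACL referenced by an access-group as permit-all. The sample configuration inside it is constructed from a few of the post's lines plus an assumed trailing permit ip any any (the OP says a permit statement follows but does not show it); only protocol and destination port are matched, because every line in the post uses any any for the addresses.

```python
"""Toy model of IOS numbered extended ACL evaluation (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip" (ip matches any protocol)
    lo: int      # inclusive destination-port range; 0..65535 means any port
    hi: int


# Constructed sample: a few lines from the post, without any permit.
SAMPLE_DENY_ONLY = """\
access-list 101 remark "W32.Blaster.Worm"
access-list 101 deny tcp any any eq 4444
access-list 101 remark "Wout32.Sobig.worm.F"
access-list 101 deny udp any any range 995 999
access-list 101 remark "WORM_Agobot.gen"
access-list 101 deny tcp any any eq 135
"""

# Same list with the trailing permit the OP says is present (assumed wording).
SAMPLE_WITH_PERMIT = SAMPLE_DENY_ONLY + "access-list 101 permit ip any any\n"


def parse_acl(config_text):
    """Parse 'access-list N ...' lines into {N: [Rule, ...]}.

    Remark lines are recorded only so the ACL number exists; 'eq' and 'range'
    with numeric ports are the only port matches used in the post, so anything
    else raises rather than silently mis-modelling the list.
    """
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number = tokens[1]
        acls.setdefault(number, [])
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        port_spec = tokens[6:]          # tokens[4:6] are the 'any any' src/dst
        if not port_spec:
            lo, hi = 0, 65535
        elif port_spec[0] == "eq":
            lo = hi = int(port_spec[1])
        elif port_spec[0] == "range":
            lo, hi = int(port_spec[1]), int(port_spec[2])
        else:
            raise ValueError(f"unsupported port match: {line}")
        acls[number].append(Rule(action, proto, lo, hi))
    return acls


def evaluate(rules, packet):
    """First matching entry wins; no match means the implicit deny any."""
    for r in rules:
        if r.proto in ("ip", packet.proto) and r.lo <= packet.dport <= r.hi:
            return r.action
    return "deny"


def interface_verdict(acls, group, packet):
    """'ip access-group <group>' applied on an interface.

    If the referenced ACL does not exist (e.g. after 'no access-list 101'
    with the access-group left in place), IOS passes all traffic.
    """
    if group not in acls or not acls[group]:
        return "permit"
    return evaluate(acls[group], packet)


if __name__ == "__main__":
    probes = [Packet("tcp", 4444), Packet("udp", 997), Packet("tcp", 80)]
    scenarios = {
        "deny-only list": parse_acl(SAMPLE_DENY_ONLY),
        "list with permit ip any any": parse_acl(SAMPLE_WITH_PERMIT),
        "ACL removed, access-group kept": {},
    }
    for name, acls in scenarios.items():
        verdicts = [interface_verdict(acls, "101", p) for p in probes]
        print(f"{name:32} {verdicts}")
```

The deny-only list blocks everything, which is the outcome Edwin and Rick expect from a list with no permit; the list with a trailing permit blocks only the worm ports; and the removed-ACL case permits every probe, matching Rick's description of current IOS. None of these reproduces the OP's observation, which is why the thread looks for the cause on the servers rather than in the ACL.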
11-17-2005 05:25 PM
The access-list command has a 'permit' statement below. And the ip access-group command is configured on the router. So the access-list configuration is perfect.
The OS of the servers is Windows or Linux based.
Antivirus patching is done.
I think slow servers are the problem.
Complex access-list configurations on the router enable fast packet transmission to servers.
Then the server goes down.
Can this scenario be correct?
In fact, if I delete the access-list configuration, the server goes down.
Could a server upgrade be a change for the better?