12-10-2007 05:10 PM - edited 03-05-2019 07:55 PM
Hey guys, I have an access list which is applied to the outside interface. There are 2 lines, however, that I think might be doing the same thing, and I want to know if I can get rid of one. They both get hits, though, when I do a "sh access-list 110":
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any eq isakmp any
thanks
12-10-2007 05:15 PM
They aren't doing the same thing and you haven't told us which direction the ACL was applied.
On the first ACL, you are allowing isakmp on the destination host(s) while on the second ACL, you are allowing isakmp on the source host(s).
12-10-2007 05:23 PM
sorry for that.
In int4, there is a line "ip access-group 110 in", so I assume, and I think this is right :), that the ACL is applied to all traffic coming from the outside (internet) towards the network (inside)... please correct me if I'm wrong.
There aren't any ACLs applied to the inside interface, which I believe means anything outbound from the inside is allowed.
My apologies for the fragile questions; I'm trying to get this right and be strong on the basics before moving forward.
12-10-2007 05:26 PM
My previous explanation still stands. You are allowing bi-directional traffic for the isakmp port. Removing one ACL will affect this traffic, so leave as is.
12-10-2007 05:42 PM
I see. But wouldn't it be redundant as all outbound traffic is already allowed, thus safely remove the second line, and only keep and use the first line (access-list 110 permit udp any any eq isakmp)?
When you make an outbound connection, once that connection is established, doesn't the router allow anything inbound from the destination during the session? And because it is ISAKMP, you do have to allow this protocol in the inbound direction, so wouldn't line 1 already be allowing for this?
12-10-2007 07:20 PM
Usually only the destination would be listed in the allowed port but due to the nature of the IPSec traffic, both the source and destination use that port.
For instance, if you are running a web server, only the server needs to be allowed on port 80. The end-devices connecting to this web server will use high random ports (1024 and above) which is allowed by the ACL.
In this case, the application behaves differently, as the end-devices and the VPN server utilize the isakmp port, not high random ports.
12-10-2007 08:12 PM
Angel
I am glad that you are trying to get strong on the basics. Here is an important basic concept: if both access list lines are getting hits then they are not redundant. If a packet gets to the second line and matches the second line (which produces a hit) then it did not match the first line, because access list processing stops when it gets to the first match.
So if you remove either of the lines you will be changing the behavior and some traffic that is getting through currently will start being denied.
I will admit that I am a bit surprised that both lines are getting hits. In my experience using ISAKMP both the source port and the destination port are the same (both source port and destination port are UDP ISAKMP). But if both lines of your access list are getting hits then obviously there is traffic in your network that is not working the way that I would expect.
HTH
Rick
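To make Rick's point concrete, here is an added example (my own code, not from anyone in this thread) that models the two ACL lines and IOS first-match processing. The packets are constructed sample traffic, the hit counters mimic what "sh access-list 110" reports, and the implicit "deny any" at the end of the list is assumed; the only way a packet increments line 2 is by failing to match line 1, which is exactly why hits on both lines mean neither line is redundant.

```python
"""
Added example: first-match evaluation of the two numbered-ACL lines
from the thread. Not part of the original post; sample packets below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ISAKMP = 500  # the port IOS names "isakmp" in ACLs


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip"
    sport: Optional[int]   # None means "any"
    dport: Optional[int]   # None means "any"
    text: str = ""
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(acl: list[Ace], p: Packet) -> tuple[str, Optional[int]]:
    """Walk the list top-down and stop at the first matching line (IOS semantics).
    Returns (action, index-of-matching-line); None index means the implicit deny."""
    for idx, ace in enumerate(acl):
        if ace.matches(p):
            ace.hits += 1           # this is the counter "sh access-list" shows
            return ace.action, idx
    return "deny", None


def build_acl(include_second_line: bool = True) -> list[Ace]:
    acl = [Ace("permit", "udp", None, ISAKMP,
               text="access-list 110 permit udp any any eq isakmp")]
    if include_second_line:
        acl.append(Ace("permit", "udp", ISAKMP, None,
                       text="access-list 110 permit udp any eq isakmp any"))
    return acl


# Constructed sample traffic arriving inbound on the outside interface.
SAMPLE = [
    Packet("udp", "203.0.113.5", 500, "198.51.100.2", 500),     # usual ISAKMP: 500 -> 500
    Packet("udp", "203.0.113.7", 500, "198.51.100.2", 4500),    # source 500, destination not 500
    Packet("udp", "203.0.113.9", 62011, "198.51.100.2", 500),   # high source port -> 500
    Packet("udp", "203.0.113.9", 62012, "198.51.100.2", 53),    # unrelated UDP, no line matches
]


def run(include_second_line: bool = True) -> dict:
    """Evaluate SAMPLE against the ACL and return verdicts plus per-line hit counts."""
    acl = build_acl(include_second_line)
    verdicts = [evaluate(acl, p) for p in SAMPLE]
    return {"verdicts": verdicts, "hits": [a.hits for a in acl]}


if __name__ == "__main__":
    for keep_line2 in (True, False):
        result = run(keep_line2)
        print("with line 2" if keep_line2 else "line 2 removed", result)
```

With both lines present the second packet (source port 500, destination port not 500) is the only one that reaches line 2, so the counters read 2 and 1; remove line 2 and that same packet falls through to the implicit deny. Only the 500-to-500 and high-port-to-500 packets survive with line 1 alone, which is the behaviour change Rick warns about.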
12-11-2007 12:03 AM
I have to be honest, I was very close to removing one of the lines. But thanks to you guys I didn't.
I have few networks where we use Cisco all the way, and as time goes by, I want/need to understand each line of each running config I have.
The fewer lines, the better (for me :)). One Cisco TAC guy told me that there are Cisco Best Practices and that's exactly where I would like to get... just like MS Windows where, almost with my eyes closed, I remove tons of unneeded services/files/programs before deployment :)
12-11-2007 12:10 AM
Hi
One thing you might consider is adding the "log" keyword to the end of these 2 lines and that will show you the source and destination IP addresses and port numbers.
As Rick says, this is strange because ISAKMP is usually udp port 500 to udp port 500.
Obviously, if you are going to log these entries please ensure your router has enough spare resources to do this.
Jon
12-11-2007 12:22 AM
oh, I like that. I will add the log keyword.
But what do you mean by enough resources? I have an 871 which is handling an office of 30+ users.
Can you please show me how to get this "logging" going?
12-11-2007 12:33 AM
Hi
You should be okay as long as your router is not running "hot" at the moment.
At its most basic, just to turn on logging:
router(config)# logging on
router(config)# logging trap informational
router(config)# logging buffered
This will log to the buffer on your 871. Because it is informational you will get more than just the access-list lines being logged and the buffer is circular in that it will keep getting overwritten, which is why people often set up a syslog server and send the logs to that.
You can get a free syslog server that you can run on one of your windows boxes from
If you do this you need one more line in your config
router(config)# logging host "ip address of syslog server"
As with debugging and logging you should keep an eye on the memory and CPU usage on your router.
Jon
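Once the "log" keyword is on the two lines and the router is sending to a syslog server, the question becomes reading what comes back. The following is an added example (my own, not Jon's or the original poster's) that parses the %SEC-6-IPACCESSLOGP messages IOS emits for a logged extended-ACL match, pulls out the source and destination addresses and ports Jon mentions, and tallies which of the two lines each flow would have hit. The log lines are constructed samples; the timestamps, addresses and packet counts are invented for illustration, and only list 110 messages for UDP with port numbers are handled.

```python
"""
Added example: parse IOS ACL "log" output (%SEC-6-IPACCESSLOGP) and
summarise which ACL line each flow hit. Sample lines are constructed.
"""
import re
from collections import Counter

ISAKMP = 500

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP format.
# IOS logs the first matching packet immediately and then a summary
# ("N packets") for the following interval, hence the "14 packets" line.
SAMPLE_LOG = """\
*Dec 11 00:41:02.511: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.5(500) -> 198.51.100.2(500), 1 packet
*Dec 11 00:41:09.120: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.7(500) -> 198.51.100.2(4500), 1 packet
*Dec 11 00:41:15.004: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.9(62011) -> 198.51.100.2(500), 1 packet
*Dec 11 00:46:02.600: %SEC-6-IPACCESSLOGP: list 110 permitted udp 203.0.113.5(500) -> 198.51.100.2(500), 14 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text: str, acl: str = "110") -> list[dict]:
    """Return one dict per log line that belongs to the given ACL number."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("acl") != acl:
            continue
        entries.append({
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "count": int(m.group("count")),
        })
    return entries


def which_line(e: dict) -> str:
    """Map a logged flow to the ACL line that matches it first (top-down)."""
    if e["proto"] == "udp" and e["dport"] == ISAKMP:
        return "line 1 (any any eq isakmp)"
    if e["proto"] == "udp" and e["sport"] == ISAKMP:
        return "line 2 (any eq isakmp any)"
    return "neither"


def summarize(text: str, acl: str = "110") -> tuple[Counter, Counter]:
    """Packet totals per ACL line, and per (src, sport, dst, dport) flow."""
    per_line: Counter = Counter()
    flows: Counter = Counter()
    for e in parse_acl_log(text, acl):
        per_line[which_line(e)] += e["count"]
        flows[(e["src"], e["sport"], e["dst"], e["dport"])] += e["count"]
    return per_line, flows


if __name__ == "__main__":
    per_line, flows = summarize(SAMPLE_LOG)
    for name, n in per_line.items():
        print(f"{n:4d} packets  {name}")
    for (src, sport, dst, dport), n in flows.items():
        print(f"{n:4d} packets  {src}:{sport} -> {dst}:{dport}")
```

Run against a real export this tells you within minutes whether the line 2 hits are genuine 500-to-something-else traffic from a particular peer or just noise, which is the information needed before deciding whether the line can go. Watch the CPU while the "log" keyword is in place, as Jon says; logged ACL entries are process-switched on small platforms like the 871.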
12-11-2007 09:20 AM
what do you mean by "running 'hot' "? cpu usage high? sh proc high?
I am moving ahead with the logging. I do have a syslog server and I will make this 871 send its logs to it, although I want to deploy this syslog server at the other end of the tunnel. Meaning that I will create a LAN-to-LAN tunnel from this 871 to a remote office because that's where I have the syslog server. Will this be OK? Will it be safe? Or is it gonna put too much traffic on the line?
12-11-2007 10:17 AM
Hi
I just mean that if your router is running over 50% in cpu usage you just need to be a little careful when you turn logging on.
Sending the traffic down the tunnel will put more overhead on the router because of the encryption overhead.
It's a suck it and see thing really.
Jon
12-11-2007 10:22 AM
I see. Well, this is my plan: this 871 uses 2 ISPs, and ISP2 is only for backup purposes, so the connection is always idle. So I am planning to use it for the tunnel so I can keep it busy :) and not put overhead on the main line, which is always busy anyway with all the traffic that the inside network puts on it.
what do you think?
12-10-2007 11:55 PM
interesting. very interesting
Edison, do you know of a good link that touches this ACL topic in very deep details?
Also, any good readings about ACLs (books, articles, etc.) and about ISAKMP?
Once again, I need to get stronger on these basics
thank you for the answers