
ACL does not match!!!

Status
Not open for further replies.

hadel

Technical User
Aug 17, 2003
26
AE
I have the configuration below


Building configuration...

Current configuration:
!
! Last configuration change at 19:51:50 CAT-2 Sun Dec 21 2003 by XXXXXX
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname XXXX
!
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
enable secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password ems
!
!
!
!
!
clock timezone CAT-2 2
clock summer-time EDST-3 recurring last Fri Apr 1:00 last Thu Sep 23:00
ip subnet-zero
ip domain-name XXXXXX
ip name-server 193.1.1.2
ip name-server 193.1.1.1
!
x25 routing
!
!
process-max-time 200
!
interface Ethernet0
ip address 195.1.1.17 255.255.255.240
no ip directed-broadcast
loopback
no keepalive
!
interface Serial0
ip address 194.1.1.10 255.255.255.252
ip access-group noc out
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial1
ip address 194.1.1.14 255.255.255.252
ip access-group noc out
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface Serial2
no ip address
no ip directed-broadcast
no ignore-hw local-loopback
!
interface Serial3
no ip address
no ip directed-broadcast
no ignore-hw local-loopback
!
interface Serial4
ip address 196.1.1.1 255.255.255.252
no ip directed-broadcast
encapsulation x25 dce
no ip mroute-cache
x25 address 3610
x25 ltc 5
x25 htc 100
x25 win 7
x25 wout 7
no ignore-hw local-loopback
clockrate 64000
!
interface Serial5
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no ignore-hw local-loopback
!
interface Serial6
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no ignore-hw local-loopback
!
interface Serial7
no ip address
no ip directed-broadcast
no ip mroute-cache
shutdown
no ignore-hw local-loopback
!
interface Serial8
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface Serial9
no ip address
no ip directed-broadcast
shutdown
no ignore-hw local-loopback
!
interface BRI0
no ip address
no ip directed-broadcast
shutdown
isdn guard-timer 0 on-expiry accept
!
interface Dialer6
no ip address
no ip directed-broadcast
no cdp enable
!
router ospf 100
network 194.1.1.8 0.0.0.3 area 0.0.0.5
network 194.1.1.12 0.0.0.3 area 0.0.0.5
network 195.1.1.16 0.0.0.15 area 0.0.0.5
network 196.1.1.0 0.0.0.3 area 0.0.0.5
!
ip classless
no ip http server
!
!
ip access-list extended noc
permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.69
permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.71
permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.200
permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.201
permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.202
permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.203
permit tcp 195.1.1.16 0.0.0.15 host 193.1.1.2 eq 123
permit tcp 195.1.1.16 0.0.0.15 host 193.1.1.1 eq 123
permit tcp 195.1.1.16 0.0.0.15 eq 123 host 193.1.1.2
permit tcp 195.1.1.16 0.0.0.15 eq 123 host 193.1.1.1
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.1 eq snmp
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.2 eq snmp
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.3 eq snmp
permit udp 195.1.1.16 0.0.0.15 eq snmp host 193.1.1.1
permit udp 195.1.1.16 0.0.0.15 eq snmp host 193.1.1.2
permit udp 195.1.1.16 0.0.0.15 eq snmp host 193.1.1.3
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.1 eq snmptrap
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.2 eq snmptrap
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.3 eq snmptrap
permit udp 195.1.1.16 0.0.0.15 eq snmptrap host 193.1.1.1
permit udp 195.1.1.16 0.0.0.15 eq snmptrap host 193.1.1.2
permit udp 195.1.1.16 0.0.0.15 eq snmptrap host 193.1.1.3
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.1 eq tftp
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.2 eq tftp
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.69 eq tftp
permit udp 195.1.1.16 0.0.0.15 eq tftp host 193.1.1.1
permit udp 195.1.1.16 0.0.0.15 eq tftp host 193.1.1.2
permit udp 195.1.1.16 0.0.0.15 eq tftp host 193.1.1.69
permit udp 195.1.1.16 0.0.0.15 eq tacacs host 193.1.1.69
permit udp 195.1.1.16 0.0.0.15 host 193.1.1.69 eq tacacs
permit ospf any any
permit tcp host 196.1.1.1 any eq 1998
permit tcp host 196.1.1.1 eq 1998 any
permit tcp host 194.1.1.10 eq telnet host 193.1.1.200
permit tcp host 194.1.1.10 eq telnet host 193.1.1.201
permit tcp host 194.1.1.10 eq telnet host 193.1.1.202
permit tcp host 194.1.1.10 eq telnet host 193.1.1.203
permit tcp host 194.1.1.14 eq telnet host 193.1.1.200
permit tcp host 194.1.1.14 eq telnet host 193.1.1.201
permit tcp host 194.1.1.14 eq telnet host 193.1.1.202
permit tcp host 194.1.1.14 eq telnet host 193.1.1.203
permit icmp any any
logging trap debugging
logging 193.1.1.3
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
tacacs-server host 193.1.1.69
tacacs-server key notnorth_noc
snmp-server engineID local 0000000902000050547FC128
snmp-server community xnetro RO
snmp-server community xnetrw RW
snmp-server community public view v1default RO
snmp-server enable traps snmp
snmp-server host 193.1.1.3 public tty x25 snmp
x25 route 3615 interface Serial4
x25 route 401111111111 xot 194.1.1.9 194.1.1.13
x25 route 401111111115 xot 194.1.1.9 194.1.1.13
privilege exec level 3 enable
!
line con 0
transport input none
line aux 0
line vty 0 4
password ineed
!
ntp clock-period 17180075
ntp server 193.1.1.200 prefer
ntp server 193.1.1.202
end


The weird thing is that I get no matches whatsoever on the access lists. What did I miss??
 
Is it possible traffic is going out another serial interface than the two you have the acl on?
 
I have two serial interfaces up with IP bound, connected to the WAN. The other interface is connected internally to an X25 server. The other interface is Ethernet. I have the ACL applied on both interfaces out to the WAN, this is the way to my site. The same symptoms are on all my remote sites CISCO 2500. Would a reboot do the job??
 
What does your routing table say for network 193?

bob

I know what I know and that's all I know. What I don't know I will ask.
 
Whoheard just read my thoughts. Check your routing table to see how packets are getting to the 193 network.

Also, I hope the tacacs key you have listed in your config isn't the real one. You have the IP and key listed.
 
I might be lost but not that lost to give out the tacacs key
 
Just a thought, when you generated the ACL did you use a word processor package? I had a problem once where a WP stuck an invisible character on the end of the ACL name, took some finding!

Use notepad or a similar text editor to edit your ACLs.

 
I used notepad. I am aware of the ctrl^M characters that would appear in case you use a WP. I changed the ACL from named to numbered, that got me some matches. The thing now is "this router can telnet out its serial" how would that be!!??
 
That's because your ACL is outgoing, when you telnet to a remote device you're connecting to port 23 at the remote end.

Your ACL is trying to match telnet against the source address, not the destination address, which would be n.n.n.n port 23.

However if the ACL is correctly applied then you would need a permit statement to match the telnet traffic to, that could be permit tcp any any or ip any any, otherwise it gets dropped by the implicit deny.

When you telnet out which line increments its counter?
 
Routerman,
What I need to do is to deny telnet from this router not permit. Yet I want to permit its reply to my telnet sessions. This is why I had telnet in the source address on the outgoing interface. The implicit deny should deny the telnet going out of the interface with destination port 23, which is when this router is trying to telnet. & that's what does not happen. Even when I did an explicit deny any any eq telnet at the first line of the ACL, yet the router did telnet!

When I put log on this entry, the debug would say "denying telnet packet bla bla ..." & the router opens the session to the remote host !!

Can anyone explain this behaviour?
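Added example, not from the thread or any of its posters: a small Python model of how IOS walks an extended ACL like the "noc" list above, using the thread's own rule syntax and a constructed subset of its lines, so the difference between a telnet reply (source port 23, which the list permits) and a telnet request (destination port 23, which falls to the implicit deny) can be seen on sample packets. It also models the documented IOS behaviour that an outbound ACL is never applied to packets the router itself originates, which is why the router's own telnet session is not stopped by an outbound list; the packet dicts and the `router_originated` flag are assumptions of this example.

```python
import ipaddress

# Constructed subset of the thread's outbound "noc" ACL, in the post's own syntax.
ACL_NOC = [
    "permit tcp 195.1.1.16 0.0.0.15 eq telnet host 193.1.1.200",
    "permit tcp host 194.1.1.10 eq telnet host 193.1.1.200",
    "permit icmp any any",
]
PORTS = {"telnet": 23, "snmp": 161, "snmptrap": 162, "tftp": 69, "tacacs": 49}

def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard only)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((t, tokens.pop(0)), strict=False)  # wildcard acts as hostmask

def _port(tokens):
    """Optional 'eq <name|number>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORTS[p] if p in PORTS else int(p)
    return None

def parse_ace(line):
    """permit|deny <proto> <src> [eq p] <dst> [eq p]; an 'eq' right after the source binds to it."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)
    dst, dport = _addr(tokens), _port(tokens)
    return (action, proto, src, sport, dst, dport)

def evaluate(acl, pkt, router_originated=False):
    """Top-down, first match wins; anything unmatched hits the implicit deny.
    IOS does not run an outbound ACL against packets the router itself generates
    (assumed flag below), so a session the router opens bypasses the list entirely."""
    if router_originated:
        return "bypass"
    for action, proto, src, sport, dst, dport in map(parse_ace, acl):
        if proto not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in src or ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        if sport not in (None, pkt["sport"]) or dport not in (None, pkt["dport"]):
            continue
        return action
    return "deny"
```

To deny telnet that LAN hosts initiate while still letting replies back to the NOC through, the reply lines (source port 23) already do that job; the router's own sessions need a different control, such as restricting its vty lines, because the outbound list never sees them.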
 