Port number not shown in access-list log output

When I was testing the inspection of router-generated traffic, I wanted to block and log all incoming traffic (apart from inspect-generated conduits, obviously) with a simple access-list:

access-list 102 deny ip any any log
Unfortunately, the port numbers in the logging printout were always zero:
%SEC-6-IPACCESSLOGP: list 102 denied udp 10.0.0.1(0) -> 192.168.1.3(0), 1 packet
The reason for this behavior is very simple: unless a line in the IP ACL matches on the layer-4 port numbers, the router does not inspect them; the log action thus has no port number to show in the syslog printout.

To fix the printout, you have to force the router to inspect the layer-4 port numbers. If you still want to block-and-log all traffic, the minimum access-list achieving this goal is the following:
access-list 102 deny   udp any gt 0 any gt 0 log
access-list 102 deny tcp any gt 0 any gt 0 log
access-list 102 deny ip any any

4 comments:

  1. cool stuff!!!! I have added you to my blog feed.

    http://hackathology.blogspot.com/

    ReplyDelete
  2. Actually, by default standard ACL's don't show port numbers but extended ACL's with log do....

    ReplyDelete
  3. @Anonymous#2: Actually, that's pretty much exactly what I've said :) The standard ACL cannot show port numbers because they are not examined by the standard ACL ... BUT (and this is a HUGE BUT :) the extended ACL shows port numbers in log printouts IF AND ONLY IF the ACL uses the port numbers in PERMIT/DENY statements (unless there is a weird interaction with some other packet forwarding function in late IOS releases :))

    ReplyDelete
  4. In IOS 15.0 enough to add at least 1 rule with eq statement for logging port numbers.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.