interface Ethernet0/2.7
vlan 216
nameif xxx-dc
security-level 100
ip address 172.17.4.1 255.255.255.248
object-group network xxx-distr
network-object 172.31.0.0 255.255.0.0
route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2
access-list acl-xxx-distr extended deny ip object-group xxx-distr any
access-group acl-xxx-distr in interface xxx-dc
Traffic is passing even though it shouldn't. Why?
>[overquoting removed]
> vlan 216
> nameif xxx-dc
> security-level 100
> ip address 172.17.4.1 255.255.255.248
> object-group network xxx-distr
> network-object 172.31.0.0 255.255.0.0
> route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2
> access-list acl-xxx-distr extended deny ip object-group xxx-distr any
> access-group acl-xxx-distr in interface xxx-dc
> Traffic is passing even though it shouldn't. Why?
Where is your traffic coming from and going to?
>[overquoting removed]
>> nameif xxx-dc
>> security-level 100
>> ip address 172.17.4.1 255.255.255.248
>> object-group network xxx-distr
>> network-object 172.31.0.0 255.255.0.0
>> route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2
>> access-list acl-xxx-distr extended deny ip object-group xxx-distr any
>> access-group acl-xxx-distr in interface xxx-dc
>> Traffic is passing even though it shouldn't. Why?
> Where is your traffic coming from and going to?
To other interfaces and networks.
1: 13:19:45.979227 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662171:3467662415(244) ack 256553634 win 571
2: 13:19:45.982203 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256553634:256553878(244) ack 3467662415 win 255
3: 13:19:45.983500 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662415:3467662621(206) ack 256553878 win 570
4: 13:19:45.987162 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: . 256553878:256555258(1380) ack 3467662621 win 254
5: 13:19:45.987253 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256555258:256556058(800) ack 3467662621 win 254
6: 13:19:45.987986 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: . ack 256556058 win 562
7: 13:19:45.988947 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662621:3467662713(92) ack 256556058 win 562
8: 13:19:45.991464 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256556058:256556186(128) ack 3467662713 win 254
9: 13:19:46.188115 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: . ack 256556186 win 561
10: 13:19:47.075954 802.1Q vlan#216 P0 172.31.1.9.55732 > 172.27.0.3.47976: . 990632064:990632065(1) ack 2301496656 win 815
11: 13:19:47.080821 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.9.55732: . ack 990632065 win 10068 <nop,nop,sack sack 1 {990632064:990632065} >
12: 13:19:50.029173 802.1Q vlan#216 P0 172.31.1.21.49369 > 172.27.0.3.47976: P 1927316053:1927317041(988) ack 1794367667 win 2441
13: 13:19:50.040159 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.21.49369: . 1794367667:1794369047(1380) ack 1927317041 win 258
14: 13:19:50.040265 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.21.49369: P 1794369047:1794370303(1256) ack 1927317041 win 258
15: 13:19:50.040738 802.1Q vlan#216 P0 172.31.1.21.49369 > 172.27.0.3.47976: . ack 1794370303 win 2431
16: 13:19:53.422661 802.1Q vlan#216 P0 172.31.1.1.50078 > 172.27.0.3.47976: . 67284983:67284984(1) ack 2459831405 win 1069
17: 13:19:53.425316 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.1.50078: . ack 67284984 win 254 <nop,nop,sack sack 1 {67284983:67284984} >
18: 13:19:55.203373 802.1Q vlan#216 P0 172.31.1.19.49320 > 172.27.0.3.47976: . 1436019216:1436019217(1) ack 1071041742 win 254
19: 13:19:55.206318 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.19.49320: . ack 1436019217 win 255 <nop,nop,sack sack 1 {1436019216:1436019217} >
20: 13:19:56.435783 802.1Q vlan#216 P0 172.31.1.19.49284 > 172.27.0.3.47976: . 2540691227:2540691228(1) ack 4094067666 win 2302
21: 13:19:56.437492 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.19.49284: . ack 2540691228 win 255 <nop,nop,sack sack 1 {2540691227
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.0.0 xxx-dc
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd839b0a8, priority=11, domain=permit, deny=true
hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: xxx-dc
input-status: up
input-line-status: up
output-interface: xxx-dc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
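As an added example (not code from the thread), the following Python parses capture lines in the layout shown above and checks each packet against the deny rule of acl-xxx-distr: a source inside 172.31.0.0/16 marks a packet the inbound ACL on xxx-dc should block, while a destination inside that range marks return traffic of an already established connection, which a stateful firewall matches against its connection table rather than the interface ACL. The sample lines are constructed from the capture above.

```python
import ipaddress
import re

# Constructed sample lines, laid out like the ASA capture quoted in the thread
CAPTURE = """\
1: 13:19:45.979227 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662171:3467662415(244) ack 256553634 win 571
2: 13:19:45.982203 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256553634:256553878(244) ack 3467662415 win 255
10: 13:19:47.075954 802.1Q vlan#216 P0 172.31.1.9.55732 > 172.27.0.3.47976: . 990632064:990632065(1) ack 2301496656 win 815
11: 13:19:47.080821 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.9.55732: . ack 990632065 win 10068 <nop,nop,sack sack 1 {990632064:990632065} >
"""

# Source range denied by acl-xxx-distr (object-group xxx-distr in the thread)
DENIED_SRC = ipaddress.ip_network("172.31.0.0/255.255.0.0")

# Matches "<n>: <time> ... <src>.<sport> > <dst>.<dport>:" at the start of a line
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\S+)\s.*?\s"
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):"
)

def parse_capture(text):
    """Turn capture lines into packet dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append({
                "num": int(m["num"]),
                "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
                "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
            })
    return packets

def classify(packets, denied=DENIED_SRC):
    """Return (numbers of packets the inbound ACL should deny, numbers of return
    packets). Source in the denied range: a packet the ACL on xxx-dc is meant to
    drop. Destination in the denied range: a reply that exists only because the
    firewall already holds a connection entry for that flow."""
    should_deny, established = [], []
    for p in packets:
        if p["src"] in denied:
            should_deny.append(p["num"])
        elif p["dst"] in denied:
            established.append(p["num"])
    return should_deny, established

if __name__ == "__main__":
    deny, est = classify(parse_capture(CAPTURE))
    print("should be denied by ACL:", deny, "| replies of existing connections:", est)
```

Replies towards the denied range seen on xxx-dc are the evidence that those connections were already in the connection table, which is why packet-tracer (a new flow) shows a drop while the capture still shows traffic.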