- asa5520 ACL, Merridius, 18:58 , 30-Apr-13 (1)
>[overquoting removed]
> vlan 216
> nameif xxx-dc
> security-level 100
> ip address 172.17.4.1 255.255.255.248
> object-group network xxx-distr
> network-object 172.31.0.0 255.255.0.0
> route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2
> access-list acl-xxx-distr extended deny ip object-group xxx-distr any
> access-group acl-xxx-distr in interface xxx-dc
> Traffic passes, although it shouldn't. Why?
Where is your traffic coming from and going to?
- asa5520 ACL, Om, 13:14 , 06-May-13 (2)
>[overquoting removed]
>> nameif xxx-dc
>> security-level 100
>> ip address 172.17.4.1 255.255.255.248
>> object-group network xxx-distr
>> network-object 172.31.0.0 255.255.0.0
>> route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2
>> access-list acl-xxx-distr extended deny ip object-group xxx-distr any
>> access-group acl-xxx-distr in interface xxx-dc
>> Traffic passes, although it shouldn't. Why?
> Where is your traffic coming from and going to?
To other interfaces and networks.
- asa5520 ACL, Om, 13:44 , 06-May-13 (3)
1: 13:19:45.979227 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662171:3467662415(244) ack 256553634 win 571
2: 13:19:45.982203 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256553634:256553878(244) ack 3467662415 win 255
3: 13:19:45.983500 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662415:3467662621(206) ack 256553878 win 570
4: 13:19:45.987162 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: . 256553878:256555258(1380) ack 3467662621 win 254
5: 13:19:45.987253 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256555258:256556058(800) ack 3467662621 win 254
6: 13:19:45.987986 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: . ack 256556058 win 562
7: 13:19:45.988947 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662621:3467662713(92) ack 256556058 win 562
8: 13:19:45.991464 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256556058:256556186(128) ack 3467662713 win 254
9: 13:19:46.188115 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: . ack 256556186 win 561
10: 13:19:47.075954 802.1Q vlan#216 P0 172.31.1.9.55732 > 172.27.0.3.47976: . 990632064:990632065(1) ack 2301496656 win 815
11: 13:19:47.080821 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.9.55732: . ack 990632065 win 10068 <nop,nop,sack sack 1 {990632064:990632065} >
12: 13:19:50.029173 802.1Q vlan#216 P0 172.31.1.21.49369 > 172.27.0.3.47976: P 1927316053:1927317041(988) ack 1794367667 win 2441
13: 13:19:50.040159 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.21.49369: . 1794367667:1794369047(1380) ack 1927317041 win 258
14: 13:19:50.040265 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.21.49369: P 1794369047:1794370303(1256) ack 1927317041 win 258
15: 13:19:50.040738 802.1Q vlan#216 P0 172.31.1.21.49369 > 172.27.0.3.47976: . ack 1794370303 win 2431
16: 13:19:53.422661 802.1Q vlan#216 P0 172.31.1.1.50078 > 172.27.0.3.47976: . 67284983:67284984(1) ack 2459831405 win 1069
17: 13:19:53.425316 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.1.50078: . ack 67284984 win 254 <nop,nop,sack sack 1 {67284983:67284984} >
18: 13:19:55.203373 802.1Q vlan#216 P0 172.31.1.19.49320 > 172.27.0.3.47976: . 1436019216:1436019217(1) ack 1071041742 win 254
19: 13:19:55.206318 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.19.49320: . ack 1436019217 win 255 <nop,nop,sack sack 1 {1436019216:1436019217} >
20: 13:19:56.435783 802.1Q vlan#216 P0 172.31.1.19.49284 > 172.27.0.3.47976: . 2540691227:2540691228(1) ack 4094067666 win 2302
21: 13:19:56.437492 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.19.49284: . ack 2540691228 win 255 <nop,nop,sack sack 1 {2540691227
- asa5520 ACL, Om, 13:44 , 06-May-13 (4)
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.31.0.0 255.255.0.0 xxx-dc

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd839b0a8, priority=11, domain=permit, deny=true
hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: xxx-dc
input-status: up
input-line-status: up
output-interface: xxx-dc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
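The capture in (3) and the packet-tracer output in (4) are easier to reconcile once both are parsed: a capture on an interface records packets in both directions, but an ACL applied with `in` on xxx-dc is only consulted for packets that enter the ASA on that interface, so the replies from 172.27.x.x in the capture are never evaluated by it. The script below is an added example, not code from the thread or from Cisco. It assumes the capture was taken on xxx-dc (vlan 216), that the only inbound ACE is the quoted `deny ip object-group xxx-distr any`, and that the prefixes behind xxx-dc are the connected 172.17.4.0/29 and the static route 172.31.0.0/16; all function names are mine, and the sample inputs are records copied from posts (3) and (4).

```python
"""Added example (not from the thread or Cisco): parse ASA 'show capture' and
packet-tracer text and decide, per packet, whether the inbound ACL on xxx-dc
would even be consulted.  Assumes the capture was taken on xxx-dc (vlan 216),
that the only inbound ACE is 'deny ip object-group xxx-distr any', and that the
prefixes behind xxx-dc are 172.17.4.0/29 (connected) and 172.31.0.0/16 (route)."""
import ipaddress
import re

OBJECT_GROUPS = {"xxx-distr": [ipaddress.ip_network("172.31.0.0/16")]}
INBOUND_ACL = [{"action": "deny", "src": "xxx-distr", "dst": "any"}]
XXX_DC_PREFIXES = [ipaddress.ip_network("172.17.4.0/29"),
                   ipaddress.ip_network("172.31.0.0/16")]

# One capture record: "<n>: hh:mm:ss.usec [802.1Q vlan#N P0] a.b.c.d.port > a.b.c.d.port:"
CAPTURE_RE = re.compile(
    r"(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):")

# Per-phase verdict of packet-tracer; the final Action/Drop-reason are read separately.
PHASE_RE = re.compile(r"Phase:\s*(\d+)\s+Type:\s*(\S+).*?Result:\s*(ALLOW|DROP)", re.S)

def parse_capture(text):
    """One dict per packet; finditer also copes with records run together on one line."""
    pkts = []
    for m in CAPTURE_RE.finditer(text):
        d = m.groupdict()
        pkts.append({"idx": int(d["idx"]), "ts": d["ts"],
                     "vlan": int(d["vlan"]) if d["vlan"] else None,
                     "src": d["src"], "sport": int(d["sport"]),
                     "dst": d["dst"], "dport": int(d["dport"])})
    return pkts

def direction(pkt):
    """'ingress': entered the ASA on xxx-dc, so the 'in' ACL applies; 'egress': it does not."""
    src = ipaddress.ip_address(pkt["src"])
    return "ingress" if any(src in p for p in XXX_DC_PREFIXES) else "egress"

def _matches(ip, name):
    return name == "any" or any(ip in net for net in OBJECT_GROUPS[name])

def evaluate_inbound_acl(pkt):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for ace in INBOUND_ACL:
        if _matches(src, ace["src"]) and _matches(dst, ace["dst"]):
            return ace["action"], "configured"
    return "deny", "implicit"

def classify(text):
    rows = []
    for pkt in parse_capture(text):
        dirn = direction(pkt)
        verdict, rule = evaluate_inbound_acl(pkt) if dirn == "ingress" else ("not-evaluated", "n/a")
        rows.append({**pkt, "direction": dirn, "verdict": verdict, "rule": rule})
    return rows

def summarize(text):
    counts = {}
    for r in classify(text):
        key = f"{r['direction']}/{r['verdict']}"
        counts[key] = counts.get(key, 0) + 1
    return counts

def parse_packet_tracer(text):
    """Per-phase (number, type, result) plus the final action and drop reason."""
    phases = [(int(n), t, r) for n, t, r in PHASE_RE.findall(text)]
    action = re.search(r"Action:\s*(\w+)", text)
    reason = re.search(r"Drop-reason:\s*\(([^)]+)\)", text)
    return {"phases": phases, "action": action.group(1) if action else None,
            "drop_reason": reason.group(1) if reason else None}

# Four records copied from the capture in (3); the replies from 172.27.x.x are
# egress on xxx-dc and are never checked by the inbound ACL.
SAMPLE_CAPTURE = """\
1: 13:19:45.979227 802.1Q vlan#216 P0 172.31.1.18.60493 > 172.27.0.10.445: P 3467662171:3467662415(244) ack 256553634 win 571
2: 13:19:45.982203 802.1Q vlan#216 P0 172.27.0.10.445 > 172.31.1.18.60493: P 256553634:256553878(244) ack 3467662415 win 255
10: 13:19:47.075954 802.1Q vlan#216 P0 172.31.1.9.55732 > 172.27.0.3.47976: . 990632064:990632065(1) ack 2301496656 win 815
11: 13:19:47.080821 802.1Q vlan#216 P0 172.27.0.3.47976 > 172.31.1.9.55732: . ack 990632065 win 10068 <nop,nop,sack sack 1 {990632064:990632065} >
"""

# The packet-tracer output from (4), reduced to the fields parsed above.
SAMPLE_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for r in classify(SAMPLE_CAPTURE):
        print(r["idx"], r["src"], "->", r["dst"], r["direction"], r["verdict"], r["rule"])
    print(summarize(SAMPLE_CAPTURE), parse_packet_tracer(SAMPLE_TRACER))
```

Run as a script it prints one line per packet: the two packets sourced from 172.31.x.x are ingress on xxx-dc and match the configured deny, while the two replies from 172.27.x.x are egress and carry no ACL verdict at all, which is why their presence in a capture proves nothing about the ACL. The packet-tracer parse gives the same answer from the ASA's own path lookup (phase 2 ACCESS-LIST, DROP, acl-drop). When a capture still shows new sessions from 172.31.x.x succeeding, the places to look are the hit counters in `show access-list acl-xxx-distr` and a capture of the drop side with `capture <name> type asp-drop`; note also that connections already in the ASA's conn table when the ACL was applied are not re-evaluated until they are cleared with `clear conn`.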