Quoth Simon Halsall:
> I've been off bugtraq for a couple of weeks but I just saw these messages. I
> have recently been putting logging into our cisco's rule set so that I can see
> what traffic is being passed through our network. I spotted traffic that
> appeared to be missed by the rules as it had src port 0 and dst port 0.

On cisco-nspat_private I postulated that IOS only logs port numbers when it
needed to look at them in a previous access-list <n> entry.

If you have

	access-list 105 deny ip any any log-input

as the last entry in an ACL, you could try changing that to

	access-list 105 deny udp any range 1 65535 any range 1 65535 log-input
	access-list 105 deny tcp any range 1 65535 any range 1 65535 log-input
	access-list 105 deny ip any any log-input

instead. It solved the problem for me - I now see port numbers logged.

> Further investigation showed that it was ssh that was causing this. I have
> looked at the packets using tcpdump and they look fine and what I would expect
> but the cisco is still reporting packets from 0 to 0.

On a related note, it amazes me what amounts of packets with bogus source
addresses customers unleash upon us just by misconfiguration of their WinGate
proxies and thus leaking 192.168.x.y addresses. Too bad Livingston^WLucent's
ChoiceNet doesn't have an option to automatically drop packets with a source
address other than the one assigned to the customer on that dialup port...

Take care,

--
Niels Bakker, * * EuroNet Internet BV Network Operations * *
Herengracht 208-214 * 1016 BS Amsterdam
NJB9 * +31 (0)20 535 5555
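A small triage script for the symptom discussed in this thread, added here as an example and not part of the original post: it parses IOS %SEC-6-IPACCESSLOGP lines and flags TCP/UDP entries logged as port 0 -> port 0, which per the reply above usually means the packet hit "deny ip any any" before any tcp/udp entry had examined the ports, rather than genuine port-0 traffic. The log lines are constructed, and the exact message layout is an assumption (spacing and the optional log-input interface field vary between IOS releases).

```python
import re
from typing import Optional

# Constructed sample lines in the shape of IOS %SEC-6-IPACCESSLOGP messages.
# Assumption: real routers emit this general layout; field spacing varies.
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 105 denied tcp 192.0.2.10(1034) -> 198.51.100.5(22), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 105 denied udp 192.0.2.11(0) -> 198.51.100.5(0), 3 packets",
    "%SEC-6-IPACCESSLOGP: list 105 denied udp 192.0.2.12(53) -> 198.51.100.5(0), 1 packet",
]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \([^)]*\))?"  # optional "(interface mac)" field added by log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one IPACCESSLOGP line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def classify(entry: dict) -> str:
    """Label an entry: 0 -> 0 on tcp/udp is the ACL-ordering artefact from the thread."""
    if entry["sport"] == 0 and entry["dport"] == 0:
        return "ports-not-inspected"  # no earlier tcp/udp ACE looked at the ports
    if entry["sport"] == 0 or entry["dport"] == 0:
        return "suspicious-port-0"  # a real single port-0 packet is very unusual
    return "ok"


def triage(lines):
    """Parse and classify a batch of log lines; unparseable lines are skipped."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            results.append((entry["proto"], entry["src"], entry["sport"],
                            entry["dst"], entry["dport"], classify(entry)))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```

Run against a syslog feed, a sudden drop in "ports-not-inspected" entries after inserting the tcp/udp range entries is the quickest confirmation that the ACL change above took effect.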
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:52 PDT