Router / Protocol Problem

Thu Sep 7 15:02:38 UTC 2006

Yeah.  Don't want any operational stuff here.  Need to get back to who's 
got a free 300-baud dialup in Antwerp.

Hank Nussbacher wrote:

> 
> At 07:27 AM 07-09-06 -0400, Mike Walter wrote:
> 
> Best moved to cisco-nsp.
> 
> -Hank Nussbacher
> http://www.interall.co.il
> 
>> Good morning everyone.  I just wanted to say thanks for all the help.  I
>> did discover the problem this morning and I should be hit with a
>> herring.  I upgraded the IOS on the router with the issue to match the
>> other router and the problem was still there.  So I tested and noticed
>> the following line in the logs, since I was on console it popped up
>> right in front of me.
>>
>> Sep  7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp
>> 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets
>>
>> What is this I thought?  What is my ACL 166 doing this?  I thought I
>> tested removing all access-lists from interfaces with the original
>> problem came up.  Apparently not.  Here is my ACL 166, the first line is
>> what was being matched.  Apparently some how this connection is being
>> matched via NBAR for good old Code Red.
>>
>> access-list 166 deny   ip any any dscp 1 log
>> access-list 166 deny   tcp any any eq sunrpc
>> access-list 166 deny   tcp any any eq 135
>> access-list 166 deny   tcp any any eq 137
>> access-list 166 deny   tcp any any eq 138
>> access-list 166 deny   tcp any any eq 139
>> access-list 166 deny   tcp any any eq 445
>> access-list 166 deny   tcp any any eq 5554
>> access-list 166 deny   tcp any any eq 9996
>> access-list 166 deny   tcp any any eq 1025
>> access-list 166 deny   udp any any eq 1434
>> access-list 166 deny   udp any any eq 135
>> access-list 166 deny   udp any any eq netbios-ns
>> access-list 166 deny   udp any any eq netbios-dgm
>> access-list 166 deny   udp any any eq netbios-ss
>> access-list 166 deny   udp any any eq 445
>> access-list 166 deny   icmp any any redirect
>> access-list 166 deny   ip 127.0.0.0 0.255.255.255 any
>> access-list 166 deny   ip 10.0.0.0 0.255.255.255 any
>> access-list 166 deny   ip 172.16.0.0 0.15.255.255 any
>> access-list 166 deny   ip 192.168.0.0 0.0.255.255 any
>> access-list 166 permit ip any any
>>
>> class-map match-any http-hacks
>> match protocol http url "*default.ida*"
>> match protocol http url "*cmd.exe*"
>> match protocol http url "*root.exe*"
>>
>> policy-map mark-inbound-http-hacks
>> class http-hacks
>> set ip dscp 1
>>
>> I have always had this on my FE0/0 as an outbound ACL, well atleast
>> since Code Red came about: ip access-group 166 out.
>>
>> Now I have two questions.  Is that not a good idea to have this on FE0/0
>> out?  Second, why the heck would a smtp connection be matched via my
>> http-hacks class-map?
>>
>> Thanks again everyone,
>>
>> Mike
>>
>> -----Original Message-----
>> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
>> Rodney Dunn
>> Sent: Wednesday, September 06, 2006 8:45 PM
>> To: Christopher L. Morrow
>> Cc: Rodney Dunn; Mike Walter; Hank Nussbacher; Justin M. Streiner;
>> nanog at merit.edu
>> Subject: Re: Router / Protocol Problem
>>
>>
>> Then that proves it's not a local router problem then. :)
>>
>> On Wed, Sep 06, 2006 at 07:49:26PM +0000, Christopher L. Morrow wrote:
>> > On Wed, 6 Sep 2006, Rodney Dunn wrote:
>> >
>> > >
>> > > Get a sniffer trace. Packets on the wire prove what's going on.
>> >
>> > provided the packets get back to him, it seems his problem is traffic
>> > getting back to him :( so probably no packets will be on the wire
>> > (none in question atleast)...
>>
>>  +++++++++++++++++++++++++++++++++++++++++++
>>  This Mail Was Scanned By Mail-seCure System
>>  at the Tel-Aviv University CC.
> 
> 
> 

-- 
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/