Mailing List Archive

[nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)
Hi all,

Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731:
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.4.55 ->
204.152.190.70 (0/0), 1 packet

Aug 9 20:15:48 router1 35459: Aug 9 20:36:56.243:
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.192.1.202(0) ->
192.224.164.70(0), 1 packet


My access list denied these packets. What does it mean, is this
a broadcast packet?
What does (0) mean, which port does it indicate?


Thanks
pankaj
Re: [nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)
pankaj,

if your accesslist line specifies the ports then the ports get
also listed in the log entry. In your case the accesslist line does
probably not specify the port to match at, that's why IOS is not
reading 'deep enough' into the packet and is not able to tell you
the tcp port of the packet ...

regards

reinhold

On Fri, 9 Aug 2002, pankaj wrote:

> Hi all,
>
> Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731:
> %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.4.55 ->
> 204.152.190.70 (0/0), 1 packet
>
> Aug 9 20:15:48 router1 35459: Aug 9 20:36:56.243:
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.192.1.202(0) ->
> 192.224.164.70(0), 1 packet
>
>
> My access list denied this packets what does it mean , is this
> broadcast packet?
> is (0) means which port does it indicate?
>
>
> Thanks
> pankaj
>
> _______________________________________________
> cisco-nsp mailing list real_name)s@puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
Re: [nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)
In ICMP, (Type/Code)

http://www.cisco.com/warp/public/63/ping_traceroute.html

-as

On Friday, August 9, 2002, at 10:08, pankaj wrote:

> Hi all,
>
> Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731:
> %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.4.55 ->
> 204.152.190.70 (0/0), 1 packet
>
> Aug 9 20:15:48 router1 35459: Aug 9 20:36:56.243:
> %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.192.1.202(0) ->
> 192.224.164.70(0), 1 packet
>
>
> My access list denied this packets what does it mean , is this
> broadcast packet?
> is (0) means which port does it indicate?
>
>
> Thanks
> pankaj
Re: [nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)
Thanks Reinhold

It's OK, now leave the port issue.
This packet has been denied because of the access list (only allow the
ips-private which I assigned to or I assigned to my
customer-serial1/1)
Now questions?
While I am getting this (serial0/1 *PPP*) on another router's log.
Aug 5 19:54:29 router2 51596: 9w3d: %SEC-6-IPACCESSLOGP: list 100
denied udp 192.168.1.112(7077) (Serial0/1 *PPP*) -> 10.10.10.23(53), 1
packet

Why am I not getting the serial port number in these logs??
> > Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731:
> > %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.4.55 ->
> > 204.152.190.70 (0/0), 1 packet
> >
> > Aug 9 20:15:48 router1 35459: Aug 9 20:36:56.243:
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.192.1.202(0) ->
> > 192.224.164.70(0), 1 packet

The second question is: I want to trace why these packets are coming to me, or I
want to find out what exactly this packet is. I mean, how can I help
my customer trace why this is happening? Before yesterday it
was normal, and only since yesterday has this been happening.
For the time being I told him to shut down that machine, and obviously it
stopped coming.
But I am eager to trace whether it is a broadcast packet, or because of a virus
like codered, nimda ...etc.


--pankaj




----- Original Message -----
From: "Reinhold Fischer" <rfischer@flexnetworks.de>
To: "pankaj" <pankaj@worldgatein.net>
Cc: <cisco-nsp@puck.nether.net>
Sent: Friday, August 09, 2002 9:23 PM
Subject: Re: [nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)


> pankaj,
>
> if your accesslist line specifies the ports then the ports get
> also listed in the log entry. In your case the accesslist line does
> probably not specify the port to match at, that's why IOS is not
> reading 'deep enough' into the packet and is not able to tell you
> the tcp port of the packet ...
>
> regards
>
> reinhold
>
> On Fri, 9 Aug 2002, pankaj wrote:
>
> > Hi all,
> >
> > Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731:
> > %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.4.55 ->
> > 204.152.190.70 (0/0), 1 packet
> >
> > Aug 9 20:15:48 router1 35459: Aug 9 20:36:56.243:
> > %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.192.1.202(0) ->
> > 192.224.164.70(0), 1 packet
> >
> >
> > My access list denied this packets what does it mean , is this
> > broadcast packet?
> > is (0) means which port does it indicate?
> >
> >
> > Thanks
> > pankaj
Re: [nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)
On Sat, 10 Aug 2002 20:37:25 +0530 pankaj <pankaj@worldgatein.net> wrote:
> Its ok, now leave the port issue.
> This packet has been denied because of the access list (only allow the
> ips-private which I assigned to or I assigned to my
> customer-serial1/1)
> Now questions?
> While I am getting this (serial0/1 *PPP*) on another router's log.
> Aug 5 19:54:29 router2 51596: 9w3d: %SEC-6-IPACCESSLOGP: list 100
> denied udp 192.168.1.112(7077) (Serial0/1 *PPP*) -> 10.10.10.23(53), 1
> packet
>
> Why I am not getting Serial port number in this logs??

Add an entry to your ACL to match against port number. The IOS won't log
something it's not matching against. Adding "gt 0" onto the end should be
sufficient.

--
Ryan O'Connell - CCIE #8174
<ryan@complicity.co.uk> - http://www.complicity.co.uk

I'm not losing my mind, no I'm not changing my lines,
I'm just learning new things with the passage of time
Re: [nsp] denied tcp 192.192.1.202(0) -> 192.224.164.70(0)
On Sat, Aug 10, 2002 at 08:37:25PM +0530, pankaj wrote:
> While I am getting this (serial0/1 *PPP*) on another router's log.
> Aug 5 19:54:29 router2 51596: 9w3d: %SEC-6-IPACCESSLOGP: list 100
> denied udp 192.168.1.112(7077) (Serial0/1 *PPP*) -> 10.10.10.23(53), 1
> packet
>
> Why I am not getting Serial port number in this logs??
> > > Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731:
> > > %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.4.55 ->
> > > 204.152.190.70 (0/0), 1 packet

Because you didn't use "log-input", but only "log".


Regards,
Daniel
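
Added example, not part of any poster's message: a small Python parser for the three `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` lines quoted in this thread, annotating each with the explanations given in the replies (ports shown as 0, ICMP type/code, missing input interface). The function name, regular expression and note wording are assumptions made for this illustration; the sample lines are the thread's own, rejoined onto single lines.

```python
import re

# Covers the three message shapes quoted in the thread: ICMP (IPACCESSLOGDP),
# TCP/UDP (IPACCESSLOGP), and TCP/UDP with an input interface after the source.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>[^)]+)\))? -> "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the parsed fields plus triage notes, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    notes = []
    if rec["itype"] is not None:
        # Per the thread, the pair in parentheses on ICMP lines is type/code.
        notes.append(f"ICMP type {rec['itype']}, code {rec['icode']}")
    elif rec["sport"] == "0" and rec["dport"] == "0":
        # Per the thread: the ACL entry does not match on ports, so none are logged.
        notes.append("ports logged as 0: matching ACL entry has no port criteria")
    if rec["iface"] is None:
        # Per the thread: the interface appears only with 'log-input'.
        notes.append("no input interface: ACL entry uses 'log', not 'log-input'")
    rec["notes"] = notes
    return rec


# Log lines from the thread, rejoined onto single lines.
SAMPLES = [
    "Aug 9 20:16:21 router1 35465: Aug 9 20:37:29.731: %SEC-6-IPACCESSLOGDP: "
    "list 101 denied icmp 192.168.4.55 -> 204.152.190.70 (0/0), 1 packet",
    "Aug 9 20:15:48 router1 35459: Aug 9 20:36:56.243: %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 192.192.1.202(0) -> 192.224.164.70(0), 1 packet",
    "Aug 5 19:54:29 router2 51596: 9w3d: %SEC-6-IPACCESSLOGP: list 100 "
    "denied udp 192.168.1.112(7077) (Serial0/1 *PPP*) -> 10.10.10.23(53), 1 packet",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_acl_log(sample)
        print(rec["acl"], rec["proto"], rec["src"], "->", rec["dst"], rec["notes"])
```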