Re: Output Varies from Show Access-List Command



Bob Simon wrote:
On Tue, 22 Apr 2008 16:44:23 -0400, News Reader <user@xxxxxxxxxxx>
wrote:

Bob Simon wrote:
2600 with C2600-IK9O3S-M, Version 12.3(26)

Access-list 102 is applied to the outside interface incoming. When I
type, "show access-list 102" I get varying output.

I always get the numbered ACEs from the config. For example:
10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
20 permit tcp any host 192.168.0.20 eq www (41 matches)

Most of the time there are a varying number of statements BEFORE the
first numbered ACE in the output. These statements are NOT in the
config. For example:
permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
permit icmp any host 192.168.0.30 unreachable (5342 matches)
permit icmp any host 192.168.0.30 timestamp-reply
permit icmp any host 192.168.0.30 echo-reply (5304 matches)

Has anyone seen this behavior before? Why are these statements
present in the "show access-list" command output?
You are probably using ICMP inspection on one of the interfaces (e.g.: inbound on the LAN interface). Inspection creates dynamic ACEs in the return path so that you don't need to specifically configure static ACEs to accommodate return traffic.

These entries will time out according to the inspection policy configured for the specific protocol (e.g.: ICMP).

Authentication proxy (when implemented) also creates dynamic entries that are placed above those configured in your interface ACLs. Auth-proxy ACEs are typically downloaded from a RADIUS or TACACS+ server.

Best Regards,
News Reader

Thanks! You are correct. The config includes these:
ip inspect name FW ftp
ip inspect name FW icmp
ip inspect name FW smtp
ip inspect name FW tcp
ip inspect name FW udp

int F0/1
ip inspect FW out

Although I know that inspection opens holes in the return path, I am not seeing entries such as those you've described when I use the show access-list command while inspected sessions are active. This leads me to believe the ACEs you are seeing may be attributable to another feature.

Are you using authentication proxy or some other feature that downloads ACLs from an access control server?

Have you seen the ICMP ACEs time out?

Are you generating enough outbound ICMP traffic to prevent them from timing out?

Best Regards,
News Reader
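As an added example (not from the thread or from Cisco), a small Python audit script that parses `show access-list` output and separates the numbered ACEs that come from the config from the unnumbered entries inserted at run time, so an operator can see exactly what inspection or auth-proxy added and whether any of it falls outside the protocols the inspection policy is expected to open. The sample output is constructed from the lines quoted above; the `allowed_protocols` default is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show access-list 102" output, modelled on the thread above.
SAMPLE_OUTPUT = """\
Extended IP access list 102
    permit icmp any host 192.168.0.30 time-exceeded (1179 matches)
    permit icmp any host 192.168.0.30 unreachable (5342 matches)
    permit icmp any host 192.168.0.30 timestamp-reply
    permit icmp any host 192.168.0.30 echo-reply (5304 matches)
    10 permit tcp any host 192.168.0.20 eq smtp (1912 matches)
    20 permit tcp any host 192.168.0.20 eq www (41 matches)
"""

ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?"            # optional sequence number => configured ACE
    r"(?P<rule>(?:permit|deny)\s.+?)"      # the rule text itself
    r"(?:\s+\((?P<matches>\d+)\s+matches?\))?\s*$"  # optional hit counter
)

@dataclass
class Ace:
    seq: Optional[int]   # None for dynamic (unnumbered) entries
    rule: str
    matches: int         # 0 when IOS prints no "(N matches)" suffix

    @property
    def dynamic(self) -> bool:
        return self.seq is None

def parse_show_access_list(text: str) -> List[Ace]:
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header lines such as "Extended IP access list 102"
        seq = int(m.group("seq")) if m.group("seq") else None
        matches = int(m.group("matches")) if m.group("matches") else 0
        aces.append(Ace(seq, m.group("rule").strip(), matches))
    return aces

def dynamic_entries(aces: List[Ace]) -> List[Ace]:
    """Entries with no sequence number are not in the running config: they were
    inserted at run time (e.g. by ip inspect or auth-proxy) and deserve review."""
    return [a for a in aces if a.dynamic]

def unexpected_dynamic(aces: List[Ace], allowed_protocols=("icmp",)) -> List[Ace]:
    """Dynamic entries whose protocol is outside what the inspection policy
    is expected to open (assumed default: only ICMP return traffic)."""
    return [a for a in dynamic_entries(aces) if a.rule.split()[1] not in allowed_protocols]
```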