Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Router / Protocol Problem

  • From: Mike Walter
  • Date: Thu Sep 07 07:29:24 2006

Good morning everyone.  I just wanted to say thanks for all the help.  I
did discover the problem this morning and I should be hit with a
herring.  I upgraded the IOS on the router with the issue to match the
other router and the problem was still there.  So I tested and noticed
the following line in the logs, since I was on console it popped up
right in front of me.

Sep  7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp
69.50.222.8(25) -> 69.4.74.14(2421), 4 packets

What is this I thought?  What is my ACL 166 doing this?  I thought I
tested removing all access-lists from interfaces with the original
problem came up.  Apparently not.  Here is my ACL 166, the first line is
what was being matched.  Apparently some how this connection is being
matched via NBAR for good old Code Red.

access-list 166 deny   ip any any dscp 1 log
access-list 166 deny   tcp any any eq sunrpc
access-list 166 deny   tcp any any eq 135
access-list 166 deny   tcp any any eq 137
access-list 166 deny   tcp any any eq 138
access-list 166 deny   tcp any any eq 139
access-list 166 deny   tcp any any eq 445
access-list 166 deny   tcp any any eq 5554
access-list 166 deny   tcp any any eq 9996
access-list 166 deny   tcp any any eq 1025
access-list 166 deny   udp any any eq 1434
access-list 166 deny   udp any any eq 135
access-list 166 deny   udp any any eq netbios-ns
access-list 166 deny   udp any any eq netbios-dgm
access-list 166 deny   udp any any eq netbios-ss
access-list 166 deny   udp any any eq 445
access-list 166 deny   icmp any any redirect
access-list 166 deny   ip 127.0.0.0 0.255.255.255 any
access-list 166 deny   ip 10.0.0.0 0.255.255.255 any
access-list 166 deny   ip 172.16.0.0 0.15.255.255 any
access-list 166 deny   ip 192.168.0.0 0.0.255.255 any
access-list 166 permit ip any any

class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"

policy-map mark-inbound-http-hacks 
class http-hacks 
set ip dscp 1

I have always had this on my FE0/0 as an outbound ACL, well atleast
since Code Red came about: ip access-group 166 out.

Now I have two questions.  Is that not a good idea to have this on FE0/0
out?  Second, why the heck would a smtp connection be matched via my
http-hacks class-map?

Thanks again everyone,

Mike

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Rodney Dunn
Sent: Wednesday, September 06, 2006 8:45 PM
To: Christopher L. Morrow
Cc: Rodney Dunn; Mike Walter; Hank Nussbacher; Justin M. Streiner;
nanog@merit.edu
Subject: Re: Router / Protocol Problem


Then that proves it's not a local router problem then. :)

On Wed, Sep 06, 2006 at 07:49:26PM +0000, Christopher L. Morrow wrote:
> On Wed, 6 Sep 2006, Rodney Dunn wrote:
> 
> >
> > Get a sniffer trace. Packets on the wire prove what's going on.
> 
> provided the packets get back to him, it seems his problem is traffic 
> getting back to him :( so probably no packets will be on the wire 
> (none in question atleast)...




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.