access-list set permit, but it denies --> logging says deny - Network


  1. access-list set permit, but it denies --> logging says deny

    Hi all,

    I have a very special situation: my access-list entry permits a UDP
    500 connection, but my logging says that the access-list denies a
    UDP 500 connection. Did I write the access-list wrong?

    Here is my configuration and the part from the logging:

    access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq www
    access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq https
    access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq ftp
    access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq smtp
    access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq domain
    access-list acl_out permit icmp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0
    access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq 1701
    access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq 1723
    access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq 50
    access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq 51
    access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq 500
    access-list acl_out permit esp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0
    access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq isakmp

    access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq www
    access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq https
    access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq ftp
    access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq smtp
    access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq isakmp
    access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 1701
    access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 1723
    access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 50
    access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 51
    access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq 500
    access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0 eq domain
    access-list acl_in permit esp 139.79.159.0 255.255.255.0 10.0.1.0 255.255.255.0

    access-group acl_out in interface outside
    access-group acl_in in interface inside

    106023: Deny udp src outside:139.79.159.22/500 dst inside:10.0.1.3/500 by access-group "acl_out"

    ip address outside 139.79.159.21 255.255.255.0
    ip address inside 10.0.1.1 255.255.255.0

  2. Re: access-list set permit, but it denies --> logging says deny

    robin.kocher@belponline.ch (Robin Kocher) wrote in message news:<5b14c2f3.0405170615.43aa0df4@posting.google.com>...
    > Hi all,
    >
    > I have a very special situation: my access-list entry permits a UDP
    > 500 connection, but my logging says that the access-list denies a
    > UDP 500 connection. Did I write the access-list wrong?
    >
    > Here is my configuration and the part from the logging:
    >
    > access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq www
    > access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq https
    > access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq ftp
    > access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq smtp
    > access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq domain
    > access-list acl_out permit icmp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0
    > access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq 1701
    > access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq 1723
    > access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq 50
    > access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq 51
    > access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq 500
    > access-list acl_out permit esp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0
    > access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0
    > 255.255.255.0 eq isakmp
    >
    > access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq www
    > access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq https
    > access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq ftp
    > access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq smtp
    > access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq isakmp
    > access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq 1701
    > access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq 1723
    > access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq 50
    > access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq 51
    > access-list acl_in permit tcp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq 500
    > access-list acl_in permit udp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0 eq domain
    > access-list acl_in permit esp 139.79.159.0 255.255.255.0 10.0.1.0
    > 255.255.255.0
    >
    > access-group acl_out in interface outside
    > access-group acl_in in interface inside
    >
    > 106023: Deny udp src outside:139.79.159.22/500 dst inside:10.0.1.3/500
    > by access-group "acl_out"
    >
    > ip address outside 139.79.159.21 255.255.255.0
    > ip address inside 10.0.1.1 255.255.255.0

    I assume this is a PIX? I would suggest you copy your ACL and paste it
    to Notepad. Then remove the ACL from the interface, then recreate the
    ACL (copy from Notepad back to your CLI) and add it back to the
    interface. You might also consider adding a deny any any statement to
    the end of the ACL. Good luck. kb
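
An added example, not part of either post: a minimal first-match evaluator run over three of the posted acl_out entries and the posted 106023 message, to see which entry, if any, the logged packet matches. It assumes PIX entries read source then destination (with `eq` naming the destination port) and that an ACL bound with `access-group ... in interface outside` is checked against packets arriving on the outside interface; `swapped()` is a hypothetical variant used only for comparison.

```python
import ipaddress
import re

# PIX port keywords that appear in the posted ACL.
PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53, "isakmp": 500}
# Three acl_out entries from the post, unwrapped onto single lines.
ACL_OUT = """\
access-list acl_out permit tcp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq 500
access-list acl_out permit esp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0
access-list acl_out permit udp 10.0.1.0 255.255.255.0 139.79.159.0 255.255.255.0 eq isakmp
"""
LOG = '106023: Deny udp src outside:139.79.159.22/500 dst inside:10.0.1.3/500 by access-group "acl_out"'

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC MASK DST MASK [eq PORT]' lines."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        port = None
        if len(f) >= 10 and f[8] == "eq":
            port = PORTS[f[9]] if f[9] in PORTS else int(f[9])
        rules.append({"action": f[2], "proto": f[3],
                      "src": ipaddress.ip_network(f"{f[4]}/{f[5]}"),
                      "dst": ipaddress.ip_network(f"{f[6]}/{f[7]}"),
                      "dport": port, "text": line})
    return rules

def parse_log(line):
    """Extract (proto, src ip, dst ip, dst port) from a 106023 deny message."""
    m = re.search(r"Deny (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)", line)
    proto, src, _sport, dst, dport = m.groups()
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def evaluate(rules, proto, src, dst, dport):
    """First matching entry decides; no match falls through to the implicit deny."""
    for r in rules:
        if (r["proto"] in (proto, "ip") and src in r["src"] and dst in r["dst"]
                and r["dport"] in (None, dport)):
            return r["action"], r["text"]
    return "deny", "implicit deny (no entry matched)"

def swapped(rules):
    """Hypothetical variant: the same entries with source and destination exchanged."""
    return [dict(r, src=r["dst"], dst=r["src"]) for r in rules]

if __name__ == "__main__":
    pkt = parse_log(LOG)
    print(evaluate(parse_acl(ACL_OUT), *pkt))
    print(evaluate(swapped(parse_acl(ACL_OUT)), *pkt))
```

The logged packet has source 139.79.159.22 and destination 10.0.1.3, while every posted acl_out entry names 10.0.1.0 as the source network, so the evaluator finds no matching entry and the packet reaches the implicit deny.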
