- If too much traffic is denied by the IOS Firewall, study the logic of your list, or try to define an additional broader list and apply it instead. For example:

  ```
  access-list # permit tcp any any
  access-list # permit udp any any
  access-list # permit icmp any any
  int <interface>
  ip access-group # in|out
  ```
- The show ip access-lists command shows which access lists are applied and, for each entry, how many packets have matched it, so you can see what traffic is denied by them. Note the denied packet count for the entry matching your source and destination IP addresses before and after the failed operation; if the count increases, the access list is blocking the traffic.
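The before-and-after counter comparison described above, automated as an added example (not part of the original article or of Cisco's own tooling). It parses two constructed captures of show ip access-lists output and reports the deny entries whose match counter grew between them; the access-list numbers and counts are invented for illustration.

```python
import re

# Constructed sample captures of 'show ip access-lists', taken before and after
# the failed operation. The addresses reuse the ones from the article's examples.
BEFORE = """\
Extended IP access list 101
    10 deny ip host 171.68.118.100 host 10.31.1.161 log (12 matches)
    20 permit ip any any (1045 matches)
Extended IP access list 118
    10 permit tcp any host 10.31.1.161 eq telnet (3 matches)
    20 deny tcp any any (40 matches)
"""

AFTER = """\
Extended IP access list 101
    10 deny ip host 171.68.118.100 host 10.31.1.161 log (12 matches)
    20 permit ip any any (1061 matches)
Extended IP access list 118
    10 permit tcp any host 10.31.1.161 eq telnet (3 matches)
    20 deny tcp any any (47 matches)
"""

# "Extended IP access list 101" / "Standard IP access list 5"
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")

# One access-list entry: optional sequence number, action, rule text and an
# optional "(N matches)" suffix. Entries that never matched carry no suffix.
ACE_LINE = re.compile(
    r"^\s+(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rule>.*?)"
    r"(?:\s+\((?P<matches>\d+) match(?:es)?\))?\s*$"
)


def parse_counters(text):
    """Map (acl name, rule text) -> (action, match count) from show output."""
    counters = {}
    acl = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        m = ACE_LINE.match(line)
        if m and acl is not None:
            counters[(acl, m.group("rule"))] = (
                m.group("action"),
                int(m.group("matches") or 0),
            )
    return counters


def denies_that_grew(before, after):
    """Return [(acl, rule, delta)] for deny entries whose counter increased.

    Entries missing from the 'before' capture are treated as starting at 0.
    """
    old = parse_counters(before)
    new = parse_counters(after)
    grew = []
    for key, (action, count) in new.items():
        previous = old.get(key, (action, 0))[1]
        if action == "deny" and count > previous:
            grew.append((key[0], key[1], count - previous))
    return grew


if __name__ == "__main__":
    for acl, rule, delta in denies_that_grew(BEFORE, AFTER):
        print(f"list {acl}: 'deny {rule}' dropped {delta} more packets")
```

Only explicit deny entries are visible this way: the implicit deny at the end of every access list has no counter, so traffic that matches nothing shows up as no counter moving at all. The log keyword on an explicit deny (covered further down) is the way to make those drops visible.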
- If the router is not heavily loaded, debugging can be done at a packet level on the extended or ip inspect access list. If the router is heavily loaded, traffic is slowed through the router. Use discretion with debugging commands. Temporarily add the no ip route-cache command to the interface:

  ```
  int <interface>
  no ip route-cache
  ```

  Then, in enable (but not config) mode:

  ```
  term mon
  debug ip packet # det
  ```

  This produces output similar to this:

  ```
  *Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0), g=10.31.1.21, len 100, forward
  *Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9, len 100, forward
  ```
- Extended access lists can also be used with the "log" option at the end of the various statements:

  ```
  access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
  access-list 101 permit ip any any
  ```

  You therefore see messages on the screen for permitted and denied traffic:

  ```
  *Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
  *Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet
  ```
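The %SEC-6-IPACCESSLOG messages above are easier to act on when they are aggregated per list and per flow rather than read one by one. The parser below is an added example, not code from the article or from Cisco; it handles the two message variants shown on the page (the port-carrying IPACCESSLOGP form and the icmp type/code IPACCESSLOGDP form) and totals denied packets per access list, protocol, source and destination. The sample lines are constructed: the first two are copied from the article, the rest are invented in the same format.

```python
import re
from collections import defaultdict

# Matches the body of a %SEC-6-IPACCESSLOG* message. Ports appear as "(port)"
# after the address in the TCP/UDP form; icmp lines carry "(type/code)" instead.
LOG_LINE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) "
    r"(?P<verdict>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<extra>[^)]*)\))?, (?P<count>\d+) packets?"
)

# Constructed sample log: two lines from the article plus three invented ones.
SAMPLE_LOG = [
    "*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp "
    "171.68.118.100 -> 10.31.1.161 (0/0), 15 packets",
    "*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp "
    "171.68.118.100(0) -> 10.31.1.161(0), 1 packet",
    "*Mar 1 03:32:13.301: %SEC-6-IPACCESSLOGP: list 118 denied tcp "
    "171.68.118.100(34512) -> 10.31.1.161(23), 6 packets",
    "*Mar 1 03:32:14.010: %SEC-6-IPACCESSLOGP: list 118 denied udp "
    "171.68.118.100(514) -> 10.31.1.161(514), 2 packets",
    "*Mar 1 03:33:01.555: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_acl_log(line):
    """Return a dict of fields for an ACL log message, or None for other lines."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["count"] = int(fields["count"])
    return fields


def denied_by_flow(lines):
    """Total denied packets keyed by (acl, protocol, source, destination).

    Ports are deliberately folded together so that the initial one-packet
    message (ports shown as 0) and the later summaries land in one bucket.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["verdict"] == "denied":
            totals[(rec["acl"], rec["proto"], rec["src"], rec["dst"])] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for (acl, proto, src, dst), pkts in sorted(denied_by_flow(SAMPLE_LOG).items()):
        print(f"list {acl} denied {pkts:>5} {proto} packets {src} -> {dst}")
```

When reading the totals, remember that IOS logs the first matching packet immediately and then emits summary messages at intervals, so the packet counts are periodic aggregates rather than one line per packet; the sum is still the right figure to compare against the counters from show ip access-lists.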
- If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces output such as this:

  ```
  Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223 seq 3659219376(2) (10.31.1.5:11109) => (12.34.56.79:23)
  Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378 seq 3195751223(12) (10.31.1.5:11109) <= (12.34.56.79:23)
  ```