Invalid ACL to Layer-4 Ports

Created Mar 12, 2016 10:05:54 | Latest reply Mar 12, 2016 16:48:15

Networking: WIN2kServer?OUTER?A5200F?2?C
Version: MA5200 MA2.10-7127
Description: Set an ACL on the MA5200F to make the downstream routers use the well-known ports such as HTTP, FTP, TELNET and SNMP only and to disable other ports. A PC still can remotely control the WIN2kServer through Port 3589.


Ravger | Created Mar 12, 2016 16:48:15

Alarm Information
None
Handling Process
1) Check the ACL configuration:

    dis acl all
    Display the ACL: permit, 12 rules,
    rule 1 net-user permit ip destination 1
    rule 8 net-user deny tcp destination 1
    rule 9 net-user deny udp destination 1
    rule 0 user-net permit ip source 1
    rule 2 user-net permit tcp source-port eq www
    rule 3 user-net permit tcp source-port eq ftp
    rule 4 user-net permit tcp source-port eq smtp
    rule 5 user-net permit tcp source-port eq telnet
    rule 6 user-net permit udp source-port eq dns
    rule 7 user-net permit udp source-port eq tftp
    rule 10 user-net deny tcp source 1
    rule 11 user-net deny udp source 1

2) From the above information, the configuration is correct and no time range is configured.
3) The match sequence is set to the configuration sequence, so the first rule, rule 0, takes effect because rule 0 allows all IP packets. The rest of the ACL rules are therefore not used and the subscriber can still use TCP/UDP port applications.
4) Modify the match sequence of the ACL to auto. The fault is cleared.
Root Cause
There are some possible reasons for the ACL failure:
1) The ACL configuration is wrong.
2) The ACL is not applied to the corresponding access.
3) The ACL is configured to match based on configuration sequence. In this case, once the first rule is matched, the match will stop.
4) The ACL is configured with a time range and the case is not included in the time range.

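The first-match behaviour described in the answer, as an added example that is not part of the original post: a small Python model of the user-net rules above, evaluated once in configuration order and once in a simplified depth-first ("auto") order. It assumes "source 1" is the subscriber's address group (every packet modelled here comes from it), substitutes well-known port numbers for the port names, and reduces auto order to "protocol-specific before ip, port-specific before any-port", which is a simplification of the device's real depth-first rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    num: int             # rule number as shown by "dis acl all"
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol; "tcp"/"udp" only that one
    port: Optional[int]  # port the rule compares, None = any port

@dataclass
class Packet:
    proto: str
    port: int

# The user-net rules from the post. "source 1" is assumed to be the subscriber's
# address group, so every packet evaluated here satisfies it. Port names are
# replaced by well-known numbers: www=80 ftp=21 smtp=25 telnet=23 dns=53 tftp=69.
USER_NET: List[Rule] = [
    Rule(0, "permit", "ip", None),
    Rule(2, "permit", "tcp", 80),
    Rule(3, "permit", "tcp", 21),
    Rule(4, "permit", "tcp", 25),
    Rule(5, "permit", "tcp", 23),
    Rule(6, "permit", "udp", 53),
    Rule(7, "permit", "udp", 69),
    Rule(10, "deny", "tcp", None),
    Rule(11, "deny", "udp", None),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    return rule.port is None or rule.port == pkt.port

def depth_first_key(rule: Rule) -> Tuple[bool, bool]:
    # Simplified "auto" ordering: a rule naming a protocol beats "ip",
    # and a rule naming a port beats one that matches any port.
    return (rule.proto != "ip", rule.port is not None)

def evaluate(rules: List[Rule], pkt: Packet, order: str) -> Tuple[str, Optional[int]]:
    # First matching rule wins; returns (action, rule number).
    if order == "auto":
        rules = sorted(rules, key=depth_first_key, reverse=True)  # stable sort
    for r in rules:
        if matches(r, pkt):
            return r.action, r.num
    return "permit", None  # assumed default when nothing matches
```

For the remote-control port from the post, `evaluate(USER_NET, Packet("tcp", 3589), "config")` returns rule 0's permit, while the same packet under `"auto"` is caught by rule 10's deny.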
