What steps will reproduce the problem?
1. compile the following ACL with target:: cisco
term test-term {
  source-address:: bas050-2
  destination-address:: HVAC_TEST_SERVERS
  protocol:: tcp
  destination-port:: SSH
  option:: established
  action:: accept
}
2. check the results:
remark test-term
permit tcp host 134.79.230.135 172.25.192.8 0.0.0.7 eq 22 established
permit tcp host 134.79.230.135 172.25.192.8 0.0.0.7 range 1024 65535 established
What is the expected output? What do you see instead?
The second line should not be there, and the first line should read:
permit tcp host 134.79.230.135 range 1024 65535 172.25.192.8 0.0.0.7 eq 22 established
What version of the product are you using? On what operating system?
SVN v110. Also tried on v103 with the same results.
Linux RHEL5.
Please provide any additional information below.
- it works correctly when specifying a source-port (as opposed to a
destination-port).
- it fails in the same way on UDP.
Original issue reported on code.google.com by antonio....@gmail.com on 8 Apr 2011 at 12:10
This is expected behavior. For stateless filtering, the "established" option
simply appends high-ports (1024-65535) to the destination-ports. Therefore, in
the example term it results in a policy allowing src->dest of ports 22 and
1024-65535.
From: http://code.google.com/p/capirca/wiki/PolicyFormat
...
option:: [established|tcp-established|sample|intial|rst|first-fragment]
established - only permit established connections, implements tcp-established
if protocol is tcp only, otherwise adds 1024-65535 to required
destination-ports.
Original comment by watson@google.com on 12 Jul 2011 at 6:59
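To see what the two rendered lines permit on a stateless device, the following added example (not part of the original issue or of capirca) evaluates TCP segments against them. It assumes IOS semantics, where `established` matches only segments with ACK or RST set, and handles only the line shape shown in the report; `parse` and `permits` are hypothetical helper names.

```python
import ipaddress
import re

# Added illustration; parse()/permits() are hypothetical helpers, not capirca APIs.
# The two lines the issue reports as generator output (copied from the page).
ACL = """\
permit tcp host 134.79.230.135 172.25.192.8 0.0.0.7 eq 22 established
permit tcp host 134.79.230.135 172.25.192.8 0.0.0.7 range 1024 65535 established
"""

LINE = re.compile(
    r"permit tcp host (?P<src>\S+) (?P<dst>\S+) (?P<wild>\S+) "
    r"(?:eq (?P<eq>\d+)|range (?P<lo>\d+) (?P<hi>\d+))(?P<est> established)?$"
)

def parse(text):
    """Parse only the line shape shown above into rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        lo = int(m["eq"] or m["lo"])
        hi = int(m["eq"] or m["hi"])
        rules.append({
            "src": int(ipaddress.IPv4Address(m["src"])),
            "dst": int(ipaddress.IPv4Address(m["dst"])),
            "wild": int(ipaddress.IPv4Address(m["wild"])),
            "ports": (lo, hi),
            "established": bool(m["est"]),
        })
    return rules

def permits(rules, src, dst, dport, flags):
    """True if a TCP segment matches any permit line; otherwise implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        care = ~r["wild"] & 0xFFFFFFFF  # wildcard bits set mean "don't care"
        if s != r["src"] or (d & care) != (r["dst"] & care):
            continue
        if not r["ports"][0] <= dport <= r["ports"][1]:
            continue
        # Assumed IOS semantics: "established" needs ACK or RST on the segment.
        if r["established"] and not ({"ACK", "RST"} & set(flags)):
            continue
        return True
    return False

RULES = parse(ACL)
```

With these rules a bare SYN to port 22 is denied by both lines, while an ACK-flagged segment from the source host to any destination port in 1024-65535 on 172.25.192.8 through 172.25.192.15 is permitted.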