Cisco access-list question

Hi,

I'm having trouble configuring access lists. I'm trying to restrict access to a machine to only port 21015.

Here are my access-list lines:

access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100
access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 rq 21015
access-group lock_down in interface inside

Am I right in thinking that this should limit access on the inside interface to port 21015 for the host 172.16.1.100? If I telnet to another port, for example, 24079, and run a capture on the inside interface, I see the line "172.16.1.100.24079 > 10.10.10.138.1269". Does this indicate that a packet has been returned from 172.16.1.100? If so, how is this possible with the access-list in place?

If a packet is denied access because of an access-list is there anything specific in the capture or elsewhere that would tell me?

Any help would be much appreciated,

Thanks,

Bob


I'm going to presume that 'rq' is a typo for 'eq'.

Not always, no.

What you omitted in your description is that you are using a PIX, not an IOS router. Our clue to that is that you used 255.255.255.0 as your mask: IOS would use 0.0.0.255 to express the same mask.

PIX uses an Adaptive Security Algorithm. When a connection is permitted in one direction, then the PIX automatically injects permission for the return traffic into the beginning of the access list for the other direction.

You permitted telnet from outside to 24079 and started that connection from outside, and the PIX read off the source IP and source port and automatically added a temporary entry permitting the appropriate inside host to return packets to that IP and port.

Not in the capture. Look at the log messages. Denial via an ACL is a level 4 event, so it will appear in the logs if you are set to log level 4 or higher (and have the logs turned on). To see more of the gory details, turn up the logging to level 6: that would show the translations being made and the connections being made.

Walter Roberson
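As an added illustration (not part of either post, and not PIX code), the following Python model shows the stateful behaviour Walter describes: Bob's access-list, with 'rq' corrected to 'eq', is parsed in PIX syntax (subnet mask, 'host' keyword) and applied inbound on the inside interface, a connection table lets return packets through without any ACL entry of their own, and each ACL denial produces a level-4 syslog-style line while each permitted connection produces a level-6 one. The ToyPix class, the rule that an interface with no ACL denies everything that is not return traffic, the approximate wording of the log lines, and the packet sequence are all constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of a PIX-style stateful filter (assumption: not vendor code).
# Interface names, log wording and the no-ACL-means-deny rule are illustrative.


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on ('inside' or 'outside')
    proto: str     # 'tcp', 'udp' or 'icmp'
    src: str
    sport: int     # 0 for icmp
    dst: str
    dport: int     # 0 for icmp


@dataclass
class AclEntry:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'tcp', 'udp', 'icmp' or 'ip'
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int] = None      # None: no 'eq PORT' given, any port matches

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ('ip', pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src_net
                and ipaddress.ip_address(pkt.dst) in self.dst_net
                and (self.dport is None or self.dport == pkt.dport))


def pix_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """PIX access-lists take a subnet mask (255.255.255.0); IOS would use the
    wildcard 0.0.0.255 for the same /24."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl_line(line: str) -> Tuple[str, AclEntry]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' in PIX syntax.
    SRC/DST are 'host A.B.C.D', 'any' or 'A.B.C.D MASK'. Returns (name, entry)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != 'access-list':
        raise ValueError(f'not an access-list line: {line!r}')
    name, action, proto = tok[1], tok[2], tok[3]
    pos = 4

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == 'host':
            net = ipaddress.ip_network(tok[pos + 1] + '/32')
            pos += 2
        elif tok[pos] == 'any':
            net = ipaddress.ip_network('0.0.0.0/0')
            pos += 1
        else:
            net = pix_network(tok[pos], tok[pos + 1])
            pos += 2
        return net

    src, dst = take_addr(), take_addr()
    dport = None
    if pos < len(tok):
        if tok[pos] != 'eq' or pos + 1 >= len(tok):
            # catches the 'rq 21015' typo from the question
            raise ValueError(f'unknown port operator {tok[pos]!r} (expected eq)')
        dport = int(tok[pos + 1])
    return name, AclEntry(action, proto, src, dst, dport)


class ToyPix:
    """Inbound ACL per interface plus a connection table. Return traffic for a
    known connection is passed before the ACL is consulted; anything else not
    permitted by the ingress ACL is denied and logged."""

    def __init__(self, interface_acls: Dict[str, Tuple[str, List[AclEntry]]]):
        self.acls = interface_acls           # interface -> (acl name, entries)
        self.conns: set = set()              # (proto, src, sport, dst, dport)
        self.log: List[str] = []

    def forward(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.conns:            # reply to a connection already built
            return 'permit-established'
        name, entries = self.acls.get(pkt.ingress, ('<none>', []))
        for entry in entries:
            if entry.matches(pkt):
                if entry.action == 'permit':
                    self.conns.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    # level 6: connection built (approximate wording, assumption)
                    self.log.append(f'%PIX-6-302013: Built {pkt.proto} connection '
                                    f'{pkt.ingress}:{pkt.src}/{pkt.sport} to {pkt.dst}/{pkt.dport}')
                    return 'permit'
                break                        # explicit deny entry matched
        # implicit deny at the end of the list: level 4 (approximate wording, assumption)
        self.log.append(f'%PIX-4-106023: Deny {pkt.proto} src {pkt.ingress}:{pkt.src}/{pkt.sport} '
                        f'dst {pkt.dst}/{pkt.dport} by access-group "{name}"')
        return 'deny'


# Bob's two access-list lines with 'rq' corrected to 'eq'
BOB_ACL = [
    'access-list lock_down permit icmp 10.10.10.0 255.255.255.0 host 172.16.1.100',
    'access-list lock_down permit tcp 10.10.10.0 255.255.255.0 host 172.16.1.100 eq 21015',
]


def build_pix() -> ToyPix:
    entries = [parse_acl_line(line)[1] for line in BOB_ACL]
    return ToyPix({'inside': ('lock_down', entries)})   # access-group lock_down in interface inside


def run_demo() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    pix = build_pix()
    pkts = [
        Packet('inside', 'tcp', '10.10.10.138', 1269, '172.16.1.100', 21015),   # allowed port
        Packet('outside', 'tcp', '172.16.1.100', 21015, '10.10.10.138', 1269),  # its reply
        Packet('inside', 'tcp', '10.10.10.138', 1270, '172.16.1.100', 24079),   # some other port
        Packet('outside', 'tcp', '172.16.1.100', 24079, '10.10.10.138', 1270),  # no state for it
    ]
    verdicts = [pix.forward(p) for p in pkts]
    for line in pix.log:
        print(line)
    return verdicts


if __name__ == '__main__':
    print(run_demo())
```

The reply to the 21015 connection is passed on the strength of the connection table alone, which is the "automatic permission for return traffic" in the reply above; the denial for port 24079 never shows in a packet capture of forwarded traffic, only in the level-4 log line.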
