You are using match-all, which makes it match a packet with both SYN and FIN. Split them and also use mask 0x3E for FIN.

class-map type access-control match-all SYN
match field TCP dest-port eq 80
match field tcp control-bits eq 2 mask 0x3D
class-map type access-control match-all FILTER
match field TCP dest-port eq 80
match field tcp control-bits eq 1 mask 0x3E

With regards
Kings

On Thu, Jun 2, 2011 at 8:20 PM, Bruno <[email protected]> wrote:

> Check this statement
>
> class-map type access-control match-all FILTER
> match field TCP dest-port eq 80
> match field tcp control-bits eq 2 mask 0x3D
> match field tcp control-bits eq 1 mask 0x3D
>
> Will this catch either SYN OR FIN and other bits could be set as well? Is
> that right?
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
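The following is an added example, not part of either message in the thread and not Cisco code: a small Python model that evaluates the control-bits conditions from both class-map variants against all 64 TCP flag combinations. It assumes that bits set in `mask` are ignored and only the remaining bits are compared with the `eq` value; the dest-port condition is left out, and all function and variable names are hypothetical.

```python
# Model of "match field tcp control-bits eq V mask M" (added example).
# Assumption: bits set in the mask are ignored ("don't care");
# only the remaining flag bits are compared against the eq value.
FLAG_BITS = 0x3F  # FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 URG=0x20
NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def bits_match(flags, value, mask):
    """True if flags equal value on every bit the mask does not ignore."""
    care = ~mask & FLAG_BITS
    return (flags & care) == (value & care)


def class_matches(flags, conditions, mode):
    """Evaluate one class-map: match-all is AND, match-any is OR."""
    results = [bits_match(flags, v, m) for v, m in conditions]
    return all(results) if mode == "match-all" else any(results)


def policy_matches(flags, class_maps):
    """A packet is caught if any class-map in the list matches it."""
    return any(class_matches(flags, conds, mode) for mode, conds in class_maps)


def describe(flags):
    """Human-readable flag names for a 6-bit control-bits value."""
    return "+".join(n for i, n in enumerate(NAMES) if flags & (1 << i)) or "none"


def matching_flag_sets(class_maps):
    """All 6-bit flag values that the given class-maps would catch."""
    return [f for f in range(FLAG_BITS + 1) if policy_matches(f, class_maps)]


# Single match-all class-map from the question (both conditions use mask 0x3D).
ORIGINAL = [("match-all", [(2, 0x3D), (1, 0x3D)])]
# Two separate class-maps from the reply (mask 0x3D for SYN, 0x3E for FIN).
SPLIT = [("match-all", [(2, 0x3D)]), ("match-all", [(1, 0x3E)])]

if __name__ == "__main__":
    print("question's class-map matches",
          len(matching_flag_sets(ORIGINAL)), "of 64 flag combinations")
    print("split class-maps match",
          len(matching_flag_sets(SPLIT)), "of 64 flag combinations")
    # Constructed sample flag values, not captured traffic.
    for flags in (0x02, 0x01, 0x12, 0x11, 0x03, 0x10, 0x04):
        print(f"{describe(flags):10} caught={policy_matches(flags, SPLIT)}")
```
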
