access-list port logging

spacemky
Level 1

I have an access-list, that looks similar to this:

ip access-list extended TestACL
 deny ip 1.0.0.0 0.255.255.255 any log-input
 permit ip any any

When IOS logs hits against this ACL, it doesn't log the port numbers:

1568837: Aug 31 15:39:19.552 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied tcp 1.196.74.245(0) (Serial0/0 ) -> 24.15.152.136(0), 1 packet

I realize this is by design to speed things up, and IOS is discarding the packet before even reading the port information. But how could I actually make it log the port numbers?

My ACL basically denies a lot of stuff and has a statement at the bottom allowing everything else.

Thanks pros!

3 Replies

Try using an extended access list to deny the "tcp" packet that you are sending.

From what I see in the log ("denied tcp"), an extended ACL should help.

This ACL has about 60 lines, all using "deny ip". I need to not only block tcp, but also udp, icmp, and every other IP protocol. Is there any other way this could be accomplished? I'd like to still block all IP protocols, but also get the port info when logged.

Nick

As you seem to acknowledge in your original post, if IOS is not checking port values then IOS cannot log port values using the log parameter in the ACL. If you want the ACL logging to report the port numbers then your ACL must have at least one line checking some TCP port values and at least one line checking some UDP port values. Without knowing more about what your ACL is doing, I would suggest that your ACL might have lines like this:

deny tcp any any range 1 65535 log

deny udp any any range 1 65535 log

HTH

Rick
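The two halves of this thread, the "(0)" ports in the original %SEC-6-IPACCESSLOGP lines and Rick's suggestion of adding TCP and UDP lines that check port values, can both be handled mechanically. The script below is an added example, not code from the thread or from Cisco: it parses ACL log lines and flags entries whose ports were never inspected, and it expands each "deny ip" entry of an existing ACL (such as the 60-line one described above) into the deny tcp / deny udp / deny ip triplet that Rick describes, keeping the final "deny ip" so every other IP protocol is still blocked. The log lines embedded in it are constructed samples; the function names are my own.

```python
import re

# Constructed sample log lines in the %SEC-6-IPACCESSLOGP format (not from a real device).
# The first line shows the symptom from the question: both ports logged as (0).
SAMPLE_LOG = """\
1568837: Aug 31 15:39:19.552 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied tcp 1.196.74.245(0) (Serial0/0 ) -> 24.15.152.136(0), 1 packet
1568838: Aug 31 15:39:20.101 EDT: %SEC-6-IPACCESSLOGP: list TestACL denied udp 1.2.3.4(53) (Serial0/0 ) -> 24.15.152.136(1025), 1 packet
"""

# Fields of an IPACCESSLOGP message: list name, action, protocol, source(port), destination(port), count.
# The lazy ".*?" skips the interface (and the MAC address that log-input may add) between source and "->".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) .*?-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)


def parse_log(text):
    """Parse IPACCESSLOGP lines into dicts; ports_known is False when IOS logged (0) for both ports."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "count"):
            d[key] = int(d[key])
        # A (0)/(0) pair means the matching ACE never looked at the layer-4 header.
        d["ports_known"] = not (d["sport"] == 0 and d["dport"] == 0)
        entries.append(d)
    return entries


def missing_port_entries(entries):
    """Return only the entries whose ACE gave no port information (the thread's complaint)."""
    return [e for e in entries if not e["ports_known"]]


# Matches "deny ip <source> <destination> [log|log-input]" with optional leading indent.
DENY_IP_RE = re.compile(r"^(?P<indent>\s*)deny ip (?P<rest>.+?)(?P<log>\s+log(-input)?)?$")


def expand_deny_ip(ace):
    """Expand one 'deny ip' ACE into the TCP/UDP/IP triplet Rick suggests.

    The TCP and UDP lines use 'range 1 65535' so IOS inspects the ports and can log them;
    the trailing 'deny ip' keeps every other IP protocol (ICMP, GRE, ...) blocked as before.
    Any ACE that is not a 'deny ip' line is returned unchanged.
    """
    m = DENY_IP_RE.match(ace)
    if not m:
        return [ace]
    indent, rest, log = m.group("indent"), m.group("rest"), m.group("log") or ""
    return [
        f"{indent}deny tcp {rest} range 1 65535{log}",
        f"{indent}deny udp {rest} range 1 65535{log}",
        f"{indent}deny ip {rest}{log}",
    ]


def rewrite_acl(acl_text):
    """Apply expand_deny_ip to every line of an ACL, preserving header and permit lines."""
    out = []
    for line in acl_text.splitlines():
        out.extend(expand_deny_ip(line))
    return "\n".join(out)


if __name__ == "__main__":
    for entry in missing_port_entries(parse_log(SAMPLE_LOG)):
        print("no port info:", entry["proto"], entry["src"], "->", entry["dst"])
    print(rewrite_acl("ip access-list extended TestACL\n"
                      " deny ip 1.0.0.0 0.255.255.255 any log-input\n"
                      " permit ip any any"))
```

Because every expanded entry is a deny, the order of the three lines within a triplet does not change what is blocked, only which line's counter increments and whether the log carries ports. The cost is size: a 60-line ACL becomes roughly 180 deny lines, and a TCP or UDP packet with port 0 still falls through to the plain "deny ip" line and is logged without ports.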