Access-Group

linker.team
Level 1

Hi,

Basically, there would be an "access-group" under which there would be multiple "rules" listed. This "access-group" would then be applied on the desired interface.

When some transactions match them, a message is logged with the "access-group" (ex: PIX-4-106023).

Is it possible to get the exact rule within the "access-group" that matched? If so, do let me know.

thanks,

-S-

4 Replies

micheljoh
Level 1

Hi

Well hum

you have an access-list specified on the access-group

like:

access-list Web-Trafic permit tcp any any eq 80

and then an access-group applied to your interface:

access-group Web-Trafic in interface outside

if you need to know what hit the "access-group" look at the access-list by:

sh access-list Web-Trafic

you would get something like:

access-list Web-Trafic; 1 element

access-list Web-Trafic line 1 extended permit tcp any any eq 80 (hitcnt=11)

this would mean 11 hits on that access-list which is applied to the access-group.

Regards//Michel

Hi Michel,

Appreciate your reply. Your suggestion would get the total hits for the rule defined within the group.

Consider the below case (some sample rules),

access-list outside_access_in; 2 elements

access-list outside_access_in line 1 permit tcp x.x.x.x 255.255.255.0 any (hitcnt=0)

access-list outside_access_in line 2 deny tcp any any eq FTP (hitcnt=0)

Now, assume we have a transaction matching rule 2. I would love to see the exact rule along with Source-Destination combination in the logs. Like connection from source X to destination Y was dropped as rule "outside_access_in line 2" doesn't permit.

Is this possible? PIX is giving the group name and not the exact rule within it. Hope I am clear with my requirement :-( .

thanks,

-S-

Hi

Well, if I understand you correctly, what you could do is put a log level at the end of the second rule

Example:

access-list outside_access_in line 2 deny tcp any any eq FTP log errors

and then log, for example, to the buffer:

conf example:

logging on

logging buffered errors

if you want a larger buffer use:

logging buffered-size ?

Although using this will only log hits on sources going to FTP that are not sourced from your x.x.x.x 255.255.255.0 network,

since FTP from that network is being allowed on line 1.

You can also use the log message ID and log that to either syslog or the buffer.

Regards//Michel
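Michel's hit-counter suggestion, worked through as an added example that is not part of the thread: take "sh access-list" output before and after a single test connection, and the line whose hitcnt moved is the one that matched; joining that with the source/destination from the 106023 message gives what S asked for. The counter snapshots, the log line and the addresses in it are constructed samples, and the 106023 layout is assumed from the common PIX syslog format.

```python
import re

# One ACE line of "show access-list" output, in the form posted in the thread,
# e.g. "access-list outside_access_in line 2 deny tcp any any eq FTP (hitcnt=0)"
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) "
                    r"(?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)$")
# Assumed PIX-4-106023 layout; the access-group name may or may not be quoted.
DENY_RE = re.compile(r'%PIX-4-106023: Deny (?P<proto>\S+) src (?P<src>\S+) '
                     r'dst (?P<dst>\S+) by access-group "?(?P<acl>[^"\s]+)"?')

def parse_show_access_list(text):
    """Return {(acl, line): (ace_text, hitcnt)} from 'show access-list' output."""
    entries = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            entries[(m["acl"], int(m["line"]))] = (m["ace"], int(m["hits"]))
    return entries

def lines_hit_between(before, after, acl=None):
    """ACEs whose hitcnt grew between two snapshots, optionally for one ACL."""
    b, a = parse_show_access_list(before), parse_show_access_list(after)
    hit = []
    for key, (ace, hits) in a.items():
        if acl and key[0] != acl:
            continue
        delta = hits - b.get(key, (ace, 0))[1]
        if delta > 0:
            hit.append({"acl": key[0], "line": key[1], "ace": ace, "new_hits": delta})
    return sorted(hit, key=lambda e: (e["acl"], e["line"]))

def attribute_deny(message, before, after):
    """Join a 106023 message (names only the access-group) with the ACE whose counter moved."""
    m = DENY_RE.search(message)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "acl": m["acl"],
            "lines": lines_hit_between(before, after, acl=m["acl"])}

# Constructed samples: counters before/after one test FTP connection, plus the log line.
BEFORE = """\
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 permit tcp 10.1.1.0 255.255.255.0 any (hitcnt=7)
access-list outside_access_in line 2 deny tcp any any eq FTP (hitcnt=0)
"""
AFTER = BEFORE.replace("(hitcnt=0)", "(hitcnt=1)")
SAMPLE_LOG = ('%PIX-4-106023: Deny tcp src outside:192.168.1.1/1025 '
              'dst inside:10.1.1.5/21 by access-group "outside_access_in"')

if __name__ == "__main__":
    r = attribute_deny(SAMPLE_LOG, BEFORE, AFTER)
    for e in r["lines"]:
        print(f"{r['src']} -> {r['dst']} denied by {e['acl']} line {e['line']}: {e['ace']}")
```

The approach only isolates a line when a single test flow is generated between the two snapshots; on a busy interface several counters move at once and the result is ambiguous.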

To my knowledge, this has always been a shortcoming with logs. It shows a log entry with the ACL name, but not the line number it matched. Send Cisco an enhancement request. Maybe they will finally add this. I have asked for it before.