debug/log for security rule

Apr 15th, 2008

I have a security rule that prevents outbound SMTP connections from LAN IPs. This rule was inserted because it seems we have some infected PCs that are trying to send mail. Is there a way I can see what IPs are being denied the outbound SMTP so I can find and clean up the PCs?


Rgds,

Diego

Overall Rating: 4 (1 ratings)
Jon Marshall Tue, 04/15/2008 - 13:19

Diego


Yes, you need to enable logging on the firewall (assuming it's a firewall). Packets being denied are logged at severity level 3 - see attached link.


http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1159278


You can either view the logs in the firewall buffer or better yet configure the firewall to send the logs to a syslog server if you have one.


Jon

DIEGO ALONSO Tue, 04/15/2008 - 13:33

If I use syslog, is there a way of sending just the denies of the one rule to the syslog server? If not, and the ASA sends all data to the syslog, I would think that sorting through the logs for only the denies of this one particular rule would be quite a mission.


Thanks,

Diego
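
One way to pull the infected hosts out of a full syslog feed, as an added example that is not part of the original thread: it assumes the denies arrive as message 106023 (the PIX/ASA ACL-deny message), leaves the severity digit open, and uses a hypothetical access-group name `inside_out`. The log lines are constructed.

```python
import re
from collections import Counter

# ACL-deny message 106023 from a PIX or ASA; any severity digit is accepted.
DENY_RE = re.compile(
    r'%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def denied_smtp_sources(lines, acl=None, port=25):
    """Count denied TCP connections to `port` per source IP.

    acl: if given, only denies logged by that access-group are counted,
    which isolates the one rule of interest from the rest of the feed.
    """
    hits = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # unrelated message (connection built, teardown, ...)
        if m["proto"].lower() != "tcp" or int(m["dst_port"]) != port:
            continue  # a deny, but not SMTP
        if acl is not None and m["acl"] != acl:
            continue  # a deny from a different access list
        hits[m["src_ip"]] += 1
    return hits

# Constructed sample feed; "inside_out" and "outside_in" are hypothetical ACL names.
SAMPLE_LOG = """\
Apr 15 13:40:01 fw1 %ASA-4-106023: Deny tcp src inside:192.168.10.23/1045 dst outside:203.0.113.9/25 by access-group "inside_out" [0x0, 0x0]
Apr 15 13:40:02 fw1 %ASA-4-106023: Deny tcp src inside:192.168.10.23/1046 dst outside:198.51.100.7/25 by access-group "inside_out" [0x0, 0x0]
Apr 15 13:40:05 fw1 %ASA-4-106023: Deny tcp src inside:192.168.10.57/2210 dst outside:203.0.113.9/25 by access-group "inside_out" [0x0, 0x0]
Apr 15 13:40:06 fw1 %ASA-4-106023: Deny tcp src inside:192.168.10.23/1047 dst outside:203.0.113.9/80 by access-group "inside_out" [0x0, 0x0]
Apr 15 13:40:07 fw1 %ASA-4-106023: Deny udp src inside:192.168.10.80/5353 dst outside:203.0.113.53/53 by access-group "inside_out" [0x0, 0x0]
Apr 15 13:40:08 fw1 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.80/443 (203.0.113.80/443) to inside:192.168.10.12/3301 (192.168.10.12/3301)
Apr 15 13:40:09 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.50/4444 dst inside:192.168.10.5/25 by access-group "outside_in" [0x0, 0x0]
"""

if __name__ == "__main__":
    counts = denied_smtp_sources(SAMPLE_LOG.splitlines(), acl="inside_out")
    for ip, n in counts.most_common():
        print(f"{ip}\t{n} denied SMTP attempts")
```

Sorting by count puts the busiest senders first, which is usually the order in which to inspect the PCs.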

