Logging ACL permit statements

Unanswered Question
May 5th, 2008
I have a customer with a PIX 515 running 6.3. They have an appliance running a web server and they allow port 80 to a public IP. This is working but they want to log the actual IPs being used to access the web server. They have this currently:

access-list out_in permit tcp any host 1.2.3.4 eq https


I've tried

access-list out_in permit tcp any host 1.2.3.4 eq https log


but this does not generate any syslog messages. I tried using log-input but it gives me an extra command argument(s).


The customer doesn't have access to the external router so is there any way to record the IP addresses that are being allowed through this acl? The appliance has a log but it does not include this information and is not customizable.

cisco24x7 Mon, 05/05/2008 - 16:33

This is very easy:

conf t
logging on
logging timestamp
logging facility 19
logging host outside 192.168.15.10
logging trap 6

Once you have this, assuming your syslog server is 192.168.15.10 and it is Linux, modify /etc/syslog.conf to include this line:

local3.* /var/log/cisco.log

Make sure you allow remote syslog to your Linux box in the /etc/sysconfig/syslog file:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r -x"

Restart your syslog with "service syslog restart".

Now do this: tail -f /var/log/cisco.log | grep 192.168.15.25 where 192.168.15.25 is the external IP address of my Pix firewall:

May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/172.20.20.1(33563) -> inside/192.168.15.70(139) hit-cnt 1 first hit
May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:172.20.20.1/33563 (172.20.20.1/33563) to inside:192.168.4.70/139 (192.168.15.70/139)

I am using NetBIOS as an example but you get the idea. You may also want to suppress a lot of translation messages with "no logging message xxxxxx".

Easy, right?

CCIE Security
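As an added example (not part of either post above), here is a small Python script that parses the %PIX-6-106100 ACL-hit messages of the kind shown in the reply and tallies permitted hits per client IP for the original poster's rule. The ACL name out_in and the host 1.2.3.4 come from the question; the sample log lines and the client addresses in them are constructed for illustration. It assumes the PIX is already sending to the syslog file the reply sets up and that logging trap is at level 6 or higher, since 106100 is an informational message.

```python
import re
from collections import Counter

# Matches the ACL-hit syslog message (%PIX-6-106100) shown in the reply.
# Layout: access-list <acl> permitted|denied <proto> <if>/<ip>(<port>) ->
# <if>/<ip>(<port>) hit-cnt <n> ... ; search() tolerates the syslog prefix
# and the trailing "first hit" / "N-second interval" text.
ACL_HIT_RE = re.compile(
    r"%PIX-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>\S+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) "
    r"-> (?P<dst_if>\S+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)


def parse_acl_hit(line):
    """Return a dict of the ACL-hit fields, or None for any other message."""
    m = ACL_HIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        rec[key] = int(rec[key])
    return rec


def client_ips_for_service(lines, acl, dst_ip, dst_port):
    """Count permitted hits per source IP for one ACL, host and port.

    Only 'permitted' entries are counted, since the question is about who
    was allowed through the ACL.  The hit-cnt field is honoured so that
    aggregated interval messages are not undercounted.
    """
    counts = Counter()
    for line in lines:
        rec = parse_acl_hit(line)
        if rec is None or rec["action"] != "permitted":
            continue
        if rec["acl"] == acl and rec["dst_ip"] == dst_ip and rec["dst_port"] == dst_port:
            counts[rec["src_ip"]] += rec["hits"]
    return counts


# Constructed sample log lines in the same shape as the reply's output.
# Client addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.7(51234) -> inside/1.2.3.4(443) hit-cnt 1 first hit",
    "May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.70/443 (1.2.3.4/443)",
    "May 5 22:29:01 192.168.15.25 May 06 2008 00:47:46: %PIX-6-106100: access-list out_in permitted tcp outside/198.51.100.22(40012) -> inside/1.2.3.4(443) hit-cnt 3 300-second interval",
    "May 5 22:29:30 192.168.15.25 May 06 2008 00:48:15: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.7(51240) -> inside/1.2.3.4(443) hit-cnt 1 first hit",
    "May 5 22:30:02 192.168.15.25 May 06 2008 00:48:47: %PIX-6-106100: access-list out_in denied tcp outside/192.0.2.9(60000) -> inside/1.2.3.4(22) hit-cnt 1 first hit",
    "May 5 22:30:10 192.168.15.25 May 06 2008 00:48:55: %PIX-6-106100: access-list out_in permitted tcp outside/192.0.2.9(60001) -> inside/1.2.3.4(80) hit-cnt 1 first hit",
]

if __name__ == "__main__":
    # Real use: replace SAMPLE_LOG with open("/var/log/cisco.log").
    tally = client_ips_for_service(SAMPLE_LOG, "out_in", "1.2.3.4", 443)
    for ip, n in tally.most_common():
        print(f"{ip:15} {n} permitted hit(s) on tcp/443")
```

Note that the 302013 connection-built message is deliberately ignored: it reports the pre- and post-NAT inside addresses, which is useful for correlation but not for the per-client count the question asks for. Because 106100 messages are rate-limited into "N-second interval" summaries, the script adds hit-cnt rather than counting lines.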