Logging ACL permit statements

nutflush11
Level 1

I have a customer with a PIX 515 running 6.3. They have an appliance running a web server and they allow port 80 to a public IP. This is working but they want to log the actual IPs being used to access the web server. They have this currently:

access-list out_in permit tcp any host 1.2.3.4 eq https

I've tried

access-list out_in permit tcp any host 1.2.3.4 eq https log

but this does not generate any syslog messages. I tried using log-input but it gives me an extra command argument(s).

The customer doesn't have access to the external router so is there any way to record the IP addresses that are being allowed through this acl? The appliance has a log but it does not include this information and is not customizable.


cisco24x7
Level 6

This is very easy:

conf t
logging on
logging timestamp
logging facility 19
logging host outside 192.168.15.10
logging trap 6

Once you have this, assuming your syslog server is 192.168.15.10 and it is Linux, modify the /etc/syslog.conf to include this line:

local3.* /var/log/cisco.log

Make sure you allow syslog to your Linux box in the /etc/sysconfig/syslog file:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r -x"

Restart your syslog with "service syslog restart".

Now do this: tail -f /var/log/cisco.log | grep 192.168.15.25 where 192.168.15.25 is the external IP address of my PIX firewall:

May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/172.20.20.1(33563) -> inside/192.168.15.70(139) hit-cnt 1 first hit
May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:172.20.20.1/33563 (172.20.20.1/33563) to inside:192.168.4.70/139 (192.168.15.70/139)

I am using NetBIOS as an example but you get the idea. You may also want to suppress a lot of translation messages with "no logging message xxxxxx".

Easy right?

CCIE Security
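As an added example that is not part of the thread: once the %PIX-6-106100 messages are arriving in /var/log/cisco.log, the script below parses them and sums hit-cnt per source address for a given ACL and destination, which is the "which IPs were allowed through" record the question asks for. The sample lines are constructed, modelled on the format quoted in the answer above, using the question's web server 1.2.3.4 and ACL out_in (port 443 and the other addresses are assumed). One check worth making before debugging further: 106100 is a severity 6 message, so a trap level lower than 6 would drop it even with `log` on the ACE.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread), modelled on the
# %PIX-6-106100 / %PIX-6-302013 lines quoted in the answer. The web server
# 1.2.3.4 and ACL name out_in come from the question; all other addresses
# and ports are assumptions.
SAMPLE_LOG = """\
May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.7(51022) -> inside/1.2.3.4(443) hit-cnt 1 first hit
May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:203.0.113.7/51022 (203.0.113.7/51022) to inside:1.2.3.4/443 (1.2.3.4/443)
May 5 22:28:41 192.168.15.25 May 06 2008 00:47:26: %PIX-6-106100: access-list out_in permitted tcp outside/198.51.100.23(40110) -> inside/1.2.3.4(443) hit-cnt 1 first hit
May 5 22:33:02 192.168.15.25 May 06 2008 00:51:47: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.7(51030) -> inside/1.2.3.4(443) hit-cnt 3 300-second interval
May 5 22:33:05 192.168.15.25 May 06 2008 00:51:50: %PIX-6-106100: access-list out_in denied tcp outside/192.0.2.9(2200) -> inside/1.2.3.4(22) hit-cnt 1 first hit
May 5 22:33:09 192.168.15.25 May 06 2008 00:51:54: %PIX-6-106100: access-list other_acl permitted tcp outside/203.0.113.7(51040) -> inside/1.2.3.5(443) hit-cnt 1 first hit
"""

# Matches only the ACL-hit message (ID 106100). The trailing "first hit" /
# "N-second interval" text is deliberately left unanchored so both forms match.
ACL_HIT_RE = re.compile(
    r"%PIX-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_acl_hits(text):
    """Yield one dict per 106100 line; all other message IDs are skipped."""
    for line in text.splitlines():
        m = ACL_HIT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sev", "sport", "dport", "hits"):
            rec[key] = int(rec[key])
        # Everything before the message ID is the syslog + PIX header
        # (receive time, sending firewall, firewall time); keep it for tracing.
        rec["header"] = line[: m.start()].rstrip(": ")
        yield rec


def _matches(rec, acl, dst, dport, action):
    """Apply the optional filters; None means 'any'."""
    if rec["action"] != action:
        return False
    if acl is not None and rec["acl"] != acl:
        return False
    if dst is not None and rec["dst"] != dst:
        return False
    if dport is not None and rec["dport"] != dport:
        return False
    return True


def count_sources(text, acl=None, dst=None, dport=None, action="permitted"):
    """Total hit-cnt per source IP for the matching ACL / destination / action.

    hit-cnt is summed rather than counting lines, because the firewall folds
    repeated hits for the same flow into one message carrying the count.
    """
    totals = Counter()
    for rec in parse_acl_hits(text):
        if _matches(rec, acl, dst, dport, action):
            totals[rec["src"]] += rec["hits"]
    return totals


def first_seen(text, acl=None, dst=None, dport=None, action="permitted"):
    """Map each source IP to the header of the first line that matched."""
    seen = {}
    for rec in parse_acl_hits(text):
        if _matches(rec, acl, dst, dport, action):
            seen.setdefault(rec["src"], rec["header"])
    return seen


if __name__ == "__main__":
    # Who was permitted to the web server through out_in, and how often.
    totals = count_sources(SAMPLE_LOG, acl="out_in", dst="1.2.3.4", dport=443)
    starts = first_seen(SAMPLE_LOG, acl="out_in", dst="1.2.3.4", dport=443)
    for src, hits in totals.most_common():
        print(f"{src:<16} hits={hits:<4} first seen: {starts[src]}")
```

In production the same functions would read the file the answer sets up (`open("/var/log/cisco.log")`), or a `tail -f` pipe, instead of `SAMPLE_LOG`; filtering on the ACL name rather than grepping for the firewall address keeps the 302013 connection-built lines and hits on other ACLs out of the count.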
