05-05-2008 04:20 PM - edited 03-11-2019 05:40 AM
I have a customer with a PIX 515 running 6.3. They have an appliance running a web server and they allow port 80 to a public IP. This is working but they want to log the actual IPs being used to access the web server. They have this currently:
access-list out_in permit tcp any host 1.2.3.4 eq https
I've tried
access-list out_in permit tcp any host 1.2.3.4 eq https log
but this does not generate any syslog messages. I tried using log-input but it gives me an extra command argument(s).
The customer doesn't have access to the external router so is there any way to record the IP addresses that are being allowed through this acl? The appliance has a log but it does not include this information and is not customizable.
05-05-2008 04:33 PM
This is very easy:
conf t
logging on
logging timestamp
logging facility 19
logging host outside 192.168.15.10
logging trap 6
Once you have this, assume your syslog server is 192.168.15.10 and it is Linux, modify the /etc/syslog.conf to include this line:
local3.* /var/log/cisco.log
make sure you allow syslog to your linux box in the /etc/sysconfig/syslog file:
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r -x"
restart your syslog with "service syslog restart"
Now do this: tail -f /var/log/cisco.log | grep 192.168.15.25 where 192.168.15.25 is the external IP address of my Pix firewall:
May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/172.20.20.1(33563) -> inside/192.168.15.70(139) hit-cnt 1 first hit
May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:172.20.20.1/33563 (172.20.20.1/33563) to inside:192.168.4.70/139 (192.168.15.70/139)
I am using NetBIOS as an example but you get the idea. You may also want to suppress a lot of translation messages with "no logging message xxxxxx"
Easy right?
CCIE Security
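Added example, not code from the thread: a small Python parser for the %PIX-6-106100 lines the answer shows, which sums permitted hits per source IP for one ACL and destination so the asker's "who reached the web server" question can be answered from the cisco.log file. The first sample line is the one quoted above; the out_in lines, the 1.2.3.4 address and the documentation-range source addresses are constructed.

```python
import re
from collections import Counter

# Fields of the %PIX-6-106100 ACL-hit message, the one the "log" keyword on an ACE emits.
ACL_HIT = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^\s/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^\s/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_acl_hit(line):
    """Return the ACL-hit fields of one syslog line, or None for any other message."""
    m = ACL_HIT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "hits"):
        fields[key] = int(fields[key])
    return fields

def permitted_sources(lines, acl, dst, dport):
    """Sum hit-cnt per source IP for permitted hits on `acl` that reach dst:dport."""
    totals = Counter()
    for line in lines:
        hit = parse_acl_hit(line)
        if (hit and hit["acl"] == acl and hit["action"] == "permitted"
                and hit["dst"] == dst and hit["dport"] == dport):
            totals[hit["src"]] += hit["hits"]
    return totals

# Constructed sample log: line 0 is the one quoted in the answer, the rest imitate the
# asker's out_in ACL (public IP 1.2.3.4, https) with made-up addresses and hit counts.
SAMPLE = [
    "May 5 22:28:20 192.168.15.25 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/172.20.20.1(33563) -> inside/192.168.15.70(139) hit-cnt 1 first hit",
    "May 5 22:30:01 192.168.15.25 May 06 2008 00:48:46: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.7(51234) -> inside/1.2.3.4(443) hit-cnt 1 first hit",
    "May 5 22:35:01 192.168.15.25 May 06 2008 00:53:46: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.7(51240) -> inside/1.2.3.4(443) hit-cnt 3 300-second interval",
    "May 5 22:36:12 192.168.15.25 May 06 2008 00:54:57: %PIX-6-106100: access-list out_in permitted tcp outside/198.51.100.22(40377) -> inside/1.2.3.4(443) hit-cnt 1 first hit",
    "May 5 22:37:40 192.168.15.25 May 06 2008 00:56:25: %PIX-6-106100: access-list out_in denied tcp outside/198.51.100.9(40001) -> inside/1.2.3.4(22) hit-cnt 1 first hit",
    "May 5 22:37:41 192.168.15.25 May 06 2008 00:56:26: %PIX-6-302013: Built inbound TCP connection 237481 for outside:203.0.113.7/51240 (203.0.113.7/51240) to inside:192.168.4.70/443 (1.2.3.4/443)",
]

if __name__ == "__main__":
    for src, hits in permitted_sources(SAMPLE, "out_in", "1.2.3.4", 443).most_common():
        print(f"{src:15} {hits}")
```

Run it against the real file with `permitted_sources(open("/var/log/cisco.log"), "out_in", "1.2.3.4", 443)`; denied hits and the 302013 connection messages are ignored, so the count reflects only what the ACE let through.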