zone-based firewall class-map access-list with 'log' not supported...

ydemissie
Level 1

I'm using IOS (c3845-advipservicesk9-mz.124-15.T3) zone-based firewall on a 3845 router and when I enable logging on an extended access list (permit ip any any log) that I have applied to a class-map, I get the following message:

"class-map my_cl_map : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map my_cl_map will not work properly"

Any ideas what this means? If I apply permit any any log again, it will take it. But what are the consequences?

Relevant config:

class-map type inspect match-all my_cl_map
 match class-map protocols
 match access-group name my_acl
!
ip access-list extended my_acl
 permit icmp any any
 permit tcp host 192.168.1.1 any eq 1022
 permit tcp host 192.168.1.1 any eq 513
 permit tcp host 192.168.1.1 any eq 514
 permit ip any any log


palomoj
Level 1

Why are you entering a "permit ip any any" in the first place? Your first four lines are not even needed if you need the last line in the ACL. Aren't you trying to match on specific traffic?

I'm trying to capture what else is needed by doing "permit ip any any log". However, that's beside the point. Do you know why "log" in access lists applied to class-maps is not allowed?

The ACL is there to identify traffic for the policy, nothing else. You can bind another ACL on the interface if you need to identify traffic using the log option.

In other words, you have no idea what "class-map my_cl_map : access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map my_cl_map will not work properly" means.

I know what you mean. I would like to see log of deny/allow traffic. I have the same problem.

In other words, you don't understand English too well.

"the acl is there to identify traffic for the policy, nothing else. "

Identifying traffic with an ACL using a log option isn't going to identify the traffic correctly. If you want to see what's dropped, use the "drop log" in the policy-map for class class-default.
