PIX Logging question

Unanswered Question
Dec 17th, 2009

Hi everyone.

I have a question regarding how the PIX handles logging. PIX 515E IOS 6.3(5)

We currently have an outside global NAT (IP example that we send out emails from.

Sometimes it happens that our customers send emails (bounces, after a while) back to our NAT IP, and we would like to find this in our syslog.

The problem is, since we don't have (outside NAT) anywhere in our "acl-outside", which is bound to the outside interface, we don't get any hits on the ACL = no logging to syslog on deny rules?

Shouldn't a "deny ip any any" produce a deny entry in the log for any attempts from the outside trying to access our even though we don't have a SAT statement?

If I do a capture on the interface with that specific IP, we can see requests coming in, but it doesn't show in the log / syslog for those attempts.

Does anyone understand what I'm trying to say?



sachinraja Fri, 12/18/2009 - 10:11

Yes BR, you are right. Since there are no specific ACLs matching the outside global IP, you can have a "deny ip any any" (though it is implicitly denied) for management purposes. Now, when the packet matches the permit statement, a syslog isn't triggered, but when the packet hits the deny, the PIX firewall generates a syslog message similar to this:

%PIX-4-106019: IP packet from source_addr to, protocol protocol received from interface outside deny by access-group outside.

Have appropriate logging levels configured for this message to appear ("logging buffered"), but when we need such implicit messages we might need debug level, and that would fill the logs fast, depending on the traffic pattern...

Hope this helps. All the best.

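A small parser, added here as an example and not part of the thread, for pulling the deny events discussed above out of a PIX syslog feed and filtering them to one destination address and port (the outside global IP and port 25 in the question). It recognises the ACL-deny messages 106023 and the 106019 form quoted in the reply above, and also 106011, the "Deny inbound (No xlate)" message a PIX logs for an inbound packet whose destination has no translation; that deny is reported separately from ACL denies, so a search that only looks for access-group messages misses it. The syslog lines are constructed samples using documentation address ranges: 198.51.100.20 stands in for the outside global NAT IP, and the hostname fw01 and the timestamps are invented.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample syslog lines (not taken from the thread). 198.51.100.20
# plays the role of the outside global NAT IP; 203.0.113.x are remote senders.
SAMPLE_SYSLOG = """\
Dec 17 2009 10:01:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/51234 dst outside:198.51.100.20/25 by access-group "acl-outside"
Dec 17 2009 10:01:03 fw01 %PIX-3-106011: Deny inbound (No xlate) tcp src outside:203.0.113.6/40000 dst outside:198.51.100.20/25
Dec 17 2009 10:01:04 fw01 %PIX-4-106019: IP packet from 203.0.113.7 to 198.51.100.20, protocol 6 received from interface outside deny by access-group outside
Dec 17 2009 10:01:05 fw01 %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.99/25 (198.51.100.99/25) to inside:192.0.2.10/40001 (198.51.100.20/40001)
Dec 17 2009 10:01:06 fw01 %PIX-4-106023: Deny udp src outside:203.0.113.8/53 dst outside:198.51.100.21/53 by access-group "acl-outside"
"""

# Deny messages in the layout the PIX syslog message guide documents.
# 106023: ACL deny with addresses and ports.  106011: "no xlate" deny, raised
# before any ACL is consulted, so it names no access-group.  106019: the older
# per-packet ACL deny quoted in the thread; it carries no port numbers.
DENY_PATTERNS = {
    "106023": re.compile(
        r"%PIX-\d-106023: Deny (?P<proto>\w+) "
        r"src (?:\w+:)?(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
        r"dst (?:\w+:)?(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
        r'by access-group "?(?P<acl>[^"\s]+)"?'
    ),
    "106011": re.compile(
        r"%PIX-\d-106011: Deny inbound \(No xlate\) (?P<proto>\w+) "
        r"src (?:\w+:)?(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
        r"dst (?:\w+:)?(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    ),
    "106019": re.compile(
        r"%PIX-\d-106019: IP packet from (?P<src>[\d.]+) to (?P<dst>[\d.]+), "
        r"protocol (?P<proto>\w+) received from interface (?P<ifc>\w+) "
        r"deny by access-group (?P<acl>\S+)"
    ),
}


def parse_deny(line: str) -> Optional[Dict[str, object]]:
    """Return a normalised record for a PIX deny message, or None for any other line."""
    for msg_id, pattern in DENY_PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        g = m.groupdict()
        return {
            "msg_id": msg_id,
            "proto": g["proto"].lower(),
            "src": g["src"],
            "sport": int(g["sport"]) if g.get("sport") else None,
            "dst": g["dst"],
            "dport": int(g["dport"]) if g.get("dport") else None,
            "acl": g.get("acl"),            # None for 106011: no ACL was involved
            "no_xlate": msg_id == "106011",
        }
    return None


def find_denied(lines: Iterable[str], dst_ip: str,
                dport: Optional[int] = None) -> List[Dict[str, object]]:
    """Collect deny events aimed at dst_ip (and dport, when given).

    Events that carry no port at all (106019) are kept when a port filter is
    set, because they cannot be ruled out; the caller sees dport=None on them.
    """
    hits = []
    for line in lines:
        ev = parse_deny(line)
        if ev is None or ev["dst"] != dst_ip:
            continue
        if dport is not None and ev["dport"] not in (None, dport):
            continue
        hits.append(ev)
    return hits


def count_by_reason(events: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Tally denies by cause: 'no-xlate' versus 'acl:<access-group name>'."""
    counts: Dict[str, int] = {}
    for ev in events:
        key = "no-xlate" if ev["no_xlate"] else f"acl:{ev['acl']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = find_denied(SAMPLE_SYSLOG.splitlines(), "198.51.100.20", 25)
    for ev in events:
        print(ev["msg_id"], ev["proto"], ev["src"], "->", ev["dst"], ev["dport"],
              "no-xlate" if ev["no_xlate"] else f"acl={ev['acl']}")
    print(count_by_reason(events))
```

Run against a real feed, the interesting result is the split that `count_by_reason` produces: ACL denies on one side and no-xlate denies on the other. On a PIX where the destination global address has no static, only the second kind can appear, and it is emitted at level 3 rather than the level 4 of the access-group messages, so make sure the logging level admits both.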

azore2007 Sun, 12/20/2009 - 09:59

Hi Raj, and thanks for the help.

We do have a "deny ip any any" statement in the acl-outside, but that doesn't make it log the attempts on port 25 on IP.

We also have debugging on, which sends all the packets to the syslog servers, but that doesn't give any "hits" either.

I'm guessing we have to make a "deny tcp any host eq 25" just to get it into the ACL... hopefully that will help.

I hope it doesn't need a static statement for logging attempts.

Thanks for the advice, though.

BR and merry Christmas!

Kureli Sankar Sun, 12/20/2009 - 14:20

I don't believe so. The firewall would just drop it.

In the 7.x and above code, the following can be seen in the "asp drop" capture.

syntax: cap capasp type asp-drop all

sh cap capasp

  37: 16:59:21.420571 802.1Q vlan#10 P0 > S 2378760599:2378760599(0) win 65535 timestamp 472649372 0,sackOK,eol> Drop-reason: (acl-drop) Flow is denied by configured rule


