PIX Logging question

azore2007
Level 1

Hi everyone.

I have a question regarding how the PIX handles logging. PIX 515E, IOS 6.3(5).

We currently have an outside global NAT (IP example 10.0.0.1) that we send out emails from.

Sometimes it happens that our customers send emails (bounces, after a while) back to our NAT IP, and we would like to find this in our syslog.

Problem is, since we don't have 10.0.0.1 (outside NAT) anywhere in our "acl-outside", which is bound to the outside interface, we don't get any hits on the ACL = no logging to syslog on deny rules?

Shouldn't a "deny ip any any" make a deny statement in the log for any attempts from the outside trying to access our 10.0.0.1, even though we don't have a SAT statement?

If I do a capture on the interface with that specific IP, we can see requests coming in, but it doesn't show in the log/syslog for those attempts.

Does anyone understand what I'm trying to say?

Thanks

BR

3 Replies

sachinraja
Level 9

Yes, BR, you are right. Since there are no specific ACLs matching the outside global IP 10.0.0.1, you can have a deny ip any any (though it is implicitly denied) for management purposes. Now when the packet matches the permit statement, syslog isn't triggered, but when the packet hits the deny, the PIX firewall generates a syslog message similar to this:

%PIX-4-106019: IP packet from source_addr to 10.0.0.1, protocol protocol received from interface outside deny by access-group outside.

Have appropriate logging levels configured for this message to come: "logging buffered". But when we need such implicit messages, we might need debug level, and that would fill the logs fast, depending on the traffic pattern...

Hope this helps. All the best.

Raj

Hi Raj, and thanks for the help.

We do have a "deny ip any any" statement in the acl-outside, but that doesn't make it log the attempts on port 25 on the 10.0.0.1 IP.

We also have debugging on, which sends all the packets to the syslog servers, but that doesn't give any "hits" either.

I'm guessing we have to make a "deny tcp any host 10.0.0.1 eq 25" just to get it into the ACL... hopefully that will help.

I hope it doesn't need a static statement to log attempts.

Thanks for the advice though.

BR, and merry Christmas!

Kureli Sankar
Cisco Employee

I don't believe so. The firewall would just drop it.

In 7.x and above code, the following can be seen in the "asp drop" capture.

syntax: cap capasp type asp-drop all

sh cap capasp

  37: 16:59:21.420571 802.1Q vlan#10 P0 10.117.14.66.53098 > 172.18.254.34.33389: S 2378760599:2378760599(0) win 65535
timestamp 472649372 0,sackOK,eol> Drop-reason: (acl-drop) Flow is denied by configured rule

-KS
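The syslog messages Raj and KS describe, as an added example that is not part of the thread: a small Python filter that pulls the deny messages for one destination host and port out of a syslog feed, so that a bounce aimed at the NAT address can be found once the firewall does log it. The message IDs and formats are the standard PIX/ASA syslog messages 106023 (ACL deny for TCP/UDP/ICMP), 106019 (ACL deny for other IP protocols) and 106011 (inbound packet refused because no translation exists); all addresses, ports and the ACL name in the sample lines are constructed for this example.

```python
"""Filter PIX/ASA deny syslog messages for a given destination host/port.

Added example for the thread above, not code from the original posts. Message
formats follow the standard PIX/ASA syslog IDs 106023, 106019 and 106011; the
sample lines below are constructed (RFC 5737 addresses, made-up ports and ACL name).
"""
import re
from typing import Optional

# Constructed sample feed: two ACL denies to the NAT address, one no-xlate deny,
# one 106019 (non-TCP/UDP protocol, so no ports) and one permitted connection.
SAMPLE_SYSLOG = """\
%PIX-4-106023: Deny tcp src outside:192.0.2.10/33145 dst inside:10.0.0.1/25 by access-group "acl-outside"
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:198.51.100.7/51002 dst outside:10.0.0.1/25
%PIX-4-106019: IP packet from 203.0.113.9 to 10.0.0.1, protocol 47 received from interface "outside" deny by access-group "acl-outside"
%PIX-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.10/33145 (192.0.2.10/33145) to inside:10.1.1.5/25 (10.0.0.1/25)
%PIX-4-106023: Deny udp src outside:192.0.2.20/53 dst inside:10.0.0.1/161 by access-group "acl-outside"
"""

# %PIX-<severity>-<six-digit id>: <body>   (ASA uses %ASA-... with the same layout)
HEADER = re.compile(r'%(?:PIX|ASA)-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$')

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
# ICMP variants carry no /port, so the port groups are optional and yield None.
ACL_DENY = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? by access-group "(?P<acl>[^"]+)"'
)
# 106011: Deny inbound (No xlate) <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
NO_XLATE = re.compile(
    r'Deny inbound \(No xlate\) (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
)
# 106019: IP packet from <ip> to <ip>, protocol <n> received from interface "<if>" deny by access-group "<acl>"
IP_DENY = re.compile(
    r'IP packet from (?P<src>[\d.]+) to (?P<dst>[\d.]+), protocol (?P<proto>\d+) '
    r'received from interface "?(?P<src_if>[\w-]+)"? deny by access-group "?(?P<acl>[\w-]+)"?'
)


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value else None


def parse_deny(line: str) -> Optional[dict]:
    """Return a normalised record for a deny message, or None for any other line."""
    m = HEADER.search(line)
    if not m:
        return None
    body = m.group("body")
    hit = {"msg_id": m.group("msg_id"), "severity": int(m.group("sev"))}
    if (d := NO_XLATE.search(body)):
        # Refused for lack of a translation, not by an ACL: no access-group name.
        hit.update(kind="no-xlate", proto=d["proto"], src=d["src"], dst=d["dst"],
                   dport=_port(d["dport"]), acl=None)
    elif (d := ACL_DENY.search(body)):
        hit.update(kind="acl-deny", proto=d["proto"], src=d["src"], dst=d["dst"],
                   dport=_port(d["dport"]), acl=d["acl"])
    elif (d := IP_DENY.search(body)):
        # 106019 carries an IP protocol number and no ports.
        hit.update(kind="acl-deny", proto=d["proto"], src=d["src"], dst=d["dst"],
                   dport=None, acl=d["acl"])
    else:
        return None
    return hit


def denies_to(lines, host: str, port: Optional[int] = None) -> list:
    """Deny records whose destination is host (and port, when one is given)."""
    out = []
    for line in lines:
        hit = parse_deny(line)
        if hit is None or hit["dst"] != host:
            continue
        if port is not None and hit["dport"] != port:
            continue
        out.append(hit)
    return out


if __name__ == "__main__":
    for h in denies_to(SAMPLE_SYSLOG.splitlines(), "10.0.0.1", 25):
        print(h["msg_id"], h["kind"], h["proto"], h["src"], "->", h["dst"], h["dport"], h["acl"])
```

The filter deliberately matches 106011 alongside the access-group denies: an inbound packet to an outside address with no translation is refused for lack of an xlate rather than by the ACL, and that message is logged at severity 3 with no ACL name, so a search keyed only on "access-group" or on the acl-outside name would miss it.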
