Router Logging

Unanswered Question
Mar 23rd, 2010

Hi there,

I am part of a team project at Glasgow Cali Uni. I was wondering if anyone knew how to log blocked traffic on the router. I know as much as that I need to set up an access list and the only traffic I should allow is Internet and email traffic (the protocols I think should be permitted are http, smtp, pop3 and telnet), and our spec says that all other traffic should be blocked and logged.

Any tips, hints or ways to go about it would be much appreciated.

cheers

Jerry Ye Tue, 03/23/2010 - 05:36

Do a permit any any log at the end of an ACL since you have to set one up to permit certain traffic anyway.

ip access-list extended xxxx
permit tcp any any eq 80
... ...
deny ip any any log

HTH,

jerry

Gardiner2 Tue, 03/30/2010 - 03:02

Hi there,

I tried that but I could not get the logging to work. So far I have

An-Teallach-Main(config)#ip access-list
% Incomplete command.

An-Teallach-Main(config)#ip access-list extended xxxx
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 80
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 23
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 110
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 465
An-Teallach-Main(config-ext-nacl)#deny ip any any log
                                                  ^
% Invalid input detected at '^' marker.

An-Teallach-Main(config-ext-nacl)#exit
An-Teallach-Main(config)#deny ip any any log
                          ^
% Invalid input detected at '^' marker.

An-Teallach-Main(config)#deny ip any log
                          ^
% Invalid input detected at '^' marker.

An-Teallach-Main(config)#ip access-list extended xxxx
An-Teallach-Main(config-ext-nacl)#deny ip any any log
                                                  ^
% Invalid input detected at '^' marker.

Sorry, we are really inexperienced when working with these sorts of router commands.

I take it that I have enabled http, smtp, pop3 and telnet, but I need to be able to log any other disabled protocols.

cheers

Jon Marshall Tue, 03/30/2010 - 03:08

Jonathan

An-Teallach-Main(config)#ip access-list extended xxxx
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 80
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 23
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 110
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 465
An-Teallach-Main(config-ext-nacl)#deny ip any any log

That is strange that it is not allowing you to enter the final deny line. What device and IOS version are you running ?

Try this instead -

access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 110
access-list 101 permit tcp any any eq 465
access-list 101 deny ip any any log

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Gardiner2 Tue, 03/30/2010 - 03:22

I'm using Packet Tracer and I think that is why it is not letting me log, for some reason? Some of the commands seem to be slightly different.

Gardiner2 Tue, 03/30/2010 - 03:33

An-Teallach-Main(config)#access-list 101 ip any any log
                                         ^
% Invalid input detected at '^' marker.

An-Teallach-Main(config)#

I did everything as instructed but it seems to fall at the final hurdle regarding the logging.

Any help would be great.

droeun141 Tue, 03/30/2010 - 04:22

On production equipment it would allow you to enter the command. Sometimes the simulation stuff doesn't include even the real basic commands.

Gardiner2 Wed, 03/31/2010 - 04:32

Seems really strange; it's a Cisco 2811 router and it has accepted every other command I have thrown at it. It must be done, as it is part of the coursework, which specifies we must use this router. Can the logging possibly be done server side in this way?
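None of the replies say where the logged hits end up: IOS reports them as %SEC-6-IPACCESSLOG* syslog messages, which the router can forward to a syslog server with "logging host". The Python below is an added example, not code from any poster in this thread, that parses such messages on the server side into per-source deny counts; the sample lines are constructed in that message format and were not captured from the router in the thread.

```python
import re
from collections import Counter

# Constructed sample syslog in the format IOS uses for "deny ... log" hits:
# IPACCESSLOGP (tcp/udp, with ports), IPACCESSLOGDP (icmp, with type/code),
# IPACCESSLOGNP (other IP protocols). Not captured from the poster's router.
SAMPLE_SYSLOG = """\
Mar 30 03:40:12.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.15(52100) -> 198.51.100.7(445), 1 packet
Mar 30 03:40:15.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.15(5353) -> 198.51.100.255(5353), 3 packets
Mar 30 03:41:02.789: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.20 -> 198.51.100.7 (8/0), 4 packets
Mar 30 03:41:09.001: %SEC-6-IPACCESSLOGNP: list 101 denied 47 192.0.2.30 -> 198.51.100.7, 1 packet
Mar 30 03:45:00.000: %SYS-5-CONFIG_I: Configured from console by console
"""

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_denies(text):
    """Return one dict per ACL-deny message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        events.append({
            "acl": m["acl"], "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
            "icmp": m["icmp"],  # "type/code", present for ICMP messages only
            "packets": int(m["count"]),
        })
    return events


def summarize(events):
    """Denied packets per (source, protocol, destination port): the view to
    review when checking what the final 'deny ip any any log' entry caught."""
    totals = Counter()
    for e in events:
        totals[(e["src"], e["proto"], e["dport"])] += e["packets"]
    return totals


if __name__ == "__main__":
    for key, n in summarize(parse_denies(SAMPLE_SYSLOG)).most_common():
        print(key, n)
```

The ACL only produces these messages once it is applied to an interface (ip access-group 101 in), and the router must send severity 6 messages to the collector (logging trap informational), since ACL log hits are informational-level.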
