03-23-2010 05:18 AM - edited 03-06-2019 10:16 AM
Hi there,
I am part of a team project at Glasgow Cali Uni. Was wondering if anyone knew how to log blocked traffic on the router. I know as much as that I need to set up an access list and the only traffic I should allow is Internet and email traffic (the protocols I think should be permitted are http, smtp, pop3 and telnet), and our spec says that all other traffic should be blocked and logged.
Any tips, hints or ways to go about it would be much appreciated.
cheers
03-23-2010 05:36 AM
Do a permit any any log at the end of an ACL since you have to set one up to permit certain traffic anyway.
ip access-list extended xxxx
permit tcp any any eq 80
...
deny ip any any log
HTH,
jerry
03-30-2010 03:02 AM
Hi there,
I tried that but I could not get the logging to work. So far I have
An-Teallach-Main(config)#ip access-list
% Incomplete command.
An-Teallach-Main(config)#ip access-list extended xxxx
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 80
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 23
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 110
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 465
An-Teallach-Main(config-ext-nacl)#deny ip any any log
^
% Invalid input detected at '^' marker.
An-Teallach-Main(config-ext-nacl)#exit
An-Teallach-Main(config)#deny ip any any log
^
% Invalid input detected at '^' marker.
An-Teallach-Main(config)#deny ip any log
^
% Invalid input detected at '^' marker.
An-Teallach-Main(config)#ip access-list extended xxxx
An-Teallach-Main(config-ext-nacl)#deny ip any any log
^
% Invalid input detected at '^' marker.
Sorry, we are really inexperienced when working with these sorts of router commands.
I take it that I have enabled http, smtp, pop3 and telnet, but I need to be able to log any other disabled protocols.
cheers
03-30-2010 03:08 AM
Jonathan
An-Teallach-Main(config)#ip access-list extended xxxx
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 80
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 23
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 110
An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 465
An-Teallach-Main(config-ext-nacl)#deny ip any any log
That is strange that it is not allowing you to enter the final deny line. What device and IOS version are you running ?
Try this instead -
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 110
access-list 101 permit tcp any any eq 465
access-list 101 deny ip any any log
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
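Once the final deny line with the log keyword is in place, the router emits %SEC-6-IPACCESSLOG* syslog messages for each denial it matches. The following Python parser is added here as an example (it is not code from this thread or from Cisco); it assumes the standard IOS message format and tallies denied packets per source address and per destination service from constructed sample log lines.

```python
import re
from collections import Counter

# Matches the %SEC-6-IPACCESSLOG* family of IOS messages (assumed format):
#   IPACCESSLOGP  - tcp/udp, source/destination carry ports in parentheses
#   IPACCESSLOGDP - icmp, followed by (type/code)
#   IPACCESSLOGNP - any other protocol, given as a protocol number
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict of the ACL log fields, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])  # IOS summarises repeats as "N packets"
    return rec

def summarize_denied(lines):
    """Tally denied packets by source IP and by (protocol, destination service)."""
    by_src, by_service = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        by_src[rec["src"]] += rec["count"]
        service = rec["dport"] or rec["icmp"]  # port, icmp type/code, or None
        by_service[(rec["proto"], service)] += rec["count"]
    return by_src, by_service

# Constructed sample lines in the shape a syslog server would store them.
SAMPLE = [
    "Mar 30 10:02:11 rtr 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(51234) -> 198.51.100.5(445), 1 packet",
    "Mar 30 10:07:11 rtr 46: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(51235) -> 198.51.100.5(445), 4 packets",
    "Mar 30 10:07:30 rtr 47: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.77 -> 198.51.100.5 (8/0), 2 packets",
    "Mar 30 10:08:02 rtr 48: %SEC-6-IPACCESSLOGNP: list 101 denied 47 192.0.2.33 -> 198.51.100.5, 1 packet",
    "Mar 30 10:09:00 rtr 49: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    by_src, by_service = summarize_denied(SAMPLE)
    print("top blocked sources:", by_src.most_common(3))
    print("top blocked services:", by_service.most_common(3))
```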
03-30-2010 03:22 AM
I'm using Packet Tracer and I think that is why it is not letting me log for some reason? Some of the commands seem to be slightly different.
03-30-2010 03:33 AM
An-Teallach-Main(config)#access-list 101 ip any any log
^
% Invalid input detected at '^' marker.
An-Teallach-Main(config)#
I did everything as instructed but it seems to fall at the final hurdle regarding the logging.
Any help would be great.
03-30-2010 04:22 AM
On production equipment it would allow you to enter the command. Sometimes the simulation stuff doesn't include even the real basic commands.
03-31-2010 04:32 AM
Seems really strange; it's a 2811 Cisco router and it has accepted every other command I have thrown at it. It must be done as it is part of the coursework, which specifies we must use this router. Can the logging possibly be done server side in this way?
03-31-2010 04:49 AM
Do you mean on the syslog server side? If that is what you want, I don't think that is possible.
Regards,
jerry
Cisco will donate $1 to the American Red Cross Haiti fund for every rated post.