02-10-2006 01:51 AM - edited 02-21-2020 12:42 AM
Hello all, I have a problem with a Cisco PIX (535, version 7.0) and I hope that someone can help me solve it:
In my opinion I should get a log message for every matching connection if I add a log entry to an extended access list like:
access-list dmz_out extended permit ip x.x.x.x 255.255.255.0 any log informational interval 300 (hitcnt=333)
I get hit counts but no logs. Where are they? Or will the PIX only log messages which belong to deny ACEs?
Thanking you in advance for your help in this matter
02-10-2006 03:39 AM
Hi,
do find some notes below on the error message which you have posted here.
106100
Error Message %PIX-n-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
Explanation This message reports when packets match an ACL statement, if you configured the log option for the access-list command. The message level depends on the level set in the access-list command (by default, the level is 6). The message indicates either the initial occurrence or the total number of occurrences during an interval. This message provides more information than message 106023, which only logs denied packets, and does not include the hit count or a configurable level. See the following descriptions:
{permitted | denied | est-allowed} - These values specify if the packet was permitted or denied by the ACL. If the value is est-allowed, then the packet was denied by the ACL, but the packet was allowed for an already established session (for example, an internal user is allowed to access the Internet, and responding packets are allowed back).
protocol - tcp, udp, icmp, or an IP protocol number.
interface_name - The interface name for the source or destination of the logged flow. VLAN interfaces are supported.
source_address - The source IP address of the logged flow.
dest_address - The destination IP address of the logged flow.
source_port - The source port of the logged flow (TCP or UDP). For ICMP, this field is 0.
dest_port - The destination port of the logged flow (TCP or UDP). For ICMP, this field is icmp-type.
hit-cnt number - The number of times this flow was permitted or denied by this ACL entry in the configured time interval. The value is 1, however, when the firewall generates the first syslog message for this flow.
first hit - The first message generated for this flow.
number-second interval - The interval in which the hit count is accumulated. Set this interval using the access-list command interval option.
Recommended Action None required
regds
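The 106100 layout quoted in the reply above is regular enough to parse mechanically, which is what you want on the syslog-server side when you are checking whether permitted ACEs are actually being reported. The following is an added example, not code from the thread or from Cisco: it parses the documented fields, tells "first hit" messages apart from interval summaries, and totals hits per action for one ACL. The sample log lines are constructed from the documented format (RFC 5737 test addresses), and the optional trailing "[0x..., 0x...]" hash pair is an assumption carried over from ASA output; the PIX 7.0 text quoted above does not mention it.

```python
"""Parse Cisco PIX/ASA %PIX-n-106100 access-list log messages.

Added example, not from the thread. Sample lines are constructed from the
106100 message format, not captured from a real device.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Field order follows the documented layout:
#   access-list acl_ID {permitted|denied|est-allowed} protocol
#   src_if/src_addr(src_port) -> dst_if/dst_addr(dst_port)
#   hit-cnt number ({first hit | N-second interval})
# The bracketed hash pair at the end is optional (assumption: ASA appends it).
MSG_106100 = re.compile(
    r"%(?P<platform>PIX|ASA)-(?P<level>\d)-106100:\s+"
    r"access-list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permitted|denied|est-allowed)\s+"
    r"(?P<proto>\S+)\s+"
    r"(?P<src_if>[^/\s]+)/(?P<src_addr>[^(\s]+)\((?P<src_port>[^)]*)\)\s+->\s+"
    r"(?P<dst_if>[^/\s]+)/(?P<dst_addr>[^(\s]+)\((?P<dst_port>[^)]*)\)\s+"
    r"hit-cnt\s+(?P<hits>\d+)\s+"
    r"(?P<window>first hit|\d+-second interval)"
    r"(?:\s+\[[^\]]*\])?\s*$"
)


@dataclass
class AclHit:
    level: int            # n in %PIX-n-106100, the severity set on the ACE
    acl: str
    action: str           # permitted | denied | est-allowed
    proto: str
    src_if: str
    src_addr: str
    src_port: str         # "0" for ICMP
    dst_if: str
    dst_addr: str
    dst_port: str         # icmp-type for ICMP
    hits: int
    interval: Optional[int]   # None for a "first hit" message


def parse_106100(line: str) -> Optional[AclHit]:
    """Return the parsed hit, or None if the line is not a 106100 message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    window = m.group("window")
    interval = None if window == "first hit" else int(window.split("-", 1)[0])
    return AclHit(
        level=int(m.group("level")),
        acl=m.group("acl"), action=m.group("action"), proto=m.group("proto"),
        src_if=m.group("src_if"), src_addr=m.group("src_addr"),
        src_port=m.group("src_port"),
        dst_if=m.group("dst_if"), dst_addr=m.group("dst_addr"),
        dst_port=m.group("dst_port"),
        hits=int(m.group("hits")), interval=interval,
    )


def summarize(lines: Iterable[str], acl_name: str) -> Dict[str, int]:
    """Total hit counts per action for one ACL across a batch of syslog lines."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        hit = parse_106100(line)
        if hit is not None and hit.acl == acl_name:
            totals[hit.action] += hit.hits
    return dict(totals)


# Constructed sample log, including a timestamp/hostname prefix on one line and
# an unrelated 106023 message that must be ignored.
SAMPLE_LOG = [
    "%PIX-6-106100: access-list dmz_out permitted tcp dmz/192.0.2.10(34567) "
    "-> outside/198.51.100.5(80) hit-cnt 1 first hit",
    "Feb 14 2006 02:43:11 pix535 : %PIX-6-106100: access-list dmz_out denied udp "
    "dmz/192.0.2.11(53210) -> outside/198.51.100.53(53) hit-cnt 12 300-second interval",
    "%PIX-6-106100: access-list dmz_out est-allowed icmp dmz/192.0.2.12(0) "
    "-> outside/198.51.100.9(0) hit-cnt 3 300-second interval [0x8ed66b60, 0x0]",
    "%PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst dmz:192.0.2.10/23 "
    "by access-group \"outside_in\"",
]

if __name__ == "__main__":
    for hit in filter(None, map(parse_106100, SAMPLE_LOG)):
        print(hit)
    print(summarize(SAMPLE_LOG, "dmz_out"))
```

Feeding the parser the real syslog-server capture for the ACE in question is a quick way to separate "the PIX never emits the message" from "the message arrives but is filtered out before it reaches the buffer or server": if nothing parses at all, the problem is on the firewall side.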
02-14-2006 02:43 AM
Thank you for your quick reply, but the problem is not the interpretation of the log message 106100 but that there is no log entry at all. I have configured a syslog server which works fine, and I can have a look at log messages on the command line (sh logging), but I cannot find any log message entries concerning the posted (permit) ACE statement.
some data:
SWVersion: 7.0 (4)
HW: PIX 535
sh logging message 106100:
syslog 106100: default-level informational (enabled)
Again: there are hit counts (sh access-list xxx) but no log messages to the log server or to the buffer!!!
Have I forgotten to configure something else?
regds