How to log traffic going through pix

Hi

I have a pix 515, and I'd like to log all traffic that goes through. The aim of my exercise is to see which servers are making https requests to a site with IP a.b.c.d. Currently I have the following config:

logging on
logging timestamp
logging console warnings
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 10.11.9.19
no logging message 106015
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016

Currently the above config is only showing me deny statements, not showing me all requests going through. Any ideas?

Thanks for any help

Dan

3 REPLIES

Re: How to log traffic going through pix

You could create a specific permit statement and log it. That will make the logs easier to read.

access-list inside_access permit tcp object-group SERVERS host a.b.c.d eq 443 log

HTH and please rate.

Re: How to log traffic going through pix

Hi Dan,

You are not receiving the TCP built connection events in your syslog server, because logging of that particular event is disabled in your config.

Syslog event ID 305011 is for sending syslog messages for the new TCP/UDP/ICMP connections that are built in the state table of the firewall.

As you have disabled this event in your configuration, you are not receiving this event.

Refer to this URL for explanation of syslog message numbers.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0cd.html#wp1039175

To enable the same, issue the following command in the global config of the firewall.

logging message 302015

Now you should receive the messages in your syslog server for the new tcp/udp/icmp connections that are getting built in your firewall.

However, you should note that you cannot filter the generation of any syslog event by source/dest IP.

So by enabling the above statement, you will get the tcp/udp/icmp connections that are getting built for all the traffic in the firewall, not just restricted to any source/destination ip addresses.

Hence you would have to examine the actual file in your syslog server, to which those syslog messages are logged, to search for any specific entry.

Hope this helps. Kindly rate the post if it does.

-VJ
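
Because the firewall cannot filter syslog generation by address, the filtering has to happen on the syslog server's file. The following is an added example, not part of any post in this thread: it lists which hosts opened TCP connections to one IP on port 443. It assumes message 302013 ("Built TCP connection") is enabled and arrives in the layout shown in the comment; 203.0.113.10 stands in for a.b.c.d, and every sample line is constructed.

```python
import re
from collections import Counter

# Assumed layout of PIX message 302013 (TCP connection built):
# %PIX-6-302013: Built outbound TCP connection N for IF:IP/port (IP/port) to IF:IP/port (IP/port)
BUILT_TCP = re.compile(
    r"%PIX-6-302013: Built (?:inbound|outbound) TCP connection \d+ for "
    r"[^:\s]+:(?P<ip1>[\d.]+)/(?P<port1>\d+) \([^)]*\) to "
    r"[^:\s]+:(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)

def https_clients(lines, target_ip, target_port=443):
    """Count built TCP connections per peer host to target_ip:target_port."""
    hits = Counter()
    for line in lines:
        m = BUILT_TCP.search(line)
        if not m:
            continue  # denies, UDP builds, teardowns and anything else
        ends = [(m["ip1"], int(m["port1"])), (m["ip2"], int(m["port2"]))]
        # The target can be listed first or second depending on direction,
        # so test both endpoints and count the opposite one as the client.
        for i, (ip, port) in enumerate(ends):
            if ip == target_ip and port == target_port:
                hits[ends[1 - i][0]] += 1
                break
    return hits

# Constructed sample of a syslog server file (hostname "pix515" is hypothetical).
SAMPLE_LOG = """\
Mar 03 10:15:01 pix515 %PIX-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.11.9.21/1045 (198.51.100.5/1045)
Mar 03 10:15:02 pix515 %PIX-6-302013: Built outbound TCP connection 102 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.11.9.22/1046 (198.51.100.5/1046)
Mar 03 10:15:03 pix515 %PIX-4-106023: Deny tcp src inside:10.11.9.30/1050 dst outside:203.0.113.10/443 by access-group "inside_access"
Mar 03 10:15:04 pix515 %PIX-6-302013: Built outbound TCP connection 103 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.11.9.23/1047 (198.51.100.5/1047)
Mar 03 10:15:05 pix515 %PIX-6-302013: Built outbound TCP connection 104 for outside:203.0.113.100/443 (203.0.113.100/443) to inside:10.11.9.24/1048 (198.51.100.5/1048)
Mar 03 10:15:06 pix515 %PIX-6-302013: Built outbound TCP connection 105 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.11.9.21/1049 (198.51.100.5/1049)
Mar 03 10:15:07 pix515 %PIX-6-302015: Built outbound UDP connection 106 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.11.9.25/1051 (198.51.100.5/1051)
Mar 03 10:15:08 pix515 %PIX-6-302013: Built inbound TCP connection 107 for outside:198.51.100.77/2000 (198.51.100.77/2000) to inside:10.11.9.40/443 (198.51.100.6/443)
""".splitlines()

if __name__ == "__main__":
    for host, count in https_clients(SAMPLE_LOG, "203.0.113.10").most_common():
        print(f"{host}\t{count}")
```

To run it against a real file, pass the open file object as `lines` instead of `SAMPLE_LOG`.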

Re: How to log traffic going through pix

The best way I know to get those messages is to set up an ACL on the interfaces you want to log and make sure the log command is in the ACL.

Ex.

access-list Test extended permit ip any any log informational
