How to log traffic going through pix

dan_track
Level 1

Hi

I have a pix 515, and I'd like to log all traffic that goes through. The aim of my exercise is to see which servers are making https requests to a site with IP a.b.c.d. Currently I have the following config:

logging on
logging timestamp
logging console warnings
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 10.11.9.19
no logging message 106015
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016

Currently the above config is only showing me deny statements, not showing me all requests going through. Any ideas?

Thanks for any help

Dan

3 Replies

Collin Clark
VIP Alumni

You could create a specific permit statement and log it. That will make the logs easier to read.

access-list inside_access permit tcp object-group SERVERS host a.b.c.d eq 443 log

HTH and please rate.

vijayasankar
Level 4

Hi Dan,

You are not receiving the TCP built connection events in your syslog server, because logging of that particular event is disabled in your config.

Syslog event ID 305011 is for sending syslog messages for the new TCP/UDP/ICMP connections that are built in the state table of the firewall.

As you have disabled this event in your configuration, you are not receiving this event.

Refer to this URL for explanation of syslog message numbers.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0cd.html#wp1039175

To enable the same, issue the following command in the global config of the firewall.

logging message 302015

Now you should receive the messages in your syslog server for the new tcp/udp/icmp connections that are getting built in your firewall.

However you should make a note that you cannot filter the generation of any syslog event by source/dest ip.

So by enabling the above statement, you will get the tcp/udp/icmp connections that are getting built for all the traffic in the firewall, not just restricted to any source/destination ip addresses.

Hence you would have to examine the actual file in your syslog server, to which those syslog messages are logged, to search for any specific entry.

Hope this helps. Kindly rate the post if it does.

-VJ

rmundy
Level 1

The best way I know to get those messages is to set up an ACL on the interfaces you want to log and make sure the log command is in the ACL.

Ex.

access-list Test extended permit ip any any log informational
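Both approaches in this thread end the same way: the PIX cannot filter syslog generation by address, so the built-connection messages (302013) or the ACL hit messages (106100) for every flow land in the syslog file and the search for one destination has to happen there. The script below is an added example, not code from any of the posters. It parses a handful of constructed PIX syslog lines (203.0.113.10 stands in for the a.b.c.d target; the 10.11.x.x hosts are fictitious), keeps only permitted connections to the target on port 443, de-duplicates a flow that appears both as a 106100 ACL hit and as a 302013 built message, and counts distinct connections per inside server. The message layouts follow the PIX/ASA syslog message guide; the regexes assume that layout.

```python
import re
from collections import Counter

# Constructed sample syslog lines for illustration (not taken from the original post).
# 203.0.113.10 is a placeholder for the a.b.c.d target; inside hosts are fictitious.
SAMPLE_LOG = """\
Jan 12 2009 10:01:02: %PIX-6-302013: Built outbound TCP connection 10231 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.11.5.7/51234 (10.11.5.7/51234)
Jan 12 2009 10:01:05: %PIX-6-302013: Built outbound TCP connection 10232 for outside:198.51.100.4/80 (198.51.100.4/80) to inside:10.11.5.7/51235 (10.11.5.7/51235)
Jan 12 2009 10:01:09: %PIX-6-106100: access-list inside_access permitted tcp inside/10.11.5.9(40022) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jan 12 2009 10:01:09: %PIX-6-302013: Built outbound TCP connection 10233 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.11.5.9/40022 (10.11.5.9/40022)
Jan 12 2009 10:02:30: %PIX-4-106023: Deny tcp src inside:10.11.5.20/33001 dst outside:203.0.113.10/443 by access-group "inside_access"
Jan 12 2009 10:02:41: %PIX-6-302014: Teardown TCP connection 10231 for outside:203.0.113.10/443 to inside:10.11.5.7/51234 duration 0:01:39 bytes 4821 TCP FINs
"""

# 302013: "Built {inbound|outbound} TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)"
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built (?:inbound|outbound) TCP connection \d+ "
    r"for \w+:(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)

# 106100: "access-list <acl> {permitted|denied} <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt ..."
ACL_RE = re.compile(
    r"%PIX-\d-106100: access-list \S+ (?P<action>permitted|denied) \w+ "
    r"\w+/(?P<ip1>[\d.]+)\((?P<port1>\d+)\) -> \w+/(?P<ip2>[\d.]+)\((?P<port2>\d+)\)"
)


def parse_line(line):
    """Return the two (ip, port) endpoints of a permitted/built connection, or None.

    Denies (106023, or a 106100 'denied'), teardowns and anything else are skipped,
    because the question is which servers actually made requests.
    """
    m = BUILT_RE.search(line)
    if m is None:
        m = ACL_RE.search(line)
        if m is None or m["action"] != "permitted":
            return None
    return (m["ip1"], int(m["port1"])), (m["ip2"], int(m["port2"]))


def https_clients(log_text, target_ip, target_port=443):
    """Count distinct connections per client host to target_ip:target_port."""
    flows = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ep1, ep2 = parsed
        # 302013 lists the endpoints without a src/dst label, so match the target on
        # either side and treat the other side as the requesting host.
        if ep1 == (target_ip, target_port):
            flows.add((ep2, ep1))
        elif ep2 == (target_ip, target_port):
            flows.add((ep1, ep2))
    # A single flow logged by both an ACL hit and a built message is counted once,
    # because the (client ip, client port, target) tuple is identical.
    return Counter(client_ip for (client_ip, _port), _target in flows)


if __name__ == "__main__":
    for host, count in https_clients(SAMPLE_LOG, "203.0.113.10").most_common():
        print(f"{host}\t{count} connection(s) to 203.0.113.10:443")
```

Run it against the real file by replacing SAMPLE_LOG with the contents of the syslog server's log (for example, `open("/var/log/pix.log").read()`) and passing the actual a.b.c.d address. The same parser works whether the traffic is captured with `logging message 302013` or with `log` on the permit ACE, and it ignores 302014 teardowns so a connection is not counted twice at open and close.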
