Cisco Support Community

Logging ACL permit statements

I have a customer with a PIX 515 running 6.3. They have an appliance running a web server and they allow port 80 to a public IP. This is working but they want to log the actual IPs being used to access the web server. They have this currently:

access-list out_in permit tcp any host eq https

I've tried

access-list out_in permit tcp any host eq https log

but this does not generate any syslog messages. I tried using log-input but it gives me an extra command argument(s).

The customer doesn't have access to the external router so is there any way to record the IP addresses that are being allowed through this acl? The appliance has a log but it does not include this information and is not customizable.


Re: Logging ACL permit statements

This is very easy:

conf t
logging on
logging timestamp
logging facility 19
logging host outside
logging trap 6

Once you have this, assume your syslog server is and it is Linux, modify the /etc/syslog.conf to include this line:

local3.* /var/log/cisco.log

make sure you allow syslog to your linux box in the /etc/sysconfig/syslog file:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r -x"

restart your syslog with "service syslog restart"

Now do this: tail -f /var/log/cisco.log | grep where is the External IP address of my Pix firewall:

May 5 22:28:20 May 06 2008 00:47:05: %PIX-6-106100: access-list External permitted tcp outside/ -> inside/ hit-cnt 1 first hit
May 5 22:28:20 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside: ( to inside: (

I am using NetBIOS as an example but you get the idea. You may also want to suppress a lot of translation messages with "no logging message xxxxxx"

Easy right?

CCIE Security
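As an added example (not part of the original thread), here is a small Python parser that does offline what the tail | grep in the answer does interactively: it pulls the source addresses out of the %PIX-6-106100 and %PIX-6-302013 messages the answer shows and tallies them per ACL and per action. The log lines embedded in it are constructed for this example with RFC 5737 documentation addresses; the ACL name out_in, the server's inside address and the public address are assumptions, not values from the thread.

```python
"""Tally the source IPs a PIX reports as permitted through an ACL.

Added example for the thread above; the sample log is constructed, not taken
from a real firewall. It parses the two message types the answer shows:
  %PIX-6-106100  ACL hit (produced by the 'log' keyword on the ACE)
  %PIX-6-302013  connection built (emitted for every permitted TCP connection)
"""
import re
from collections import Counter

# Constructed sample of /var/log/cisco.log. Syslog server timestamp first, then
# the PIX's own timestamp (from 'logging timestamp'), as in the answer's output.
# Addresses are RFC 5737 documentation ranges; the ACL name out_in is assumed.
SAMPLE_LOG = """\
May  6 00:47:05 May 06 2008 00:47:05: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.10(51234) -> inside/192.168.1.20(443) hit-cnt 1 first hit [0x8bc6e8a1, 0x0]
May  6 00:47:05 May 06 2008 00:47:05: %PIX-6-302013: Built inbound TCP connection 237480 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:192.168.1.20/443 (198.51.100.5/443)
May  6 00:52:05 May 06 2008 00:52:05: %PIX-6-106100: access-list out_in permitted tcp outside/203.0.113.10(51300) -> inside/192.168.1.20(443) hit-cnt 7 300-second interval [0x8bc6e8a1, 0x0]
May  6 00:53:11 May 06 2008 00:53:11: %PIX-6-106100: access-list out_in permitted tcp outside/198.51.100.77(40001) -> inside/192.168.1.20(443) hit-cnt 1 first hit [0x8bc6e8a1, 0x0]
May  6 00:53:12 May 06 2008 00:53:12: %PIX-6-106100: access-list out_in denied tcp outside/198.51.100.77(40002) -> inside/192.168.1.20(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May  6 00:54:00 May 06 2008 00:54:00: %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.50/1025 to outside:198.51.100.5/2048
"""

# %PIX-n-106100: access-list <acl> permitted|denied|est-allowed <proto>
#   <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> (first hit | <n>-second interval) [hashes]
ACL_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# %PIX-n-302013: Built inbound|outbound TCP connection <id> for
#   <if>:<real_src>/<port> (<mapped_src>/<port>) to <if>:<real_dst>/<port> (<mapped_dst>/<port>)
CONN_RE = re.compile(
    r"%PIX-\d-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) \((?P<mapped_src>[^/\s]+)/\d+\) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) \((?P<mapped_dst>[^/\s]+)/\d+\)"
)


def parse_acl_line(line):
    """Return the fields of a 106100 ACL-hit message, or None for any other line."""
    m = ACL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def parse_conn_line(line):
    """Return the fields of a 302013 connection-built message, or None otherwise."""
    m = CONN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "conn_id"):
        rec[key] = int(rec[key])
    return rec


def acl_sources(log_text, acl=None, action="permitted"):
    """Count ACL hits per source address for one action (default: permitted).

    Each count is weighted by hit-cnt: the PIX rate-limits 106100, so after the
    'first hit' message it reports an aggregated count per interval rather than
    one message per packet. Restrict to a single ACL with acl="out_in".
    """
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_line(line)
        if rec is None or rec["action"] != action:
            continue
        if acl is not None and rec["acl"] != acl:
            continue
        totals[rec["src"]] += rec["hits"]
    return totals


def inbound_connection_sources(log_text):
    """Count inbound TCP connections built, per real source address (302013)."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is not None and rec["direction"] == "inbound":
            totals[rec["src"]] += 1
    return totals


if __name__ == "__main__":
    print("permitted through out_in:", dict(acl_sources(SAMPLE_LOG, acl="out_in")))
    print("denied by out_in:       ", dict(acl_sources(SAMPLE_LOG, acl="out_in", action="denied")))
    print("inbound connections:    ", dict(inbound_connection_sources(SAMPLE_LOG)))
```

Two checks worth doing before blaming the ACL when nothing shows up: "logging facility 19" is local3 (syslog facility codes 16 to 23 map to local0 to local7), which is why the syslog.conf selector in the answer is local3.*, and "logging trap 6" must be at least informational because both 106100 and 302013 are level 6 messages. Note also that 106100 is only produced for ACEs carrying the log keyword and is rate-limited (one "first hit" message, then an aggregated hit-cnt per interval), whereas 302013 is emitted for every TCP connection built, so the connection messages are usually the more complete record of who reached the server.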
