New Member

PIX Logging question

Hi everyone.

I have a question regarding how the PIX handles logging. PIX 515E, IOS 6.3(5).

We currently have an outside global nat (ip example 10.0.0.1) that we send out emails from.

Sometimes it happens that our customers send emails (bounces after a while) back to our NAT IP, and we would like to find this in our syslog.

Problem is, since we don't have 10.0.0.1 (outside NAT) anywhere in our "acl-outside", which is bound to interface outside, we don't get any hits on the ACL = no logging to syslog on deny rules?

Shouldn't a "deny ip any any" make a deny statement in the log for any attempts from the outside trying to access our 10.0.0.1, even though we don't have a static statement?

If I do a capture on the interface with that specific IP, we can see requests coming in, but it doesn't show in the log / syslog for those attempts.

Does anyone understand what I'm trying to say?

Thanks

BR

3 REPLIES

Re: PIX Logging question

Ya BR. You are right.. Since there are no specific ACLs matching the outside global IP 10.0.0.1, you can have a deny ip any any (though it is implicitly denied), for management purposes.. Now when the packet matches the permit statement, syslog isn't triggered, but when the packet hits the deny, the PIX firewall generates a syslog message similar to this:

%PIX-4-106019: IP packet from source_addr to 10.0.0.1, protocol protocol received from interface outside deny by access-group outside.

Have appropriate logging levels configured for this message to come.. "logging buffered", but when we need such implicit messages, we might need debug level, and that would fill the logs fast, depending on the traffic pattern...

Hope this helps.. all the best..

Raj

New Member

Re: PIX Logging question

Hi Raj and thanks for the help

We do have a "deny ip any any" statement in the acl-outside, but that doesn't make it log the attempts on port 25 on the 10.0.0.1 IP.

We also have debugging on, which sends all the packets to the syslog servers.. but that doesn't give any "hits" either.

I'm guessing we have to make a "deny tcp any host 10.0.0.1 eq 25" just to get it into the acl... hopefully that will help..

I hope it doesn't need a static statement to log attempts.

Thanks for the advice though.

BR and merry christmas !

Cisco Employee

Re: PIX Logging question

I don't believe so. The firewall would just drop it.

In the 7.x and above code the following can be seen in the "asp drop" capture.

syntax: cap capasp type asp-drop all

sh cap capasp

  37: 16:59:21.420571 802.1Q vlan#10 P0 10.117.14.66.53098 > 172.18.254.34.33389: S 2378760599:2378760599(0) win 65535
timestamp 472649372 0,sackOK,eol> Drop-reason: (acl-drop) Flow is denied by configured rule

-KS
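The thread's actual goal is to find, in the syslog stream, the denied packets aimed at the NAT address 10.0.0.1 (port 25 in particular). The following is an added example, not code from any poster: it parses the %PIX-4-106019 message Raj quoted (which carries no ports) together with the per-flow ACL deny %PIX-4-106023 (which does carry ports; its field layout here is from my reading of the PIX syslog reference and is an assumption), then filters by destination and optional port. The log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real logs); 10.0.0.1 is the thread's NAT address.
SAMPLE_SYSLOG = """\
%PIX-4-106019: IP packet from 198.51.100.7 to 10.0.0.1, protocol 6 received from interface outside deny by access-group outside
%PIX-4-106023: Deny tcp src outside:203.0.113.9/4410 dst inside:10.0.0.1/25 by access-group "acl-outside"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/4411 dst inside:10.0.0.1/25 by access-group "acl-outside"
%PIX-4-106023: Deny udp src outside:203.0.113.9/5000 dst inside:10.0.0.1/53 by access-group "acl-outside"
%PIX-4-106019: IP packet from 203.0.113.9 to 10.0.0.2, protocol 17 received from interface outside deny by access-group outside
%PIX-6-302010: 3 in use, 7 most used
""".splitlines()

# 106019: the message quoted in Raj's reply (no ports, protocol as a number or name).
RE_106019 = re.compile(
    r"%PIX-4-106019: IP packet from (?P<src>[^,\s]+) to (?P<dst>[^,\s]+), "
    r"protocol (?P<proto>\S+) received from interface (?P<iface>\S+) deny"
)
# 106023: per-flow ACL deny with interface:address/port on both sides (assumed layout).
RE_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\S+) src (?P<siface>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<diface>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))? by access-group"
)

def parse_deny(line):
    """Return a dict for an ACL deny line, or None for any other syslog line."""
    m = RE_106019.search(line)
    if m:
        return {"id": "106019", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"], "dport": None}
    m = RE_106023.search(line)
    if m:
        return {"id": "106023", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"].lower(),
                "dport": int(m["dport"]) if m["dport"] else None}
    return None

def denies_to(lines, nat_ip, dport=None):
    """Denied packets whose destination is nat_ip. A dport filter only applies to
    106023 records; 106019 has no port, so those are kept (they may still be port 25)."""
    hits = []
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["dst"] != nat_ip:
            continue
        if dport is not None and rec["dport"] not in (None, dport):
            continue
        hits.append(rec)
    return hits

def top_sources(hits):
    """Sources ranked by number of denied packets, e.g. bouncing mail servers."""
    return Counter(r["src"] for r in hits).most_common()
```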
