That command overrides the deny any any rule applied to all access-lists.
You could also have:
access-list deny tcp any any log
Then when you test whatever you are testing, you will see the specific tcp src & dst port numbers in question.
You could also use what the consultant advised, with the log comment on the end, but while you are testing - this comment allows ALL traffic....so say you apply this config to the outside interface, for the period of testing - your firewall is just a pass-through device, leaving you open to attack.
That's exactly the purpose. It will match the any any at the end of the access-list and from that, we wanted to see what are the ports that passed through and define them explicitly..once all is explicitly defined then only we can remove the any any..we don't want to block anything because it's in production...
There are two easy ways to do this. Get a full/trial version of fireplotter (fireplotter.com) and then analyze the traffic flow. It really is a wonderful software.
Otherwise get a syslog analysis tool like Sawmill and analyze the firewall's syslogs using it. Doing this manually will kill you basically :) The Cisco firewall generates a lot of logs! Or you can use a free syslog server (preferably UNIX) and 'grep' the right data out of it.
Already ran some software and already gathered almost all needed. We are in the process of filtering and it's in production..because of that we want to put the any any so the legitimate traffic won't be blocked in the process.
From the permit any any, we wanted to dig into the traffic match and explicitly define it on the ACE. How to dig into it is just the issue here.
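The thread's approach (a logged permit/deny any any at the end of the ACL, then grepping the syslog to see which ports actually pass) can be automated with a small parser. The script below is an added example, not code from any poster or from Cisco: it parses the two log formats a logged ACE produces on IOS (%SEC-6-IPACCESSLOGP) and ASA (%ASA-6-106100), sums permitted hits per protocol/destination/port, and prints candidate explicit ACEs. The sample log lines, addresses, ports and the ACL name "101" are constructed for the example; the packet counts in IOS messages and the hit-cnt in ASA messages are summed together, so treat the totals as a relative ranking rather than an exact packet count.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the two formats a logged ACE produces.
# Hosts, ports and the list number are made up for this example.
SAMPLE_LOGS = """\
Mar  1 10:00:01 rtr1 1234: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(49152) -> 192.168.1.10(443), 1 packet
Mar  1 10:00:02 rtr1 1235: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.6(50001) -> 192.168.1.10(443), 3 packets
Mar  1 10:00:03 rtr1 1236: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.5(53422) -> 192.168.1.53(53), 1 packet
Mar  1 10:00:04 fw1 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.7(40001) -> inside/192.168.1.20(25) hit-cnt 1 first hit [0x0, 0x0]
Mar  1 10:00:05 fw1 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.8(40002) -> inside/192.168.1.20(25) hit-cnt 4 300-second interval [0x0, 0x0]
Mar  1 10:00:06 rtr1 1237: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.9(1) -> 192.168.1.10(23), 1 packet
"""

# IOS: "list <acl> permitted|denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
IOS_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet"
)
# ASA: "access-list <acl> permitted|denied <proto> <ifc>/<src>(<sport>) -> <ifc>/<dst>(<dport>) hit-cnt <n>"
ASA_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"\S+?/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+?/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<count>\d+)"
)


def parse_line(line):
    """Return a dict of the ACL hit fields, or None if the line is not an ACL log message."""
    for pattern in (IOS_RE, ASA_RE):
        m = pattern.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            rec["count"] = int(rec["count"])
            return rec
    return None


def summarize(log_text):
    """Sum permitted hits keyed by (proto, dst, dport); denied hits are ignored
    because the goal is to write explicit permits for traffic the any any let through."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "permitted":
            flows[(rec["proto"], rec["dst"], rec["dport"])] += rec["count"]
    return flows


def suggest_aces(flows, acl_name, asa=False):
    """Render one candidate ACE per observed flow, busiest first, so the
    operator can review and add them above the logged any any."""
    keyword = "extended permit" if asa else "permit"   # ASA syntax needs "extended"
    aces = []
    for (proto, dst, dport), _ in flows.most_common():
        aces.append(f"access-list {acl_name} {keyword} {proto} any host {dst} eq {dport}")
    return aces


if __name__ == "__main__":
    flows = summarize(SAMPLE_LOGS)
    for key, hits in flows.most_common():
        print(f"{hits:6d}  {key[0]} -> {key[1]}:{key[2]}")
    print()
    for ace in suggest_aces(flows, "101"):
        print(ace)
```

Feed it a real syslog file in place of SAMPLE_LOGS (or pipe the output of the grep the thread mentions into it) and review the suggested lines before pasting them into the router; the generated ACEs use "any" as the source, which is a starting point to tighten further, not a final policy.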
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: