Tracking down IP of Hitcnts of ACL Help

dan hale
Level 3

Hi All, we recently had an issue with a virus exploiting SMTP port 25 and sending out spam. Since then I have created an access-list on the inside of our PIX 515 to deny SMTP. Since we have a multisite WAN with one Internet circuit, I had to put the access list on the PIX rather than on the site routers, since I did not know where it was coming from.

I see a lot of hitcnts from this access-list I created and would like to track down the IPs of the hosts. If I do a show logging on the PIX I get a ton of info and it's hard to narrow it down. Is there a more specific log level I can enable, or does someone else have a better recommendation for tracking down the host(s)?

Thanks,

Dan

4 Replies

Namit Agarwal
Cisco Employee

Hi Dan,

You can log all the attempts that hit the deny statement for SMTP.

Please check the following link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#use3

I hope this helps. You can view the specific log messages pertaining only to the ACL hits as shown in the link.

Thanks,

Namit

hobbe
Level 7

I agree with Namit Agarwal 100%

Syslog is the way to go to make it easier for you to know where the offenders are.

However, I would like to add that if the WAN links do get overwhelmed, you can set the access-list on the inbound local interfaces of the routers on the far end and configure them for syslog also, and use the same syslog server to monitor the events. Or, if it is really bad and you have good enough switches, you can set the access-list on the inbound traffic at the ports of the switches, but that's just in case there is a huge load of traffic.

Just beware that if you send a syslog every time the access-list gets hit, then that volume in itself might bog down the WAN links.

The access list would be something like this (acl_inside is a placeholder name; substitute your own mail server address):

access-list acl_inside permit tcp any host <your-mail-server> eq smtp
access-list acl_inside deny tcp any any eq smtp log
access-group acl_inside in interface inside

good luck

This is great info, thanks guys! One other question: if I decide to send log messages to a syslog server, how would I go about sending just the specific ACL, or at least all ACL hits? I tried this and the PIX is sending log messages, but it seems that I can only get it to filter the logs it's sending based on severity levels, which again is quite a lot of messages.

Thanks,

Dan

You can send only specific messages to your syslog server. For example, let's say you want to send only log 106100, which is for ACL drops/permits.

You can do

logging enable
logging list my-list message 106100
logging trap my-list
logging host inside 192.168.1.1

I hope it helps.

PK
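The actual question in this thread is which inside hosts are behind the hit counts. Once the deny ACE carries the log keyword and the PIX ships message 106100 to a syslog server as PK shows, every flow that hits the ACE produces a 106100 line (a "first hit" line, then a summary line per interval with a hit-cnt). The script below is an added example, not code from this thread or from Cisco: it parses those lines and sums hit-cnt per source address for denied traffic to port 25, so the top spammer shows up at the top of the list. The ACL name acl_inside, the firewall address 10.1.1.1 and the log lines themselves are constructed for the example; point it at your own syslog file instead.

```python
"""
Rank inside hosts by how often they hit a PIX/ASA 'deny smtp' ACE,
using syslog message 106100 (the per-ACE hit message emitted when an
access-list entry carries the 'log' keyword).

Added example; not from the original thread. Assumes the syslog lines
have been saved to a text file (or pasted from 'show logging').
"""
import re
import sys
from collections import Counter

# Documented 106100 layout:
#   %PIX-6-106100: access-list <acl> <permitted|denied|est-allowed> <proto>
#       <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n>
#       (first hit | <k>-second interval) [<hash>, <hash>]
ACL_HIT = re.compile(
    r"%(?:PIX|ASA|FWSM)-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<count>\d+)"
)

# Constructed sample log; the ACL name, addresses and ports are made up.
SAMPLE_LOG = """\
Mar 14 10:02:11 10.1.1.1 %PIX-6-106100: access-list acl_inside denied tcp inside/10.1.4.57(3212) -> outside/203.0.113.25(25) hit-cnt 1 first hit [0x2c8d1a5a, 0x0]
Mar 14 10:02:12 10.1.1.1 %PIX-6-106100: access-list acl_inside permitted tcp inside/10.1.1.20(4411) -> outside/198.51.100.9(25) hit-cnt 1 first hit [0x1ddd6c4b, 0x0]
Mar 14 10:07:11 10.1.1.1 %PIX-6-106100: access-list acl_inside denied tcp inside/10.1.4.57(3212) -> outside/203.0.113.25(25) hit-cnt 412 300-second interval [0x2c8d1a5a, 0x0]
Mar 14 10:07:30 10.1.1.1 %PIX-6-106100: access-list acl_inside denied tcp inside/10.1.9.102(1025) -> outside/192.0.2.77(25) hit-cnt 1 first hit [0x3a41b0c9, 0x0]
Mar 14 10:07:45 10.1.1.1 %PIX-6-302013: Built outbound TCP connection 9812 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.20/4412 (10.1.1.20/4412)
Mar 14 10:08:02 10.1.1.1 %PIX-6-106100: access-list acl_inside denied tcp inside/10.1.4.57(3213) -> outside/203.0.113.26(25) hit-cnt 1 first hit [0x2c8d1a5b, 0x0]
"""


def parse_acl_hit(line):
    """Return the fields of a 106100 message as a dict, or None for any other line."""
    m = ACL_HIT.search(line)
    if not m:
        return None
    hit = m.groupdict()
    for key in ("sport", "dport", "count"):
        hit[key] = int(hit[key])
    return hit


def top_sources(lines, action="denied", dport=25, acl=None):
    """Sum hit-cnt per source address for matching ACL hits.

    Returns [(source_ip, total_hits), ...] sorted by total, highest first.
    Summing the 'first hit' and interval counts approximates the number of
    connection attempts each host made; it is the ranking that matters.
    """
    totals = Counter()
    for line in lines:
        hit = parse_acl_hit(line)
        if hit is None:
            continue
        if hit["action"] != action or hit["dport"] != dport:
            continue
        if acl is not None and hit["acl"] != acl:
            continue
        totals[hit["src"]] += hit["count"]
    return totals.most_common()


def report(lines):
    """Format the ranking as one 'count  ip' line per host."""
    return "\n".join(f"{count:8d}  {ip}" for ip, count in top_sources(lines))


if __name__ == "__main__":
    # Usage: python acl_hits.py /var/log/pix.log   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(fh))
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

Two things to keep in mind when reading the output: 106100 is only produced for ACEs that carry the log keyword, so a deny without log will raise the hit count but never show up here; and because the PIX sees the pre-NAT inside address on the inside interface, the source field is the real workstation address, which is what you want to chase down.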