cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1115
Views
6
Helpful
8
Replies

Router Logging

Gardiner2
Level 1
Level 1

Hi there,

I am part of a team project at Glasgow Cali Uni. Was wondering of anyone knew how to log blocked traffic on the router. I know as much as that i need to set up an access list and the only traffic i should allow is Internet and Email traffic ( the protocols i think should be permitted are http, smtp, pop3 and telnet) and out spec says that all other traffic should be blocked and logged.

Any tips, hints or ways to go about it would be much appriecated.

cheers

8 Replies 8

Jerry Ye
Cisco Employee
Cisco Employee

Do a permit any any log at the end of an ACL since you have to set one up to permit certain traffic anyway.

ip access-list extended xxxx

permit tcp any any eq 80

... ...

deny ip any any log

HTH,

jerry

Hi there,

I tried there but i could not get the logging to work. So far i have

An-Teallach-Main(config)#ip access-list

% Incomplete command.

An-Teallach-Main(config)#ip access-list extended xxxx

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 80

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 23

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 110

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 465

An-Teallach-Main(config-ext-nacl)#deny ip any any log

                                                  ^

% Invalid input detected at '^' marker.

An-Teallach-Main(config-ext-nacl)#exit

An-Teallach-Main(config)#deny ip any any log

                          ^

% Invalid input detected at '^' marker.

An-Teallach-Main(config)#deny ip any log

                          ^

% Invalid input detected at '^' marker.

An-Teallach-Main(config)#ip access-list extended xxxx

An-Teallach-Main(config-ext-nacl)#deny ip any any log

                                                  ^

% Invalid input detected at '^' marker.

sorry we are really inexperecied when working with these sort of router commands

i take it that have enabled http, smtp, pop3 and telnet but i need to be able to log any other disabled protocols

cheers

Jonathan

An-Teallach-Main(config)#ip access-list extended xxxx

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 80

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 23

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 110

An-Teallach-Main(config-ext-nacl)#permit tcp any any eq 465

An-Teallach-Main(config-ext-nacl)#deny ip any any log

That is strange that it is not allowing you to enter the final deny line. What device and IOS version are you running ?

Try this instead -

access-list 101 permit tcp any any eq 80

access-list 101 permit tcp any any eq 23

access-list 101 permit tcp any any eq 110

access-list 101 permit tcp any any eq 465

access-list 101 deny ip any any log

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Im using packet tracer and i think that is why it is not letting me log for some reason? Some of the commands seem to be slightly different.

An-Teallach-Main(config)#access-list 101 ip any any log

                                         ^

% Invalid input detected at '^' marker.

An-Teallach-Main(config)#

I done everything as followed but it seems to fall at the final hurdle regarding the logging .

any help it would be great

On production equipment it would allow you to enter the command.  Sometimes the simulation stufff doesn't include even the real basic commands.

Seems really strange its a 2811 cisco router and it has accecpted every other command i have throwed at it. It must be done as it is part of the courswork which specfies we must use this router. Can the logging possibly be done server side in this way?

Do you mean on the syslog server side? If that is what you want and I don't think that is possible.

Regards,

jerry

Cisco will donate $1 to the American Red Cross Haiti fund  every rated post.

https://supportforums.cisco.com/docs/DOC-8727

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: