
Access-list logs on PIX

arashid
Level 1

Hello,

Is there any way, after adding access-lists and assigning them to an interface, to then capture what traffic (IP address) is hitting the interface and setting off the access-list? For example, setting up an access-list to deny traffic to port 80 to a public IP, then applying the access-list to the inside interface. Once done, see if anyone is trying to get to that public IP and port, and see what IP address they are coming from?

much thanks!!

Amin

2 Replies

gfullage
Cisco Employee

In 6.3 code you can add the "log" keyword to a particular access-list line, just like you can in a router. Basically add the line something like:

> access-list outbound deny tcp any host eq www log

> access-list outbound permit ip any any

> access-group outbound in interface inside

Anything that hits the first line will be logged according to the log settings on the PIX. You can log it to the console, the internal buffer or to an external syslog server.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1067755 for details, specifically:

-------------------------------------

When the log option is specified, it generates syslog message 106100 for the access list element (ACE) to which it is applied. (Syslog message 106100 is generated for every matching permit or deny ACE flow passing through the firewall.) The first-match flow is cached. Subsequent matches increment the hit count displayed in the show access-list command (hitcnt) for the ACE, and new 106100 messages will be generated at the end of the interval defined by interval secs if the hit count for the flow is not zero.

The default ACL logging behavior (the log keyword not specified) is that if a packet is denied, then message 106023 is generated, and if a packet is permitted, then no syslog message is generated.

An optional syslog level (0 - 7) may be specified for the generated syslog messages (106100). If no level is specified, the default level is 6 (informational) for a new ACE. If the ACE already exists, then its existing log level remains unchanged.

--------------------------------------------
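To act on those 106100 messages once they reach a syslog collector, here is an added Python example (not from this thread or from Cisco) that parses the 106100 message layout documented for the PIX and tallies which source addresses were denied to a given destination and port, which is what the original question asks for. The sample log lines are constructed, and the exact field layout is assumed from Cisco's syslog message documentation.

```python
import re
from collections import Counter

# Constructed sample lines in the documented PIX 106100 layout (assumed, not taken from the thread).
# The last line is a default-logging 106023 deny, included to show that it is not a 106100 event.
SAMPLE_LOG = """\
%PIX-6-106100: access-list outbound denied tcp inside/10.1.1.25(40211) -> outside/203.0.113.10(80) hit-cnt 1 (first hit) [0x3b8a0f1c, 0x0]
%PIX-6-106100: access-list outbound permitted tcp inside/10.1.1.7(51000) -> outside/198.51.100.5(443) hit-cnt 1 (first hit) [0x1a2b3c4d, 0x0]
%PIX-6-106100: access-list outbound denied tcp inside/10.1.1.25(40212) -> outside/203.0.113.10(80) hit-cnt 9 (300-second interval) [0x3b8a0f1c, 0x0]
%PIX-6-106100: access-list outbound denied tcp inside/10.1.1.40(33001) -> outside/203.0.113.10(80) hit-cnt 1 (first hit) [0x7c6d5e4f, 0x0]
%PIX-4-106023: Deny tcp src inside:10.1.1.99/1234 dst outside:203.0.113.10/80 by access-group "outbound"
"""

# Fields of a 106100 message: ACL name, permitted/denied, protocol,
# in_interface/src(port) -> out_interface/dst(port), hit count for the flow.
ACE_LOG = re.compile(
    r"%PIX-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_106100(text):
    """Return one dict per 106100 message; other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = ACE_LOG.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "hits"):
            d[key] = int(d[key])
        events.append(d)
    return events

def denied_sources(events, dst, dport):
    """Map source IP -> total denied hits toward dst:dport, summing first-hit and interval counts."""
    totals = Counter()
    for e in events:
        if e["action"] == "denied" and e["dst"] == dst and e["dport"] == dport:
            totals[e["src"]] += e["hits"]
    return dict(totals)

if __name__ == "__main__":
    ev = parse_106100(SAMPLE_LOG)
    for src, hits in sorted(denied_sources(ev, "203.0.113.10", 80).items()):
        print(f"{src}: {hits} denied hit(s)")
```

Because the PIX caches the first-match flow and only re-emits 106100 at the end of each interval, summing hit-cnt per source is what gives the true count rather than counting lines.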

Much Thanks!!
