09-08-2003 07:30 AM - edited 02-20-2020 10:58 PM
Hello,
Is there any way, after adding access-lists and assigning them to an interface, to then capture what traffic (IP address) is hitting the interface and setting off the access-list? For example, setting up an access-list to deny traffic to port 80 on a public IP, then applying the access-list to the inside interface. Once done, then see if anyone is trying to get to that public IP and port, and see what IP address they are coming from?
much thanks!!
Amin
09-08-2003 04:45 PM
In 6.3 code you can add the "log" keyword to a particular access-list line, just like you can in a router. Basically add the line something like:
> access-list outbound deny tcp any host
> access-list outbound permit ip any any
> access-group outbound in interface inside
Anything that hits the first line will be logged according to the log settings on the PIX. You can log it to the console, the internal buffer or to an external syslog server.
See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1067755 for details, specifically:
-------------------------------------
When the log option is specified, it generates syslog message 106100 for the access list element (ACE) to which it is applied. (Syslog message 106100 is generated for every matching permit or deny ACE flow passing through the firewall.) The first-match flow is cached. Subsequent matches increment the hit count displayed in the show access-list command (hitcnt) for the ACE, and new 106100 messages will be generated at the end of the interval defined by interval secs if the hit count for the flow is not zero.
The default ACL logging behavior (the log keyword not specified) is that if a packet is denied, then message 106023 is generated, and if a packet is permitted, then no syslog message is generated.
An optional syslog level (0 - 7) may be specified for the generated syslog messages (106100). If no level is specified, the default level is 6 (informational) for a new ACE. If the ACE already exists, then its existing log level remains unchanged.
--------------------------------------------
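Once the `log` keyword is in place, the remaining half of the original question is reading the resulting 106100 (and default 106023) messages out of the buffer or syslog server and turning them into a list of source addresses per denied flow. The script below is an added example, not part of this thread or of Cisco's documentation; it assumes the 106100 and 106023 message layouts as documented for PIX 6.3 (`access-list ACL {permitted|denied} proto ifc/src(port) -> ifc/dst(port) hit-cnt N ...` and `Deny proto src ifc:addr/port dst ifc:addr/port by access-group ACL`), and the sample log lines embedded in it are constructed, not captured from a real firewall. Hit counts from the first-hit message and the later interval messages are summed per source, which matches the caching behaviour described in the quoted documentation.

```python
import re
from collections import Counter

# Message layouts assumed from the PIX 6.3 syslog reference (not copied from the thread).
# 106100: generated when the ACE carries the "log" keyword, for permits and denies.
RE_106100 = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# 106023: the default deny message when "log" is NOT specified on the ACE.
RE_106023 = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\S+) src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"?(?P<acl>[^\"\s]+)\"?"
)

# Constructed sample of what "show logging" or a syslog server might hold.
# Addresses are documentation ranges; the last line is an unrelated connection
# message included to show that non-ACL messages are ignored.
SAMPLE_LOG = """\
Sep 08 2003 16:50:01: %PIX-6-106100: access-list outbound denied tcp inside/10.1.1.25(3245) -> outside/192.0.2.10(80) hit-cnt 1 (first hit) 0x5d2e1f3a 0x0
Sep 08 2003 16:50:12: %PIX-6-106100: access-list outbound permitted tcp inside/10.1.1.30(3301) -> outside/198.51.100.7(443) hit-cnt 1 (first hit) 0x1a2b3c4d 0x0
Sep 08 2003 16:55:01: %PIX-6-106100: access-list outbound denied tcp inside/10.1.1.25(3246) -> outside/192.0.2.10(80) hit-cnt 4 (300-second interval) 0x5d2e1f3a 0x0
Sep 08 2003 16:56:40: %PIX-4-106023: Deny tcp src inside:10.1.1.77/4011 dst outside:192.0.2.10/80 by access-group "outbound"
Sep 08 2003 16:57:02: %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.30/3302 (203.0.113.5/1025)
"""


def parse_line(line):
    """Return a dict describing an ACL hit, or None for any other message.

    Both message types are normalised to the same keys; a 106023 line is
    always a deny and always represents exactly one packet (hits = 1).
    """
    for rule, msg_id in ((RE_106100, "106100"), (RE_106023, "106023")):
        m = rule.search(line)
        if m:
            rec = m.groupdict()
            rec["msg"] = msg_id
            rec.setdefault("action", "denied")
            rec["hits"] = int(rec.get("hits") or 1)
            return rec
    return None


def denied_sources(log_text, acl=None, dst=None, dport=None):
    """Map each source IP to the number of times it was denied.

    Optional filters narrow the result to one ACL name, destination address
    and destination port, which is exactly the "who is hitting that public IP
    on port 80" question from the thread.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        if acl is not None and rec["acl"] != acl:
            continue
        if dst is not None and rec["dst"] != dst:
            continue
        if dport is not None and rec["dport"] != str(dport):
            continue
        counts[rec["src"]] += rec["hits"]
    return dict(counts)


if __name__ == "__main__":
    # Who tried to reach 192.0.2.10:80 and was stopped by the "outbound" ACL?
    for src, hits in sorted(denied_sources(SAMPLE_LOG, acl="outbound",
                                           dst="192.0.2.10", dport=80).items()):
        print(f"{src:15} denied {hits} time(s)")
```

Feed it the output of `show logging` (internal buffer) or the file your syslog server writes; the permitted 106100 line and the connection-built message are dropped, and the two 106100 messages for the same flow are combined into a single count for that source.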
09-12-2003 05:16 AM
Much Thanks!!