Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Access-list logs on PIX

Hello,

Is there any way to, after adding access-lists and assigning them to an interface....then capture what traffic (IP address) is hitting the interface and setting off the access-list. For example setting up an access-list to deny traffic to port 80 to a public IP. Then applying the access-list to the inside interface. Once done - then see if anyone is trying to get to that public IP and port..and see what IP address they are coming from??

much thanks!!

Amin

2 REPLIES
Cisco Employee

Re: Access-list logs on PIX

In 6.3 code you can add the "log" keyword to a particular access-list line, just like you can in a router. Basically add the line something like:

> access-list outbound deny tcp any host eq www log

> access-list outbound permit ip any any

> access-group outbound in interface inside

Anything that hits the first line will be logged according to the log settings on the PIX. You can log it to the console, the internal buffer or to an external syslog server.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/ab.htm#1067755 for details, specifically:

-------------------------------------

When the log option is specified, it generates syslog message 106100 for the access list element (ACE) to which it is applied. (Syslog message 106100 is generated for every matching permit or deny ACE flow passing through the firewall.) The first-match flow is cached. Subsequent matches increment the hit count displayed in the show access-list command (hitcnt) for the ACE, and new 106100 messages will be generated at the end of the interval defined by interval secs if the hit count for the flow is not zero.

The default ACL logging behavior (the log keyword not specified) is that if a packet is denied, then message 106023 is generated, and if a packet is permitted, then no syslog message is generated.

An optional syslog level (0 - 7) may be specified for the generated syslog messages (106100). If no level is specified, the default level is 6 (informational) for a new ACE. If the ACE already exists, then its existing log level remains unchanged.

--------------------------------------------

Community Member

Re: Access-list logs on PIX

Much Thanks!!

117
Views
5
Helpful
2
Replies
CreatePlease to create content