Cisco Support Community
New Member

New to router security

I have been studying Cisco docs for a couple of weeks now, and haven't figured out how to log and view traffic. We run a 2620 as an internet gateway, and I have managed to implement NAT, apply access control lists, enable SNMP traps, set up a syslog daemon, secure passwords, and deny certain traffic.

What I'd like to do is view any inbound traffic that is denied. (SNMP is sending alerts successfully, but I have yet to get the console to decode them; it won't load the Cisco MIBs.) We have the IOS FW and IPSec, and I'm still trying to learn how to configure and use them. I also don't know how they fit in with NAT.

Any pointers to less obtuse docs, or other help is appreciated.

Cbyr8552@aol.com

Net admin.

ARI, Ltd.

4 REPLIES
Cisco Employee

Re: New to router security

I have never dealt with SNMP so I can't help you there, but here are a couple of things to check for ensuring that the syslog messages for denied traffic are being sent to your syslog server.

1) Ensure that the router has been setup to send syslog messages to your syslog server box.

The router needs the following two lines, where x.x.x.x is the address of your syslog server:

logging x.x.x.x

logging trap informational

Refer to the following link for further information on the logging command:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf013.htm#xtocid810512

2) Ensure that the access-list deny lines are configured to generate syslog messages for denied traffic.

When creating the deny lines there is a "log" keyword that must be used to tell the router to create the syslog messages when the traffic is denied.

Example using numbered access lists:

access-list 150 deny tcp any any eq 23 log

.......

For further information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1733810

Example using named access lists:

ip access-list extended filter1

deny tcp any any eq 23 log

.......

For further information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid17338

New Member

Re: New to router security

I won't profess to speak concerning the SNMP information; however, I believe that CiscoWorks and OpenView can both work with SNMP info. However, for your ACLs, did you:

1. Set your ACL to log:

deny ip host x.x.x.x any log

2. Set up logging (on the router, ver 12.0 below) to the syslog server (warning: changes based on OS and IOS):

logging facility local1 (whatever facility your servers are listening on)

logging x.x.x.1 (syslog server)

logging x.x.x.2 (secondary server)

Then create a directory in /var/log (assuming UNIX :)) and create a syslog_info file in it. Then edit /etc/syslog.conf with "local1.debug" (or whatever you picked) {tab key} /var/log/<directory>/syslog_info. Then kill -HUP syslogd.

Test it by saying "logger -p local1.debug hello" and check your log to see if it says hello back :)

Hope this helps,

Geoff

New Member

Re: New to router security

Thanks for the URLs and advice. One URL gave me a hint (console logging issue). I am getting the SNMP traps sent to a Win 98 w/s running Kiwi's syslog daemon; it's just that the Laroit SNMP manager is giving me trouble decoding the messages. Because of budgeting issues I must use these freeware apps....

However, I think what I really need to do is to dig deeper into the IPSec/Firewall configuration. Lots to learn.

Thanks again,

Chris

New Member

Re: New to router security

There's a 3rd party software package from a Cisco partner called Private-I from OpenSystemsSolutions...

http://www.opensystems.com/products/router.asp

I have implemented their product for the PIX and found it mildly useful. You can set up the router in conjunction with this product to do essentially what you're looking for, plus a lot more, I am sure.
