[c-nsp] LOG ACL
Cory Ayers
cayers at ena.com
Tue Jan 31 11:06:07 EST 2006
> I at least would like to know what ports are being used.
>
> TIA
>
> Mel
>From my experience, doing permit ip any any log on an access-list does
not show port numbers for TCP and UDP packets. A line in the log
typically looks like this:
%SEC-6-IPACCESSLOGP: list 134 permitted tcp w.x.y.z(0) -> a.b.c.d(0), 1
packet
To get a good idea of what is happening, you can put non-log permits in
for well-known ports, then log the entire range 1-65535. I only do this
on end-site routers and definitely wouldn't recommend it on a high
bandwidth core device. You should really look at Netflow accounting for
high capacity environments.
logging buffered 65535 debugging
access-list 134 permit tcp any any eq www
access-list 134 permit tcp any eq www any
access-list 134 permit tcp any any eq 443
access-list 134 permit tcp any eq 443 any
access-list 134 permit tcp any any eq smtp
access-list 134 permit tcp any eq smtp any
access-list 134 permit tcp any any eq pop3
access-list 134 permit tcp any eq pop3 any
access-list 134 permit udp any any eq domain
access-list 134 permit udp any eq domain any
access-list 134 permit udp any any eq ntp
access-list 134 permit udp any eq ntp any
access-list 134 permit udp any any eq snmp
access-list 134 permit udp any eq snmp any
access-list 134 permit tcp any any range 0 65535 log
access-list 134 permit udp any any range 0 65535 log
access-list 134 permit ip any any
interface FastEthernet0/0
ip access-group 134 in
Then to see the log you simply "show logging" from the router terminal.
Cheers,
Cory
> ----- Original Message -----
> From: "Melvin C. Etheridge" <mele at enia.net>
> To: "Amol Sapkal" <amolsapkal at gmail.com>
> Cc: "Cisco-Nsp" <cisco-nsp at puck.nether.net>
> Sent: Monday, January 30, 2006 12:19 AM
> Subject: Re: [c-nsp] LOG ACL
>
>
> >I would really like to log all traffic on this host.
> >
> > The cust thinks they have a trojan and have not been able to track
it
> > down.
> >
> > Thanks!
> >
> > Mel
> > ----- Original Message -----
> > From: Amol Sapkal
> > To: Melvin C. Etheridge
> > Sent: Sunday, January 29, 2006 11:19 PM
> > Subject: Re: [c-nsp] LOG ACL
> >
> >
> > Melvin,
> >
> > Are you looking at logging only the number of packets?
> > If yes, try put an explicit permit statement in your access-list.
> >
> > Like,
> >
> > access-list 100 permit ip host 1.1.1.1 any
> > access-list 100 permit ip any host 1.1.1.1
> >
> >
> >
> > HTH,
> > Amol
> >
> >
> >
> > On 1/30/06, Melvin C. Etheridge <mele at enia.net> wrote:
> > I would like to create a ACL to just log traffic to and from a ip
> going
> > through one of my adsl routers.
> >
> > What would be the best way to word the ACL to do this?
> >
> > Thanks,
> >
> > Mel
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> >
> >
> > --
> > Warm regards,
> >
> > Amol Sapkal
> >
> > -------------------------------------------------------------------
> > "A new study shows that licking the sweat off
> > a frog can cure depression. The down side is,
> > the minute you stop licking, the frog gets
> > depressed again." - Jay Leno
> > -------------------------------------------------------------------
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list