[c-nsp] LOG ACL

Cory Ayers cayers at ena.com
Tue Jan 31 11:06:07 EST 2006


> I at least would like to know what ports are being used.
> 
> TIA
> 
> Mel

From my experience, doing permit ip any any log on an access-list does
not show port numbers for TCP and UDP packets.  A line in the log
typically looks like this:

%SEC-6-IPACCESSLOGP: list 134 permitted tcp w.x.y.z(0) -> a.b.c.d(0), 1 packet

To get a good idea of what is happening, you can put non-log permits in
for well-known ports, then log the entire range 1-65535.  I only do this
on end-site routers and definitely wouldn't recommend it on a high
bandwidth core device.  You should really look at Netflow accounting for
high capacity environments.

logging buffered 65535 debugging
access-list 134 permit tcp any any eq www
access-list 134 permit tcp any eq www any
access-list 134 permit tcp any any eq 443
access-list 134 permit tcp any eq 443 any
access-list 134 permit tcp any any eq smtp
access-list 134 permit tcp any eq smtp any
access-list 134 permit tcp any any eq pop3
access-list 134 permit tcp any eq pop3 any
access-list 134 permit udp any any eq domain
access-list 134 permit udp any eq domain any
access-list 134 permit udp any any eq ntp
access-list 134 permit udp any eq ntp any
access-list 134 permit udp any any eq snmp
access-list 134 permit udp any eq snmp any
access-list 134 permit tcp any any range 0 65535 log
access-list 134 permit udp any any range 0 65535 log
access-list 134 permit ip any any
interface FastEthernet0/0
 ip access-group 134 in

Then to see the log you simply "show logging" from the router terminal.

Cheers,
Cory
 
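As an added illustration (not part of Cory's message or any Cisco tool), the script below takes the "show logging" output produced by the access-list above and answers Mel's original question, which ports the host is talking on, by aggregating the %SEC-6-IPACCESSLOGP entries per direction, protocol and destination port. The sample log lines are constructed, use RFC 5737 documentation addresses, and assume a "service timestamps log datetime msec" prefix; the "list 100" line imitates a hit on a plain "permit ip ... log" entry, which is exactly the case Cory describes where both ports show as 0.

```python
import re
from collections import Counter

# Matches the %SEC-6-IPACCESSLOGP entries IOS emits for tcp/udp ACL hits, in the
# shape shown in the thread: list N permitted tcp A(sport) -> B(dport), N packet(s).
# The timestamp prefix in the sample is an assumption; the regex ignores it.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+"
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?"
)

# Constructed "show logging" excerpt (not real traffic).  192.0.2.10 is the host
# under investigation; the "list 100" line shows what an "ip" entry logs.
SAMPLE_LOG = """\
*Jan 31 10:58:02.111: %SEC-6-IPACCESSLOGP: list 134 permitted tcp 192.0.2.10(1045) -> 198.51.100.7(8443), 1 packet
*Jan 31 10:58:02.987: %SEC-6-IPACCESSLOGP: list 134 permitted tcp 192.0.2.10(1046) -> 198.51.100.7(8443), 1 packet
*Jan 31 11:03:14.205: %SEC-6-IPACCESSLOGP: list 134 permitted tcp 192.0.2.10(1045) -> 198.51.100.7(8443), 37 packets
*Jan 31 11:03:15.020: %SEC-6-IPACCESSLOGP: list 134 permitted udp 192.0.2.10(1500) -> 203.0.113.9(1434), 4 packets
*Jan 31 11:03:16.338: %SEC-6-IPACCESSLOGP: list 134 permitted tcp 203.0.113.22(3389) -> 192.0.2.10(1200), 2 packets
*Jan 31 11:03:17.001: %SEC-6-IPACCESSLOGP: list 134 permitted tcp 192.0.2.55(1100) -> 198.51.100.7(8443), 1 packet
*Jan 31 11:03:18.450: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.0.2.10(0) -> 198.51.100.7(0), 12 packets
*Jan 31 11:03:19.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_line(line):
    """Return a dict for one IPACCESSLOGP tcp/udp line, or None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, host):
    """Aggregate logged packets to and from `host`.

    Returns (ports, no_port_info).  `ports` maps (direction, proto, dport) to a
    packet count: direction is "out" when `host` is the source (dport is then the
    remote service port) and "in" when `host` is the destination (dport is then
    the local port being contacted).  `no_port_info` counts packets whose entry
    logged both ports as 0, i.e. hits on an "ip" entry rather than a tcp/udp one.
    """
    ports = Counter()
    no_port_info = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or host not in (rec["src"], rec["dst"]):
            continue
        if rec["sport"] == 0 and rec["dport"] == 0:
            no_port_info += rec["count"]
            continue
        direction = "out" if rec["src"] == host else "in"
        ports[(direction, rec["proto"], rec["dport"])] += rec["count"]
    return ports, no_port_info


def report(ports, no_port_info):
    """Render the summary as text, busiest ports first."""
    out = [f"{'dir':<4} {'proto':<5} {'dport':>6} {'packets':>8}"]
    for (direction, proto, dport), count in ports.most_common():
        out.append(f"{direction:<4} {proto:<5} {dport:>6} {count:>8}")
    if no_port_info:
        out.append(f"{no_port_info} packet(s) logged without port numbers "
                   "(matched an 'ip' entry; use tcp/udp entries to see ports)")
    return "\n".join(out)


if __name__ == "__main__":
    # Paste real "show logging" output into SAMPLE_LOG, or read it from a file.
    ports, unknown = summarize(SAMPLE_LOG.splitlines(), "192.0.2.10")
    print(report(ports, unknown))
```

Because IOS rate-limits ACL logging and summarises repeated hits into "N packets" lines, the counts are a sampling of the traffic rather than an exact tally, which is consistent with Cory's advice to use NetFlow where accuracy on a busy device matters.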
> ----- Original Message -----
> From: "Melvin C. Etheridge" <mele at enia.net>
> To: "Amol Sapkal" <amolsapkal at gmail.com>
> Cc: "Cisco-Nsp" <cisco-nsp at puck.nether.net>
> Sent: Monday, January 30, 2006 12:19 AM
> Subject: Re: [c-nsp] LOG ACL
> 
> 
> >I would really like to log all traffic on this host.
> >
> > The cust thinks they have a trojan and have not been able to track it
> > down.
> >
> > Thanks!
> >
> > Mel
> >  ----- Original Message -----
> >  From: Amol Sapkal
> >  To: Melvin C. Etheridge
> >  Sent: Sunday, January 29, 2006 11:19 PM
> >  Subject: Re: [c-nsp] LOG ACL
> >
> >
> >  Melvin,
> >
> >  Are you looking at logging only the number of packets?
> >  If yes, try put an explicit permit statement in your access-list.
> >
> >  Like,
> >
> >  access-list 100 permit ip host 1.1.1.1 any
> >  access-list 100 permit ip any host 1.1.1.1
> >
> >
> >
> >  HTH,
> >  Amol
> >
> >
> >
> >  On 1/30/06, Melvin C. Etheridge <mele at enia.net> wrote:
> >    I would like to create an ACL to just log traffic to and from an ip going
> >    through one of my adsl routers.
> >
> >    What would be the best way to word the ACL to do this?
> >
> >    Thanks,
> >
> >    Mel
> >
> >    _______________________________________________
> >    cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >    https://puck.nether.net/mailman/listinfo/cisco-nsp
> >    archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> >
> >
> >  --
> >  Warm regards,
> >
> >  Amol Sapkal
> >
> >  -------------------------------------------------------------------
> >  "A new study shows that licking the sweat off
> >  a frog can cure depression. The down side is,
> >  the minute you stop licking, the frog gets
> >  depressed again." - Jay Leno
> >  -------------------------------------------------------------------
> >
> 
