Velocity Reviews - Computer Hardware Reviews

PIX501 - How to log denied traffic

Markus Sonnenberg
      02-06-2012
Hi,

I have a PIX 501 running version 6.3(5), and I want to have denied
traffic logged to a syslog server.

I managed to set up the logging part, and I do see that allowed traffic
is being logged successfully.

%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)

But I want to have denied traffic logged as well. I have a deny rule in
last place, but I don't get any syslog messages for this rule.

Any hints?

<snip pix config>
ozean# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname ozean
domain-name ***.com
no fixup protocol dns
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.2.15 freya.***.com
name 192.168.2.10 jsyldur.***.com
name 80.229.116.139 Evil_001
name 217.89.65.130 arbeit.***.com
access-list 100 deny ip host Evil_001 any log 4
access-list 100 permit icmp any any unreachable log 4
access-list 100 permit icmp any any echo-reply log 4
access-list 100 permit udp any any eq domain log 4
access-list 100 permit tcp any any eq domain log 4
access-list 100 permit tcp any any eq www log 4
access-list 100 permit tcp any any eq 27 log 4
access-list 100 permit tcp any any eq smtp log 4
access-list 100 permit tcp any any eq imap4 log 4
access-list 100 permit tcp any any eq ftp log 4
access-list 100 permit tcp host arbeit.***.com any eq 3389 log 4
access-list 100 permit tcp any any eq 3613 log 4
access-list 100 permit udp any any eq 3613 log 4
access-list 100 permit tcp any any eq 6881 log 4
access-list 100 permit udp any any eq 6881 log 4
access-list 100 permit tcp any any eq 8080 log 4
access-list 100 permit icmp any any log 4
access-list 100 deny ip any any log 4 interval 1
access-list 200 permit ip 192.168.2.0 255.255.255.0 any log 4
pager lines 24
logging on
logging trap warnings
logging host inside freya.***.com
icmp permit any outside
icmp permit any inside
mtu outside 1456
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 1005 disable
ip audit signature 1006 disable
ip audit signature 1100 disable
ip audit signature 1102 disable
ip audit signature 1103 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
ip audit signature 2150 disable
ip audit signature 2151 disable
ip audit signature 2154 disable
ip audit signature 3040 disable
ip audit signature 3041 disable
ip audit signature 3042 disable
ip audit signature 3153 disable
ip audit signature 3154 disable
ip audit signature 4050 disable
ip audit signature 4051 disable
ip audit signature 4052 disable
ip audit signature 6050 disable
ip audit signature 6051 disable
ip audit signature 6052 disable
ip audit signature 6053 disable
ip audit signature 6100 disable
ip audit signature 6101 disable
ip audit signature 6102 disable
ip audit signature 6103 disable
ip audit signature 6150 disable
ip audit signature 6151 disable
ip audit signature 6152 disable
ip audit signature 6153 disable
ip audit signature 6154 disable
ip audit signature 6155 disable
ip audit signature 6175 disable
ip audit signature 6180 disable
ip audit signature 6190 disable
pdm location 80.153.1.1 255.255.255.255 outside
pdm location freya.***.com 255.255.255.255 inside
pdm location jsyldur.***.com 255.255.255.255 inside
pdm location Evil_001 255.255.255.255 outside
pdm location arbeit.***.com 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www freya.***.com www netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 27 freya.***.com ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 smtp freya.***.com smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 imap4 freya.***.com imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 ftp freya.***.com ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3389 jsyldur.***.com 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 8080 freya.***.com 8080 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 200 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside freya.***.com
snmp-server location ***
snmp-server contact ***@***
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname ***
vpdn group pppoe_group ppp authentication pap
vpdn username *** password ********* store-local
username routeradmin password *** encrypted privilege 15
terminal width 80
banner exec **** Off!
banner login **** Off!
Cryptochecksum:6d630f3096c6b0e6aaaac1d622f0e04b
: end
</snip>

regards
markus


ct,
--
Jumping off a boundary wall does not count as the direct route
to work.
http://www.rz-amper.de
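As an added example (my code, not the poster's or Cisco's): the two 106100 lines quoted above show the message format the PIX emits for an ACE carrying the `log` keyword, and a matching deny produces the same format with `denied` in place of `permitted`. `log 4` sets level 4 on the ACE's 106100 messages regardless of action, and `logging trap warnings` forwards level 4 and below, so the logging level itself is not what keeps the deny line silent. The script below parses that format, weights each message by its hit-cnt (with `log ... interval N` one message stands for several matches), and flags any ACL that produced permits but not a single deny in the sampled window, which is exactly the condition described in the post. The `denied` and 106011 lines in the second sample are constructed, not captured from the device; the 106011 "Deny inbound (No xlate)" message is the separate, non-ACL drop a PIX 6.x emits for an inbound packet that matches no translation, and it is the first thing to look for in the syslog when an ACL deny stays quiet.

```python
import re
from collections import Counter

# Body of the PIX 6.3 106100 message, as in the lines quoted in the post:
#   access-list <acl> {permitted|denied} <proto> <in-if>/<src>(<sport>) -> <out-if>/<dst>(<dport>) hit-cnt <n> (...)
ACL_HIT = re.compile(
    r"%PIX-(?P<level>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)
# 106011 is the PIX 6.x drop for an inbound packet with no translation; it is not an ACL event.
NO_XLATE = re.compile(r"%PIX-\d-106011: Deny inbound \(No xlate\)")

# The two permitted lines quoted in the post.
POSTED_LOG = """\
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)
"""

# Constructed lines (not from the device) showing what the missing events look like:
# two 106100 'denied' messages for the Evil_001 host on a port that has a static,
# and one 106011 no-xlate drop for a port that has none.
CONSTRUCTED_LOG = POSTED_LOG + """\
%PIX-4-106100: access-list 100 denied tcp outside/80.229.116.139(51022) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 denied tcp outside/80.229.116.139(51023) -> inside/2.2.2.2(80) hit-cnt 3 (1-second interval)
%PIX-3-106011: Deny inbound (No xlate) tcp src outside:80.229.116.139/51024 dst outside:80.153.1.1/23
"""


def summarize(log_text):
    """Count 106100 hits per (acl, action, proto, dport) and 106011 no-xlate drops.

    hit-cnt is used as the weight: with 'log <level> interval N' the PIX emits one
    message per interval carrying the number of matches it represents.
    """
    hits, no_xlate = Counter(), 0
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if m:
            hits[(m["acl"], m["action"], m["proto"], int(m["dport"]))] += int(m["hits"])
        elif NO_XLATE.search(line):
            no_xlate += 1
    return hits, no_xlate


def acls_without_denies(hits):
    """ACLs that logged permits but no denies at all: either the deny ACE never
    matched, or the traffic was dropped before the ACL was consulted."""
    actions = {}
    for (acl, action, _, _), _ in hits.items():
        actions.setdefault(acl, set()).add(action)
    return sorted(acl for acl, seen in actions.items() if "denied" not in seen)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        hits, no_xlate = summarize(text)
        print(f"{label}: {dict(hits)}  no-xlate drops: {no_xlate}")
        print(f"  ACLs with permits but no denies: {acls_without_denies(hits)}")
```

Run it against the real syslog file instead of the embedded samples by passing the file's contents to `summarize`; an ACL that stays in the `acls_without_denies` list while 106011 drops are being counted points at the packets being dropped before the ACL, not at a logging problem.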
Lutz Donnerhacke
      02-06-2012
* Markus Sonnenberg wrote:
> I have a PIX 501 running version 6.3(5), and I want to have denied
> traffic logged to a syslog server.


Usually the PIX does this automagically.

> But I want to have denied traffic logged as well. I have a deny rule in
> last place, but I don't get any syslog messages for this rule.


You do not need to set the logging target. It might confuse the system.

> access-list 100 deny ip host Evil_001 any log 4


OTOH I do not see any "permit" rule for outgoing traffic.
PIX does not insert an "auto-inverted" rule at the end.

Markus Sonnenberg
      02-07-2012
On 2/6/2012 5:20 PM, Lutz Donnerhacke wrote:
>> I have a PIX 501 running version 6.3(5), and I want to have denied
>> traffic logged to a syslog server.

>
> Usually the PIX does this automagically.


Hmm, but not the one which I've configured, and I want to know what I've
done wrong.

>> But I want to have denied traffic logged as well. I have a deny rule in
>> last place, but I don't get any syslog messages for this rule.

>
> You do not need to set the logging target. It might confuse the system.


It does not matter whether I have this rule in place or not.

>> access-list 100 deny ip host Evil_001 any log 4

>
> OTOH I do not see any "permit" rule for outgoing traffic.
> PIX does not insert an "auto-inverted" rule at the end.


Do I really need to have a permit rule for this rule? I want to block
this IP for all services.

ct,
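As an added example, not from the thread: a check of the posted configuration against the reason a deny line in an outside ACL can stay silent on a PIX 6.x. On 6.x an inbound packet from the lower-security interface is matched against a translation before the interface ACL is consulted; a packet with no xlate is dropped with the 106011 "Deny inbound (No xlate)" message and never reaches ACL 100. With PAT on the outside interface address (`global (outside) 1 interface`), only destination ports that have a `static` entry get as far as the ACL, so `deny ip host Evil_001 any` can log only for those ports, and the final `deny ip any any` can only see traffic that a static admitted and no earlier permit matched. The deny line needs no companion permit (the list is first match, and ACL 200 already permits the outbound direction); it simply has very little left to match. The script (mine, not the poster's, and written against a constructed excerpt of the `sh run` above) maps each ACE of the ACL applied inbound on outside to the (protocol, port) pairs on which it can actually be evaluated and lists ACEs that can never match. ICMP is handled by `icmp permit` rather than by xlates and is reported as not gated. Verify the ordering on the box itself: `show access-list 100` prints a hitcnt per ACE, and a hitcnt of 0 on the deny lines alongside 106011 messages in the syslog (level 3, already forwarded by `logging trap warnings`) confirms the packets are being dropped before the ACL rather than by it.

```python
# Port keywords PIX 6.3 prints in place of numbers (only those needed here).
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ssh": 22, "imap4": 143,
              "ftp": 21, "telnet": 23}

# Constructed excerpt of the 'sh run' posted in the thread (hidden domain kept
# as '***.com'); only the lines the check needs are included.
CONFIG = """\
access-list 100 deny ip host Evil_001 any log 4
access-list 100 permit icmp any any unreachable log 4
access-list 100 permit udp any any eq domain log 4
access-list 100 permit tcp any any eq www log 4
access-list 100 permit tcp any any eq 27 log 4
access-list 100 permit tcp host arbeit.***.com any eq 3389 log 4
access-list 100 deny ip any any log 4 interval 1
access-list 200 permit ip 192.168.2.0 255.255.255.0 any log 4
global (outside) 1 interface
static (inside,outside) tcp interface www freya.***.com www netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 27 freya.***.com ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3389 jsyldur.***.com 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 200 in interface inside
"""


def port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_addr(toks, i):
    """Consume 'any' | 'host A' | 'A MASK' plus an optional 'eq PORT'; return (addr, port, next index)."""
    if toks[i] == "any":
        addr, i = "any", i + 1
    elif toks[i] == "host":
        addr, i = toks[i + 1], i + 2
    else:
        addr, i = toks[i] + "/" + toks[i + 1], i + 2
    p = None
    if i < len(toks) and toks[i] == "eq":
        p, i = port(toks[i + 1]), i + 2
    return addr, p, i


def parse(config):
    """Collect ACEs, port statics as (proto, mapped port), and inbound access-groups."""
    aces, statics, inbound = [], set(), {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, _, i = parse_addr(t, 4)
            dst, dport, i = parse_addr(t, i)
            aces.append({"line": line, "acl": t[1], "action": t[2], "proto": t[3],
                         "src": src, "dst": dst, "dport": dport, "log": "log" in t[i:]})
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            # static (inside,outside) <proto> <mapped-ip|interface> <mapped-port> <real> <real-port> ...
            statics.add((t[2], port(t[4])))
        elif t[0] == "access-group" and t[2] == "in":
            inbound[t[4]] = t[1]  # interface -> ACL applied inbound on it
    return aces, statics, inbound


def reachable(ace, statics):
    """(proto, port) pairs on which this ACE can be evaluated at all.

    Assumption (see lead-in): on PIX 6.x an inbound packet must match a translation
    before the interface ACL is consulted, so with PAT on the interface address only
    ports that have a static entry reach the ACL. ICMP is not xlate-gated -> None.
    """
    if ace["proto"] == "icmp":
        return None
    protos = ("tcp", "udp") if ace["proto"] == "ip" else (ace["proto"],)
    pairs = {(pr, p) for pr, p in statics if pr in protos}
    if ace["dport"] is not None:
        pairs = {(pr, p) for pr, p in pairs if p == ace["dport"]}
    return sorted(pairs)


def report(config, interface="outside"):
    """Each ACE of the ACL applied inbound on `interface`, with its reachable (proto, port) pairs."""
    aces, statics, inbound = parse(config)
    acl = inbound.get(interface)
    return [(a["line"], reachable(a, statics)) for a in aces if a["acl"] == acl]


def dead_aces(config, interface="outside"):
    """ACE lines that can never match on this interface, and so can never log."""
    return [line for line, pairs in report(config, interface) if pairs == []]


if __name__ == "__main__":
    for line, pairs in report(CONFIG):
        shown = "icmp (not xlate-gated)" if pairs is None else pairs
        print(f"{line}\n    reachable: {shown}")
    print("never matching:", dead_aces(CONFIG))
```

Feed it the full `sh run` to get the complete picture; every port-specific permit in the posted list has a matching static, so nothing is dead on this box, and the two deny lines resolve to the same port set the permits already cover, which is why they fire only when Evil_001 (or an unexpected source) tries one of the published ports.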