Help on logging on my Soho 77

Discussion in 'Cisco' started by Mr. Spadoni, Sep 15, 2006.

  1. Mr. Spadoni

    Mr. Spadoni Guest

    Hello
I have a SOHO 77 running IOS 12.3(15).

    I need to write a log entry every time someone from the internet accesses one of
    my PCs via Remote Desktop (TCP 3389).

    I have put an access-list


    access-list 100 permit tcp any eq 3389 host xx.xx.xx.xxx eq 3389 log

    But this won't log.

    Can some one help me?
    Mr. Spadoni, Sep 15, 2006
    #1

  2. Mr. Spadoni

    AM Guest

    Mr. Spadoni wrote:
    > I need to write a log entry everytime someone from the internet accesses one
    > my pc via Remote Desktop (TCP3389)
    >
    > I have put an access-list
    >
    >
    > access-list 100 permit tcp any eq 3389 host xx.xx.xx.xxx eq 3389 log
    >
    > But this won't log.


    conf t
    logging on
    logging buffered 512000 (choose how many bytes you want to reserve for logs)

    HTH Alex
    AM, Sep 15, 2006
    #2

  3. Mr. Spadoni

    Mr. Spadoni Guest

    Hello


    router#show log
    Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0
    flushes, 0 overruns, xml disabled)
    Console logging: disabled
    Monitor logging: level warnings, 0 messages logged, xml disabled
    Buffer logging: level notifications, 119 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 124 message lines logged

    Log Buffer (4096 bytes):


    I open an RDP connection but nothing happens in the log on the Cisco.

    What can I do?
    Mr. Spadoni, Sep 15, 2006
    #3
  4. Mr. Spadoni

    Merv Guest

    Did you apply the access-list to any Interface ?

    Post your entire config
    Merv, Sep 15, 2006
    #4
  5. Mr. Spadoni

    Guest

    Merv wrote:
    > Did you apply the access-list to any Interface ?
    >
    > Post your entrie config



    You need:-
    access-list 100 permit tcp any host xx.xx.xx.xxx eq 3389 log

    since the source port of the incoming connection is unknown
    and is chosen by the outside device.


    You also need to have the appropriate kind of
    logging enabled. The log on the router
    is stored in RAM and is not preserved over a reboot.


    "Log Buffer (4096 bytes):" will likely not be enough,
    as noted by AM already.

    You should consider an external syslog server
    or an SNMP trap receiver.

    Don't though have too many log receivers since
    too much logging can be bad for a router's health.

    Here is the logging configuration of a box here:-

    R2#sh run | inc log
    service timestamps log datetime localtime show-timezone
    logging buffered 65536 debugging
    no logging console ! can adversely affect CPU
    ! one interrupt per character sent.
    logging facility local6 ! I don't understand this
    logging source-interface Loopback0
    logging 192.168.5.1 ! do syslog
    snmp-server enable traps syslog ! ! also snmp


    I don't recommend doing SNMP AND syslog
    just seems stupid to give the router
    extra work.
    , Sep 15, 2006
    #5
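The source-port point in the reply above is the whole bug, and it is easy to check mechanically. Below is an added example (the editor's, not code from the thread or from Cisco): a toy first-match evaluator for the numbered extended ACL syntax used in this thread, covering the subset that matters here (any/host/wildcard addresses, eq/gt/lt/range port operators, `log` and `established`; ICMP type keywords and `fragments` are parsed but not enforced). The addresses and packets are constructed; `203.0.113.178` stands in for the poster's masked `.178` firewall. Fed the posted `permit tcp any eq 3389 host X eq 3389 log` line, an inbound RDP SYN with an ephemeral source port falls through to the next entry in the posted ACL, `permit tcp any host X gt 1023`, which admits it (3389 is greater than 1023) without logging. With the source-port operator removed, the same packet hits the logging entry first.

```python
"""Added example (editor's, not from the thread): a toy first-match evaluator
for the Cisco IOS numbered extended ACL syntax seen in this thread, to show
why 'permit tcp any eq 3389 host X eq 3389 log' never matches an inbound
Remote Desktop connection.  Addresses and packets below are constructed."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "ntp": 123, "netbios-ns": 137, "netbios-ss": 139}


@dataclass
class Packet:
    proto: str              # "tcp", "udp", "icmp", "41", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK or RST set: what 'established' tests


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' -> (ip_network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    prefix = 32 - wild.bit_length()     # IOS wildcard -> prefix length (contiguous masks only)
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def _portmatch(tokens, i):
    """Optional 'eq N' | 'gt N' | 'lt N' | 'range A B' -> (predicate, next index)."""
    op = tokens[i] if i < len(tokens) else None
    if op in ("eq", "gt", "lt"):
        n = _port(tokens[i + 1])
        return {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}[op], i + 2
    if op == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


def parse_ace(line):
    """'access-list N permit|deny PROTO SRC [op] DST [op] [options]' -> dict.
    Port operators only apply to tcp/udp; ICMP type keywords and flags such
    as 'log', 'established' or 'fragments' land in 'options'."""
    t = line.split()
    assert t[0] == "access-list", line
    proto = t[3]
    src, i = _addr(t, 4)
    sp, i = _portmatch(t, i) if proto in ("tcp", "udp") else ((lambda p: True), i)
    dst, i = _addr(t, i)
    dp, i = _portmatch(t, i) if proto in ("tcp", "udp") else ((lambda p: True), i)
    return {"action": t[2], "proto": proto, "src": src, "sp": sp,
            "dst": dst, "dp": dp, "options": set(t[i:]), "text": line}


def evaluate(acl, pkt):
    """First matching entry wins; unmatched traffic hits the implicit deny.
    Only 'log' and 'established' are honoured from the options.
    Returns (action, logged, matched entry text)."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if (ipaddress.ip_address(pkt.src) not in ace["src"]
                or ipaddress.ip_address(pkt.dst) not in ace["dst"]):
            continue
        if pkt.proto in ("tcp", "udp") and not (ace["sp"](pkt.sport) and ace["dp"](pkt.dport)):
            continue
        if "established" in ace["options"] and not pkt.ack:
            continue
        return ace["action"], "log" in ace["options"], ace["text"]
    return "deny", False, "implicit deny ip any any"


FIREWALL = "203.0.113.178"   # constructed stand-in for the poster's ".178" firewall

POSTED = f"access-list 100 permit tcp any eq 3389 host {FIREWALL} eq 3389 log"
FIXED = f"access-list 100 permit tcp any host {FIREWALL} eq 3389 log"
# The entry that follows the RDP line in the posted ACL.  3389 > 1023, so it
# is what actually admits the session today, and it carries no 'log'.
CATCHALL = f"access-list 100 permit tcp any host {FIREWALL} gt 1023"


def rdp_syn(sport=50514):
    """Constructed inbound RDP SYN: the client picks an ephemeral source port."""
    return Packet("tcp", "198.51.100.7", FIREWALL, sport, 3389)


def which_entry(acl_lines, pkt):
    return evaluate([parse_ace(l) for l in acl_lines], pkt)


if __name__ == "__main__":
    for name, acl in (("posted", [POSTED, CATCHALL]), ("fixed", [FIXED, CATCHALL])):
        print(name, which_entry(acl, rdp_syn()))
```

The posted entry only matches when the client happens to use 3389 as its source port too, which a normal RDP client never does. Because the `gt 1023` entry sits after it, the posted ACL also illustrates a general point about first-match lists: a broad permit later in the list can keep a service reachable while a narrower, logging entry above it silently matches nothing.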
  6. Mr. Spadoni

    Mr. Spadoni Guest

    Hello

    Well, I have a static DSL with an 8-IP subnet.

    The first IP is my gateway/router, the Cisco, on the .177 IP.

    On IP .178 there is a firewall that PATs 3389 on its public WAN address
    to a private LAN PC, 192.168.0.138.


    The WAN interface of the Cisco is atm0.35;
    the "public" LAN is eth0.


    I put an ACL on atm0.35 which permits 3389 inbound and logs it.

    For me it is sufficient to log in RAM, even if it clears on reboot.

    Here is the config:


    Current configuration : 8911 bytes
    !
    ! Last configuration change at 10:26:32 CET Fri Sep 15 2006 by maggiore
    ! NVRAM config last updated at 10:26:11 CET Fri Sep 15 2006 by maggiore
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered notifications
    no logging console
    enable password 7 xxxxxxxxxxxxx
    !
    clock timezone CET 1
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 15
    !
    no ip bootp server
    username maggiore SNIP
    !
    !
    !
    interface Ethernet0
    bandwidth 10000
    ip address xxxxxxxxxxx
    ip broadcast-address xxxxxxxxx
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    bandwidth 608
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    atm vc-per-vp 64
    atm ilmi-keepalive
    dsl operating-mode itu-dmt
    hold-queue 224 in
    !
    interface ATM0.35 point-to-point
    bandwidth 1504
    ip address xxxxxxxxxxxxx
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    pvc 8/35
    encapsulation aal5snap
    !
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.35
    no ip http server
    !
    access-list 100 deny ip 0.0.0.0 0.255.255.255 any
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip 169.254.0.0 0.0.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip 192.0.2.0 0.0.0.255 any
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny ip 224.0.0.0 15.255.255.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip host 85.33.96.176 host 85.33.96.176
    access-list 100 deny ip host 85.33.96.177 host 85.33.96.177
    access-list 100 deny ip host 85.33.96.178 host 85.33.96.178
    access-list 100 deny ip host 85.33.96.179 host 85.33.96.179
    access-list 100 deny ip host 85.33.96.180 host 85.33.96.180
    access-list 100 deny ip host 85.33.96.181 host 85.33.96.181
    access-list 100 deny ip host 85.33.96.182 host 85.33.96.182
    access-list 100 deny ip host 85.33.96.183 host 85.33.96.183
    access-list 100 deny ip host 212.97.35.10 host 85.33.96.181
    access-list 100 deny ip host 85.33.96.176 any
    access-list 100 deny ip host 85.33.96.177 any
    access-list 100 deny ip host 85.33.96.178 any
    access-list 100 deny ip host 85.33.96.179 any
    access-list 100 deny ip host 85.33.96.180 any
    access-list 100 deny ip host 85.33.96.181 any
    access-list 100 deny ip host 85.33.96.182 any
    access-list 100 deny ip host 85.33.96.183 any
    access-list 100 deny ip any host 85.33.96.176
    access-list 100 deny ip any host 85.33.96.183
    access-list 100 permit ip host 89.186.68.6 any
    access-list 100 permit udp any any eq ntp
    access-list 100 permit ip any any fragments
    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any echo-reply
    access-list 100 permit icmp any any time-exceeded
    access-list 100 permit icmp any any packet-too-big
    access-list 100 permit icmp any any unreachable
    access-list 100 deny icmp any any
    access-list 100 permit igmp any any
    access-list 100 permit gre any any
    SNIP

    Now focusing on the ACL regarding my ip

    access-list 100 deny tcp any host xxxxxxx.178 eq 135
    access-list 100 deny udp any host xxxxxxx.178 eq 135
    access-list 100 deny tcp any host xxxxxxx.178 range 137 139
    access-list 100 deny udp any host xxxxxxx.178 range netbios-ns netbios-ss
    access-list 100 deny tcp any host xxxxxxx.178 eq 445
    access-list 100 deny udp any host xxxxxxx.178 eq 445
    access-list 100 permit udp any eq domain host xxxxxxx.178 range 1024 5000
    access-list 100 permit tcp any eq 3389 host 8xxxxxxx.178 eq 3389 log
    access-list 100 permit tcp any host xxxxxxx.178 gt 1023
    access-list 100 permit tcp any host xxxxxxx.178 gt 1023 established
    access-list 100 deny tcp any lt 1023 host xxxxxxx.178 lt 1023
    access-list 100 deny udp any lt 1023 host xxxxxxx.178 lt 1023
    access-list 100 permit 41 any host xxxxxxx.178
    access-list 100 deny ip any host xxxxxxx.178
    etc etc etc
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    no cdp run

    etc etc etc
    Mr. Spadoni, Sep 15, 2006
    #6
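One more thing worth checking in the posted config, independent of the ACL itself: it has `logging buffered notifications`, and the earlier `show log` output confirms "Buffer logging: level notifications". IOS reports ACL hits as `%SEC-6-IPACCESSLOGP` (or `%SEC-6-IPACCESSLOGDP` / `%SEC-6-IPACCESSLOGNP` for other protocols), and the 6 is the severity: informational. A buffer capped at notifications (5) keeps only messages of severity 5 and below, so even a correctly written `log` entry will never appear in it. The fix on the logging side is `logging buffered 65536 informational` (or `debugging`, as in the configuration shown in the reply in post #5). The added example below (the editor's, not from the thread; the sample syslog lines are constructed in the IOS message format) filters a message set the way `logging buffered <level>` does and pulls the RDP hits out of the ACL messages, which is the shape of the check a practitioner would run against a real syslog feed.

```python
"""Added example (editor's, not from the thread): IOS syslog severity
filtering and parsing of ACL log messages.  The sample lines are constructed
in the '<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text' format."""
import re

# Severity keywords as accepted by 'logging buffered <level>'; lower is more severe.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

MSG_RE = re.compile(
    r"^(?P<ts>.*?): %(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")

# Body of a %SEC-6-IPACCESSLOGP message (TCP/UDP hit with ports).
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$")

# Constructed sample: one RDP hit, a config change, the 5-minute ACL summary, a link flap.
SAMPLE = [
    "Sep 15 10:30:01 CET: %SEC-6-IPACCESSLOGP: list 100 permitted tcp "
    "198.51.100.7(50514) -> 203.0.113.178(3389), 1 packet",
    "Sep 15 10:30:07 CET: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Sep 15 10:35:01 CET: %SEC-6-IPACCESSLOGP: list 100 permitted tcp "
    "198.51.100.7(50514) -> 203.0.113.178(3389), 37 packets",
    "Sep 15 10:36:44 CET: %LINK-3-UPDOWN: Interface ATM0, changed state to down",
]


def parse(line):
    """Split an IOS log line into timestamp, facility, severity, mnemonic, text."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def buffered(lines, level="notifications"):
    """What 'logging buffered <level>' keeps: messages with severity <= the threshold."""
    limit = LEVELS[level]
    return [r for r in map(parse, lines) if r and r["sev"] <= limit]


def acl_hits(lines, dport=3389):
    """ACL log records aimed at one destination port (inbound RDP by default)."""
    hits = []
    for r in filter(None, map(parse, lines)):
        if r["mnemonic"] != "IPACCESSLOGP":
            continue
        a = ACL_RE.match(r["text"])
        if a and int(a["dport"]) == dport:
            hits.append({**a.groupdict(), "ts": r["ts"], "count": int(a["count"])})
    return hits


if __name__ == "__main__":
    for level in ("notifications", "informational"):
        kept = buffered(SAMPLE, level)
        print(f"logging buffered {level}: {len(kept)} of {len(SAMPLE)} kept,",
              [r["mnemonic"] for r in kept])
    for h in acl_hits(SAMPLE):
        print(h["ts"], h["src"], "->", h["dst"], h["dport"], h["count"], "packets")
```

Two details of the message format matter for anyone building detection on top of it: the first packet of a flow is logged immediately, and later packets are rolled up into periodic summaries with a packet count rather than one line each (the constructed 37-packet line), and the source port in the message is the client's ephemeral port, which is exactly the value the posted ACL entry was wrongly pinning to 3389.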
