PIX501 - How to log denied traffic

Discussion in 'Cisco' started by Markus Sonnenberg, Feb 6, 2012.

  1. Hi,

    I have a pix501, which is running version 6.3(5); I want to have denied
    traffic logged to a syslog server.

    I managed to set up the logging part and I do see that allowed traffic
    is being logged successfully.

    %PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
    %PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)

    but I want to have denied traffic logged as well. I have a deny rule in
    last place but I don't get any syslog messages for this rule.

    Any hints?

    <snip pix config>
    ozean# sh run
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password *** encrypted
    passwd *** encrypted
    hostname ozean
    domain-name ***.com
    no fixup protocol dns
    fixup protocol ftp 21
    no fixup protocol h323 h225 1720
    no fixup protocol h323 ras 1718-1719
    no fixup protocol http 80
    no fixup protocol rsh 514
    no fixup protocol rtsp 554
    no fixup protocol sip 5060
    no fixup protocol sip udp 5060
    no fixup protocol skinny 2000
    no fixup protocol smtp 25
    no fixup protocol sqlnet 1521
    no fixup protocol tftp 69
    names
    name 192.168.2.15 freya.***.com
    name 192.168.2.10 jsyldur.***.com
    name 80.229.116.139 Evil_001
    name 217.89.65.130 arbeit.***.com
    access-list 100 deny ip host Evil_001 any log 4
    access-list 100 permit icmp any any unreachable log 4
    access-list 100 permit icmp any any echo-reply log 4
    access-list 100 permit udp any any eq domain log 4
    access-list 100 permit tcp any any eq domain log 4
    access-list 100 permit tcp any any eq www log 4
    access-list 100 permit tcp any any eq 27 log 4
    access-list 100 permit tcp any any eq smtp log 4
    access-list 100 permit tcp any any eq imap4 log 4
    access-list 100 permit tcp any any eq ftp log 4
    access-list 100 permit tcp host arbeit.***.com any eq 3389 log 4
    access-list 100 permit tcp any any eq 3613 log 4
    access-list 100 permit udp any any eq 3613 log 4
    access-list 100 permit tcp any any eq 6881 log 4
    access-list 100 permit udp any any eq 6881 log 4
    access-list 100 permit tcp any any eq 8080 log 4
    access-list 100 permit icmp any any log 4
    access-list 100 deny ip any any log 4 interval 1
    access-list 200 permit ip 192.168.2.0 255.255.255.0 any log 4
    pager lines 24
    logging on
    logging trap warnings
    logging host inside freya.***.com
    icmp permit any outside
    icmp permit any inside
    mtu outside 1456
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 1000 disable
    ip audit signature 1001 disable
    ip audit signature 1002 disable
    ip audit signature 1003 disable
    ip audit signature 1004 disable
    ip audit signature 1005 disable
    ip audit signature 1006 disable
    ip audit signature 1100 disable
    ip audit signature 1102 disable
    ip audit signature 1103 disable
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2002 disable
    ip audit signature 2003 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    ip audit signature 2006 disable
    ip audit signature 2007 disable
    ip audit signature 2008 disable
    ip audit signature 2009 disable
    ip audit signature 2010 disable
    ip audit signature 2011 disable
    ip audit signature 2012 disable
    ip audit signature 2150 disable
    ip audit signature 2151 disable
    ip audit signature 2154 disable
    ip audit signature 3040 disable
    ip audit signature 3041 disable
    ip audit signature 3042 disable
    ip audit signature 3153 disable
    ip audit signature 3154 disable
    ip audit signature 4050 disable
    ip audit signature 4051 disable
    ip audit signature 4052 disable
    ip audit signature 6050 disable
    ip audit signature 6051 disable
    ip audit signature 6052 disable
    ip audit signature 6053 disable
    ip audit signature 6100 disable
    ip audit signature 6101 disable
    ip audit signature 6102 disable
    ip audit signature 6103 disable
    ip audit signature 6150 disable
    ip audit signature 6151 disable
    ip audit signature 6152 disable
    ip audit signature 6153 disable
    ip audit signature 6154 disable
    ip audit signature 6155 disable
    ip audit signature 6175 disable
    ip audit signature 6180 disable
    ip audit signature 6190 disable
    pdm location 80.153.1.1 255.255.255.255 outside
    pdm location freya.***.com 255.255.255.255 inside
    pdm location jsyldur.***.com 255.255.255.255 inside
    pdm location Evil_001 255.255.255.255 outside
    pdm location arbeit.***.com 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www freya.***.com www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 27 freya.***.com ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 smtp freya.***.com smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 imap4 freya.***.com imap4 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 ftp freya.***.com ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 3389 jsyldur.***.com 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
    static (inside,outside) udp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
    static (inside,outside) udp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
    static (inside,outside) udp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
    static (inside,outside) tcp 80.153.1.1 8080 freya.***.com 8080 netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    access-group 200 in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    snmp-server host inside freya.***.com
    snmp-server location ***
    snmp-server contact ***@***
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 60
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname ***
    vpdn group pppoe_group ppp authentication pap
    vpdn username *** password ********* store-local
    username routeradmin password *** encrypted privilege 15
    terminal width 80
    banner exec Piss Off!
    banner login Piss Off!
    Cryptochecksum:6d630f3096c6b0e6aaaac1d622f0e04b
    : end
    </snip>

    regards
    markus


    ct,
    --
    Jumping off a boundary wall does not count as taking the direct route
    to work.
    http://www.rz-amper.de
    Markus Sonnenberg, Feb 6, 2012
    #1
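    The question above is really about whether deny hits ever reach the syslog host. A small parser for the %PIX-4-106100 lines the poster shows makes that visible: it aggregates hit counts per access-list and action and names any access-list that has logged permits but never a deny. This is an added example, not code from the thread; the regex field names are my own, the two permitted lines come from the post (unwrapped onto one line each), and the denied line and the unrelated syslog line are constructed sample input. ICMP entries may carry different parenthesised values, so the pattern is only checked against tcp/udp lines here.

```python
import re
from collections import Counter

# Pattern for the %PIX-4-106100 "access-list ... hit-cnt" message, built from
# the two permitted lines in the post. Group names are my own choice.
LOG_106100 = re.compile(
    r"%PIX-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Lines quoted from the post (joined onto one line each).
THREAD_LINES = [
    "%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> "
    "inside/2.2.2.2(25) hit-cnt 1 (first hit)",
    "%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> "
    "inside/2.2.2.2(80) hit-cnt 1 (first hit)",
]

# Constructed sample: the same two lines plus a deny hit (documentation address
# 192.0.2.7) and one unrelated syslog line that the parser must ignore.
CONSTRUCTED_LINES = THREAD_LINES + [
    "%PIX-4-106100: access-list 100 denied tcp outside/192.0.2.7(51000) -> "
    "inside/2.2.2.2(23) hit-cnt 3 (300-second interval)",
    "Feb  6 17:20:01 ozean : constructed non-106100 line, should be skipped",
]


def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None for other lines."""
    m = LOG_106100.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Aggregate hit counts per (acl, action) and list ACLs that never logged a deny.

    An access-list that appears only with 'permitted' hits is exactly the
    symptom described in the post: the deny entries exist but produce no
    syslog message at the collector.
    """
    hits = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_106100(line)
        if rec is None:
            unparsed += 1
            continue
        hits[(rec["acl"], rec["action"])] += rec["hits"]
    acls = {acl for acl, _ in hits}
    silent = sorted(acl for acl in acls if hits[(acl, "denied")] == 0)
    return {"hits": dict(hits), "unparsed": unparsed, "acls_without_denies": silent}


if __name__ == "__main__":
    for label, sample in (("thread", THREAD_LINES), ("constructed", CONSTRUCTED_LINES)):
        s = summarize(sample)
        print(label, s["hits"], "unparsed:", s["unparsed"])
        if s["acls_without_denies"]:
            print("  no deny hits seen for access-list(s):", ", ".join(s["acls_without_denies"]))
```

    Run against the poster's two lines the summary names access-list 100 as having no deny hits; with the constructed deny line added the list is empty, which is the state the poster is trying to reach.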

  2. * Markus Sonnenberg wrote:
    > i have a pix501, which is running version 6.3(5), i want to have denied
    > traffic logged to a syslog server.


    Usually the PIX does this automagically.

    > but i want to have logged denied traffic as well. i have a deny rule at
    > last place but i don't get any syslog messages for this rule.


    You do not need to set the logging target. It might confuse the system.

    > access-list 100 deny ip host Evil_001 any log 4


    OTOH I do not see any "permit" rule for outgoing traffic.
    PIX does not insert an "auto-inverted" rule at the end.
    Lutz Donnerhacke, Feb 6, 2012
    #2

    On 2/6/2012 5:20 PM, Lutz Donnerhacke wrote:
    >> i have a pix501, which is running version 6.3(5), i want to have denied
    >> traffic logged to a syslog server.
    >
    > Usually the PIX does this automagically.


    hmm, but not the one which I've configured, and I want to know what I've
    done wrong.

    >> but i want to have logged denied traffic as well. i have a deny rule at
    >> last place but i don't get any syslog messages for this rule.
    >
    > You do not need the set the logging target. It might confuse the system.


    It does not matter whether I have this rule in place or not.

    >> access-list 100 deny ip host Evil_001 any log 4
    >
    > OTOH I do not see any "permit" rule for outgoing traffic.
    > PIX does not insert an "auto-inverted" rule at the end.


    Do I really need to have a permit rule for this rule? I want to block
    this IP for all services.

    ct,
    --
    Jumping off a boundary wall does not count as taking the direct route
    to work.
    http://www.rz-amper.de
    Markus Sonnenberg, Feb 7, 2012
    #3
