https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065556#M396072 <P>Hi all,&nbsp;&nbsp; </P><P></P><P>I am new to logging in the IOS.&nbsp; Fairly new to ZFW too, but have set up ZFW to block all internal sytsems from sending through port 25, except the mail server on the LAN.&nbsp; This is to help stop a spambot which I am trying to identify.&nbsp; As typical, antivirus is not helping. </P><P></P><P>What options should I enable in the IOS (v 15.2) to capture what system(s)is sending on port 25. amd then what commands would I use to monitor the situation?&nbsp; Everything would be at the IOS console.&nbsp; </P><P></P><P>Pleaes and thank you. </P> Tue, 12 Mar 2019 00:19:05 GMT cluovpemb 2019-03-12T00:19:05Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065556#M396072 <P>Hi all,&nbsp;&nbsp; </P><P></P><P>I am new to logging in the IOS.&nbsp; Fairly new to ZFW too, but have set up ZFW to block all internal sytsems from sending through port 25, except the mail server on the LAN.&nbsp; This is to help stop a spambot which I am trying to identify.&nbsp; As typical, antivirus is not helping. </P><P></P><P>What options should I enable in the IOS (v 15.2) to capture what system(s)is sending on port 25. amd then what commands would I use to monitor the situation?&nbsp; Everything would be at the IOS console.&nbsp; </P><P></P><P>Pleaes and thank you. </P> Tue, 12 Mar 2019 00:19:05 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065556#M396072 cluovpemb 2019-03-12T00:19:05Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065557#M396074 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>ip inspect log-drop pkt</P><P></P><P>That will show you logs with the ip addresses, destination and source ports of connections being dropped by the IOS FW,</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Mon, 05 Nov 2012 17:24:33 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065557#M396074 Julio Carvajal 2012-11-05T17:24:33Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065558#M396076 <HTML><HEAD></HEAD><BODY><P> Hi again, </P><P></P><P>It doesn't appear the logging is working or is not configured to show what I need.&nbsp; .&nbsp; </P><P></P><P>IfI do <STRONG>sh ip access-lists INSIDE-OUTSIDE</STRONG>, which is the one I have set with the port 25 blocking, I see in brackets the # of hits the Deny entry has received.&nbsp; </P><P></P><P><STRONG>Extended IP access list INSIDE-OUTSIDE</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp; 10 permit tcp host 192.168.0.123 any eq smtp (74 matches)</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp; 20 deny tcp any any eq smtp (93 matches)</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp; 30 permit ip any any (41236 matches)</STRONG></P><P></P><P>This 93 goes up somewhat steadily, it was in the 80's this morning.&nbsp; </P><P></P><P>if I do <STRONG>sh policy-map type inspect zone-pair inside-outside sessions </STRONG>I see some active sessions, no port 25 activity but tha't fine since this show command is for Active sessions, however here's what's at the bottom of the output: </P><P></P><P><STRONG>Class-map: class-default (match-any)</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Match: any</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Drop</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 93 packets, 2852 bytes<SPAN id="mce_marker"> </SPAN>Class-map: class-default (match-any)<BR /></STRONG>&nbsp;&nbsp; </P><P>So far I can't find any show command that will show me the source of these 93 drops.&nbsp; sh logging | i FW is showing no entries at all, it's almost like logging is broken or something.&nbsp; </P></BODY></HTML> Tue, 06 Nov 2012 19:30:37 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065558#M396076 cluovpemb 2012-11-06T19:30:37Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065559#M396077 <HTML><HEAD></HEAD><BODY><P> It seems that the port 25 hits were just mixed in with a whole bunch of other stuff in the logs.&nbsp; It's a pain to search for since if you do for example sh logging | i :25 yhou get all the timestamps that have that as well.&nbsp; I found a few entries for a PC on the network sending to various IP's over port 25 and have isolated&nbsp; the system.&nbsp; The hit count went up o about 9000 yesterday evening.&nbsp; </P><P></P><P>Just the same, if anybody knows a better technique for handling this type of situation, especially getting better visibility on the offending systems (log filtering?), please advise, thank you.&nbsp; </P></BODY></HTML> Wed, 07 Nov 2012 14:32:33 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065559#M396077 cluovpemb 2012-11-07T14:32:33Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065560#M396078 <HTML><HEAD></HEAD><BODY><P>Colin,</P><P></P><P>What kind of device are you using a PIX or ASA...?&nbsp; I'm not fimiliar with what you listed "ZFW"...</P><P></P><P>Thanks,</P><P>Miguel</P></BODY></HTML> Wed, 07 Nov 2012 15:26:36 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065560#M396078 miguel.desantiago 2012-11-07T15:26:36Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065561#M396079 <HTML><HEAD></HEAD><BODY><P>Hello Collin,</P><P></P><P>You should see it with the ip inspect log drop-pkt ( This if the ZBFW is dropping the packets) In case that the ZBFW is not dropping them of course you will not see the logs, I am 100 % sure about this.</P><P></P><P>Please check the logging setup you have on your router to make sure you have it properly,</P><P></P><P>Regards,</P></BODY></HTML> Wed, 07 Nov 2012 17:30:02 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065561#M396079 Julio Carvajal 2012-11-07T17:30:02Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065562#M396080 <HTML><HEAD></HEAD><BODY><P> Miguel, </P><P></P><P>The ZFW is Cisco's official term for zone-baesd firewall, the new IOS Firewall that is.&nbsp; I am just learning it now whilst also trying to implement it on some devices.&nbsp; </P><P></P><P></P><P>Julio, </P><P></P><P>It didn't seem to show anything for what I was looking for until I added log to the class-default to make it drop log for the inside-outside pair.&nbsp; Via sh ip access-list INSIDE-OUTSIDE, I was seeing an increasing number of hits against the Deny entry for port 25, and yet sh logging | i FW did not produce any results.&nbsp; But, I've done this and re-done this stuff so many times it's hard to say, so I will just wait and see.&nbsp; I've had ip inspect log DROP_PKT enabled since the beginning.&nbsp; I remove other logging options that are currently enabled and see how that goes.&nbsp; I need to get educated on logging <SPAN __jive_emoticon_name="happy"></SPAN> </P></BODY></HTML> Thu, 08 Nov 2012 02:56:40 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065562#M396080 cluovpemb 2012-11-08T02:56:40Z https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065563#M396081 <HTML><HEAD></HEAD><BODY><P>Hello Colin,</P><P></P><P>Glad to see it is showing stuff now, </P><P></P><P>Sure let us know,</P><P></P><P>Regards,</P></BODY></HTML> Thu, 08 Nov 2012 04:00:51 GMT https://community.cisco.com/t5/network-security/blocked-port-25-how-to-log/m-p/2065563#M396081 Julio Carvajal 2012-11-08T04:00:51Z