Blocked Port 25: how to log?

cluovpemb
Level 1

Hi all,  

I am new to logging in the IOS.  Fairly new to ZFW too, but have set up ZFW to block all internal systems from sending through port 25, except the mail server on the LAN.  This is to help stop a spambot which I am trying to identify.  As typical, antivirus is not helping.

What options should I enable in the IOS (v 15.2) to capture what system(s) is sending on port 25, and then what commands would I use to monitor the situation?  Everything would be at the IOS console. 

Please and thank you.

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Colin,

ip inspect log drop-pkt

That will show you logs with the IP addresses, destination and source ports of connections being dropped by the IOS FW.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

7 Replies

Hi again,

It doesn't appear the logging is working, or it is not configured to show what I need.

If I do sh ip access-lists INSIDE-OUTSIDE, which is the one I have set with the port 25 blocking, I see in brackets the # of hits the Deny entry has received. 

Extended IP access list INSIDE-OUTSIDE

    10 permit tcp host 192.168.0.123 any eq smtp (74 matches)

    20 deny tcp any any eq smtp (93 matches)

    30 permit ip any any (41236 matches)

This 93 goes up somewhat steadily; it was in the 80's this morning. 

If I do sh policy-map type inspect zone-pair inside-outside sessions I see some active sessions, no port 25 activity, but that's fine since this show command is for active sessions; however, here's what's at the bottom of the output:

Class-map: class-default (match-any)

      Match: any

      Drop

        93 packets, 2852 bytes

So far I can't find any show command that will show me the source of these 93 drops.  sh logging | i FW is showing no entries at all; it's almost like logging is broken or something. 

It seems that the port 25 hits were just mixed in with a whole bunch of other stuff in the logs.  It's a pain to search for, since if you do for example sh logging | i :25 you get all the timestamps that have that as well.  I found a few entries for a PC on the network sending to various IPs over port 25 and have isolated the system.  The hit count went up to about 9000 yesterday evening. 

Just the same, if anybody knows a better technique for handling this type of situation, especially getting better visibility on the offending systems (log filtering?), please advise, thank you. 
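The filtering problem raised above (grepping for ":25" also matches every timestamp containing ":25") can be avoided by parsing the %FW-6-DROP_PKT messages field by field. The following is an added example, not code from the thread or from Cisco; the log lines are constructed and only approximate the real IOS message format, and the field layout the regex assumes is an assumption.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output. It approximates the layout of
# %FW-6-DROP_PKT messages produced with "ip inspect log drop-pkt"; the
# addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
*Mar  1 10:25:01.123: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.55:49211 203.0.113.7:25 on zone-pair inside-outside class class-default due to Policy drop: classify result with ip ident 0
*Mar  1 10:25:03.451: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(inside-outside:HTTP):Start tcp session: initiator (192.168.0.20:51002) -- responder (198.51.100.9:80)
*Mar  1 10:25:04.002: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.55:49212 203.0.113.8:25 on zone-pair inside-outside class class-default due to Policy drop: classify result with ip ident 0
*Mar  1 10:25:06.777: %FW-6-DROP_PKT: Dropping udp session 192.168.0.31:25 192.0.2.1:53 on zone-pair inside-outside class class-default due to Policy drop: classify result with ip ident 0
*Mar  1 10:25:09.900: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.77:40025 203.0.113.9:25 on zone-pair inside-outside class class-default due to Policy drop: classify result with ip ident 0
"""

# Assumed field order: proto, src:sport, dst:dport, zone-pair, class.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


def parse_drops(log_text):
    """Yield one dict per %FW-6-DROP_PKT line; other messages are skipped."""
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def smtp_drops_by_source(log_text, zone_pair="inside-outside", dport=25):
    """Count dropped TCP sessions to dport, keyed by internal source address.

    Only the destination port is tested, so a UDP flow with source port 25
    or a timestamp containing ":25" is not counted."""
    counts = Counter()
    for rec in parse_drops(log_text):
        if rec["proto"] == "tcp" and rec["dport"] == dport and rec["zp"] == zone_pair:
            counts[rec["src"]] += 1
    return counts


def naive_grep_count(log_text, needle=":25"):
    """What 'show logging | include :25' effectively does: match any line."""
    return sum(1 for line in log_text.splitlines() if needle in line)


if __name__ == "__main__":
    print("lines matched by ':25' grep:", naive_grep_count(SAMPLE_LOG))
    for src, n in smtp_drops_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} dropped SMTP attempts")
```

The hosts at the top of the resulting count are the ones to pull off the network and examine; the same parser works on output saved from the console or collected on a syslog server.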

Colin,

What kind of device are you using, a PIX or ASA...?  I'm not familiar with what you listed, "ZFW"...

Thanks,

Miguel

Hello Collin,

You should see it with the ip inspect log drop-pkt (this is if the ZBFW is dropping the packets). In case the ZBFW is not dropping them, of course you will not see the logs; I am 100% sure about this.

Please check the logging setup you have on your router to make sure you have it properly,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Miguel,

The ZFW is Cisco's official term for zone-based firewall, the new IOS Firewall that is.  I am just learning it now whilst also trying to implement it on some devices. 

Julio,

It didn't seem to show anything for what I was looking for until I added log to the class-default to make it drop log for the inside-outside pair.  Via sh ip access-list INSIDE-OUTSIDE, I was seeing an increasing number of hits against the Deny entry for port 25, and yet sh logging | i FW did not produce any results.  But I've done this and re-done this stuff so many times it's hard to say, so I will just wait and see.  I've had ip inspect log DROP_PKT enabled since the beginning.  I'll remove other logging options that are currently enabled and see how that goes.  I need to get educated on logging.

Hello Colin,

Glad to see it is showing stuff now,

Sure let us know,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC