11-05-2012 06:08 AM - edited 03-11-2019 05:19 PM
Hi all,
I am new to logging in the IOS. Fairly new to ZFW too, but have set up ZFW to block all internal systems from sending through port 25, except the mail server on the LAN. This is to help stop a spambot which I am trying to identify. As typical, antivirus is not helping.
What options should I enable in the IOS (v 15.2) to capture what system(s) is sending on port 25, and then what commands would I use to monitor the situation? Everything would be at the IOS console.
Please and thank you.
11-05-2012 09:24 AM
Hello Colin,
ip inspect log-drop pkt
That will show you logs with the ip addresses, destination and source ports of connections being dropped by the IOS FW,
Regards,
Julio
11-06-2012 11:30 AM
Hi again,
It doesn't appear the logging is working, or it is not configured to show what I need.
If I do sh ip access-lists INSIDE-OUTSIDE, which is the one I have set with the port 25 blocking, I see in brackets the # of hits the Deny entry has received.
Extended IP access list INSIDE-OUTSIDE
10 permit tcp host 192.168.0.123 any eq smtp (74 matches)
20 deny tcp any any eq smtp (93 matches)
30 permit ip any any (41236 matches)
This 93 goes up somewhat steadily, it was in the 80's this morning.
If I do sh policy-map type inspect zone-pair inside-outside sessions I see some active sessions, no port 25 activity, but that's fine since this show command is for active sessions. However, here's what's at the bottom of the output:
Class-map: class-default (match-any)
Match: any
Drop
93 packets, 2852 bytes Class-map: class-default (match-any)
So far I can't find any show command that will show me the source of these 93 drops. sh logging | i FW is showing no entries at all, it's almost like logging is broken or something.
11-07-2012 06:32 AM
It seems that the port 25 hits were just mixed in with a whole bunch of other stuff in the logs. It's a pain to search for, since if you do for example sh logging | i :25 you get all the timestamps that have that as well. I found a few entries for a PC on the network sending to various IPs over port 25 and have isolated the system. The hit count went up to about 9000 yesterday evening.
Just the same, if anybody knows a better technique for handling this type of situation, especially getting better visibility on the offending systems (log filtering?), please advise, thank you.
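The filtering problem raised above (sh logging | i :25 matching timestamps as well as ports) is easier to solve by parsing the %FW-6-DROP_PKT lines than by grepping them. The script below is an added example, not code from the thread or from Cisco; it pulls the dropped-packet lines out of a pasted sh logging buffer, keeps only drops toward a chosen destination port, and counts them per source address so the noisiest internal host stands out. The log lines are constructed to resemble the IOS zone-based firewall DROP_PKT format (an assumption about the exact wording; adjust the regular expression to the real output of your router), and the addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample of a "show logging" buffer. The DROP_PKT wording is an
# assumed approximation of the IOS ZBFW message; addresses are documentation ranges.
SAMPLE_LOG = """\
Nov  7 08:01:12.101: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.55:49152 203.0.113.25:25 on zone-pair inside-outside class class-default due to  DROP action found in policy-map with ip ident 0
Nov  7 08:01:13.250: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.55:49153 198.51.100.7:25 on zone-pair inside-outside class class-default due to  DROP action found in policy-map with ip ident 0
Nov  7 08:01:25.004: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(inside-outside:class-default):Start tcp session: initiator (192.168.0.123:51000) -- responder (198.51.100.7:25)
Nov  7 08:02:25.330: %FW-6-DROP_PKT: Dropping udp session 192.168.0.77:53211 203.0.113.53:53 on zone-pair inside-outside class class-default due to  DROP action found in policy-map with ip ident 0
Nov  7 08:03:25.999: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.201:3344 192.0.2.9:25 on zone-pair inside-outside class class-default due to  DROP action found in policy-map with ip ident 0
Nov  7 08:03:26.100: %FW-6-DROP_PKT: Dropping tcp session 192.168.0.55:49154 192.0.2.10:25 on zone-pair inside-outside class class-default due to  DROP action found in policy-map with ip ident 0
"""

# Matches the protocol, source ip:port, destination ip:port and zone-pair of a drop line.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+) "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+) "
    r"on zone-pair (?P<zone_pair>\S+)"
)


def naive_grep_count(log_text, needle):
    """What 'sh logging | i <needle>' would return: every line containing the text,
    including lines where it only appears inside the timestamp."""
    return sum(1 for line in log_text.splitlines() if needle in line)


def parse_drops(log_text):
    """Return one dict per DROP_PKT line with the fields pulled out of it."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # audit-trail starts, interface changes, etc. are skipped
        rec = m.groupdict()
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        drops.append(rec)
    return drops


def top_talkers(log_text, dst_port=25, proto="tcp"):
    """Count drops per source address for one destination port and protocol,
    so the internal host generating the SMTP attempts is obvious."""
    counts = Counter()
    for d in parse_drops(log_text):
        if d["dst_port"] == dst_port and d["proto"] == proto:
            counts[d["src_ip"]] += 1
    return counts


if __name__ == "__main__":
    print("lines matching ':25' the grep way:", naive_grep_count(SAMPLE_LOG, ":25"))
    print("drops toward tcp/25 by source:")
    for ip, n in top_talkers(SAMPLE_LOG).most_common():
        print(f"  {ip:<16} {n}")
```

On the constructed buffer the plain ':25' match hits all six lines, including an allowed session from the mail server and a DNS drop whose timestamp happens to contain :25, while the parsed count shows only the two internal hosts actually sending toward tcp/25. To use it on a real router, paste the output of sh logging into a file and read it in place of SAMPLE_LOG; the message wording may differ by IOS release, so compare one real line against DROP_RE first.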
11-07-2012 07:26 AM
Colin,
What kind of device are you using, a PIX or ASA...? I'm not familiar with what you listed, "ZFW"...
Thanks,
Miguel
11-07-2012 09:30 AM
Hello Collin,
You should see it with the ip inspect log drop-pkt (this is if the ZBFW is dropping the packets). In case the ZBFW is not dropping them, of course you will not see the logs, I am 100% sure about this.
Please check the logging setup you have on your router to make sure you have it properly,
Regards,
11-07-2012 06:56 PM
Miguel,
The ZFW is Cisco's official term for zone-based firewall, the new IOS Firewall that is. I am just learning it now whilst also trying to implement it on some devices.
Julio,
It didn't seem to show anything for what I was looking for until I added log to the class-default to make it drop log for the inside-outside pair. Via sh ip access-list INSIDE-OUTSIDE, I was seeing an increasing number of hits against the Deny entry for port 25, and yet sh logging | i FW did not produce any results. But I've done this and re-done this stuff so many times it's hard to say, so I will just wait and see. I've had ip inspect log DROP_PKT enabled since the beginning. I will remove the other logging options that are currently enabled and see how that goes. I need to get educated on logging.
11-07-2012 08:00 PM
Hello Colin,
Glad to see it is showing stuff now,
Sure let us know,
Regards,