06-22-2004 11:25 AM - edited 02-20-2020 11:28 PM
Is it possible to log unwanted traffic destined for the outside interface, such as port scans and non-IDS traffic, i.e. denied TCP/UDP traffic? For example: a Cisco PIX 501 with a DHCP-assigned outside interface. Is it possible to log denied connections to the outside interface IP address without going to debug syslog levels? Traffic would never be addressed to an inside address, those being private, so how is logging possible? Traffic destined for the IP address of the external interface is simply not logged, for whatever reason. I'm looking for 106023-type messages.
06-22-2004 07:36 PM
To see 106023 log messages for denied packets you do still need an ACL on the interface, something like:
access-list inbound deny ip any any
access-group inbound in interface inside
To see 106100 messages, which have more detail than 106023's, add the "log" keyword to the end of the ACL.
Either way, these are syslog messages so to see them you need to configure the "logging" command appropriately.
06-23-2004 04:40 AM
All that did was block inside traffic from going out, logging 106023's. I want 106023's logged when someone is scanning my outside IP, which is in fact my only IP. I changed the 710005 to a warning level, which does essentially what I want (logging denied access to that IP), but I thought there was a way to get 106023 and similar.
06-23-2004 05:59 PM
Whoops, I told you to add that to the inside interface, which is wrong (actually I thought I changed that after the fact, but it mustn't have taken). Apply the access-list as follows:
access-group inbound in interface outside
Note it is applied to the outside int, NOT the inside like my original post says. Your internal users will still be able to go out now and their return traffic will be allowed back in. Anything originated from the outside should be logged.
My apologies again.
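As an added illustration (not part of this thread or of Cisco's own tooling), here is a small parser for the 106023 and 106100 deny messages the answers mention, run over constructed sample syslog lines; it groups denies aimed at the firewall's own outside address by source so that a source probing many ports stands out. The message layouts, the RFC 5737 addresses, the ACL name "inbound" and the min_ports threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in PIX syslog style (not a real capture).
SAMPLE_LOG = """\
Jun 22 2004 11:25:01 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/4321 dst outside:198.51.100.5/23 by access-group "inbound"
Jun 22 2004 11:25:02 pix %PIX-4-106023: Deny tcp src outside:192.0.2.10/4322 dst outside:198.51.100.5/80 by access-group "inbound"
Jun 22 2004 11:25:02 pix %PIX-4-106023: Deny udp src outside:192.0.2.10/4323 dst outside:198.51.100.5/161 by access-group "inbound"
Jun 22 2004 11:25:03 pix %PIX-6-106100: access-list inbound denied tcp outside/203.0.113.7(55555) -> outside/198.51.100.5(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jun 22 2004 11:25:04 pix %PIX-6-106100: access-list inbound permitted tcp inside/10.0.0.5(1025) -> outside/203.0.113.9(80) hit-cnt 1 first hit [0x0, 0x0]
Jun 22 2004 11:25:05 pix %PIX-3-710005: TCP request discarded from 192.0.2.10/4324 to outside:198.51.100.5/443
"""

# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
RE_106023 = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?.*?by access-group "?(?P<acl>[^"\s]+)"?')
# 106100: access-list <acl> denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt N ...
RE_106100 = re.compile(
    r'%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) '
    r'(?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)')

def parse_line(line):
    """Return a dict for a 106023 or denied 106100 message, None for anything else."""
    m = RE_106023.search(line)
    if m:
        d = m.groupdict()
        return {"msg": "106023", "proto": d["proto"], "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]) if d["dport"] else None, "acl": d["acl"], "hits": 1}
    m = RE_106100.search(line)
    if m and m.group("action") == "denied":
        d = m.groupdict()
        return {"msg": "106100", "proto": d["proto"], "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]), "acl": d["acl"], "hits": int(d["hits"])}
    return None  # permitted entries and other message IDs (e.g. 710005) are skipped

def denied_events(log_text):
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]

def hits_on_outside(events, outside_ip):
    """Map source IP -> set of (proto, dport) it was denied to on the firewall's outside address."""
    ports = defaultdict(set)
    for ev in events:
        if ev["dst"] == outside_ip:
            ports[ev["src"]].add((ev["proto"], ev["dport"]))
    return dict(ports)

def scan_suspects(events, outside_ip, min_ports=3):
    """Sources denied on at least min_ports distinct (proto, port) pairs of the outside address."""
    return sorted(src for src, p in hits_on_outside(events, outside_ip).items() if len(p) >= min_ports)

if __name__ == "__main__":
    evs = denied_events(SAMPLE_LOG)
    print(len(evs), "denies;", "suspects:", scan_suspects(evs, "198.51.100.5"))
```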