12-17-2009 06:35 AM - edited 03-11-2019 09:49 AM
Hi everyone.
I have a question regarding how the PIX handles logging. PIX 515E IOS 6.3(5)
We currently have an outside global NAT (IP example 10.0.0.1) that we send out emails from.
Sometimes it happens that our customers send emails (bounces, after a while) back to our NAT IP, and we would like to find this in our syslog.
The problem is, since we don't have 10.0.0.1 (outside NAT) anywhere in our "acl-outside", which is bound to the outside interface, we don't get any hits on the ACL = no logging to syslog on deny rules?
Shouldn't a "deny ip any any" make a deny statement in the log for any attempts from the outside trying to access our 10.0.0.1, even though we don't have a SAT statement?
If I do a capture on the interface with that specific IP, we can see requests coming in, but it doesn't show in the log/syslog for those attempts.
Does anyone understand what I'm trying to say?
Thanks
BR
12-18-2009 10:11 AM
Yeah BR, you are right. Since there are no specific ACLs matching the outside global IP 10.0.0.1, you can have a deny ip any any (though it is implicitly denied) for management purposes. Now, when the packet matches the permit statement, syslog isn't triggered, but when the packet hits the deny, the PIX firewall generates a syslog message similar to this:
%PIX-4-106019: IP packet from source_addr to 10.0.0.1, protocol protocol received from interface outside deny by access-group outside.
Have appropriate logging levels configured for this message to come: "logging buffered". But when we need such implicit messages, we might need debug level, and that would fill the logs fast, depending on the traffic pattern...
Hope this helps. All the best.
Raj
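As an added illustration, not from the thread: a small Python filter for the access-group deny messages Raj describes, run over constructed sample syslog lines. It parses %PIX-4-106019 (the format quoted above, which carries no port numbers) and the per-port %PIX-4-106023 deny message, and reports what was denied toward the global NAT address. All addresses and log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic). 106019 carries no ports;
# 106023 does, so a denied attempt on port 25 is only visible in the latter.
SAMPLE_LOG = """\
%PIX-4-106019: IP packet from 192.0.2.10 to 10.0.0.1, protocol 6 received from interface outside deny by access-group acl-outside
%PIX-4-106023: Deny tcp src outside:192.0.2.10/40112 dst inside:10.0.0.1/25 by access-group acl-outside
%PIX-4-106023: Deny tcp src outside:198.51.100.7/52010 dst inside:10.0.0.1/25 by access-group acl-outside
%PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:10.0.0.2/53 by access-group acl-outside
%PIX-6-302013: Built inbound TCP connection 12 for outside:192.0.2.10/40113 (192.0.2.10/40113) to inside:10.0.0.1/25 (10.0.0.1/25)
"""

RE_106019 = re.compile(
    r'%PIX-\d-106019: IP packet from (?P<src>\S+) to (?P<dst>[^,]+), protocol (?P<proto>\S+) '
    r'received from interface (?P<ifc>\S+) deny by access-group (?P<acl>\S+)')
# Newer code quotes the ACL name; the optional quote keeps both forms parseable.
RE_106023 = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src [^:\s]+:(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? '
    r'dst [^:\s]+:(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))? by access-group "?(?P<acl>[^"\s]+)')


def parse_deny(line):
    """Return a dict for an access-group deny message, or None for any other line."""
    for rx in (RE_106019, RE_106023):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            d.setdefault("sport", None)  # 106019 has no port fields
            d.setdefault("dport", None)
            return d
    return None


def denies_to(lines, dst_ip, dport=None):
    """Deny messages whose destination is dst_ip (and, if given, destination port dport)."""
    hits = []
    for line in lines:
        d = parse_deny(line)
        if d is None or d["dst"] != dst_ip:
            continue
        if dport is not None and d["dport"] != str(dport):
            continue
        hits.append(d)
    return hits


def summarize(lines, dst_ip):
    """Count denied packets toward dst_ip, keyed by (protocol, destination port)."""
    counts = Counter()
    for d in denies_to(lines, dst_ip):
        counts[(d["proto"], d["dport"])] += 1
    return counts
```

Running summarize(SAMPLE_LOG.splitlines(), "10.0.0.1") on the constructed input yields two tcp/25 denies and one port-less 106019 deny, which is the view BR is after once the deny rule actually logs.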
12-20-2009 09:59 AM
Hi Raj, and thanks for the help.
We do have a "deny ip any any" statement in the acl-outside, but that doesn't make it log the attempts on port 25 on the 10.0.0.1 IP.
We also have debugging on, which sends all the packets to the syslog servers, but that doesn't give any "hits" either.
I'm guessing we have to make a "deny tcp any host 10.0.0.1 eq 25" just to get it into the ACL... hopefully that will help.
I hope it doesn't need a static statement to log attempts.
Thanks for the advice though.
BR, and merry Christmas!
12-20-2009 02:20 PM
I don't believe so. The firewall would just drop it.
In the 7.x and above code the following can be seen in the "asp drop" capture.
syntax: cap capasp type asp-drop all
sh cap capasp
37: 16:59:21.420571 802.1Q vlan#10 P0 10.117.14.66.53098 > 172.18.254.34.33389: S 2378760599:2378760599(0) win 65535
timestamp 472649372 0,sackOK,eol> Drop-reason: (acl-drop) Flow is denied by configured rule
-KS