Using ACL Logging in PIX 6.3

sgoldman
Level 1

I'm trying to use the logging facility to refine an Access List in a test network. At the end of a list of ACEs I have a "permit ip any any log 5".

I had the idea that only the flows that had fallen through all of my other rules would reach this last rule and be logged. But what looks to be happening is that anything that hits the interface and is permitted by any of my rules is being logged. When I do a "show access-list" I can see that only a small number of flows are actually making it down to that last rule, but I can't identify what flows they are in the vast number of logged messages.

Is there any way to accomplish what I'm trying to do, without simply denying what I may have overlooked and fixing the fallout?
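One way to recover the information the catch-all ACE was meant to give, as an added example that is not part of the thread: take the 106100 syslog lines the PIX emits and the explicit ACEs that precede the trailing "permit ip any any log", and keep only the permitted flows that none of the explicit ACEs would have matched. The ACE list, the syslog lines and the 5-tuple matching rules below are constructed for the example; the message layout follows the PIX 106100 format (access-list name, action, protocol, interface/address(port) pairs).

```python
import re
import ipaddress

# PIX 106100 syslog layout: "... 106100: access-list <acl> permitted|denied <proto>
# <ifc>/<src>(<sport>) -> <ifc>/<dst>(<dport>) hit-cnt <n> ..."
LOG_RE = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"\S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed stand-ins for the explicit ACEs that sit above the catch-all,
# as (protocol, source network, destination network, destination port or None for any).
EXPLICIT_ACES = [
    ("tcp", "10.1.1.0/24", "192.168.1.10/32", 80),
    ("udp", "0.0.0.0/0", "192.168.1.53/32", 53),
]

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOGS = [
    "%PIX-6-106100: access-list outside_in permitted tcp outside/10.1.1.5(33456) -> inside/192.168.1.10(80) hit-cnt 1 (first hit)",
    "%PIX-6-106100: access-list outside_in permitted udp outside/172.16.0.9(5353) -> inside/192.168.1.53(53) hit-cnt 1 (first hit)",
    "%PIX-6-106100: access-list outside_in permitted tcp outside/10.1.1.5(40001) -> inside/192.168.1.10(443) hit-cnt 1 (first hit)",
    "%PIX-6-106100: access-list outside_in permitted tcp outside/10.9.9.9(1234) -> inside/192.168.1.10(80) hit-cnt 1 (first hit)",
    "%PIX-6-106100: access-list outside_in denied tcp outside/10.9.9.9(1235) -> inside/192.168.1.20(22) hit-cnt 1 (first hit)",
]


def ace_matches(ace, proto, src, dst, dport):
    """True if the flow (proto, src, dst, dport) would be matched by this ACE."""
    a_proto, a_src, a_dst, a_port = ace
    if a_proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(a_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(a_dst):
        return False
    return a_port is None or a_port == dport


def fallthrough_flows(log_lines, aces=EXPLICIT_ACES):
    """Distinct permitted flows that no explicit ACE matched, i.e. the ones only
    the trailing 'permit ip any any log' could have permitted."""
    seen = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "permitted":
            continue  # unparsable line, or a deny that never reached the catch-all
        flow = (m["proto"], m["src"], m["dst"], int(m["dport"]))
        if not any(ace_matches(a, *flow) for a in aces):
            seen.add(flow)
    return sorted(seen)


if __name__ == "__main__":
    for flow in fallthrough_flows(SAMPLE_LOGS):
        print("reached catch-all:", flow)
```

The two flows left over are the ones to write explicit ACEs for (or to deny), which is the refinement the catch-all was added to support.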


fedrodri
Level 1

Hi,

It should be working the way that you set it up. The 'log' option should be working only on the ACE to which you have applied it to (from the command reference); and you should be getting syslogs only from the flows that matched that particular ACE. If there are no "denies" before that particular "permit ip any any" ACE, then you should not get any 106023 messages, and only the 106100 messages that you would expect from that ACE.

Did you create the ACEs with PDM, by any chance? Please verify that you don't have the log option on the rest of the ACEs before the one you mentioned; please be aware that if you set the 'log disable' option then you would be turning off the ACL logging feature.

If you do a 'show access-list' and confirm that only ACE with the "permit ip any any" has the log option on it, then I would think that this might be a bug or something, because log messages matching that ACE only should be logged.

Federico Rodriguez

Hi Federico,

I double checked my ACL and the log option is only present on that last "permit any any" statement. There are no "deny" statements in the list at all.

I did use PDM to turn on the logging option but the list was originally configured with the CLI. At this point I will just try to re-enter a new list from scratch and change the access-group command just to see what happens, but I think this is a bug.

Thanks for your input.

I just wanted to follow up in case anyone else runs into the same problem. I eventually created a different access-list with the exact same entries. When I switched over to it with the access-group command, logging began to behave in the expected manner. My conclusion is that this is either a bug or a "feature" that involves updating a currently executing acl.

Thanks for confirming my sanity with your original reply to my posting.
