1720 logging

kidem
Level 1

How can I log if I'm getting DDoS attacks? I tried the logging command but it seems to only log internal to outside. Am I doing something wrong?

Thanks

7 Replies

Hello,

Can you post what you have configured so far? What are you logging?

Regards,

GP

Here is what I have:

Syslog logging: enabled (0 messages dropped, 41 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 25601 messages logged, xml disabled
Monitor logging: level warnings, 0 messages logged, xml disabled
Buffer logging: disabled, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 25649 message lines logged
Logging to 10.10.10.66, 25649 message lines logged, xml disabled

Here is the total config:

Current configuration : 3742 bytes
!
! Last configuration change at 06:02:08 est Sun Jan 2 2005
! NVRAM config last updated at 06:02:09 est Sun Jan 2 2005
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 1720_FW
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 informational
logging monitor warnings
enable secret xxxx
enable password xxxx
!
memory-size iomem 20
clock timezone est 5
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
ip dhcp pool dhcppool
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.200
 lease 7
!
no ip bootp server
ip cef
!
!
!
!
interface Loopback0
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0
 ip address dhcp
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
ip nat translation timeout 60
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 10.10.10.60 21 interface Ethernet0 21
ip nat inside source static tcp 10.10.10.60 20 interface Ethernet0 20
ip nat inside source static tcp 10.10.10.60 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.10.10.60 1494 interface Ethernet0 1494
ip classless
no ip http server
!
!
ip access-list extended internet-in
logging source-interface Ethernet0
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015 log
access-list 100 permit tcp any host 10.10.10.60 eq 3389 log
access-list 100 permit tcp any any eq ftp log
access-list 100 permit tcp any eq ftp-data any gt 1023 log
access-list 100 permit tcp any eq ftp any gt 1023 log
access-list 100 permit tcp any any established log
access-list 100 permit tcp any any log
access-list 100 permit ip any any log
access-list 100 permit icmp any any net-unreachable
access-list 100 permit icmp any any host-unreachable
access-list 100 permit icmp any any port-unreachable
access-list 100 permit icmp any any parameter-problem
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any source-quench
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any ttl-exceeded
access-list 100 permit tcp any host 10.10.10.60 eq 1494
access-list 101 permit ip any any log
access-list 101 permit tcp any any log
access-list 101 permit tcp any any established log
access-list 101 permit icmp any any net-unreachable
access-list 101 permit icmp any any host-unreachable
access-list 101 permit icmp any any port-unreachable
access-list 101 permit icmp any any parameter-problem
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any ttl-exceeded
access-list 101 deny ip 0.0.0.0 255.255.0.0 any
no cdp run
banner motd ^CC
****************************
* WARNING *
****************************
!
line con 0
line aux 0
line vty 0 3
 access-class 1 in
 password 7 1508
 login
 telnet refuse-negotiations
line vty 4
 access-class 1 in
 password 7
 login
 telnet refuse-negotiations
!
1720_FW#

Thanks for posting the config. It may be helpful.

But first I think we need to be more clear about what you are asking. I think I gather from the original post that you are concerned about Denial of Service attacks. But I am not sure what your question is, or what it is that you are trying to accomplish. If you clarify that, it will be a start toward solving your issue.

If you are concerned about Denial of Service attacks, I would suggest that you would probably be better protected if you used reflexive access lists, and you would be better protected against DoS by using an IDS rather than router access lists.

I do have a couple of observations about the access list in your configuration. Access list 100 is logging all traffic through the interface. If you want to identify traffic (and especially if you want to be able to identify DoS), logging it is one way to accomplish it. But I suggest that you think about the load it will generate in your network to send all of these to your logging server, the load on the server, and the effort it will take to look through these log records when you need to investigate anything. Secondly, none of the access list statements dealing with ICMP will have any effect, because part way into the list you have a permit ip any any log, and all traffic will be permitted by this and not be evaluated by the ICMP conditions in the access list. Also, I find it a bit strange to have an access list of multiple statements which permits everything. Most access lists deny some traffic.

HTH

Rick


OK, I'm trying to clean up my access list. With my access list I don't understand why I have to permit ip any any to get out. Why is this? Here is what I have now for the ACL:

access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 100 permit tcp any host 10.10.10.60 range 13010 13015 log
access-list 100 permit tcp any host 10.10.10.60 eq 3389 log
access-list 100 permit tcp any host 10.10.10.60 eq 1494
access-list 100 permit tcp any any eq ftp
access-list 100 permit ip any any
access-list 101 permit tcp any any established log
access-list 101 permit ip any any

For some reason I have to have ip any any to get out. What am I missing? I don't want to permit ip any from outside in. Thanks for your help.

Hello,

From the config you posted it is not clear how your traffic is being routed; are you using a routing protocol or static routes?

In order to find out what traffic is being blocked, you could change the statement 'permit ip any any' to 'deny ip any any log' and log the output to the console; this should tell you which traffic you need to allow.

Regards,

GP

OK, I figured it out. Thanks for your help. I have another problem: what is the easiest way to map multiple ports to a client? I need all of these open. I don't think I have a DMZ on this. Any ideas, or do I have to open each port and map each NAT port?

UDP: 3500, 3658, 6779, 45000, 45001, 55301-08

TCP: 80, 443, 6668, 40000, 40100-102, 42000, 51012-51020
