Questions about logging ACL activity for analysis

beekerc
Level 1

I'm trying to analyze traffic through a Cisco 1720 so I can finalize the ACLs to protect the network. Ethernet-0 is connected to the DSL modem, Ethernet-1 is connected to the DMZ network and the FastEthernet-0 is connected to the private network. I'm basically blocking all inbound traffic from the public side except DNS responses, web and return traffic from inside activity, but I'm allowing all traffic across the other interfaces in such a way as to log activity. Here are snippets from the config files.

!
! Set up logging
!
logging on
logging 192.168.1.13
logging trap debugging
no logging buffered
no logging console
no logging facility
no logging history size
no logging rate-limit
!
! Set interface addresses
!
interface Ethernet0
description Public static IP interface
no ip address
ip address 207.225.227.225 255.255.255.248
ip address 207.225.227.226 255.255.255.248 secondary
ip address 207.225.227.227 255.255.255.248 secondary
ip address 207.225.227.229 255.255.255.248 secondary
ip nat outside
full-duplex
no shutdown
exit
interface Ethernet1
description DMZ network interface
no ip address
ip address 192.168.2.1 255.255.255.0
ip nat inside
full-duplex
no shutdown
exit
interface FastEthernet0
description Private network interface
no ip address
ip address 192.168.1.1 255.255.255.0
ip nat inside
full-duplex
speed auto
no shutdown
exit
!
! Establish default route out
!
ip default-gateway 207.225.227.230
ip route 0.0.0.0 0.0.0.0 207.225.227.230 permanent
!
! Set up NAT from internal networks to public IP pool
!
no ip access-list standard All-Internal-Interfaces
no ip access-list extended All-Internal-Interfaces
ip access-list extended All-Internal-Interfaces
permit tcp any any established log
permit icmp 192.168.001.000 000.000.000.255 any log
permit tcp 192.168.001.000 000.000.000.255 any range 1 65535 log
permit udp 192.168.001.000 000.000.000.255 any range 1 65535 log
permit icmp 192.168.002.000 000.000.000.255 any log
permit tcp 192.168.002.000 000.000.000.255 any range 1 65535 log
permit udp 192.168.002.000 000.000.000.255 any range 1 65535 log
deny ip any any log
exit
!
ip nat pool Public-Interface-NAT 207.225.227.229 207.225.227.229 netmask 255.255.255.248
ip nat inside source list All-Internal-Interfaces pool Public-Interface-NAT overload
!
! Set up NAT from public to assigned DMZ addresses
!
ip nat inside source static 192.168.002.003 207.225.227.225
ip nat inside source static 192.168.002.004 207.225.227.226
ip nat inside source static 192.168.002.005 207.225.227.227
!!!!!!!!!!
! PUBLIC !
!!!!!!!!!!
no ip access-list extended Public-Interface-IN
ip access-list extended Public-Interface-IN
permit icmp any any log
! -- Allowed traffic to web server
permit tcp any host 207.225.227.225 eq WWW log
permit tcp any host 207.225.227.225 eq 443 log
! -- Allow DNS replies back to the NAT pool ports
permit udp any eq DOMAIN host 207.225.227.229 log
! -- Allow established connections through NAT pool ports
permit tcp any host 207.225.227.229 established log
exit
no ip access-list extended Public-Interface-OUT
ip access-list extended Public-Interface-OUT
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
interface Ethernet 0
ip access-group Public-Interface-IN in
ip access-group Public-Interface-OUT out
exit
!!!!!!!
! DMZ !
!!!!!!!
no ip access-list extended DMZ-Interface-IN
ip access-list extended DMZ-Interface-IN
permit tcp any any established log
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
no ip access-list extended DMZ-Interface-OUT
ip access-list extended DMZ-Interface-OUT
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
interface Ethernet 1
ip access-group DMZ-Interface-IN in
ip access-group DMZ-Interface-OUT out
exit
!!!!!!!!!!!
! Private !
!!!!!!!!!!!
no ip access-list extended Private-Interface-IN
ip access-list extended Private-Interface-IN
permit tcp any any established log
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
no ip access-list extended Private-Interface-OUT
ip access-list extended Private-Interface-OUT
permit tcp any any range 1 65535 log
permit udp any any range 1 65535 log
permit icmp any any log
exit
interface FastEthernet 0
ip access-group Private-Interface-IN in
ip access-group Private-Interface-OUT out
exit
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Here are my questions:

1) Since traffic through the router has to traverse two interfaces, why does it only send one entry to syslog? I.e. a web request from the outside has to pass inbound through the public interface (Public-Interface-IN ACL) and then outbound through the DMZ interface (DMZ-Interface-OUT ACL) to reach the web server. Shouldn't logging create an entry for both interfaces, since each one has an ACL in effect and one rule must be matched on each? Why do I only see one entry instead of two in syslog?

2) I often see a lot of "access-list logging rate-limited or missed XX packets". Does this mean that there were actual packets that didn't get passed through the router? Or does it mean that there was some packet traffic that should have generated log entries but didn't get logged? I'm currently in a testing environment, so I know it's not being overloaded. Is there any way to fix this so that (either packets or log messages) are not dropped?

Thanks
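As an added example (not part of the original post, and not a Cisco tool), here is a small Python script that parses the syslog lines these `log` ACEs produce and tallies, per ACL, how many packets were logged as permitted or denied, alongside how many packets the "rate-limited or missed" message reports as having no log line of their own. The sample lines are constructed for this example using the ACL names and addresses from the config above; they assume the standard IOS message forms `%SEC-6-IPACCESSLOGP` (tcp/udp with ports), `%SEC-6-IPACCESSLOGDP` (icmp) and `%SEC-6-IPACCESSLOGRL`, plus the optional `(interface mac)` field that the `log-input` keyword adds to an entry, which is one way to read from the log itself which interface a packet entered on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog export (not from the original post). Hostnames,
# sequence numbers, addresses and packet counts are made up; the ACL names
# match the config in the question.
SAMPLE_LOG = """\
Jan  1 10:00:01 192.168.1.1 12: %SEC-6-IPACCESSLOGP: list Public-Interface-IN permitted tcp 203.0.113.7(40321) -> 207.225.227.225(80), 1 packet
Jan  1 10:00:01 192.168.1.1 13: %SEC-6-IPACCESSLOGP: list Public-Interface-IN permitted tcp 203.0.113.7(40322) -> 207.225.227.225(443), 1 packet
Jan  1 10:00:02 192.168.1.1 14: %SEC-6-IPACCESSLOGP: list Public-Interface-IN denied tcp 198.51.100.9(5555) -> 207.225.227.225(23), 1 packet
Jan  1 10:00:03 192.168.1.1 15: %SEC-6-IPACCESSLOGDP: list DMZ-Interface-OUT permitted icmp 203.0.113.7 -> 192.168.2.3 (8/0), 1 packet
Jan  1 10:00:04 192.168.1.1 16: %SEC-6-IPACCESSLOGP: list DMZ-Interface-OUT permitted tcp 203.0.113.7(40321) (Ethernet0 0000.0c12.3456) -> 192.168.2.3(80), 1 packet
Jan  1 10:05:01 192.168.1.1 17: %SEC-6-IPACCESSLOGP: list Public-Interface-IN permitted tcp 203.0.113.7(40321) -> 207.225.227.225(80), 37 packets
Jan  1 10:05:02 192.168.1.1 18: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 20 packets
Jan  1 10:05:03 192.168.1.1 19: %SYS-5-CONFIG_I: Configured from console by console
"""

# One ACE hit: mnemonic suffix P (tcp/udp), DP (icmp/ip), NP (other protocols).
# The "(ifc mac)" group after the source is only present when the ACE uses
# log-input instead of log; the "(type/code)" group only appears for icmp.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifc>\S+) (?P<mac>[0-9a-fA-F.]+)\))?"
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)
# The rate-limit summary the question asks about.
RL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (?P<missed>\d+) packets?"
)


def parse_line(line):
    """Return ("acl", fields) for an ACE hit, ("missed", n) for a rate-limit
    message, or None for anything else."""
    m = ACL_RE.search(line)
    if m:
        fields = m.groupdict()
        fields["count"] = int(fields["count"])
        return ("acl", fields)
    m = RL_RE.search(line)
    if m:
        return ("missed", int(m.group("missed")))
    return None


def summarize(log_text):
    """Aggregate packets per ACL and action, per flow, and the unlogged total."""
    per_acl = defaultdict(Counter)      # acl -> {"permitted": n, "denied": n}
    flows = Counter()                   # (acl, proto, src, dst, dport) -> packets
    missed = logged = unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec[0] == "missed":
            missed += rec[1]
        else:
            f = rec[1]
            per_acl[f["acl"]][f["action"]] += f["count"]
            flows[(f["acl"], f["proto"], f["src"], f["dst"], f["dport"])] += f["count"]
            logged += f["count"]
    return {
        "per_acl": {acl: dict(c) for acl, c in per_acl.items()},
        "flows": flows,
        "logged": logged,     # packets accounted for by an ACE log line
        "missed": missed,     # packets the router says it could not log
        "unparsed": unparsed,
    }


def report(summary):
    """Human-readable view of the summary, one line per ACL plus the gap."""
    lines = []
    for acl, counts in sorted(summary["per_acl"].items()):
        lines.append(f"{acl}: permitted={counts.get('permitted', 0)} denied={counts.get('denied', 0)}")
    total = summary["logged"] + summary["missed"]
    lines.append(f"logged {summary['logged']} of {total} ACL-matched packets; "
                 f"{summary['missed']} had no log line (rate-limited or missed)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

The per-flow counter is keyed on the ACL name, so an entry that appears under both Public-Interface-IN and DMZ-Interface-OUT shows up as two distinct flows, which makes the one-entry-or-two question in 1) answerable from the exported log rather than by eye.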

1 Reply

nikhil_m
Level 1

1. I guess that is the correct way... only one entry in syslog...

2. Not sure.