02-14-2006 12:31 PM - edited 03-03-2019 01:50 AM
I have been tasked with securing a SCADA LAN with many devices/app's that need to talk outside of this subnet. I thought that an easy way to build the ACL would be to use an ACL like "permit ip any any log" and then slowly add the lines as they appear in the logs. The problem is that this list only produces statements in the logs that show IP and protocol and not port. See below:
SEC-6-IPACCESSLOGP: list 100 permitted udp a.b.c.d(0) -> 224.0.6.127(0)
I tuned it further by doing this:
permit udp any any log
permit tcp any any log
This had the exact same results. Only port 0.
This is on a 1760 router running 123-7.T9
Can anyone tell me what I am doing wrong? Maybe it is just not possible to do this with a permit statement?
TIA
02-20-2006 12:31 PM
The log keyword, causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets.
When access lists are configured with the log-input keyword, tcp/udp ports are only displayed when the processing of the access lists requires the port number to be extracted for comparison. If the port is not required, the log messages will display 0 as the port number. The log is expected to report the port number if and only if a port number is mentioned in the ACL.
02-20-2006 12:39 PM
Hugh,
Expanding on what Thomas said, try this:
permit udp any range 0 65535 any range 0 65535 log
permit tcp any range 0 65535 any range 0 65535 log
This will put TCP and UDP port numbers into your logged output. (Range 0 65535 covers all possible port numbers).
02-21-2006 06:17 AM
Thanks for the replies guys. The TAC said the reason that the port numbers weren't showing up was because I did not have any port numbers in the same statement as the log. Putting in just one port number, even if it is a port you will never use, acts like a switch and activates port number display for everything.
08-05-2020 04:57 PM
You need at least 1 ACE listing ports to match:
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq 22
After a single statement you will see the ports in log.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide