02-11-2015 04:59 AM - edited 02-20-2020 09:43 PM
One or more devices on the network are the reason why we get blacklisted.
I've created an ACL record to block all outgoing traffic to a specific IP address.
How can I find out what local IP address or MAC address generates matches on this ACL record?
02-11-2015 07:03 PM
Hello Erwin-
You can use the "log" keyword at the end of your ACL. This will generate a log message every time a device/IP address matches that rule. That should tell you the source IP. Once you find the source IP, you can use "show ip arp" to get the MAC address of the endpoint.
I hope this helps!
Thank you for rating helpful posts!
02-11-2015 11:36 PM
Hi Neno,
thanks for your reaction.
I already tried the log keyword, but I get following notification.
"access-list with 'log' not supported, pls remove 'log' from access-list otherwise class-map ISP_INSP_CM will not work properly."
Any other idea?
02-12-2015 01:55 AM
Hmm, can you share your config here so we can better understand what you are working with?
02-12-2015 11:25 AM
Hi Neno,
attached you'll find the router config for you. It's a Cisco 891.
Of course, I made a few changes in names and/or IP addresses and passwords.
I've added the 2 red lines in the ACL.
When I do "sh ip access-list COMP_ISP_INSP_ACL" I see there are a few matches on the rule I entered. It's only around 40 matches a day, and not every day. So the infected device doesn't want to connect all day long.
That's why I want to get it monitored.
Hope you know how I can get it solved.
02-13-2015 06:00 PM
Hmm, is this the only L3 device on the network? Or do you have another L3 device (like a L3 switch) where you could perhaps place an ACL with the "log" keyword? You can just have two statements: deny to that IP with the log keyword, and one that permits everything else.
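The two suggestions in this thread (the "log" keyword plus "show ip arp" in the first reply, and the two-line deny-with-log / permit-everything ACL in the last one) put together as a worked IOS configuration. This is an added example, not the original poster's config or a reply from the thread. It assumes that a second, log-only ACL that is not referenced by any class-map can be bound with "ip access-group" to the LAN-facing interface of the same 891 (the thread proposes a separate L3 device; the same two lines work there as well). The blacklisted destination 203.0.113.10, the LAN interface Vlan1, the inside network 192.168.1.0/24, the syslog host 192.168.1.5 and the host 192.168.1.77 in the sample output are all placeholders, not values from the thread.

```cisco
! Added example, not the thread's own config. All addresses and the
! interface name are assumptions; replace them with your own values.
!
! 1. A separate extended ACL whose only job is to log. It is NOT the ACL
!    referenced by class-map ISP_INSP_CM, so "log" is accepted here.
ip access-list extended LOG_BLACKLIST_SRC
 deny   ip any host 203.0.113.10 log
 permit ip any any
!
! 2. Apply it inbound on the LAN side, so the logged source address is the
!    inside host's real IP, before NAT rewrites it on the way out.
interface Vlan1
 ip access-group LOG_BLACKLIST_SRC in
!
! 3. Keep the messages somewhere you can read them later. Hits are rare
!    (a few dozen a day), so console-only logging will lose them.
logging buffered 64000 informational
logging host 192.168.1.5
!
! 4. Each hit produces a message of this shape (sample line, constructed):
!    %SEC-6-IPACCESSLOGP: list LOG_BLACKLIST_SRC denied tcp
!        192.168.1.77(49152) -> 203.0.113.10(80), 1 packet
show logging | include LOG_BLACKLIST_SRC
!
! 5. Map the inside IP to its MAC address, then the MAC to a switchport
!    on the 891's built-in switch.
show ip arp 192.168.1.77
show mac address-table address 0011.2233.4455
```

Two caveats worth knowing before relying on the counts: because the log-only ACL is evaluated on the inbound interface, it drops the packet first, so the deny line in COMP_ISP_INSP_ACL will stop accumulating matches once this is in place. And ACL logging is rate-limited by design: the first matching packet is logged immediately and later ones are summarized at intervals, so the number of log lines will not equal the number of packets; the source IP is what you are after, and that is in every line.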