Named extended Access Control List logging issue.

zyontrific
Level 1

Hi,

I have used ACLs for many years and not had too many issues. I am on a new client site and as part of a Port Authentication project we planned on using extended access control lists to monitor traffic fully open to help write the correct ACL for the services using the ACL. The issue I have found is using the ACL below the logging->syslog does not show the port number which is exactly what we are after. We do have other non-named extended ACLs that do log the port number as well.

Running: Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH3a, RELEASE SOFTWARE (fc1)

ip access-list extended Access-List-Example

permit ip any any log
deny   ip any any log

Log output:

Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list Access-List-Example permitted tcp nnn.nnn.nnn.nnn(0) -> xxx.xxx.xxx.xxx(0), 1 packet

On a normal extended access list we get this in a log output:

access-list 120 permit ip host nnn.nnn.nnn.nnn xxx.xxx.xxx.0 0.0.0.7 log

Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp nnn.nnn.nnn.nnn(3874) -> xxx.xxx.xxx.xxx(5001), 1 packet

This one shows the port numbers - I was wondering what little thing I have missed out on logging for this as I checked: http://www.cisco.com/web/about/security/intelligence/acl-logging.html and I see that using the log switch should do this as it shows the port numbers in their example.

I am sure it'll be something simple but I can't figure it out - I have searched Cisco for any odd caveats for named ACLs that don't log port numbers but can't find anything easily. Just wondered if anyone else has come across this.

Thanks

Z.

Accepted Solution

Jennifer Halim
Cisco Employee

For the port number to show up in logs, you would need to create the access-list as follows:

ip access-list extended Access-List-Example

     permit tcp any gt 0 any gt 0 log
     permit udp any gt 0 any gt 0 log


Hope that helps.


4 Replies


Halijenn,

That's done it, thanks. I think the extended ACL that was using just ip but getting port numbers was swaying my judgement.

Ended up using this to capture everything we wanted:

10 permit tcp any gt 0 any gt 0 log
20 permit udp any gt 0 any gt 0 log
30 permit icmp any any log
40 deny   ip any any log

Thank you very much.

Z.

I didn't get it. Why do we need to specify port number gt 0? If I don't specify anything, shouldn't it show all the port numbers?

Without the port number (gt 0) it will not show the port number. It will only show TCP or UDP without the port number in the logs.
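As an added example (not part of this thread), a small Python parser for the %SEC-6-IPACCESSLOGP lines shown above that flags ACLs whose tcp/udp entries report port (0), which is the symptom discussed here; the sample log lines and addresses are constructed.

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGP syslog lines and flag entries that report
src/dst port 0, which is what an ACE matching on 'ip' (or tcp/udp with no port
operator) produces instead of the real port numbers."""
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the thread; addresses are made up.
SAMPLE_LOG = """\
Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list Access-List-Example permitted tcp 10.1.1.5(0) -> 10.2.2.9(0), 1 packet
Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 10.1.1.5(3874) -> 10.2.2.9(5001), 1 packet
Mar 22 09:32:10: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.1.1.7(514) -> 10.2.2.9(514), 3 packets
"""

LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int

    @property
    def has_ports(self) -> bool:
        # IOS prints (0) for both ports when the ACE did not match on ports.
        return self.sport != 0 or self.dport != 0

def parse_ipaccesslogp(text: str) -> list[AclLogEntry]:
    """Return one AclLogEntry per IPACCESSLOGP line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOGP_RE.search(line)
        if m:
            g = m.groupdict()
            entries.append(AclLogEntry(g["acl"], g["action"], g["proto"], g["src"],
                                       int(g["sport"]), g["dst"], int(g["dport"]),
                                       int(g["count"])))
    return entries

def acls_without_port_logging(entries: list[AclLogEntry]) -> list[str]:
    """ACLs whose tcp/udp entries show no ports; candidates for the 'gt 0' rewrite."""
    return sorted({e.acl for e in entries if e.proto in ("tcp", "udp") and not e.has_ports})
```

Feed it the router's syslog export and any ACL it names still has a logging ACE written on `ip` (or tcp/udp without a port operator) rather than the `gt 0` form from the accepted answer.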
