03-22-2010 04:31 AM - edited 03-09-2019 10:53 PM
Hi,
I have used ACLs for many years and not had too many issues. I am on a new client site and as part of a Port Authentication project we planned on using extended access control lists to monitor traffic fully open to help write the correct ACL for the services using the ACL. The issue I have found is using the ACL below the logging->syslog does not show the port number which is exactly what we are after. We do have other non named extended ACLs that do log the port number as well.
Running: Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH3a, RELEASE SOFTWARE (fc1)
ip access-list extended Access-List-Example
permit ip any any log
deny ip any any log
Log output:
Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list Access-List-Example permitted tcp nnn.nnn.nnn.nnn(0) -> xxx.xxx.xxx.xxx(0), 1 packet
On a normal extended access list we get this in a log output:
access-list 120 permit ip host nnn.nnn.nnn.nnn xxx.xxx.xxx.0 0.0.0.7 log
Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp nnn.nnn.nnn.nnn(3874) -> xxx.xxx.xxx.xxx(5001), 1 packet
This one shows the port numbers - I was wondering what little thing I have missed out on logging for this as I checked: http://www.cisco.com/web/about/security/intelligence/acl-logging.html and I see that using the log switch should do this as it shows the port numbers in their example.
I am sure it'll be something simple but I can't figure it out - I have searched Cisco for any odd caveats for named ACLs that don't log port numbers but can't find anything easily. Just wondered if anyone else has come across this.
Thanks
Z.
03-22-2010 05:42 AM
For the port number to show up in logs, you would need to create the access-list as follows:
ip access-list extended Access-List-Example
permit tcp any gt 0 any gt 0 log
permit udp any gt 0 any gt 0 log
Hope that helps.
03-22-2010 06:02 AM
Halijenn,
That's done it thanks - I think the extended ACL that was using just ip but getting port numbers was swaying my judgement.
Ended up using to capture everything we wanted:
10 permit tcp any gt 0 any gt 0 log
20 permit udp any gt 0 any gt 0 log
30 permit icmp any any log
40 deny ip any any log
Thank you very much.
Z.
05-13-2012 10:57 PM
I didn't get it. Why do we need to specify port number gt 0? If I don't specify anything, shouldn't it show all the port numbers?
05-14-2012 12:51 AM
Without the port number (gt 0) it will not show the port number. It will only show TCP or UDP without the port number in the logs.
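Since the point of the thread is to turn the "permit everything and log" phase into a tight ACL, here is an added example (not from the thread or from Cisco) that parses %SEC-6-IPACCESSLOGP syslog lines in the format shown above, flags entries whose ports are logged as (0) (an ACE that matched on ip rather than tcp/udp, so no layer-4 information was recorded), aggregates the real destination ports seen per host, and drafts permit ACEs from them. The log lines and addresses are constructed placeholders; the ACE format it emits is an assumption about how you would write the resulting named ACL.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %SEC-6-IPACCESSLOGP format; the first line
# mirrors the thread's problem (ports logged as 0 because the ACE matched on "ip").
SAMPLE_LOG = """\
Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list Access-List-Example permitted tcp 10.0.0.5(0) -> 10.0.1.9(0), 1 packet
Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 10.0.0.5(3874) -> 10.0.1.9(5001), 1 packet
Mar 22 09:31:50: %SEC-6-IPACCESSLOGP: list 120 permitted udp 10.0.0.7(49152) -> 10.0.1.9(514), 3 packets
Mar 22 09:32:01: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 10.0.0.8(40001) -> 10.0.1.9(23), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict of fields for one IPACCESSLOGP line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Split log text into (services, unqualified).

    services maps (dst, proto, dport) -> packet count for entries carrying real ports.
    unqualified maps ACL name -> packet count for entries logged with both ports as 0,
    i.e. the matching ACE was written with "ip" and needs tcp/udp port qualifiers.
    """
    services = defaultdict(int)
    unqualified = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["sport"] == 0 and rec["dport"] == 0:
            unqualified[rec["acl"]] += rec["count"]
            continue
        services[(rec["dst"], rec["proto"], rec["dport"])] += rec["count"]
    return dict(services), dict(unqualified)


def suggest_aces(services, seq_start=10, step=10):
    """Draft one permit ACE per observed destination service in named-ACL sequence form
    (assumed layout; review each line before deploying)."""
    aces = []
    seq = seq_start
    for (dst, proto, dport) in sorted(services):
        aces.append(f"{seq} permit {proto} any host {dst} eq {dport}")
        seq += step
    return aces


if __name__ == "__main__":
    found, missing_l4 = summarize(SAMPLE_LOG)
    for acl, pkts in missing_l4.items():
        print(f"ACL {acl}: {pkts} packet(s) logged without ports; qualify its ACEs with tcp/udp")
    for ace in suggest_aces(found):
        print(ace)
```

Run it over a syslog export from the monitoring period; any ACL reported under "logged without ports" is still matching on ip and will not give you the service ports until its entries are rewritten the way the accepted answer shows.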