I have used ACLs for many years and not had too many issues. I am on a new client site and as part of a Port Authentication project we planned on using extended access control lists to monitor traffic fully open to help write the correct ACL for the services using the ACL. The issue I have found is that using the ACL below, the logging->syslog does not show the port number, which is exactly what we are after. We do have other non-named extended ACLs that do log the port number as well.
Running: Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH3a, RELEASE SOFTWARE (fc1)
ip access-list extended Access-List-Example
permit ip any any log
deny ip any any log
Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list Access-List-Example permitted tcp nnn.nnn.nnn.nnn(0) -> xxx.xxx.xxx.xxx(0), 1 packet
On a normal extended access list we get this in a log output:
access-list 120 permit ip host nnn.nnn.nnn.nnn xxx.xxx.xxx.0 0.0.0.7 log
Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp nnn.nnn.nnn.nnn(3874) -> xxx.xxx.xxx.xxx(5001), 1 packet
This one shows the port numbers - I was wondering what little thing I have missed out on logging for this, as I checked http://www.cisco.com/web/about/security/intelligence/acl-logging.html and I see that using the log switch should do this, as it shows the port numbers in their example.
I am sure it'll be something simple but I can't figure it out - I have searched Cisco for any odd caveats about named ACLs that don't log port numbers but can't find anything easily. Just wondered if anyone else has come across this.
That's done it, thanks - I think the extended ACL that was using just ip but getting port numbers was swaying my judgement.
Ended up using this to capture everything we wanted:
10 permit tcp any gt 0 any gt 0 log
20 permit udp any gt 0 any gt 0 log
30 permit icmp any any log
40 deny ip any any log
Thank you very much.
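As an added example (not from the thread or from Cisco), here is a small parser for the %SEC-6-IPACCESSLOGP lines quoted above that flags ACLs whose entries log both ports as 0, the symptom the thread describes for a protocol-agnostic "permit ip ... log" entry. The sample lines are constructed from the two quoted messages with placeholder addresses; the field layout is assumed from those quotes.

```python
import re
from typing import Optional

# Layout assumed from the messages quoted in the thread:
# "list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), N packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[^(\s]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Constructed sample lines (addresses are placeholders, not from the thread).
SAMPLE_LOGS = [
    "Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list Access-List-Example permitted tcp "
    "10.0.0.5(0) -> 192.0.2.10(0), 1 packet",
    "Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp "
    "10.0.0.5(3874) -> 192.0.2.10(5001), 1 packet",
]


def parse_acl_log(line: str) -> Optional[dict]:
    """Extract the ACL name, action, protocol, endpoints and ports; None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "packets"):
        entry[key] = int(entry[key])
    return entry


def ports_missing(entry: dict) -> bool:
    """True when a tcp/udp hit was logged with both ports as 0, i.e. the matching
    ACE did not record port information (the 'permit ip ... log' case in the thread)."""
    return entry["proto"] in ("tcp", "udp") and entry["sport"] == 0 and entry["dport"] == 0


def acls_without_port_logging(lines) -> set:
    """Names of ACLs whose log output carries no port numbers; these are the entries
    to rewrite as tcp/udp ACEs with port qualifiers before using the logs to derive rules."""
    flagged = set()
    for line in lines:
        entry = parse_acl_log(line)
        if entry and ports_missing(entry):
            flagged.add(entry["acl"])
    return flagged
```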