What alert level shows the source and dest ports on denied packets?

jjaime
Level 1

Hello dear all,

I'm working with Pix IOS ver 5.3 and syslog servers. I need to know the source and destination ports of denied packets on the internal and external interfaces of the Pix.

I put the Pix alert level on informational, but it only shows me the IP source/dest and the protocol type (tcp, udp...).

Ex: Mar 12 14:24:37 xxx.xxx.xxx.xxx Mar 12 2003 09:16:16: %PIX-4-106019: IP packet from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx, protocol udp received from interface "inside" deny by access-group "CSM-acl-inside

What is the alert level that shows me the source and dest ports on denied packets?

The problem with the debug level is that it also shows me a lot of information that I don't need.

Thanks a lot for your help.

=======================================

Julio Jaime

Americas Zone Security Administrator

Accor Services

jjaime@accorservices.com.ar

=======================================

3 Replies

gfullage
Cisco Employee

Syslog message 106019 was changed in a bunch of versions a while ago to include the port numbers (CSCdr68251). You can check the bug details here:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdr68251&Submit=Search

to upgrade to a version that'll include those for you.

shannong
Level 4

As previously stated, upgrade and you'll get the port numbers included. Another "trick" is to place a "deny ip any any" at the end of your access-list. Functionally, this doesn't affect traffic at all, as all ACLs have an implicit deny at the end. The good news is that the Pix will log denies for the ACL at level 4 rather than level 6 (or is it 7?). The Pix considers explicit ACL denies a higher priority than implicit denies.
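The two answers above combine into one practical syslog-side approach: keep the collector at a severity that still catches the level-4 ACL deny messages (so an explicit "deny ip any any" gets logged without pulling in level 6/7 noise), and pull the ports out of the message text where the firmware includes them. The following parser is an added example written for this thread; it is not code from the original posts or from Cisco. The first sample line mirrors the 106019 layout quoted in the question (no ports); the second uses the "interface:address/port" layout of the later 106023 deny message as I recall it, which is an assumption to check against your own PIX output; the remaining lines are constructed non-deny messages that the filter must ignore. All addresses are constructed documentation addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog lines (not taken from the original thread).
# Line 1: pre-fix 106019 layout from the question, no ports.
# Line 2: assumed port-bearing layout (106023 style, "iface:addr/port").
# Lines 3-4: connection-build and command-audit messages at levels 6 and 7,
#            which a deny filter should drop.
SAMPLE_LINES = [
    'Mar 12 14:24:37 192.0.2.10 Mar 12 2003 09:16:16: %PIX-4-106019: IP packet from '
    '192.0.2.50 to 198.51.100.7, protocol udp received from interface "inside" '
    'deny by access-group "CSM-acl-inside"',
    'Mar 12 14:25:01 192.0.2.10 Mar 12 2003 09:16:40: %PIX-4-106023: Deny tcp src '
    'inside:192.0.2.51/33012 dst outside:198.51.100.8/445 by access-group "CSM-acl-inside"',
    'Mar 12 14:25:02 192.0.2.10 Mar 12 2003 09:16:41: %PIX-6-302013: Built outbound TCP '
    'connection 12 for outside:198.51.100.9/80 (198.51.100.9/80) to '
    'inside:192.0.2.52/40001 (192.0.2.52/40001)',
    'Mar 12 14:25:03 192.0.2.10 Mar 12 2003 09:16:42: %PIX-7-111009: User enable_15 '
    'executed cmd: show version',
]


@dataclass
class DenyEvent:
    severity: int          # the digit in %PIX-<severity>-<id>
    msg_id: str            # six-digit message id, e.g. "106019"
    proto: str
    src_ip: str
    src_port: Optional[int]   # None when the firmware did not log ports
    dst_ip: str
    dst_port: Optional[int]
    interface: Optional[str]  # interface the packet arrived on
    acl: Optional[str]        # access-group that denied it


# Common PIX syslog header: "%PIX-<severity>-<id>: <body>"
HEADER_RE = re.compile(r'%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$')

# Pre-fix 106019 body, as quoted in the question (no ports). The closing quote on
# the ACL name is optional because the line in the question is truncated there.
OLD_DENY_RE = re.compile(
    r'IP packet from (?P<src>\S+) to (?P<dst>\S+), protocol (?P<proto>\w+) '
    r'received from interface "(?P<iface>[^"]+)" deny by access-group "?(?P<acl>[^"]+)"?'
)

# Assumed port-bearing body: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
NEW_DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<siface>[^:]+):(?P<src>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<diface>[^:]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) by access-group "?(?P<acl>[^"]+)"?'
)


def parse_line(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for an ACL deny message, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    sev, msg_id, body = int(m.group('sev')), m.group('id'), m.group('body')

    n = NEW_DENY_RE.match(body)
    if n:  # port-bearing layout
        return DenyEvent(sev, msg_id, n['proto'], n['src'], int(n['sport']),
                         n['dst'], int(n['dport']), n['siface'], n['acl'])
    o = OLD_DENY_RE.match(body)
    if o:  # legacy layout: ports are simply not present
        return DenyEvent(sev, msg_id, o['proto'], o['src'], None,
                         o['dst'], None, o['iface'], o['acl'])
    return None


def acl_denies(lines: List[str], max_severity: int = 4) -> List[DenyEvent]:
    """Keep ACL deny events at severity <= max_severity (lower number = more urgent).

    With max_severity=4 this captures explicit ACL denies (level 4) while
    dropping the level 6/7 connection and debug chatter.
    """
    return [ev for ev in map(parse_line, lines)
            if ev is not None and ev.severity <= max_severity]


if __name__ == "__main__":
    for ev in acl_denies(SAMPLE_LINES):
        ports = f"{ev.src_port}->{ev.dst_port}" if ev.src_port is not None else "ports not logged"
        print(f"{ev.msg_id} {ev.proto} {ev.src_ip} -> {ev.dst_ip} [{ports}] "
              f"on {ev.interface} by {ev.acl}")
```

When the firmware still emits the legacy 106019 text, `src_port`/`dst_port` come back as `None` rather than a guessed value, so downstream reporting can tell "port not logged" apart from a parsed port; after an upgrade to a release that carries the port numbers, the same filter picks them up without changing the collector's severity threshold.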

Thanks very much.

I'm glad with your answers.

JJ