03-13-2013 06:50 AM - edited 03-07-2019 12:13 PM
I have a weird issue that is confusing me: we want to catch DNS and SMTP traffic going to some specific server that is due to be retired. I decided that the simplest solution was to use an IP access-list that would log the interesting traffic.
However, despite the access-list catching the correct flows for both cases, nothing is logged for the port 25 (tcp) case.
We want to log traffic from any source going to destination 10.141.10.35 port 25 (tcp) and from any to 10.141.10.31 port 53 (udp).
Extended IP access list 110
5 permit tcp any host 10.141.10.35 eq smtp log (59 estimate matches)
10 permit udp any host 10.141.10.31 eq domain log (5978 estimate matches)
20 permit ip any any (240561 estimate matches)
The IP access list is then added to the IP interface:
interface Vlan10
ip address 10.141.10.2 255.255.255.0
ip access-group 110 in
ip access-group 110 out
From the logs we can see that all the UDP port 53 traffic is logged as expected, but I do not see a single entry for TCP port 25, despite the ACL clearly catching relevant traffic.
Switch#sh logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 48320 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 1115 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 5974 messages logged, xml disabled,
filtering disabled
Exception Logging: size (8192 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 48033 message lines logged
Logging to 10.12.10.147 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
48033 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
Log Buffer (4096 bytes):
Mar 13 08:34:58.290 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56120) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:03.303 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56121) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:08.280 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56122) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:14.276 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.120.251(60439) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:18.301 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56123) -> 10.141.10.31(53), 1 packet
This is done on a C4506 v12.2(54)SG SUP 6-E running with IP Base image.
For the sake of troubleshooting, I even went as far as making an entry 4 permit ip any host 10.141.10.31 log, again with no result.
I'm starting to believe I'm missing something very basic, but have probably stared myself blind by now. Any suggestions?
03-16-2013 03:25 PM
Hello Rene,
Did you see the match counter increment and still no entry in the log?
The difference between the match counters of the two entries is quite big; maybe the SMTP entry just got lost among the other log entries.
5 permit tcp any host 10.141.10.35 eq smtp log (59 estimate matches)
10 permit udp any host 10.141.10.31 eq domain log (5978 estimate matches)
Best Regards
Please rate all helpful posts and close solved questions
03-16-2013 10:17 PM
Hi Blau_grana,
You are right, it would be easy to miss the SMTP log if we were just logging to the buffer or console, but they are also being sent to a syslog DB and no records are found there either.
5 permit tcp any host 10.141.10.35 eq smtp log (783 estimate matches)
10 permit udp any host 10.141.10.31 eq domain log (32595 estimate matches)
Since we more or less have the information we needed from the port 53 logging, I've disabled that, and yet still nothing from the port 25 logging, despite the match counter increasing.
5 permit tcp any host 10.141.10.35 eq smtp log (790 estimate matches)
10 permit udp any host 10.141.10.31 eq domain (11 estimate matches)
03-16-2013 11:01 PM
Update:
I created a 2nd access list:
Extended IP access list 111
5 permit tcp host 10.141.10.35 eq smtp any gt 0 log (11 estimate matches)
10 permit ip any any (34 estimate matches)
And linked it to the physical interface on which the server is located:
interface GigabitEthernet2/25
ip access-group 111 in
Now we are getting results:
Mar 17 00:50:18.439 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(36933), 3 packets
Mar 17 00:50:18.439 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(37000), 1 packet
Mar 17 00:50:18.443 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(36909), 2 packet
In both cases the ACLs are "correct" and do intercept the interesting traffic, but with list 110 the ACL is applied on the L3 interface and with 111 it's applied at the L2 interface; where the difference in the actual log entries comes into play I don't quite understand yet.
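As an added example (not from the thread), a small Python parser for the %SEC-6-IPACCESSLOGP lines shown above that totals logged packets per list, protocol, destination and port, and reports expected flows with no log entry at all. Run against a syslog export, this confirms whether the SMTP entries are truly absent rather than buried among the DNS ones; the sample lines are copied from the thread's log buffer, and the expected-flow tuples are an assumption derived from entries 5 and 10 of ACL 110.

```python
import re
from collections import Counter

# Shape of the IOS %SEC-6-IPACCESSLOGP message as seen in the thread:
# "<ts>: %SEC-6-IPACCESSLOGP: list <acl> permitted <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+ \w+): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)

# Sample input copied from the thread's log buffer, plus one non-ACL header line to show unrelated lines are skipped.
SAMPLE_LINES = [
    "Log Buffer (4096 bytes):",
    "Mar 13 08:34:58.290 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56120) -> 10.141.10.31(53), 1 packet",
    "Mar 13 08:35:03.303 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56121) -> 10.141.10.31(53), 1 packet",
    "Mar 13 08:35:14.276 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.120.251(60439) -> 10.141.10.31(53), 1 packet",
    "Mar 17 00:50:18.439 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(36933), 3 packets",
]

# Flows ACL 110 is expected to log (assumption based on entries 5 and 10): (acl, proto, dst, dport).
EXPECTED_FLOWS = [
    ("110", "tcp", "10.141.10.35", 25),
    ("110", "udp", "10.141.10.31", 53),
]

def parse_line(line):
    """Parse one IPACCESSLOGP line into a dict; return None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Total logged packets per (acl, proto, dst, dport), comparable to the ACL match counters."""
    totals = Counter()
    for rec in filter(None, map(parse_line, lines)):
        totals[(rec["acl"], rec["proto"], rec["dst"], rec["dport"])] += rec["pkts"]
    return totals

def missing_flows(lines, expected=EXPECTED_FLOWS):
    """Return the expected flows that have no log entry at all (the SMTP symptom in the thread)."""
    seen = summarize(lines)
    return [flow for flow in expected if flow not in seen]
```

Note that the Mar 17 line from list 111 is the server-to-client direction (source port 25), so it does not count toward the expected client-to-server SMTP flow and the tool still reports that flow as missing.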