Logging in an IP access-list issue

rkirkeby
Level 1

I have a weird issue that is confusing me. We want to catch DNS and SMTP traffic going to some specific servers that are due to be retired. I decided that the simplest solution was to use an IP access-list that would log the interesting traffic.

However, despite the access-list catching the correct flows for both cases, nothing is logged for the port 25 (tcp) case.

We want to log traffic from any source going to destination 10.141.10.35 port 25 (tcp) and from any source to 10.141.10.31 port 53 (udp).

Extended IP access list 110
    5 permit tcp any host 10.141.10.35 eq smtp log (59 estimate matches)
    10 permit udp any host 10.141.10.31 eq domain log (5978 estimate matches)
    20 permit ip any any (240561 estimate matches)

The IP access list is then applied to the IP interface:

interface Vlan10
 ip address 10.141.10.2 255.255.255.0
 ip access-group 110 in
 ip access-group 110 out

From the logs we can see that all the UDP port 53 traffic is logged as expected, but I do not see a single entry for TCP port 25, despite the ACL clearly catching the relevant traffic.

Switch#sh logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 48320 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 1115 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 5974 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 48033 message lines logged
        Logging to 10.12.10.147 (udp port 514, audit disabled,
              authentication disabled, encryption disabled, link up),
              48033 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled

Log Buffer (4096 bytes):

Mar 13 08:34:58.290 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56120) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:03.303 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56121) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:08.280 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56122) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:14.276 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.120.251(60439) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:18.301 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56123) -> 10.141.10.31(53), 1 packet

This is done on a C4506 v12.2(54)SG SUP 6-E running the IP Base image.

For the sake of troubleshooting, I even went as far as making an entry 4 Permit IP any host 10.141.10.31 log; again, no result.

I'm starting to believe I'm missing something very basic, but I have probably stared myself blind by now. Any suggestions?

3 Replies

blau grana
Level 7

Hello Rene,

Did you see the match counter increment and still no entry in the log?

The difference between the match counters of the two entries is quite big; maybe the smtp entries just got lost among the other log entries.

  5 permit tcp any host 10.141.10.35 eq smtp log (59 estimate matches)

  10 permit udp any host 10.141.10.31 eq domain log (5978 estimate matches)

Best Regards

Please rate all helpful posts and close solved questions


Hi Blau_grana,

You are right, it would be easy to miss the SMTP log if we were just logging to the buffer or console, but the messages are also being sent to a syslog DB, and no records are found there either.

    5 permit tcp any host 10.141.10.35 eq smtp log (783 estimate matches)
    10 permit udp any host 10.141.10.31 eq domain log (32595 estimate matches)

Since we more or less have the information we needed for the port 53 logging, I've disabled that, and still nothing comes from the port 25 logging, despite the match counter increasing.

    5 permit tcp any host 10.141.10.35 eq smtp log (790 estimate matches)
    10 permit udp any host 10.141.10.31 eq domain (11 estimate matches)

Update:

I created a second access list:

Extended IP access list 111
    5 permit tcp host 10.141.10.35 eq smtp any gt 0 log (11 estimate matches)
    10 permit ip any any (34 estimate matches)

And applied it to the physical interface that the server is connected to:

interface GigabitEthernet2/25
ip access-group 111 in

Now we are getting results:

Mar 17 00:50:18.439 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(36933), 3 packets
Mar 17 00:50:18.439 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(37000), 1 packet
Mar 17 00:50:18.443 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.141.10.35(25) -> 10.139.52.11(36909), 2 packet

In both cases the ACLs are "correct" and do intercept the interesting traffic, but with list 110 the ACL is applied on the L3 interface and with 111 it is applied on the L2 interface. Where the difference in the actual log entries comes into play I don't quite understand yet.
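As an added example (not code from this thread), here is a small Python check that does what the posts above do by hand: it parses the `show access-list` match counters and the `%SEC-6-IPACCESSLOGP` syslog lines, then reports any `log` entry whose counter is increasing but which never produced a log line. The ACL and syslog text below are constructed samples modelled on the thread, and only the `permit <proto> any host <ip> eq <port> [log]` entry shape used on this page is parsed.

```python
import re
from collections import Counter, namedtuple

# Constructed `show access-list` sample modelled on list 110 in the thread (numbers made up).
ACL_TEXT = """\
Extended IP access list 110
    5 permit tcp any host 10.141.10.35 eq smtp log (790 estimate matches)
    10 permit udp any host 10.141.10.31 eq domain log (32595 estimate matches)
    20 permit ip any any (240561 estimate matches)
"""

# Constructed syslog lines in the %SEC-6-IPACCESSLOGP format shown in the thread:
# only the UDP/53 entry is ever logged, just as the original poster observed.
SYSLOG_TEXT = """\
Mar 13 08:34:58.290 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56120) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:03.303 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.10.14(56121) -> 10.141.10.31(53), 1 packet
Mar 13 08:35:08.280 CDT: %SEC-6-IPACCESSLOGP: list 110 permitted udp 10.135.120.251(60439) -> 10.141.10.31(53), 4 packets
"""

PORT_NAMES = {"smtp": 25, "domain": 53}  # IOS port keywords that appear on this page
Ace = namedtuple("Ace", "acl seq proto dst port log matches")

HEADER_RE = re.compile(r"^Extended IP access list (\d+)")
# Assumption: only the 'permit <proto> any host <ip> eq <port> [log]' shape is handled.
ACE_RE = re.compile(r"^\s*(\d+) permit (\w+) any host ([\d.]+) eq (\w+)( log)? "
                    r"\((\d+) (?:estimate )?matches\)")
LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\d+) (?:permitted|denied) (\w+) "
                    r"[\d.]+\(\d+\) -> ([\d.]+)\((\d+)\), (\d+) packets?")

def parse_acl(text):
    """Return the loggable destination-host ACEs found in `show access-list` output."""
    aces, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = m.group(1)
        elif (m := ACE_RE.match(line)) and current:
            seq, proto, dst, port, log, matches = m.groups()
            port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            aces.append(Ace(current, int(seq), proto, dst, port, bool(log), int(matches)))
    return aces

def parse_syslog(text):
    """Sum logged packets per (acl, proto, dst_ip, dst_port) from IPACCESSLOGP lines."""
    seen = Counter()
    for acl, proto, dst, port, pkts in LOG_RE.findall(text):
        seen[(acl, proto, dst, int(port))] += int(pkts)
    return seen

def silent_entries(aces, seen):
    """ACEs that carry 'log' and have a non-zero match counter but never produced a log line."""
    return [a for a in aces if a.log and a.matches > 0 and seen[(a.acl, a.proto, a.dst, a.port)] == 0]

if __name__ == "__main__":
    for a in silent_entries(parse_acl(ACL_TEXT), parse_syslog(SYSLOG_TEXT)):
        print(f"list {a.acl} seq {a.seq}: {a.matches} matches, no syslog entries")
```

Feed it real `show access-list` and syslog exports and the silent entries are the ones worth checking against the interface the ACL is applied on, which is exactly where this thread ended up.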
