Logging unsolicated outside interface connections

[ScoreBo]

Is there any way to enable logging of unsolicited connection attempts from the outside to the PIX IP address? I have turned my syslogging up to debug with no difference made.

I want my syslog to show me when someone attempts to connect to / thru my PIX from the Internet (outside interface).

Thanks.

 

[haknwak]

ScoreBo you must be getting hundreds or thousands of "denied" syslog entries. I use informational and have more than I can possibly wade through. Are you sure you're monitoring the outside interface? Also that there is no other protective devices outside the firewall that might be blocking traffic before it gets to your outside interface?

read

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/syslog/index.htm

and

http://www.cisco.com/warp/public/110/pixsyslog.html

(this one is for older IOS but a very good setup guide) "If you lived here, you'd be home by now!"

George Carlin

 

[ScoreBo]

Actually I don't get any denies on the outside interface, and that is the problem. I am currently running in warning mode and if I turn up logging to informational, all I get is a bunch of NAT teardowns and building NAT connections. I have since filtered those out on KIWI. The only denies I get come from the built in IDS signatures.

I am running 6.3(1) with the new beat PDM. There is a new option within the PDM to enable a specific rule to explicitly syslog at various levels. I have even created a clean up rule so I could leverage this feature on the PIX to no avail.

I agree that I might not be logging the outside interface, but if that is the case, I don't know how to fix it.

Thanks for the response.

 

[ScoreBo]

Beat PDM should have been beta PDM.

Looks like you can't edit your posts after you have submitted them.

 

[cchipman]

Actually, its more likely that you have your access-lists set too broadly. Can you post your sanitized configuration?

 

[ScoreBo]

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
hostname xxxxxxx
domain-name xxxx.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.1.2 srvr
name xxx.xxx.xxx.xxx Firewall
object-group service NetBIOS tcp-udp
description All NetBIOS Services
port-object range 135 139
access-list outside_access_in remark ICMP Ping helper rule
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in remark eMail Server
access-list outside_access_in permit tcp any host Firewall eq smtp log interval
5
access-list outside_access_in remark HTTPS web server
access-list outside_access_in permit tcp any host Firewall eq https log interval
5
access-list outside_access_in remark pcAnywhere
access-list outside_access_in permit tcp any host Firewall eq 5631 log interval
5
access-list outside_access_in remark pcAnywhere
access-list outside_access_in permit udp any host Firewall eq 5632 log interval
5
access-list outside_access_in remark UT
access-list outside_access_in deny udp any host Firewall eq 777
access-list outside_access_in remark UT
access-list outside_access_in deny udp any host Firewall eq 778
access-list outside_access_in remark UT webadmin
access-list outside_access_in deny tcp any host Firewall eq 8888
access-list outside_access_in remark NetBIOS block rule
access-list outside_access_in deny udp any any eq netbios-ns
access-list outside_access_in remark Cleanup Rule for Logging
access-list outside_access_in deny ip any any log 7 interval 5
access-list inside_access_in remark Block outbound NetBIOS
access-list inside_access_in deny tcp any any object-group NetBIOS
access-list inside_access_in remark Half Life server ports
access-list inside_access_in deny udp any any range 27010 27020
access-list inside_access_in remark GameSPY ports
access-list inside_access_in deny udp any any range 26000 30000
access-list inside_access_in remark General Surfing Rule
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging timestamp
logging trap warnings
logging history informational
logging host inside srvr
no logging message 106015
no logging message 302010
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop
ip audit name Info info action alarm drop
ip audit interface outside Attack
ip audit info action alarm drop
ip audit attack action alarm drop
ip audit signature 2005 disable
pdm location srvr 255.255.255.255 inside
pdm location Firewall 255.255.255.255 outside
pdm logging notifications 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp Firewall smtp srvr smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp Firewall https srvr https netmask 255.255.255.255 0
0
static (inside,outside) udp Firewall 777 srvr 777 netmask 255.255.255.255 0 0
static (inside,outside) udp Firewall 778 srvr 778 netmask 255.255.255.255 0 0
static (inside,outside) tcp Firewall 8888 srvr 8888 netmask 255.255.255.255 0 0
static (inside,outside) tcp Firewall 5631 srvr 5631 netmask 255.255.255.255 0
0
static (inside,outside) udp Firewall 5632 srvr 5632 netmask 255.255.255.255 0
0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server enable traps
floodguard enable
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.19 inside
dhcpd wins srvr 192.168.1.3
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

[ScoreBo]

No input?

 

[baddos]

I make a giant log file, and just nuke the log file every week.

logging on
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside XXX.XXX.XXX.XXX

 

[ScoreBo]

Debugging mode with some exclude filters is all I needed. Thanks everyone for your input.