
PIX501 - How to log denied traffic


packetbyter (Technical User), May 28, 2008
Hi,

I have a PIX 501 running version 6.3(5), and I want to have denied traffic logged to a syslog server.

I managed to set up the logging part, and I do see that allowed traffic is being logged successfully.

%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)

But I want to have denied traffic logged as well. I have a deny rule in the last place, but I don't get any syslog messages for this rule.

Any hints?

<snip pix config>
ozean# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname ozean
domain-name ***.com
no fixup protocol dns
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.2.15 freya.***.com
name 192.168.2.10 jsyldur.***.com
name 80.229.116.139 Evil_001
name 217.89.65.130 arbeit.***.com
access-list 100 deny ip host Evil_001 any log 4
access-list 100 permit icmp any any unreachable log 4
access-list 100 permit icmp any any echo-reply log 4
access-list 100 permit udp any any eq domain log 4
access-list 100 permit tcp any any eq domain log 4
access-list 100 permit tcp any any eq 4
access-list 100 permit tcp any any eq 27 log 4
access-list 100 permit tcp any any eq smtp log 4
access-list 100 permit tcp any any eq imap4 log 4
access-list 100 permit tcp any any eq ftp log 4
access-list 100 permit tcp host arbeit.***.com any eq 3389 log 4
access-list 100 permit tcp any any eq 3613 log 4
access-list 100 permit udp any any eq 3613 log 4
access-list 100 permit tcp any any eq 6881 log 4
access-list 100 permit udp any any eq 6881 log 4
access-list 100 permit tcp any any eq 8080 log 4
access-list 100 permit icmp any any log 4
access-list 100 deny ip any any log 4 interval 1
access-list 200 permit ip 192.168.2.0 255.255.255.0 any log 4
pager lines 24
logging on
logging trap warnings
logging host inside freya.***.com
icmp permit any outside
icmp permit any inside
mtu outside 1456
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 1005 disable
ip audit signature 1006 disable
ip audit signature 1100 disable
ip audit signature 1102 disable
ip audit signature 1103 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
ip audit signature 2150 disable
ip audit signature 2151 disable
ip audit signature 2154 disable
ip audit signature 3040 disable
ip audit signature 3041 disable
ip audit signature 3042 disable
ip audit signature 3153 disable
ip audit signature 3154 disable
ip audit signature 4050 disable
ip audit signature 4051 disable
ip audit signature 4052 disable
ip audit signature 6050 disable
ip audit signature 6051 disable
ip audit signature 6052 disable
ip audit signature 6053 disable
ip audit signature 6100 disable
ip audit signature 6101 disable
ip audit signature 6102 disable
ip audit signature 6103 disable
ip audit signature 6150 disable
ip audit signature 6151 disable
ip audit signature 6152 disable
ip audit signature 6153 disable
ip audit signature 6154 disable
ip audit signature 6155 disable
ip audit signature 6175 disable
ip audit signature 6180 disable
ip audit signature 6190 disable
pdm location 80.153.1.1 255.255.255.255 outside
pdm location freya.***.com 255.255.255.255 inside
pdm location jsyldur.***.com 255.255.255.255 inside
pdm location Evil_001 255.255.255.255 outside
pdm location arbeit.***.com 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 27 freya.***.com ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 smtp freya.***.com smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 imap4 freya.***.com imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 ftp freya.***.com ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3389 jsyldur.***.com 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 8080 freya.***.com 8080 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 200 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside freya.***.com
snmp-server location ***
snmp-server contact ***@***
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname ***
vpdn group pppoe_group ppp authentication pap
vpdn username *** password ********* store-local
username routeradmin password *** encrypted privilege 15
terminal width 80
banner exec Piss Off!
banner login Piss Off!
Cryptochecksum:6d630f3096c6b0e6aaaac1d622f0e04b
: end
</snip>

regards
markus


Jumping down from a boundary wall is not part of directly travelling to work.
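Two things decide whether a denied packet ever reaches the syslog server in the setup above: the ACL entry has to generate a 106100 message at all (the `log 4` keyword), and that message's severity has to pass the `logging trap warnings` threshold (warnings = level 4, so only levels 0 to 4 are forwarded). The script below is an added example, not part of the original post: it parses 106100 lines in the 6.3 format shown in the post, applies the same trap-level filter the PIX would, and tallies permitted versus denied hits so you can see at a glance whether the deny rule is producing anything. The sample log is constructed: the two permitted lines are the ones from the post, the denied lines and the level-6 302013 line are made up for illustration, and the trap-level table is the standard syslog severity mapping.

```python
import re
from collections import Counter

# Severity names accepted by `logging trap <level>` on PIX, mapped to the
# numeric syslog levels. A message is forwarded only if its level is <= the trap level.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches the PIX 6.3 ACL hit message:
# %PIX-<sev>-106100: access-list <acl> <permitted|denied> <proto>
#   <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> (<window>)
LINE_RE = re.compile(
    r"%PIX-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) \((?P<window>[^)]+)\)"
)

# Constructed sample log. Lines 1 and 2 are the permitted entries quoted in the post;
# the denied entries and the 302013 connection-built line are invented for this example.
SAMPLE_LOG = """\
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 denied tcp outside/3.3.3.3(51022) -> inside/2.2.2.2(23) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 denied tcp outside/3.3.3.3(51022) -> inside/2.2.2.2(23) hit-cnt 7 (1-second interval)
%PIX-6-302013: Built inbound TCP connection 12 for outside:1.1.1.1/4536 (1.1.1.1/4536) to inside:2.2.2.2/25 (2.2.2.2/25)
"""


def parse_106100(line):
    """Return the fields of a 106100 ACL hit message as a dict, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def forwarded_to_syslog(severity, trap_level_name):
    """Mimic `logging trap <level>`: lower numbers are more severe and always pass."""
    return severity <= TRAP_LEVELS[trap_level_name]


def summarize(log_text, trap_level_name="warnings"):
    """Apply the trap filter, then count permitted/denied ACL hits and list the denied flows."""
    counts = Counter()
    dropped_by_trap = 0
    denied = []
    for line in log_text.splitlines():
        tag = re.search(r"%PIX-(\d)-\d+:", line)
        if not tag:
            continue
        if not forwarded_to_syslog(int(tag.group(1)), trap_level_name):
            dropped_by_trap += 1  # the PIX would never send this one to the syslog host
            continue
        rec = parse_106100(line)
        if rec is None:
            continue  # forwarded, but not an ACL hit message
        counts[rec["action"]] += 1
        if rec["action"] == "denied":
            denied.append((rec["src"], rec["dst"], rec["dport"], rec["hits"]))
    return {"counts": dict(counts), "dropped_by_trap": dropped_by_trap, "denied": denied}


if __name__ == "__main__":
    for level in ("errors", "warnings", "informational"):
        print(level, summarize(SAMPLE_LOG, level))
```

Run it with the trap level set to `errors` and every 106100 line disappears, which is the first thing to rule out when the deny rule seems silent: the ACL `log <level>` and the `logging trap <level>` have to agree. With `warnings` the level-4 ACL hits pass and the level-6 connection message is dropped, matching what the post observes for permitted traffic.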