PIX501 - How to log denied traffic

Hi,

I have a PIX 501 running version 6.3(5), and I want to have denied traffic logged to a syslog server.

I managed to set up the logging part and I do see that allowed traffic is being logged successfully.

%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)

But I want to have denied traffic logged as well. I have a deny rule in last place, but I don't get any syslog messages for this rule.

Any hints?

ozean# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname ozean
domain-name ***.com
no fixup protocol dns
fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 192.168.2.15 freya.***.com
name 192.168.2.10 jsyldur.***.com
name 80.229.116.139 Evil_001
name 217.89.65.130 arbeit.***.com
access-list 100 deny ip host Evil_001 any log 4
access-list 100 permit icmp any any unreachable log 4
access-list 100 permit icmp any any echo-reply log 4
access-list 100 permit udp any any eq domain log 4
access-list 100 permit tcp any any eq domain log 4
access-list 100 permit tcp any any eq www log 4
access-list 100 permit tcp any any eq 27 log 4
access-list 100 permit tcp any any eq smtp log 4
access-list 100 permit tcp any any eq imap4 log 4
access-list 100 permit tcp any any eq ftp log 4
access-list 100 permit tcp host arbeit.***.com any eq 3389 log 4
access-list 100 permit tcp any any eq 3613 log 4
access-list 100 permit udp any any eq 3613 log 4
access-list 100 permit tcp any any eq 6881 log 4
access-list 100 permit udp any any eq 6881 log 4
access-list 100 permit tcp any any eq 8080 log 4
access-list 100 permit icmp any any log 4
access-list 100 deny ip any any log 4 interval 1
access-list 200 permit ip 192.168.2.0 255.255.255.0 any log 4
pager lines 24
logging on
logging trap warnings
logging host inside freya.***.com
icmp permit any outside
icmp permit any inside
mtu outside 1456
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip audit signature 1000 disable
ip audit signature 1001 disable
ip audit signature 1002 disable
ip audit signature 1003 disable
ip audit signature 1004 disable
ip audit signature 1005 disable
ip audit signature 1006 disable
ip audit signature 1100 disable
ip audit signature 1102 disable
ip audit signature 1103 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 2011 disable
ip audit signature 2012 disable
ip audit signature 2150 disable
ip audit signature 2151 disable
ip audit signature 2154 disable
ip audit signature 3040 disable
ip audit signature 3041 disable
ip audit signature 3042 disable
ip audit signature 3153 disable
ip audit signature 3154 disable
ip audit signature 4050 disable
ip audit signature 4051 disable
ip audit signature 4052 disable
ip audit signature 6050 disable
ip audit signature 6051 disable
ip audit signature 6052 disable
ip audit signature 6053 disable
ip audit signature 6100 disable
ip audit signature 6101 disable
ip audit signature 6102 disable
ip audit signature 6103 disable
ip audit signature 6150 disable
ip audit signature 6151 disable
ip audit signature 6152 disable
ip audit signature 6153 disable
ip audit signature 6154 disable
ip audit signature 6155 disable
ip audit signature 6175 disable
ip audit signature 6180 disable
ip audit signature 6190 disable
pdm location 80.153.1.1 255.255.255.255 outside
pdm location freya.***.com 255.255.255.255 inside
pdm location jsyldur.***.com 255.255.255.255 inside
pdm location Evil_001 255.255.255.255 outside
pdm location arbeit.***.com 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www freya.***.com www netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 27 freya.***.com ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 smtp freya.***.com smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 imap4 freya.***.com imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 ftp freya.***.com ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3389 jsyldur.***.com 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 3613 freya.***.com 3613 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 6881 jsyldur.***.com 6881 netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
static (inside,outside) udp 80.153.1.1 domain freya.***.com domain netmask 255.255.255.255 0 0
static (inside,outside) tcp 80.153.1.1 8080 freya.***.com 8080 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 200 in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside freya.***.com
snmp-server location ***
snmp-server contact ***@***
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname ***
vpdn group pppoe_group ppp authentication pap
vpdn username *** password ********* store-local
username routeradmin password *** encrypted privilege 15
terminal width 80
banner exec Piss Off!
banner login Piss Off!
Cryptochecksum:6d630f3096c6b0e6aaaac1d622f0e04b
: end

regards markus

ct,

Markus Sonnenberg
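As an added example (not from the original post, nor Cisco code), here is a small Python parser for the %PIX-4-106100 lines quoted above. It goes a step further than the post: it separates permitted from denied hits, totals hit-cnt per destination port and per denied source, answers the question the poster is asking (has the deny entry of ACL 100 ever produced a message?), and checks whether an entry's "log <level>" would even pass the "logging trap" threshold, since a syslog host only receives messages at or below the trap level. The two permitted lines are the ones quoted in the post; the denied lines and the connection message are constructed here, with 3.3.3.3 and 4.4.4.4 as placeholder source addresses.

```python
import re
from collections import Counter

# Severity names accepted by the PIX "logging trap <level>" command and their numeric values.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# %PIX-<sev>-106100 is the per-entry hit message produced by the "log" keyword on an
# access-list line. <sev> is the level given after "log" (the config above uses "log 4",
# which is why the quoted messages start with %PIX-4-).
ACL_HIT_RE = re.compile(
    r"%PIX-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r"\((?P<window>first hit|\d+-second interval)\)"
)

# Constructed sample feed. The first two lines are the permitted hits quoted in the post;
# the denied lines are made up to show what the final "deny ip any any log 4 interval 1"
# entry produces when it fires (3.3.3.3 and 4.4.4.4 are placeholder sources); the last line
# is an unrelated, constructed connection message the parser must ignore.
SAMPLE_LOG = """\
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(4536) -> inside/2.2.2.2(25) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 permitted tcp outside/1.1.1.1(38173) -> inside/2.2.2.2(80) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 denied tcp outside/3.3.3.3(52011) -> inside/2.2.2.2(445) hit-cnt 1 (first hit)
%PIX-4-106100: access-list 100 denied tcp outside/3.3.3.3(52012) -> inside/2.2.2.2(445) hit-cnt 7 (1-second interval)
%PIX-4-106100: access-list 100 denied udp outside/4.4.4.4(1434) -> inside/2.2.2.2(1434) hit-cnt 2 (1-second interval)
%PIX-6-302013: Built inbound TCP connection 1234 for outside:1.1.1.1/4536 (1.1.1.1/4536) to inside:2.2.2.2/25 (2.2.2.2/25)
"""


def parse_acl_hit(line):
    """Return the fields of a 106100 line as a dict, or None for any other message."""
    m = ACL_HIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def summarize_hits(log_text):
    """Total hit-cnt per (action, proto, dport), plus total denied hits per source address."""
    by_rule = Counter()
    denied_sources = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_hit(line)
        if rec is None:
            continue
        by_rule[(rec["action"], rec["proto"], rec["dport"])] += rec["hits"]
        if rec["action"] == "denied":
            denied_sources[rec["src"]] += rec["hits"]
    return by_rule, denied_sources


def deny_logging_works(log_text, acl="100"):
    """The check the poster needs: has any 'denied' 106100 message for this ACL been seen?"""
    return any(rec is not None and rec["acl"] == acl and rec["action"] == "denied"
               for rec in map(parse_acl_hit, log_text.splitlines()))


def reaches_syslog(line, trap_level="warnings"):
    """Whether a 106100 message is forwarded under 'logging trap <trap_level>'.

    The syslog host receives only messages whose severity is numerically <= the trap level,
    so an entry with "log 6" never reaches a host behind "logging trap warnings"."""
    rec = parse_acl_hit(line)
    return rec is not None and rec["sev"] <= SEVERITY[trap_level]


if __name__ == "__main__":
    by_rule, denied_sources = summarize_hits(SAMPLE_LOG)
    for (action, proto, dport), hits in sorted(by_rule.items()):
        print(f"{action:9s} {proto}/{dport:<5d} hits={hits}")
    print("denied sources:", dict(denied_sources))
    print("deny entry of ACL 100 is logging:", deny_logging_works(SAMPLE_LOG, "100"))
```

Pointed at a real syslog file instead of SAMPLE_LOG, deny_logging_works() returning False while permitted hits are present is exactly the symptom described in the post; reaches_syslog() rules out the one configuration mismatch this config does not have (its "log 4" entries sit at the "logging trap warnings" level).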

Usually the PIX does this automagically.

You do not need to set the logging target. It might confuse the system.

OTOH I do not see any "permit" rule for outgoing traffic. PIX does not insert an "auto-inverted" rule at the end.

Lutz Donnerhacke

Hmm, but not the one which I've configured, and I want to know what I've done wrong.

It does not matter whether I have this rule in place or not.

Do I really need to have a permit rule for this rule? I want to block this IP for all services.

ct,

Markus Sonnenberg

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.