Help on logging on my Soho 77

Hello, I have a SOHO 77 running IOS 12.3(15).

I need to write a log entry every time someone from the internet accesses one of my PCs via Remote Desktop (TCP 3389).

I have put in an access-list:

access-list 100 permit tcp any eq 3389 host xx.xx.xx.xxx eq 3389 log

But this won't log.

Can someone help me?

Reply to
Mr. Spadoni

conf t
logging on
logging buffered 512000

(choose how many bytes you want to reserve for logs)

HTH Alex

Reply to
AM

Hello

router#show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: disabled
    Monitor logging: level warnings, 0 messages logged, xml disabled
    Buffer logging: level notifications, 119 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 124 message lines logged

Log Buffer (4096 bytes):

I open an RDP connection but nothing happens in the log on the Cisco.

What can I do?

Reply to
Mr. Spadoni

Did you apply the access-list to any Interface ?

Post your entire config.

Reply to
Merv

You need:

access-list 100 permit tcp any host xx.xx.xx.xxx eq 3389 log

since the source port of the incoming connection is unknown and is chosen by the outside device.

You also need to have the appropriate kind of logging enabled. The log on the router is stored in RAM and is not preserved over a reboot.

"Log Buffer (4096 bytes):" will likely not be enough, as noted by AM already.

You should consider an external syslog server or an SNMP trap receiver.

Don't have too many log receivers though, since too much logging can be bad for a router's health.

Here is the logging configuration of a box here:-

R2#sh run | inc log
service timestamps log datetime localtime show-timezone
logging buffered 65536 debugging
no logging console                  ! can adversely affect CPU
                                    ! one interrupt per character sent.
logging facility local6             ! I don't understand this
logging source-interface Loopback0
logging 192.168.5.1                 ! do syslog
snmp-server enable traps syslog     ! also snmp

I don't recommend doing SNMP AND syslog; it just seems stupid to give the router extra work.

Reply to
Bod43

Hello

Well, I have a static DSL with an 8-IP subnet.

The first IP is my gw/router, the Cisco, on the .177 IP.

On IP .178 there is a firewall that PATs 3389 on its public WAN address to a private LAN PC, 192.168.0.138.

The WAN int of the Cisco is atm0.35; the "public" LAN is eth0.

I put an ACL on atm0.35 which permits 3389 inside and logs.

For me it is sufficient to log to RAM even if it clears on reboot.

Here is the config:

Current configuration : 8911 bytes
!
! Last configuration change at 10:26:32 CET Fri Sep 15 2006 by maggiore
! NVRAM config last updated at 10:26:11 CET Fri Sep 15 2006 by maggiore
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered notifications
no logging console
enable password 7 xxxxxxxxxxxxx
!
clock timezone CET 1
ip subnet-zero
no ip source-route
ip tcp synwait-time 15
!
no ip bootp server
username maggiore SNIP
!
!
!
interface Ethernet0
 bandwidth 10000
 ip address xxxxxxxxxxx
 ip broadcast-address xxxxxxxxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 bandwidth 608
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 atm vc-per-vp 64
 atm ilmi-keepalive
 dsl operating-mode itu-dmt
 hold-queue 224 in
!
interface ATM0.35 point-to-point
 bandwidth 1504
 ip address xxxxxxxxxxxxx
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 pvc 8/35
  encapsulation aal5snap
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.35
no ip http server
!
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 85.33.96.176 host 85.33.96.176
access-list 100 deny ip host 85.33.96.177 host 85.33.96.177
access-list 100 deny ip host 85.33.96.178 host 85.33.96.178
access-list 100 deny ip host 85.33.96.179 host 85.33.96.179
access-list 100 deny ip host 85.33.96.180 host 85.33.96.180
access-list 100 deny ip host 85.33.96.181 host 85.33.96.181
access-list 100 deny ip host 85.33.96.182 host 85.33.96.182
access-list 100 deny ip host 85.33.96.183 host 85.33.96.183
access-list 100 deny ip host 212.97.35.10 host 85.33.96.181
access-list 100 deny ip host 85.33.96.176 any
access-list 100 deny ip host 85.33.96.177 any
access-list 100 deny ip host 85.33.96.178 any
access-list 100 deny ip host 85.33.96.179 any
access-list 100 deny ip host 85.33.96.180 any
access-list 100 deny ip host 85.33.96.181 any
access-list 100 deny ip host 85.33.96.182 any
access-list 100 deny ip host 85.33.96.183 any
access-list 100 deny ip any host 85.33.96.176
access-list 100 deny ip any host 85.33.96.183
access-list 100 permit ip host 89.186.68.6 any
access-list 100 permit udp any any eq ntp
access-list 100 permit ip any any fragments
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any unreachable
access-list 100 deny icmp any any
access-list 100 permit igmp any any
access-list 100 permit gre any any
SNIP

Now focusing on the ACL regarding my IP:

access-list 100 deny tcp any host xxxxxxx.178 eq 135
access-list 100 deny udp any host xxxxxxx.178 eq 135
access-list 100 deny tcp any host xxxxxxx.178 range 137 139
access-list 100 deny udp any host xxxxxxx.178 range netbios-ns netbios-ss
access-list 100 deny tcp any host xxxxxxx.178 eq 445
access-list 100 deny udp any host xxxxxxx.178 eq 445
access-list 100 permit udp any eq domain host xxxxxxx.178 range 1024 5000
access-list 100 permit tcp any eq 3389 host 8xxxxxxx.178 eq 3389 log
access-list 100 permit tcp any host xxxxxxx.178 gt 1023
access-list 100 permit tcp any host xxxxxxx.178 gt 1023 established
access-list 100 deny tcp any lt 1023 host xxxxxxx.178 lt 1023
access-list 100 deny udp any lt 1023 host xxxxxxx.178 lt 1023
access-list 100 permit 41 any host xxxxxxx.178
access-list 100 deny ip any host xxxxxxx.178
etc etc etc
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run

etc etc etc

Reply to
Mr. Spadoni
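Added example, not from the thread or any of its posters: a small Python first-match simulation over the OP's ACEs (the source-port `eq 3389` rule and the broad `gt 1023` permit that follows it), showing why an inbound RDP connection is permitted but never logged until Bod43's corrected rule is used, plus a check of the buffer logging level, since IOS reports ACL hits as %SEC-6-IPACCESSLOGP (severity 6) and the OP's `logging buffered notifications` stops at severity 5. The address is a constructed documentation placeholder, and the evaluator covers only the any/host plus eq/gt/lt subset of extended-ACE syntax.

```python
import re

# Constructed from the thread (the real prefix is masked in the posts, so a
# documentation address stands in): the OP's original rule, Bod43's corrected
# rule, and the broad "gt 1023" permit that follows both in the OP's config.
RDP_HOST = "203.0.113.178"
ORIGINAL = [
    f"access-list 100 permit tcp any eq 3389 host {RDP_HOST} eq 3389 log",
    f"access-list 100 permit tcp any host {RDP_HOST} gt 1023",
]
FIXED = [
    f"access-list 100 permit tcp any host {RDP_HOST} eq 3389 log",
    f"access-list 100 permit tcp any host {RDP_HOST} gt 1023",
]

# Subset of extended-ACE syntax: any/host endpoints, optional eq/gt/lt port.
ACE = re.compile(
    r"access-list \d+ (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+)(?: (?P<sop>eq|gt|lt) (?P<sport>\d+))? "
    r"(?P<dst>any|host \S+)(?: (?P<dop>eq|gt|lt) (?P<dport>\d+))?(?P<log> log)?$"
)

def _port_ok(op, val, port):
    if op is None:  # no port qualifier on this endpoint: any port matches
        return True
    val = int(val)
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def evaluate(acl, proto, sip, sport, dip, dport):
    """First-match evaluation of one packet, returning (action, logged).
    Falls through to the implicit deny that ends every IOS ACL."""
    for line in acl:
        g = ACE.match(line).groupdict()
        if g["proto"] not in (proto, "ip"):
            continue
        if (g["src"] in ("any", f"host {sip}") and g["dst"] in ("any", f"host {dip}")
                and _port_ok(g["sop"], g["sport"], sport)
                and _port_ok(g["dop"], g["dport"], dport)):
            return g["action"], g["log"] is not None
    return "deny", False

# Second check: ACL hits are logged as %SEC-6-IPACCESSLOGP, severity 6
# (informational). "logging buffered notifications", as in the OP's config,
# keeps only severity 5 and below, so a hit never reaches the buffer.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def buffer_keeps_acl_logs(buffer_level):
    return SEVERITY[buffer_level] >= 6
```

An inbound RDP SYN arrives from an ephemeral source port, so the original ACE is skipped and the `gt 1023` line permits it silently; the corrected ACE matches and logs, and only once the buffer level is raised to informational does the entry show up in `show log`.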


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.