PIX 515 Command for viewing realtime connections

Hey guys,

Is there a command I can use via CLI to monitor when external connections attempt to get through our PIX 515?

I sometimes have customers trying to FTP to us, and they sometimes give their wrong IP address, so I'd like to be able to view what IPs are attempting to connect and where they are going. Is this possible?

Thanks in advance.

Choche

Set your logging level to 4 or 6 and watch your logs. It's better if you log to a syslog server and look at the logs there; if you do that then the setting you need to alter is 'logging trap'.

If you don't have a syslog server and your traffic rate is fairly slow, then you could set the 'logging buffered' level and then 'show log' from time to time.

If you are either desperate or have a very low traffic level, you could set the 'logging monitor' level and watch the messages appear on your CLI session.

Logging level 4 is enough to show you the translations being created and torn down, but if they are putting in the wrong IP or something like that then you need level 6 (debug) in order to see the ACL refusals. [Also, if you are using static nat or identity nat or nat 0 access-list, then there might not be a new translation generated for an access attempt, so logging for level 6 is more likely to get you the information you need.]

Walter Roberson

Depending on the situation, being real-time (like you are on the console when this is going on) or historical (like you want to monitor this over time and take corresponding action), the approaches are different.

For real-time I would set logging monitor debugging and use term mon in conf t mode, or use show local, show xlate and show connection.

For historical, your only option is syslogd, and either a logging trap info, or create an ACL with the LOG statement at the end.

HTH, Martin Bilgrav

Martin Bilgrav

"syslog server" - sorry for my lack of knowledge, but I assume this is perhaps just a server that all the logs will get written to? So I should be able to add a network path to the log settings pointing to the "syslog server"?

Am I understanding this correctly?

Thanks for chiming in guys!

Choche

Yes. It differs from a plain "server" only in that it is a server or host which is running software that is able to record syslog (UDP 514) messages. Most unix-type systems make fine syslog servers with the default software (though sometimes you have to configure them to accept syslog messages from remote hosts). Windows does not include syslog programs, but you can get them easily: for moderate volumes, "Kiwi" syslog software [free] is often recommended; their "professional" [not free] version has some nice organizing and paging features.

This was PIX 6, right? If so then you use "logging trap" to control the categories of messages to be sent, and you use "logging host" to designate a host which is expected to record (or act on) the syslog messages you throw its way.

Walter Roberson
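Once the PIX is sending to a syslog host as described above, the next step is reading those logs for the FTP question the original poster asked. The helper below is an added example, not code from this thread: it parses two PIX 6.x message types, 106023 (packet denied by an access list) and 302013 (TCP connection built through the firewall), and lists which outside addresses tried to reach port 21 and whether they got through. The sample log lines, interface names, ACL name and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# PIX 6.x message 106023: a packet was refused by an access list.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# PIX 6.x message 302013: a TCP connection was built (the real/mapped address pairs).
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for "
    r"(?P<sif>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<dif>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)

@dataclass
class Attempt:
    src: str      # address the connection came from
    dst: str      # real (inside) address it was aimed at
    dport: int    # destination port
    outcome: str  # "built" (allowed through) or "denied" (refused by ACL)

def parse_line(line: str) -> Optional[Attempt]:
    """Return an Attempt for a 106023 or 302013 line, else None (other messages)."""
    m = DENY_RE.search(line)
    if m:
        return Attempt(m["src"], m["dst"], int(m["dport"]), "denied")
    m = BUILT_RE.search(line)
    if m:
        return Attempt(m["src"], m["dst"], int(m["dport"]), "built")
    return None

def ftp_attempts(lines: Iterable[str], port: int = 21) -> List[Attempt]:
    """Keep only attempts aimed at the FTP control port (or any port given)."""
    return [a for a in map(parse_line, lines) if a is not None and a.dport == port]

# Constructed sample of what a syslog host would record (timestamps and host name
# are added by the syslog daemon; addresses and names are made up for the example).
SAMPLE_LOG = [
    'Jan 12 10:15:01 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/3301 dst inside:10.1.1.5/21 by access-group "outside_in"',
    "Jan 12 10:15:07 pix %PIX-6-302013: Built inbound TCP connection 4411 for outside:198.51.100.9/3320 (198.51.100.9/3320) to inside:10.1.1.5/21 (203.0.113.5/21)",
    "Jan 12 10:15:09 pix %PIX-6-302013: Built inbound TCP connection 4412 for outside:198.51.100.9/3321 (198.51.100.9/3321) to inside:10.1.1.8/80 (203.0.113.8/80)",
    "Jan 12 10:15:10 pix %PIX-6-302014: Teardown TCP connection 4412 for outside:198.51.100.9/3321 to inside:10.1.1.8/80 duration 0:00:01 bytes 512 TCP FINs",
]

if __name__ == "__main__":
    for a in ftp_attempts(SAMPLE_LOG):
        print(f"{a.src:>16} -> {a.dst}:{a.dport}  {a.outcome}")
```

Point it at the syslog file with `ftp_attempts(open("/var/log/pix.log"))` (path assumed); a customer who gave the wrong source address shows up as a "denied" line from an address the ACL does not permit.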
