  PixUser
@perr.blu
[Config] [PIX 501] Logging Issue
Hello,
I am having an issue with my PIX which is preventing proper log analysis.
When the PIX is receiving unsolicited packets on the outside interface it is dropping them and logging the following:
Sep 11 19:49:28 pix Sep 11 2005 19:49:28 pix : %PIX-4-710005: TCP request discarded from 82.36.60.92/2458 to outside:123.37.130.123/www
Great, I know! However, normally what I would be expecting to see would be:
Sep 11 19:37:38 pix Sep 11 2005 19:37:38 pix : %PIX-4-106023: Deny tcp src outside:82.36.60.92/2458 dst inside:123.37.130.123/www by access-group "outside_access_in"
which would indicate the request was denied by the ACL.
The logging analysis software (fwanalog) will only process entries that were denied by the ACL, which is perfectly correct. When running the log through fwanalog it is ignoring the 710005 discarded messages, resulting in nothing being displayed in the output.
Can anyone explain why the PIX is not blocking using the ACL? Or at least (as I suspect) not reporting that it's blocking because of the ACL. Inbound access as defined by the ACL is working perfectly.
My config is below; you will see I have changed the level of some of the logging messages. This is purely to have them displayed at level 4 so I don't have to run with debug. The issue exists with or without this, of course.
Any clues? Many Thanks.
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password password encrypted
passwd password encrypted
hostname pix
domain-name local.domain
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service voip udp
  description SIP Ports
  port-object eq 5060
object-group network sip_hosts
  description SIP IP Block
  network-object 123.10.79.123 255.255.255.248
object-group network ssh_hosts
  description Permitted SSH Sources
  network-object host 123.84.194.123
  network-object host 123.79.113.123
  network-object host 123.86.102.123
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit tcp object-group ssh_hosts host 123.36.130.123 eq ssh
access-list outside_access_in permit udp object-group sip_hosts object-group voip host 123.36.130.123
pager lines 27
logging on
logging timestamp
logging trap warnings
logging device-id hostname
logging host inside 192.168.1.50
logging message 710005 level warnings
logging message 710001 level warnings
logging message 710002 level warnings
logging message 607001 level warnings
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp interface 5060 192.168.1.26 5060 netmask 255.255.255.255 10 10
static (inside,outside) tcp interface ssh 192.168.1.50 ssh netmask 255.255.255.255 5 5
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 194.117.157.4 source outside
snmp-server host inside 192.168.1.50 poll
no snmp-server location
no snmp-server contact
snmp-server community marbles
no snmp-server enable traps
tftp-server inside 192.168.1.50 pix
floodguard enable
telnet 192.168.1.195 255.255.255.255 inside
telnet timeout 15
ssh 192.168.1.195 255.255.255.255 inside
ssh 192.168.1.181 255.255.255.255 inside
ssh timeout 15
console timeout 0
dhcpd address 192.168.1.180-192.168.1.190 inside
dhcpd dns 192.168.1.200
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd option 150 ip 192.168.1.50
dhcpd enable inside
terminal width 100
|
 aryoba Premium,MVM join:2002-08-22
You need to specify such an ACL with the "log" parameter in order for the syslog server to receive such a log. Here is a Cisco link for more info:
»www.cisco.com/en/US/products/sw/···p1067755
Here is an illustration. Let's say you need to know which unapproved IP address is trying to establish a TCP connection. Then the command is something like this:
access-list outside_access_in deny tcp any any log
Keep in mind that such a deny ACL should be placed after the permit ACL. Otherwise all IP addresses (including the approved ones) would also be rejected.
|
  PixUser
@perr.blu
Added access-list outside_access_in deny tcp any any log and equally access-list outside_access_in deny ip any any log; it makes no difference, the same messages are still logged.
|
  Jugaad
join:2002-04-28 MARS!!
The message was not logged because the request was not trying to go THROUGH the PIX but it was trying to go TO the PIX. I don't see the www port being redirected to inside on the PIX.
-- Not able to get online? Good!! Go out and meet friends
|
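Jugaad's distinction is exactly what a log pre-filter needs: 710005 is the PIX discarding a packet addressed to its own interface (no ACL is consulted, so no 106023 can appear), while 106023 is an access-group deny of a packet that tried to pass through. The following is an added example, not code from the thread or from fwanalog, that parses both formats and separates the two kinds so the to-the-box discards fwanalog ignores can still be reviewed; the sample lines are constructed from the two quoted in the thread plus one unrelated message.

```python
"""Classify PIX 6.3 syslog lines by message ID: ACL denies (106023, which
fwanalog counts) versus to-the-box discards (710005), which no ACL sees."""
import re
from collections import Counter

MSGID_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 106023: the packet tried to go THROUGH the PIX and an access-group denied it.
ACL_DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>\S+)/(?P<sport>\S+) '
    r'dst (?P<dif>[^:]+):(?P<dst>\S+)/(?P<dport>\S+) by access-group "(?P<acl>[^"]+)"')
# 710005: the packet was addressed TO a PIX interface; ACLs are not consulted.
TO_BOX_RE = re.compile(
    r"(?P<proto>TCP|UDP) request discarded from (?P<src>\S+)/(?P<sport>\S+) "
    r"to (?P<dif>[^:]+):(?P<dst>\S+)/(?P<dport>\S+)")

# Constructed sample: the two lines quoted in the thread plus one unrelated message.
SAMPLE_LOG = [
    "Sep 11 19:49:28 pix Sep 11 2005 19:49:28 pix : %PIX-4-710005: TCP request "
    "discarded from 82.36.60.92/2458 to outside:123.37.130.123/www",
    "Sep 11 19:37:38 pix Sep 11 2005 19:37:38 pix : %PIX-4-106023: Deny tcp src "
    'outside:82.36.60.92/2458 dst inside:123.37.130.123/www by access-group "outside_access_in"',
    "Sep 11 19:50:01 pix Sep 11 2005 19:50:01 pix : %PIX-6-302013: Built inbound TCP "
    "connection 12 for outside:82.36.60.92/2460 to inside:192.168.1.50/ssh (constructed)",
]

def parse_pix_line(line):
    """Return a dict with 'kind' and the parsed fields, or None for non-PIX lines."""
    m = MSGID_RE.search(line)
    if not m:
        return None
    msgid, body = m.group("msgid"), m.group("body")
    if msgid == "106023":
        d = ACL_DENY_RE.match(body)
        return {"kind": "acl_deny", "msgid": msgid, **d.groupdict()} if d else None
    if msgid == "710005":
        d = TO_BOX_RE.match(body)
        return {"kind": "to_box_discard", "msgid": msgid, "acl": None, **d.groupdict()} if d else None
    return {"kind": "other", "msgid": msgid, "body": body}

def summarize(lines):
    """Count events per kind; list (src, dst, dport) for to-the-box discards, which
    are the entries fwanalog drops and which deserve a separate look."""
    counts, to_box = Counter(), []
    for ev in filter(None, map(parse_pix_line, lines)):
        counts[ev["kind"]] += 1
        if ev["kind"] == "to_box_discard":
            to_box.append((ev["src"], ev["dst"], ev["dport"]))
    return counts, to_box
```

Running summarize(SAMPLE_LOG) gives one event of each kind and lists the single 710005 hit against the PIX's own outside address on port www.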
  PixUser
@perr.blu
reply to PixUser
Ah! Spot on, it makes perfect sense now. How did I know it was going to be something simple. Thank you very much.
|