I would add the syn predicate to cut down on
logging traffic.  This will only log the first
TCP segment, but it will still contain the source
IP address, Time of Day, etc. 

access-list 101 permit tcp any any lt 100 syn log

Since syslog traffic is sent on the data link in
human-readable form, I would use an IPSec tunnel or
a standalone Ethernet interface to actually handle
the traffic. Logging data can be very sensitive.

Wayne

-----Original Message-----
From: Tony van Ree [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, August 30, 2001 8:39 AM
To: [EMAIL PROTECTED]
Subject: Re: Logging traffic [7:17559]

Hi,

Depends on what you are really trying to achieve.  If you have plenty of
headroom in your router you could just add stuff to an access-list and send
the list to a syslog.  Cheap and nasty, but a good way to solve issues.

access-list 101 permit icmp any any log
access-list 101 permit tcp any any lt 100 log
access-list 101 permit tcp any any gt 99 log
access-list 101 permit udp any any lt 100 log
access-list 101 permit udp any any gt 99 log

The trick is to put the port numbers in (lt 100 etc.); this will then tell you
what address/port is talking to what address/port.

If you put this at the end of an existing access-list in place of the permit
ip any any you should get what you need.

On a busy link, however, this generates heaps of information, but it is a nice
way to find what you don't want on your network.

BE AWARE OF ANY PRIVACY ISSUES THAT MIGHT ARISE DOING THIS SORT OF STUFF.

Just a thought,

Teunis,
Hobart, Tasmania
Australia

On Tuesday, August 28, 2001 at 03:03:47 PM, cisco skin wrote:

> Here's what I want to do:
> 
> Log all traffic (source/destination ip address/port #) from a specific
> subnet (our HQ) to see what's passing through our external router, and
> where they're going.
> 
> Any suggestions?
> 
> Thanks,
> Jeff
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17806&t=17559
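The thread describes sending ACL `log` hits to syslog to see which address/port talks to which. As an added example (not code from any poster in this thread), the Python below reduces such messages to a per-flow packet total; the sample lines are constructed with documentation addresses, and the `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` layout and the syslog prefix are assumed to match what your IOS release emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines. IOS logs the first matching packet of a flow,
# then periodic summaries carrying an aggregated packet count.
SAMPLE = """\
Aug 30 08:39:01 192.0.2.1 45: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(1025) -> 198.51.100.7(80), 1 packet
Aug 30 08:39:02 192.0.2.1 46: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(1026) -> 198.51.100.7(80), 1 packet
Aug 30 08:39:04 192.0.2.1 47: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.9(1030) -> 203.0.113.53(53), 1 packet
Aug 30 08:39:07 192.0.2.1 48: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.1.1.9 -> 203.0.113.53 (8/0), 1 packet
Aug 30 08:44:02 192.0.2.1 49: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.5(1025) -> 198.51.100.7(80), 4 packets
Aug 30 08:44:09 192.0.2.1 50: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

# TCP/UDP entries carry "addr(port)"; ICMP entries carry "addr" and "(type/code)".
PORT_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
ICMP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"icmp (?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<dport>\d+/\d+)\), "
    r"(?P<count>\d+) packets?")

def parse_line(line):
    """Return a dict for an ACL log line, or None for unrelated syslog."""
    m = PORT_RE.search(line) or ICMP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.setdefault("proto", "icmp")  # the ICMP pattern has no proto group
    rec["count"] = int(rec["count"])
    return rec

def top_talkers(lines, acl="101"):
    """Sum packet counts per (src, proto, dst, dst port), ignoring source ports."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["acl"] == acl:
            totals[(rec["src"], rec["proto"], rec["dst"], rec["dport"])] += rec["count"]
    return totals.most_common()

if __name__ == "__main__":
    for (src, proto, dst, dport), pkts in top_talkers(SAMPLE.splitlines()):
        print(f"{pkts:6d}  {src} -> {dst} {proto}/{dport}")
```

With the `syn` variant of the ACL entry, only connection-opening segments are logged, so the totals approximate connection attempts rather than packets.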