Try enabling the interface configuration command "ip accounting
access-violations".
This will log source/destination pairs which fail the access-list on the
interface.

"Scott Nawalaniec" wrote in message news:[EMAIL PROTECTED]...
> Hi Anil,
>
> To the best of my knowledge and without looking it up at www.cisco.com, I
> think if you put log on the end an access-list statement it will send the
> log to the syslog server. I don't know if that is true in all cases. I like
> to keep my routers streamlined.....i.e. unnecessary services and buffers
> turned off....=)
>
> OUTPUT from show log:
> Admin_3662#sh log
> Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
>     Console logging: level debugging, 723 messages logged
>     Monitor logging: level debugging, 0 messages logged
>     Buffer logging: disabled
>     Trap logging: level debugging, 727 message lines logged
>         Logging to X.X.X.X, 727 message lines logged
>
> HTH,
>
> Scott
>
> -----Original Message-----
> From: anil [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 07, 2001 12:58 PM
> To: Scott Nawalaniec
> Subject: RE: ACL Gurus [7:27361]
>
>
> Scott, If I add an access list with [log] at the end, can I expect to see
> the log by typing:
> "show log"
> At the moment I see nothing.
> I am trying to catch snmp traffic, using snmpwalk.
> port 161, 162.
>
> If I do "debug snmp packets" then I can see some logs.
> Many thanks
> -Anil
>
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Scott Nawalaniec
> Sent: Tuesday, November 27, 2001 5:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ACL Gurus [7:27361]
>
>
> Thanx for the info and the verification.
>
> Scott
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 26, 2001 7:25 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ACL Gurus [7:27361]
>
>
> "My understanding is ICMP is not a subset of IP or anything with IP
> protocol.
> ICMP and IP both work at the network layer and are separate protocols."
> Bzzt.  You are the weakest link.  Goodbye ;-)
>
> ICMP is IP protocol 1 (TCP is 6, UDP is 17).  ICMP stands for Internet
> Control Message Protocol, which is a bit of a hint that it might be related
> to IP (although hardly strong evidence).  According to TCP/IP Illustrated
> (Stevens); "ICMP is often considered part of the IP layer", so you're
> correct there, but "ICMP messages are transmitted within IP datagrams", so
> your "permit ip any any" will permit ICMP.
> And anyway, I use "permit ip any any" to define interesting traffic on some
> dialup links, and I can bring up the links with a well-directed ping.  So I
> know IP includes ICMP ;-)
>
> JMcL
> ----- Forwarded by Jenny Mcleod/NSO/CSDA on 27/11/2001 02:09 pm -----
>
>
>
> "Scott Nawalaniec"    Sent by: nobody@groupstudy.com
> To: [EMAIL PROTECTED]
> Subject: RE: ACL Gurus [7:27361]
> 27/11/2001 11:29 am
> Please respond to "Scott Nawalaniec"
>
> Hello,
>
> Good call on the "access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo
> (equivalent to your
> two lines)"
>
> My understanding is ICMP is not a subset of IP or anything with IP
> protocol.
> ICMP and IP both work at the network layer and are separate protocols. So
> you would not need the "access-list 102 deny icmp any any  (may as well
> block all other icmp)" or "access-list 102 deny icmp any any  (may as well
> block all other icmp)" because the implicit deny at the end should take
> care
> of dropping the unwanted protocols. Please correct me if I am wrong.
>
> What about udp and tcp protocols? The implicit deny would drop all
> protocols
> at the end.
>
> Scott
>
> -----Original Message-----
> From: Gaz [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 26, 2001 3:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: ACL Gurus [7:27361]
>
>
> My view/guestimation only here, so anyone is welcome to pick holes in it:
>
> I would apply 101 (the outgoing access list to the ethernet port). May as
> well drop the rubbish before the router processes it.
> I would also make it:
>
> access-list 101 permit icmp x.x.54.0 0.0.1.255 any echo  (equivalent to
> your
> two lines)
> access-list 101 deny icmp any any (denies all other icmp, otherwise your
> next line allowed everything including icmp)
> access-list 101 permit ip any any
>
> I would apply 102 as you have on the serial interface, with slight change.
>
> access-list 102 permit icmp any any echo-reply  (presumably as you allowed
> echo outgoing, you want the replies)
> access-list 102 deny icmp any any  (may as well block all other icmp)
> access-list 102 permit ip any any
>
> Of course this is just fictional to control icmp only.
> I've changed it about 4 times, so I've no doubt it could take some more
> changes.
>
> Regards,
>
> Gaz
>
>
> "Matthew Tayler" wrote in message news:[EMAIL PROTECTED]...
> > Ok I am a little confused here, but
> >
> > 1. What does access-list 101 actually deny ?
> > 2. If you permit all ip are you not also allowing all tcp & udp ?
> >
> > Matt T
> > Jeff wrote:
> > >
> > > Looking to block icmp-echo on my external router... just want
> > > to doublecheck
> > > that I'm putting these on the right interfaces. Please,
> > > suggestions welcome!
> > >
> > > Cheers,
> > > Jeff
> > > access-list 101 permit icmp x.x.54.0 0.0.0.255 any echo
> > > access-list 101 permit icmp x.x.55.0 0.0.0.255 any echo
> > > *Permits internal network to ping any host
> > >
> > > access-list 101 permit ip any any
> > > *Permits any other traffic to and from the network. Needed for the
> > > explicit deny
> > >
> > > access-list 102 permit icmp host x.x.x.x any echo-reply
> > > *Permits a ping reply from ISP servers for monitoring
> > >
> > > access-list 102 permit icmp any any packet-too-big
> > > *Permits Fragmentation Required ICMP packets (Used for MTU-PD)
> > >
> > > access-list 102 deny   icmp any any echo-reply
> > > *deny any echo reply from any other sources
> > >
> > > access-list 102 deny   icmp any x.x.54.0 0.0.0.255 echo
> > > access-list 102 deny   icmp any x.x.55.0 0.0.0.255 echo
> > > *deny any echo from any other sources
> > >
> > > access-list 102 permit ip any any
> > > *Permits any other traffic to and from the network. Needed due to the
> > > explicit deny rule.
> > >
> > > Both Access-lists are applied to the Serial Interfaces of the
> > > Edge router. Access list 102 is assigned to inbound traffic and
> > > Access list 101 is assigned to outbound traffic. See below..
> > >
> > >
> > >
> > > Internet (same ISP, different BGP peers)
> > >
> > > S0/0               S0/1
> > >    \                      /
> > >     \                    /
> > >      \                  /
> > >       Edge Router
> > >               |
> > >            E0/0
> > >               |
> > >            FW
> > >               |
> > >            LAN
> > >
> > > x.x.54.0 and x.x.55.0 networks
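Worked example, added here and not part of any message in the thread: a small Python evaluator for Cisco-style extended IP access lists that reproduces the two points the thread settles on. First, `permit ip any any` also permits ICMP, because ICMP is IP protocol 1, so a `deny icmp any any` line must come before it (Gaz's revision of Jeff's list 101). Second, the `0.0.1.255` wildcard covers both the .54 and .55 networks in one line. The `10.0.54.0`/`10.0.55.0` prefixes and the `192.0.2.x`/`198.51.100.x` hosts are constructed stand-ins for the thread's `x.x.54.0`/`x.x.55.0` addresses, the `log` keyword is modelled as Scott describes it (a matched entry produces a log record), and the record format is this script's own, not IOS syslog output.

```python
"""Toy first-match evaluator for Cisco-style extended IP access lists.

Constructed example, not from the thread: models wildcard masks, the
implicit deny at the end of every list, the 'log' keyword, and the fact
that the protocol keyword 'ip' matches every IP protocol, ICMP included.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# IP protocol numbers named in the thread: ICMP is carried inside IP datagrams.
PROTO_NUMBER = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Entry:
    list_id: str
    action: str                 # "permit" | "deny"
    proto: str                  # "ip" | "icmp" | "tcp" | "udp"
    src: str                    # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W"
    dst: str
    qualifier: Optional[str]    # ICMP type keyword such as "echo", or None
    log: bool


def _take_address(tokens):
    """Consume one address spec ('any', 'host X', or 'X WILDCARD') from tokens."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> list:
    """Parse 'access-list N action proto src dst [qualifier] [log]' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        list_id, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _take_address(tokens[4:])
        dst, rest = _take_address(rest)
        log = "log" in rest
        rest = [t for t in rest if t != "log"]
        qualifier = rest[0] if rest else None
        entries.append(Entry(list_id, action, proto, src, dst, qualifier, log))
    return entries


def address_matches(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ip_address(addr) == ip_address(parts[1])
    base, wild = int(ip_address(parts[0])), int(ip_address(parts[1]))
    mask = 0xFFFFFFFF ^ wild
    return (int(ip_address(addr)) & mask) == (base & mask)


def evaluate(entries, proto: str, src: str, dst: str, qualifier: Optional[str] = None):
    """Return (action, matched Entry or None, log record or None) for one packet."""
    for e in entries:
        # 'ip' covers every protocol, so an ICMP packet matches a 'permit ip' line.
        if e.proto != "ip" and e.proto != proto:
            continue
        if not address_matches(src, e.src) or not address_matches(dst, e.dst):
            continue
        if e.qualifier is not None and e.qualifier != qualifier:
            continue
        record = None
        if e.log:   # constructed record format, not the IOS syslog message
            record = f"list {e.list_id} {e.action} {proto} {src} -> {dst} {qualifier or ''}".strip()
        return e.action, e, record
    return "deny", None, None   # implicit deny at the end of every access list


def decide(acl_text: str, proto: str, src: str, dst: str, qualifier: Optional[str] = None):
    """Convenience wrapper: (action, index of matching entry or None, logged?)."""
    entries = parse_acl(acl_text)
    action, entry, record = evaluate(entries, proto, src, dst, qualifier)
    index = entries.index(entry) if entry is not None else None
    return action, index, record is not None


# Jeff's original outbound list with constructed prefixes: the last line lets
# all other ICMP through, because 'ip' covers protocol 1 as well.
ACL_101_ORIGINAL = """
access-list 101 permit icmp 10.0.54.0 0.0.0.255 any echo
access-list 101 permit icmp 10.0.55.0 0.0.0.255 any echo
access-list 101 permit ip any any
"""

# Gaz's revision: one 0.0.1.255 wildcard for both prefixes, and an explicit
# 'deny icmp' (with 'log') placed before the broad 'permit ip any any'.
ACL_101_REVISED = """
access-list 101 permit icmp 10.0.54.0 0.0.1.255 any echo
access-list 101 deny icmp any any log
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    outsider = ("icmp", "192.0.2.10", "198.51.100.1", "echo")
    print("original:", decide(ACL_101_ORIGINAL, *outsider))   # ('permit', 2, False)
    print("revised: ", decide(ACL_101_REVISED, *outsider))    # ('deny', 1, True)
```

Run it as-is to see an ICMP echo from a source outside the internal prefixes slip through Jeff's list via `permit ip any any` and get dropped (and logged) by Gaz's. The same wrapper can be pointed at list 102 or at TCP/UDP packets to confirm that the implicit deny only bites when no `permit ip` line precedes it.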




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28463&t=27361
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html