Instead of using the "access-list" command for both inbound & outbound 
access control
you can still use the good old "conduit" command for the inbound access 
control and you'll see the desired logs. You'll then have the same 
functionality.

Things are different for the outbound access control. There exists the 
"outbound" command but it doesn't have the functionality of the new 
"access-list" command.

Things are easy in your case though since you permit everything from inside 
to the outside and you don't really need (?) outbound access control.

This is a well known bug (I believe).


Ioannis Migadakis






At 12:33 10/11/2000 +0100, Fabio Pietrosanti \(naif\) wrote:
>PIX developer group say that ONLY in 5.4(x) release this bug will be
>patched!!!
>
>Don't ask me why!!!!
>
>they also refuse to fix the ftp "internal ip revelation bug"...
>
>bha...
>
>Pietrosanti  Fabio          I.NET SpA, High Quality Access to the Internet
>e-mail:  [EMAIL PROTECTED]       ( Direzione Tecnica, Gruppo Firewall )
>          [EMAIL PROTECTED]
>PGP Key (DSS)               http://naif.itapac.net/naif.asc
>
>Home Page URL:            http://www.inet.it
>Sede:                     Via Caldera, 21 20153 Milano
>Tel:                      02-409061 Fax: 02-40906303
>--
>Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS
>
>
>On Thu, 9 Nov 2000, Graham Zulauf wrote:
>
> > I currently have a PIX 506 setup as our firewall. Everything works fine on
> > the box itself.
> >
> > I'm wondering how to configure the logging function to output port numbers
> > when sending a message to the syslog server. Currently it just gives a
> > message like this:
> >
> > 11:46:17 Local7.Warning 10.1.0.10 Nov 09 2000 11:45:54: %PIX-4-106019: IP
> > packet from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx, protocol tcp received from
> > interface "outside" deny by access-group "acl_out"
> >
> > There are no references to the port number source or destination.
> >
> >
> > Here are my access-lists:
> >
> > access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq smtp (hitcnt=2)
> > access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq www (hitcnt=163)
> > access-list acl_out permit icmp any host xxx.xxx.xxx.xxx (hitcnt=318)
> > access-list acl_out permit tcp any host xxx.xxx.xxx.xxx eq pop3 (hitcnt=1)
> > access-list acl_out deny ip any any (hitcnt=4)
> > access-list acl_in permit ip any any (hitcnt=3110)
> >
> >
> > Here is my logging setup:
> >
> > Syslog logging: enabled
> >     Timestamp logging: enabled
> >     Standby logging: disabled
> >     Console logging: disabled
> >     Monitor logging: disabled
> >     Buffer logging: disabled
> >     Trap logging: level notifications, facility 23, 331 messages logged
> >         Logging to inside 10.1.0.60
> >     History logging: disabled
> >
> >
> >
> > I've changed the logging level to 7 or "debugging", but that didn't seem to
> > help. Are there any statements that need to be added? Shouldn't the PIX be
> > capable of logging port numbers? Their documentation seems to show it as
> > being possible
> > (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/syslog/pixemint.htm#31944).
> >
> > Thanks.
> >
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

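Since the thread's whole point is that the %PIX-4-106019 deny message carries no port numbers, a parser that consumes that message shape and says so explicitly is useful when building a syslog report. The script below is an added example, not code from the thread or from Cisco; the sample lines are constructed (192.0.2.0/24 is documentation address space) and only mimic the format Graham quoted.

```python
import re
from collections import Counter

# Shape of the %PIX-4-106019 message as quoted in the thread: source, destination,
# protocol, receiving interface and access-group are present; ports are not.
PIX_106019 = re.compile(
    r'%PIX-(?P<sev>\d)-106019: IP packet from (?P<src>\S+) to (?P<dst>\S+), '
    r'protocol (?P<proto>\w+) received from interface "(?P<iface>[^"]+)" '
    r'deny by access-group "(?P<acl>[^"]+)"'
)


def parse_106019(line):
    """Return the fields of a 106019 deny message, or None for any other line."""
    m = PIX_106019.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    # The message has no port fields; record that explicitly instead of guessing,
    # so downstream reports do not silently treat a missing port as port 0.
    rec["src_port"] = None
    rec["dst_port"] = None
    return rec


def deny_summary(lines):
    """Count 106019 denies per (interface, access-group, protocol, source address)."""
    counts = Counter()
    for line in lines:
        rec = parse_106019(line)
        if rec is not None:
            counts[(rec["iface"], rec["acl"], rec["proto"], rec["src"])] += 1
    return counts


# Constructed sample syslog lines in the format quoted in the thread (not real traffic).
SAMPLE_LINES = [
    '11:46:17 Local7.Warning 10.1.0.10 Nov 09 2000 11:45:54: %PIX-4-106019: IP packet '
    'from 192.0.2.7 to 192.0.2.1, protocol tcp received from interface "outside" '
    'deny by access-group "acl_out"',
    '11:46:20 Local7.Warning 10.1.0.10 Nov 09 2000 11:45:57: %PIX-4-106019: IP packet '
    'from 192.0.2.7 to 192.0.2.1, protocol udp received from interface "outside" '
    'deny by access-group "acl_out"',
    '11:46:21 Local7.Warning 10.1.0.10 Nov 09 2000 11:45:58: %PIX-4-106019: IP packet '
    'from 192.0.2.7 to 192.0.2.1, protocol tcp received from interface "outside" '
    'deny by access-group "acl_out"',
    '11:46:25 Local7.Notice 10.1.0.10 Nov 09 2000 11:46:02: %PIX-5-111008: User '
    "'enable_15' executed the 'show logging' command.",
]

if __name__ == "__main__":
    for key, n in sorted(deny_summary(SAMPLE_LINES).items()):
        print(n, *key)
```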
