RE: Logging ICMP on a PIX [7:73232]

2003-08-01 Thread [EMAIL PROTECTED]
If we cannot be more specific (access-lists) for deb icmp trace

then
make an access-list group object with the remote customer IPs (icmp
echo-echo reply)
include icmp reply, packet too big, unreachable etc for 0.0.0.0
include the rest of your existing access-list
paste that on outside int

THEN TRACE ICMP! (your eyes will not be garbled anymore)

Martijn 


-Original Message-
From: Patrick Donlon [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 July 2003 17:26
To: [EMAIL PROTECTED]
Subject: Re: Logging ICMP on a PIX [7:73232]


I don't really want to see all ICMP traffic as it makes me cross-eyed, I can
filter it on the syslog server though (if the disk isn't full). It's just
that when troubleshooting connections, e.g. a vpn to an external company,
icmp is normally allowed through so it would be nice to see it when setting
up a connection.

George Murage wrote in message
news:[EMAIL PROTECTED]
 Just out of curiosity, why do you want to log *all* ICMP traffic through
 your PIX? At logging level 4, you should see logs for selected ICMP traffic
 that is characteristic of a reconnaissance attack.

 Anyway, I hope you have a large disk(s) on your Syslog server :-)

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 31, 2003 2:44 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Logging ICMP on a PIX [7:73232]

 Tried

 debug icmp trace

 And logged that information to console/syslog debugging level?

 Martijn

 6.2
 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1028090
 level
  Specify the syslog message level as a number or string. The level you
 specify means that you want that level and those less than the level. For
 example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible
 number and string level values are:

 0 - emergencies - System unusable messages
 1 - alerts - Take immediate action
 2 - critical - Critical condition
 3 - errors - Error message
 4 - warnings - Warning message
 5 - notifications - Normal but significant condition
 6 - informational - Information message
 7 - debugging - Debug messages and log FTP commands and WWW URLs



 -Original Message-
 From: Patrick Donlon [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, 30 July 2003 10:23
 To: [EMAIL PROTECTED]
 Subject: Logging ICMP on a PIX [7:73232]


 Does anyone know how to log ICMP traffic that is allowed through a PIX?? I can
 see denied ICMP no problem.

 I can log all my other traffic with logging trap debug set, but it can't see
 ICMP traffic passing through the firewall. Is this normal behaviour for
 6.2(2)?

 Cheers

 Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73337t=73232
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: Logging ICMP on a PIX [7:73232]

2003-08-01 Thread Bikespace
just do logging buffer debug and clear the buffers immediately before your
testing.
You can alter the logging queue size if necessary.

Bikespace


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73395t=73232


RE: Logging ICMP on a PIX [7:73232]

2003-07-31 Thread [EMAIL PROTECTED]
Tried 

debug icmp trace

And logged that information to console/syslog debugging level?

Martijn 

6.2
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1028090
level
 Specify the syslog message level as a number or string. The level you
specify means that you want that level and those less than the level. For
example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible
number and string level values are:

0 - emergencies - System unusable messages
1 - alerts - Take immediate action
2 - critical - Critical condition
3 - errors - Error message
4 - warnings - Warning message
5 - notifications - Normal but significant condition
6 - informational - Information message
7 - debugging - Debug messages and log FTP commands and WWW URLs
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73266t=73232


RE: Logging ICMP on a PIX [7:73232]

2003-07-31 Thread George Murage
Just out of curiosity, why do you want to log *all* ICMP traffic through
your PIX? At logging level 4, you should see logs for selected ICMP traffic
that is characteristic of a reconnaissance attack.

Anyway, I hope you have a large disk(s) on your Syslog server :-)

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73275t=73232


Re: Logging ICMP on a PIX [7:73232]

2003-07-31 Thread Patrick Donlon
Yes, I tried that and scared the sh!t out of myself as this produces quite a
bit of output to the console ;)
Even when the logging is to trap only, see below. Any more ideas as I
thought I've had this working in the past but maybe on earlier versions of
software.

Cheers


PIX(config)# debu icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
PIX4Internet(config)# 1: Outbound ICMP echo request (len 32 id 2 seq 46102)
172.16.6.91  172.16.6.91  194.#.#.2: Inbound  ICMP echo reply (len 32 id 2
seq 46102) 194.#.#.2  172.16.6.91  172.16.6.91
3: Outbound ICMP echo request (len 32 id 2 seq 46358) 172.16.6.91 
172.16.6.91  194.#.#.2: Inbound  ICMP echo reply (len 32 id 2 seq 46358)
194.#.#.2  172.16.6.91  172.16.6.91
no debu icmp trace5: Outbound ICMP echo request (len 32 id 2 seq 46614)
172.16.6.91  172.16.6.91  194.26.184.42
6: Inbound  ICMP echo reply (len 32 id 2 seq 46614) 194.#.#.2  172.16.6.91
 172.16.6.91

ICMP trace off
PIX4Internet(config)#

PIX(config)#  sh logg
Syslog logging: enabled
Facility: 19
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 29320465 messages logged
Logging to inside 172.16.4.34
Logging to inside 172.16.4.159
History logging: disabled
PIX(config)#



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73273t=73232
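
Added example (not part of the original thread or of any Cisco tool): a Python script that parses captured "debug icmp trace" console text like the output quoted above, keeps only the records for one peer, and lists echo requests that never got a reply. The record layout, the ">" address separator and every address in the sample are assumptions constructed for illustration.

```python
import re

# Record shape modelled on the trace output quoted in the thread. Assumption:
# addresses are separated by ">" or plain whitespace (the archived copy shows
# only whitespace), so both are accepted.
IP = r"\d+\.\d+\.\d+\.\d+"
REC = re.compile(
    r"(Outbound|Inbound) ICMP (echo request|echo reply) "
    r"\(len \d+ id (\d+) seq (\d+)\)((?:[\s>]*" + IP + r"){1,3})"
)

def parse_trace(text):
    """Return one dict per ICMP trace record in captured console text."""
    # Terminal wrapping splits records across lines and typed commands get
    # interleaved with output, so collapse whitespace and search the result.
    flat = " ".join(text.split())
    out = []
    for direction, kind, icmp_id, seq, tail in REC.findall(flat):
        addrs = re.findall(IP, tail)
        out.append({"dir": direction, "type": kind, "id": int(icmp_id),
                    "seq": int(seq), "src": addrs[0], "dst": addrs[-1]})
    return out

def for_peer(records, peer):
    """Keep only records whose first or last address is the peer under test."""
    return [r for r in records if peer in (r["src"], r["dst"])]

def unanswered(records, peer):
    """Sequence numbers of echo requests to peer that never got a reply."""
    replied = {(r["id"], r["seq"]) for r in records
               if r["type"] == "echo reply" and r["src"] == peer}
    return [r["seq"] for r in records
            if r["type"] == "echo request" and r["dst"] == peer
            and (r["id"], r["seq"]) not in replied]

# Constructed sample (documentation addresses), including a wrapped record and
# a command typed while output was still scrolling.
SAMPLE = """\
1: Outbound ICMP echo request (len 32 id 2 seq 46102) 10.1.1.5 > 203.0.113.5 > 192.0.2.10
2: Inbound  ICMP echo reply (len 32 id 2 seq 46102) 192.0.2.10 > 203.0.113.5 >
10.1.1.5
3: Outbound ICMP echo request (len 32 id 7 seq 100) 10.1.1.9 > 203.0.113.9 > 198.51.100.7
no debu icmp trace4: Outbound ICMP echo request (len 32 id 2 seq 46358) 10.1.1.5 > 203.0.113.5 > 192.0.2.10
"""

if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    print(len(for_peer(recs, "192.0.2.10")), "records for peer")
    print("unanswered seq:", unanswered(recs, "192.0.2.10"))
```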


Re: Logging ICMP on a PIX [7:73232]

2003-07-31 Thread Patrick Donlon
I don't really want to see all ICMP traffic as it makes me cross-eyed, I can
filter it on the syslog server though (if the disk isn't full). It's just
that when troubleshooting connections, e.g. a vpn to an external company,
icmp is normally allowed through so it would be nice to see it when setting
up a connection.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73281t=73232


Logging ICMP on a PIX [7:73232]

2003-07-30 Thread Patrick Donlon
Does anyone know how to log ICMP traffic that is allowed through a PIX?? I can
see denied ICMP no problem.

I can log all my other traffic with logging trap debug set, but it can't see
ICMP traffic passing through the firewall. Is this normal behaviour for
6.2(2)?

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73232t=73232