Ok so tonight I was playing around with some options available in ACLs. Here is something that I find to be very cool. You can use log options and some fancy configuration of ACL entries to see exactly what ports are being permitted or denied. Here is what I mean.

Access-list looks like this:

Rack2R4(config-ext-nacl)#do sh access-l
Extended IP access list 100
10 permit tcp any any log-input (43 matches)
20 permit udp any any log-input
30 permit ip any any (13 matches)

If you do a show log you will see the source IP, destination IP and the source MAC as well as the ingress interface, as seen here:

Rack2R4(config-ext-nacl)#do sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 75 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: level debugging, 47 messages logged, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 103 message lines logged


Log Buffer (4096 bytes):
(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.684: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.700: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.700: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.704: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.712: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:08.733: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.030: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.038: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.302: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.627: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.831: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet

…but with a slight modification to the list as follows:

Rack2R4(config-ext-nacl)#no 10  permit tcp any any log-input
Rack2R4(config-ext-nacl)#10 permit tcp any any range 1 65535 log
Rack2R4(config-ext-nacl)#

After generating TCP traffic you get a really cool log output like this (notice you now have source and destination ports):

Rack2R4(config-ext-nacl)#do sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
Console logging: level debugging, 75 messages logged, xml disabled
Monitor logging: level debugging, 0 messages logged, xml disabled
Buffer logging: level debugging, 47 messages logged, xml disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 103 message lines logged

Log Buffer (4096 bytes):

*Mar  1 01:39:56.893: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.097: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.927: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.131: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.147: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.307: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.452: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.608: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.736: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.740: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:40:00.114: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11003) -> 150.2.4.4(23), 1 packet

Pretty cool stuff huh? Yeah, it made my night. Now what can I use this for… hmm.
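One defender-side use for that log format, as an added example rather than anything from the original post: a small Python parser for %SEC-6-IPACCESSLOGP lines that handles both the log-input form (interface and MAC present) and the plain log form, aggregates packets per flow, and flags entries whose ACE reports 0/0 ports, so you can tell which logging rules are not actually giving you port visibility. The sample lines are two taken from the listings above plus one constructed "denied udp" line.

```python
import re
from collections import Counter
from typing import Optional

# One regex for both %SEC-6-IPACCESSLOGP variants.  The "(iface mac)" group is
# present only for ACEs configured with "log-input"; the post's second listing
# lacks it because that ACE was re-entered with plain "log".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-fA-F.]+)\))?"
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ACL log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("sport", "dport", "count"):
        e[k] = int(e[k])
    # IOS logs 0/0 when the ACE has no port match ("permit tcp any any"), so
    # 0 here means "not recorded", not port zero.
    e["ports_visible"] = not (e["sport"] == 0 and e["dport"] == 0)
    return e

def summarize(lines) -> dict:
    """Aggregate packets per flow and flag ACEs whose hits hide port numbers."""
    flows, blind = Counter(), set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        key = (e["acl"], e["action"], e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        flows[key] += e["count"]
        if not e["ports_visible"]:
            blind.add((e["acl"], e["proto"]))
    return {"flows": dict(flows), "blind_entries": sorted(blind)}

# Two lines quoted from the post (log-input without ports, log with ports) plus
# one constructed "denied udp" line to exercise the other action.
SAMPLE = [
    "*Mar  1 01:37:07.684: %SEC-6-IPACCESSLOGP: list 100 permitted tcp "
    "150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet",
    "*Mar  1 01:39:56.893: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet",
    "*Mar  1 01:41:10.000: %SEC-6-IPACCESSLOGP: list 100 denied udp 150.2.14.1(53412) -> 150.2.4.4(161), 3 packets",
]
SUMMARY = summarize(SAMPLE)  # SUMMARY["blind_entries"] == [('100', 'tcp')]
```

Feed it `show logging` output or the syslog collector's copy of it; any entry that lands in blind_entries is an ACE worth giving an explicit port range, as the post does with range 1 65535.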
