Question about Cisco term mon command and/or syslogging

I have a router with a pretty complex ACL structure serving as our internet firewall (using CBAC, I think it's called).  I need to troubleshoot FTP access for clients on my network trying to connect to servers on the internet.

My normal method of troubleshooting a thing like this is to ssh to the firewall router and issue a term mon command, then have the user try to do whatever it is we're troubleshooting.  Usually that'll show me something being denied and make it easy to figure out how to fix it.  But when I do this for the current issue, I don't see any denies, the FTP client just fails to connect, from multiple clients on multiple subnets.

I'm wondering: if the reason a client is being denied is just the implied "deny any" at the end of my outbound ACL, will I see a deny in my term mon output or syslog output, or not?
ZipoBibrock5e8 asked:

Istvan Kalmar (Head of IT Security Division) commented:
Yes, you are able to see the deny

if you put the 'log' keyword at the end of the deny ACL entry.
0
Justin Ellenbecker (IT Director) commented:
Does the router have the ASDM image on it? If so, you can log in through ASDM and use a few tools there to do some packet tracing.
0
Don Johnston (Instructor) commented:
What debug command are you using?
0

ZipoBibrock5e8 (Author) commented:
donjohnston:

Sorry, forgot about this question, but I would like to know the answer.

I'm issuing a term mon and using whatever debug level is set already for the device, if that makes sense...how do I see what level that is?
0
Istvan Kalmar (Head of IT Security Division) commented:
sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 863847 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 8 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 863847 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
0
ZipoBibrock5e8 (Author) commented:
Here's the output of that command on the router in question, minus the individual log entries:


Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: disabled
    Monitor logging: level debugging, 241 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 153598 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level debugging, 153648 message lines logged
        Logging to 10.10.2.14  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              153648 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
0
Istvan Kalmar (Head of IT Security Division) commented:
So you have the debugging level; if you enter the 'ter mon' command, you are able to see it online.
0
Justin Ellenbecker (IT Director) commented:
You should also be able to see them in the syslog server that is running on 10.10.2.14.  You should be able to open this file and search for what you are looking for.
0
ZipoBibrock5e8 (Author) commented:
That's what I did when I was troubleshooting the problem, and I didn't see the rejected attempts.  The problem was fixed by adding an entry to our outgoing ACL, so it was an issue where the request was hitting the implicit deny, but it wasn't showing up in the monitor session.
0
Justin Ellenbecker (IT Director) commented:
This will happen because the implicit deny does not have "log" at the end of it.  The solution to that is to add your own deny all at the end with the log option, so your last entry and the implicit deny match except for the logging.
0
ZipoBibrock5e8 (Author) commented:
Aha... am I likely to regret the number of log entries I get if I do that?  Is there any easy way to only turn on that kind of logging when I need it?
0
Justin Ellenbecker (IT Director) commented:
Since it is the last line of the ACL and there is the implicit deny, you should be able to add and remove it as needed.  The real question is how restrictive the rest of the ACL is: do you expect a lot of traffic to get blocked?  But like I said, since it is the last item, you should have no trouble removing it and adding it as you please for troubleshooting.
0
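As an added illustration (not posted by anyone in this thread), here is what the explicit logged deny described in the two comments above looks like in IOS configuration, together with how to bound its log volume and how to take it out again. The ACL name OUTBOUND, the 10.10.0.0/16 inside range, the permit entries and the sample addresses in the log line are assumptions; only the syslog host 10.10.2.14 comes from the thread.

```cisco
! Added example, not from the thread. ACL name OUTBOUND, the inside
! range and the permit entries are assumed; adjust to the router in question.
!
! Step 1: give the implicit deny an explicit, logged twin at the end of the ACL.
! In a named extended ACL a new entry given without a sequence number is
! appended after the existing ones, so the rest of the list is untouched.
ip access-list extended OUTBOUND
 permit tcp 10.10.0.0 0.0.255.255 any eq 80
 permit tcp 10.10.0.0 0.0.255.255 any eq 443
 deny   ip any any log
!
! Step 2: keep the log volume bounded while the entry is in place.
! The first packet matching a logged entry is logged at once; later matches
! are summarised rather than producing one line per packet. The threshold
! controls how many matches accumulate before a summary line is emitted.
ip access-list log-update threshold 100
!
! Step 3: check the hit counters, then watch the messages live (term mon)
! or on the syslog host 10.10.2.14. The explicit entry gets a match counter
! in this output; the implicit deny never does.
show access-lists OUTBOUND
!
! A logged deny for an FTP control connection looks like this (addresses assumed):
!   %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.10.5.23(51422) -> 203.0.113.10(21), 1 packet
! No such line is produced for packets that fall through to the implicit deny.
!
! Step 4: remove the entry when the troubleshooting session is over. Because
! it is the last line and mirrors the implicit deny, removing it changes
! nothing about what is forwarded, only what is logged.
ip access-list extended OUTBOUND
 no deny ip any any log
```

The match counter from `show access-lists` is often enough to confirm that traffic is reaching the catch-all deny, even before any log line is read, and it costs nothing in log volume; the `log` keyword is what makes the individual source, destination and port visible in the monitor session or on the syslog server.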
ZipoBibrock5e8 (Author) commented:
Two good points, there.  Really, the catch-all deny won't be hit that often by well-behaved, non-technical users, so it might not add the load I first thought it would.  Also, even an amateur like myself can add and delete a last line deny pretty easily.

Sounds like I've got 2 good options here.  Thanks all for the help.
0