  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1173

cisco 1821 router debugging via syslog

Hi, I have a Cisco 1821 router. I want to set up debugging to see if it's blocking some traffic via an ACL. I turned on debugging and my router went on the fritz. The device became unresponsive.

I know I probably shouldn't have used debug all but what should I use to check the ACL entries? I also have a syslog server that might be a better option to troubleshoot my ACLs.
Asked by: jbla9028

1 Solution
 
MalhovicCommented:
Run a "sh access-list" on your router and it should list all of your current ACLs. This way you can view all of them and see which ones have what rules assigned to them. Is this your gateway, or are you looking at communication between servers?
 
jbla9028Author Commented:
Well, I can see the access-lists, but I want to see traffic hitting the router and being denied based on the ACLs. This is a gateway device connecting us to another site.
 
lrmooreCommented:
Add the log keyword to the end of the ACL entries that you are concerned about, then export the syslog to a logging host.
Else use
 debug ip packet <acl number>

 
shubhanshu_jaiswalCommented:
You can define a logging server in the router config and add the log keyword to the access-list entries... after this you will be able to get logs on the syslog server if your traffic hits that access-list entry... make sure that the syslog server is reachable from that router.
 
jbla9028Author Commented:
OK, so here's my config. I'm not sure what command I actually need to run to get the ACL to spit out logging. I was able to actually get the syslog to spit out messages, but it's not giving me much.


version 12.2
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R04
!
enable secret 5 $1$wfOn$gc1/nVyW3YxrBAci2dNol0
enable password x
!
ip subnet-zero
ip name-server 10.0.0.6
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.252 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 ip address 10.0.2.1 255.255.255.0
 ip nat outside
 no fair-queue
!
interface Serial1/0
 no ip address
 ip nat outside
!
router rip
 version 2
 network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.221
ip route 10.0.0.0 255.0.0.0 10.0.2.2
ip route 10.0.6.0 255.255.255.192 10.0.4.244
ip route 64.69.205.190 255.255.255.255 10.0.4.244
ip route 151.193.136.0 255.255.255.0 10.0.4.244
ip route 172.16.0.0 255.255.0.0 10.0.2.2
ip route 194.156.170.17 255.255.255.255 10.0.2.2
ip route 194.156.170.18 255.255.255.255 10.0.2.2
no ip http server
!
!
ip access-list extended inbound
 deny   tcp host 196.28.61.10 gt 1023 any eq smtp
 deny   ip 66.238.224.0 0.0.0.192 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 248.0.0.0 7.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit tcp any gt 1023 host 66.238.225.193 eq telnet reflect OUTGOOD
 evaluate GOODTRAFFIC
 deny   ip any any
ip access-list extended outbound
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 248.0.0.0 7.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit tcp host 66.238.225.194 gt 1023 any eq 5631 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq 5632 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 eq 5632 any gt 1023 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq 65301 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq 22 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq www reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq 1604 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq 1494 reflect GOODTRAFFIC
 permit tcp 66.238.225.0 0.0.0.255 gt 1023 any eq 443 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq ftp reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any gt 1023 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq domain reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq domain reflect GOODTRAFFIC
 permit icmp host 66.238.225.194 any echo-reply
 permit icmp host 66.238.225.194 any time-exceeded
 permit icmp host 66.238.225.194 any unreachable
 permit icmp host 66.238.225.194 any echo
 evaluate OUTGOOD
 deny   ip any any
ip access-list log-update threshold 10
!
logging 10.0.0.254
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
arp 10.0.0.244 03bf.0a00.00f4 ARPA
arp 10.0.0.245 03bf.0a00.00f4 ARPA
snmp-server community inside RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password X
 login
!
no scheduler allocate
end



My syslog server is 10.0.0.254.
I did have the logging trap debugging command on, but I didn't see much other than a telnet login message. What commands do I have to type to get the ACLs to log to my syslog?



 
MalhovicCommented:
I don't see the "logging on" command. Add this to your config and that should enable logging. Everything else seems good.

I would recommend the following to be added though:
Disable CPU-intensive monitoring:
no logging console
no logging monitor

Source of information: http://www.cisco.com/web/about/security/intelligence/acl-logging.html
 
jbla9028Author Commented:
Southmod, I've actually cleaned the config. I've changed all the passwords and our global IPs, but for safety's sake you can remove the config posting.
 
shubhanshu_jaiswalCommented:
I am giving you an example:

conf t
logging 172.x.x.x
ip access-list extended ABC
10 permit ip host x.x.x.x host a.a.a.a log
20 deny ip any any

So when traffic hits this access-list entry... the logs will be generated and displayed on the syslog server...
 
jbla9028Author Commented:
Thanks, that worked!
 
shubhanshu_jaiswalCommented:
By the way... which syslog server are you using, and how are you filtering those logs?
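The reply above (logging host plus the log keyword on ACL entries) describes what the router sends, and the last comment asks how those logs are being filtered on the syslog side. The script below is an added example, not code from this thread or from Cisco: it parses the %SEC-6-IPACCESSLOGP (TCP/UDP), IPACCESSLOGDP (ICMP) and IPACCESSLOGNP (other protocols) messages that IOS emits for logged entries, sums the packet counts per ACL and flow, and separately totals the packets reported by the IPACCESSLOGRL rate-limit message so you know when the log undercounts. Two caveats the thread does not spell out: these messages are severity 6, so the router's logging trap level must be informational (the default) or higher for them to reach the syslog host, and one line is a summary, not one packet (the first match is logged at once and later matches are batched every five minutes or when the configured log-update threshold is reached), so sum the packet field rather than counting lines. The sample syslog lines, sequence numbers, addresses and function names are constructed for the example.

```python
"""Summarise Cisco IOS ACL log messages from a syslog file (added example).

Message formats handled (Cisco IOS, severity 6):
  %SEC-6-IPACCESSLOGP:  list <acl> denied tcp 1.2.3.4(1234) -> 5.6.7.8(25), 1 packet
  %SEC-6-IPACCESSLOGDP: list <acl> denied icmp 1.2.3.4 -> 5.6.7.8 (8/0), 3 packets
  %SEC-6-IPACCESSLOGNP: list <acl> denied 47 1.2.3.4 -> 5.6.7.8, 2 packets
  %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 21 packets
With the log-input keyword the source is followed by "(<interface> <mac>)".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AclHit:
    acl: str
    action: str            # "permitted" or "denied"
    proto: str             # "tcp", "udp", "icmp" or an IP protocol number
    src: str
    sport: Optional[int]   # None for ICMP and non-TCP/UDP protocols
    dst: str
    dport: Optional[int]
    iface: Optional[str]   # ingress interface, only present with log-input
    packets: int           # summary count; one line can cover many packets


_HIT = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) [0-9a-fA-F.]+\))?"            # log-input: (interface mac)
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \(\d+/\d+\))?, (?P<packets>\d+) packets?"      # ICMP type/code, then count
)
_RATE_LIMITED = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (?P<packets>\d+) packets?"
)


def parse_acl_log_line(line: str) -> Optional[AclHit]:
    """Return an AclHit for an IPACCESSLOGP/DP/NP line, or None for anything else."""
    m = _HIT.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return AclHit(
        acl=g["acl"], action=g["action"], proto=g["proto"], src=g["src"],
        sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        iface=g["iface"], packets=int(g["packets"]),
    )


def missed_packets(line: str) -> int:
    """Packets the router says it matched but did not log because of rate limiting."""
    m = _RATE_LIMITED.search(line)
    return int(m.group("packets")) if m else 0


FlowKey = Tuple[str, str, str, str, Optional[int]]  # (acl, src, dst, proto, dport)


def summarize(lines: Iterable[str]) -> dict:
    """Sum packet counts per flow, split by action, and total the missed packets."""
    denied: Counter = Counter()
    permitted: Counter = Counter()
    missed = 0
    for line in lines:
        hit = parse_acl_log_line(line)
        if hit is None:
            missed += missed_packets(line)   # 0 for unrelated syslog messages
            continue
        key: FlowKey = (hit.acl, hit.src, hit.dst, hit.proto, hit.dport)
        (denied if hit.action == "denied" else permitted)[key] += hit.packets
    return {"denied": denied, "permitted": permitted, "missed": missed}


def top_denied_sources(summary: dict, n: int = 5) -> List[Tuple[str, int]]:
    """Source addresses with the most denied packets, largest first."""
    per_src: Counter = Counter()
    for (_acl, src, _dst, _proto, _dport), pkts in summary["denied"].items():
        per_src[src] += pkts
    return per_src.most_common(n)


# Constructed sample syslog lines (syslog header, sequence numbers and addresses made up).
SAMPLE_LOG = """\
Mar 12 14:02:11 10.0.0.252 45: *Mar 12 14:02:10: %SEC-6-IPACCESSLOGP: list inbound denied tcp 196.28.61.10(3456) -> 10.0.0.6(25), 1 packet
Mar 12 14:02:13 10.0.0.252 46: *Mar 12 14:02:12: %SEC-6-IPACCESSLOGP: list outbound permitted tcp 66.238.225.194(40123) -> 151.193.136.5(443), 1 packet
Mar 12 14:02:40 10.0.0.252 47: *Mar 12 14:02:39: %SEC-6-IPACCESSLOGDP: list inbound denied icmp 192.168.7.9 -> 10.0.2.1 (8/0), 3 packets
Mar 12 14:03:02 10.0.0.252 48: *Mar 12 14:03:01: %SEC-6-IPACCESSLOGNP: list inbound denied 47 172.16.4.2 (Serial0/0 0011.2233.4455) -> 10.0.0.252, 2 packets
Mar 12 14:03:05 10.0.0.252 49: *Mar 12 14:03:04: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.6)
Mar 12 14:07:11 10.0.0.252 50: *Mar 12 14:07:10: %SEC-6-IPACCESSLOGP: list inbound denied tcp 196.28.61.10(3457) -> 10.0.0.6(25), 9 packets
Mar 12 14:07:12 10.0.0.252 51: *Mar 12 14:07:11: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 21 packets
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for (acl, src, dst, proto, dport), pkts in sorted(s["denied"].items(), key=lambda kv: -kv[1]):
        print(f"denied  {acl:<10} {proto:<4} {src} -> {dst} port {dport}: {pkts} pkts")
    print("top denied sources:", top_denied_sources(s))
    print("packets matched but not logged (rate limited):", s["missed"])
```

Point the script at the file your syslog server writes for the router (for example, replace SAMPLE_LOG.splitlines() with open(path)), and grep the summary for the ACL name you added log to; a flow that shows up under "denied" with a growing packet count is the entry that is blocking your traffic. A non-zero missed figure means the router hit its ACL logging rate limit and the counts are a lower bound.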
