Solved

cisco 1821 router debugging via syslog

Posted on 2010-09-20
1,140 Views
Last Modified: 2012-05-10
Hi, I have a Cisco 1821 router. I want to set up debugging to see if it's blocking some traffic via an ACL. I turned on debugging and my router went on the fritz. The device became unresponsive.

I know I probably shouldn't have used debug all, but what should I use to check the ACL entries? I also have a syslog server that might be a better option to troubleshoot my ACLs.
Question by:jbla9028
12 Comments
 
LVL 1

Expert Comment

by:Malhovic
ID: 33720605
Run a "sh access-list" on your router and it should populate all of your current ACLs. This way you can view all of them and see which ones have what rules assigned to them. Is this your gateway, or are you looking at communication between servers?
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33720618
Well, I can see the access-lists, but I want to see traffic hitting the router and being denied based on the ACLs. This is a gateway device connecting us to another site.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 33721835
Add the log keyword to the end of the ACL entries that you are concerned about, then export the syslog to a logging host.
Else use
 debug ip packet <acl number>

0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 33723934
You can define a logging server in the router config and add the log keyword to the access-list entries. After this you will be able to get logs on the syslog server if your traffic hits that access-list entry. Make sure that the syslog server is reachable from that router.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33724312
OK, so here's my config. I'm not sure what command I actually need to run to get the ACL to spit out logging. I was able to actually get the syslog to spit out messages, but it's not giving me much:


version 12.2
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R04
!
enable secret 5 $1$wfOn$gc1/nVyW3YxrBAci2dNol0
enable password x
!
ip subnet-zero
ip name-server 10.0.0.6
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.0.0.252 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 ip address 10.0.2.1 255.255.255.0
 ip nat outside
 no fair-queue
!
interface Serial1/0
 no ip address
 ip nat outside
!
router rip
 version 2
 network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.221
ip route 10.0.0.0 255.0.0.0 10.0.2.2
ip route 10.0.6.0 255.255.255.192 10.0.4.244
ip route 64.69.205.190 255.255.255.255 10.0.4.244
ip route 151.193.136.0 255.255.255.0 10.0.4.244
ip route 172.16.0.0 255.255.0.0 10.0.2.2
ip route 194.156.170.17 255.255.255.255 10.0.2.2
ip route 194.156.170.18 255.255.255.255 10.0.2.2
no ip http server
!
!
ip access-list extended inbound
 deny   tcp host 196.28.61.10 gt 1023 any eq smtp
 deny   ip 66.238.224.0 0.0.0.192 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 248.0.0.0 7.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit tcp any gt 1023 host 66.238.225.193 eq telnet reflect OUTGOOD
 evaluate GOODTRAFFIC
 deny   ip any any
ip access-list extended outbound
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 248.0.0.0 7.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit tcp host 66.238.225.194 gt 1023 any eq 5631 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq 5632 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 eq 5632 any gt 1023 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq 65301 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq 22 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq www reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq 1604 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq 1494 reflect GOODTRAFFIC
 permit tcp 66.238.225.0 0.0.0.255 gt 1023 any eq 443 reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq ftp reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any gt 1023 reflect GOODTRAFFIC
 permit udp host 66.238.225.194 gt 1023 any eq domain reflect GOODTRAFFIC
 permit tcp host 66.238.225.194 gt 1023 any eq domain reflect GOODTRAFFIC
 permit icmp host 66.238.225.194 any echo-reply
 permit icmp host 66.238.225.194 any time-exceeded
 permit icmp host 66.238.225.194 any unreachable
 permit icmp host 66.238.225.194 any echo
 evaluate OUTGOOD
 deny   ip any any
ip access-list log-update threshold 10
!
logging 10.0.0.254
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
arp 10.0.0.244 03bf.0a00.00f4 ARPA
arp 10.0.0.245 03bf.0a00.00f4 ARPA
snmp-server community inside RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
 password X
 login
!
no scheduler allocate
end



My syslog server is 10.0.0.254.
I did have the logging trap debugging command on, but I didn't see much other than a telnet login message. What commands do I have to type to get the ACLs to log to my syslog?



0
 
LVL 1

Expert Comment

by:Malhovic
ID: 33727961
I don't see the "logging on" command. Add this to your config and that should enable logging. Everything else seems good.

I would recommend adding the following, which disables CPU-intensive monitoring:
no logging console
no logging monitor

Source of Information: http://www.cisco.com/web/about/security/intelligence/acl-logging.html
0
 
LVL 1

Author Comment

by:jbla9028
ID: 33734873
Southmod, I've actually cleaned the config. I've changed all the passwords and our global IPs, but for safety's sake you can remove the config posting.
0
 
LVL 5

Accepted Solution

by:
shubhanshu_jaiswal earned 500 total points
ID: 33741963
I am giving you an example:

conf t
logging 172.x.x.x
ip access-list extended ABC
10 permit ip host x.x.x.x host a.a.a.a log
20 deny ip any any

So when traffic hits this access-list entry, the logs will be generated and displayed on the syslog server.
0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 33742865
thanks that worked!
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 33742908
By the way, which syslog server are you using, and how are you filtering those logs?
0
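The accepted solution above gets log messages flowing to the syslog host; the follow-up question is how to make sense of them once they arrive. What follows is an added example (not code from the original thread) in Python that parses the %SEC-6-IPACCESSLOGP, IPACCESSLOGDP and IPACCESSLOGNP messages IOS produces for ACL entries carrying the log or log-input keyword, sums the per-interval packet counts into per-flow totals, and tallies the packets the router reports as not logged by the ACL logging rate limiter (%SEC-6-IPACCESSLOGRL). The lines in SAMPLE_LOG are constructed to match the poster's "inbound" and "outbound" ACLs, and the "<date> <router-ip> <seq>:" prefix is an assumption about how the poster's syslog server writes lines. Two caveats worth checking against the posted config before expecting any output: neither access list is applied to an interface with ip access-group in the config as posted, and an ACL that is not applied never matches and so never logs; and packets that match a log entry are process-switched, which is why the log keyword belongs on the few entries under investigation rather than on every line.

```python
"""Summarize Cisco IOS ACL log messages (%SEC-6-IPACCESSLOG*) from a syslog feed.

Added example for this thread, not code from the original page. SAMPLE_LOG is
constructed; the "<date> <router-ip> <seq>:" prefix is an assumption about the
poster's syslog server, and the router name/IPs mirror the posted config.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# IPACCESSLOGP: tcp/udp with ports in parentheses. IPACCESSLOGDP: icmp, with
# "(type/code)" after the destination. IPACCESSLOGNP: any other protocol, shown
# by number. "(interface mac)" after the source appears only with "log-input".
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ingress>\S+) (?P<mac>\S+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)
# Emitted when the ACL logging rate limiter drops messages; those packets were
# still permitted or denied, they just were not logged individually.
RATE_LIMITED_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (\d+) packets?"
)

# Constructed sample: first hit, a 10-packet update (log-update threshold 10),
# icmp, GRE (proto 47), a rate-limit notice, a log-input hit, an unrelated line.
SAMPLE_LOG = """\
Sep 20 14:03:12 10.0.0.252 1234: *Sep 20 14:03:11: %SEC-6-IPACCESSLOGP: list inbound denied tcp 196.28.61.10(1025) -> 10.0.0.6(25), 1 packet
Sep 20 14:08:12 10.0.0.252 1235: *Sep 20 14:08:11: %SEC-6-IPACCESSLOGP: list inbound denied tcp 196.28.61.10(1025) -> 10.0.0.6(25), 10 packets
Sep 20 14:08:40 10.0.0.252 1236: *Sep 20 14:08:39: %SEC-6-IPACCESSLOGDP: list inbound denied icmp 192.168.1.9 -> 10.0.0.252 (8/0), 1 packet
Sep 20 14:09:01 10.0.0.252 1237: *Sep 20 14:09:00: %SEC-6-IPACCESSLOGNP: list outbound denied 47 10.0.0.44 -> 172.16.5.5, 1 packet
Sep 20 14:09:05 10.0.0.252 1238: *Sep 20 14:09:04: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
Sep 20 14:09:30 10.0.0.252 1239: *Sep 20 14:09:29: %SEC-6-IPACCESSLOGP: list outbound denied tcp 10.0.0.44(3456) (FastEthernet0/0 0011.2233.4455) -> 10.0.2.2(23), 1 packet
Sep 20 14:09:45 10.0.0.252 1240: *Sep 20 14:09:44: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
"""


@dataclass(frozen=True)
class AclHit:
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    icmp_type: Optional[int]
    ingress: Optional[str]  # ingress interface, only present with log-input
    count: int              # packets reported by this one message


def _opt_int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_acl_hit(line: str) -> Optional[AclHit]:
    """Return the ACL hit described by a syslog line, or None for other messages."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    return AclHit(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=_opt_int(m["sport"]),
        dst=m["dst"], dport=_opt_int(m["dport"]),
        icmp_type=_opt_int(m["itype"]), ingress=m["ingress"],
        count=int(m["count"]),
    )


def parse_rate_limited(line: str) -> int:
    """Packets the router admits it did not log (0 for any other line)."""
    m = RATE_LIMITED_RE.search(line)
    return int(m.group(1)) if m else 0


def summarize(lines: Iterable[str]) -> dict:
    """Sum packet counts per flow (acl, action, proto, src, dst, dport/icmp type).

    IOS logs the first matching packet at once and then one update per logging
    interval (or per "log-update threshold" packets) carrying the count for that
    period, so adding the counts gives the per-flow total. Source ports are left
    out of the key so one host's ephemeral ports do not fan out into many rows.
    """
    flows: Counter = Counter()
    missed = 0
    for line in lines:
        hit = parse_acl_hit(line)
        if hit is None:
            missed += parse_rate_limited(line)
            continue
        key = (hit.acl, hit.action, hit.proto, hit.src, hit.dst,
               hit.dport if hit.dport is not None else hit.icmp_type)
        flows[key] += hit.count
    return {"flows": flows, "missed": missed}


def denied_by_acl(summary: dict, acl: str) -> list:
    """Denied flows for one ACL, busiest first: what that ACL is actually blocking."""
    rows = [(k, n) for k, n in summary["flows"].items()
            if k[0] == acl and k[1] == "denied"]
    return sorted(rows, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    result = summarize(source)
    for acl in ("inbound", "outbound"):
        for (_, _, proto, src, dst, port), n in denied_by_acl(result, acl):
            print(f"{acl:9} denied {proto:5} {src:>15} -> {dst:<15} port/type={port} packets={n}")
    print(f"not logged because of rate limiting: {result['missed']}")
```

Run it with nothing on stdin to see the summary of the constructed sample, or pipe the syslog server's router log into it for real data. The rate-limited total matters when reading the numbers: if it is large relative to the flow totals, the per-flow counts are an undercount, and the fix is to narrow the log keyword to fewer entries rather than to trust the totals.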
