jbla9028
asked on
cisco 1821 router debugging via syslog
Hi, I have a Cisco 1821 router. I want to set up debugging to see if it's blocking some traffic via an ACL. I turned on debugging and my router went on the fritz. The device became unresponsive.
I know I probably shouldn't have used debug all, but what should I use to check the ACL entries? I also have a syslog server that might be a better option to troubleshoot my ACLs.
Run a "sh access-list" on your router and it should populate all of your current ACLs. This way you can view all of them and see which ones have what rules assigned to them. Is this your gateway, or are you looking at communication between servers?
ASKER
Well, I can see the access-lists, but I want to see traffic hitting the router and being denied based on the ACLs. This is a gateway device connecting us to another site.
Add the log keyword to the end of the ACL entries that you are concerned about, then export the syslog to a logging host.
Else use
debug ip packet <acl number>
You can define a logging server in the router config and add the log keyword to the access-list entries. After this you will be able to get logs on the syslog server if your traffic hits that access-list entry. Make sure that the syslog server is reachable from that router.
ASKER
OK, so here's my config. I'm not sure what command I actually need to run to get the ACL to spit out logging. I was able to actually get the syslog to spit out messages, but it's not giving me much.
version 12.2
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R04
!
enable secret 5 $1$wfOn$gc1/nVyW3YxrBAci2d Nol0
enable password x
!
ip subnet-zero
ip name-server 10.0.0.6
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.252 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0/0
ip address 10.0.2.1 255.255.255.0
ip nat outside
no fair-queue
!
interface Serial1/0
no ip address
ip nat outside
!
router rip
version 2
network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.221
ip route 10.0.0.0 255.0.0.0 10.0.2.2
ip route 10.0.6.0 255.255.255.192 10.0.4.244
ip route 64.69.205.190 255.255.255.255 10.0.4.244
ip route 151.193.136.0 255.255.255.0 10.0.4.244
ip route 172.16.0.0 255.255.0.0 10.0.2.2
ip route 194.156.170.17 255.255.255.255 10.0.2.2
ip route 194.156.170.18 255.255.255.255 10.0.2.2
no ip http server
!
!
ip access-list extended inbound
deny tcp host 196.28.61.10 gt 1023 any eq smtp
deny ip 66.238.224.0 0.0.0.192 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 248.0.0.0 7.255.255.255 any
deny ip host 255.255.255.255 any
permit tcp any gt 1023 host 66.238.225.193 eq telnet reflect OUTGOOD
evaluate GOODTRAFFIC
deny ip any any
ip access-list extended outbound
deny ip 0.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 248.0.0.0 7.255.255.255 any
deny ip host 255.255.255.255 any
permit tcp host 66.238.225.194 gt 1023 any eq 5631 reflect GOODTRAFFIC
permit udp host 66.238.225.194 gt 1023 any eq 5632 reflect GOODTRAFFIC
permit udp host 66.238.225.194 eq 5632 any gt 1023 reflect GOODTRAFFIC
permit tcp host 66.238.225.194 gt 1023 any eq 65301 reflect GOODTRAFFIC
permit udp host 66.238.225.194 gt 1023 any eq 22 reflect GOODTRAFFIC
permit tcp host 66.238.225.194 gt 1023 any eq www reflect GOODTRAFFIC
permit udp host 66.238.225.194 gt 1023 any eq 1604 reflect GOODTRAFFIC
permit tcp host 66.238.225.194 gt 1023 any eq 1494 reflect GOODTRAFFIC
permit tcp 66.238.225.0 0.0.0.255 gt 1023 any eq 443 reflect GOODTRAFFIC
permit tcp host 66.238.225.194 gt 1023 any eq ftp reflect GOODTRAFFIC
permit tcp host 66.238.225.194 gt 1023 any gt 1023 reflect GOODTRAFFIC
permit udp host 66.238.225.194 gt 1023 any eq domain reflect GOODTRAFFIC
permit tcp host 66.238.225.194 gt 1023 any eq domain reflect GOODTRAFFIC
permit icmp host 66.238.225.194 any echo-reply
permit icmp host 66.238.225.194 any time-exceeded
permit icmp host 66.238.225.194 any unreachable
permit icmp host 66.238.225.194 any echo
evaluate OUTGOOD
deny ip any any
ip access-list log-update threshold 10
!
logging 10.0.0.254
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
arp 10.0.0.244 03bf.0a00.00f4 ARPA
arp 10.0.0.245 03bf.0a00.00f4 ARPA
snmp-server community inside RO
snmp-server enable traps tty
!
line con 0
line aux 0
line vty 0 4
password X
login
!
no scheduler allocate
end
My syslog server is 10.0.0.254.
I did have the logging trap debugging command on, but I didn't see much other than a telnet login message. What commands do I have to type to get the ACLs to log to my syslog?
I don't see the "logging on" command. Add this to your config and that should enable logging. Everything else seems good.
I would recommend the following be added, though:
Disable CPU-intensive monitoring:
no logging console
no logging monitor
Source of information: http://www.cisco.com/web/about/security/intelligence/acl-logging.html
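The advice in this thread (add the log keyword and send syslog to a logging host; add "logging on" and turn off console and monitor logging) pulled together as one IOS 12.2 configuration. This is an added example, not the asker's config or any responder's answer. It reuses the ACL names, the syslog host 10.0.0.254 and the log-update threshold from the posted config; everything else is an assumption: that the syslog host is reached through FastEthernet0/0, that the "inbound" and "outbound" lists belong on the NAT-outside interface Serial0/0 (the posted config shows no ip access-group lines, possibly removed when it was cleaned), and that the 196.28.61.10 line in the sample message is constructed.

```ios
! Added example, not the poster's or responders' config: the logging pieces the
! thread describes, applied to the ACL names and syslog host shown above.
!
! 0. An ACL logs nothing until it is applied to an interface. The posted config
!    shows no "ip access-group" lines; the placement below is assumed.
interface Serial0/0
 ip access-group inbound in
 ip access-group outbound out
!
! 1. Global logging: "logging on" enables it, and the trap level must be at
!    least informational (6), because ACL matches arrive as %SEC-6-IPACCESSLOG*
!    messages. "logging trap debugging" (7) also covers them.
logging on
logging trap informational
logging source-interface FastEthernet0/0
logging 10.0.0.254
!
! 2. Keep logged packets off the console and vty lines (slow, CPU-bound paths);
!    keep a local buffer so "show logging" still works if syslog is unreachable.
no logging console
no logging monitor
logging buffered 16384 informational
!
! 3. Summarise instead of logging every packet: one message per 10 matches per
!    flow (the threshold already present in the posted config).
ip access-list log-update threshold 10
!
! 4. Add "log" only to the entries under investigation; each logged packet is
!    punted to the CPU, which is how "debug all" took the router down.
!    IOS 12.2 named ACLs have no sequence numbers, so a removed-and-re-added
!    entry lands at the end; the final deny is therefore safe to change in place.
!    Before (silent):  deny ip any any
!    After  (logged):  deny ip any any log
ip access-list extended inbound
 no deny ip any any
 deny ip any any log
!
ip access-list extended outbound
 no deny ip any any
 deny ip any any log
!
! "log-input" additionally records the ingress interface and source MAC, useful
! when the same source could arrive on Serial0/0 or Serial1/0:
!   deny ip any any log-input
!
! Resulting message on the syslog host (real %SEC-6 format; addresses and
! ports are constructed for this example):
!   %SEC-6-IPACCESSLOGP: list inbound denied tcp 196.28.61.10(40000) -> 66.238.225.193(25), 1 packet
```

After this is in place, "show access-list" shows a match counter per entry (so you can see whether a deny is being hit even before the syslog message arrives), and "show logging" shows the local buffer. The "debug ip packet <acl>" route mentioned above still costs CPU on every packet the ACL matches; logged ACL entries with the update threshold are the lighter option on a production gateway.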
ASKER
Southmod, I've actually cleaned the config. I've changed all the passwords and our global IPs but for safety sake you can remove the config posting.
ASKER CERTIFIED SOLUTION
ASKER
Thanks, that worked!
By the way, which syslog server are you using, and how are you filtering those logs?