CocoCounty
Need to count IP address hits
Hello
Task - I have been asked to check if certain NAT rules are being utilized at this time. Usually this would be a matter of looking at the firewall (an ASA in my case) or simply looking at the end devices to check whether there is any incoming traffic from the outside. Neither option is available right now.
Scenario - We currently use the ISP as our firewall; they firewall and NAT outside addresses to our internal addresses. The ISP doesn't provide NAT metrics to us. Incoming traffic hits our edge router and then our ASA (used mostly for VPN).
What I have tried - I put an ACL on our edge router interface (inbound) permitting the NATted-to internal IP addresses, expecting to see some ACL matches if they were hit. See the text below for the ACL and interface configs.
On the ACL I have tried with and without the "log" option.
What is the method to collect IP traffic information on a Cisco 1941?
Any assistance would be greatly appreciated.
Thanks in advance
-----------------------
R1#show access-list
Standard IP access list 88
20 permit 192.168.111.7
30 permit 192.168.111.8
10 deny 192.168.55.11
40 permit 192.168.34.27
50 permit 192.168.31.40
60 permit 192.168.34.18
70 permit 192.168.32.13
80 permit 192.168.3.33
90 permit 192.168.25.6
100 permit any (4920313 matches)
------------
R1#sh run int gig 0/0
interface GigabitEthernet0/0
ip address 65.118.86.166 255.255.255.252
ip access-group 88 in
duplex full
speed 100
--------------
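Added example, not code from the asker or from any reply in this thread: a Python script that parses `show access-list` output like the one posted above and reports which entries have never counted a packet. Two points it encodes are facts about IOS rather than anything the thread states: IOS prints "(N matches)" only on entries that have seen traffic, so an entry with no suffix has zero hits, and a standard IP ACL matches on the source address only, so entries naming the internal (destination) addresses, applied inbound on the outside-facing interface, cannot increment. The script therefore also emits an extended ACL of "permit ip any host X" lines that counts traffic *to* each listed host without changing forwarding (every line is a permit). The sample output is constructed from the posted ACL 88 plus a hypothetical extended ACL named COUNT-IN and a hypothetical wildcard entry; the ACL name and that entry are assumptions, not part of the original post.

```python
"""Parse Cisco IOS `show access-list` output and report per-entry hit counts.

Added example for this thread; not the asker's or any expert's code.
"""
import re

# Constructed sample output. The standard ACL 88 lines copy the question's
# posting (plus a hypothetical wildcard entry at seq 50); extended ACL
# COUNT-IN is hypothetical and exists only to show per-host entries with
# and without a match count.
SAMPLE = """\
Standard IP access list 88
    20 permit 192.168.111.7
    30 permit 192.168.111.8
    10 deny   192.168.55.11
    40 permit 192.168.34.27
    50 permit 10.20.0.0, wildcard bits 0.0.255.255
    100 permit any (4920313 matches)
Extended IP access list COUNT-IN
    10 permit ip any host 192.168.111.7 (12 matches)
    20 permit ip any host 192.168.111.8
    30 permit ip any any (1 match)
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# seq, action, rule text, optional "(N matches)" / "(1 match)" suffix
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_show_access_list(text):
    """Return {acl_name: {"type": "standard"|"extended", "entries": [...]}}.

    An entry without a "(N matches)" suffix has counted zero packets and is
    recorded as 0. Entries are sorted by sequence number because IOS does not
    list standard ACL entries in sequence order (seq 10 appears third above).
    """
    acls = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"type": header.group(1).lower(), "entries": []}
            acls[header.group(2)] = current
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            seq, action, rule, hits = entry.groups()
            current["entries"].append({
                "seq": int(seq),
                "action": action,
                "rule": rule.strip(),
                "matches": int(hits) if hits else 0,
            })
    for acl in acls.values():
        acl["entries"].sort(key=lambda e: e["seq"])
    return acls


def zero_hit_rules(acls, name):
    """Rule text of every entry in ACL `name` that has never matched a packet."""
    return [e["rule"] for e in acls[name]["entries"] if e["matches"] == 0]


def counting_acl_from_standard(acls, name, new_name):
    """Build an extended ACL that counts packets destined *to* each address
    named in standard ACL `name`.

    A standard ACL tests the source address only, so inbound on an outside
    interface its entries for internal hosts never match. "permit ip any
    host X" counts traffic toward X. Every line is a permit, including the
    original deny, so applying this ACL does not alter forwarding.
    """
    lines = [f"ip access-list extended {new_name}"]
    for e in acls[name]["entries"]:
        rule = e["rule"]
        if rule == "any":
            target = "any"
        elif ", wildcard bits " in rule:          # "net, wildcard bits mask"
            net, wildcard = rule.split(", wildcard bits ")
            target = f"{net} {wildcard}"
        else:                                      # single host address
            target = f"host {rule}"
        lines.append(f" {e['seq']} permit ip any {target}")
    return lines


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    for acl_name, acl in parsed.items():
        print(f"{acl['type']} ACL {acl_name}: never matched ->",
              zero_hit_rules(parsed, acl_name))
    print("\n".join(counting_acl_from_standard(parsed, "88", "COUNT-IN")))
```

Feed it the saved output of `show access-list` taken a few hours apart; entries whose count stays at zero are the hosts receiving no inbound traffic. The generated extended ACL is only a counting aid and still needs to be applied with `ip access-group COUNT-IN in` on the outside interface, replacing ACL 88 there.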
ASKER CERTIFIED SOLUTION
SOLUTION
If you are open to more extensive analysis, things like Netflow Accounting could deliver even more information ...
ASKER
The ACL with a deny statement did the job.
ASKER
I will try both. I need to wait until Monday to do any work on the router. I will post the results then.
Thanks again