Cisco ACL debugging – ip ACL logs do not show ports

During most cisco firewall or router troubleshooting, it is often necessary to trace or log which traffic is traversing the Cisco. Cisco includes a feature called "IP accounting" which is quite useful, but only to report on amount of traffic between two endpoints, or access list violations. Normal IP access lists are much more useful to see which ports hosts are using, and so on. So I applied the access list:

access-list 102 permit ip host 10.91.25.1 any log

Which I thought would log the information I needed (which IPs and ports the host 10.91.25.1 was connecting to). However the log entries were missing the vital port number, for example:

%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(0) -> 204.11.109.24(0), 9 packets

Note the (0) instead of the port number. I figured that maybe since in this access list i never reference a port number, the cisco never tests which port the client is using and so gives a 0 as a port number. So I modified my ACL to:

access-list 102 permit tcp host 10.91.25.1 eq 0 any eq 0 log

access-list 102 permit ip host 10.91.25.1 any log

Now the cisco should test which port is being used, in fact, checking the logging we see the ports are being logged:

%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(21916) -> 92.122.216.105(80), 1 packet

Good to know!🙂