Cisco ACL debugging – ip ACL logs do not show ports

During most Cisco firewall or router troubleshooting it is necessary to trace or log which traffic is traversing the device. Cisco IOS includes a feature called "IP accounting", which is useful, but only for reporting the amount of traffic between two endpoints or access-list violations. A normal IP access list with the log keyword is much more useful for seeing which ports hosts are using, and so on. So I applied this access list:

access-list 102 permit ip host 10.91.25.1 any log

I thought this would log the information I needed (which IPs and ports host 10.91.25.1 was connecting to). However, the log entries were missing the vital port number, for example:

%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(0) -> 204.11.109.24(0), 9 packets

Note the (0) instead of the port number. I figured that, since this access list never references a port number, the router never tests which port the client is using and so reports 0 as the port number. So I modified my ACL to:

access-list 102 permit tcp host 10.91.25.1 eq 0 any eq 0 log

access-list 102 permit ip host 10.91.25.1 any log

Now that the list contains an entry that matches on ports, the router has to test the port numbers. The first entry (source and destination port 0) in practice matches nothing, so real traffic still hits the second entry, but its log messages now carry the ports. Checking the log confirms it (the packet count is a summary: IOS logs the first matching packet and then periodic totals for that flow):

%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(21916) -> 92.122.216.105(80), 1 packet
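When these messages are shipped to a syslog collector it is worth checking automatically whether the ACL is actually producing port information. The parser below is an added example (not from the original post or from Cisco): it parses IOS %SEC-6-IPACCESSLOGP lines, flags entries where both ports are (0), and reports which lists are logging without Layer 4 inspection. The two sample lines are the ones shown above; the third, the list number 103 and the 192.0.2.0/24 addresses in it are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS %SEC-6-IPACCESSLOGP message (TCP/UDP matches), as seen on this page:
#   %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(0) -> 204.11.109.24(0), 9 packets
# search() rather than match() so a syslog timestamp prefix does not break parsing.
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int

    @property
    def ports_missing(self) -> bool:
        """True when both ports are 0: the ACE matched on 'ip' and the
        router never inspected the Layer 4 header."""
        return self.sport == 0 and self.dport == 0


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one syslog line; return None for anything that is not an IPACCESSLOGP message."""
    m = LOGP_RE.search(line)
    if m is None:
        return None
    return AclLogEntry(
        acl=m["acl"],
        action=m["action"],
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        packets=int(m["count"]),
    )


def audit(lines: List[str]) -> Tuple[List[AclLogEntry], Dict[str, object]]:
    """Parse all lines and summarise how many entries lack port information,
    grouped by access list, so the ACL can be fixed as described above."""
    entries = [e for e in (parse_line(l) for l in lines) if e is not None]
    port_zero = [e for e in entries if e.ports_missing]
    report = {
        "parsed": len(entries),
        "port_zero": len(port_zero),
        "acls_without_l4": sorted({e.acl for e in port_zero}),
    }
    return entries, report


# Sample input: first two lines are from the post, the third is constructed
# (list 103 and the 192.0.2.0/24 documentation range are not from the page).
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(0) -> 204.11.109.24(0), 9 packets",
    "%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.91.25.1(21916) -> 92.122.216.105(80), 1 packet",
    "Mar  1 10:22:05.117: %SEC-6-IPACCESSLOGP: list 103 denied udp 192.0.2.10(51234) -> 192.0.2.53(53), 1 packet",
]

if __name__ == "__main__":
    parsed, summary = audit(SAMPLE_LINES)
    for e in parsed:
        flag = "  <-- no L4 ports" if e.ports_missing else ""
        print(f"list {e.acl} {e.action} {e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} ({e.packets} pkts){flag}")
    print(summary)
```

Running it flags the first line and reports list 102 as logging without Layer 4 detail; after the ACL change above, new messages from the same list parse with real ports and the warning disappears.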

Good to know! 🙂
