Firewall Wizards mailing list archives

RE: Problems logging deny's on Cisco Routers?


From: "Manson, Jim" <MANSO001 () dcri duke edu>
Date: Thu, 22 Apr 2004 16:21:00 -0400

Scott,

I know this is a late post, and you may have resolved this already, but try
adding a port range:

deny ip any any range 0 65535 log

Jim

Jim Manson
Network Engineer
Information Security Officer
Duke Clinical Research Institute
919-668-8833

-----Original Message-----
From: Scott C. Kennedy [mailto:sck () nogas org] 
Sent: Monday, March 08, 2004 3:21 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Problems logging deny's on Cisco Routers?

Has anyone else seen problems logging on Cisco Routers for deny ACLs?

I've been using Routers with ACLs for years and have never had problems for
those sites too small or too diverse to use actual firewall devices. Yet,
now I have a problem with a site that is using Cisco routers with 'extended'
ACLs yet, the final line 'deny ip any any log' is not logging all the
information.

In tests with NMap for the first 1,024 ports, the router only logs 30% of
the UDP ports scanned and only 1% of the TCP ports scanned. This was a
standard NMap full-TCP connect scan, with no odd flags.

So, what gives? Is this normal for Cisco Routers to not keep accurate logs
of denied packets? If so, then how are you supposed to support ACLs on
these devices without accurate logs? I'd expect some log drops under high
stress, but these routers are barely putting 1 mb/s of traffic through them,
and are less than 5% CPU busy, thus they should be able to provide higher
than 1% accuracy.

Scott
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
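A check worth running before concluding that a router drops ACL log entries (an added example, not part of either message above): IOS does not emit one syslog line per denied packet. The first packet that matches an ACE carrying `log` produces a message right away, and further matches on the same flow are counted and reported in a summary message at the end of a five-minute interval, with the total in the trailing `N packets` field. Counting log lines therefore undercounts denied packets; the packet counts have to be summed. The script below parses `%SEC-6-IPACCESSLOGP` lines and reports both numbers. The sample lines are constructed, not taken from the thread, and the regex only covers the TCP/UDP message format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP format.
# They are not taken from the thread; the first three are "first packet"
# messages, the last two are the 5-minute summaries for two of those flows.
SAMPLE_LOG = """\
Mar  8 15:21:02 rtr1 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40001) -> 198.51.100.5(22), 1 packet
Mar  8 15:21:02 rtr1 1235: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40002) -> 198.51.100.5(23), 1 packet
Mar  8 15:21:03 rtr1 1236: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(40003) -> 198.51.100.5(53), 1 packet
Mar  8 15:26:02 rtr1 1240: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40001) -> 198.51.100.5(22), 412 packets
Mar  8 15:26:02 rtr1 1241: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(40003) -> 198.51.100.5(53), 37 packets
"""

# Matches the TCP/UDP variant of the ACL log message. ICMP (IPACCESSLOGDP) and
# other protocols (IPACCESSLOGNP) use slightly different formats and are skipped.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Parse IPACCESSLOGP lines into dicts. The 'count' field is the packet
    total the router reports for that flow in this message, not always 1."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sport", "dport", "count"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize_denies(events):
    """Compare the naive metric (number of deny log lines) with the real one
    (sum of the reported packet counts), broken down per protocol/dest port."""
    by_port = defaultdict(int)
    lines = 0
    packets = 0
    for ev in events:
        if ev["action"] != "denied":
            continue
        lines += 1
        packets += ev["count"]
        by_port[(ev["proto"], ev["dport"])] += ev["count"]
    return {"log_lines": lines, "denied_packets": packets, "by_port": dict(by_port)}


if __name__ == "__main__":
    summary = summarize_denies(parse_acl_log(SAMPLE_LOG))
    print(f"deny log lines: {summary['log_lines']}, "
          f"denied packets: {summary['denied_packets']}")
    for (proto, port), n in sorted(summary["by_port"].items()):
        print(f"  {proto}/{port}: {n} packets")
```

On the constructed input the router wrote five lines but reported 452 denied packets, which is the figure to compare against what the scanner actually sent.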