mhess
New Contributor

Use of "log" parameter in permit/deny ACL statements

Troubleshooting an ACL I have built that's designed to restrict SIP traffic from everyone except a specific host:

ip access-list extended BLOCK_SIP
  permit ip host <SIP service provider>  host <Adtran IP>  log
  deny   ip any  host <Adtran IP>  log
  permit ip any  any

Will the "log" parameter on the permit and deny statements generate a syslog message for matching packets?  Or is it limited to use when performing debug commands on the ACL?

Thanks

Accepted Solutions
Anonymous
Not applicable

Re: Use of "log" parameter in permit/deny ACL statements

Mhess,

Thanks for posting!  The "log" option is designed to be used with "debug ip access-list <ACL name>".  An example from page 28 of Configuring IP Access Control Lists (ACLs) in AOS is shown below.

>enable
#debug access-list HOST
2009.06.09 14:15:03 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
2009.06.09 14:15:13 ACCESS_LIST.HOST permit host 192.168.0.1 log (3 matches)
2009.06.09 14:15:57 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)

Therefore, this method is only going to be an option when capturing debug output while connected to the unit with Telnet or SSH.  There may be another option, but this will likely generate a lot more Syslog messages than you desire.  The following method uses firewall thresholds to send out event messages via Syslog or email notifications and is described starting on page 54 of Configuring the Firewall (IPv4) AOS.  Below is an example configuration.

ip firewall policy-log threshold 1
!
event-history on
logging forwarding on
logging facility local0
logging forwarding priority-level info
logging forwarding receiver-ip <syslog server IP address>

This information could then be searched for key phrases such as "No Access Policy matched".

Thanks!

David
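As an added example (not from this thread, Adtran, or AOS itself), here is a small Python parser for the "debug access-list" line format quoted above. It totals the reported matches per ACL entry and lists the sources that hit a deny entry, which is the question a defender has when the BLOCK_SIP list fires. The sample lines are constructed; the format of deny lines is assumed to mirror the permit lines shown in the answer.

```python
import re
from collections import defaultdict

# Constructed sample of AOS "debug access-list" output, in the line format
# quoted in the answer above. The deny lines are an assumption: they are
# written to mirror the permit-line format and were not captured from a unit.
SAMPLE_DEBUG_OUTPUT = """\
2009.06.09 14:15:03 ACCESS_LIST.BLOCK_SIP permit host 203.0.113.10 log (1 matches)
2009.06.09 14:15:13 ACCESS_LIST.BLOCK_SIP deny host 198.51.100.7 log (3 matches)
2009.06.09 14:15:57 ACCESS_LIST.BLOCK_SIP deny host 198.51.100.7 log (1 matches)
2009.06.09 14:16:02 ACCESS_LIST.BLOCK_SIP deny host 192.0.2.44 log (2 matches)
2009.06.09 14:16:30 some unrelated console noise
"""

# One debug line: date, time, ACL name, action, matched host, match count.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"ACCESS_LIST\.(?P<acl>\S+) (?P<action>permit|deny) host (?P<host>\S+) "
    r"log \((?P<matches>\d+) matches\)$"
)

def parse_line(line):
    """Return a dict for one debug line, or None if the line is not ACL output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["matches"] = int(rec["matches"])
    return rec

def summarize(text):
    """Aggregate match counts per (acl, action, host) across all lines."""
    totals = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            totals[(rec["acl"], rec["action"], rec["host"])] += rec["matches"]
    return dict(totals)

def denied_hosts(text, acl):
    """Hosts that hit a deny entry of `acl`, as (host, total) pairs, most matches first."""
    totals = summarize(text)
    hits = [(host, n) for (a, act, host), n in totals.items() if a == acl and act == "deny"]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for host, n in denied_hosts(SAMPLE_DEBUG_OUTPUT, "BLOCK_SIP"):
        print(f"{host}: {n} denied packets")
```

Feed it the captured Telnet/SSH session instead of the constructed sample to see which hosts are being refused by the deny entry.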


Anonymous
Not applicable

Re: Use of "log" parameter in permit/deny ACL statements

Mhess,

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

David