Troubleshooting an ACL I have built that's designed to restrict SIP traffic from everyone except a specific host:
ip access-list extended BLOCK_SIP
permit ip host <SIP service provider> host <Adtran IP> log
deny ip any host <Adtran IP> log
permit ip any any
Will the "log" parameter on the permit and deny statements generate a syslog message for matching packets? Or is it limited to use when performing debug commands on the ACL?
Thanks
Mhess,
Thanks for posting! The "log" option is designed to be used with "debug ip access-list <ACL name>". An example from page 28 of Configuring IP Access Control Lists (ACLs) in AOS is shown below.
>enable
#debug access-list HOST
2009.06.09 14:15:03 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
2009.06.09 14:15:13 ACCESS_LIST.HOST permit host 192.168.0.1 log (3 matches)
2009.06.09 14:15:57 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
Therefore, this method is only going to be an option when capturing debug output while connected to the unit with Telnet or SSH. There may be another option, but this will likely generate a lot more Syslog messages than you desire. The following method uses firewall thresholds to send out event messages via Syslog or email notifications and is described starting on page 54 of Configuring the Firewall (IPv4) AOS. Below is an example configuration.
ip firewall policy-log threshold 1
!
event-history on
logging forwarding on
logging facility local0
logging forwarding priority-level info
logging forwarding receiver-ip <syslog server IP address>
This information could then be searched for key phrases such as "No Access Policy matched".
Thanks!
David
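An added example (not from the post or from ADTRAN): a small Python script that parses the "debug access-list" output format shown in David's reply, totals hits per ACL entry, and scans syslog lines for the key phrase he suggests searching for. The BLOCK_SIP deny line, the 203.0.113.10 placeholder address and the syslog message layout are constructed assumptions, not documented AOS output.

```python
import re
from collections import defaultdict

# First three lines copied from the post; the fourth is a constructed deny
# entry echoing the BLOCK_SIP ACL, with 203.0.113.10 as a placeholder Adtran IP.
DEBUG_OUTPUT = """\
2009.06.09 14:15:03 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
2009.06.09 14:15:13 ACCESS_LIST.HOST permit host 192.168.0.1 log (3 matches)
2009.06.09 14:15:57 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
2009.06.09 14:16:02 ACCESS_LIST.BLOCK_SIP deny ip any host 203.0.113.10 log (2 matches)
"""

# Constructed syslog lines: only the key phrase comes from the post, the
# surrounding message layout is an assumption.
SYSLOG_LINES = [
    "<134>Jun  9 14:20:01 adtran FIREWALL: No Access Policy matched, dropping packet",
    "<134>Jun  9 14:20:05 adtran SYSTEM: configuration saved",
    "<134>Jun  9 14:20:09 adtran FIREWALL: No Access Policy matched, dropping packet",
]

DEBUG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ACCESS_LIST\.(?P<acl>\S+) (?P<action>permit|deny) "
    r"(?P<entry>.+?) log \((?P<n>\d+) matches\)$"
)

def parse_debug(text):
    """Turn each 'debug access-list' line into a dict; skip non-matching lines."""
    records = []
    for line in text.splitlines():
        m = DEBUG_RE.match(line.strip())
        if m:
            records.append({**m.groupdict(), "n": int(m.group("n"))})
    return records

def match_totals(records):
    """Sum hit counts per (ACL, action, entry) over the captured debug window."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["acl"], r["action"], r["entry"])] += r["n"]
    return dict(totals)

def denied_hits(records):
    """Total packets that hit a deny entry, i.e. the blocked SIP attempts."""
    return sum(r["n"] for r in records if r["action"] == "deny")

def policy_misses(lines, phrase="No Access Policy matched"):
    """Return the syslog lines carrying the key phrase from the reply."""
    return [l for l in lines if phrase in l]
```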
Mhess,
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
David