
26 Aug 14 Cisco IOS ACL logging with Port numbers

Cisco IOS logging with source and destination ports

Recently I had to do some troubleshooting on a Cisco 2911 router to find out whether traffic was getting from one IP address to another. So I did the usual: created an extended access list with a logging entry and applied it to the interface, like this:

ip access-list extended test
permit ip any any log
!
interface gi0/0
ip access-group test in
end

That worked, and I was seeing the traffic in the logs, but what I also needed to know was the source and destination port numbers. The configuration above was giving me the following:
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet
As you can see, instead of the port numbers I was just getting a "0" in each set of parentheses. The reason is that IOS only puts Layer 4 port numbers into the log message when the matching access list entry itself has ports listed: an entry written for protocol ip, like the one above, logs (0) for both ports, because the router never looked at them when it matched the packet. The fix is to make the entry match on tcp with a port operator. One caveat before pasting this on a production interface: an extended ACL ends with an implicit deny any any, so an access list that contains only the narrow entry below will drop every packet it does not match, including all non-TCP traffic and any TCP traffic using a well-known port; add a trailing permit ip any any (with or without log) if you only mean to watch the traffic rather than filter it. So here is what I did to get it working:

ip access-list extended test
! the gt 1024 port operators are what make IOS include the ports in the log
permit tcp any gt 1024 any gt 1024 log
!
interface gi0/0
ip access-group test in
end

When I did that I got the following results 🙂
Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 1 packet
Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9052) -> 10.202.106.15(39817), 1 packet
Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9055) -> 10.202.106.15(12302), 1 packet
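
As an added example (not from the original post), here is a small Python parser for the %SEC-6-IPACCESSLOGP lines above. It pulls out the list name, action, protocol, addresses, ports and packet count, treats the (0) ports produced by an entry without a port operator as "unknown" rather than as a real port 0, skips lines that are not ACL log messages, and totals packets per flow so you can see where the traffic is actually going. SAMPLE_LINES is constructed: it is the lines from this post plus a multi-packet entry, a denied UDP entry and an unrelated syslog line to show those cases being handled. The regular expression targets the message format shown here and does not try to cover other variants of the message.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Matches the %SEC-6-IPACCESSLOGP message format shown in the post (tcp/udp entries).
# Other variants of the message are not handled and simply fail to parse.
LOGP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


@dataclass
class AclLogEntry:
    timestamp: str
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None when the router logged (0): the ACE had no port operator
    dst: str
    dport: Optional[int]
    packets: int

    @property
    def has_ports(self) -> bool:
        return self.sport is not None and self.dport is not None


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Parse one IPACCESSLOGP line; return None for anything else."""
    m = LOGP_RE.match(line.strip())
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    # IOS writes (0) for both ports when the matching ACE did not list
    # Layer 4 ports (e.g. "permit ip any any log"). 0 is not a usable port
    # number here, so record it as "unknown" instead of a real port.
    return AclLogEntry(
        timestamp=m["ts"], acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=sport or None,
        dst=m["dst"], dport=dport or None,
        packets=int(m["count"]),
    )


def summarize(lines):
    """Total packets per (action, proto, src, dst, dport) and count entries without ports."""
    flows = Counter()
    portless = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue          # not an ACL log line we understand
        if not entry.has_ports:
            portless += 1     # no port information: the ACE needs a port operator
            continue
        flows[(entry.action, entry.proto, entry.src, entry.dst, entry.dport)] += entry.packets
    return flows, portless


# Constructed sample: the lines from the post plus a multi-packet entry,
# a denied UDP entry and an unrelated syslog line.
SAMPLE_LINES = [
    "Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet",
    "Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet",
    "Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(0) -> 10.202.106.15(0), 1 packet",
    "Aug 25 08:24:28.608: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9053) -> 10.202.106.15(12302), 1 packet",
    "Aug 25 08:24:29.612: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9052) -> 10.202.106.15(39817), 1 packet",
    "Aug 25 08:24:30.700: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9055) -> 10.202.106.15(12302), 1 packet",
    "Aug 25 08:24:35.900: %SEC-6-IPACCESSLOGP: list test permitted tcp 172.20.32.200(9056) -> 10.202.106.15(12302), 5 packets",
    "Aug 25 08:24:36.010: %SEC-6-IPACCESSLOGP: list test denied udp 172.20.32.200(53211) -> 10.202.106.15(161), 1 packet",
    "Aug 25 08:24:37.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    flows, portless = summarize(SAMPLE_LINES)
    print(f"{portless} entries logged without ports (ACE had no Layer 4 port operator)")
    for (action, proto, src, dst, dport), pkts in flows.most_common():
        print(f"{action:9} {proto} {src} -> {dst}:{dport}  {pkts} packets")
```

Feed it the output of `show logging` or your syslog collector's file instead of SAMPLE_LINES; a high "without ports" count is the signal that the logging entry still matches on ip rather than on tcp/udp with ports.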
