2 Replies Latest reply on Apr 26, 2013 12:47 PM by david

    Use of "log" parameter in permit/deny ACL statements

    mhess New Member

      Troubleshooting an ACL I have built that's designed to restrict SIP traffic from everyone except a specific host:

      ip access-list extended BLOCK_SIP
        permit ip host <SIP service provider>  host <Adtran IP>  log
        deny   ip any  host <Adtran IP>  log
        permit ip any  any

      Will the "log" parameter on the permit and deny statements generate a syslog message for matching packets?  Or is it limited to use when performing debug commands on the ACL?

      Thanks

        • Re: Use of "log" parameter in permit/deny ACL statements
          david Employee

          Mhess,


          Thanks for posting!  The "log" option is designed to be used with "debug ip access-list <ACL name>".  An example from page 28 of Configuring IP Access Control Lists (ACLs) in AOS is shown below.

          >enable
          #debug access-list HOST
          2009.06.09 14:15:03 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)
          2009.06.09 14:15:13 ACCESS_LIST.HOST permit host 192.168.0.1 log (3 matches)
          2009.06.09 14:15:57 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)

          Therefore, this method is only going to be an option when capturing debug output while connected to the unit with Telnet or SSH.  There may be another option, but this will likely generate a lot more Syslog messages than you desire.  The following method uses firewall thresholds to send out event messages via Syslog or email notifications and is described starting on page 54 of Configuring the Firewall (IPv4) AOS.  Below is an example configuration.

          ip firewall policy-log threshold 1
          !
          event-history on
          logging forwarding on
          logging facility local0
          logging forwarding priority-level info
          logging forwarding receiver-ip <syslog server IP address>

          This information could then be searched for key phrases such as "No Access Policy matched".


          Thanks!

          David
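An added example, not part of the original thread or of AOS itself: a small Python script that totals the per-rule match counts from captured "debug access-list" output in the format shown above, and pulls the "No Access Policy matched" lines out of forwarded syslog. The debug line layout follows the post; the syslog sample line and its prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Debug line layout as it appears in the post's "debug access-list HOST" capture:
#   <yyyy.mm.dd hh:mm:ss> ACCESS_LIST.<acl> <permit|deny> <match text> log (<n> matches)
DEBUG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"ACCESS_LIST\.(?P<acl>\S+) (?P<action>permit|deny) "
    r"(?P<match>.+?) log \((?P<count>\d+) matches\)$"
)


def summarize_acl_debug(lines):
    """Sum the match counts per (ACL name, action, match text).

    Lines that do not fit the debug layout (prompts, other output) are skipped.
    """
    totals = defaultdict(int)
    for line in lines:
        m = DEBUG_RE.match(line.strip())
        if m:
            totals[(m["acl"], m["action"], m["match"])] += int(m["count"])
    return dict(totals)


def find_policy_misses(lines, phrase="No Access Policy matched"):
    """Return the forwarded syslog lines that carry the firewall policy-miss text."""
    return [line for line in lines if phrase in line]


# Sample debug capture: the three lines from the post plus the prompts around them.
SAMPLE_DEBUG = [
    ">enable",
    "#debug access-list HOST",
    "2009.06.09 14:15:03 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)",
    "2009.06.09 14:15:13 ACCESS_LIST.HOST permit host 192.168.0.1 log (3 matches)",
    "2009.06.09 14:15:57 ACCESS_LIST.HOST permit host 192.168.0.1 log (1 matches)",
]

# Constructed syslog sample; the prefix and wording around the key phrase are assumed.
SAMPLE_SYSLOG = [
    "<134>Apr 26 12:40:01 adtran-router FIREWALL: No Access Policy matched for 203.0.113.7",
    "<134>Apr 26 12:40:02 adtran-router LOGIN: user admin logged in via ssh",
]

if __name__ == "__main__":
    for key, count in summarize_acl_debug(SAMPLE_DEBUG).items():
        print(key, count)
    for line in find_policy_misses(SAMPLE_SYSLOG):
        print(line)
```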

          • Re: Use of "log" parameter in permit/deny ACL statements
            david Employee

            Mhess,


            I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


            Thanks,

            David