Johan, ip inspect log drop-pkt is a very good option for both ZFW and CBAC. With CBAC, you can have deny ip any any log configured at the end. Ensure that you have suitable logging configured.

For telnet, terminal monitor and logging monitor should be configured. With console, logging console should be configured.

With regards
Kings

On Mon, Jun 14, 2010 at 10:56 PM, Johan Bornman <[email protected]> wrote:
> Thanks, Kings.
>
> I think what I am asking for is an acl that can be used to quickly determine
> which packets are blocked/denied so that they can be allowed.
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* 14 June 2010 07:18 PM
> *To:* Johan Bornman
> *Cc:* OSL Security
> *Subject:* Re: [OSL | CCIE_Security] IOS Firewalls
>
> Hi Johan
>
> The tasks will mostly hint to you what should be allowed. The FW configuration
> will be section 2.0, which is ahead of almost all tasks, and at that time
> mostly you may need to allow the routing protocols.
>
> As you start other tasks after section 2.0, you need to open the FW. For
> example, if the IOS FW is on the way to the AAA server you may need to open TACACS
> or RADIUS.
>
> But mostly you may need to open on the ASA. The ASA is always put in
> between IPSec, AAA servers, ntp etc.
>
> If you are aware of the topology, it will strike you.
>
> With regards
> Kings
>
> On Mon, Jun 14, 2010 at 9:57 PM, Johan Bornman <[email protected]> wrote:
>
> Hi,
>
> What is the best or quickest way to check if I am blocking anything I
> should not be blocking after configuring IOS firewalls and filtering?
>
> Thanks
>
> Johan
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
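The advice in the thread (a trailing "deny ip any any log" on the CBAC ACL, "ip inspect log drop-pkt", and logging sent to the terminal or console) produces a stream of syslog lines that still has to be read by hand. The script below is an added example, not code from the thread or from Cisco: it reads that syslog text and aggregates the denied and dropped packets per protocol and destination port, so the flows that the lab tasks actually require can be spotted and permitted deliberately. The sample lines are constructed in the shape of the IOS %SEC-6-IPACCESSLOG* and %FW-6-DROP_PKT messages; the exact wording varies between IOS releases, so check the regexes against the output of your own router before trusting the counts.

```python
"""Summarise packets denied by an IOS ACL or dropped by CBAC/ZFW from syslog text.

Added example, not from the mailing-list thread. It assumes the router has
`deny ip any any log` at the end of the ACL and/or `ip inspect log drop-pkt`
configured, and that the log text has been collected (syslog file, or the
output of `show logging` pasted into a file).
"""
import re
from collections import Counter

# Message shapes (constructed here from the documented IOS formats; verify on your platform):
# %SEC-6-IPACCESSLOGP:  list 101 denied tcp 10.1.1.10(33521) -> 10.2.2.5(49), 1 packet
ACL_PORTS = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)
# %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.10 -> 10.2.2.5 (8/0), 2 packets
ACL_ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) denied icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)
# %SEC-6-IPACCESSLOGNP: list 101 denied 89 10.1.1.1 -> 224.0.0.5, 1 packet  (non-port protocol, e.g. OSPF)
ACL_OTHER = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<count>\d+) packets?"
)
# %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
ACL_RATELIMIT = re.compile(r"%SEC-6-IPACCESSLOGRL: .*?missed (?P<missed>\d+) packets?")
# %FW-6-DROP_PKT: Dropping tcp pkt 10.1.1.10:33522 => 10.2.2.5:49 with ip ident 0
FW_DROP = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log (a lab router blocking TACACS+, RADIUS, OSPF and ping).
SAMPLE_LOG = """\
*Jun 14 19:05:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.10(33521) -> 10.2.2.5(49), 1 packet
*Jun 14 19:05:02.456: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.1.10(1645) -> 10.2.2.5(1812), 3 packets
*Jun 14 19:05:03.789: %SEC-6-IPACCESSLOGNP: list 101 denied 89 10.1.1.1 -> 224.0.0.5, 1 packet
*Jun 14 19:05:04.000: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.10 -> 10.2.2.5 (8/0), 2 packets
*Jun 14 19:05:05.000: %FW-6-DROP_PKT: Dropping tcp pkt 10.1.1.10:33522 => 10.2.2.5:49 with ip ident 0
*Jun 14 19:05:06.000: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 5 packets
*Jun 14 19:05:07.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.10(33523) -> 10.2.2.5(49), 4 packets
"""


def summarize(log_text):
    """Return (flows, missed): flows is a Counter keyed by
    (origin, protocol, destination, dport); missed is how many packets the
    ACL logger admitted it rate-limited away, so the counts are a floor."""
    flows = Counter()
    missed = 0
    for line in log_text.splitlines():
        m = ACL_PORTS.search(line)
        if m:
            flows[("acl " + m["acl"], m["proto"], m["dst"], m["dport"])] += int(m["count"])
            continue
        m = ACL_ICMP.search(line)
        if m:
            key = ("acl " + m["acl"], "icmp", m["dst"], f"type {m['type']}/{m['code']}")
            flows[key] += int(m["count"])
            continue
        m = ACL_OTHER.search(line)
        if m:
            flows[("acl " + m["acl"], m["proto"], m["dst"], "-")] += int(m["count"])
            continue
        m = FW_DROP.search(line)
        if m:
            # CBAC drop messages are per packet, so each line counts once.
            flows[("cbac", m["proto"], m["dst"], m["dport"])] += 1
            continue
        m = ACL_RATELIMIT.search(line)
        if m:
            missed += int(m["missed"])
    return flows, missed


def report(log_text):
    """Human-readable summary, busiest blocked flow first."""
    flows, missed = summarize(log_text)
    lines = [f"{n:5d}  {origin:8s} {proto:5s} -> {dst}:{dport}"
             for (origin, proto, dst, dport), n in flows.most_common()]
    if missed:
        lines.append(f"(ACL logger rate-limited {missed} more packets; counts are a lower bound)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Each summary line names the protocol and destination port of a blocked flow, which is exactly what the permit statement or inspect rule has to be written against. The rate-limit line matters: IOS throttles ACL logging, so a flow that shows a low count in the report may in fact be carrying most of the traffic, and the report only shows what was logged, not what was dropped.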
