Hi jimmy, and others,

A bit of guessing here, but you should be able to verify it.

Could it be that, just like the IPS, the log messages are rate limited and 
escalate to IP level to reduce the number of log messages and thus not 
overload the router / control plane? Just like IPS signatures can be summarized 
to limit the number of events?

I mean, we have the option of rate-limiting the log messages; this could be an 
internal escalation sort of level that stops logging individual packets if there's 
too much logging and escalates to source and destination IP address instead.

You could test it with a router and start to generate more traffic.

Just an idea.

Pieter-Jan

Sent from my iPad

On 8 jul. 2010, at 08:59, Jimmy Larsson <[email protected]> wrote:

> I don't get it. A few minutes later my log entries start to look like this:
> 
> *Jul  8 07:03:40.147: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.51(1645) -> 192.168.1.61(1645), 1 packet
> *Jul  8 07:03:48.483: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.203(17500) -> 255.255.255.255(17500), 1 packet
> 
> And this, the very same outside to inside telnet-attempt as in my last email:
> 
> *Jul  8 07:05:11.691: %SEC-6-IPACCESSLOGP: list FW denied tcp 192.168.1.52(4229) -> 192.168.169.2(23), 1 packet
> 
> Please help me explain why...
> 
> /J
> 
> 2010/7/8 Jimmy Larsson <[email protected]>
> Guys
> 
> How do you guys handle this situation? You have a router with an inbound ACL 
> on the outside interface that is blocking things:
> 
> interface FastEthernet0
>  descr Outside interface
>  ip address 192.168.1.61 255.255.255.0
>  ip access-group FW in
> !
> ip access-list extended FW
>  deny   ip any any log
> !
> 
> No inspection, no ZBFW, nothing. The problem is that the log entry from the 
> access-list doesn't show me enough details of what is being blocked. 
> 
> A few examples:
> 
> Return traffic for outbound RADIUS:
> *Jul  8 06:55:41.035: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.51(0) -> 192.168.1.255(0), 8 packets
> 
> Telnet traffic from outside host to inside router:
> *Jul  8 06:56:56.567: %SEC-6-IPACCESSLOGP: list FW denied tcp 192.168.1.52(0) -> 192.168.169.2(0), 1 packet
> 
> Garbage broadcast from a Windows host on the outside:
> *Jul  8 06:58:41.035: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.50(0) -> 192.168.1.255(0), 11 packets
> 
> How do I find out port details about the blocked traffic so that I can open 
> them up (or not)? I know, it looks different when doing inspections.
> 
> /J
> 
> -- 
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
> 
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
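The thread's practical question is how to get from these denied-traffic log lines to a decision about which flows to open. The script below is an added example, not code from anyone in this thread: it parses %SEC-6-IPACCESSLOGP lines in the format quoted above, aggregates them per protocol/source/destination, records which destination ports were actually observed, and separates out packets that were logged with (0) ports, which carry no layer-4 detail and so cannot be turned into a port-specific ACE on their own. The sample log lines are constructed to mirror the ones in the thread; the regular expression is written from that format and is an assumption about how other IOS releases render the message. The drafted `permit` lines are review candidates for the operator, not something to apply blindly.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the message format quoted in the thread
# (not captured from any real router).
SAMPLE_LOG = """\
*Jul  8 06:55:41.035: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.51(0) -> 192.168.1.255(0), 8 packets
*Jul  8 06:56:56.567: %SEC-6-IPACCESSLOGP: list FW denied tcp 192.168.1.52(0) -> 192.168.169.2(0), 1 packet
*Jul  8 07:03:40.147: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.51(1645) -> 192.168.1.61(1645), 1 packet
*Jul  8 07:03:48.483: %SEC-6-IPACCESSLOGP: list FW denied udp 192.168.1.203(17500) -> 255.255.255.255(17500), 1 packet
*Jul  8 07:05:11.691: %SEC-6-IPACCESSLOGP: list FW denied tcp 192.168.1.52(4229) -> 192.168.169.2(23), 1 packet
"""

# Field layout of %SEC-6-IPACCESSLOGP as it appears in the thread:
# list, action, protocol, src(port) -> dst(port), packet count.
# Assumption: other IOS releases render the message the same way.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "count"):
        d[k] = int(d[k])
    # (0) in both port positions means the entry carries no L4 detail;
    # it cannot be turned into a port-specific ACE by itself.
    d["ports_known"] = not (d["sport"] == 0 and d["dport"] == 0)
    return d


def summarize(text):
    """Aggregate per (proto, src, dst): total packets, destination ports seen,
    and how many packets were logged without port detail."""
    flows = defaultdict(lambda: {"packets": 0, "dports": set(), "no_port_packets": 0})
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # unrelated syslog line
        f = flows[(e["proto"], e["src"], e["dst"])]
        f["packets"] += e["count"]
        if e["ports_known"]:
            f["dports"].add(e["dport"])
        else:
            f["no_port_packets"] += e["count"]
    return dict(flows)


def candidate_aces(flows):
    """Draft host-to-host ACEs for flows whose destination port was observed.
    Flows seen only with (0) ports are reported as needing more data instead
    of guessed."""
    aces, needs_data = [], []
    for (proto, src, dst), f in sorted(flows.items()):
        if f["dports"]:
            for port in sorted(f["dports"]):
                aces.append(f"permit {proto} host {src} host {dst} eq {port}")
        else:
            needs_data.append(
                f"{proto} {src} -> {dst}: {f['no_port_packets']} packets, no port detail"
            )
    return aces, needs_data


if __name__ == "__main__":
    flows = summarize(SAMPLE_LOG)
    aces, needs_data = candidate_aces(flows)
    print("Candidate ACEs for review:")
    print("\n".join(aces))
    print("Flows still lacking port detail:")
    print("\n".join(needs_data))
```

Run against the constructed sample, the tcp 192.168.1.52 -> 192.168.169.2 flow is first seen with (0) ports and later with destination port 23, so it yields one candidate ACE plus a count of one packet that told us nothing about ports; the 8-packet udp flow to 192.168.1.255 never showed a port and is listed for further investigation rather than guessed at.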