Fun with IOS Access-lists

Posted February 18th, 2008 by bcarroll and filed in CCIE Security

Ok so tonight I was playing around with some options available in ACLs.  Here is something that I find to be very cool.  By combining the log keywords with a port operator on an ACL entry you can see exactly which ports are being permitted or denied, not just which addresses.  Here is what I mean.

The access-list looks like this:

Rack2R4(config-ext-nacl)#do sh access-l
Extended IP access list 100
    10 permit tcp any any log-input (43 matches)
    20 permit udp any any log-input
    30 permit ip any any (13 matches)

Because entries 10 and 20 use log-input, a show logging shows the source IP, destination IP, ingress interface and source MAC for each match.  Notice that both port fields read (0): the entry matches any port, so IOS does not report the real ones.

Rack2R4(config-ext-nacl)#do sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 75 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 47 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 103 message lines logged


Log Buffer (4096 bytes):
(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.684: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.700: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.700: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.704: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:07.712: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:08.733: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.030: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.038: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.302: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.627: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:37:09.831: %SEC-6-IPACCESSLOGP: list 100 permitted tcp
150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet

…but with a slight modification to the list, replacing entry 10 with one that matches on a port range, as follows:

Rack2R4(config-ext-nacl)#no 10  permit tcp any any log-input
Rack2R4(config-ext-nacl)#10 permit tcp any any range 1 65535 log
Rack2R4(config-ext-nacl)#

After generating TCP traffic (a telnet from 150.2.14.1 to 150.2.4.4 here) the log now carries the real source and destination ports, because the entry matches on ports.  Notice that the ingress interface and MAC are gone: the new entry uses log rather than log-input.  Using range 1 65535 log-input instead keeps both in the same message.  Keep in mind that the router has to punt matching packets to the CPU to generate these messages and rate-limits them, so a logged permit any any is for the lab, not for a busy production interface.

Rack2R4(config-ext-nacl)#do sh logg
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 75 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 47 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 103 message lines logged

Log Buffer (4096 bytes):
*Mar  1 01:39:56.893: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.097: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.927: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.131: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.147: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.307: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.452: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.608: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.736: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:58.740: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:40:00.114: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11003) -> 150.2.4.4(23), 1 packet
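Once these messages land on a syslog server you will want to parse them rather than read them by eye.  The following is an added example, not code from the original post: a small parser for the %SEC-6-IPACCESSLOGP message that handles both variants shown above (the log-input form with interface and MAC, and the plain log form with real ports), aggregates packet counts per flow, and flags "port-blind" records where both ports are 0 because the entry had no port operator.  The sample input reuses lines from the two outputs above (the wrapped first-format line re-joined onto one line) plus one constructed denied line; the function names are my own.

```python
"""Parse Cisco IOS %SEC-6-IPACCESSLOGP syslog lines (added example).

Only the TCP/UDP message variant (IPACCESSLOGP) is handled; ICMP and other
protocols use different message IDs and a different body layout.
"""
import re
from collections import Counter

# Message body. The "(interface mac)" group is only present when the ACE
# was configured with log-input rather than log.
_ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: lines from the post (first one re-joined after terminal
# wrapping) plus one made-up "denied ... 3 packets" line at the end.
SAMPLE_LOG = """\
*Mar  1 01:37:07.684: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(0) (Ethernet0/1 0002.4b51.7c00) -> 150.2.4.4(0), 1 packet
*Mar  1 01:39:56.893: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:39:57.097: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11002) -> 150.2.4.4(23), 1 packet
*Mar  1 01:40:00.114: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 150.2.14.1(11003) -> 150.2.4.4(23), 1 packet
*Mar  1 01:41:12.000: %SEC-6-IPACCESSLOGP: list 100 denied tcp 150.2.14.1(11004) -> 150.2.4.4(22), 3 packets
"""


def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if it is not one."""
    m = _ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    # Both ports 0 on a TCP/UDP entry means the ACE had no port operator:
    # the router never reported the transport ports, they are unknown,
    # not literally zero.
    rec["port_blind"] = (
        rec["proto"] in ("tcp", "udp") and rec["sport"] == 0 and rec["dport"] == 0
    )
    return rec


def summarize(text):
    """Aggregate packet counts per (acl, action, proto, src, dst, dport).

    Returns (flows, port_blind): flows is a Counter keyed by that tuple,
    port_blind is the list of records whose ports could not be trusted.
    The source port is deliberately left out of the key since it is
    ephemeral and would split one session into many flows.
    """
    flows = Counter()
    port_blind = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["port_blind"]:
            port_blind.append(rec)
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
        flows[key] += rec["count"]
    return flows, port_blind


if __name__ == "__main__":
    flows, blind = summarize(SAMPLE_LOG)
    for (acl, action, proto, src, dst, dport), pkts in flows.most_common():
        print(f"list {acl} {action} {proto} {src} -> {dst}:{dport}  {pkts} packets")
    for rec in blind:
        print(f"port-blind entry on {rec['intf']} from {rec['mac']}: "
              f"fix ACL {rec['acl']} with a port operator to get ports logged")
```

The port-blind check is the practical takeaway: if your syslog search for port 23 or 22 comes back empty while the ACL counters keep climbing, look for (0) in the messages before concluding the traffic is not there.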

Pretty cool stuff, huh?  Yeah, it made my night.  Now what can I use this for….hmm.
