Logging and acl logging LAB.

The objectives of this lab are:
-Enable remote logging.
-Configure an ACL with logging.
-Send the logs and verify that they arrive.

Topology:

Configs:

R1
!
hostname R1
!
ip dhcp pool LAN
network 144.1.1.0 255.255.255.0
default-router 144.1.1.1
dns-server 144.1.1.254
domain-name friskbo.com
lease 7
!
interface FastEthernet0/0
ip address 144.1.1.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
!
router eigrp 1
network 144.1.0.0
network 192.168.1.0
no auto-summary
!

R2
!
hostname R2
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip access-group test in
!
interface FastEthernet0/1
ip address 144.1.20.1 255.255.255.0
!
interface FastEthernet1/0
ip address dhcp
!
router eigrp 1
network 144.1.0.0
network 192.168.1.0
no auto-summary
!
ip access-list extended test
deny icmp host 144.1.1.2 144.1.20.0 0.0.0.255 log-input attack!
permit ip any any
!
logging trap debugging
logging 172.22.30.201
!

Walkthrough:
-First I configured logging trap debugging on R2, which enables remote logging to a syslog server of debugging messages (severity level 7) and numerically lower levels. In other words, every message of the following form whose severity field is 7 or a lower number:

seq no:timestamp: %facility-severity-MNEMONIC:description

will be sent to the syslog server.

-Then I declared the IP address of the syslog server (logging 172.22.30.201).
I also created an ACL with logging. By default, the first packet that matches the log-enabled statement of the ACL generates a syslog message (shown further down). The ACL is:

ip access-list extended test
deny icmp host 144.1.1.2 144.1.20.0 0.0.0.255 log-input attack!
permit ip any any

(The log-input option enables logging of the ingress interface and source MAC address in addition to the packet's source and destination IP addresses and ports. attack! is a tag that can be appended to the message.)
(If the log-enabled ACE matches another packet with identical characteristics to the packet that generated a log message, the number of packets matched is incremented and then reported at five-minute intervals. Similarly, if any log-enabled ACE in any ACL on any interface matches a packet within one second of the initial log message, the match or matches are counted for five minutes and then reported. These periodic updates contain the number of packets matched since the previous message.)

To hit the ACL I pinged 144.1.20.1 from PC1:

PC1> ping 144.1.20.1
*192.168.1.2 icmp_seq=1 ttl=254 time=62.400 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.2 icmp_seq=2 ttl=254 time=62.400 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.2 icmp_seq=3 ttl=254 time=62.400 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.2 icmp_seq=4 ttl=254 time=46.800 ms (ICMP type:3, code:13, Communication administratively prohibited)
*192.168.1.2 icmp_seq=5 ttl=254 time=62.400 ms (ICMP type:3, code:13, Communication administratively prohibited)

The message generated on R2 by the ACL is the following:

*May 15 17:23:24.051: %SEC-6-IPACCESSLOGDP: list test denied icmp 144.1.1.2 (FastEthernet0/0 ca01.1590.0006) -> 144.1.20.1 (0/0), 4 packets [attack!]

To confirm that this message was sent to the server, the following can be seen on the syslog server:

Note 1: The MAC address ca01.1590.0006 belongs to Fa0/1 on R1.

Note 2: If I did not want the logs generated by the ACL to be sent to the remote server, I could lower the logging level (the ACL messages are severity 6, informational, so a trap level of 5 or lower keeps them off the server):

logging trap notifications (or lower)

Note 3: The ip access-list log-update threshold threshold-in-msgs and ipv6 access-list log-update threshold threshold-in-msgs commands can be used to configure how often syslog messages are generated and sent after the initial packet match. These commands use a threshold described as a number of packets, not as a time interval.
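As an added example that is not part of the original lab write-up, the following Python script (mine, not the author's) does on the receiving side what the two preceding notes describe on the router: it splits IOS log lines into the %facility-severity-MNEMONIC header, applies the same rule as logging trap (a message is forwarded when its severity number is at or below the configured level), and parses the %SEC-6-IPACCESSLOGDP body that R2 produced, including the ingress interface and MAC that log-input adds and the attack! tag, so the initial match and the five-minute updates can be summed per source. The first sample line is R2's message from this lab; the other three lines, and the IPACCESSLOGP (tcp/udp) variant of the body format, are constructed for the example from the documented IOS message layout and are not taken from this lab.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Severity names accepted by "logging trap <level>", mapped to the number in the
# %FACILITY-SEVERITY-MNEMONIC header of every IOS message.
SEVERITY_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                   "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Optional sequence number and datetime timestamp, then the standard header.
SYSLOG_RE = re.compile(
    r"^(?:\d+:\s*)?(?:\*?(?P<timestamp>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+(?:\s+[A-Za-z]+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)$")

# Body of IPACCESSLOGDP (icmp) and IPACCESSLOGP (tcp/udp) messages. "(interface mac)"
# is present only with log-input; after the destination comes "(type/code)" for icmp
# and "(port)" for tcp/udp; the trailing "[tag]" is the word given after log-input.
ACL_LOG_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ingress_if>\S+) (?P<src_mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?: \((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\)|\((?P<dport>\d+)\))?"
    r", (?P<count>\d+) packets?(?: \[(?P<tag>[^\]]*)\])?$")

@dataclass
class SyslogMessage:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str

@dataclass
class AclLogEvent:
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    count: int
    ingress_if: Optional[str]  # only with log-input
    src_mac: Optional[str]     # only with log-input
    tag: Optional[str]

def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Split an IOS log line into its header fields; None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(m["timestamp"], m["facility"], int(m["severity"]),
                         m["mnemonic"], m["description"])

def is_forwarded(msg: SyslogMessage, trap_level: str) -> bool:
    """True if 'logging trap <trap_level>' sends msg to the server: the configured
    level and every numerically lower (more severe) level are forwarded."""
    return msg.severity <= SEVERITY_LEVELS[trap_level]

def parse_acl_log(msg: SyslogMessage) -> Optional[AclLogEvent]:
    """Extract the match details from a %SEC-6-IPACCESSLOG* message."""
    if msg.facility != "SEC" or not msg.mnemonic.startswith("IPACCESSLOG"):
        return None
    m = ACL_LOG_RE.match(msg.description)
    if m is None:
        return None
    return AclLogEvent(m["acl"], m["action"], m["proto"], m["src"], m["dst"],
                       int(m["count"]), m["ingress_if"], m["src_mac"], m["tag"])

def denied_packets_by_source(lines, trap_level: str) -> dict:
    """Total denied packets per (ACL, source IP), summing the initial match and the
    five-minute updates, over the messages the server receives at trap_level."""
    totals: dict = {}
    for line in lines:
        msg = parse_syslog(line)
        if msg is None or not is_forwarded(msg, trap_level):
            continue
        ev = parse_acl_log(msg)
        if ev is None or ev.action != "denied":
            continue
        totals[(ev.acl, ev.src)] = totals.get((ev.acl, ev.src), 0) + ev.count
    return totals

# Sample input: the first line is the message R2 logged in the lab; the rest are
# constructed (the tcp line assumes an extra log-enabled "deny tcp" ACE without
# log-input, which the lab's ACL does not have).
SAMPLE_LINES = [
    "*May 15 17:23:24.051: %SEC-6-IPACCESSLOGDP: list test denied icmp 144.1.1.2 (FastEthernet0/0 ca01.1590.0006) -> 144.1.20.1 (0/0), 4 packets [attack!]",
    "*May 15 17:28:24.051: %SEC-6-IPACCESSLOGDP: list test denied icmp 144.1.1.2 (FastEthernet0/0 ca01.1590.0006) -> 144.1.20.1 (0/0), 10 packets [attack!]",
    "*May 15 17:29:01.000: %SEC-6-IPACCESSLOGP: list test denied tcp 144.1.1.2(40000) -> 144.1.20.1(23), 1 packet",
    "*May 15 17:30:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for level in ("debugging", "notifications"):
        print(level, denied_packets_by_source(SAMPLE_LINES, level))
```

Run as-is, the script reports 15 denied packets from 144.1.1.2 against list test at trap level debugging and nothing at trap level notifications, which is exactly the effect Note 2 describes: the %SEC-6 messages never leave the router once the trap level drops below 6. The MAC and ingress interface from log-input are kept on the event so a collector can tie the source address back to the neighbouring router port, as Note 1 does by hand.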
