Richard,
I am going to inform the list, as I have received many such requests.
You wrote:
> I was forwarded your note that you sent to the firewalls mailing list a
> few weeks ago about setting up Cisco routers to log the access-list
> violations. We are trying to get denied packets sent to SYSLOG, but this
> seems too difficult and potentially dangerous if lots of packets arrive!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
UNDERSTATEMENT
> You mentioned a PD utility 'ciscotalk', could you point me in the right
> direction to find it?
>
> Any help would be much appreciated,
It used to be on Cisco's ftp[.cisco.com] server, but you should go through your
Cisco rep to ask/get permission to connect to it. It used to be
anonymous access, but I don't know if it still is.
Also, if you are using TACACS to log/limit logins to your Ciscos, ciscotalk
won't work (without rewriting the code).
Also, also, ciscotalk won't show you any more details than you will see
by doing a sho ip acc acc. It won't give you the detail you get by
having debug turned on. This is why you should verbally abuse your Cisco rep
to put the pressure on Cisco to get them to improve the debug ip packet
command to include a "deny" parameter. This would allow it to log only
packets that are denied instead of *all* packets, as is the case now.
One last hint: if you have a spare port on the Cisco and use that port
ONLY to connect to your syslog host, then you reduce the high-traffic danger
you refer to above.
Regards-
Robert
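Added example, not part of Robert's message or of ciscotalk: the syslog-host side of the problem the thread discusses, i.e. what to do with access-list log lines once the router sends them, so that a flood of denied packets collapses into a few counters instead of thousands of lines. It assumes the router emits lines in the IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` format (that format is not shown on this page and is an assumption of the example); the sample log lines are constructed, not captured from any real router.

```python
import re
from collections import Counter

# Assumed IOS access-list log line forms (not shown on the page this example accompanies):
#   %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3456) -> 192.168.2.1(23), 1 packet
#   %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.5 -> 192.168.2.1 (8/0), 1 packet
# IOS also emits "permitted" lines for entries with the log keyword, and a
# "..., N packets" summary line after the first hit, so the count field is honoured.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

# Constructed sample input; the syslog timestamp/host/sequence prefix is typical
# of what a syslog host stores, but these lines were written by hand for the example.
SAMPLE_LOG = """\
Mar  3 10:22:01 gw1 45: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3456) -> 192.168.2.1(23), 1 packet
Mar  3 10:22:02 gw1 46: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.9(40000) -> 192.168.2.1(25), 1 packet
Mar  3 10:22:03 gw1 47: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.5 -> 192.168.2.1 (8/0), 1 packet
Mar  3 10:27:01 gw1 48: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(3456) -> 192.168.2.1(23), 140 packets
Mar  3 10:27:05 gw1 49: %SEC-6-IPACCESSLOGP: list 102 denied udp 172.16.4.2(53) -> 192.168.2.7(53), 3 packets
Mar  3 10:27:06 gw1 50: %SYS-5-CONFIG_I: Configured from console by vty0
"""


def parse_acl_log(line):
    """Return the fields of one access-list log line, or None if the line is not one."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    return d


def denied_packets(lines):
    """Sum denied packets per (acl, proto, src, dst, dport), ignoring permitted lines.

    This is the 'deny only' view the thread wants from the router, done on the
    syslog host instead: one counter per flow rather than one line per packet.
    """
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (rec["acl"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
        totals[key] += rec["count"]
    return totals


def flood_sources(totals, threshold):
    """Sources whose total denied packets reach the threshold, busiest first.

    A scan or flood that would have produced thousands of syslog lines shows up
    here as a single (source, count) entry, which is what an operator acts on.
    """
    per_src = Counter()
    for (_acl, _proto, src, _dst, _dport), n in totals.items():
        per_src[src] += n
    return [(src, n) for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    totals = denied_packets(SAMPLE_LOG.splitlines())
    for key, n in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"acl {key[0]} {key[1]} {key[2]} -> {key[3]} port {key[4]}: {n} denied")
    for src, n in flood_sources(totals, threshold=100):
        print(f"FLOOD: {src} had {n} packets denied")
```

Aggregating on the receiver does nothing about the router's own load while it formats and sends the lines, which is the part of the danger Robert's dedicated-port hint addresses; the two belong together.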