Sorry for the dumb question, but is it possible for the event history to show packet denial? On products from you-know-who I can do a show log and see recent activity related to the ACL and all that, but I can't figure out how to do that on a 4430.
Event history does show things like commands entered and logins/logouts etc, but nothing about packet denial.
My ACL statements all end in log-input, is that correct? Is there some other command I need to issue?
Thanks.
speck wrote:
Event history does show things like commands entered and logins/logouts etc, but nothing about packet denial.
My ACL statements all end in log-input, is that correct? Is there some other command I need to issue?
ACLs have an implicit deny at the end. You'll need to add an explicit deny with log-input.
You really don't want to log desired packets as this will rapidly fill your logfile and could significantly impact performance in terms of CPU and routing.
Example:
ip access-list standard foo
permit w.w.w.w x.x.x.x
permit y.y.y.y z.z.z.z
...
deny any log-input
As apenichet mentioned, the ACL needs to match a firewall rule and the firewall must be enabled on the device.
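To check a config against the advice above (no log-input on permit lines, an explicit final deny with log-input), here is an added audit script; it is not from the thread or from Adtran, and the sample ACL text it parses is constructed in the style shown above. Remember the hits only show up once ip firewall is enabled, which the script cannot check.

```python
import re
from typing import Dict, List

# Constructed sample config in the style of the ACL shown in the thread.
SAMPLE_CONFIG = """\
ip access-list standard foo
  permit 10.0.0.0 0.255.255.255 log-input
  permit 192.168.1.0 0.0.0.255
  deny any log-input
ip access-list standard bar
  permit 172.16.0.0 0.0.255.255
"""

def parse_acls(config: str) -> Dict[str, List[str]]:
    """Group permit/deny entries under the access-list name that precedes them."""
    acls: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line and line.split()[0] in ("permit", "deny"):
            acls[current].append(line)
    return acls

def audit_acl(name: str, entries: List[str]) -> List[str]:
    """Return findings for one ACL: logged permits, missing or silent final deny."""
    findings = []
    for e in entries:
        if e.startswith("permit") and "log-input" in e:
            findings.append(f"{name}: permit entry logs traffic (log volume, CPU): '{e}'")
    if not entries or not entries[-1].startswith("deny"):
        findings.append(f"{name}: no explicit final deny; the implicit deny is not logged")
    elif "log-input" not in entries[-1]:
        findings.append(f"{name}: final deny lacks log-input; denied packets will not be logged")
    return findings

def audit_config(config: str) -> List[str]:
    """Audit every ACL found in a config dump."""
    return [f for name, ents in parse_acls(config).items() for f in audit_acl(name, ents)]

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```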
Make sure ip firewall is turned on. You won't get any of those packet events with ip firewall disabled.
Thanks for the detailed response. I got rid of log-input on the permit lines and added log-input to the deny any line at the end. Thanks for pointing that out.
I'm doing this remotely, if I enable the firewall am I going to cut myself off? I've never dabbled with the firewall portion of the device as there is a firewall behind it.
If you have the firewall component running the same rules, is there any point having an ACL doing the same thing? I would think the firewall has logging capabilities of its own.
speck wrote:
I'm doing this remotely, if I enable the firewall am I going to cut myself off? I've never dabbled with the firewall portion of the device as there is a firewall behind it.
Here's a nice trick for making risky changes remotely. Connect to the unit and enter the command:
reload in 10
The "10" above is time in minutes. Follow the prompt to save changes and acknowledge the reload. This will start a timer to reboot the device.
Then make your changes. If you screw up and get locked out, your changes haven't been saved. You just need to wait; the box will reboot and be in the same state that it was before your changes. Note that enabling the firewall will log you out, but if all is good you'll be able to log back in. If, after your changes, all is well, then type the command:
reload cancel
to cancel the scheduled reboot. Write to memory and you're done.
speck wrote:
I've never dabbled with the firewall portion of the device as there is a firewall behind it. If you have the firewall component running the same rules, is there any point having an ACL doing the same thing? I would think the firewall has logging capabilities of its own.
The Adtran generally isn't going to deny packets unless you have its firewall enabled. Yes, you can use the other firewall to log denied packets generally, and you can log packets denied by an ACL on the Adtran not related to its firewall capability, such as ACLs applied to SIP, SSH, etc. Or both.
Adtran's firewall capabilities are surprisingly good.
Yes I can do the reload thing, I'm familiar with that. I can't really afford to take the site down even for a few minutes so I'll wait for a maintenance window.
The Adtran does deny packets without the firewall enabled. I tweak it often to permit and deny stuff so I know it works. Plus you can see the hits when you do a show access-list.
I'm not sure if I was clear, but I meant do you need an ACL on the Adtran router component if you have the same rules in the Adtran firewall component when it's enabled.
Thanks again for your informative replies.