Router Security Configuration Guide    UNCLASSIFIED    74    Version 1.0g

Use the log keyword at the end of each deny statement in each extended access list, as shown in the example below. This feature will provide valuable information about what types of packets are being denied. Logs of denied packets can be useful for detection and analysis of probes and attacks against a network. Section 4.5.1 describes IOS's logging features in more detail.

    East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
    East(config)# access-list 102 deny   ip any any log

Add the following statements at the end of each extended IP access list to deny and to log any packets that are not permitted. These statements will guarantee that the router will log the values for the source and destination ports for TCP and UDP traffic.

    East(config)# access-list 100 deny tcp any range 0 65535 any range 0 65535 log
    East(config)# access-list 100 deny udp any range 0 65535 any range 0 65535 log
    East(config)# access-list 100 deny ip  any any log

Finally, due to the limited editing capability on the Cisco router, you cannot easily modify access lists. Thus, whenever you need to change an access list, it is best to build it offline on a separate computer. When the access list is ready, you can cut and paste it via a connection to the router. Since the original access list is still on the router, you must purge it before adding the updated access list. Below is an example of how to clear an access list.

    East(config)# no access-list 100

4.3.2. Filtering Traffic to Router Itself

Access lists are used in a variety of ways to control access to services on the router itself. While it is possible to incorporate access controls for these services into the access lists placed on interfaces, it is typically easier and more reliable to use the specialized facilities that IOS makes available to apply access controls directly to the services themselves. For more information about services on the router, and how to disable unneeded ones, see Section 4.2.

Remote Login (Telnet) Service

There are a number of services on the router itself to which access should be filtered: the vty lines, SNMP servers and routing protocols. The vty lines are used for remote access to the router. Typically, a router administrator telnets to one of the vty lines. The following example shows the configuration of an extended IP access list that is applied to the vty lines. This simple IP access list allows the hosts with IP addresses 14.2.6.1 and 14.2.6.18 to connect to the router East via Telnet. The list denies all other connections. It also logs all successful and unsuccessful connections.
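The build-offline, purge, then paste procedure described above lends itself to a small script, so the deny-and-log tail is never forgotten. The following Python is an added example, not code from the guide: it generates the paste-ready block for an extended access list (the purge line, the permits, then the three deny/log statements from this section) and checks the result before it is pasted. The PermitRule class, the function names and the sample network are assumptions of this example; the IOS syntax is the access-list form shown in the guide.

```python
"""Build a Cisco IOS extended access list offline, ready to paste into config mode.

Added example (not from the Router Security Configuration Guide). The helper
names and the sample network are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass
class PermitRule:
    """One permitted flow: protocol, source (CIDR or 'any'), destination (CIDR or 'any')."""
    protocol: str
    source: str
    destination: str = "any"


def ios_address(spec: str) -> str:
    """Render 'any' or a CIDR network as IOS 'address wildcard'.

    IOS wildcard masks are inverted netmasks: 14.2.6.0/24 -> '14.2.6.0 0.0.0.255'.
    """
    if spec == "any":
        return "any"
    net = IPv4Network(spec)
    return f"{net.network_address} {net.hostmask}"


def build_extended_acl(number: int, permits: list[PermitRule]) -> list[str]:
    """Return the lines to paste for a replacement extended access list.

    Order matters: purge the old list first (the router still holds it), then the
    permits, then the deny/log tail from the guide so that denied TCP and UDP
    packets are logged together with their source and destination ports.
    """
    if not 100 <= number <= 199:
        raise ValueError("extended IP access lists are numbered 100-199")
    lines = [f"no access-list {number}"]
    for rule in permits:
        lines.append(
            f"access-list {number} permit {rule.protocol} "
            f"{ios_address(rule.source)} {ios_address(rule.destination)}"
        )
    lines += [
        f"access-list {number} deny tcp any range 0 65535 any range 0 65535 log",
        f"access-list {number} deny udp any range 0 65535 any range 0 65535 log",
        f"access-list {number} deny ip any any log",
    ]
    return lines


def check_acl(lines: list[str]) -> list[str]:
    """Sanity checks before pasting; returns a list of problems (empty means OK)."""
    problems = []
    if not lines or not lines[0].startswith("no access-list "):
        problems.append("list does not start by purging the old access list")
    for line in lines:
        if " deny " in line and not line.endswith(" log"):
            problems.append(f"deny statement without log keyword: {line}")
    if not lines or not lines[-1].endswith("deny ip any any log"):
        problems.append("list does not end with 'deny ip any any log'")
    return problems


if __name__ == "__main__":
    # Constructed sample: the permit from the guide's access-list 102 example.
    acl = build_extended_acl(102, [PermitRule("ip", "14.2.6.0/24")])
    print("\n".join(acl))
    print("problems:", check_acl(acl) or "none")
```

Paste the printed lines into config mode in one go; because the first line is the purge, the router ends up with exactly the generated list rather than a mix of old and new entries.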
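The log keyword on the deny statements, and the logging of vty connection attempts described above, only pay off if the resulting messages are actually analysed. As an added example that is not part of the guide, the Python below parses IOS access-list log messages and summarises denied traffic per source address, flagging a source that touched many distinct destination ports. The sample lines are constructed and modelled on the bodies of the IOS %SEC-6-IPACCESSLOGP (TCP/UDP with ports), IPACCESSLOGDP (ICMP type/code) and IPACCESSLOGNP (other protocols) messages; the function names and the port threshold are assumptions of this example.

```python
"""Summarise Cisco IOS access-list log messages for detection and analysis.

Added example (not from the Router Security Configuration Guide). SAMPLE_LOG is
constructed, modelled on the IOS %SEC-6-IPACCESSLOG* message bodies; real
routers may prefix timestamps, sequence numbers or an interface name, which
the regex tolerates by anchoring on the 'list ...' portion only.
"""
import re
from collections import Counter, defaultdict

# Matches IPACCESSLOGP (tcp/udp with ports), IPACCESSLOGDP (icmp with type/code)
# and IPACCESSLOGNP (no ports) message bodies.
ACL_LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample: one permitted vty login, one denied one, and a run of denies
# from a single source against several ports on an internal host.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 102 permitted tcp 14.2.6.1(1034) -> 14.2.9.250(23), 1 packet
%SEC-6-IPACCESSLOGP: list 102 denied tcp 14.1.1.20(2011) -> 14.2.9.250(23), 3 packets
%SEC-6-IPACCESSLOGP: list 100 denied tcp 14.1.1.20(2012) -> 14.2.6.5(21), 1 packet
%SEC-6-IPACCESSLOGP: list 100 denied tcp 14.1.1.20(2013) -> 14.2.6.5(25), 1 packet
%SEC-6-IPACCESSLOGP: list 100 denied tcp 14.1.1.20(2014) -> 14.2.6.5(80), 1 packet
%SEC-6-IPACCESSLOGP: list 100 denied udp 14.1.1.99(53) -> 14.2.6.5(161), 2 packets
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 14.1.1.99 -> 14.2.6.5 (8/0), 5 packets
%SEC-6-IPACCESSLOGNP: list 100 denied ip 14.1.1.99 -> 14.2.6.5, 1 packet
"""


def parse_acl_log(text):
    """Return one dict per recognised access-list log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        match = ACL_LOG_RE.search(line)
        if match:
            event = match.groupdict()
            event["count"] = int(event["count"])
            events.append(event)
    return events


def summarize_denies(events):
    """Per source address: total denied packets and the distinct destination ports hit.

    Only TCP/UDP messages carry ports, which is why the guide's deny tcp/udp
    statements use 'range 0 65535' to force port logging.
    """
    packets = Counter()
    ports = defaultdict(set)
    for event in events:
        if event["action"] != "denied":
            continue
        packets[event["src"]] += event["count"]
        if event["dport"] is not None:
            ports[event["src"]].add(int(event["dport"]))
    return {src: {"packets": n, "ports": sorted(ports[src])} for src, n in packets.items()}


def likely_scanners(events, min_ports=3):
    """Sources whose denied traffic touched at least min_ports distinct destination ports."""
    summary = summarize_denies(events)
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    for src, stats in summarize_denies(evs).items():
        print(f"{src}: {stats['packets']} denied packets, ports {stats['ports']}")
    print("probable port scans from:", likely_scanners(evs))
```

Feed it the router's syslog output (Section 4.5.1 covers sending IOS logs to a syslog host); the permitted entries from the vty list give a record of every successful administrative login as well.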