Using a Standard ACL to help define the traffic to be audited by an audit rule is possible. In the following example, an audit rule named Attack.7 is created that uses ACL 25, which is defined later in the configuration. The ACL doesn't behave the way you'd assume, particularly if you're thinking of it as if it were filtering interface traffic. Instead, when used in this context, the deny statements indicate that the private networks—192.168.0.0 to 192.168.255.0—aren't run through the audit process because they're trusted hosts. All other hosts are matched by the permit any statement and are processed by the audit rule.
Rtr1(config)#ip audit name Attack.7 list 25
Rtr1(config)#access-list 25 deny 192.168.0.0 0.0.255.255
Rtr1(config)#access-list 25 permit any
If some individual hosts or subnets within the trusted range need to be included in the audit, the following example shows how this might be addressed. The specific permit entries must come before the broader deny entry, because a standard ACL is evaluated top-down and the first matching entry wins.
Rtr1(config)#ip audit name Attack.7 list 25
Rtr1(config)#access-list 25 permit host 192.168.1.117
Rtr1(config)#access-list 25 permit 192.168.100.16 0.0.0.15
Rtr1(config)#access-list 25 permit 192.168.8.0 0.0.1.255
Rtr1(config)#access-list 25 deny 192.168.0.0 0.0.255.255
Rtr1(config)#access-list 25 permit any
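As an added illustration (not from the original text or from Cisco), the Python below models how IOS walks a standard ACL top-down with wildcard masks, and how the resulting permit or deny maps to "audited" or "exempt" in the ip audit list context. Both versions of ACL 25 from the text are encoded as constructed data; the sample addresses checked are assumptions.

```python
import ipaddress

# Constructed encodings of the page's two versions of ACL 25 as
# (action, network, wildcard) tuples. "host x" is x with wildcard 0.0.0.0,
# and "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_25_TRUSTED_ONLY = [
    ("deny", "192.168.0.0", "0.0.255.255"),    # whole 192.168/16 is trusted
    ("permit", "0.0.0.0", "255.255.255.255"),  # any
]

ACL_25_WITH_EXCEPTIONS = [
    ("permit", "192.168.1.117", "0.0.0.0"),    # host 192.168.1.117
    ("permit", "192.168.100.16", "0.0.0.15"),  # 192.168.100.16 - .31
    ("permit", "192.168.8.0", "0.0.1.255"),    # 192.168.8.0 - 192.168.9.255
    ("deny", "192.168.0.0", "0.0.255.255"),    # rest of 192.168/16 is trusted
    ("permit", "0.0.0.0", "255.255.255.255"),  # any
]


def wildcard_match(addr, network, wildcard):
    """True if addr matches network under Cisco wildcard semantics.

    A wildcard bit of 1 means "don't care", so only the bits that are 0
    in the wildcard are compared.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def acl_action(acl, addr):
    """Return the action of the first matching entry (first match wins)."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"  # every Cisco ACL ends with an implicit deny


def is_audited(acl, addr):
    """In 'ip audit name ... list', permit means audited, deny means exempt."""
    return acl_action(acl, addr) == "permit"
```

Swapping the order of the host permits and the 192.168.0.0 deny in ACL_25_WITH_EXCEPTIONS makes every 192.168 host exempt again, which is the ordering mistake the text warns about.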