Hi there, I need to find out whether a certain IP address is trying to connect to resources that have public translations on my ASA firewall. How can I configure logging for this, for allowed and denied traffic, in a way that would allow me to view the logs for a certain period of time, etc.?
Cisco
Last Comment: mediavisionds, 8/22/2022 - Mon
mediavisionds
How is your logging configured today? At which level are you logging (debug, info, etc.)? Are you sending logs to a syslog server? What code level is on the ASA?
The reason for all the questions is that I am trying to determine the best way to do what you want without breaking what is there :-)
Thanks
eggster34
ASKER
We don't have any logging whatsoever right now; we are running 8.0(3) on the ASA.
mediavisionds
You could create inbound rules that log the specific IP you are looking for. For example, if you have a public web server and an FTP server you could do something like this, where 1.1.1.1 is the IP you are tracking:
access-list outside-in extended permit ip host 1.1.1.1 host <web svr IP> log
access-list outside-in extended permit tcp any host <web svr IP> eq www
access-list outside-in extended permit ip host 1.1.1.1 host <ftp svr IP> log
access-list outside-in extended permit tcp any host <ftp svr IP> eq ftp
access-list outside-in extended deny ip host 1.1.1.1 any log
access-list outside-in extended deny ip any any
This will catch and log the IP you are tracking and then allow the normal public access to these servers. By the same logic, the last two lines will log denied traffic from the IP you are tracking and then deny everything else. Make sure the last two lines are at the bottom of your ACL.
Then you have to turn on logging and set the logging level:
logging on
logging buffered 6
logging timestamp
You can view the traffic by entering "show log" on the ASA command line.
Admittedly, this could be tedious if you have a large inbound ACL, so if this doesn't work for you let me know and I'll give you an alternative.
eggster34
ASKER
OK, but how can I change the logging level for this particular exercise? I understand that by default ACE entries are logged at level 6, but that creates a massive amount of logs that is hard to keep track of. How can I track these at log level 0 (I believe it's called emergencies)?
You can view the logs for specific ACEs as follows using ASDM.
Set an ACE with the following logging as an example:
access-list 101 extended permit icmp any host 192.168.111.10 log 7 interval 1 (updates every second)
In ASDM go to:
Configuration > Firewall > Access Rules
Right-click the rule with logging enabled and select Show Log. Once the log is triggered you will see the log entries.
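The two answers above, put together as one complete configuration. This is an added example, not configuration from either reply: the tracked host 1.1.1.1, the public (translated) server addresses 203.0.113.10 and 203.0.113.11, the ACL name outside-in and the syslog collector 10.0.0.10 on the inside are all assumed placeholders. It answers the follow-up question about the per-ACE level by using the optional level argument of the ACE log keyword; it uses severity 2 (critical) rather than 0, because 0 is the "system unusable" severity and many collectors page someone on it, and then sets the buffer and syslog thresholds to that same severity so only the tracked host's hits are kept. The lines starting with ! are annotations, not commands.

```cisco
! Added example (not from the original answers). Assumed addresses:
!   1.1.1.1          = the outside host being tracked
!   203.0.113.10/.11 = PUBLIC (translated) addresses of the web and FTP servers
!   10.0.0.10        = syslog collector on the inside interface
! On 8.0(3) an ACL applied to the outside interface matches the mapped (public)
! address of the server, not its real inside address; that only changed in 8.3.
!
! Tracked host first. "log 2 interval 300" raises these ACEs from the default
! level 6 to level 2 and reports the hit count once per 300 s per flow,
! so they survive the strict buffer threshold set below.
access-list outside-in extended permit tcp host 1.1.1.1 host 203.0.113.10 eq www log 2 interval 300
access-list outside-in extended permit tcp host 1.1.1.1 host 203.0.113.11 eq ftp log 2 interval 300
! Normal public access, no per-hit logging.
access-list outside-in extended permit tcp any host 203.0.113.10 eq www
access-list outside-in extended permit tcp any host 203.0.113.11 eq ftp
! Anything else from the tracked host: denied and logged as message 106100 at
! level 2. Without the log keyword a deny is reported as 106023 at level 4.
access-list outside-in extended deny ip host 1.1.1.1 any log 2 interval 300
access-list outside-in extended deny ip any any
access-group outside-in in interface outside
!
! Logging. "logging enable" is the ASA 7.x+ spelling of the older "logging on".
! Buffer and syslog keep severity 2 and above only, which filters out the
! level-6 hits of the other ACEs and the level-4 106023 denies.
logging enable
logging timestamp
logging buffer-size 65536
logging buffered critical
logging host inside 10.0.0.10
logging trap critical
!
! Viewing a period: with timestamps on, every buffered 106100 line carries the
! date and time, the ACL name, permitted/denied, source and destination ports.
show logging | include 106100.*1.1.1.1
```

The cost of the buffered/trap thresholds at level 2 is that everything the firewall would otherwise report at levels 3 to 7 (VPN, failover, other denies) is no longer kept. If you want those as well, leave the thresholds at informational and rely on the show logging filter above, or send only the tracked ACEs to a separate destination by defining an event list with logging list <name> message 106100 and referencing that list from logging buffered or logging trap.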