eggster34
asked on
Traffic logging on ASA
Hi there, I need to find out whether a certain ip address is trying to connect to resources that have public translations on my ASA firewall, how can I configure logging for this for allowed and denied traffic, which would allow me to view the logs for a certain period of time etc.?
ASKER
we don't have any logging whatsoever right now, we are running 8.03 on the ASA.
You could create inbound rules that log the specific IP you are looking for. For example, if you have a public web server and FTP server you could do something like this, where 1.1.1.1 is the IP you are tracking:
access-list outside-in extended permit ip host 1.1.1.1 host <web svr IP> log
access-list outside-in extended permit tcp any host <web svr IP> eq www
access-list outside-in extended permit ip host 1.1.1.1 host <ftp svr IP> log
access-list outside-in extended permit tcp any host <ftp svr IP> eq ftp
access-list outside-in extended deny ip host 1.1.1.1 any log
access-list outside-in extended deny ip any any
This will catch and log the IP you are tracking, then allow the normal public access to these servers. By the same logic, the last two lines will log denied traffic by the IP you are tracking and then deny everything else. Make sure the last two lines are at the bottom of your ACL.
Then you have to turn on logging and set the logging level:
logging on
logging buffered 6
logging timestamp
You can view the traffic by entering "show log" on the ASA command line.
Admittedly, this could be tedious if you have a large inbound ACL, so if this doesn't work for you let me know and I'll give you an alternative.
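Once the ACEs above carry the log keyword and logging buffered is on, show log fills up with %ASA-6-106100 messages (or %ASA-7-106100 if the ACE uses log 7, as in the next reply), and picking out one source address for one time window by eye is the tedious part. The script below is an added example, not code from this thread or from Cisco: it parses those 106100 lines, keeps only the tracked source IP inside a time window, and totals permitted versus denied hits per destination. The ACL name outside-in and the tracked IP 1.1.1.1 follow the answer; the log lines in SAMPLE_LOG are constructed for the example rather than captured from a real ASA.

```python
"""Filter ASA access-list hit logs (%ASA-x-106100) for one source IP and time window.

Added example, not from the original thread. SAMPLE_LOG is constructed, not a
real capture; 1.1.1.1 and the ACL name outside-in are taken from the answer.
"""
import re
from collections import Counter
from datetime import datetime

# Shape of the message an ACE with the `log` keyword produces:
#   <clock>: %ASA-<sev>-106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#     <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> {first hit | <i>-second interval} [hashes]
# <sev> is the level the ACE logs at: 6 by default, or the value given to `log <level>`
# (for example `log 7 interval 1`). The leading clock comes from `logging timestamp`.
HIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sif>\S+)/(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dif>\S+)/(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

# Constructed `show log` excerpt. The 302013 line is a connection-built message,
# not an ACE hit, and is skipped; the 101/icmp line models the ASDM example's `log 7`.
SAMPLE_LOG = """\
Mar 02 2010 09:15:01: %ASA-6-106100: access-list outside-in permitted tcp outside/1.1.1.1(52144) -> inside/192.168.1.10(80) hit-cnt 1 first hit [0x3c5a1e2f, 0x0]
Mar 02 2010 09:15:01: %ASA-6-302013: Built inbound TCP connection 4711 for outside:1.1.1.1/52144 (1.1.1.1/52144) to inside:192.168.1.10/80 (203.0.113.50/80)
Mar 02 2010 09:15:03: %ASA-6-106100: access-list outside-in denied tcp outside/1.1.1.1(52145) -> inside/192.168.1.10(22) hit-cnt 1 first hit [0x7b2d9a10, 0x0]
Mar 02 2010 09:15:07: %ASA-6-106100: access-list outside-in permitted tcp outside/1.1.1.1(52146) -> inside/192.168.1.20(21) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Mar 02 2010 09:16:11: %ASA-6-106100: access-list outside-in denied tcp outside/1.1.1.1(52150) -> inside/192.168.1.10(3389) hit-cnt 4 300-second interval [0x7b2d9a10, 0x0]
Mar 02 2010 09:20:00: %ASA-7-106100: access-list 101 permitted icmp outside/203.0.113.9(0) -> inside/192.168.111.10(0) hit-cnt 1 first hit [0x9e8d7c6b, 0x0]
Mar 02 2010 10:05:30: %ASA-6-106100: access-list outside-in denied udp outside/1.1.1.1(40000) -> inside/192.168.1.10(161) hit-cnt 1 first hit [0x5f6e7d8c, 0x0]
"""


def _clock(text):
    """Parse the ASA `logging timestamp` clock, e.g. 'Mar 02 2010 09:15:01'."""
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def parse_hits(text):
    """Return one dict per 106100 line; other message IDs are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        h = m.groupdict()
        h["ts"] = _clock(h["ts"])
        h["hits"] = int(h["hits"])
        hits.append(h)
    return hits


def summarize(hits, src, start, end):
    """Total hit-cnt per (action, proto, dst, dport) for `src` with start <= clock <= end.

    start/end use the same clock format as the log. hit-cnt is summed rather than
    lines counted, because with `log <level> interval N` the ASA collapses repeated
    matches into one message carrying the count.
    """
    lo, hi = _clock(start), _clock(end)
    totals = Counter()
    for h in hits:
        if h["src"] == src and lo <= h["ts"] <= hi:
            totals[(h["action"], h["proto"], h["dst"], h["dport"])] += h["hits"]
    return dict(totals)


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    report = summarize(hits, "1.1.1.1", "Mar 02 2010 09:00:00", "Mar 02 2010 10:00:00")
    for (action, proto, dst, dport), n in sorted(report.items()):
        print(f"{action:9s} {proto:4s} {dst}:{dport}  hits={n}")
```

Feed it the saved output of show log (or a syslog file if you later point logging host at a collector) and adjust the source IP and window to taste; because it only matches message ID 106100, connection-built and teardown messages never pollute the tally.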
ASKER
OK, but how can I change the logging level of this particular exercise? I understand that by default ACE entries are logged at level 6, but that creates a massive amount of logs that's hard to keep track of. How can I track these at log level 0 (I believe it's called emergencies)?
Just an add-on to mediavisiods:
You can view the logs for specific ACEs as follows using the ASDM.
Set an ACE with the following logging as an example:
access-list 101 extended permit icmp any host 192.168.111.10 log 7 interval 1
(updates every second)
On the ASDM go to:
Configuration > Firewall > Access Rules
Right-click on the rule with logging enabled and select Show Log; once the log is triggered you will see the logs.
It's pretty cool, as it is very granular.
Hello eggster34,
Did any of the above help you?
The reason for all the questions is I am trying to determine the best way to do what you want without breaking what is there :-)
Thanks