eggster34 asked:

Traffic logging on ASA

Hi there, I need to find out whether a certain IP address is trying to connect to resources that have public translations on my ASA firewall. How can I configure logging for this, for both allowed and denied traffic, in a way that would allow me to view the logs for a certain period of time, etc.?
Cisco

Last comment: mediavisionds, 8/22/2022 - Mon
mediavisionds

How is your logging configured today? At which level are you logging (debug, info, etc.)? Are you sending logs to a syslog server? What code level is on the ASA?

The reason for all the questions is I am trying to determine the best way to do what you want without breaking what is there :-)

Thanks
eggster34

ASKER
We don't have any logging whatsoever right now; we are running 8.03 on the ASA.
mediavisionds

You could create inbound rules that log the specific IP you are looking for. For example, if you have a public web server and an FTP server, you could do something like this, where 1.1.1.1 is the IP you are tracking:

access-list outside-in extended permit ip host 1.1.1.1 host <web svr IP> log
access-list outside-in extended permit tcp any host <web svr IP> eq www
access-list outside-in extended permit ip host 1.1.1.1 host <ftp svr IP> log
access-list outside-in extended permit tcp any host <ftp svr IP> eq ftp
access-list outside-in extended deny ip host 1.1.1.1 any log
access-list outside-in extended deny ip any any

This will catch and log the IP you are tracking, then allow the normal public access to these servers. By the same logic, the last two lines will log denied traffic from the IP you are tracking and then deny everything else. Make sure the last two lines are at the bottom of your ACL.


Then you have to turn on logging and set the logging level:

logging on
logging buffered 6
logging timestamp

You can view the traffic by entering "show log" on the ASA command line.

Admittedly, this could be tedious if you have a large inbound acl so if this doesn't work for you let me know and I'll give you an alternative.

eggster34

ASKER
OK, but how can I change the logging level for this particular exercise? I understand that by default ACE entries are logged at level 6, but that creates a massive amount of logs that's hard to keep track of. How can I track these at log level 0 (I believe it's called emergencies)?
ASKER CERTIFIED SOLUTION
mediavisionds

nkwizz

Just an add-on to mediavisionds:

You can view the logs for specific ACEs as follows using the ASDM.

Set an ACE with the following logging as an example:
access-list 101 extended permit icmp any host 192.168.111.10 log 7 interval 1 (updates every second)

In the ASDM go to:
Configuration > Firewall > Access Rules
Right-click on the rule with logging enabled and select Show Log; once the log is triggered you will see the logs.

It's pretty cool, as it is very granular.
mediavisionds

Hello eggster34,

Did any of the above help you?