asked on
Traffic logging on ASA
Hi there, I need to find out whether a certain ip address is trying to connect to resources that have public translations on my ASA firewall, how can I configure logging for this for allowed and denied traffic, which would allow me to view the logs for a certain period of time etc.?
Cisco
Last Comment
mediavisionds
ASKER
we don't have any logging whatsoever right now, we are running 8.03 on the ASA.
You could create inbound rules that log the specific IP you are looking for. For example, if you have a public web server and ftp server you could do something like this where 1.1.1.1 is the IP you are tracking.:
access-list outside-in extended permit ip host 1.1.1.1 host <web svr IP> log
access-list outside-in extended permit tcp any host <web svr IP> eq www
access-list outside-in extended permit ip host 1.1.1.1 host <ftp svr IP> log
access-list outside-in extended permit tcp any host <ftp svr IP> eq ftp
access-list outside-in extended deny ip host 1.1.1.1 any log
access-list outside-in extended deny ip any any
This will catch and log the IP you are tracking then allow the normal public access to these servers. By the same logic, the last two lines will log denied traffic by the IP you are tracking and then deny everything else. Make sure the last two lines are at the bottom of your acl.
Then you have to turn on logging and set the logging level:
logging on
logging buffered 6
logging timestamp
You can view the traffic by entering "show log" on the ASA command line.
Admittedly, this could be tedious if you have a large inbound acl so if this doesn't work for you let me know and I'll give you an alternative.
access-list outside-in extended permit ip host 1.1.1.1 host <web svr IP> log
access-list outside-in extended permit tcp any host <web svr IP> eq www
access-list outside-in extended permit ip host 1.1.1.1 host <ftp svr IP> log
access-list outside-in extended permit tcp any host <ftp svr IP> eq ftp
access-list outside-in extended deny ip host 1.1.1.1 any log
access-list outside-in extended deny ip any any
This will catch and log the IP you are tracking then allow the normal public access to these servers. By the same logic, the last two lines will log denied traffic by the IP you are tracking and then deny everything else. Make sure the last two lines are at the bottom of your acl.
Then you have to turn on logging and set the logging level:
logging on
logging buffered 6
logging timestamp
You can view the traffic by entering "show log" on the ASA command line.
Admittedly, this could be tedious if you have a large inbound acl so if this doesn't work for you let me know and I'll give you an alternative.
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
ok, but how can I change the logging level of this particular exercise? I understand that by default, ACE entries are logged at level 6 , but that creates a massive amount of logs that's hard to keep track of. How can I track these at log level 0 (I believe it's called emergencies.) ?
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
just an add on to mediavisiods,
you can view the logs for specific ace's as follows using the asdm:
set an ace with the following logging as an example:
access-list 101 extended permit icmp any host 192.168.111.10 log 7 interval 1 (updates every second)
on the asdm go to:
Configuration > Firewall > Access Rules
right click on the rule with logging enabled and select, show log once the log is triggered you will see the logs.
Its pretty cool as it is very granular
you can view the logs for specific ace's as follows using the asdm:
set an ace with the following logging as an example:
access-list 101 extended permit icmp any host 192.168.111.10 log 7 interval 1 (updates every second)
on the asdm go to:
Configuration > Firewall > Access Rules
right click on the rule with logging enabled and select, show log once the log is triggered you will see the logs.
Its pretty cool as it is very granular
Hello eggster34,
Did any of the above help you?
Did any of the above help you?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
The reason for all the questions is I am trying to determine the best way to do what you want without breaking what is there :-)
Thanks