AlaskanIT

Decomposing ACL hits

I would like to remove the last statement (an ANY-ANY statement) from each ACL of 24 legacy VLANs. The challenge is that of decomposing the ANY-ANY statement to produce identifiable source and destination, both IP and port, for analysis. Note that the ACLs are legacy and the ANY-ANY was added when the network was upgraded. The FWSM is version 3.2(7). The primary tool is ASDM 5.2(4)F on a 5510 hardware platform.
InteraX

If you are trying to identify the traffic hitting the rule, you would be best to enable logging on the line. Is the rule an allow or deny? Do you have a syslog server set up?
AlaskanIT

ASKER

The rule is permit (ip permit any any). Obviously, the goal is to remove that statement without causing horrendous disruption of services.....(:-)>

If I do logging on the line, do I receive source/destination info or do I get a hit count?

ASDM seems to show me a 4k local buffer. It doesn't appear to reach out to syslog. Having said that, the keeper of syslog should be back tomorrow and I will track the answer to your question.

Since the underlying hardware is ASA5510, is there a way to use "show connection detail" or "show xlate detail"?

Thanks.
To get the port information in the logs you need to write the access-list as follows:

access-list outside_in permit tcp any gt 1 any gt 1 log
access-list outside_in permit udp any gt 1 any gt 1 log
I must chuckle at myself since when I began, the task seemed well in hand. Then it was time to remember hit counts don't tell the tale. I appreciate the sage advice from both of you. Thanks mediavisionds for such a practical suggestion: I will follow that lead and download the Kiwi Syslog server. It certainly wasn't personal, but I received a bit of pushback from the current syslog keeper here at work. Truthfully, I might have done the same were I charged with the daily read.(;-)

Do either of you have thoughts on the applicability of a couple of show commands: connection detail, and xlate detail? Both reflect my background in PIX, but I'm wondering if they wouldn't be equally applicable to ASDM/ASA.

Thanks, both of you. I'm off to scrounge a workstation and a copy of VM. I will be watching for your comments.
sh xlate shows the current translations. show conn shows the current connections in use on the device. I'm not sure the translations would be particularly useful here, but the connections could be.

The syslog route would probably be best, as you can set it to not log allowed traffic except for the traffic you want to identify. Then you know what people are using and can create the relevant ACEs.

The ASA code is based on the PIX code with a load of new features. Essentially, they are very similar devices on a hardware basis, with both running a hardened Unix OS with a very cut-down feature set.
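As an added example (not posted by anyone in this thread), here is one way to do the last step InteraX describes: tally the 106100-style access-list log messages that the logged ACE produces and turn them into candidate specific ACEs to replace the any-any line. The ACL name, addresses and log lines below are constructed for illustration; the message layout follows the access-list hit log format as I understand it, so check it against your own syslog output before relying on it.

```python
import re
from collections import Counter

# Constructed sample syslog lines (made up for this example, not captured
# from the asker's FWSM). Format: access-list <acl> permitted|denied <proto>
# <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> ...
SAMPLE_LOGS = """\
%FWSM-6-106100: access-list vlan10_in permitted tcp vlan10/10.1.10.5(51234) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%FWSM-6-106100: access-list vlan10_in permitted tcp vlan10/10.1.10.6(51235) -> outside/192.0.2.10(443) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%FWSM-6-106100: access-list vlan10_in permitted udp vlan10/10.1.10.5(50000) -> outside/192.0.2.53(53) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
%FWSM-6-106100: access-list vlan10_in permitted tcp vlan10/10.1.10.7(51300) -> dmz/10.2.0.20(22) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
%FWSM-6-106100: access-list vlan10_in denied tcp vlan10/10.1.10.8(51301) -> outside/198.51.100.9(23) hit-cnt 1 first hit [0x1a2b3c50, 0x0]
"""

LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def summarise_hits(log_text, acl_name):
    """Sum permitted hits per (proto, src, dst, dport) for one ACL.
    Source ports are ephemeral, so they are deliberately not part of the key."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl_name or m["action"] != "permitted":
            continue
        key = (m["proto"], m["src"], m["dst"], int(m["dport"]))
        flows[key] += int(m["hits"])
    return flows


def propose_aces(flows, acl_name):
    """Turn observed flows into (ACE, hit count) pairs, busiest first, using
    the host/eq form so each line is as narrow as the evidence supports."""
    return [
        (f"access-list {acl_name} permit {proto} host {src} host {dst} eq {dport}", hits)
        for (proto, src, dst, dport), hits in flows.most_common()
    ]


if __name__ == "__main__":
    for ace, hits in propose_aces(summarise_hits(SAMPLE_LOGS, "vlan10_in"), "vlan10_in"):
        print(f"{hits:5d}  {ace}")
```

Collect over a full business cycle (month-end jobs included) before treating the list as complete, and review each proposed host/host line for sensible summarisation into subnets or object groups before removing the any-any entry.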