ASA 5510 - Logging Firewall Hits

Posted on 2010-09-15
Medium Priority
Last Modified: 2012-06-22
Hi, on our ASA cisco 5510, I have a policy for our outside interface to allow FTP, FTP-DATA & SSH to an external IP address. We then NAT this externalFTP address to an local internal server

access-list outside_access_in extended permit tcp any host ExternalFTP object-group DM_INLINE_TCP_1

static (inside,outside) ExternalFTP  access-list inside_nat_static

I am trying to come up with a list of which external IP's are actually connecting to this IP of ours..

I can see we get about 20 hits every month

Can this be done on the ASA logging or what is recommended?

Question by:LiquidCapital

Expert Comment

ID: 33681805
The IP addresses do appear in the ASDM logs, but it scrolls out of the buffer fairly quickly.  I think you'll need a syslog server if you want to aggregate the logs over a long period of time.  Any reason you can't just enable logging on the FTP server instead?
LVL 18

Accepted Solution

Jimmy Larsson, CISSP, CEH earned 1000 total points
ID: 33681811
If you want to log nothing but that the easiest way is to do like this:

access-l OUTSIDE ext permit tcp any host eq ftp log alerts
logging buffered alerts
logging on

Alerts is one of 8 logging severities (0 - 7) which contains by default almost no events. By telling your acl-line to log hits on that line with severity alerts you will get a log entry each time. By logging severity alerts to buffer you can easily see what has been logged with the "show logg"-command.

Of course you can tweak this to log all alerts to syslog or asdm or whatever suits you best.



Assisted Solution

Donboo earned 1000 total points
ID: 33686504
Or you can setup a free syslog server and log to that instead then you would have the entire log in a file instead of the ASDM.

Author Closing Comment

ID: 33817045
Logged to syslog server and filtered out the ASA code to locate.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question