Solved

Track what ip addresses try to hit an external ip address in Cisco ASA

Posted on 2010-11-22
637 Views
Last Modified: 2012-05-10
How can I monitor what IP addresses try to connect to an external-facing server on a Cisco ASA 5510? The server is set up with a static NAT with an internal and an external IP address. I want to monitor any attempts to connect to the external address, and from what IP each attempt comes.
Question by:dmwynne
15 Comments
 
LVL 7

Expert Comment

by:joelvp
ID: 34190643
conf t
access-list caphitacl permit ip any host x.x.x.x

cap caphits interface outside access-list caphitacl

then after some time

show cap caphits

this really shows the packets. However the buffer is limited.

-----------
Assuming you have somewhere

access-list outside_in permit ip any host x.x.x.x

If you set your logging level to 7 (debugging) with

logging buffered 7

you will also see a lot of other stuff you may not want to see.

-----------
To reduce messages:
you can change the logging level for that line as follows:

access-list outside_in permit ip any host x.x.x.x log 4

and change the logging level:

logging buffered 4

so all warnings and higher are logged.
----------------------
But all really depends on your other requirements with regard to logging. There are many possibilities.
E.g., you could also log to a syslog server; then you can be sure that your log data is retained. If you need that, let me know and I can give you the syntax.
 
LVL 14

Author Comment

by:dmwynne
ID: 34191501
Is the host here the external or internal address?

access-list caphitacl permit ip any host x.x.x.x

I actually set up both the internal and external IP and then connected to the host from outside (I telnetted to port 25), but the capture hits did not go up.

I would like to setup a syslog server.



 
LVL 7

Expert Comment

by:joelvp
ID: 34191986
what version of ASA are you using?

ie: command: show version

The address to use has changed in version 8.3.

Although, if you used both internal and external representation, one of them should have worked.
Could you post (relevant part of) the config?

to log to syslog:

Assuming the syslog server is host a.b.c.d located on the inside, configure the following:
logging host inside a.b.c.d
 
LVL 14

Author Comment

by:dmwynne
ID: 34192355
Cisco Adaptive Security Appliance Software Version 8.2(1)11
Device Manager Version 6.2(5)

This is the access list I created, not sure which part of config you need.

access-list caphitacl extended permit ip any host "external IP"
access-list caphitacl extended permit ip any host "internal ip"


Can't seem to get the syslog working either:

Here is the info from show run.


logging enable
logging timestamp
logging asdm warnings
logging host inside 10.10.4.42
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
 
LVL 14

Author Comment

by:dmwynne
ID: 34192391
OK so I realized after this was posted how to get the syslog server working.  Any chance you know what level syslog or what event numbers I should be looking for to see connections to the specific acl that server uses?
 
LVL 7

Expert Comment

by:joelvp
ID: 34192447
That is not enough information. Did you do the capture or the logging on an access-list attached to an interface?
What syslog server do you have running? Is it receiving logs from other hosts?

Best would be to paste the complete config (without passwords/external ip's)

Otherwise, what is result of the following commands:

sh run access-group
sh logging
sh cap
sh access-list

 
LVL 7

Expert Comment

by:joelvp
ID: 34192474
Oh, just saw your last message, so forget about the syslog.
The question about how you set up the access-list stuff is important. I think you don't have the access-group command; however, if you just set the logging level to 6, messages %ASA-6-302020 and %ASA-6-302021 are two interesting ones.
 
LVL 7

Expert Comment

by:joelvp
ID: 34192532
I see now that TCP connections are logged under a different code, but they do start with %ASA-6-3020, so you may want to select on those messages.
 
LVL 7

Expert Comment

by:joelvp
ID: 34192547
But I also see from your config, you are suppressing these messages with

no logging message 302015
.....
no logging message 302020

so I would take these lines out with the commands:
logging message 302015
.....
logging message 302020

 
LVL 14

Author Comment

by:dmwynne
ID: 34192597
sh run access-group - access-group outside_access_in in interface outside

sh logging - Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level warnings, 27 messages logged

sh cap - capture caphits type raw-data access-list caphitacl interface outside [Capturing - 0 bytes]

 
LVL 7

Expert Comment

by:joelvp
ID: 34192665
Your capture is correct and your ACL is correct. There should be a typo somewhere.

What is the output of the command

sh access-list caphitacl

?

Are your connection attempts now visible in syslog? Did you set it to level 6?
 
LVL 14

Author Comment

by:dmwynne
ID: 34192686
sh access-list caphitacl
access-list caphitacl; 2 elements; name hash: 0xb9185424
access-list caphitacl line 1 extended permit ip any host "external ip" (hitcnt=0) 0xef958d9a
access-list caphitacl line 2 extended permit ip any host "internal ip" (hitcnt=0) 0x7c3bab30

I did set it to level 6 and I can see some connection attempts. I am seeing an event that tells me what I need to know: it shows the external IP of a test machine I have connecting to the internal host. Is this the best way to see what I want to see?

11-22-2010      17:31:25      Local4.Debug      10.10.1.9      Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host outside:x.x.x.x
11-22-2010      17:31:25      Local4.Debug      10.10.1.9      Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host inside:x.x.x.x
 
LVL 7

Accepted Solution

by:
joelvp earned 2000 total points
ID: 34193230
Yes, if you only need to know the fact that a host connects, the logging information is the easiest way. I use it at most places to track access to/from resources. The capture is only needed in case you need detailed information about the packets being sent. Logging with an access-list entry is useful if you really only want to log one specific item, but this comes down to the same thing, as you also log to either the buffer, syslog or ASDM, etc.
 
LVL 14

Author Comment

by:dmwynne
ID: 34197032
I am able to show a connection; how do I log a denied attempt? I want to be able to see a connection attempt from an IP range that is not allowed.
 
LVL 14

Author Comment

by:dmwynne
ID: 34198253
I found out that I could do this using 106023.

Thanks
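The thread ends up with two message IDs that answer the original question from the syslog server's side: %ASA-6-302013 / %ASA-6-302015 ("Built inbound TCP/UDP connection", the ACL permitted the attempt) and %ASA-4-106023 ("Deny ... by access-group", the ACL dropped it). The following Python script is an added example, not code from the thread or from Cisco. It parses a handful of constructed ASA 8.2-style syslog lines (the addresses are documentation ranges and are assumptions, as is the static NAT of 203.0.113.10 to 10.10.4.20) and counts, per source IP and destination port, which outside hosts reached the server and which were refused. The Built messages carry both the real (inside) and the mapped (outside) address of each endpoint, and on a pre-8.3 ASA the 106023 deny message names the mapped address, so the script matches on either one; that is also why the asker's capture ACL question ("internal or external?") does not arise here.

```python
import re
from collections import Counter

# Constructed sample lines as a syslog server would receive them from an ASA 8.2.
# Addresses are documentation ranges (assumed, not from the thread); the public
# server address is 203.0.113.10, statically NATed to the inside host 10.10.4.20.
SAMPLE_LOG = """\
Nov 22 2010 17:30:54: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.10.4.20/25 (203.0.113.10/25)
Nov 22 2010 17:30:55: %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/51234 to inside:10.10.4.20/25 duration 0:00:01 bytes 512 TCP FINs
Nov 22 2010 17:31:02: %ASA-4-106023: Deny tcp src outside:192.0.2.33/4444 dst inside:203.0.113.10/25 by access-group "outside_access_in" [0x0, 0x0]
Nov 22 2010 17:31:10: %ASA-6-302013: Built inbound TCP connection 12350 for outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:10.10.4.20/25 (203.0.113.10/25)
Nov 22 2010 17:31:12: %ASA-6-302013: Built outbound TCP connection 12351 for inside:10.10.4.20/39000 (203.0.113.10/39000) to outside:198.51.100.50/443 (198.51.100.50/443)
Nov 22 2010 17:31:20: %ASA-4-106023: Deny tcp src outside:192.0.2.33/4445 dst inside:203.0.113.10/25 by access-group "outside_access_in" [0x0, 0x0]
Nov 22 2010 17:31:21: %ASA-4-106023: Deny udp src outside:192.0.2.40/53 dst inside:203.0.113.10/53 by access-group "outside_access_in" [0x0, 0x0]
Nov 22 2010 17:31:25: %ASA-7-609001: Built local-host outside:198.51.100.9
"""

# 302013 (TCP) and 302015 (UDP) "Built" messages give each endpoint as
# "interface:real_address/real_port (mapped_address/mapped_port)".
BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) \((?P<smip>[\d.]+)/\d+\) "
    r"to (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) \((?P<dmip>[\d.]+)/\d+\)"
)

# 106023: packet dropped by an interface ACL. Ports are absent for protocols
# without them (e.g. icmp), so they are optional here.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? by access-group "(?P<acl>[^"]+)"'
)


def track_hits(log_text, external_ip, internal_ip=None):
    """Count inbound attempts against the server, keyed by (source IP, dest port).

    Returns (allowed, denied): 'allowed' counts Built inbound connections
    (the ACL permitted them), 'denied' counts 106023 ACL drops.
    """
    targets = {external_ip}
    if internal_ip:
        targets.add(internal_ip)
    allowed, denied = Counter(), Counter()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            # Connections the server opens itself are "outbound"; ignore them.
            # Match the real or the mapped destination so the result does not
            # depend on which address the NAT or ACL rule happens to name.
            if m["dir"] == "inbound" and (m["dip"] in targets or m["dmip"] in targets):
                allowed[(m["sip"], int(m["dport"]))] += 1
            continue
        m = DENY_RE.search(line)
        if m and m["dip"] in targets:
            port = int(m["dport"]) if m["dport"] else 0
            denied[(m["sip"], port)] += 1
    return allowed, denied


def sources(counter):
    """Collapse a (src, port) Counter into src -> total hits, most active first."""
    per_src = Counter()
    for (src, _port), n in counter.items():
        per_src[src] += n
    return dict(per_src.most_common())


if __name__ == "__main__":
    allowed, denied = track_hits(SAMPLE_LOG, "203.0.113.10", "10.10.4.20")
    print("allowed:", sources(allowed))
    print("denied: ", sources(denied))
```

Two checks before relying on this on a real box: the config pasted earlier in the thread suppresses exactly these messages (no logging message 302013, no logging message 106023, and so on), so re-enable them with logging message <id>; and the sh logging output showed "Trap logging: disabled", which means nothing at all is sent to the syslog host until logging trap informational (level 6) is set, since the Built messages are level 6 and the deny messages level 4.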