Solved

Track what ip addresses try to hit an external ip address in Cisco ASA

Posted on 2010-11-22
Last Modified: 2012-05-10
How can I monitor what IP addresses try to connect to an external-facing server on a Cisco ASA 5510? The server is set up with a static NAT with an internal and an external IP address. I want to monitor any attempts to connect to the external address and from what IP the attempt comes.
Question by:dmwynne

15 Comments
LVL 7

Expert Comment

by:joelvp
ID: 34190643
conf t
access-list caphitacl permit ip any host x.x.x.x

cap caphits interface outside access-list caphitacl

then after some time

show cap caphits

This really shows the packets. However, the buffer is limited.

-----------
Assuming you have somewhere

access-list outside_in permit ip any host x.x.x.x

if you set your logging level to 7 (debugging) with

logging buffered 7

you will then see a lot of other stuff you may not want to see.

-----------
To reduce messages:
you can change the logging level for that line as follows:

access-list outside_in permit ip any host x.x.x.x log 4

and change the logging level:

logging buffered 4

so all warnings and higher are logged.
----------------------
But all really depends on your other requirements with regard to logging. There are many possibilities.
E.g., you could also log to a syslog server, then you can be sure that your log data is retained. If you need that, let me know and I can give you the syntax.
LVL 14

Author Comment

by:dmwynne
ID: 34191501
Is the host here the external or internal address?

access-list caphitacl permit ip any host x.x.x.x

I actually set up both the internal and external IP and then connected to the host from outside (I telnetted to port 25), but the cap hits did not go up.

I would like to setup a syslog server.



LVL 7

Expert Comment

by:joelvp
ID: 34191986
What version of ASA are you using?

i.e. the command: show version

The address to use has changed in version 8.3.

Although, if you used both internal and external representation, one of them should have worked.
Could you post (relevant part of) the config?

to log to syslog:

Assume the syslog server is host a.b.c.d located on the inside; code the following:
logging host inside a.b.c.d
LVL 14

Author Comment

by:dmwynne
ID: 34192355
Cisco Adaptive Security Appliance Software Version 8.2(1)11
Device Manager Version 6.2(5)

This is the access list I created, not sure which part of config you need.

access-list caphitacl extended permit ip any host "external IP"
access-list caphitacl extended permit ip any host "internal ip"


Can't seem to get the syslog working either:

Here is the info from show run.


logging enable
logging timestamp
logging asdm warnings
logging host inside 10.10.4.42
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
LVL 14

Author Comment

by:dmwynne
ID: 34192391
OK, so I realized after this was posted how to get the syslog server working. Any chance you know what syslog level or what event numbers I should be looking for to see connections to the specific ACL that server uses?
LVL 7

Expert Comment

by:joelvp
ID: 34192447
That is not enough information. Did you do the capture or the logging on an access-list attached to an interface?
What is the syslog server you have running? Is it receiving logs from other hosts?

Best would be to paste the complete config (without passwords/external IPs).

Otherwise, what is result of the following commands:

sh run access-group
sh logging
sh cap
sh access-list

LVL 7

Expert Comment

by:joelvp
ID: 34192474
Oh, just saw your last message, so forget about the syslog.
The question about how you set up the access-list stuff is important. I think you don't have the access-group command; however, if you just set the logging level to 6, messages %ASA-6-302020 and %ASA-6-302021 are 2 interesting ones.
LVL 7

Expert Comment

by:joelvp
ID: 34192532
I see now that TCP connections are logged under a different code, but they do start with %ASA-6-3020, so you may want to select on those messages.
LVL 7

Expert Comment

by:joelvp
ID: 34192547
But I also see from your config that you are suppressing these messages with

no logging message 302015
.....
no logging message 302020

so I would take these lines out with the commands:
logging message 302015
.....
logging message 302020

LVL 14

Author Comment

by:dmwynne
ID: 34192597
sh run access-group - access-group outside_access_in in interface outside

sh logging - Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level warnings, 27 messages logged

sh cap - capture caphits type raw-data access-list caphitacl interface outside [Capturing - 0 bytes]

LVL 7

Expert Comment

by:joelvp
ID: 34192665
Your capture is correct and your ACL is correct. There should be a typo somewhere.

What is the output of the command

sh access-list caphitacl

?

Are your connection attempts now visible in syslog? Did you set it to level 6?
LVL 14

Author Comment

by:dmwynne
ID: 34192686
sh access-list caphitacl
access-list caphitacl; 2 elements; name hash: 0xb9185424
access-list caphitacl line 1 extended permit ip any host "external ip" (hitcnt=0) 0xef958d9a
access-list caphitacl line 2 extended permit ip any host "internal ip" (hitcnt=0) 0x7c3bab30

I did set it to level 6 and I can see some connection attempts. I am seeing an event that tells me what I need to know; it shows the external IP of a test machine I have connecting to the internal host. Is this the best way to see what I want to see?

11-22-2010      17:31:25      Local4.Debug      10.10.1.9      Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host outside:x.x.x.x
11-22-2010      17:31:25      Local4.Debug      10.10.1.9      Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host inside:x.x.x.x
LVL 7

Accepted Solution

by:
joelvp earned 500 total points
ID: 34193230
Yes, if you only need to know the fact that a host connects, the logging information is the easiest way. I use it at most places to track access to/from resources. The capture is only needed in case you need detailed information about the packets being sent. Use logging on an access-list entry if you really only want to log one specific item, but this comes down to the same thing, as you still log to either the buffer, syslog, ASDM, etc.
LVL 14

Author Comment

by:dmwynne
ID: 34197032
I am able to show a connection; how do I log a denied attempt? I want to be able to see a connection attempt from an IP range that is not allowed.
LVL 14

Author Comment

by:dmwynne
ID: 34198253
I found out that I could do this using 106023.

Thanks
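The syslog route the accepted answer settles on (the %ASA-6-3020xx "Built ... connection" messages) and the %ASA-4-106023 "Deny" message the asker found for blocked attempts both carry the source address and the server address, so the actual tracking can be done by parsing the syslog feed rather than by watching the ASDM viewer. The following parser is an added example, not code from the thread or from Cisco. The log lines in it are constructed: the addresses are RFC 5737 documentation ranges, with 198.51.100.10 standing in for the server's static-NAT external address and 10.10.4.50 for its real inside address. Because a pre-8.3 ASA writes the mapped (external) address into an outside ACL's 106023 message while 302013/302015 carry both the real and the mapped address, the matcher accepts either, so it works whether you feed it the inside or the outside IP.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread). Addresses are
# RFC 5737 documentation ranges: 198.51.100.10 plays the static-NAT external
# address of the server, 10.10.4.50 its real inside address, 203.0.113.0/24
# the Internet-side clients.
SAMPLE_LOG = """\
Nov 22 2010 17:30:54: %ASA-6-302013: Built inbound TCP connection 40811 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.10.4.50/25 (198.51.100.10/25)
Nov 22 2010 17:30:55: %ASA-6-302014: Teardown TCP connection 40811 for outside:203.0.113.5/51234 to inside:10.10.4.50/25 duration 0:00:01 bytes 312 TCP FINs
Nov 22 2010 17:31:02: %ASA-6-302015: Built inbound UDP connection 40812 for outside:203.0.113.9/53001 (203.0.113.9/53001) to inside:10.10.4.50/53 (198.51.100.10/53)
Nov 22 2010 17:31:10: %ASA-4-106023: Deny tcp src outside:203.0.113.77/4455 dst inside:198.51.100.10/25 by access-group "outside_access_in" [0x0, 0x0]
Nov 22 2010 17:31:11: %ASA-4-106023: Deny tcp src outside:203.0.113.77/4456 dst inside:198.51.100.10/3389 by access-group "outside_access_in" [0x0, 0x0]
Nov 22 2010 17:31:20: %ASA-6-302013: Built inbound TCP connection 40813 for outside:203.0.113.5/51300 (203.0.113.5/51300) to inside:10.10.4.60/443 (198.51.100.11/443)
Nov 22 2010 17:31:25: %ASA-7-609001: Built local-host outside:203.0.113.5
"""

# %ASA-6-302013 (TCP) / %ASA-6-302015 (UDP): "Built inbound TCP connection <id>
# for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)"
BUILT_RE = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for (?P<sif>[^\s:]+):(?P<src>[\d.]+)/\d+ \((?P<smap>[\d.]+)/\d+\) "
    r"to (?P<dif>[^\s:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<dmap>[\d.]+)/\d+\)"
)

# %ASA-4-106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
# by access-group "<acl>"". Ports are absent for ICMP, hence optional.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>[^\s:]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dif>[^\s:]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_event(line):
    """Return a dict for a built or denied connection, or None for other messages."""
    m = BUILT_RE.search(line)
    if m:
        return {
            "verdict": "built",
            "proto": m["proto"].lower(),
            "src": m["src"],
            # keep both real and mapped destination so a match works whether
            # the caller knows the inside or the outside address of the server
            "dst": {m["dst"], m["dmap"]},
            "dport": int(m["dport"]),
            "acl": None,
        }
    m = DENY_RE.search(line)
    if m:
        return {
            "verdict": "denied",
            "proto": m["proto"].lower(),
            "src": m["src"],
            "dst": {m["dst"]},
            "dport": int(m["dport"]) if m["dport"] else None,
            "acl": m["acl"],
        }
    return None


def hits_to_server(log_text, server_ips):
    """All built/denied attempts whose destination is one of server_ips."""
    server_ips = set(server_ips)
    events = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and ev["dst"] & server_ips:
            events.append(ev)
    return events


def top_sources(events):
    """(source_ip, verdict, count) tuples, busiest first."""
    counts = Counter((ev["src"], ev["verdict"]) for ev in events)
    return sorted(
        ((src, verdict, n) for (src, verdict), n in counts.items()),
        key=lambda t: (-t[2], t[0], t[1]),
    )


if __name__ == "__main__":
    for src, verdict, n in top_sources(hits_to_server(SAMPLE_LOG, {"198.51.100.10"})):
        print(f"{src:16} {verdict:7} {n}")
```

Point it at the file your syslog server writes (or at the output of `show logging` with buffered logging at level 6) instead of SAMPLE_LOG. Teardown (302014/302016) and local-host (609001) messages are deliberately ignored, so each attempt is counted once; a deny only appears if the denying ACL's 106023 message has not been suppressed with `no logging message 106023`, as it was in the config posted above.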