Track what ip addresses try to hit an external ip address in Cisco ASA

How can I monitor what IP addresses try to connect to an external-facing server on a Cisco ASA 5510? The server is set up with a static NAT with an internal and external IP address. I want to monitor any attempts to connect to the external address and from what IP the attempt is from.
Yes, if you only need to know the fact that a host connects, the logging information is the easiest way. I use it at most places to track access to/from resources. The capture is only needed in case you need detailed information about the packets being sent. Logging with an access-list entry if you really only want to log one specific item, but this comes down to the same thing as you also log to either the buffer or syslog or asdm etc.
conf t
access-list caphitacl permit ip any host x.x.x.x

cap caphits interface outside access-list caphitacl

then after some time

show cap caphits

this really shows the packets. However the buffer is limited.

Assuming you have somewhere

access-list outside_in permit ip any host x.x.x.x

If you set your logging level to 7 (debugging) with

logging buffered 7

but then you see a lot of other stuff you may not want to see

To reduce messages:
you can change the logging level for that line as follows:

access-list outside_in permit ip any host x.x.x.x log 4

and change the logging level:

logging buffered 4

so all warnings and higher are logged.
But all really depends on your other requirements with regard to logging. There are many possibilities.
E.g., you could also log to a syslog server, then you can be sure that your log data is retained. If you need that, let me know and I can give you the syntax.
dmwynneAuthor Commented:
Is the host here the external or internal address?

access-list caphitacl permit ip any host x.x.x.x

I actually set up both the internal and external IP and then connected to the host from outside. I telnetted to port 25, but the cap hits did not go up.

I would like to setup a syslog server.

what version of ASA are you using?

ie: command: show version

Address to use has changed in version 8.3

Although, if you used both internal and external representation, one of them should have worked.
Could you post (relevant part of) the config?

to log to syslog:

assume the syslog server is host a.b.c.d located on the inside; code the following:
logging host inside a.b.c.d
dmwynneAuthor Commented:
Cisco Adaptive Security Appliance Software Version 8.2(1)11
Device Manager Version 6.2(5)

This is the access list I created, not sure which part of config you need.

access-list caphitacl extended permit ip any host "external IP"
access-list caphitacl extended permit ip any host "internal ip"

Can't seem to get the syslog working either:

Here is the info from show run.

logging enable
logging timestamp
logging asdm warnings
logging host inside
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
dmwynneAuthor Commented:
OK so I realized after this was posted how to get the syslog server working.  Any chance you know what level syslog or what event numbers I should be looking for to see connections to the specific acl that server uses?
That is not enough information. Did you do the capture or the logging on an access-list attached to an interface?
What is the syslog server you have running? Is it receiving logs from other hosts?

Best would be to paste the complete config (without passwords/external ip's)

Otherwise, what is result of the following commands:

sh run access-group
sh logging
sh cap
sh access-list

Oh, just saw your last message, so forget about the syslog.
The question about how you set up the access-list stuff is important. I think you don't have the access-group command; however, if you just set the logging level to 6, messages %ASA-6-302020 and %ASA-6-302021 are 2 interesting ones.
I see now that TCP connections are logged under a different code, but they do start with %ASA-6-3020 so you may want to select on those messages
But I also see from your config, you are suppressing these messages with

no logging message 302015
no logging message 302020

so I would take these lines out with the commands:
logging message 302015
logging message 302020

dmwynneAuthor Commented:
sh run access-group - access-group outside_access_in in interface outside

sh logging - Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level warnings, 27 messages logged

sh cap - capture caphits type raw-data access-list caphitacl interface outside [Capturing - 0 bytes]

Your capture is correct and your ACL is correct. There should be a typo somewhere.

What is the output of the command

sh access-list caphitacl


Are your connection attempts now visible in syslog? Did you set it to level 6?
dmwynneAuthor Commented:
sh access-list caphitacl
access-list caphitacl; 2 elements; name hash: 0xb9185424
access-list caphitacl line 1 extended permit ip any host "external ip" (hitcnt=0) 0xef958d9a
access-list caphitacl line 2 extended permit ip any host "internal ip" (hitcnt=0) 0x7c3bab30

I did set it to level 6 and I can see some connection attempts. I am seeing an event that tells me what I need to know: it shows the external IP of a test machine I have connecting to the internal host. Is this the best way to see what I want to see?

11-22-2010      17:31:25      Local4.Debug      Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host outside:x.x.x.x
11-22-2010      17:31:25      Local4.Debug      Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host inside:x.x.x.x
dmwynneAuthor Commented:
I am able to show a connection; how do I log a denied attempt? I want to be able to see a connection attempt from an IP range that is not allowed.
dmwynneAuthor Commented:
I found out that I could do this using 106023.
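Once the 3020xx "Built" messages and the 106023 "Deny" messages are arriving at the syslog server, a small parser can answer the original question directly: which source IPs reached the server, and which were denied by the access-group. This is an added example, not code from the thread; the sample lines are constructed (RFC 5737 addresses) and follow the 8.2-era message layout assumed here, where 302013 lists the real address first and the NAT-mapped address in parentheses, so matching on both the inside and the static-NAT outside address of the server handles the "which host do I use" confusion from the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (RFC 5737 addresses); not taken from the thread.
SAMPLE_LOG = """\
Nov 22 2010 17:30:54: %ASA-7-609001: Built local-host outside:203.0.113.5
Nov 22 2010 17:30:54: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.25/25 (198.51.100.10/25)
Nov 22 2010 17:31:02: %ASA-4-106023: Deny tcp src outside:203.0.113.9/44321 dst inside:10.0.0.25/25 by access-group "outside_access_in" [0x0, 0x0]
Nov 22 2010 17:31:05: %ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.77/40000 to inside:10.0.0.9/443 (198.51.100.11/443)
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# 302013 body: "for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)"
CONN_RE = re.compile(
    r"for \w+:(?P<src>[\d.]+)/\d+(?: \([\d.]+/\d+\))?"
    r" to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)(?: \((?P<dmap>[\d.]+)/\d+\))?")
# 106023 body: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
DENY_RE = re.compile(
    r"Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r' by access-group "(?P<acl>[^"]+)"')

def parse_line(line):
    """Parse a 302013 (built) or 106023 (denied) line; None for other messages such as 609001."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_id, body = m.group("id"), m.group("body")
    if msg_id == "302013":           # connection built: real address first, NAT-mapped in ()
        c = CONN_RE.search(body)
        if c:
            return {"action": "built", "src": c["src"], "dst": c["dst"],
                    "dst_mapped": c["dmap"], "dport": int(c["dport"])}
    elif msg_id == "106023":         # packet denied by an access-group
        d = DENY_RE.search(body)
        if d:
            return {"action": "denied", "src": d["src"], "dst": d["dst"],
                    "dst_mapped": None, "dport": int(d["dport"]), "acl": d["acl"]}
    return None

def connections_to(log_text, server_ips):
    """Source IPs per outcome for events whose real or NAT-mapped destination is in server_ips."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (ev["dst"] in server_ips or ev["dst_mapped"] in server_ips):
            hits[ev["action"]].add(ev["src"])
    return {k: sorted(v) for k, v in hits.items()}

# Check both the inside (real) and outside (static NAT) address of the server.
print(connections_to(SAMPLE_LOG, {"10.0.0.25", "198.51.100.10"}))
```

Feeding the real syslog file in place of SAMPLE_LOG gives the allowed and denied source lists for the server; the 609001 lines are ignored because they carry no peer address.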
