Decipher ASA ACL Hex ID in Syslog

Unanswered Question
Oct 30th, 2007

There is a hex id in ASA syslogs that corresponds to which ACL or ACE line generated the log entry. I know that ASDM uses it, but I want to know how to decipher it for use with other apps.


Anyone figure it out?


See examples below:


%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.1(1165) -> Inside_VLAN_248/SERVER1(80) hit-cnt 1 first hit [0xf2412831, 0xc45cf9c2]

%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.2(1503) -> Inside_VLAN_248/SERVER2(8008) hit-cnt 1 first hit [0x83e69c8, 0xee877a0]

tstanik Mon, 11/05/2007 - 10:07

In the syslog entry, there are two hashes. The first one points to the configured ACE which is the ACE that appears in the "show running-config" output. The second one points to the ACE that is expanded if the configured ACE uses object groups. It will be "0x0" if the ACE does not use object groups. But still it won't be possible to use this with some other application.

scottpickett Mon, 11/05/2007 - 21:51

What I mean by other apps is a log viewer and I would like to know which ACL or ACE put the entry in the log? There is no way to do this you think?


scottpickett Fri, 11/09/2007 - 09:18

I found out how to do it. Here it is:

So let's say a system administrator comes to me and says “I have a new server that needs to send print jobs to a print queue and it's not working. My old server is working though.”

What I want to know is, “What is the rule that allows the old server to work?” so I can add the new server to that rule.

When I look through my syslog server for the “old server” which has the ip address of 10.10.30.101, I find this:

“%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/10.10.30.101(4172) -> Outside_VLAN/192.168.69.61(9100) hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]”

So now I know the ACL line with the hex id “0xa00e0f20” is the line that allowed the packet through.

So I go to my firewall and run the command:

“show access-list | include 0xa00e0f20”

I get the following output:

“access-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20”

I now know that IN_ACL line 2 permitted the traffic and I know that I need to add the new server to the PRINT_SERVERS object.

Alternatively, using the second hex id, you can find the actual ACE that permitted the traffic too:

FIREWALL#show access-list | include 0xb4d3bb50

access-list IN_ACL line 2 extended permit tcp host 10.10.30.101 192.168.69.0 255.255.255.0 eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50

With this method, you can have many ACL lines and still locate the exact line that is permitting or denying traffic.
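The two-hash rule tstanik gives (first hash = configured ACE, second hash = expanded ACE, 0x0 when no object groups are involved) and the "show access-list | include <hash>" procedure scottpickett walks through can be automated inside the log viewer the thread asks about. The script below is an added example, not code from the thread or from Cisco: it parses %ASA-3-106100 lines, indexes the hash at the end of every ACE in a captured "show access-list" output, and resolves each log entry to its configured and expanded ACE. The first two syslog lines are the thread's own examples; the third syslog line, the "show access-list" text and the line-1 ACE with hash 0x1234abcd are constructed for illustration.

```python
"""Map the two hash IDs in an ASA 106100 syslog entry back to ACE lines."""
import re

# Constructed sample log: the first two entries are the thread's own examples,
# the third is made up to show the N-second-interval form and a 0x0 second hash.
SAMPLE_SYSLOG = [
    "%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/10.10.30.101(4172) "
    "-> Outside_VLAN/192.168.69.61(9100) hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]",
    "%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.1(1165) "
    "-> Inside_VLAN_248/SERVER1(80) hit-cnt 1 first hit [0xf2412831, 0xc45cf9c2]",
    "%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/10.10.30.5(51234) "
    "-> Outside_VLAN/192.168.69.10(22) hit-cnt 5 300-second interval [0x1234abcd, 0x0]",
]

# Constructed "show access-list" capture, modelled on the lines quoted in the
# thread. Line 1 (hash 0x1234abcd) is invented; line 2 is the thread's
# object-group ACE followed by its expanded form, each with its own hash.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list IN_ACL line 1 extended permit tcp host 10.10.30.5 host 192.168.69.10 eq 22 (hitcnt=42) 0x1234abcd
access-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20
  access-list IN_ACL line 2 extended permit tcp host 10.10.30.101 192.168.69.0 255.255.255.0 eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50
"""

# TCP/UDP form of 106100 as shown in the thread (ICMP entries differ and are not covered).
SYSLOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/ ]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/ ]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<cfg_hash>0x[0-9a-fA-F]+), (?P<exp_hash>0x[0-9a-fA-F]+)\]"
)

# An ACE line from "show access-list": ends with its hash; expanded ACEs are indented.
ACE_RE = re.compile(
    r"^\s*(?P<ace>access-list (?P<acl>\S+) line (?P<line>\d+) .*?)\s+(?P<hash>0x[0-9a-fA-F]+)\s*$"
)


def parse_106100(line):
    """Return the fields of a 106100 message as a dict, or None if the line is not one."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # Compare hashes as integers so 0x083e69c8 and 0x83e69c8 refer to the same ACE.
    fields["cfg_hash"] = int(fields["cfg_hash"], 16)
    fields["exp_hash"] = int(fields["exp_hash"], 16)
    return fields


def index_access_list(show_output):
    """Build {hash -> (acl, line_number, ace_text)} from 'show access-list' output."""
    index = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            index[int(m.group("hash"), 16)] = (
                m.group("acl"), int(m.group("line")), m.group("ace").strip()
            )
    return index


def resolve(line, index):
    """Do 'show access-list | include <hash>' for both hashes of one log entry."""
    entry = parse_106100(line)
    if entry is None:
        return None
    cfg = index.get(entry["cfg_hash"])
    # Second hash is 0x0 when the configured ACE uses no object groups.
    exp = index.get(entry["exp_hash"]) if entry["exp_hash"] != 0 else None
    return {
        "acl": entry["acl"],
        "action": entry["action"],
        "flow": f'{entry["src"]}:{entry["sport"]} -> {entry["dst"]}:{entry["dport"]}',
        "line": cfg[1] if cfg else None,
        "configured_ace": cfg[2] if cfg else None,
        "expanded_ace": exp[2] if exp else None,
    }


if __name__ == "__main__":
    idx = index_access_list(SAMPLE_SHOW_ACCESS_LIST)
    for entry in SAMPLE_SYSLOG:
        print(resolve(entry, idx))
```

The second sample line resolves to no ACE because the OUTSIDE ACL is not in the captured output, which is exactly what an unresolved hash looks like in practice; rebuild the index from a fresh "show access-list" after any ACL edit so lookups reflect the current configuration rather than a stale snapshot.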


