ASA5550 - logging disable issue

Answered Question
Aug 6th, 2008

Hello,


My Firewall is an ASA 5550 running software 8.0(3).

I see the following message many times in my logs:


"%asa-2-106006: deny inbound udp from 192.168.1.x/138 to 192.168.1.255/138 on interface outside".


The range 192.168.1.128/25 is the pool for my IPSec remote access users.


I don't want to use the "sysopt connection permit-vpn". So I have some specific rules on my outside interface for VPN access.

I've put in 2 rules to disable logging for the NetBIOS protocol.


"access-list outside_access_in extended deny udp 192.168.1.128 255.255.255.128 host 192.168.1.255 object-group NBT-UDP log disable"

"access-list outside_access_in extended deny udp 192.168.1.128 255.255.255.128 any object-group NBT-UDP log disable"


Object-Group NBT-UDP is defined as below:

object-group service NBT-UDP udp
  port-object eq 135
  port-object eq 136
  port-object eq 137
  port-object eq 138
  port-object eq 139


Are there any errors in my config?

How can I remove the "noise" generated by NetBIOS traffic from my IPSec remote users?


Thanks

Christian


Farrukh Haroon Wed, 08/06/2008 - 06:28
User Badges:
  • Red, 2250 points or more

Not all messages are generated due to the 'log' message on the ACL on the ASA/PIX.

As per the command reference:


" If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated. "


You can disable this message by:


no logging message 106006


But this will disable this message for all flows. You could also push this message to level 7 and log to level 6.


Regards


Farrukh



christian.belkreir Wed, 08/06/2008 - 06:36

Thanks for your answer Farrukh.


But I don't want to disable syslog message 106006.

I only want to disable logging for netbios traffic on broadcast address.


Is it possible or not?


Many thanks

Regards,

Christian

Farrukh Haroon Wed, 08/06/2008 - 06:40
User Badges:
  • Red, 2250 points or more

As far as I know, you cannot filter syslogs based on particular IPs.


Regards


Farrukh

christian.belkreir Wed, 08/06/2008 - 06:47

I agree with you regarding the "logging filter" command.


If I understand your answer correctly, in my case the log didn't come from the ACL engine.

So putting in rules with the "log disable" option, as I've done, will not solve my issue?


Regards,

Christian

Correct Answer
Farrukh Haroon Wed, 08/06/2008 - 06:55
User Badges:
  • Red, 2250 points or more

Yup, it did not come from the ACL engine, that seems obvious and this is a pretty old behavior of the finesse code. It runs two sets of logging functions. Even if you don't have ANY acl on an interface, all connection messages are 'logged' on the firewall.


Regards


Farrukh
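Since the thread concludes that 106006 is emitted by the connection engine rather than the ACL engine (so "log disable" on an ACE cannot suppress it) and that the ASA cannot filter syslogs by IP, the two remaining options are the severity change Farrukh suggests or filtering at the syslog collector. The following Python script is an added example, not code from the thread or from Cisco: it parses ASA deny lines, drops only the NetBIOS-broadcast messages from the 192.168.1.128/25 VPN pool (the ports come from the NBT-UDP object-group above), and also emulates what "logging message 106006 level 7" plus "logging trap 6" would do so the trade-off of losing every 106006 is visible. The sample log lines are constructed for the example; the message-ID set and the assumption that a message is forwarded when its severity number is at or below the trap level are the only ASA behaviours it models.

```python
import ipaddress
import re

# Pattern for the message family quoted in the thread, e.g.
# "%asa-2-106006: deny inbound udp from 192.168.1.x/138 to 192.168.1.255/138 on interface outside"
ASA_DENY_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Deny inbound (?P<proto>\w+) "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)",
    re.IGNORECASE,
)

# Values taken from the thread: VPN pool, broadcast address, NBT-UDP object-group ports.
VPN_POOL = ipaddress.ip_network("192.168.1.128/25")
BROADCAST = ipaddress.ip_address("192.168.1.255")
NBT_UDP_PORTS = {135, 136, 137, 138, 139}

# IDs the command-reference quote ties to the ACL 'log' keyword; 106006 is not among them.
ACL_GENERATED_IDS = {"106023", "106100"}

# Constructed sample lines (not real captures). Hosts .130/.140 send NetBIOS to the broadcast
# address from inside the pool; 203.0.113.7 is outside the pool; .131 is in the pool but not NetBIOS.
SAMPLE_LOG = [
    "%ASA-2-106006: Deny inbound UDP from 192.168.1.130/138 to 192.168.1.255/138 on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 192.168.1.140/137 to 192.168.1.255/137 on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 203.0.113.7/4444 to 192.168.1.255/138 on interface outside",
    "%ASA-2-106006: Deny inbound UDP from 192.168.1.131/1025 to 192.168.1.255/53 on interface outside",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.5/22 by access-group "outside_access_in"',
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51001 to inside:10.0.0.5/443",
]


def parse_deny(line):
    """Return the fields of a 'Deny inbound' message, or None for any other line."""
    m = ASA_DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "severity": int(d["sev"]),
        "msgid": d["msgid"],
        "proto": d["proto"].lower(),
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "iface": d["iface"],
    }


def is_acl_generated(msgid):
    """True for IDs the ACL 'log' keyword produces; 106006 is connection-engine generated."""
    return msgid in ACL_GENERATED_IDS


def is_vpn_netbios_broadcast(event):
    """The exact noise pattern from the thread: pool host -> 192.168.1.255 on an NBT-UDP port."""
    return (
        event["msgid"] == "106006"
        and event["proto"] == "udp"
        and event["src"] in VPN_POOL
        and event["dst"] == BROADCAST
        and event["dport"] in NBT_UDP_PORTS
    )


def filter_noise(lines):
    """Collector-side filter: drop only the VPN-pool NetBIOS broadcast denies, keep everything else."""
    kept = []
    for line in lines:
        ev = parse_deny(line)
        if ev is not None and is_vpn_netbios_broadcast(ev):
            continue
        kept.append(line)
    return kept


def emulate_trap_threshold(lines, level_overrides, trap_level):
    """Model 'logging message <id> level <n>' plus 'logging trap <level>' (assumption: a message is
    forwarded when its effective severity number is <= trap_level). Shows why moving 106006 to
    level 7 with trap at 6 silences every 106006, not just the NetBIOS ones."""
    out = []
    for line in lines:
        m = re.search(r"%ASA-(\d)-(\d{6})", line, re.IGNORECASE)
        if not m:
            out.append(line)
            continue
        sev, msgid = int(m.group(1)), m.group(2)
        if level_overrides.get(msgid, sev) <= trap_level:
            out.append(line)
    return out


if __name__ == "__main__":
    print("targeted filter keeps:", len(filter_noise(SAMPLE_LOG)), "of", len(SAMPLE_LOG))
    print("106006->7, trap 6 keeps:", len(emulate_trap_threshold(SAMPLE_LOG, {"106006": 7}, 6)))
```

The targeted filter keeps the deny from outside the pool and the non-NetBIOS deny from inside it, which a severity change would discard along with the noise; that is the difference between the two approaches the thread discusses.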
