ASA syslog

Jun 23rd, 2009

Why does the firewall block the following IPs? 207.105.ttt.ttt is the outside interface of the firewall. Below the syslog messages is the firewall's "access-list OUTSIDE-ACL".


06-23-2009 09:33:38 Local4.Warning 192.168.1.10 Jun 23 2009 09:06:52: %ASA-4-106023: Deny udp src outside:77.67.10.132/3478 dst Inside:207.105.ttt.ttt/51458 by access-group "OUTSIDE-ACL" [0x0, 0x0]
06-23-2009 09:33:29 Local4.Warning 192.168.ooo.ooo Jun 23 2009 09:06:43: %ASA-4-106023: Deny tcp src outside:78.153.19.185/2427 dst outside:207.105.ttt.ttt/445 by access-group "OUTSIDE-ACL" [0x0, 0x0]


access-list OUTSIDE-ACL extended permit udp any host 207.105.ttt.ttt eq syslog
access-list OUTSIDE-ACL extended permit icmp any any echo
access-list OUTSIDE-ACL extended permit icmp any any echo-reply
access-list OUTSIDE-ACL extended permit icmp any any unreachable
access-list OUTSIDE-ACL extended permit icmp any any time-exceeded
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq smtp
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq ssh
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq https
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq www
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq pop3
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.yyy
access-list OUTSIDE-ACL extended deny tcp host 60.223.nnn.ttt any
access-list OUTSIDE-ACL extended deny tcp host 89.0.fff.eee any
access-list OUTSIDE-ACL remark "IPS ALERT ACCESS TO BARACUDA"
access-list OUTSIDE-ACL remark "IPS ALERT ACCESS TO BARACUDA"
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.yyy eq https

Collin Clark Tue, 06/23/2009 - 12:16

It blocks it because there is no rule to permit it. The only rule with 207.105.ttt.ttt is the following:


access-list OUTSIDE-ACL extended permit udp any host 207.105.ttt.ttt eq syslog


Anything other than syslog will be denied.

saidfrh Tue, 06/23/2009 - 12:32

Since this is a stateful firewall, does access to the firewall from outside that was not initiated from the inside produce a syslog message?

Correct Answer
Collin Clark Tue, 06/23/2009 - 12:34

You will need to set the logging level to Informational (6).
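The two points made in this thread, that a %ASA-4-106023 message is the ACL's first-match lookup falling through to the implicit deny, and that the trap level decides which severities reach the syslog server, can be checked mechanically. The Python below is an added example, not code from the thread or from Cisco: it parses the two posted 106023 lines, replays them against a toy model of the posted OUTSIDE-ACL (only "any" / "host X" endpoints and an optional "eq PORT" are honoured; networks, object-groups, port ranges and ICMP types are not), and reports which ACE, or the implicit deny, produced each message. It also compares the severity digit against a "logging trap" keyword; the severity-6 302013 line used for that comparison is constructed for the example.

```python
import re

# Added example (not from the thread): replay %ASA-4-106023 denies against a toy
# model of the posted OUTSIDE-ACL and check what a given trap level would emit.

# The two messages from the thread. The original poster masked some octets as
# "ttt"/"ooo"; addresses are handled as opaque strings, so the masking is harmless.
SYSLOG_LINES = [
    '06-23-2009 09:33:38 Local4.Warning 192.168.1.10 Jun 23 2009 09:06:52: '
    '%ASA-4-106023: Deny udp src outside:77.67.10.132/3478 '
    'dst Inside:207.105.ttt.ttt/51458 by access-group "OUTSIDE-ACL" [0x0, 0x0]',
    '06-23-2009 09:33:29 Local4.Warning 192.168.ooo.ooo Jun 23 2009 09:06:43: '
    '%ASA-4-106023: Deny tcp src outside:78.153.19.185/2427 '
    'dst outside:207.105.ttt.ttt/445 by access-group "OUTSIDE-ACL" [0x0, 0x0]',
]

# Constructed severity-6 connection-build message (not from the thread), used to
# show what "logging trap warnings" hides and "logging trap informational" shows.
INFO_LINE = ('%ASA-6-302013: Built inbound TCP connection 1001 for '
             'outside:198.51.100.7/40000 (198.51.100.7/40000) to '
             'inside:192.0.2.10/443 (203.0.113.5/443)')

# A representative subset of the posted OUTSIDE-ACL, kept in its original order.
ACL_TEXT = """
access-list OUTSIDE-ACL extended permit udp any host 207.105.ttt.ttt eq syslog
access-list OUTSIDE-ACL extended permit icmp any any echo
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq smtp
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.xxx eq https
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.yyy
access-list OUTSIDE-ACL extended deny tcp host 60.223.nnn.ttt any
access-list OUTSIDE-ACL remark "IPS ALERT ACCESS TO BARACUDA"
access-list OUTSIDE-ACL extended permit tcp any host 207.105.ttt.yyy eq https
"""

SEVERITY_RE = re.compile(r'%ASA-(?P<sev>\d)-(?P<id>\d{6}):')
DENY_RE = re.compile(
    r'%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')
ACE_RE = re.compile(
    r'access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) '
    r'(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?')

# ASA port keywords that appear in the posted ACL, mapped to port numbers.
PORT_NAMES = {'syslog': 514, 'smtp': 25, 'ssh': 22, 'https': 443, 'www': 80, 'pop3': 110}
# "logging trap <level>" keywords and their numeric severities.
TRAP_LEVELS = {'emergencies': 0, 'alerts': 1, 'critical': 2, 'errors': 3,
               'warnings': 4, 'notifications': 5, 'informational': 6, 'debugging': 7}


def port_number(token):
    """Resolve an ASA port keyword or number; None when the ACE has no 'eq' clause."""
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_acl(text):
    """Turn access-list lines into ACE dicts; remarks and unsupported syntax are skipped."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # remark lines, or syntax this toy model does not cover
        aces.append({'action': m.group('action'), 'proto': m.group('proto'),
                     'src': m.group('src'), 'dst': m.group('dst'),
                     'port': port_number(m.group('port')), 'line': line.strip()})
    return aces


def endpoint_matches(spec, ip):
    return spec == 'any' or spec == f'host {ip}'


def evaluate(aces, proto, src, dst, dport):
    """First-match lookup, falling through to the implicit deny at the end of the list."""
    for ace in aces:
        if ace['proto'] not in (proto, 'ip'):
            continue
        if not endpoint_matches(ace['src'], src) or not endpoint_matches(ace['dst'], dst):
            continue
        if ace['port'] is not None and ace['port'] != dport:
            continue
        return ace['action'], ace['line']
    return 'deny', 'implicit deny at end of access-list'


def explain_deny(line, aces):
    """Parse a 106023 message and report which ACE (or the implicit deny) produced it."""
    m = DENY_RE.search(line)
    if not m:
        return None
    verdict, matched = evaluate(aces, m.group('proto'), m.group('src'),
                                m.group('dst'), int(m.group('dport')))
    return {'proto': m.group('proto'), 'src': m.group('src'), 'dst': m.group('dst'),
            'dport': int(m.group('dport')), 'acl': m.group('acl'),
            'verdict': verdict, 'matched': matched}


def severity(line):
    """Severity digit from the %ASA-<sev>-<id> prefix, or None if absent."""
    m = SEVERITY_RE.search(line)
    return int(m.group('sev')) if m else None


def emitted_at(line, trap_level):
    """True if 'logging trap <trap_level>' would send this message to the syslog server."""
    return severity(line) <= TRAP_LEVELS[trap_level]


if __name__ == '__main__':
    acl = parse_acl(ACL_TEXT)
    for line in SYSLOG_LINES:
        info = explain_deny(line, acl)
        print(f"{info['proto']} {info['src']} -> {info['dst']}:{info['dport']}: "
              f"{info['verdict']} via {info['matched']}")
    for line in SYSLOG_LINES + [INFO_LINE]:
        print(severity(line), emitted_at(line, 'warnings'), emitted_at(line, 'informational'))
```

Both posted messages end at the implicit deny: the only ACE naming 207.105.ttt.ttt is the udp/syslog permit, and neither udp/51458 nor tcp/445 matches it. The model also makes the ordering point visible: because `permit tcp any host 207.105.ttt.yyy` precedes `deny tcp host 60.223.nnn.ttt any`, TCP from that source to .yyy is permitted by the earlier line before the deny is ever consulted.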
