ASA Logging Traffic Outbound

Unanswered Question
Feb 11th, 2010

Hello,


I need to be able to find an errant PC on an internal network that is sending RDP traffic outbound.

Has anyone any pointers on this?


I need to log port 3389 from inside to outside.


Thank you.

S.

Collin Clark Thu, 02/11/2010 - 11:44

Create an ACL that will go on the inside interface.


access-list find_pc extended permit tcp any any eq 3389 log

access-list find_pc extended permit ip any any

access-group find_pc in interface inside


This will generate a log message when an RDP packet is sent to the outside. You can view the log with


show logging


Is this what you're looking for?
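
An added example, not part of the original thread: an ACE with the log keyword reports matches as syslog message 106100, so a short script can tally which inside hosts sent traffic to TCP/3389. The log lines below are constructed samples in that message format, and rdp_sources is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation-range addresses), not real logs.
SAMPLE_LOG = """\
Feb 11 2010 11:50:01: %ASA-6-106100: access-list find_pc permitted tcp inside/192.168.10.23(49211) -> outside/203.0.113.50(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 11 2010 11:55:01: %ASA-6-106100: access-list find_pc permitted tcp inside/192.168.10.23(49230) -> outside/203.0.113.50(3389) hit-cnt 14 300-second interval [0x1a2b3c4d, 0x0]
Feb 11 2010 11:56:10: %ASA-6-106100: access-list find_pc permitted tcp inside/192.168.10.77(50112) -> outside/198.51.100.9(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb 11 2010 11:56:12: %ASA-6-106100: access-list other_acl permitted tcp inside/192.168.10.5(50000) -> outside/203.0.113.8(80) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Feb 11 2010 11:56:13: %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.8/80 (203.0.113.8/80) to inside:192.168.10.5/50000 (198.51.100.2/50000)
"""

# Fields of message 106100: ACL name, action, protocol, then
# interface/address(port) for source and destination, then the hit count.
LINE_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)

def rdp_sources(log_text, acl="find_pc", port=3389, src_if="inside"):
    """Return (hits per source IP, destinations per source IP) for the ACL."""
    totals = Counter()
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 106100 message
        if (m["acl"] != acl or m["proto"] != "tcp"
                or m["src_if"] != src_if or int(m["dport"]) != port):
            continue  # different ACL, protocol, interface or port
        # hit-cnt is the number of matches the message summarises.
        totals[m["src"]] += int(m["hits"])
        peers.setdefault(m["src"], set()).add(m["dst"])
    return totals, peers

if __name__ == "__main__":
    totals, peers = rdp_sources(SAMPLE_LOG)
    for src, hits in totals.most_common():
        print(f"{src}: {hits} hits -> {', '.join(sorted(peers[src]))}")
```
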

Diego Armando C... Thu, 02/11/2010 - 12:39

Something easier



access-list CAPIN permit tcp host PC-IPADDRESS any eq 3389

access-list CAPIN permit tcp any eq 3389 host PC-IPADDRESS


capture CAP access-list CAPIN interface INSIDE


Then wait until the PC uses port 3389, and whenever you can, do a show capture CAP


Hope it helps
