
ASA - log traffic coming To the ASA

Apr 5th, 2012

Hi,
we all do know CBAC on our routers, we create 'deny all' on the outside interface for all traffic coming IN. CBAC is going to open the ports for all traffic coming back and deny everything else that was not originated in the LAN... and you can LOG it all as this is an ACL.


I want to do the same with my ASA5505. I want to know that someone tried to e.g. RDP to my outside interface of my ASA etc. Unfortunately 'deny any any' on the outside interface (incoming traffic) does not catch these things. My config:
LAN ---- ASA ---- Internet ---- PC1


PC1 is trying to RDP to the outside interface of the ASA and 3389 is closed. I want to log it. I enabled the logs, I am checking the live logs in my ASDM and can see a lot of messages (logs are working) but these requests are not being logged/dropped.


I am sure that e.g. RDP to the outside interface of my ASA is dropped right? The port IS closed. How can I log it please?

Jouni Forss Thu, 04/05/2012 - 09:46

Hi,


What is your logging level for either buffer, asdm or syslog server?


If you are using the Windows remote desktop client to connect to the ASA outside you should get a Level 7 syslog message which is debugging.


The Syslog ID for these discarded packets towards the ASA's outside interface is %ASA-7-710005


%ASA-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service


The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.


The command "logging asdm debugging" should make these messages visible on ASDM.


Hope this helps, please rate if it was of any help


- Jouni

Jouni Forss Thu, 04/05/2012 - 09:55

Also,


I imagine if you are trying to connect to some other IP address on the ASA's outside interface (not the actual interface IP), for example a static NAT IP, you would get a normal ACL Deny log message, whose logging message level is 4 (Notifications), which is a pretty normal setting for all the logging destinations (trap, buffered, asdm).
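The two replies above distinguish two different syslog messages: %ASA-7-710005 for packets aimed at the ASA's own interface address (dropped because no service listens there) and the level-4 ACL deny message (%ASA-4-106023) for packets aimed at an address behind the ASA that an interface ACL rejects. Below is an added example, not part of the original thread, that parses both message formats out of a syslog feed and counts probes per source, so you can see what a "someone tried to RDP to my outside interface" report looks like once the messages actually reach a log destination. The log lines are constructed samples using RFC 5737 documentation addresses; the `logging timestamp` prefix and the ACL name are assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# ASA syslog severity numbers, as used by "logging trap/buffered/asdm <level>".
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample lines (not a real capture). The first three are packets
# to the ASA's own outside address, the fourth is an ACL deny for a NATed host,
# the fifth is an unrelated connection-built message that must be ignored.
SAMPLE_LOG = """\
Apr 05 2012 09:46:01: %ASA-7-710005: TCP request discarded from 198.51.100.7/51234 to outside:203.0.113.1/3389
Apr 05 2012 09:46:02: %ASA-7-710005: TCP request discarded from 198.51.100.7/51235 to outside:203.0.113.1/3389
Apr 05 2012 09:46:05: %ASA-7-710005: UDP request discarded from 198.51.100.9/40000 to outside:203.0.113.1/snmp
Apr 05 2012 09:46:07: %ASA-4-106023: Deny tcp src outside:198.51.100.7/51236 dst inside:192.0.2.5/3389 by access-group "outside_access_in" [0x0, 0x0]
Apr 05 2012 09:46:09: %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.0.2.20/50123 (203.0.113.1/50123)
"""

# %ASA-7-710005: {TCP|UDP} request discarded from src/sport to iface:dst/service
DISCARD_RE = re.compile(
    r"%ASA-(?P<sev>\d)-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>[^:\s]+):(?P<dst>[\d.]+)/(?P<svc>\S+)"
)
# %ASA-4-106023: Deny proto src iface:src/sport dst iface:dst/service by access-group "name"
ACL_DENY_RE = re.compile(
    r'%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\w+) src (?P<siface>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<diface>[^:\s]+):(?P<dst>[\d.]+)/(?P<svc>\S+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class Probe:
    msg_id: str     # "710005" = packet to the ASA itself, "106023" = ACL deny
    severity: int   # 7 for 710005, 4 for 106023
    proto: str
    src: str
    sport: int
    iface: str      # interface the packet arrived on
    dst: str
    service: str    # port number or service name exactly as the ASA logs it


def parse_line(line: str) -> Optional[Probe]:
    """Return a Probe for the two message types of interest, None otherwise."""
    m = DISCARD_RE.search(line)
    if m:
        # The interface named in 710005 is the one whose address was targeted,
        # which is also where the packet arrived.
        return Probe("710005", int(m["sev"]), m["proto"].lower(), m["src"],
                     int(m["sport"]), m["iface"], m["dst"], m["svc"])
    m = ACL_DENY_RE.search(line)
    if m:
        return Probe("106023", int(m["sev"]), m["proto"].lower(), m["src"],
                     int(m["sport"]), m["siface"], m["dst"], m["svc"])
    return None


def parse_log(text: str) -> list:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def probes_by_target(probes) -> Counter:
    """Count attempts per (source, destination, service), ignoring ephemeral source ports."""
    return Counter((p.src, p.dst, p.service) for p in probes)


def min_trap_level(probes) -> str:
    """Lowest logging level name that would make every one of these messages visible."""
    return SEVERITY_NAMES[max(p.severity for p in probes)]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for key, n in probes_by_target(found).most_common():
        print(f"{key[0]} -> {key[1]}/{key[2]}: {n} attempt(s)")
    print("log destination level needed:", min_trap_level(found))
```

The point `min_trap_level` makes is the one Jouni raises: a destination configured at `logging asdm warnings` or `logging trap informational` will show the ACL deny but never the 710005 probes against the interface itself, because those are emitted at severity 7. Running a log destination at debugging is noisy on a busy box; the alternative is to leave the destination at a lower level and raise that one message with `logging message 710005 level notifications` (the ASA `logging message <id> level <severity>` command), so the interface probes surface without turning on every debug-level message.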
