04-05-2012 09:31 AM - edited 03-11-2019 03:51 PM
Hi,
we all do know CBAC on our routers, we create 'deny all' on the outside interface for all traffic coming IN. CBAC is going to open the ports for all traffic coming back and deny everything else that was not originated in the LAN... and you can LOG it all as this is an ACL.
I want to do the same with my ASA5505. I want to know that someone tried to e.g. RDP to my outside interface of my ASA etc. Unfortunately 'deny any any' on the outside interface (incoming traffic) does not catch these things. My config:
LAN ---- ASA ---- Internet ---- PC1
PC1 is trying to RDP to the outside interface of the ASA and 3389 is closed. I want to log it. I enabled the logs, I am checking the live logs in my ASDM and can see a lot of messages (logs are working) but these requests are not being logged/dropped.
I am sure that e.g. RDP to the outside interface of my ASA is dropped right? The port IS closed. How can I log it please?
04-05-2012 09:46 AM
Hi,
What is your logging level for either buffer, asdm or syslog server?
If you are using the Windows remote desktop client to connect to the ASA outside you should get a Level 7 syslog message which is debugging.
The Syslog ID for these discarded packets towards the ASAs outside interface is %ASA-7-710005
%ASA-7-710005: {TCP|UDP} request discarded from
source_address/source_port to interface_name:dest_address/service
The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.
The command "logging asdm debugging" should make these messages visible on ASDM.
Hope this helps, please rate if it was of any help
- Jouni
04-05-2012 09:55 AM
Also,
I imagine if you are trying to connect to some other IP address on the ASA's outside interface (not the actual interface IP), for example a static NAT IP, you would get a normal ACL Deny log message, whose logging message level is 4 (Notifications), which is a pretty normal setting for all the logging destinations (trap, buffered, asdm).
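To make the two cases from the replies above concrete (the 710005 "request discarded" message for packets aimed at the interface IP itself, versus the 106023 ACL deny for packets aimed through the ASA), here is an added example, not from the thread or from Cisco, that parses constructed sample syslog lines, counts drops per source and service, and reports the lowest logging level needed to actually see them. The sample addresses and the "outside_in" access-group name are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real ASA); documentation address ranges.
SAMPLE_LOGS = [
    '%ASA-7-710005: TCP request discarded from 203.0.113.5/51234 to outside:198.51.100.1/3389',
    '%ASA-7-710005: TCP request discarded from 203.0.113.5/51235 to outside:198.51.100.1/3389',
    '%ASA-7-710005: UDP request discarded from 203.0.113.9/40000 to outside:198.51.100.1/161',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/44444 dst inside:10.0.0.5/3389 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.8/50000 '
    '(203.0.113.8/50000) to inside:10.0.0.5/443 (10.0.0.5/443)',
]

# %ASA-7-710005: {TCP|UDP} request discarded from src/port to iface:dst/service
DISCARD_RE = re.compile(
    r'%ASA-(?P<sev>\d)-710005: (?P<proto>TCP|UDP) request discarded from '
    r'(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\d.]+)/(?P<service>\w+)')
# %ASA-4-106023: Deny proto src iface:ip/port dst iface:ip/port by access-group "name"
ACL_DENY_RE = re.compile(
    r'%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\w+) src (?P<siface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<diface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

def parse_line(line):
    """Classify one ASA syslog line; returns a dict or None if it is neither message type."""
    m = DISCARD_RE.search(line)
    if m:
        return dict(m.groupdict(), kind='to-interface')  # aimed at the ASA's own address
    m = ACL_DENY_RE.search(line)
    if m:
        return dict(m.groupdict(), kind='acl-deny')      # aimed through the ASA, hit the ACL
    return None

def summarize(lines, iface='outside'):
    """Count dropped attempts per (kind, source IP, destination service) arriving on iface."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec['kind'] == 'to-interface' and rec['iface'] == iface:
            counts[(rec['kind'], rec['src'], rec['service'])] += 1
        elif rec['kind'] == 'acl-deny' and rec['siface'] == iface:
            counts[(rec['kind'], rec['src'], rec['dport'])] += 1
    return counts

def required_logging_level(lines):
    """Highest severity number among matched lines: the minimum 'logging <dest> <level>' to see them all."""
    sevs = [int(r['sev']) for r in map(parse_line, lines) if r]
    return max(sevs) if sevs else None

if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOGS).items():
        print(key, n)
    print('logging level needed:', required_logging_level(SAMPLE_LOGS))
```

Feeding real lines from `show logging` or a syslog collector into `summarize` gives the per-source view of probes against the interface; a result of 7 from `required_logging_level` is why only `logging asdm debugging` (or the buffered/trap equivalent) makes the 710005 entries appear.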