ASA - log traffic coming To the ASA

Mariusz Kuriata
Level 1

Hi,
We all know CBAC on our routers: we create a 'deny all' on the outside interface for all traffic coming IN. CBAC is going to open the ports for all traffic coming back and deny everything else that was not originated in the LAN... and you can LOG it all, as this is an ACL.

I want to do the same with my ASA5505. I want to know that someone tried to e.g. RDP to the outside interface of my ASA, etc. Unfortunately 'deny any any' on the outside interface (incoming traffic) does not catch these things. My config:
LAN ---- ASA ---- Internet ---- PC1

PC1 is trying to RDP to the outside interface of the ASA and 3389 is closed. I want to log it. I enabled the logs, I am checking the live logs in my ASDM and can see a lot of messages (logs are working), but these requests are not being logged/dropped.

I am sure that e.g. RDP to the outside interface of my ASA is dropped right? The port IS closed. How can I log it please?

2 Replies

Jouni Forss
VIP Alumni

Hi,

What is your logging level for either buffer, asdm or syslog server?

If you are using the Windows remote desktop client to connect to the ASA outside you should get a Level 7 syslog message which is debugging.

The Syslog ID for these discarded packets towards the ASA's outside interface is %ASA-7-710005:

%ASA-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded. In addition, this message appears (with the SNMP service) when the ASA receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is SNMP, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.

The command "logging asdm debugging" should make these messages visible on ASDM.

Hope this helps, please rate if it was of any help

- Jouni

Also,

I imagine if you are trying to connect to some other IP address on the ASA's outside interface (not the actual interface IP), for example a static NAT IP, you would get a normal ACL Deny log message, whose logging message level is 4 (Notifications), which is a pretty normal setting for all the logging destinations (trap, buffered, asdm).
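As an added example (not from this thread and not Cisco's code), a small Python parser that pulls the two message types discussed above out of constructed ASA syslog lines and shows why the 710005 "request discarded" events vanish when the logging destination sits below level 7 (debugging). The addresses, ACL name and connection IDs are made up for illustration.

```python
import re

# Constructed sample lines (not from the original thread); documentation address ranges.
SAMPLE_LOGS = [
    "%ASA-7-710005: TCP request discarded from 203.0.113.10/51234 to outside:198.51.100.1/3389",
    "%ASA-7-710005: UDP request discarded from 203.0.113.10/40000 to outside:198.51.100.1/161",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.10/51235 dst inside:192.0.2.20/3389 "
    "by access-group \"outside_access_in\" [0x0, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51236 "
    "(203.0.113.10/51236) to inside:192.0.2.20/443 (198.51.100.1/443)",
]

# %ASA-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
# 710005: packet aimed at the ASA's own interface address, no listening service
DISCARD_RE = re.compile(
    r"(?P<proto>TCP|UDP) request discarded from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<ifname>\w+):(?P<dst>[\d.]+)/(?P<dport>\S+)"
)
# 106023: packet through the ASA denied by an interface ACL
ACL_DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


def parse_line(line):
    """Return a dict with severity, msgid and (for the two IDs we care about) parsed fields."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid")}
    body = m.group("body")
    if rec["msgid"] == "710005" and (d := DISCARD_RE.match(body)):
        rec.update(kind="to_asa_discard", **d.groupdict())
    elif rec["msgid"] == "106023" and (d := ACL_DENY_RE.match(body)):
        rec.update(kind="acl_deny", **d.groupdict())
    return rec


def denied_events(lines, logging_level=7):
    """Denied/discarded events a destination configured at logging_level would actually show."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("kind") and rec["severity"] <= logging_level:
            out.append(rec)
    return out
```

With `logging_level=4` (the usual "warnings" setting) only the ACL deny survives; the RDP probe to the interface IP itself is reported only at 7.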
