

ASA SYSLOG - How is direction determined in 302013 & 302015

Jul 6th, 2012

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4770603


So, according to the above link, if in message ID 302013 or 302015 you see the keyword "outbound" it means that the addresses are flipped in the SYSLOG message. Instead of just putting them in there correctly, they indicate the direction with that keyword.  Here is an example:


Jul  6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 for dev:10.1.4.84/25 (10.1.4.84/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)


The above message is me initiating a TELNET session from my laptop (10.128.85.25) to the server 10.1.4.84 on TCP port 25. However, since my machine is located on the "inside" interface, and the target machine is located on the "dev" interface the ASA returns the message backwards and indicates that with the keyword "outside". It's very counterintuitive, since the "to" in between the two addresses would in English indicate direction!


So my question is this, how does the ASA determine what is inside and what is outside? Since in some scenarios you may have no interfaces named "inside" or "outside", I assume it's using interface security level? I can find no further explanations of how this works, does anyone know?


Thanks in advance


-Paul

Luis Silva Benavides Fri, 07/13/2012 - 16:21
User Badges:
  • Cisco Employee,

Paul,


The ASA will actually see if the traffic comes from a higher security level; since the traffic goes to a lower security level it will label the connection as "outbound".


Luis Silva

paulhignutt Thu, 08/02/2012 - 07:11

So what does it do if the two interfaces are the same security level then I wonder?

nkarthikeyan Sat, 07/14/2012 - 03:08
User Badges:
  • Gold, 750 points or more

The actual log message indicates a successful connection, which is an outbound connection from a source on the LAN (10.128.85.25/37281) to (10.1.4.84/25).


The ASA always treats higher security levels as inside/DMZ zones and the lower security zone as 0.


Since this log indicates that the traffic was initiated from the inside to a DMZ zone, it treated it as outbound.
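As an added example (not part of this thread and not Cisco's own tooling), the Python below parses 302013/302015 "Built ... connection" messages into initiator and responder, undoing the address flip the question describes, and then applies the rule from the replies (initiator on the higher security level means "outbound") to check that the logged keyword is what the rule predicts. The second sample line and the SECURITY_LEVELS table are constructed assumptions; equal security levels return None because nobody in the thread says what the ASA logs in that case.

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample messages. The first is the 302013 line quoted in the
# question; the second is a constructed 302015 (UDP) inbound counterpart.
SAMPLE_LOGS = [
    "Jul  6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 "
    "for dev:10.1.4.84/25 (10.1.4.84/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)",
    "Jul  6 09:40:02 44.254.0.8 %ASA-6-302015: Built inbound UDP connection 1465801 "
    "for outside:203.0.113.7/53412 (203.0.113.7/53412) to dmz:192.0.2.10/53 (192.0.2.10/53)",
]

# Assumed interface security levels for the check below (not stated in the thread).
SECURITY_LEVELS: Dict[str, int] = {"inside": 100, "dev": 50, "dmz": 50, "outside": 0}

# Matches the 'Built {inbound|outbound} {TCP|UDP} connection' form of 302013/302015.
BUILT_RE = re.compile(
    r"%ASA-\d-(?P<id>30201[35]): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn>\d+) "
    r"for (?P<if1>[^\s:]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([^)]*\) "
    r"to (?P<if2>[^\s:]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([^)]*\)"
)


class Endpoint(NamedTuple):
    interface: str
    ip: str
    port: int


class Connection(NamedTuple):
    message_id: str
    protocol: str
    conn_id: int
    direction: str       # keyword exactly as logged: "inbound" or "outbound"
    initiator: Endpoint  # host that opened the connection
    responder: Endpoint  # host it connected to


def parse_built_connection(line: str) -> Optional[Connection]:
    """Parse a 302013/302015 message into initiator and responder.

    With 'outbound' the ASA prints the responder first ('for ...') and the
    initiator second ('to ...'); with 'inbound' the order is initiator then
    responder. Normalising here means consumers never have to remember that.
    """
    m = BUILT_RE.search(line)
    if m is None:
        return None
    first = Endpoint(m["if1"], m["ip1"], int(m["port1"]))
    second = Endpoint(m["if2"], m["ip2"], int(m["port2"]))
    if m["dir"] == "outbound":
        initiator, responder = second, first
    else:
        initiator, responder = first, second
    return Connection(m["id"], m["proto"], int(m["conn"]), m["dir"], initiator, responder)


def expected_direction(src_if: str, dst_if: str, levels: Dict[str, int]) -> Optional[str]:
    """Direction the replies say the ASA logs for a flow from src_if to dst_if:
    initiator on the higher security level -> 'outbound', on the lower -> 'inbound'.
    Equal levels return None; the thread does not cover that case."""
    src, dst = levels[src_if], levels[dst_if]
    if src > dst:
        return "outbound"
    if src < dst:
        return "inbound"
    return None


def describe(line: str, levels: Dict[str, int] = SECURITY_LEVELS) -> Optional[dict]:
    """Render a message as 'initiator -> responder' and flag any mismatch between
    the logged keyword and the security-level rule (e.g. a stale levels table)."""
    conn = parse_built_connection(line)
    if conn is None:
        return None
    expected = expected_direction(conn.initiator.interface, conn.responder.interface, levels)
    return {
        "id": conn.message_id,
        "flow": f"{conn.initiator.interface}:{conn.initiator.ip}/{conn.initiator.port} -> "
                f"{conn.responder.interface}:{conn.responder.ip}/{conn.responder.port}",
        "logged": conn.direction,
        "expected": expected,
        "consistent": expected is None or expected == conn.direction,
    }


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(describe(log))
```

For the quoted line this yields the flow `inside:10.128.85.25/37281 -> dev:10.1.4.84/25` with `logged` and `expected` both "outbound"; feeding a SIEM the normalised initiator/responder pair rather than the raw "for ... to ..." order avoids the reversed-direction mistake the question describes.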
