Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

access list logging on firewall

Hi

If I permit all traffic on my firewall, will I see on the logs all this traffic going through, or would I need to add the log keyword on the end of the permit statement ?

cheers

Carl

1 REPLY
Super Bronze

access list logging on firewall

Hi,

Would you be looking at the logs through the ASDM Monitoring or reading them from a separate server?

Your basic ASA logging configuration could look something like this

logging on

logging timestamp

logging buffer-size

logging device-id hostname

logging buffered notifications

logging trap informational

logging asdm informational

logging host

"logging  trap informational" would mean that your ASA would send a log message of every connection and NAT translation made through the ASA. It would also log messages when those connections and NATs are tore down. (When the connections in question are finished)

"logging asdm informational" should do the same as above but this would only apply when you have opened the Monitor/logging window in through the ASDM.

These to my knowledge dont require any separate command on the actual access-list.

I haven't used the "log" parameters in my ASA configurations but If I understood correctly this parameter would make it so that you will also see permitted connections in the ASA logs while without the "log" parameter you would only see a message when the access-list blocked some connection based on some access-list rule.

The Command Reference states the following:

(Optional) Sets logging options when a ACE matches a packet for network

access (an access list applied with the access-group command). If you enter

the log keyword without any arguments, you enable system log message

106100 at the default level (6) and for the default interval (300 seconds). If

you do not enter the log keyword, then the default system log message

106023 is generated.

Heres link to the syslog IDs mentioned above (Software 8.2)

106100:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049

106023:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021

- Jouni

220
Views
0
Helpful
1
Replies