Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
371
Views
0
Helpful
1
Replies

access list logging on firewall

carl_townshend
Spotlight
Spotlight

‎02-03-2012 04:27 AM - edited ‎03-11-2019 03:23 PM

Hi

If I permit all traffic on my firewall, will I see on the logs all this traffic going through, or would I need to add the log keyword on the end of the permit statement ?

cheers

Carl

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎02-03-2012 05:53 AM

Hi,

Would you be looking at the logs through the ASDM Monitoring or reading them from a separate server?

Your basic ASA logging configuration could look something like this

logging on

logging timestamp

logging buffer-size

logging device-id hostname

logging buffered notifications

logging trap informational

logging asdm informational

logging host

"logging  trap informational" would mean that your ASA would send a log message of every connection and NAT translation made through the ASA. It would also log messages when those connections and NATs are tore down. (When the connections in question are finished)

"logging asdm informational" should do the same as above but this would only apply when you have opened the Monitor/logging window in through the ASDM.

These to my knowledge dont require any separate command on the actual access-list.

I haven't used the "log" parameters in my ASA configurations but If I understood correctly this parameter would make it so that you will also see permitted connections in the ASA logs while without the "log" parameter you would only see a message when the access-list blocked some connection based on some access-list rule.

The Command Reference states the following:

(Optional) Sets logging options when a ACE matches a packet for network

access (an access list applied with the access-group command). If you enter

the log keyword without any arguments, you enable system log message

106100 at the default level (6) and for the default interval (300 seconds). If

you do not enter the log keyword, then the default system log message

106023 is generated.

Heres link to the syslog IDs mentioned above (Software 8.2)

106100:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769049

106023:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4769021

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card