ACL or URL filtering, ASA 5510 w/CSC-SSM

jclarksprint
Level 1

How do I monitor traffic to a specific location? I need to monitor or log traffic from my internal network to a specific website.

5 Replies

sachinraja
Level 9

Hello clark,

It is really tough to monitor traffic with an ACL. If it is for troubleshooting purposes and you probably want to monitor from a single PC, you can probably do a syslog attached to an ACL and monitor the destination IP address from that specific PC.

If this is going to be for regular monitoring and reporting to business guys, I think you will have to have some kind of URL filtering software, which can log traffic going to some destination and can report based on the URLs surfed. You can use software like Websense, which can interact with the ASA box, or use the CSC-SSM. Websense does give very good reports; not really sure about CSC. You can probably have a look at the tech docs on CCO to find this.

Hope this helps. All the best; rate replies if found useful.

Raj

I figured I could use the syslog of an ACL because I can have it report when specific traffic is allowed, but I can't figure out how I would write it. What I need to do is log anything internal going to a specific IP on the public side. If I could figure out how to write the rule I might be able to get it to work. I just need to do it for a week or so. I don't actually want to block the traffic, I just want to log it when it happens. The CSC-SSM seems to be all or nothing; I haven't really figured out how I would log successful traffic. I can scan all HTTP traffic, and it seems to run on Linux/Unix. I know I could use Websense, but I don't need to buy a product which I am only going to use for a week, when I figure I should be able to do it with the equipment I already have.

Can't you write an ACL on the inside interface with a "log" keyword? Enable syslog with a test server on the inside. Any traffic which hits the ACL will then be logged onto the syslog server! Won't this work out for you?

Raj

Yes, I should be able to, but I can't seem to work it out. I wish the CSC-SSM had the ability to do more than simply deny traffic; it scans all HTTP traffic. Guess I could look through the config files and see how the rules are written. I wish I could just go into the filtering and say "any time this IP, log it". The firewall is NAT. I have internal people going to a specific public website I need to log. I did figure out that I can log a successful attempt, but I can't seem to get the ACL right; it doesn't seem to be working. I am sure it's just my poor skills.

I got it taken care of. I got out my old PIX manual and looked up URL logging. I think I need to filter my syslog, though, so I can have just the URL logging traffic. Anybody know how to do that?
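For reference, here is the ACL-with-"log" approach Raj describes, together with the syslog message filtering the last post asks about. This is an added example written for this page, not configuration posted by anyone in the thread, and it does not reproduce the PIX "URL logging" route the original poster ended up using, since that configuration is not shown here. The addresses and the ACL name are placeholders: 203.0.113.10 stands for the website's public IP, 192.168.1.50 for a syslog server on the inside network, and inside_access_in for the ACL name.

```cisco
! Added example (not from the thread): log, without blocking, all inside-to-Internet
! traffic to one public web server, and send only those log lines to a syslog host.
! Placeholders: 203.0.113.10 = the website's public IP, 192.168.1.50 = syslog server
! on the inside, inside_access_in = ACL name.

! 1. ACL applied inbound on the inside interface. The first two ACEs permit AND log
!    the interesting flows; the final ACE keeps all other traffic flowing, because
!    an applied ACL ends with an implicit deny. Order matters: the specific
!    entries must come before the catch-all.
access-list inside_access_in extended permit tcp any host 203.0.113.10 eq www log informational interval 300
access-list inside_access_in extended permit tcp any host 203.0.113.10 eq https log informational interval 300
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

! 2. Syslog to the inside server. An ACE carrying "log" generates message 106100,
!    e.g. "access-list inside_access_in permitted tcp inside/10.1.1.5(51234) ->
!    outside/203.0.113.10(80) hit-cnt 1 first hit [...]". The ACL sits on the
!    inside interface, so the source shown is the real (pre-NAT) internal host.
logging enable
logging timestamp
logging host inside 192.168.1.50
logging trap informational

! 3. Optional: ship only the ACL hit messages to that server instead of every
!    informational-level message. This replaces "logging trap informational"
!    above with a message list that matches message ID 106100 only.
logging list ACL-HITS message 106100
logging trap ACL-HITS

! Verify the ACEs are being hit and the syslog host is receiving:
!   show access-list inside_access_in
!   show logging
```

The two logging ACEs only cover ports 80 and 443; if the site is reached on other ports, use `permit ip any host 203.0.113.10 log` instead. With `log`, the ASA emits one 106100 line at the first hit of each flow and then a summary with the hit count at the end of each interval (300 seconds here), so a busy site produces a manageable volume rather than one line per packet.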
