It is really tough to monitor traffic with an ACL. If it is for troubleshooting purposes and you probably want to monitor from a single PC, you can probably do a syslog, attached with an ACL, and monitor the destination IP address from that specific PC.
If this is going to be for regular monitoring and reporting to business guys, I think you will have to have some kind of URL filtering software, which can log traffic going to some destination and can report based on the URLs surfed. You can use software like Websense, which can interact with the ASA box, or use CSCSSM. Websense does give very good reports; not really sure about CSC. You can probably have a look at the tech docs on CCO to find this.
Hope this helps. All the best. Rate replies if found useful.
I figured I could use the syslog of an ACL because I can have it report when specific traffic is allowed, but I can't figure out how I would write it. What I need to do is log anything internal going to a specific IP on the public side. If I could figure out how to write the rule, I might be able to get it to work. I just need to do it for a week or so. I don't actually want to block the traffic; I just want to log it when it happens. The CSCSSM seems to be all or nothing; I haven't really figured out how I would log successful traffic. I can scan all HTTP traffic, and it seems to run on Linux/Unix. I know I could use Websense, but I don't need to buy a product which I am only going to use for a week, when I figure I should be able to do it with the equipment I already have.
Can't you write an ACL on the inside interface with a "log" keyword? Enable syslog with a test server on the inside. Any traffic which hits the ACL will then be logged to the syslog server!!! Won't this work out for you?
Yes, I should be able to, but I can't seem to work it out. I wish the CSCSSM had the ability to do more than simply deny traffic; it scans all HTTP traffic. Guess I could look through the config files and see how the rules are written. I wish I could just go into the filtering and say "any time this IP, log it." The firewall is NAT. I have internal people going to a specific public website I need to log. I did figure out that I can log a successful attempt, but I can't seem to get the ACL right; it doesn't seem to be working. I am sure it's just my poor skills.
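An added example (not from any poster in this thread) of the approach suggested above: a permit ACE with the `log` keyword on the inside interface, so the traffic is still allowed but each match produces an ASA syslog message 106100, plus a small parser that turns a week of those messages into a per-inside-host count for the one public destination of interest. The ACL name `INSIDE_IN`, the destination `203.0.113.10`, the syslog host `192.168.1.50` and the sample syslog lines are all constructed for illustration; the configuration is shown as a string constant only so the log format and the config that produces it sit side by side.

```python
import re
from collections import Counter

# Assumed ASA configuration (illustrative names and addresses, not from the thread).
# The ACE permits the traffic and only adds a syslog record; "log 6" logs at
# informational (the default level) and "interval 300" aggregates repeat hits
# into one message per 5 minutes instead of one per packet. The ACL is applied
# inbound on the inside interface, so it sees the real inside source addresses
# before NAT and the real public destination address.
ASA_CONFIG = """
access-list INSIDE_IN extended permit tcp any host 203.0.113.10 eq www log 6 interval 300
access-list INSIDE_IN extended permit tcp any host 203.0.113.10 eq https log 6 interval 300
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
logging enable
logging timestamp
logging trap informational
logging host inside 192.168.1.50
"""

# Constructed sample syslog lines in the shape the ASA emits for message 106100
# (an ACE with the log keyword). The 302013 line is an unrelated connection
# message included to show that the parser ignores it.
SAMPLE_SYSLOG = [
    "Jun 01 2024 09:15:02: %ASA-6-106100: access-list INSIDE_IN permitted tcp "
    "inside/192.168.1.23(51234) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x8c1b2f4e, 0x0]",
    "Jun 01 2024 09:20:02: %ASA-6-106100: access-list INSIDE_IN permitted tcp "
    "inside/192.168.1.23(51240) -> outside/203.0.113.10(443) hit-cnt 4 300-second interval [0x8c1b2f4e, 0x0]",
    "Jun 01 2024 09:21:17: %ASA-6-106100: access-list INSIDE_IN permitted tcp "
    "inside/192.168.1.57(49800) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x8c1b2f4e, 0x0]",
    "Jun 01 2024 09:22:00: %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:198.51.100.5/80 (198.51.100.5/80) to inside:192.168.1.23/51302 (198.51.100.77/51302)",
]

# Fields of a 106100 message: ACL name, action, protocol, source and destination
# as interface/address(port), and the aggregated hit count.
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_106100(line):
    """Return the fields of one 106100 message as a dict, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    return rec


def report(lines, target_ip):
    """Total permitted hits per inside source host for traffic to target_ip.

    Only 'permitted' records count, so a deny ACE elsewhere that also logs does
    not inflate the numbers for the site being monitored.
    """
    totals = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec and rec["action"] == "permitted" and rec["dst"] == target_ip:
            totals[rec["src"]] += rec["hits"]
    return dict(totals)


if __name__ == "__main__":
    for host, hits in sorted(report(SAMPLE_SYSLOG, "203.0.113.10").items()):
        print(f"{host:16} {hits:6d} hits to 203.0.113.10")
```

Point the syslog server's log file at `report()` (one message per line) to get the weekly summary; because `interval 300` aggregates hits, the `hit-cnt` field, not the number of lines, is what is summed. If the destination site is reached by name and its address changes during the week, the `host` in the ACE needs updating, since the ACE matches the IP, not the URL.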