
ASA 7.2 106100 logging

Hi all,

When constructing a rule base we need to log 106100 messages to see which connections are required, but no 106100 message appears. Does anybody know the reason, or what can I do to enable logging of this message?

thanks.

6 REPLIES

Re: ASA 7.2 106100 logging

Log 106100 normally tells you of the denied/permitted translation/access.

In PIX/ASA, enable the syslog service and logging level to informational (notification will do as well):

Minimum config will be as follows:

ASA(config)# logging enable --> (in PIX, use 'logging on')

ASA(config)# logging buffer informational

You may enable timestamps as well to get the correct time/date of the events, or send it to an external syslog server.

Verify this using 'sh log' command:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b3ff.html#wp1064559

HTH

AK

Re: ASA 7.2 106100 logging

You may use access-list (ACL) and apply to Inside interface to ensure all logs/events are recorded.

Since you're still at the starting level, create an ACL permitting any/all traffic. This is good for internal access to external/internet or any lower security level segment.

example:

access-list inside permit tcp any any

access-list inside permit udp any any

access-group inside in interface inside --> bind to inside interface

Optionally, you can use 'ip' to replace the tcp/udp keyword and have 1 ACL line instead of 2. But having separate TCP & UDP lines gives you a more accurate hitcount on TCP & UDP traffic. There are no exact rules on this.

To check outside/internet access to your internal server(s), I am not sure if you already have an ACL permitting the incoming access, plus the static NAT for the internal server-to-public IP address mapping.

HTH

AK


Re: ASA 7.2 106100 logging

As you can clearly see from the following, the necessary configuration is done. The problem is that although I enable logging informational, no 106100 log appears in ASDM. The question is what the reason may be.

thanks.

FW-ROM-OUT# sh logg

Syslog logging: enabled

Facility: 17

Timestamp logging: disabled

Standby logging: disabled

Deny Conn when Queue Full: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: list access-list, 14914 messages logged

Trap logging: list permitler, facility 17, 176370 messages logged

Logging to inside 10.129.0.237

Logging to inside SYSLOG

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level informational, class session sys, 90100 messages logged

Re: ASA 7.2 106100 logging

Can you enable log for 106100?

pix(config)#logging message 106100

This link provides some useful tips:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#use3


Re: ASA 7.2 106100 logging

We used the same kind of logging on FWSM before, so as far as configuration goes there is nothing missing. However, we had to upgrade our FWSM to see this log since there was a bug for it. It seems a bug exists for ASA also, but I could not find any using the bug tool at cisco.com.

Re: ASA 7.2 106100 logging

I couldn't find any either. Informational level should be fine, as 106100 (user-defined severity) appears in severity level 6 by default.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0cd.html#wp1085819
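Added example, not from any poster in this thread: a small Python check over the `show logging` output quoted above that flags each enabled destination driven by a logging list (as Buffer and Trap are here), by a level below 106100's default severity 6, or by a class filter that omits the session class. The sample input is the thread's own `sh logg` output, abridged; whether a named list actually includes 106100 is not visible in `show logging`, so the check only points at where to look.

```python
import re

# Constructed sample: the "sh logg" output posted in the thread, abridged.
SHOW_LOGGING = """\
Syslog logging: enabled
Facility: 17
Timestamp logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: list access-list, 14914 messages logged
Trap logging: list permitler, facility 17, 176370 messages logged
ASDM logging: level informational, class session sys, 90100 messages logged
"""

# ASA severity keywords in numeric order (0 = emergencies, 7 = debugging).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

DESTINATIONS = ("Console", "Monitor", "Buffer", "Trap", "ASDM")
LINE_RE = re.compile(r"^(?P<dest>\w+) logging: (?P<rest>.+)$")


def parse_destinations(text):
    """Return {destination: {enabled, list, level, classes}} from show logging output."""
    dests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dest") not in DESTINATIONS:
            continue
        rest = m.group("rest")
        info = {"enabled": not rest.startswith("disabled"),
                "list": None, "level": None, "classes": None}
        for field in rest.split(", "):          # e.g. "list permitler", "facility 17"
            words = field.split()
            if words[0] == "list":
                info["list"] = words[1]
            elif words[0] == "level":
                info["level"] = words[1]
            elif words[0] == "class":
                info["classes"] = words[1:]
        dests[m.group("dest")] = info
    return dests


def check_message(dests, msg_id="106100", msg_class="session", msg_severity=6):
    """For each enabled destination, say why msg_id might be filtered, or 'ok'."""
    findings = {}
    for name, info in dests.items():
        if not info["enabled"]:
            continue                              # disabled destinations never log
        if info["list"]:
            findings[name] = f"list {info['list']} must include {msg_id} or class {msg_class}"
        elif info["level"] and SEVERITY.get(info["level"], -1) < msg_severity:
            findings[name] = f"level {info['level']} is below severity {msg_severity}"
        elif info["classes"] and msg_class not in info["classes"]:
            findings[name] = f"class filter {info['classes']} omits {msg_class}"
        else:
            findings[name] = "ok"
    return findings
```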
