ASA ACL Questions

arrayservices
Level 1

Hello everyone-

I have an ASA-5585-SSP-10 that I have subinterfaces and VLANs created on. I used this ASA to firewall the vlans downstream on our Catalyst 4k's. Most all of my interfaces have specific ACLs in for the necessary traffic and all is good. I have a couple interfaces that have an IP any-any in and I would like to remove the any-any, but do not want to do so immediately, as the ACL has thousands of hits. I have cleared the ACL hit counter, but would like to know how I determine what traffic (source, dest, etc) is hitting the any-any so I can build specific ACLs to match, and ultimately remove the any-any. I have reviewed the log for a specific any-any, but this has not turned out to be helpful. Can anyone give me some help?

Thank you-

Brian

2 Replies

Jouni Forss
VIP Alumni

Hi,

I would suggest considering adding a "log" keyword to the "permit ip any any" rule you have and setting the logging level you want.

Here is the explanation of the "log" parameter at the end of the "access-list" command:

log

(Optional) Sets logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated.

I guess you might have to play around with the "interval" value perhaps.

Source from Command Reference:

http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598407

To my understanding if you have a "permit" line in the ACL then usually no log messages are generated at all for traffic/connections matching these rules. The "deny" rules however generate Notifications level messages.

Since using the "log" parameter at the end of this "permit ip any any" rule will generate Syslog messages with a specific Syslog ID mentioned above, you could only have this "log" enabled on that single ACL and single rule of that ACL and log messages to a Syslog server.

You could then later gather the information and filter/parse the mentioned Syslog ID messages from that log. You could then further parse that log for the things that need to stay open and require their own rules.

Naturally there are probably tools that would also handle this, but I haven't had the chance to work with any.

I am wondering if any of the allowed traffic is outbound to Internet? I'd imagine this might cause problems to go through. Then again this kind of traffic could be allowed perhaps "permit tcp any any eq " to allow the basic services outbound.

Hope this helps

- Jouni
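One way to do the gathering and parsing Jouni describes, as an added example that is not part of this thread: a Python script that reads the 106100 messages for the ACL carrying the logged "permit ip any any", sums the hit counts per flow, and prints one candidate host-to-host ACE per flow for review. The message layout follows the documented 106100 format; the ACL name, interface names, addresses and log lines are constructed.

```python
import re
from collections import Counter

# Body of syslog ID 106100 (fields as documented for that message ID).
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?:\([^)]*\))? -> (?P<dst_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:\([^)]*\))? hit-cnt (?P<hits>\d+)"
)

# Constructed sample lines, as a syslog server would receive them after
# "access-list INSIDE_IN extended permit ip any any log" is configured.
SAMPLE_LOG = """\
%ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.20.1.15(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.20.1.15(51240) -> outside/203.0.113.10(443) hit-cnt 14 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.20.1.22(40001) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x2b3c4d5e, 0x0]
%ASA-6-106100: access-list INSIDE_IN permitted udp inside/10.20.1.22(50512) -> dmz/10.30.0.5(53) hit-cnt 7 300-second interval [0x3c4d5e6f, 0x0]
%ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.20.1.31(44321) -> dmz/10.30.0.9(445) hit-cnt 1 first hit [0x4d5e6f70, 0x0]
%ASA-6-106023: Deny tcp src inside:10.20.1.40/3333 dst outside:198.51.100.7/22 by access-group "INSIDE_IN"
"""

def summarize_106100(log_text, acl_name):
    """Sum hit-cnt per (proto, src, dst, dport) for one ACL's permitted 106100 messages."""
    flows = Counter()
    for line in log_text.splitlines():
        m = MSG_106100.search(line)
        # Skip other message IDs, other ACLs and denies: only the any-any permits matter here.
        if not m or m.group("acl") != acl_name or m.group("action") != "permitted":
            continue
        key = (m.group("proto"), m.group("src"), m.group("dst"), int(m.group("dport")))
        flows[key] += int(m.group("hits"))
    return flows

def suggest_aces(flows, acl_name):
    """Return (candidate ACE, hits) pairs, busiest flow first; aggregate by hand before use."""
    aces = []
    for (proto, src, dst, dport), hits in flows.most_common():
        ace = f"access-list {acl_name} extended permit {proto} host {src} host {dst}"
        if proto in ("tcp", "udp"):
            ace += f" eq {dport}"   # only TCP/UDP ACEs carry a port operator
        aces.append((ace, hits))
    return aces

if __name__ == "__main__":
    for ace, hits in suggest_aces(summarize_106100(SAMPLE_LOG, "INSIDE_IN"), "INSIDE_IN"):
        print(f"{ace}    (seen {hits} hits)")
```

Run it against the real syslog export for the interface's ACL; the output is a starting list to collapse into subnet or object-group rules before the any-any is removed.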

Jouni-

How would you recommend I allow Internet access outbound using ACLs in the ASA, without the any-any? We do not proxy to our web filter appliance; we have a Juniper firewall (external) which redirects 80 and 443 traffic to the web filter, and it then sends Internet traffic out.

Brian
