02-07-2014 11:54 AM - edited 03-11-2019 08:42 PM
Hello everyone-
I have an ASA-5585-SSP-10 that I have subinterfaces and VLANs created on. I use this ASA to firewall the VLANs downstream on our Catalyst 4Ks. Most of my interfaces have specific ACLs in for the necessary traffic and all is good. I have a couple of interfaces that have an IP any-any in, and I would like to remove the any-any, but do not want to do so immediately, as the ACL has thousands of hits. I have cleared the ACL hit counter, but would like to know how I determine what traffic (source, dest, etc.) is hitting the any-any so I can build specific ACLs to match, and ultimately remove the any-any. I have reviewed the log for a specific any-any, but this has not turned out to be helpful. Can anyone give me some help?
Thank you-
Brian
02-07-2014 12:07 PM
Hi,
I would suggest considering adding a "log" keyword to the "permit ip any any" rule you have and setting the logging level you want.
Here is the explanation of the "log" parameter at the end of the "access-list" command.
I guess you might have to play around with the "interval" value perhaps.
Source from Command Reference:
http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598407
To my understanding, if you have a "permit" line in the ACL, then usually no log messages are generated at all for traffic/connections matching these rules. The "deny" rules, however, generate Notifications-level messages.
Since using the "log" parameter at the end of this "permit ip any any" rule will generate Syslog messages with a specific Syslog ID mentioned above, you could have this "log" enabled only on that single ACL and single rule of that ACL, and log the messages to a Syslog server.
You could then later gather the information and filter/parse the mentioned Syslog ID messages from that log. You could then further parse that log for the things that need to stay open and require their own rules.
Naturally there are probably tools that would also handle this, but I haven't had the chance to work with any.
I am wondering if any of the allowed traffic is outbound to the Internet? I'd imagine this might cause problems to go through. Then again, this kind of traffic could perhaps be allowed with "permit tcp any any eq
Hope this helps
- Jouni
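As an added example (not part of Jouni's reply and not a Cisco tool), here is one way to do the "gather and parse" step he describes. It assumes the permit rule has been given the log keyword (for instance access-list VLAN20_IN extended permit ip any any log 6 interval 300) and that the resulting %ASA-6-106100 messages are being collected to a text file. The script parses those messages, sums the hit counts per source/destination/service, and prints candidate host-to-host ACEs ordered by hit count so the any-any can be replaced rule by rule. The ACL name VLAN20_IN, the interface names and the addresses in the sample log are all constructed for the example.

```python
"""Summarise ASA %ASA-6-106100 ACL log messages into candidate ACEs.

Added example: the message layout assumed here is the documented 106100 format
  access-list <acl> <permitted|denied|est-allowed> <proto> <in_if>/<src>(<sport>)
      -> <out_if>/<dst>(<dport>) hit-cnt <n> (first hit | <secs>-second interval) [hashes]
The optional "(user)" identity-firewall suffix after each address is tolerated.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<in_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\)(?:\([^)]*\))?"
    r" -> (?P<out_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\)(?:\([^)]*\))?"
    r" hit-cnt (?P<hits>\d+)"
)

# Constructed sample: five 106100 records plus one unrelated 106023 deny line,
# with and without a syslog header, as a collector would store them.
SAMPLE_LOG = """\
%ASA-6-106100: access-list VLAN20_IN permitted tcp VLAN20/10.20.0.15(52311) -> OUTSIDE/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Feb  7 2014 12:10:00 asa1 : %ASA-6-106100: access-list VLAN20_IN permitted tcp VLAN20/10.20.0.15(52312) -> OUTSIDE/203.0.113.10(443) hit-cnt 17 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list VLAN20_IN permitted udp VLAN20/10.20.0.22(61000) -> VLAN10/10.10.0.5(53) hit-cnt 240 300-second interval [0x1a2b3c4e, 0x0]
%ASA-6-106100: access-list VLAN20_IN permitted icmp VLAN20/10.20.0.22(0) -> VLAN10/10.10.0.5(8) hit-cnt 5 300-second interval [0x1a2b3c4f, 0x0]
%ASA-6-106100: access-list VLAN20_IN denied tcp VLAN20/10.20.0.30(40000) -> OUTSIDE/198.51.100.7(23) hit-cnt 1 first hit [0x1a2b3c50, 0x0]
Feb  7 2014 12:11:00 asa1 : %ASA-4-106023: Deny tcp src VLAN20/10.20.0.30/40001 dst OUTSIDE/198.51.100.7/23 by access-group "VLAN20_IN" [0x0, 0x0]
"""


def parse_106100(line):
    """Return the fields of one 106100 record as a dict, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def aggregate(lines, acl=None, action="permitted"):
    """Sum hit-cnt per (proto, src, dst, dport).

    The source port is ephemeral and deliberately dropped; denied records are
    skipped by default because only the permit rule is being decomposed.
    """
    totals = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is None or rec["action"] != action:
            continue
        if acl is not None and rec["acl"] != acl:
            continue
        totals[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += rec["hits"]
    return totals


def by_service(totals):
    """Collapse sources: (proto, dst, dport) -> (total hits, distinct source count).

    Many distinct sources for one service suggests a subnet or 'any' source is
    appropriate; a single source suggests a host entry.
    """
    hits, srcs = Counter(), defaultdict(set)
    for (proto, src, dst, dport), n in totals.items():
        hits[(proto, dst, dport)] += n
        srcs[(proto, dst, dport)].add(src)
    return {k: (hits[k], len(srcs[k])) for k in hits}


def suggest_aces(totals, acl_name, min_hits=1):
    """Candidate host-to-host ACEs, busiest flow first.

    For tcp/udp the logged destination port becomes 'eq <port>'. For icmp the
    parenthesised values are assumed to be type/code, so they are left off and
    the operator narrows the ACE by hand if needed.
    """
    aces = []
    for (proto, src, dst, dport), hits in sorted(totals.items(), key=lambda kv: -kv[1]):
        if hits < min_hits:
            continue
        ace = f"access-list {acl_name} extended permit {proto} host {src} host {dst}"
        if proto in ("tcp", "udp"):
            ace += f" eq {dport}"
        aces.append(ace)
    return aces


if __name__ == "__main__":
    totals = aggregate(SAMPLE_LOG.splitlines(), acl="VLAN20_IN")
    for svc, (n, nsrc) in sorted(by_service(totals).items(), key=lambda kv: -kv[1][0]):
        print(f"{n:6d} hits from {nsrc} source(s): {svc[0]} -> {svc[1]} port {svc[2]}")
    print()
    for ace in suggest_aces(totals, "VLAN20_IN"):
        print(ace)
```

Run it against the collected syslog file instead of SAMPLE_LOG (for example `aggregate(open("asa.log"))`) after a representative period, since a short window misses monthly jobs and backups. Insert the resulting specific ACEs above the any-any, clear the counters, and the any-any's hit count then shows only what is still unexplained; when it stays at zero for long enough, remove it.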
02-07-2014 02:32 PM
Jouni-
How would you recommend I allow Internet access outbound using ACLs in the ASA, without the any-any? We do not proxy to our web filter appliance; we have a Juniper firewall (external) which redirects 80 and 443 traffic to the web filter, and it then sends Internet traffic out.
Brian