I have an ASA-5585-SSP-10 that I have subinterfaces and VLANs created on. I use this ASA to firewall the VLANs downstream on our Catalyst 4k's. Almost all of my interfaces have specific ACLs in for the necessary traffic and all is good. I have a couple of interfaces that have an IP any-any in and I would like to remove the any-any, but do not want to do so immediately, as the ACL has thousands of hits. I have cleared the ACL hit counter, but would like to know how I determine what traffic (source, dest, etc.) is hitting the any-any so I can build specific ACLs to match, and ultimately remove the any-any. I have reviewed the log for a specific any-any, but this has not turned out to be helpful. Can anyone give me some help?
I would suggest considering adding a "log" keyword to the "permit ip any any" rule you have and setting the logging level you want.
Here is the explanation of the "log" parameter at the end of the "access-list" command:
(Optional) Sets logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated.
I guess you might have to play around with the "interval" value perhaps.
To my understanding, if you have a "permit" line in the ACL then usually no log messages are generated at all for traffic/connections matching these rules. The "deny" rules, however, generate Notifications-level messages.
Since using the "log" parameter at the end of this "permit ip any any" rule will generate Syslog messages with a specific Syslog ID mentioned above, you could only have this "log" enabled on that single ACL and single rule of that ACL and log messages to a Syslog server.
You could then later gather the information and filter/parse the mentioned Syslog ID messages from that log. You could then further parse that log for the things that need to stay open and require their own rules.
Naturally there are probably tools that would also handle this, but I haven't had the chance to work with any.
I am wondering if any of the allowed traffic is outbound to the Internet? I'd imagine this might cause problems to go through. Then again, this kind of traffic could perhaps be allowed with "permit tcp any any eq " to allow the basic services outbound.
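The workflow described above (add "log" to the permit ip any any ACE, ship the 106100 messages to a syslog server, then parse them into the flows that need their own rules) can be automated with a short script. The following is an added example, not code from the thread or from Cisco: it assumes the ACE has been changed to "permit ip any any log" (default level 6, 300-second interval), that the syslog collector writes one message per line, and that the ACL is named VLAN20_IN. The sample log lines are constructed (RFC 5737 / RFC 1918 addresses), and one 106023 deny message is included to show that other syslog IDs are skipped.

```python
"""Summarise ASA 106100 ACL-logging messages into candidate specific ACEs.

Added example, not from the thread. Assumes the permit ip any any ACE now
carries the "log" keyword and the ASA sends syslog to a collector that
stores one message per line.
"""
import re
from collections import defaultdict

# Body of %ASA-6-106100. The optional identity-firewall "(user)" fields after
# each address are matched and discarded; hit-cnt is the per-interval count.
ACL_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)(?:\([^)]*\))? "
    r"hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog (not real traffic). ACL name VLAN20_IN is assumed.
SAMPLE_SYSLOG = """\
Mar 10 2024 12:00:01 asa-1 : %ASA-6-106100: access-list VLAN20_IN permitted tcp VLAN20/10.20.0.15(51234) -> OUTSIDE/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Mar 10 2024 12:05:01 asa-1 : %ASA-6-106100: access-list VLAN20_IN permitted tcp VLAN20/10.20.0.15(51240) -> OUTSIDE/203.0.113.10(443) hit-cnt 37 300-second interval [0x1a2b3c4d, 0x0]
Mar 10 2024 12:05:02 asa-1 : %ASA-6-106100: access-list VLAN20_IN permitted udp VLAN20/10.20.0.7(53122) -> SERVERS/10.1.1.53(53) hit-cnt 120 300-second interval [0x5e6f7a8b, 0x0]
Mar 10 2024 12:05:03 asa-1 : %ASA-6-106100: access-list VLAN20_IN permitted tcp VLAN20/10.20.0.22(49999) -> SERVERS/10.1.1.10(445) hit-cnt 4 300-second interval [0x9c0d1e2f, 0x0]
Mar 10 2024 12:05:04 asa-1 : %ASA-4-106023: Deny tcp src VLAN30:10.30.0.9/4444 dst OUTSIDE:198.51.100.5/22 by access-group "VLAN30_IN" [0x0, 0x0]
"""


def parse_acl_log_lines(text):
    """Return one dict per 106100 message; lines with other syslog IDs are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["hits"] = int(rec["hits"])
            records.append(rec)
    return records


def aggregate_flows(records, acl=None, action="permitted"):
    """Sum hit counts per (proto, src, dst, dport).

    Source ports are ephemeral and deliberately left out of the key so that
    repeated connections from one host collapse into a single flow.
    """
    flows = defaultdict(int)
    for r in records:
        if r["action"] != action or (acl and r["acl"] != acl):
            continue
        flows[(r["proto"], r["src"], r["dst"], r["dport"])] += r["hits"]
    return dict(flows)


def suggest_aces(flows, acl_name, min_hits=1):
    """Render flows as ASA extended ACEs, busiest flow first.

    Only tcp/udp get an "eq <port>" clause; other protocols have no port.
    """
    aces = []
    for (proto, src, dst, dport), hits in sorted(flows.items(), key=lambda kv: -kv[1]):
        if hits < min_hits:
            continue
        ace = f"access-list {acl_name} extended permit {proto} host {src} host {dst}"
        if proto in ("tcp", "udp"):
            ace += f" eq {dport}"
        aces.append(ace)
    return aces


if __name__ == "__main__":
    recs = parse_acl_log_lines(SAMPLE_SYSLOG)
    for ace in suggest_aces(aggregate_flows(recs, acl="VLAN20_IN"), "VLAN20_IN"):
        print(ace)
```

Running it over a real collector file instead of SAMPLE_SYSLOG gives a hit-ordered list of host-to-host ACEs; the usual next step is to collapse hosts into the subnet or object-group the ACL already uses before adding them above the any-any, and to watch the 106100 counts on the any-any drop toward zero before removing it.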
How would you recommend I allow Internet access outbound using ACLs in the ASA, without the any-any? We do not proxy to our web filter appliance; we have a Juniper firewall (external) which redirects 80 and 443 traffic to the web filter, and it then sends Internet traffic out.