ASA email alerting

Andy White
Level 3

Hello,

I have been asked to provide a method of being emailed should a persistent public IP be trying to access our external IP of our ASA. Are there any ways of doing this? I don't want to get an email if one or 2 hits from the same IP are "seen", but if there are 40-50 from the same, suggesting some sort of penetration activity?

I've got some of the alerts going to my syslog server (solarwinds) but it can't do anything clever.

13 Replies

Jennifer Halim
Cisco Employee

Unfortunately not a supported feature on ASA.

ASA can only send email notifications for syslog messages on specific syslog severity.

Looks like my syslog viewer can do some sort of email alerting, I can see message type "ASA-1-710003" appear and I now get an email, but I need to suppress it somehow.

What I don't understand is I get syslog alerts for denied access to our ASA, but we have other devices with public IPs that are NAT'd to their private addresses that I don't get denies from. Is this down to the device behind the NAT, or should the firewall also pick up these denies?

I assume the deny access would be syslog from access-list on interfaces.
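As an added illustration (not from any poster in this thread), the "40-50 hits from the same IP" threshold the original question asks for can be applied on the syslog collector rather than on the ASA: count ACL-deny messages per source address over a sliding time window and only flag addresses that cross the threshold, so one or two stray hits never generate a mail. The message formats follow the ASA syslog reference for %ASA-1-710003 and %ASA-4-106023; the hostname, addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two ACL-deny messages discussed in this thread (formats per the ASA
# syslog message reference); everything else is ignored.
MSG_PATTERNS = [
    re.compile(r"%ASA-1-710003: (?:TCP|UDP) access denied by ACL from (?P<src>[\d.]+)/\d+"),
    re.compile(r"%ASA-4-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+"),
]
# Standard syslog prefix: "Mon DD HH:MM:SS hostname ..."
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ")

def parse_deny(line, year=2011):
    """Return (timestamp, source_ip) for an ASA ACL-deny line, else None."""
    ts = TS_RE.match(line)
    if not ts:
        return None
    when = datetime.strptime(f"{year} {ts['ts']}", "%Y %b %d %H:%M:%S")
    for pat in MSG_PATTERNS:
        m = pat.search(line)
        if m:
            return when, m["src"]
    return None

def persistent_sources(lines, threshold=40, window=timedelta(minutes=10)):
    """Sources with at least `threshold` denies inside any `window`-long span.
    Lines are assumed to arrive in time order; returns {src: peak hits in a window}."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_deny(line)
        if not parsed:
            continue
        when, src = parsed
        q = recent[src]
        q.append(when)
        while q and when - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak

def constructed_sample():
    """Constructed log: one source probing 45 ports in 3 minutes, another with 2 hits."""
    lines = [f"Jan 10 23:{10 + i * 4 // 60:02d}:{i * 4 % 60:02d} fw01 %ASA-1-710003: TCP access "
             f"denied by ACL from 203.0.113.5/{51000 + i} to outside:198.51.100.1/{500 + i}"
             for i in range(45)]
    for t, port in (("23:13:30", 40000), ("23:14:05", 40001)):
        lines.append(f"Jan 10 {t} fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.77/{port} "
                     'dst inside:10.0.0.10/22 by access-group "outside_in"')
    return lines
```

With the default threshold only the scanning source is reported; the two-hit source is silent unless the threshold is lowered.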

That is correct.

For example, we have a few public IP addresses going to web servers behind the firewall. I need a deny message to be sent to our syslog server should the attempt be anything other than port 80. How can I achieve this?

What is strange also: if I try and telnet to our ASA over the internet on port 80 or 23 I get a deny message sent to the syslog server, but if I telnet on any other random port I don't get a deny log. It gets blocked, but that's it. I need to record this, and for the other servers too.

Thanks

This is not possible. These will be dropped by the firewall. You can see these in the asp drop captures.

cap capasp type asp-drop all

sh cap capasp

What is configured to be allowed will send syslogs if accessed by some IP that is not allowed.

What is not even configured, when accessed, the firewall just drops these packets and does not log.

-KS

Thanks, how can I tell if we are being targeted from an external IP on the outside interface lots of the time?

If I run your capture command will it show all drops from all interfaces or just the outside interface?

That is correct. ASP drop will show all drops - all interfaces.

For example:

I have asdm/443, telnet and ssh allowed on my firewall. I tried a telnet to port 556 from the outside and the asp drop capture shows the following:

ASA# sh cap capasp | i 556
   2: 23:16:44.371425 802.1Q vlan#10 P0 10.117.14.69.58538 > 172.18.254.34.556: S 3707472990:3707472990(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  21: 23:16:54.769003 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  23: 23:16:55.677500 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  26: 23:16:56.680323 802.1Q vlan#10 P0 10.117.14.69.58543 > 172.18.254.34.556: S 185959746:185959746(0) win 65535

All SYNs from my outside client are dropped.

-KS

Is there any way this can be output to a syslog server?

How would a company know if they are being hacked, I know the firewall is dropping the packets, but somebody could be trying for weeks and I wouldn't even know?

No. ASP drops cannot be sent to syslog server.  Unfortunately not.  Threat Detection feature will help you: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1088111

Besides this you need an IPS/IDS device.

-KS

Thanks. I do have the IPS module installed but again I think it only logs on allowed traffic passing through the firewall.

NO. You can do a few things with an IPS/IDS device:

a. Deny Attacker Inline - Create an ACL that denies all traffic from the suspected source IP address

b. Deny Connection Inline - Send resets to terminate the TCP flow

c. Deny Packet Inline - Do not transmit the packet (inline only)

d. Produce Alert - Generate an alarm message

e. Reset TCP Connection - Drop the packet and all future packets from the TCP flow

Read about it here: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html

Figure 59-1 shows the traffic flow when running the AIP SSM/SSC in inline mode. In this example, the AIP SSM/SSC automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.

-KS

This is what we have configured.

policy-map global_policy
class myipsclass
  ips inline fail-open sensor vs0

I asked TAC about the report and they also say I can't do it. Is this due to me using "ips inline fail-open" and not one of the other options you mentioned?
