Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA SYSLOG - How is direction determined in 302013 & 302015

So, according to the above link, if in message ID 302013 or 302015 you see the keyword "outbound" it means that the addresses are flipped in the SYSLOG message. Instead of just putting them in there correctly, they indicate the direction with that keyword.  Here is an example:

Jul  6 09:38:51 %ASA-6-302013: Built outbound TCP connection 1465712 for dev: ( to inside: (

The above message is me initiating a TELNET session from my laptop ( to the server on TCP port 25. However, since my machine is located on the "inside" interface, and the target machine is located on the "dev" interface the ASA returns the message backwards and indicates that with the keyword "outside". It's very counterintuitive, since the "to" in between the two addresses would in English indicate direction!

So my question is this, how does the ASA determine what is inside and what is outside? Since in some scenarios you may have no interfaces named "inside" or "outside", I assume it's using interface security level? I can find no further explanations of how this works, does anyone know?

Thanks in advance


Everyone's tags (2)
Cisco Employee

ASA SYSLOG - How is direction determined in 302013 & 302015


The ASA will actually see if the traffic cames from a higher security level; since the traffic goes to a lower security level it will label the connection as "outbound".

Luis Silva

Luis Silva "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
New Member

ASA SYSLOG - How is direction determined in 302013 & 302015

So what does it do if the two interfaces are the same security level then I wonder?

ASA SYSLOG - How is direction determined in 302013 & 302015

Actual log message indicates the successful connection which is an outbound connection from a source LAN ( to (

Always ASA treats higher secuirty levels as inside/dmz zones and lower security zone as 0.

Since this log indicates that traffic initiated from inside to a dmz zone.... so it treated it as outbound...

CreatePlease to create content