I have some network monitoring servers that are using snmp/icmp to monitor devices on the network. The icmp functions are not used but cannot be turned off in the application, so they are blocked on the firewall. This is filling the logs on the ASA with icmp denied messages.
The FW acl has 2 lines which log traffic, "deny tcp any any log informational interval 300" and "deny udp any any log informational interval 300", both at the end of the ACL just before the implicit deny. Neither of which I believe should log icmp traffic. In case I am wrong I added an additional line denying icmp from the servers to the network above those lines with no log statement. Packet-tracer confirms icmp is being blocked by this deny statement. The acl is also showing about 40K hits on the line blocking icmp.
Yet the logs on the ASA still show icmp packets being denied between the servers and network devices. Is there some other service running that is logging, is it more likely I should check my ACLs again, am I doing something wrong, or are there any bugs that could affect this? Bit stuck with this one, any help would be appreciated.
FW-PRI/act# show ver
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.0(3)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
FW-PRI up 1 year 83 days
failover cluster up 1 year 83 days
Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Thank you for the replies. If I understand this correctly the logging is automatic and can only be turned off globally. I can only turn it off for certain subnets, as we know why that is occurring and we can't turn it off on the application; anything else would incur the wrath of change control. Is there any way to just turn it off for these subnets?
Unfortunately, that cannot be done. One thing you can do to throttle the rate at which messages are generated for that subnet alone is to use an access-list entry with the log keyword. For details on this command, please refer to the link below:
So what the above does is it produces syslog ID 106100 at an interval of 1000 seconds specifying how many times this access-list entry has been hit in the past 100 seconds. You can specify an interval as required. For details about this syslog, please refer to the link below:
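As an added configuration example (not from the thread; the ACL name and addresses are placeholders), showing why a deny entry with no log keyword still produces a denied-packet message for every hit, and the throttled form the reply describes:

```cisco
! Constructed example. Monitoring servers 10.0.0.0/24, monitored devices 10.1.0.0/16,
! ACL "inside_in" applied inbound on the interface the servers sit behind.
!
! A deny ACE with no log keyword is NOT silent: it uses "log default", which emits
! syslog 106023 for every denied packet. That is the message that fills the log.
access-list inside_in line 1 extended deny icmp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
!
! Replacing it with the log keyword switches that ACE to syslog 106100: one summary
! per interval (here 300 s) with the hit count, instead of one 106023 line per packet.
no access-list inside_in line 1 extended deny icmp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_in line 1 extended deny icmp 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0 log informational interval 300
!
! The catch-all entries from the thread stay after it, just before the implicit deny.
access-list inside_in extended deny tcp any any log informational interval 300
access-list inside_in extended deny udp any any log informational interval 300
!
! Checks: confirm the icmp ACE is the one matching, and watch which message ID appears.
packet-tracer input inside icmp 10.0.0.10 8 0 10.1.2.3
show access-list inside_in | include icmp
show logging | include 106023|106100
```

Apply the change to the ACE rather than the global logging message ID, so 106023 is still produced for every other deny in the ACL.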