Cisco ASA acl logging based on source IP not working

mjami
Level 1

I have got two Cisco ASA 5520s running IOS version 8.4.

I am trying to get all the packet events for a given "specific source" IP address sent to a syslog server. The syslog server has been configured and is working fine for other ASA events.

I have created a new ACL rule to log all events for that specific source IP address to the syslog server, but nothing is showing in the syslog logs, because (??) the packets are already permitted by another ACL rule sitting at the top.

I use the following ACL rule:

#access-list aclName extended permit ip host x.x.x.x any log debugging

The ACL hitcount is zero, but I am seeing that "specific source IP" in ASDM live traffic monitoring.

Could anyone please shed some light on this?


3 Replies

James Leinweber
Level 4

You might need to re-order your access-list rules to put the "permit ... log" one much earlier. Remember that ASAs do first match: the first permit or deny rule which matches a packet controls its fate, regardless of any subsequent rules.

-- Jim Leinweber, WI State Lab of Hygiene

Hi Jim, thanks for your reply.

Is there any command/utility, like the "shun" command, that can work on "live packets" which have already been permitted first by another ACL rule?

Re-ordering the ACL would be difficult because it's a live circuit.


Thanks again - Jami.

Reordering the ACL will not affect other traffic. Depending on whether you use the ASDM or the CLI: in the ASDM, select the rule you want to place higher, then use the arrow buttons toward the top left of the page to move it up, then click Apply.

In the CLI, remove the ACL entry and then re-enter it, but this time include the sequence number where you want to place it.

access-list aclName line 5 extended permit ip host x.x.x.x any log debugging

The above ACL will "squeeze" the entry into position 5 in the ACL order. All lower ACL entries will be reordered automatically.

--

Please remember to rate and select a correct answer
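To make the first-match behaviour and the "line N" insertion concrete, here is a small Python simulator of ASA ACL evaluation. It is an added illustration, not code from the thread or from Cisco; the addresses (10.1.0.0/16, 10.2.0.0/16, host 10.1.0.5) and the packet sample are constructed, standing in for the thread's x.x.x.x and the broad permit above it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # network in CIDR form, or "any"
    dst: str
    log: bool = False  # models the "log debugging" keyword
    hits: int = 0      # models the ASA hitcount

def _matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

class Acl:
    def __init__(self):
        self.entries = []

    def add(self, entry, line=None):
        # No line number: append at the end. "line N": insert at 1-based
        # position N; the entries that followed shift down automatically.
        if line is None:
            self.entries.append(entry)
        else:
            self.entries.insert(line - 1, entry)

    def evaluate(self, src_ip, dst_ip):
        # First match wins: no later entry sees the packet, so its hitcount stays 0.
        for entry in self.entries:
            if _matches(entry.src, src_ip) and _matches(entry.dst, dst_ip):
                entry.hits += 1
                return entry.action, entry.log
        return "deny", False  # implicit deny at the end of every ACL

def log_rule_hits(line=None):
    """ACL shaped like the thread's (constructed addresses): broad permits on
    top, then the host-specific log entry. Returns that entry's hitcount."""
    acl = Acl()
    acl.add(AclEntry("permit", "10.1.0.0/16", "any"))  # broad permit "sitting on the top"
    acl.add(AclEntry("permit", "10.2.0.0/16", "any"))
    log_rule = AclEntry("permit", "10.1.0.5/32", "any", log=True)  # the host x.x.x.x rule
    acl.add(log_rule, line)
    for src in ("10.1.0.5", "10.1.0.5", "10.1.0.9", "10.2.0.7"):
        acl.evaluate(src, "192.0.2.10")
    return log_rule.hits

if __name__ == "__main__":
    print("appended at end:", log_rule_hits())  # 0: shadowed by the /16 permit
    print("inserted at line 1:", log_rule_hits(line=1))  # 2: both 10.1.0.5 packets
```

Inserting the entry at line 2 (still below the /16 permit) leaves the hitcount at 0, which is the same symptom as in the question: the entry must come before every broader entry that matches the host.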
