Cisco ASA acl logging based on source IP not working

I have two Cisco ASA 5520s running IOS version 8.4.

I am trying to get all the packet events for a given "specific source" IP address sent to a syslog server. The syslog server has been configured and is working fine for other ASA events.

I have created a new ACL rule to log all events for that specific source IP address to the syslog server, but nothing is showing in the syslog logs, because (??) the packets are already permitted by another ACL rule sitting at the top.

I use the following ACL rule:

#access-list aclName extended permit ip host x.x.x.x any log debugging

The ACL hitcount is zero, but I am seeing that "specific source IP" in ASDM live traffic monitoring.

Could anyone please shed some light on this?


You might need to re-order your access-list rules to put the "permit ... log" one much earlier.  Remember that ASAs do first match; the first permit or deny rule which matches a packet controls its fate, regardless of any subsequent rules.

-- Jim Leinweber, WI State Lab of Hygiene


Hi Jim, thanks for your reply.

Is there any command/utility like the "shun" command that can work on "live packets" which have already been permitted first by another ACL rule?

Re-ordering the ACL would be difficult because it's a live circuit.


Thanks again - Jami.


Reordering the ACL will not affect other traffic.  Depending on whether you use the ASDM or the CLI: in the ASDM, select the rule you want to place higher and then use the arrow buttons toward the top left of the page to move it up, then click Apply.

In the CLI, remove the ACL entry and then re-enter it, but this time include the sequence number where you want to place it.

access-list aclName line 5 extended permit ip host x.x.x.x any log debugging

The above ACL will "squeeze" the entry into position 5 in the ACL order.  All lower ACLs will be reordered automatically.

--

Please remember to rate and select a correct answer
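The first-match behaviour and the "remove, then re-enter with a line number" fix discussed in this thread, as an added example that models ASA ACL evaluation in Python (not Cisco's code; the 10.0.0.0/8 rule and host 10.0.0.5 are constructed stand-ins for the thread's x.x.x.x):

```python
# Model of Cisco ASA first-match ACL evaluation (added example, not from the thread).
# The first permit/deny entry whose fields match a packet decides its fate, and only
# that entry's hit counter and "log" keyword fire. Addresses below are constructed.
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Ace:
    action: str          # "permit" or "deny"
    src: str             # "any" or a CIDR network; a host is a /32
    dst: str
    log: bool = False    # the "log" keyword on the entry
    hits: int = 0        # the hitcount ASDM shows

@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)

    def add(self, ace, line=None):
        """Append, or insert at 1-based position `line` ('access-list NAME line N ...')."""
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)   # later entries shift down automatically

    def evaluate(self, src_ip, dst_ip):
        """Return (verdict, logged) for one packet; implicit deny if nothing matches."""
        for ace in self.entries:
            if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
                ace.hits += 1
                return ace.action, ace.log
        return "deny", False

def _matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def demo():
    """Reproduce the thread: log entry appended last gets zero hits, moved up it fires."""
    acl = Acl("aclName")
    acl.add(Ace("permit", "10.0.0.0/8", "any"))                  # broad permit already on top
    log_ace = Ace("permit", "10.0.0.5/32", "any", log=True)       # the poster's "log debugging" rule
    acl.add(log_ace)                                              # appended at the bottom
    before = acl.evaluate("10.0.0.5", "192.0.2.10")               # ("permit", False): broad rule won
    hits_at_bottom = log_ace.hits                                 # 0, as in the question
    acl.entries.remove(log_ace)                                   # remove the entry ...
    acl.add(log_ace, line=1)                                      # ... re-enter it with a line number
    after = acl.evaluate("10.0.0.5", "192.0.2.10")                # ("permit", True): now logged
    return before, hits_at_bottom, after, log_ace.hits
```

Running `demo()` shows the same symptom the poster saw (zero hitcount while the traffic is clearly passing) and that moving the entry above the broad permit is what makes the log keyword take effect.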