05-06-2012 09:08 AM - edited 03-11-2019 04:02 PM
Hi
I am sending the informational log, specifically message ID 302013, from a Cisco ASA to a syslog server. I am only concerned about the built in message created from the outside to inside direction. Is it possible through configuration to receive on the syslog server only the traffic that flows from the outside to the inside zone?
05-06-2012 06:57 PM
Hello,
So you just want to have outbound connections being logged? That message won't work, and neither will the build local-host message. I don't think there is a way to do that. You can always submit an enhancement request to a Cisco account manager. Thinking about it a little bit, you can try the following workaround:
What you can do is set an ACL with a normal permit IP any any with the log keyword at the end and place it on the interface, for example inside, in the inbound direction. It will log every attempt to establish a connection outbound through the ASA; then you can set the logging level for that and send it to the syslog server.
Cheers,
Mike
05-06-2012 10:34 PM
Hi Mike
Thanks for your reply.
I tried to do so but I faced another problem. I set the log keyword at the end of the ACL that is applied to the outside zone interface and configured the FW to send only message ID 106100 to the syslog server, but enabling log gives some irrelevant traffic logs. It catches the first response packet of traffic that is actually initiated from the inside to outside direction, which ideally should not happen because return traffic goes via the existing session. I have users in the inside zone who connect to a proxy server in the outside zone. In the case of the proxy, the connection is always built up by the user, not by the proxy server, but I also get traffic logs for packets sent in reply by the proxy (the source port is the known proxy port, the destination IP is the user's machine IP address, and the port is always an unknown destination port). To make sure whether this packet was initiated by the proxy server, I started capturing logs for both message IDs 106100 and 302013 and found that none of the built in messages is generated after getting the log for the permitted message (generated by 106100). So if the built in message is not being generated, it is not proxy-initiated traffic. I don't know what is going on.
Please help.
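
The cross-check described in the post above (does each 106100 permit have a matching 302013 Built message?) can be run over collected syslog lines. This is an added example, not part of the original thread; the log lines, ACL name and addresses are constructed, and the regexes assume the message layout shown in the sample.

```python
import re

# Constructed sample lines in the shape of ASA messages 106100 and 302013.
SAMPLE = """\
May 06 2012 10:00:01 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.9(40000) -> inside/10.1.1.8(443) hit-cnt 1 first hit [0x0, 0x0]
May 06 2012 10:00:01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.9/40000 (203.0.113.9/40000) to inside:10.1.1.8/443 (10.1.1.8/443)
May 06 2012 10:00:07 %ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.20(8080) -> inside/10.1.1.5(51514) hit-cnt 1 first hit [0x0, 0x0]
"""

ACL_RE = re.compile(
    r"%ASA-6-106100: access-list \S+ permitted tcp "
    r"[^/\s]+/([\d.]+)\((\d+)\) -> [^/\s]+/([\d.]+)\((\d+)\)")
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection \d+ for "
    r"[^:\s]+:([\d.]+)/(\d+) \([^)]*\) to [^:\s]+:([\d.]+)/(\d+)")

def flow_key(ip_a, port_a, ip_b, port_b):
    # Unordered endpoint pair, so the match does not depend on which
    # side of the connection the Built message lists first.
    return frozenset({(ip_a, int(port_a)), (ip_b, int(port_b))})

def correlate(lines):
    """Split 106100 permits into those with and without a 302013 Built line."""
    lines = list(lines)
    built = set()
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built.add(flow_key(*m.groups()))
    matched, unmatched = [], []
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            desc = f"{m[1]}:{m[2]} -> {m[3]}:{m[4]}"
            (matched if flow_key(*m.groups()) in built else unmatched).append(desc)
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = correlate(SAMPLE.splitlines())
    for desc in matched:
        print("permit with Built message:   ", desc)
    for desc in unmatched:
        print("permit without Built message:", desc)
```

A permit that lands in the second list is the situation the post describes: a 106100 entry with no corresponding 302013 connection build.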