Filter informational traffic.

samarjit.das
Level 1

Hi

I am sending the informational log, specifically message ID 302013 of the Cisco ASA, to a syslog server. I am only concerned about the built in message created from the outside to inside direction. Is it possible through configuration so that I only receive traffic in the syslog server that flows from the outside to the inside zone?

2 Replies

Maykol Rojas
Cisco Employee

Hello,

So you just want to have outbound connections being logged? That message won't work, and neither will the build local-host. I don't think there is a way to do that. You can always submit an enhancement request to a Cisco Account manager. Thinking about it a little bit, you can try the following workaround:

What you can do is set an ACL with a normal permit IP any any with the log keyword at the end and place it on the interface, for example inside, in the inbound direction. It will log every attempt to establish a connection outbound through the ASA; then you can set the logging level for that and send it to the syslog server.

Cheers,

Mike


Hi Mike

Thanks for your reply.

I tried to do so but I faced another problem. I set the log keyword at the end of the ACL that is applied to the outside zone interface and configured the FW to send only message ID 106100 to the syslog server, but enabling log gives some irrelevant traffic logs. It catches the first response packet of traffic that is actually initiated from the inside to the outside direction, which ideally should not happen because return traffic goes via the existing session. I have users in the inside zone who connect to a proxy server in the outside zone. In the case of the proxy, the connection is always built up by the user, not by the proxy server, but I get traffic logs for those packets also that are replied by the proxy (source port is the known proxy port, and the destination IP is the user's machine IP address and the port is always an unknown destination port). To make sure whether this packet was initiated by the proxy server, I started capturing logs for both message IDs 106100 and 302013 and found that none of the built in messages is generated after getting the log for the permitted message (generated by 106100). So if the built in message is not being generated, it is not proxy-initiated traffic. I don't know what is going on.

Please help.
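A receiver-side way to get the view asked for in this thread, added here as an example and not written by either poster: keep sending message 302013 and filter it on the syslog server by the direction keyword and interface names. The message layout encoded in the regex and the interface names `outside` and `inside` are assumptions to check against your own logs, and the sample lines are constructed.

```python
import re

# Assumed layout of ASA message 302013 (verify against your own device output):
#   Built {inbound|outbound} TCP connection <id> for <ifc>:<ip>/<port> (<mapped>)
#   to <ifc>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<ifc_a>[^:\s]+):(?P<ip_a>[^/\s]+)/(?P<port_a>\d+) (?:\([^)]*\))+ "
    r"to (?P<ifc_b>[^:\s]+):(?P<ip_b>[^/\s]+)/(?P<port_b>\d+)"
)

def parse_built(line):
    """Return the fields of a 302013 line as a dict, or None for any other message."""
    m = BUILT_RE.search(line)
    return m.groupdict() if m else None

def outside_initiated(lines, outside="outside", inside="inside"):
    """Keep connections the ASA itself marked 'inbound' between the two named interfaces.

    The direction keyword is what identifies the initiator; the interface names
    alone do not, because they also appear on outbound connections.
    """
    kept = []
    for line in lines:
        rec = parse_built(line)
        if rec and rec["direction"] == "inbound" \
                and rec["ifc_a"] == outside and rec["ifc_b"] == inside:
            kept.append(rec)
    return kept

# Constructed sample input (documentation addresses, hypothetical ACL name outside_in).
SAMPLE = [
    "Mar 01 10:00:01 fw1 %ASA-6-302013: Built inbound TCP connection 7001 for "
    "outside:203.0.113.20/40122 (203.0.113.20/40122) to inside:10.1.1.50/443 (198.51.100.50/443)",
    "Mar 01 10:00:02 fw1 %ASA-6-302013: Built outbound TCP connection 7002 for "
    "outside:203.0.113.80/8080 (203.0.113.80/8080) to inside:10.1.1.23/51514 (198.51.100.1/51514)",
    "Mar 01 10:00:02 fw1 %ASA-6-106100: access-list outside_in permitted tcp "
    "outside/203.0.113.80(8080) -> inside/10.1.1.23(51514) hit-cnt 1 first hit [0x0, 0x0]",
    "Mar 01 10:00:03 fw1 %ASA-6-302013: Built inbound TCP connection 7003 for "
    "dmz:172.16.0.9/33000 (172.16.0.9/33000) to inside:10.1.1.50/22 (10.1.1.50/22)",
]

if __name__ == "__main__":
    for rec in outside_initiated(SAMPLE):
        print(rec["conn_id"], rec["ip_a"], "->", rec["ip_b"], rec["port_b"])
```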
