Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

hit details on a specific policy

Hello all,

  I am new to the Firewall world and in doing some troubleshooting, I wanted to see if it was possible on an ASA 5505 to see the details of specific hits on a policy

I have an Interface called FrontEnd and I added an any any permit as the last policy on that interface and I see the traffic incrementing so I know that there is some traffic coming in from the FrontEnd interface that is passing by all the other policies on that interface and being allowed by the any any permit

Is there a way to see the details of those hits?  for example the source IP destination IP and destination port?

I am sorry if this question has been asked before, I did search but I might be using the wrong criteria in my search of the forum and the web

Thanks in advance for any assistance.

I do have ASDM up and this specific policy ID on that interface is 5 if that matters

Wally

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

hit details on a specific policy

Absolutely possible.  What you will have to do is enable ACL logging on the "permit any any" ACL in question.

access-list 101 permit ip any any log

This will generate a log message 106100 each time traffic matches the ACL entry in question.  By default, this log message is severity level 6 (informational). 

To avoid having to turn on debugging at this level of detail (and potentially miss the messages you want to see due to other log messages), you can make it so this log message will generate syslog entries at a custome level.  For instance:

access-list 101 permit ip any any log alerts

Now, log message 106100 will appear as a severety level 1 (alerts) message, which will make it much easier to see in the logs.  To enable logging to the buffer, use the following:

logging buffered alerts

Then, when you see the hitcount go up on your ACL rule, you only need to type show log to view the details (source ip/ port, destination ip/port, protocol) of the traffic which was permitted through your ACL.

Hope this helps.

4 REPLIES
New Member

hit details on a specific policy

Absolutely possible.  What you will have to do is enable ACL logging on the "permit any any" ACL in question.

access-list 101 permit ip any any log

This will generate a log message 106100 each time traffic matches the ACL entry in question.  By default, this log message is severity level 6 (informational). 

To avoid having to turn on debugging at this level of detail (and potentially miss the messages you want to see due to other log messages), you can make it so this log message will generate syslog entries at a custome level.  For instance:

access-list 101 permit ip any any log alerts

Now, log message 106100 will appear as a severety level 1 (alerts) message, which will make it much easier to see in the logs.  To enable logging to the buffer, use the following:

logging buffered alerts

Then, when you see the hitcount go up on your ACL rule, you only need to type show log to view the details (source ip/ port, destination ip/port, protocol) of the traffic which was permitted through your ACL.

Hope this helps.

Red

hit details on a specific policy

Just to add to what Eddie said, even if you want to see all th traffic hitting the ip any any acl, then you can use the acl:

access-list 101 permit ip any any log

and then go to the asdm, right click on the rule and select "show logg", this would pop up a ASDM log viewer window, and you would see all the traffic hitting that specific acl.

This way you can keep a track of it.

The above acl would turn on logging at informational level for that ACL only.

Hope that helps.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

hit details on a specific policy

Hi Walter,

are looking for these features

Keeps track of flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.

Defines  and exports templates that describe the progression of a flow.  Templates describe the format of the data records that are exported  through NetFlow. Each event has several record formats or templates  associated with it.

Tracks  configured NSEL collectors and delivers templates and data records to  these configured NSEL collectors through NetFlow over UDP only.

Sends  template information periodically to NSEL collectors. Collectors  receive template definitions, normally before receiving flow records.

Filters  NSEL events based on the traffic and event type through Modular Policy  Framework, and then sends records to different collectors. Traffic is  matched based on the order in which classes are configured. After a  match is found, no other classes are checked. The supported event types  are flow-create, flow-denied, flow-teardown, and all. Records can be  sent to different collectors. For example, with two collectors, you can  do the following:

Log all flow-denied events that match access-list 1 to collector 1.

Log all flow-create events to collector 1.

Log all flow-teardown events to collector 2.

Delays the export of flow-create events.

Then have a look at

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wp1111174

Sachin

New Member

hit details on a specific policy

Thank you all for the tips, they have helped out quite a bit.  Sachin the links in your post did not show up, but I got the meaning of what you were saying so I can do further research.  Thanks all very much

Wally

403
Views
0
Helpful
4
Replies
CreatePlease to create content