Tracking access-list permits and denies in syslog

Hello -

I have worked with PIX/ASA in the past, but where I work now, they migrated from a Checkpoint firewall.  One thing that the Checkpoint did very well was log both permits and denies.  I am trying to replicate this with the ASA and a syslog server (Kiwi Syslog) and am having problems.

I have a DNS rule that only allows our DNS servers to get to external DNS.  When I do an NSLOOKUP and set the server to an external server (4.2.2.2), the lookup fails and I get the following:

2011-12-19 14:23:54 Local4.Info 10.1.0.213 Dec 19 2011 14:23:54 medela : %ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]

Before I go on, it would be nice to know that this is failing at INSIDE rule #7 (as that is the number that shows up in the ASDM).

....moving along....

If I add my IP address to the list of DNS servers, it works (as expected), but it doesn't show that in the syslog.  According to the ASDM, I have the logging set to informational.  The actual code in the ASA is:

access-list INSIDE-IN extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log

I am adding and removing myself from the MCHENRY-DNS-SERVERS object group.

What seems weird to me is I have this entry:

2011-12-19 14:32:49 Local4.Info 10.1.0.213 Dec 19 2011 14:32:49 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/67.202.194.149(53) hit-cnt 1 first hit [0xcf9aa9e5, 0x96f1d973]

10.1.1.44 is one of our internal DNS servers, so this entry makes sense.

I have multiple valid log entries like the one right above, but I can't seem to see the ones I generate.

The logging commands are:

logging enable

logging timestamp

logging buffer-size 500000

logging console debugging

logging monitor debugging

logging buffered debugging

logging trap informational

logging asdm informational

logging from-address XXXXX

logging recipient-address XXXXXXX level errors

logging recipient-address XXXXXX level errors

logging device-id string medela

logging host INSIDE 10.1.1.92 17/1514

What am I missing here?

We are running 8.2(3) ASA code and 6.3(4) 53 ASDM code.

Thanks!

/alan


Tracking access-list permits and denies in syslog

Hi Alan,

Looking at this syslog message

%ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]

It seems like there is an explicit ACE on the access-list INSIDE-IN which denied this outbound DNS traffic from host PC-alan.

Can you check this:

show access-l | in 0xe09e77c3

Now as per you,

If you add this host PC-alan to the list of trusted DNS servers in the object-group "MCHENRY-DNS-SERVERS", the DNS traffic works fine but you don't see a syslog telling you that the traffic was permitted.

But at the same time you see a log for a different server being permitted by the access-l.

%ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/67.202.194.149(53) hit-cnt 1 first hit [0xcf9aa9e5, 0x96f1d973]

Looking at this:

The first hex value corresponds to the object group, the second corresponds to the actual access rule.

So can you please show me the output of this:

show access-l | in 0xcf9aa9e5
show access-l | in 0x96f1d973

Can you send me the output of

show access-l INSIDE-IN | in domain

when you have that host added in that object-group and after you try nslookup from that host.

I'd like to see if that ACE has got any hit-cnts against it or not.

Puneet


Tracking access-list permits and denies in syslog

Puneet -

I want to clarify that I expected the first "denied" since PC-alan was not in the object MCHENRY-DNS-SERVERS.  That said, here is the first show access-l:

show access-l | in 0xe09e77c3

access-list INSIDE-IN line 26 extended deny ip any any log informational interval 300 (hitcnt=1407496) 0xe09e77c3

Line 26 is our deny all so that is good.

Before I did the second, I cleared the DNS cache to make sure it would generate hits.  The log entry is now:

2011-12-20 08:47:46 Local4.Info 10.1.0.213 Dec 20 2011 08:47:46 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/204.245.152.68(53) hit-cnt 12 300-second interval [0xcf9aa9e5, 0x96f1d973]

The two corresponding show access-lists are:

show access-l | i 0xcf9aa9e5

access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5

and

show access-l | i 0x96f1d973

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2153394) 0x96f1d973

Before I go on, I have a separate question (sorry for the digression).  Both of these refer to "line 8".  Shouldn't they show "line 7" per the attached ASDM screenshot?

Here is the final show command:

show access-l INSIDE-IN | in domain

access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2155033) 0x96f1d973

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.51 any eq domain log informational interval 300 (hitcnt=1063240) 0x5452a227

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.32 any eq domain log informational interval 300 (hitcnt=447) 0x17ac19ab

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.42 any eq domain log informational interval 300 (hitcnt=168) 0x598ed364

  access-list INSIDE-IN line 8 extended permit udp host PC-gail any eq domain log informational interval 300 (hitcnt=0) 0xfc2104c5

  access-list INSIDE-IN line 8 extended permit udp host PC-seth any eq domain log informational interval 300 (hitcnt=0) 0x5e736aae

  access-list INSIDE-IN line 8 extended permit udp host PC-alan any eq domain log informational interval 300 (hitcnt=17) 0xeceb330a

I see on the last line the hits on my lookup.  Now I look in the log file and I see:

2011-12-20 09:22:34 Local4.Info 10.1.0.213 Dec 20 2011 09:22:34 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/PC-alan(1503) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xcf9aa9e5, 0xeceb330a]

So now I see the entry in the log file.  I don't know why I didn't see it earlier.

Since I want to know that I hit line 7 on INSIDE-IN, why is that showing line 8?  And is there a way to get those line numbers over to my syslog, since that is how I would like to troubleshoot things (as crazy as that sounds)?

Thanks!

/alan


Tracking access-list permits and denies in syslog

Unfortunately you cannot get those line numbers into the syslog.

However, can you send me a screenshot of ASDM from line 1 to line 9?

And send me the output of show access-l INSIDE-IN?

Puneet


Tracking access-list permits and denies in syslog

Puneet - Thank you for your quick reply.

I found what is causing this.  It appears that a remark or description takes a line #:

  access-list INSIDE-IN line 2 extended permit ip host 10.1.x.x host addx (hitcnt=6) 0xe0fe5d0a
access-list INSIDE-IN line 3 extended permit tcp host 10.1.x.x any range 6366 6416 (hitcnt=0) 0x3235c4cb
access-list INSIDE-IN line 4 remark Laughlin Constable developing between our erpdev server and our web server
access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 object-group eCommerce-Development-Web 0xf2f65af6
  access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Echo-Mountain (hitcnt=0) 0x2b726d07
  access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Laughlin-Constable (hitcnt=0) 0x4c7009c7
access-list INSIDE-IN line 6 extended permit tcp object-group TIME-CLOCKS-IPS host tcaddx object-group TIME-CLOCK-TCP 0xc76e898f

So if I take the time to add a description in the ASDM, it messes up the line # in the hit count.

Any idea on how to get around that short of not using the description?

Thanks!

/alan
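Since the ASA never puts ACL line numbers into the 106100 message, the correlation Puneet walks through above (second hex value in brackets = the ACE hash, look it up in show access-list) can be done on the syslog server side instead. The following is an added example, not code from the thread or from Cisco: it parses a 106100 line, indexes a show access-list capture by ACE hash, and reports the CLI line plus the ACE text. The sample syslog line and show access-list fragment are constructed to mirror the thread; the "rule_index" field (CLI line minus preceding remark lines, to approximate ASDM's numbering that skips remarks) is an assumption drawn from Alan's last post, not a documented rule.

```python
import re

# Constructed sample input modelled on the thread: one ASA 106100 syslog line and a
# fragment of "show access-list" output (hosts, hashes and remark text are assumed).
SYSLOG_LINE = ("Dec 20 2011 09:22:34 medela : %ASA-6-106100: access-list INSIDE-IN "
               "permitted udp INSIDE/PC-alan(1503) -> OUTSIDE/4.2.2.2(53) "
               "hit-cnt 1 first hit [0xcf9aa9e5, 0xeceb330a]")
SHOW_ACL = """\
access-list INSIDE-IN line 3 extended permit tcp host 10.1.1.5 any range 6366 6416 (hitcnt=0) 0x3235c4cb
access-list INSIDE-IN line 4 remark DNS servers allowed out to Internet resolvers
access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5
  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2155033) 0x96f1d973
  access-list INSIDE-IN line 8 extended permit udp host PC-alan any eq domain log informational interval 300 (hitcnt=17) 0xeceb330a
access-list INSIDE-IN line 26 extended deny ip any any log informational interval 300 (hitcnt=1407496) 0xe09e77c3
"""

MSG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+) .*\[(?P<grp>0x[0-9a-f]+), (?P<ace>0x[0-9a-f]+)\]")
ACE_RE = re.compile(r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?)(?:\(hitcnt=\d+\) )?(?P<hash>0x[0-9a-f]+)$")
REMARK_RE = re.compile(r"^\s*access-list \S+ line (\d+) remark ")

def index_acl(show_output):
    """Map each ACE hash to (CLI line number, ACE text) and collect remark line numbers."""
    by_hash, remark_lines = {}, set()
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            by_hash[m["hash"]] = (int(m["line"]), m["body"].strip())
        r = REMARK_RE.match(raw)
        if r:
            remark_lines.add(int(r.group(1)))
    return by_hash, remark_lines

def enrich(syslog_line, by_hash, remark_lines):
    """Return the 106100 fields plus CLI line and ACE text resolved from the ACE hash.
    rule_index = CLI line minus remark lines before it; assumed (not documented) to
    match ASDM's rule numbering, which the thread shows skipping remark entries."""
    m = MSG_RE.search(syslog_line)
    if not m:
        return None
    info = m.groupdict()
    hit = by_hash.get(info["ace"])
    if hit:
        line, text = hit
        info.update(line=line, ace_text=text,
                    rule_index=line - sum(1 for r in remark_lines if r < line))
    return info
```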
