Tracking ASA rules

benson.low
Level 1

Hi CSC,

Is there a way to extract which traffic is hitting which rule from syslog? Thanks.

Rgrds,

Benson

4 Replies

Maykol Rojas
Cisco Employee

Hello,

You can assign the keyword log at the end of the ACL, and that will generate a syslog per rule match for each rule that has this keyword at the end.

Mike


Hi Mike,

What you proposed is for Cisco routers; I am referring to the ASA. The syslog entries have the following fields, but they do not show which rule is hit.

Jan 24 00:00:52 172.16.132.21 :Jan 23 23:49:07 SGT: %ASA-session-6-302013: Built inbound TCP connection 1158354 for CITRIX:x.x.x.x/60659 (x.x.x.x/60659) to Inside:x.x.x.x/445 (x.x.x.x/445)

Extract from CISCO ASA COMMAND REFERENCE 8.2

Syntax Description

log

(Optional) Sets logging options when an ACE matches a packet for network access (an access list applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450

Extract from Cisco ASA 5500 Series System Log Messages, 8.2

Log message: 106100

Error Message    %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval}) hash codes

When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the adaptive security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the adaptive security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.

If you are in doubt, please ask first.

Mike
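To show how the 106100 fields quoted above answer the original question (which traffic is hitting which ACL), here is an added Python example; it is not code from this thread or from Cisco. The ACL names, interface names, addresses and log lines are constructed samples; the 302013 line is included to show that connection-built messages carry no rule name and are skipped.

```python
import re
from collections import defaultdict
from typing import Optional

# Pattern derived from the documented 106100 format:
#   access-list acl_ID {permitted|denied|est-allowed} protocol
#   src_if/src(sport) -> dst_if/dst(dport) hit-cnt N (first hit | N-second interval)
# The arrow is accepted as "->" (appliance output) or a bare "-".
ACL_HIT = re.compile(
    r"%ASA-(?P<level>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^\s(]+)\((?P<sport>\d+)\) -+>? "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^\s(]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval)"
)

# Constructed sample syslog lines (not real appliance output).
SAMPLE_LOG = """\
Jan 24 00:00:52 172.16.132.21 :Jan 23 23:49:07 SGT: %ASA-6-106100: access-list inside_in permitted tcp Inside/10.10.1.5(60659) -> CITRIX/10.20.0.9(445) hit-cnt 1 first hit [0xa1b2c3d4, 0x0]
Jan 24 00:00:53 172.16.132.21 :Jan 23 23:49:08 SGT: %ASA-6-106100: access-list inside_in permitted tcp Inside/10.10.1.5(60660) -> CITRIX/10.20.0.9(445) hit-cnt 7 300-second interval [0xa1b2c3d4, 0x0]
Jan 24 00:00:54 172.16.132.21 :Jan 23 23:49:09 SGT: %ASA-6-106100: access-list outside_in denied udp Outside/198.51.100.7(5353) -> Inside/10.10.1.1(53) hit-cnt 3 first hit [0x11223344, 0x0]
Jan 24 00:00:52 172.16.132.21 :Jan 23 23:49:07 SGT: %ASA-session-6-302013: Built inbound TCP connection 1158354 for CITRIX:10.20.0.9/60659 (10.20.0.9/60659) to Inside:10.10.1.5/445 (10.10.1.5/445)
"""


def parse_acl_hit(line: str) -> Optional[dict]:
    """Return the rule and traffic fields of a 106100 line, or None for any
    other message ID (302013 and friends name no access-list)."""
    m = ACL_HIT.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "hits"):
        fields[key] = int(fields[key])
    return fields


def summarize(lines):
    """Aggregate hit-cnt per (acl, action, proto, dst, dport) across a batch
    of syslog lines. Returns (totals, number_of_non_acl_lines_skipped)."""
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        hit = parse_acl_hit(line)
        if hit is None:
            skipped += 1
            continue
        key = (hit["acl"], hit["action"], hit["proto"], hit["dst"], hit["dport"])
        totals[key] += hit["hits"]  # interval lines already carry the summed count
    return dict(totals), skipped


if __name__ == "__main__":
    totals, skipped = summarize(SAMPLE_LOG.splitlines())
    for (acl, action, proto, dst, dport), hits in sorted(totals.items()):
        print(f"{acl:12} {action:10} {proto:4} -> {dst}:{dport}  hits={hits}")
    print(f"skipped {skipped} line(s) without an access-list name")
```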


Hi Mike,

Thanks, it does help to solve part 1. Now I am stuck with another issue: the moment the log keyword is entered for 1 ACE, no more syslog is being generated.
