
ASA5510 Enable/view logging on specific ACL line



    How do I configure logging, and more importantly view said logs, for a single line of an access-rule?

    More detail:
    The firewall in our DR site was incorrectly configured with a single IP any/any allow rule for the DMZ interface. We recently fixed that by adding in the specific ports/rules we needed for dmz to inside/outside access, and disabled the ip any/any rule. However, that caused some issues, as we had missed a few critical rules that needed to be added. So we re-enabled the ip any/any rule, albeit at the end of the list of rules so that the correct ones would be used first.
    But we're still showing traffic hitting that ip any/any rule.

    My approach would be to disable the rule, and then watch the logs (in ASDM) to see what's getting denied, and fix accordingly. I know how to do that.

    Alas, the bossman would like to be more pro-active, and instead view the logs for that rule to see what traffic is being passed currently, and then go from there.

    I'm not that familiar with CLI, I use ASDM more. It looks like that rule already has logging enabled to 'informational', but when I right-click and view log, the only thing that shows up is 'begin configuration' notices. I can watch the hit-count go up on the ip any/any rule, but the log shows nothing.

    If I do a sh run log, I get:
    logging enable
    logging buffered notifications
    logging trap notifications
    logging asdm notifications
    logging from-address *********
    logging recipient-address ********* level errors
    logging host inside

    access list for that rule shows:
    access-list dmz_access_in line 74 extended permit ip any log informational interval 300

    Any help or input would be appreciated.
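    An added check, written for this thread rather than taken from it, that reads the posted `sh run log` output and the line-74 ACE and reports, per logging destination, whether that ACE's hit messages can get through. On the ASA an ACE with `log informational` emits its 106100 hit messages at severity 6, while a destination configured at `notifications` only accepts severity 5 and more severe, so `logging asdm notifications` and `logging buffered notifications` silently drop them; the hit counter is independent of logging, which is why it keeps climbing with nothing in the viewer. The e-mail and syslog-host addresses below are placeholders for the redacted ones, and the `raise_destination` helper is mine.

```python
import re

# Cisco ASA syslog severities: lower number = more severe. A logging
# destination configured at level N receives messages of severity N and lower.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed copy of the "sh run log" output from the post; the redacted
# addresses are placeholders, not real values.
SHOW_RUN_LOGGING = """\
logging enable
logging buffered notifications
logging trap notifications
logging asdm notifications
logging from-address asa@example.invalid
logging recipient-address admin@example.invalid level errors
logging host inside 192.0.2.50
"""

# The ACE from the post (line 74 of dmz_access_in), as it was pasted.
ACE_LINE = ("access-list dmz_access_in line 74 extended permit ip any "
            "log informational interval 300")


def parse_level(token):
    """Accept a severity name or its number; return the number, or None."""
    if token.isdigit():
        n = int(token)
        return n if 0 <= n <= 7 else None
    return SEVERITY.get(token.lower())


def ace_log_level(ace):
    """Severity at which an ACE generates its 106100 hit messages.

    'log' with no level keyword (or 'log default') means informational (6);
    'log disable' means the ACE never logs (None). An ACE without 'log' only
    produces the generic 106023 deny messages, so it is reported as None too.
    """
    m = re.search(r"\blog\b(?:\s+(\w+))?", ace)
    if not m:
        return None
    keyword = m.group(1)
    if keyword is None or keyword in ("interval", "default"):
        return SEVERITY["informational"]
    if keyword == "disable":
        return None
    return parse_level(keyword)


def destination_levels(show_run_logging):
    """Map each configured logging destination to its severity threshold."""
    dests = {}
    pat = re.compile(
        r"^logging (buffered|trap|asdm|console|monitor|mail|history)\s+(\S+)$")
    for line in show_run_logging.splitlines():
        m = pat.match(line.strip())
        if m:
            dests[m.group(1)] = parse_level(m.group(2))
    return dests


def destinations_receiving(ace, show_run_logging):
    """For each destination, True if the ACE's hit messages pass its filter."""
    lvl = ace_log_level(ace)
    return {
        dest: (lvl is not None and threshold is not None and lvl <= threshold)
        for dest, threshold in destination_levels(show_run_logging).items()
    }


def raise_destination(show_run_logging, dest, level_name):
    """Return the config text with one destination's threshold rewritten."""
    out = []
    for line in show_run_logging.splitlines():
        if line.strip().startswith(f"logging {dest} "):
            line = f"logging {dest} {level_name}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for dest, ok in destinations_receiving(ACE_LINE, SHOW_RUN_LOGGING).items():
        print(f"{dest:9s} {'receives' if ok else 'DROPS'} ACE line 74 messages")
    fixed = raise_destination(SHOW_RUN_LOGGING, "asdm", "informational")
    print(destinations_receiving(ACE_LINE, fixed)["asdm"])
```

    With the posted config every destination drops the line-74 messages; raising `logging asdm` (and `logging buffered`, if you want `show logging` to work too) to `informational` is the minimal change that makes them visible without turning on debugging for everything.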

  • #2
    Re: ASA5510 Enable/view logging on specific ACL line

    Dump the logs to a syslog server. The Realtime Log Viewer in ASDM is pretty good as well.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
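    To go with #2's suggestion of a syslog server: an added Python example, mine rather than anything posted in this thread, that reads 106100 ACE-hit messages out of a syslog file, sums the hit counts per destination for one ACL, optionally restricted to a single ACE by the first bracketed hash in the message (which is the same hash `show access-list` prints for that entry), and drafts explicit permit lines for review. The message layout follows Cisco's documented 106100 format; the sample lines, hostname, addresses and hash values are constructed. For these messages to reach the syslog host at all, `logging trap` has to be at `informational` or higher.

```python
import re
from collections import defaultdict

# Cisco's documented layout of message 106100:
#   %ASA-<sev>-106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#     <in_if>/<src_ip>(<src_port>) -> <out_if>/<dst_ip>(<dst_port>)
#     hit-cnt <n> {first hit|<secs>-second interval} [<ace_hash>, <hash2>]
MSG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>[^)]*)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>[^)]*)\) "
    r"hit-cnt (?P<hits>\d+) (?:first hit|\d+-second interval)"
    r"(?: \[(?P<ace_hash>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\])?"
)

# Constructed sample syslog lines; documentation address ranges, made-up hashes.
SAMPLE_SYSLOG = """\
Jun 01 2012 09:10:01 asa-dr : %ASA-6-106100: access-list dmz_access_in permitted tcp dmz/10.20.0.15(51234) -> outside/198.51.100.7(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jun 01 2012 09:15:01 asa-dr : %ASA-6-106100: access-list dmz_access_in permitted tcp dmz/10.20.0.15(51235) -> outside/198.51.100.7(80) hit-cnt 4 300-second interval [0x1a2b3c4d, 0x0]
Jun 01 2012 09:15:01 asa-dr : %ASA-6-106100: access-list dmz_access_in permitted udp dmz/10.20.0.15(53422) -> inside/10.10.0.5(53) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
Jun 01 2012 09:15:01 asa-dr : %ASA-6-106100: access-list dmz_access_in permitted tcp dmz/10.20.0.22(44100) -> inside/10.10.0.9(1433) hit-cnt 2 300-second interval [0x1a2b3c4d, 0x0]
Jun 01 2012 09:15:02 asa-dr : %ASA-6-106100: access-list dmz_access_in permitted tcp dmz/10.20.0.22(44101) -> inside/10.10.0.9(445) hit-cnt 1 first hit [0x99aa77bb, 0x0]
Jun 01 2012 09:15:03 asa-dr : %ASA-6-106100: access-list outside_access_in denied tcp outside/203.0.113.9(40000) -> dmz/10.20.0.15(22) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Jun 01 2012 09:15:04 asa-dr : %ASA-6-111007: Begin configuration: 172.31.0.10 reading from http [POST]
"""


def parse_106100(line):
    """Return the fields of a 106100 message as a dict, or None for other lines."""
    m = MSG_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["hits"] = int(rec["hits"])
    return rec


def summarize_hits(lines, acl, action="permitted", ace_hash=None):
    """Sum hit-cnt per (proto, dst_if, dst_ip, dst_port) for one ACL.

    ace_hash restricts the sum to one entry: the first bracketed value in the
    message, which matches the hash shown by 'show access-list' for that ACE.
    """
    totals = defaultdict(int)
    for line in lines.splitlines():
        rec = parse_106100(line)
        if rec is None or rec["acl"] != acl or rec["action"] != action:
            continue
        if ace_hash is not None and (rec["ace_hash"] or "").lower() != ace_hash.lower():
            continue
        totals[(rec["proto"], rec["dst_if"], rec["dst_ip"], rec["dst_port"])] += rec["hits"]
    return dict(totals)


def draft_aces(summary, acl):
    """Draft one remark plus one explicit permit per observed flow, busiest first.

    Source is left as 'any' on purpose: this summary only tracks destinations,
    so the source still has to be narrowed by hand before anything is applied.
    """
    out = []
    for (proto, dst_if, dst_ip, dst_port), hits in sorted(summary.items(), key=lambda kv: -kv[1]):
        out.append(f"access-list {acl} remark observed {hits} hits -> {dst_if}/{dst_ip} {proto}/{dst_port}")
        port = f" eq {dst_port}" if proto in ("tcp", "udp") else ""
        out.append(f"access-list {acl} extended permit {proto} any host {dst_ip}{port}")
    return out


if __name__ == "__main__":
    summary = summarize_hits(SAMPLE_SYSLOG, "dmz_access_in")
    for key, hits in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{hits:5d}  {key[0]} -> {key[1]}/{key[2]}:{key[3]}")
    print("\n".join(draft_aces(summary, "dmz_access_in")))
```

    Run it against the file your syslog daemon writes for the firewall, with the ACL name and (from `show access-list dmz_access_in`) the hash of the ip any/any line; what comes out is the list of flows that only that rule is letting through, which is exactly the list of explicit rules still missing.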


    • #3
      Re: ASA5510 Enable/view logging on specific ACL line

      Real time viewer isn't showing any results for the DMZ acl, only for outside (i.e. it's not showing any results for internal IP addresses, only the external ones).

      Here's how I'm testing.
      1) Open Real Time viewer.
      2) In ASDM, note hit-count for ip any/any rule
      3) Go to DMZ machine and launch IE (we don't have an explicit rule allowing http access, so that traffic is going through the ip any/any rule).
      4) Note that the hitcount increased
      5) Look at Real Time viewer - nada. The only thing in the view is syslog ID 111007: Begin Configuration: 172.31.x.x reading from http [POST] (the IP address is the machine I'm running ASDM on).

      How do I view the traffic that's causing the hit-count to increase for the ip any/any rule? Do I need to change something in ASDM? Logging is set to Debugging.


      • #4
        Re: ASA5510 Enable/view logging on specific ACL line

        The only thing I see in the Real Time Viewer is traffic denied on our outside interface (we block all international IPs).
        I don't see any internal traffic, or site-to-site VPN traffic.
        I'm not familiar enough with syslog to use that to view the logs.

        Surely there's a way to view from either ASDM or cli? It's probably something really simple that I just don't know how to do.


        • #5
          Re: ASA5510 Enable/view logging on specific ACL line

          I would create an access list and a packet capture. This way you can capture only what you want.


          access-list PACKET_CAPTURE extended permit ip any any

          capture MY_PACKET_CAPTURE access-list PACKET_CAPTURE interface inside
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)