topic Re: Cisco ASA Syslog Message 302013 source IP in Network Security

Cisco ASA Syslog Message 302013 source IP

meirtz4 — Mon, 23 Jan 2023 11:44:15 GMT

Hi, in the log messages for 302013, on outbound, is it possible to determine the source IP. Meaning who is the IP that initiates the connection? Or is the inbound/outbound indication + IP location in the message only indicating of the security levels?

Some examples:
Jul 6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 for dev:10.2.4.86/25 (10.2.4.86/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)

%ASA-6-302013: Built outbound TCP connection 1139888864 for Outside:103.33.237.104/443 (103.33.237.104/443) to Inside:10.12.122.84/17960 (192.44.45.104/17880)

Thanks.

Re: Cisco ASA Syslog Message 302013 source IP

Marius Gunnerud — Mon, 23 Jan 2023 12:11:06 GMT

You could use a WHOIS (use google to and select a WHOIS site you would like to use) service and lookup the IP address 103.33.237.104. Just did a lookup on it and it is an IP located in China.

Re: Cisco ASA Syslog Message 302013 source IP

meirtz4 — Mon, 23 Jan 2023 12:47:04 GMT

Thank you. Actually what I am trying to achieve, if possible, a definition of which IP will be the source and which is the destination. Meaning, who initiated the connection. From reading the docs, I'm not sure if it's possible. For example in the log with the IP 103.33.237.104, is it the IP who initiated the connection? Or the other?

Thanks.

Re: Cisco ASA Syslog Message 302013 source IP

MHM Cisco World — Mon, 23 Jan 2023 13:02:03 GMT

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116149-qanda-ASA-00.pdf
answer is here in this link

Re: Cisco ASA Syslog Message 302013 source IP

Marius Gunnerud — Mon, 23 Jan 2023 13:59:08 GMT

Usually the log that states "Built" defines the initiating IP. So in your first example, the initiating IP would be 10.2.4.86. But the second example doesn't make sense as it is stating Built outbound TCP connection from the Outside interface. Is this a copy paste error or an actual log message?

Jul 6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 for dev:10.2.4.86/25 (10.2.4.86/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)

%ASA-6-302013: Built outbound TCP connection 1139888864 for Outside:103.33.237.104/443 (103.33.237.104/443) to Inside:10.12.122.84/17960 (192.44.45.104/17880)

Had the second log message stated Built inbound TCP connection ... for Outside.... then this would mean that the IP 103.33.237.104 is initiating a connection inbound with source port tcp/443.

A better way to validate this is to setup a capture and then go through the captured data in Wireshark

Re: Cisco ASA Syslog Message 302013 source IP

Marvin Rhoads — Mon, 23 Jan 2023 14:34:30 GMT

in addition to what's already been shared, consider the port numbers. TCP connections (and UDP flows) are generally initiated from an ephemeral port (>1024) to a well-known port. For instance, tcp/25 would be smtp (mail server) and tcp/443 is https (web server). Clients generally initiate connections to servers.

Re: Cisco ASA Syslog Message 302013 source IP

meirtz4 — Mon, 23 Jan 2023 19:02:01 GMT

@Marvin Rhoads @Marius Gunnerud Thank you for your response.

In the first example, unlike what you assumed, the initiating IP is 10.128.85.25. Please refer to this thread - ASA SYSLOG - How is direction determined in 302013 & 302015 - Cisco Community

The second example, which provided by me, is an actual message. I need to decide how to parse it, who is the source and who is the destination. And I agree it doesn't make sense, also I've noticed to the ports as you said.

Do you think maybe the source and destination IP's has no correlation with outbound/inbound and order?

Re: Cisco ASA Syslog Message 302013 source IP

Marius Gunnerud — Tue, 24 Jan 2023 09:59:05 GMT

As of yet I have not been able to find any documentation that will support what I am about to write, but this is what I believe why the log message is being displayed in reverse.

When a connection is established from the inside to the outside on HTTPS that connection the return traffic needs to be allowed and I believe that it is this connection / opening that we see in the log and therefore why it is being showed with IPs in the reverse order.

Re: Cisco ASA Syslog Message 302013 source IP

meirtz4 — Wed, 25 Jan 2023 10:08:49 GMT

Thanks, I was also looking for official documentation but can't seem to find any. What ever this is the reason or not, the important thing for me is to understand - will the later IP will always be the source (on outbound), or this may change between different interfaces?

Thanks.

Re: Cisco ASA Syslog Message 302013 source IP

Marius Gunnerud — Wed, 25 Jan 2023 10:36:31 GMT

The IP itself and the interface associated with the IP will of course change, but the latter will always represent the source.

Re: Cisco ASA Syslog Message 302013 source IP

MHM Cisco World — Wed, 25 Jan 2023 12:49:18 GMT

I will check some point with you today.

Re: Cisco ASA Syslog Message 302013 source IP

Marius Gunnerud — Wed, 25 Jan 2023 13:41:30 GMT

Here is a document describing the logs a little more.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116149-qanda-ASA-00.html

Re: Cisco ASA Syslog Message 302013 source IP

MHM Cisco World — Wed, 25 Jan 2023 15:43:03 GMT

I make small lab, config two ASA FW with allow TCP to OUT of each,
I run tcp from the R1 toward R2

I get notification message, it not so helpful but using info in log message and using
show conn we can get more info. about this traffic,
TCP have flag we can use it to see if traffic Inbound Outbound direction and also FIN SYN and ACK of traffic.

in my lab since I tcp from R1 to R2 I can see flag UIO <<- and by using another table I can see that this traffic is Outbound Date, meaning that the traffic initiate from Inside of ASA FW.

Re: Cisco ASA Syslog Message 302013 source IP

meirtz4 — Wed, 25 Jan 2023 16:46:42 GMT

Thanks @MHM Cisco World ! Just to be sure:
inside == R1 == 10.0.0.10 ?

Re: Cisco ASA Syslog Message 302013 source IP

MHM Cisco World — Wed, 25 Jan 2023 16:57:18 GMT

Yes you are correct R1 is 10.0.0.10 and R2 is 20.0.0.20