topic Inconsistent ACL hits seen in syslog in Network Security

Inconsistent ACL hits seen in syslog

Nasos Ergot — Fri, 21 Feb 2020 16:15:49 GMT

Hi,

Any idea why traffic destined to port 443 might be bypassing an ACL for that port and hitting an IP any/any ACL that's at the bottom of the list, at least according to syslog.

The ACLs:

access-list inside_access_in line 5 extended permit tcp 10.1.0.0 255.255.0.0 any4 object-group DM_INLINE_TCP_6 (https & https) log disable (hitcnt=2951027) 0xb0c12c26


access-list inside_access_in line 24 extended permit ip any4 any4 log informational interval 300 (hitcnt=295888) 0x2bc0c8ca

What i see in syslog:

12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.2.91(52106) -> outside-WAN/52.114.76.35(443) hit-cnt 1 first hit [0xb0c12c26, 0x15b7e092]


12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.2.7(51150) -> outside-WAN/216.58.206.46(443) hit-cnt 1 first hit [0x2bc0c8ca, 0x00000000]

How reliable is the information coming from syslog?

Re: Inconsistent ACL hits seen in syslog

Alex Pfeil — Thu, 20 Sep 2018 16:41:25 GMT

The second log showed udp.

12-09-2018 15:22:19 Local7.Info 10.1.1.232 %ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.2.7(51150) -> outside-WAN/216.58.206.46(443) hit-cnt 1 first hit [0x2bc0c8ca, 0x00000000]

Please rate helpful posts.

Re: Inconsistent ACL hits seen in syslog

Kykeonas — Fri, 21 Sep 2018 13:12:51 GMT

You are absolutely right.

Re: Inconsistent ACL hits seen in syslog

Nasos Ergot — Fri, 21 Sep 2018 13:18:52 GMT

Thanks.

I need glasses.