https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444882#M267732 <P>Hi Jim, thanks for your reply.</P><P>Is there any command/utility like the "shun" command that can work on "live packets" which are been already permitted first by other ACL rule?</P><P>Re-ordering acl would be difficult because its a live circuit.</P><P>&nbsp;</P><P>Thanks again - Jami.</P> Thu, 10 Apr 2014 00:33:25 GMT mjami 2014-04-10T00:33:25Z https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444880#M267730 <P>I have got two Cisco ASA 5520 running with IOS version 8.4.</P><P>I am trying to get all the packet events for a given "specific source" IP address &gt; send to a syslog server. Syslog server has been configured and working fine for other ASA events.</P><P>I have created new ACL rule to log all events for that specific source IP address to syslog server - but noting showing on syslog logs because (??) of packets already permitted by other ACL rule sitting on the top.</P><P>I use the following ACL rule -</P><P>#access-list aclName extended permit ip host x.x.x.x any log debugging</P><P>ACL hitcount is zero but I am getting that "specific source IP" at ASDM live traffic monitoring.</P><P>Could anyone please shed some light on this?</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:02:49 GMT https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444880#M267730 mjami 2019-03-12T04:02:49Z https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444881#M267731 <P>You might need to re-order your access-list rules to put the "permit ... log" one much earlier.&nbsp; Remember that ASA's do first match; the first permit or deny rule which matches a packet controls its fate, regardless of any subsequent rules.</P><P>-- Jim Leinweber, WI State Lab of Hygiene</P> Wed, 09 Apr 2014 15:39:08 GMT https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444881#M267731 James Leinweber 2014-04-09T15:39:08Z https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444882#M267732 <P>Hi Jim, thanks for your reply.</P><P>Is there any command/utility like the "shun" command that can work on "live packets" which are been already permitted first by other ACL rule?</P><P>Re-ordering acl would be difficult because its a live circuit.</P><P>&nbsp;</P><P>Thanks again - Jami.</P> Thu, 10 Apr 2014 00:33:25 GMT https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444882#M267732 mjami 2014-04-10T00:33:25Z https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444883#M267733 <P>Reording the ACL will not affect other traffic.&nbsp; depending on if you use the ASDM or CLI:&nbsp; In the ASDM select the rule you want to place higher and then use the arrow buttons toward the top left of the page to move it up, then click apply.</P><P>in CLI, remove the ACL entry and then re enter it but this time issue the sequence number where you want to place it.</P><P><STRONG>access-list aclName line 5 extended permit ip host x.x.x.x any log debugging</STRONG></P><P>the above ACL will "squeeze" the ACL in to position 5 in the ACL order.&nbsp; All lower ACLs will be reordered automatically.</P><P>--</P><P>Please remember to rate and select a correct answer</P> Thu, 10 Apr 2014 08:43:46 GMT https://community.cisco.com/t5/network-security/cisco-asa-acl-logging-based-on-source-ip-not-working/m-p/2444883#M267733 Marius Gunnerud 2014-04-10T08:43:46Z