https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471811#M270038 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would suggest considering adding a <STRONG>"log"</STRONG> keyword to the <STRONG>"permit ip any any"</STRONG> rule you have and setting the logging level you want.</P><P></P><P>Here is the explanation of the <STRONG>"log"</STRONG> parameter at the end of <STRONG>"access-list"</STRONG> command</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp1610428table1609330" width="80%"><TBODY><TR align="left" valign="top"><TD><P> <STRONG>log</STRONG> </P></TD><TD><A name="wp1610525"></A><P> (Optional) Sets logging options when a <STRONG>ACE</STRONG> matches a packet for network access (an ACL applied with the <STRONG>access-group</STRONG> command). If you enter the <STRONG>log</STRONG> keyword without any arguments, you enable system log message 106100 at&nbsp; the default level (6) and for the default interval (300 seconds). If you&nbsp; do not enter the <STRONG>log</STRONG> keyword, then the default system log message 106023 is generated. </P></TD></TR></TBODY></TABLE><P></P><P>I guess you might have to play around with the<STRONG> "interval"</STRONG> value perhaps.</P><P></P><P>Source from Command Reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598407">http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598407</A></P><P></P><P>To my understanding if you have a <STRONG>"permit"</STRONG> line in the ACL then usually no log messages are generated at all for traffic/connections matching these rules. The <STRONG>"deny"</STRONG> rules however generate Notifications level messages.</P><P></P><P>Since using the<STRONG> "log"</STRONG> parameter at the end of this <STRONG>"permit ip any any"</STRONG> rule will generate Syslog messages with a specific Syslog ID mentioned above, you could only have this<STRONG> "log"</STRONG> enabled on that single ACL and single rule of that ACL and log messages to a Syslog server.</P><P></P><P>You could then later gather the information and filter/parse the mentioned Syslog ID messages from that log. You could then further parse that log for the things that need to stay open and require their own rules.</P><P></P><P>Naturally there is probably tools that would also handle this but I havent had the change to work with any <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/sad.gif"></SPAN></P><P></P><P>I am wondering if any of the allowed traffic is outbound to Internet? I'd imagine this might cause problems to go through. Then again this kind of traffic could be allowed perhaps <STRONG>"permit tcp any any eq <PORT required="">"</PORT></STRONG> to allow the basic services outbound.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 07 Feb 2014 20:07:36 GMT Jouni Forss 2014-02-07T20:07:36Z https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471810#M270036 <P>Hello everyone-</P><P></P><P>I have an ASA-5585-SSP-10 that I have subinterfaces and VLANs created on. I used this ASA to firewall the vlans downstream on our Catalyst 4k's. Most all of my interfaces have specific ACLs in for the necessary traffic and all is good. I have a couple interfaces that have an IP any-any in and I would like to remove the any-any, but do not want to do so immediately, as the ACL has thousands of hits. I have cleared the ACL hit counter, but would like to know how I determine what traffic (source, dest, etc) is hitting the any-any so I can build specific ACLs to match, and ultimately remove the any-any. I have reviewed the log for a specific any-any, but this has not turned out to be helpful. Can anyone give me some help?</P><P></P><P>Thank you-</P><P></P><P>Brian</P> Tue, 12 Mar 2019 03:42:33 GMT https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471810#M270036 arrayservices 2019-03-12T03:42:33Z https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471811#M270038 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would suggest considering adding a <STRONG>"log"</STRONG> keyword to the <STRONG>"permit ip any any"</STRONG> rule you have and setting the logging level you want.</P><P></P><P>Here is the explanation of the <STRONG>"log"</STRONG> parameter at the end of <STRONG>"access-list"</STRONG> command</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp1610428table1609330" width="80%"><TBODY><TR align="left" valign="top"><TD><P> <STRONG>log</STRONG> </P></TD><TD><A name="wp1610525"></A><P> (Optional) Sets logging options when a <STRONG>ACE</STRONG> matches a packet for network access (an ACL applied with the <STRONG>access-group</STRONG> command). If you enter the <STRONG>log</STRONG> keyword without any arguments, you enable system log message 106100 at&nbsp; the default level (6) and for the default interval (300 seconds). If you&nbsp; do not enter the <STRONG>log</STRONG> keyword, then the default system log message 106023 is generated. </P></TD></TR></TBODY></TABLE><P></P><P>I guess you might have to play around with the<STRONG> "interval"</STRONG> value perhaps.</P><P></P><P>Source from Command Reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598407">http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598407</A></P><P></P><P>To my understanding if you have a <STRONG>"permit"</STRONG> line in the ACL then usually no log messages are generated at all for traffic/connections matching these rules. The <STRONG>"deny"</STRONG> rules however generate Notifications level messages.</P><P></P><P>Since using the<STRONG> "log"</STRONG> parameter at the end of this <STRONG>"permit ip any any"</STRONG> rule will generate Syslog messages with a specific Syslog ID mentioned above, you could only have this<STRONG> "log"</STRONG> enabled on that single ACL and single rule of that ACL and log messages to a Syslog server.</P><P></P><P>You could then later gather the information and filter/parse the mentioned Syslog ID messages from that log. You could then further parse that log for the things that need to stay open and require their own rules.</P><P></P><P>Naturally there is probably tools that would also handle this but I havent had the change to work with any <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/sad.gif"></SPAN></P><P></P><P>I am wondering if any of the allowed traffic is outbound to Internet? I'd imagine this might cause problems to go through. Then again this kind of traffic could be allowed perhaps <STRONG>"permit tcp any any eq <PORT required="">"</PORT></STRONG> to allow the basic services outbound.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 07 Feb 2014 20:07:36 GMT https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471811#M270038 Jouni Forss 2014-02-07T20:07:36Z https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471812#M270042 <HTML><HEAD></HEAD><BODY><P>Jouni-</P><P></P><P>How would you recommend I allow Intenet access outbound using ACLs in the ASA, without the any-any. We do not proxy to our web filter appliance, we have a Juniper firewall (external) which redirects 80 and 443 traffic to the web filter, it then send Internet traffic out.</P><P></P><P>Brian</P></BODY></HTML> Fri, 07 Feb 2014 22:32:48 GMT https://community.cisco.com/t5/network-security/asa-acl-questions/m-p/2471812#M270042 arrayservices 2014-02-07T22:32:48Z