topic Find TCP Connection destination in Network Security

Find TCP Connection destination

mcmurphytoo — Tue, 12 Mar 2019 03:29:55 GMT

I recently updated ASA 5510 from V8.0 to V9.1. In 8.0 I had elevated the severity of event 302013 so ASA sent it to syslog. It gave me inside and outside IP addresses of every TCP connection. When the IPS called, said an inside user was infected and trying to send to an evil web server, but IPS knew only ASA's outside address, I used the syslog to track down the offending inside address by its logged TCP connection. On V9.1 I'm seeing event 305011 building a TCP connection, but I see only the port, not the IP address of the destination. Will anything in V9.1 log for me both the inside and outside addresses of every connection?

Find TCP Connection destination

Jouni Forss — Tue, 14 Jan 2014 23:09:25 GMT

Hi,

All the basic syslog IDs should be there still no matter which software level you are using.

The Syslog ID 305011 seems to be a message for when a translation is built for the actual connection on the ASA. So it doesnt give the information about the actual connection specifically.

On its basic setting it should be able to get the connection Built/Teardown messages to show with the Informational (level 6) logging level or otherwise manipulating the logging levels.

Are you sure that the Syslog ID has not been disabled for some reason by someone?

Does your logging configuration output of "show run logging" indicate that any Syslog ID would have been disabled or any Syslog IDs level would have been changed to something else than its supposed to be?

- Jouni

Find TCP Connection destination

mcmurphytoo — Wed, 15 Jan 2014 14:17:17 GMT

The ASDM syslog info showed ID 302013 still set to Errors, not disabled. But a sho run log showed:

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

logging message 713120 level errors

logging message 722022 level errors

logging message 722023 level errors

logging message 713050 level errors

logging message 302013 level errors

I must guess the 8.0-to-9.1 updater guys did a command line disable that the ASDM somehow did not pick up.

So I did a command-line "logging message 302013" and now i see them again syslogged. I know it's lots of logging, but it's critically important when I get those calls from the IPS monitors that something is happening inside my network and trying to get out. Thanks.

Find TCP Connection destination

Jouni Forss — Wed, 15 Jan 2014 14:22:36 GMT

Hi,

Great to hear its working

Yeah its an important log that I also like to keep logged to our Syslog servers. Helps with a lot of troubleshooting situations especially in cases where the users report about the problem after its already passed. Usually get somekind of picture about a possible cause from the "Teardown" log messages for example.

Naturally it also helps with confirming if certain connections have been formed through the firewall as you mention.

- Jouni

Find TCP Connection destination

Jouni Forss — Wed, 15 Jan 2014 14:25:00 GMT

Also,

In situations such as yours I tend to always configure traffic capture on the ASA to capture this traffic and go through the capture every now and then in addition to monitoring the logs.

The ASA can hold a 33,5MB buffer of captured data in a single capture. Naturally if you dont capture the actual data contained in the packet you can get more traffic captured and see whats been happening.

If you need any example configurations/commands to take a capture directly on the ASA (and then later open it on your own computer with Wireshark) then let me know.

- Jouni