topic Re: Dechiper ASA ACL Hex ID in Syslog in Network Security

Dechiper ASA ACL Hex ID in Syslog

scottpickett — Fri, 21 Feb 2020 09:45:05 GMT

There is a hex id in ASA syslogs that corresponds to which ACL or ACE line generated the log entry. I know that ADSM uses it, but I want to know how to decipher it for use with other apps.

Anyone figure it out?

See examples below:

%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.1(1165) -> Inside_VLAN_248/SERVER1(80) hit-cnt 1 first hit [0xf2412831, 0xc45cf9c2]

%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.2(1503) -> Inside_VLAN_248/SERVER2(8008) hit-cnt 1 first hit [0x83e69c8, 0xee877a0]

Re: Dechiper ASA ACL Hex ID in Syslog

tstanik — Mon, 05 Nov 2007 18:07:58 GMT

In the syslog entry, there are two hashes. The first one points to the configured ACE which is the ACE that appears in the "show running-config" output. The second one points to the ACE that is expanded if the configured ACE uses object groups. It will be "0x0" if the ACE does not use object groups. But still it won't be possible to use this with some other application.

Re: Dechiper ASA ACL Hex ID in Syslog

scottpickett — Tue, 06 Nov 2007 05:51:16 GMT

What I mean by other apps is a log viewer and I would like to know which ACL or ACE put the entry in the log? There is no way to do this you think?

Re: Dechiper ASA ACL Hex ID in Syslog

scottpickett — Fri, 09 Nov 2007 17:18:14 GMT

I found out how to do it. Here it is:

So let's say a system administrator comes to me and says â€œI have a new server that needs to send print jobs to a print queue and it's not working. My old server is working though.â€

What I want to know is, â€œWhat is the rule that allows the old server to work?â€ so I can add the new server to that rule.

When I look through my syslog server for the â€œold serverâ€ which has the ip address of 10.10.30.101, I find this:

â€œ%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/10.10.30.101(4172) -> Outside_VLAN/192.168.69.61(9100) hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]â€

So now I know the ACL line with the hex id â€œ0xa00e0f20â€ is the line that allowed the packet through.

So I go to my firewall and run the command:

â€œshow access-list | include 0xa00e0f20â€

I get the following output:

â€œaccess-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20â€

I now know that IN_ACL line 2 permitted the traffic and I know that I need to add the new server to the PRINT_SERVERS object.

Alternatively, using the second hex id, you can find the actual ACE that permitted the traffic too:

FIREWALL#show access-list | include 0xb4d3bb50

access-list IN_ACL line 2 extended permit tcp host 10.10.30.101 192.168.69.0 255.255.255.0 eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50

With this method, you can have many ACL lines and still locate the exact line that is permitting or denying traffic.