https://community.cisco.com/t5/network-security/asa-log/m-p/1619757#M595282 <HTML><HEAD></HEAD><BODY><P>1. The level of logging is different for ASDM and buffer. That is why the logging outputs in ASDM and buffer (sho log) will not be the same. One will be a 'subset' of the other.</P><P></P><P>2. This would depend entirely on your requirement. E.g., if most traffic is through IPSec then more BW should be recseved for this traffic.</P><P></P><P>HTH</P><P>Paps</P></BODY></HTML> Wed, 05 Jan 2011 13:19:48 GMT padatta 2011-01-05T13:19:48Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619756#M595281 <P>Hi,</P><P></P><P>Few questions on ASA:</P><P></P><P>1. one of asa&nbsp; has logging enabled for warning &amp; information message.</P><P></P><P>&nbsp;&nbsp; logging enable</P><P>logging buffered warnings</P><P>logging asdm informational</P><P></P><P>when asdm logs are seen, it shows normal teardown etc. for traffic. but sh log gives lot of different logs, below is one of them:</P><P></P><P>&nbsp; %ASA-2-106001: Inbound TCP connection denied from 45.34.115.88/3160 to 202.88.179.15/445 flags SYN&nbsp; on interface outside</P><P></P><P>why are these logs appearing seperately &amp; is it the correct way of syslog configuration.</P><P></P><P>2. diagram is:</P><P></P><P>&nbsp; remote branch - internet - asa - 3845 router - local office</P><P></P><P>&nbsp;&nbsp; remote branch needs data from local office and vice-versa, this is done with ipsec, which is between remote branch &amp; router. plan is to do shift this frm router to asa. i.e remote branch to asa will have ipsec points &amp; users on both sides will use it for data.</P><P></P><P>on the router , we feel that ipsec is using large bandwidth from our internet ( 5M ),router to local office has 4M capacity. i know asa can be used for police function.</P><P>will it be&nbsp; a good solution if set bandwidth of 1M is put on asa for it.</P><P></P><P>Thanks in advance.</P> Mon, 11 Mar 2019 19:30:28 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619756#M595281 suthomas1 2019-03-11T19:30:28Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619757#M595282 <HTML><HEAD></HEAD><BODY><P>1. The level of logging is different for ASDM and buffer. That is why the logging outputs in ASDM and buffer (sho log) will not be the same. One will be a 'subset' of the other.</P><P></P><P>2. This would depend entirely on your requirement. E.g., if most traffic is through IPSec then more BW should be recseved for this traffic.</P><P></P><P>HTH</P><P>Paps</P></BODY></HTML> Wed, 05 Jan 2011 13:19:48 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619757#M595282 padatta 2011-01-05T13:19:48Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619758#M595283 <HTML><HEAD></HEAD><BODY><P>1. what should be the correct logging level for both to be same or so not to have 2 different log outputs &amp; only 1 common log.</P><P></P><P>2. oracle tcp traffic between 2 hosts on both sites will be major use on this ipsec. either can initiate the connection.</P><P></P><P></P><P>please help.</P><P>thanks</P></BODY></HTML> Wed, 05 Jan 2011 13:42:25 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619758#M595283 suthomas1 2011-01-05T13:42:25Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619759#M595285 <HTML><HEAD></HEAD><BODY><P>There is no correct way of logging. It is how much information you like to see which is entirely upto the requirement. These do not have to be the same.</P><P></P><P>We suggest not to send debug level logs to the console as it is at 9600 bps. As far as monitor, buffer, trap and asdm is concerned you can change it to any level.</P><P></P><P>When we troubleshoot from command line we usually crank up the buffer log to debug</P><P></P><P>conf t</P><P>logging on</P><P>logging buffered 7</P><P>exit</P><P></P><P>People also use ftp server to send the buffer-wrap to and also send certain messages or range of messages via e-mail.</P><P>Techically you can have</P><P>logging on</P><P>logging buffered 7</P><P>logging console 1</P><P>logging monitor 2</P><P>logging trap 6</P><P>logging host inside 1.1.1.1</P><P>logging asdm 5</P><P></P><P><SPAN>You can check the command ref. here: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754</A></P><P></P><P><SPAN>2. Yes you can configure policing and prioritizing. Pls. refer this QoS link: </SPAN><A href="https://community.cisco.com/docs/DOC-1230">https://supportforums.cisco.com/docs/DOC-1230</A></P><P>That has step by step instructions.</P><P></P><P>-KS</P></BODY></HTML> Wed, 05 Jan 2011 14:27:09 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619759#M595285 Kureli Sankar 2011-01-05T14:27:09Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619760#M595288 <HTML><HEAD></HEAD><BODY><P>Thanks KS. lastly, on the qos part, when policy is put on outside, does it police for both inbound &amp; outbound?</P><P> can i put an acl like; </P><P></P><P>&nbsp;&nbsp; acl oracle line 1 extended permit tcp host 192.168.100.2 host 192.168.200.5 eq 1445</P><P>&nbsp;&nbsp; acl oracle line 2 extended permit tcp host 192.168.200.5 host 192.168.100.2 eq 1445</P><P>and then apply this to class for limit on both ways traffic.</P><P></P><P>thanks.</P></BODY></HTML> Wed, 05 Jan 2011 15:02:00 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619760#M595288 suthomas1 2011-01-05T15:02:00Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619761#M595290 <HTML><HEAD></HEAD><BODY><P>No. ACL is just the interesting traffic that you want policed. Police input and/or police out should be used.</P><P></P><P><SPAN class="content"></SPAN></P><P class="pB1_Body1">The <STRONG class="cCN_CmdName">input </STRONG>keyword enables policing of traffic flowing in the input direction.</P><A name="wp1078093"></A><P class="pB1_Body1">The <STRONG class="cKeyword">output </STRONG>keyword enables policing of traffic flowing in the output direction.</P><P class="pB1_Body1"></P><P class="pB1_Body1"><SPAN>You can refer this link (step 3): </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1071334">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1071334</A></P><P class="pB1_Body1"></P><P class="pB1_Body1">-KS</P><P></P></BODY></HTML> Wed, 05 Jan 2011 15:13:36 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619761#M595290 Kureli Sankar 2011-01-05T15:13:36Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619762#M595292 <HTML><HEAD></HEAD><BODY><P>so if the traffic flows&nbsp; from remote site to locate site &amp; vice versa</P><P></P><P> ( remote branch - internet - asa - 3845 router - local office ) </P><P></P><P>it would be more proper to apply it outbound on outside of asa. please correct if otherwise.</P><P></P><P>thanks</P></BODY></HTML> Wed, 05 Jan 2011 15:34:10 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619762#M595292 suthomas1 2011-01-05T15:34:10Z https://community.cisco.com/t5/network-security/asa-log/m-p/1619763#M595293 <HTML><HEAD></HEAD><BODY><P>Correct. I agree.</P><P>Policy outside - would be appropriate.</P><P></P><P>-KS</P></BODY></HTML> Wed, 05 Jan 2011 15:38:54 GMT https://community.cisco.com/t5/network-security/asa-log/m-p/1619763#M595293 Kureli Sankar 2011-01-05T15:38:54Z