topic Re: ASA Email logging issue in Network Security

ASA Email logging issue

d3mb0y555 — Mon, 11 Mar 2019 16:50:19 GMT

I have an ASA 5520 that I am trying to configure to send email alerts to my exchange account. I have all the proper information and I 've configured what I think to be the necessary parts but I still do not receive emails from the firewall. Any help?

logging enable
logging timestamp
logging standby
logging list LOGGING level informational
logging console emergencies
logging monitor critical
logging buffered informational
logging trap critical
logging history errors
logging asdm warnings
logging mail errors
logging from-address x.x.x@x.x.x.x
logging recipient-address x.x.x@x.x.x.x level errors
logging facility 23
logging queue 1000
logging host inside CISCOWKS
logging host inside x.x.x.x
logging host inside x.x.x.x
logging host inside x.x.x.x
logging debug-trace
no logging message 106015
no logging message 106011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016

smtp-server x.x.x.x

Re: ASA Email logging issue

Federico Coto Fajardo — Fri, 18 Dec 2009 22:58:54 GMT

Hi,

Are you getting logs on the syslog servers configured?

Is just the e-mail alert that is not getting to your e-mail account?

If so, are the from & recipient e-mail addresses sending and receiving any e-mail (properly configured)?

Cheers,

Federico.

Re: ASA Email logging issue

d3mb0y555 — Sat, 19 Dec 2009 00:59:49 GMT

The send and receive email addresses are properly configured. The sysl

og server, however, I can not confirm at the moment if it is receiving syslog messages.

But right now my email account is not receiving logs.

Re: ASA Email logging issue

Kureli Sankar — Sat, 19 Dec 2009 01:25:39 GMT

Could you try this pls.

conf t

loggin message 111008 level 3

exit

write mem

Now, see if you receive the message via e-mail. You are only logging error level to mail and there may not be many that are generated.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/l2.html#wp1751895

hostname(config)# logging mail critical

hostname(config)# logging from-address ciscosecurityappliance@example.com

hostname(config)# logging recipient-address admin@example.com

hostname(config)# smtp-server pri-smtp-host sec-smtp-host

-KS

Re: ASA Email logging issue

d3mb0y555 — Sat, 19 Dec 2009 01:52:30 GMT

KS,

I tried that but to no avail. Here's the current config now.

logging recipient-address admin@example.com level informational
logging recipient-address admin@example.com level errors
logging recipient-address admin@example.com level errors
logging facility 23
logging queue 1000
logging host inside CISCOWKS
logging host inside x.x.x.x
logging host inside x.x.x.x
logging host inside x.x.x.x
logging debug-trace
no logging message 106015
no logging message 106011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 302016
logging message 111008 level errors

Re: ASA Email logging issue

Kureli Sankar — Sat, 19 Dec 2009 01:57:58 GMT

Now your logging mail shows critical. It showed errors before.

change it to errors pls.

conf t

loggin mail errors

Issue a wri mem and see if it sends you the 111009 syslog via e-mail.

-KS

Re: ASA Email logging issue

d3mb0y555 — Sat, 19 Dec 2009 02:26:32 GMT

KS,

I just made that change but still no email. Any other suggestions?

Arshad

Re: ASA Email logging issue

Federico Coto Fajardo — Sat, 19 Dec 2009 03:27:00 GMT

Is the e-mail server accessible from the ASA itself?

Are the e-mail getting to the e-mail server and just not getting to your e-mail account?

You can try a capture to see if the ASA is sending e-mails to the server:

access-list 101 permit ip host IP_of_the_ASA host IP_of_the_e-mail_server
access-list 101 permit ip host IP_of_the_e-mail_server host IP_of_the_ASA

capture E-MAIL access-list 101 packet-length 1512 interface (name_of_the_interface_used_to_reach_the_mail_server)

show capture E-MAIL

This will show us if the ASA is indeed sending packets to the e-mail server, and what kind of packets, and if there's a failure....

Federico.

Re: ASA Email logging issue

Kureli Sankar — Mon, 21 Dec 2009 13:56:55 GMT

I hope the firewall has connectivity to the e-mail server. Make sure to ping it using its IP address that you configured in the smtp-server line.

Besides that we just have to do captures like Federico says.

If you are running 7.2.4 and above you can simplify the capture command as following without any ACL.

cap capin int inside match tcp host 10.10.10.1 any eq 25

where 10.10.10.1 is the IP address of the inside interface. I am assuming the e-mail server is on the inside.

-KS

Re: ASA Email logging issue

d3mb0y555 — Mon, 21 Dec 2009 18:36:02 GMT

I ran the capture and I can see bi-directional communication between the firewall

and the email server. I've attached the some of the capture traffic.

Re: ASA Email logging issue

Kureli Sankar — Mon, 21 Dec 2009 18:50:04 GMT

Ok. You are correct I do see bi-directional traffic. That rules the firewall out.

Check the e-mail server logs, even viewer, smtp-server logs and see if shows any indication of receiving rejecting these e-mails.

Wireshark capture on the server to see what it is doing with the packets that it receives.

-KS

Re: ASA Email logging issue

d3mb0y555 — Mon, 21 Dec 2009 21:04:32 GMT

My exchange administrator checked the server and saw the messages being block by the spam filter. He adjusted the filter and now I'm receiving alerts from the ASA. Thanks alot guys for all the help.

Arshad