
ASA 5505 isn't logging permitted packets

Andriy Sidko
Level 1

Hi guys.

 

History: 

I got a notification from the IT security team that one computer in subnet 10.244.244.0/26 has malware on it (it's opening multiple connections to 192.42.119.41, detected by the IPS as malware). I need to find out that computer's private IP.

 

Subnet 10.244.244.0/26 is PATed to public IP x.x.x.x

Firewall logging looks like:

logging enable
logging buffer-size 1048576
logging monitor notifications
logging buffered notifications
logging trap notifications
logging history notifications
logging from-address di@di.di
logging recipient-address netops@ar.ar level emergencies
logging facility 18
logging queue 0

logging device-id ipaddress inside
logging host inside 172.16.63.145
logging message 304001 level informational

 

The access-list named data_access_in is assigned to the interface where the IPs from subnet 10.244.244.0/26 are.

 

I added a very first ACE permitting any connections from 10.244.244.0/26 to 192.42.119.41:80/tcp

 

access-list data_access_in  line 1 extended permit tcp object data-network host 192.42.119.41 eq www log debugging

 

Whenever I run a test with packet-tracer:

 

TDI04-DI0-FW01(config)# packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www det

 

ACE hits increased (red below):

 

TDI04-DI0-FW01(config)# sh access-list data_access_in | i 192.42.119.41
access-list data_access_in line 1 extended permit tcp object data-network host 192.42.119.41 eq www log debugging interval 300 (hitcnt=2) 0xfd11a8a6
access-list data_access_in line 1 extended permit tcp 10.244.244.0 255.255.255.192 host 192.42.119.41 eq www log debugging interval 300 (hitcnt=2) 0xfd11a8a6
TDI04-DI0-FW01(config)#

 

but I don't see the packet registered by syslog @ 172.16.63.145 (green above).

Syslog contains only this:

 

Sep 28 09:54:52 10.4.4.3 10.4.4.3 %ASA-5-111008: User 'as-admin' executed the 'packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www detailed' command.
Sep 28 09:54:52 10.4.4.3 10.4.4.3 %ASA-5-111010: User 'as-admin', running 'CLI' from IP snoopy, executed 'packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www detailed'

 

Could you help me out?

Thank you.

1 Accepted Solution

Accepted Solutions

Joel
Level 1

Change logging level on the ACL to informational and same with logging trap

i.e.

 

access-list data_access_in  line 1 extended permit tcp object data-network host 192.42.119.41 eq www log debugging

 

to

 

access-list data_access_in  line 1 extended permit tcp object data-network host 192.42.119.41 eq www log informational

 

Also

logging trap x.x.x.x informational

 

Here's the log level description:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_syslog.html

 

Joel


2 Replies


Thank you Joel.

The commands below did the trick:

 

no access-list data_access_in extended permit tcp object data-network host 192.42.119.41 eq www log debugging

access-list data_access_in lin 1 extended permit tcp object data-network host 192.42.119.41 eq www log info

no logging trap notifications

logging trap informational

 

I see logs now:

 

Sep 28 11:10:37 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.30(4455) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
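As an added example (not part of this thread, and not Cisco code), the script below models the two things the thread turns on: the ASA only forwards a syslog message to a `logging trap` server when the message's severity number is less than or equal to the trap level, and once the 106100 lines arrive, the infected host is whoever shows up most often as the source talking to 192.42.119.41. The first sample line is the one Andriy posted; the remaining 106100 lines and the host 10.244.244.17 are constructed for the example, and the 111008 line is the one from the original question, included so the parser has a non-106100 message to skip.

```python
import re
from collections import Counter

# ASA syslog severity levels as named in "logging trap <level>" and in the
# ACE "log <level>" keyword. 0 is the most severe, 7 the least.
ASA_SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Every ASA syslog line carries a "%ASA-<severity>-<message id>:" tag.
_TAG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):")

# Body of message 106100 (access-list permitted/denied), e.g.
# access-list data_access_in permitted tcp data/10.244.244.30(4455) -> inside/192.42.119.41(80) hit-cnt 1 ...
_106100_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample: line 1 and the 111008 line come from the thread; the
# 10.244.244.17 lines are made up to give the hunt something to find.
SAMPLE_SYSLOG = """\
Sep 28 11:10:37 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.30(4455) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 11:10:41 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.17(51022) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 11:10:42 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.17(51023) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 11:10:45 10.4.4.3 10.4.4.3 %ASA-6-106100: access-list data_access_in permitted tcp data/10.244.244.17(51024) -> inside/192.42.119.41(80) hit-cnt 1 first hit [0xfd11a8a6, 0x0]
Sep 28 09:54:52 10.4.4.3 10.4.4.3 %ASA-5-111008: User 'as-admin' executed the 'packet-tracer input data tcp 10.244.244.30 4455 192.42.119.41 www detailed' command.
"""


def message_severity(line):
    """Return (severity number, message id) from the %ASA tag, or None."""
    m = _TAG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid")


def passes_trap_filter(line, trap_level):
    """Would the ASA forward this line to a server set with 'logging trap <trap_level>'?
    Only messages whose severity number is <= the trap level are sent."""
    parsed = message_severity(line)
    return parsed is not None and parsed[0] <= ASA_SEVERITY[trap_level]


def ace_hit_forwarded(ace_log_level, trap_level):
    """An ACE with 'log <ace_log_level>' emits 106100 at that severity; this says
    whether it survives the trap filter. Explains the thread: 'log debugging' (7)
    is dropped by 'logging trap notifications' (5)."""
    return ASA_SEVERITY[ace_log_level] <= ASA_SEVERITY[trap_level]


def parse_106100(line):
    """Parse a 106100 line into a dict of fields, or return None for other messages."""
    parsed = message_severity(line)
    if parsed is None or parsed[1] != "106100":
        return None
    m = _106100_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dst_port", "hits"):
        fields[key] = int(fields[key])
    return fields


def find_hosts_talking_to(lines, dst_ip):
    """Count, per inside source IP, the permitted 106100 hits towards dst_ip.
    The most frequent source is the candidate infected host."""
    hosts = Counter()
    for line in lines:
        f = parse_106100(line)
        if f and f["action"] == "permitted" and f["dst_ip"] == dst_ip:
            hosts[f["src_ip"]] += f["hits"]
    return hosts


if __name__ == "__main__":
    print("log debugging vs trap notifications forwarded:",
          ace_hit_forwarded("debugging", "notifications"))
    print("log informational vs trap informational forwarded:",
          ace_hit_forwarded("informational", "informational"))
    hosts = find_hosts_talking_to(SAMPLE_SYSLOG.splitlines(), "192.42.119.41")
    print("hits per inside host:", dict(hosts))
    print("most likely infected host:", hosts.most_common(1)[0][0])
```

The same severity comparison explains why the original trap level of notifications hid the ACE hits even though `hitcnt` kept climbing: the ACE was matching, the message was generated at level 7, and the trap filter discarded it before it reached 172.16.63.145. With the 106100 lines flowing, counting permitted hits per source address turns the question "which host is it?" into a one-liner over the syslog file.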
