12-19-2011 12:58 PM - edited 03-11-2019 03:03 PM
Hello -
I have worked with PIX/ASA in the past, but where I work now, they migrated from a Checkpoint firewall. One thing that the Checkpoint did very well was log both permits and denies. I am trying to replicate this with the ASA and a syslog server (Kiwi Syslog) and am having problems.
I have a DNS rule that only allows our DNS servers to get to external DNS. When I do a NSLOOKUP and set the server to an external server (4.2.2.2), the lookup fails and I get the following:
2011-12-19 14:23:54 Local4.Info 10.1.0.213 Dec 19 2011 14:23:54 medela : %ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]
Before I go on, it would be nice to know that this is failing at INSIDE rule #7 (as that is the number that shows up on the ASDM).
....moving along....
If I add the IP address to the list of DNS servers, it works (as expected), but it doesn't show that in the syslog. According to the ASDM, I have the logging set to informational. The actual code in the ASA is:
access-list INSIDE-IN extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log
I am adding and removing myself from the MCHENRY-DNS-SERVERS object group.
What seems weird to me is I have this entry:
2011-12-19 14:32:49 Local4.Info 10.1.0.213 Dec 19 2011 14:32:49 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/67.202.194.149(53) hit-cnt 1 first hit [0xcf9aa9e5, 0x96f1d973]
10.1.1.44 is one of our internal DNS servers, so this entry makes sense.
I have multiple valid log entries like the one right above, but I can't seem to see the ones I generate.
The logging commands are:
logging enable
logging timestamp
logging buffer-size 500000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging from-address XXXXX
logging recipient-address XXXXXXX level errors
logging recipient-address XXXXXX level errors
logging device-id string medela
logging host INSIDE 10.1.1.92 17/1514
What am I missing here?
We are running 8.2(3) ASA code and 6.3(4) 53 ASDM code.
Thanks!
/alan
12-20-2011 04:59 AM
Hi Alan,
Looking at this syslog message
%ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]
Seems like there is an explicit ACE on the access-list INSIDE-IN which denied this outbound DNS traffic from host PC-alan.
Can you check this
show access-l | in 0xe09e77c3
Now as per you,
If you add this host PC-alan to the list of trusted DNS servers in the object-group "MCHENRY-DNS-SERVERS", the DNS traffic works fine but you don't see a syslog telling you that the traffic was permitted.
But at the same time you see a log for a different server being permitted by the access-l.
%ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/67.202.194.149(53) hit-cnt 1 first hit [0xcf9aa9e5, 0x96f1d973]
Looking at this
The first hex value corresponds to the object group; the second corresponds to the actual access rule.
So can you please show me the output of this
show access-l | in 0xcf9aa9e5
show access-l | in 0x96f1d973
Can you send me the output of
show access-l INSIDE-IN | in domain when you have that host added in that object-group and after you try nslookup from that host.
I'd like to see if that ACE has got any hit-cnts against it or not.
Puneet
12-20-2011 07:34 AM
Puneet -
I want to clarify that I expected the first "denied" since PC-alan was not in the object MCHENRY-DNS-SERVERS. That said, here is the first show access-l:
show access-l | in 0xe09e77c3
access-list INSIDE-IN line 26 extended deny ip any any log informational interval 300 (hitcnt=1407496) 0xe09e77c3
Line 26 is our deny all so that is good.
Before I did the second, I cleared the DNS cache to make sure it would do hits. The log entry is now:
2011-12-20 08:47:46 Local4.Info 10.1.0.213 Dec 20 2011 08:47:46 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/204.245.152.68(53) hit-cnt 12 300-second interval [0xcf9aa9e5, 0x96f1d973]
The two corresponding show access-lists are:
show access-l | i 0xcf9aa9e5
access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5
and
show access-l | i 0x96f1d973
access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2153394) 0x96f1d973
Before I go on, I have a separate question (sorry for the digression). Both of these refer to "line 8". Shouldn't they show "line 7" per the attached ASDM screenshot?
Here is the final show command:
show access-l INSIDE-IN | in domain
access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5
access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2155033) 0x96f1d973
access-list INSIDE-IN line 8 extended permit udp host 10.1.1.51 any eq domain log informational interval 300 (hitcnt=1063240) 0x5452a227
access-list INSIDE-IN line 8 extended permit udp host 10.1.1.32 any eq domain log informational interval 300 (hitcnt=447) 0x17ac19ab
access-list INSIDE-IN line 8 extended permit udp host 10.1.1.42 any eq domain log informational interval 300 (hitcnt=168) 0x598ed364
access-list INSIDE-IN line 8 extended permit udp host PC-gail any eq domain log informational interval 300 (hitcnt=0) 0xfc2104c5
access-list INSIDE-IN line 8 extended permit udp host PC-seth any eq domain log informational interval 300 (hitcnt=0) 0x5e736aae
access-list INSIDE-IN line 8 extended permit udp host PC-alan any eq domain log informational interval 300 (hitcnt=17) 0xeceb330a
I see on the last line the hits on my lookup. Now I look in the log file and I see:
2011-12-20 09:22:34 Local4.Info 10.1.0.213 Dec 20 2011 09:22:34 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/PC-alan(1503) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xcf9aa9e5, 0xeceb330a]
So now I see the entry in the log file. I don't know why I didn't see it earlier.
Since I want to know that I hit line 7 on INSIDE-IN, why is that showing line 8? And is there a way to get those line numbers over to my syslog, since that is how I would like to troubleshoot things (as crazy as that sounds)?
Thanks!
/alan
12-20-2011 08:01 AM
Unfortunately you cannot get those line numbers into the syslog.
However can you send me a screenshot of ASDM from line 1 to line 9.
And send me the output of show access-l INSIDE-IN?
Puneet
12-20-2011 09:43 AM
Puneet - Thank you for your quick reply
I found what is causing this. It appears that a remark or description is taking a line number:
access-list INSIDE-IN line 2 extended permit ip host 10.1.x.x host addx (hitcnt=6) 0xe0fe5d0a
access-list INSIDE-IN line 3 extended permit tcp host 10.1.x.x any range 6366 6416 (hitcnt=0) 0x3235c4cb
access-list INSIDE-IN line 4 remark Laughlin Constable developing between our erpdev server and our web server
access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 object-group eCommerce-Development-Web 0xf2f65af6
access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Echo-Mountain (hitcnt=0) 0x2b726d07
access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Laughlin-Constable (hitcnt=0) 0x4c7009c7
access-list INSIDE-IN line 6 extended permit tcp object-group TIME-CLOCKS-IPS host tcaddx object-group TIME-CLOCK-TCP 0xc76e898f
So if I take the time to add a description in the ASDM, it messes up the line number in the hit count.
Any idea on how to get around that short of not using the description?
Thanks!
/alan
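Correlating the two hash ids in a %ASA-6-106100 message with the line numbers from "show access-list", which is what Puneet's reply walks through and what the later posts end up doing by hand (including the observation that remark lines consume a line number, and that the deny-all line carries its hash as the first id with 0x0 as the second). This is an added Python example, not code from the thread or from Cisco; the syslog lines and show access-list output it parses are copied from the posts above as sample input, and the regexes are my own reading of those formats.

```python
import re

# Sample input: a 106100 message and "show access-list" lines copied from the thread above.
SYSLOG_LINE = ("%ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/PC-alan(1503) -> "
               "OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xcf9aa9e5, 0xeceb330a]")
SHOW_ACL = """\
access-list INSIDE-IN line 4 remark Laughlin Constable developing between our erpdev server and our web server
access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5
access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2155033) 0x96f1d973
access-list INSIDE-IN line 8 extended permit udp host PC-alan any eq domain log informational interval 300 (hitcnt=17) 0xeceb330a
access-list INSIDE-IN line 26 extended deny ip any any log informational interval 300 (hitcnt=1407496) 0xe09e77c3
"""

# Fields of the 106100 message as they appear in the thread (hit-cnt text between the count and the ids varies).
MSG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<group_id>0x[0-9a-f]+), (?P<ace_id>0x[0-9a-f]+)\]")
# One "show access-list" line: remark lines have no hash; object-group parent lines have no hitcnt.
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) (?P<kind>extended|remark) (?P<body>.*?)"
    r"(?: \(hitcnt=(?P<hitcnt>\d+)\))?(?: (?P<id>0x[0-9a-f]+))?$")

def parse_106100(line):
    """Return the message fields as a dict, or None if the line is not a 106100 message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "hits"):
        d[k] = int(d[k])
    return d

def index_acl(show_output):
    """Map each ACE hash id to its line number/text; collect remark lines separately,
    since the ASA numbers remarks too and they shift the line numbers that follow."""
    by_id, remarks = {}, []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m["kind"] == "remark":
            remarks.append((int(m["line"]), m["body"]))
        elif m and m["id"]:
            by_id[m["id"]] = {"line": int(m["line"]), "acl": m["acl"], "body": m["body"],
                              "hitcnt": int(m["hitcnt"]) if m["hitcnt"] else None}
    return by_id, remarks

def annotate(line, by_id):
    """Enrich a 106100 message with the line number of the ACE that produced it.
    The second id is the expanded entry; when it is 0x0 (no object-group expansion,
    as on the deny-all line in the thread) the first id is the ACE itself."""
    msg = parse_106100(line)
    if msg is None:
        return None
    ace = by_id.get(msg["ace_id"]) or by_id.get(msg["group_id"])
    msg["acl_line"] = ace["line"] if ace else None
    msg["ace_text"] = ace["body"] if ace else None
    return msg
```

Feeding the output of "show access-list" into index_acl() once and then running each 106100 line through annotate() gives the line-number view the thread asks for on the syslog side, without the ASA having to emit it.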