When constructing a rule base we need to log 106100 messages to see which connections are required, but no 106100 message appears. Does anybody know the reason, or what I can do to enable logging of this message?
Message 106100 normally tells you about the denied/permitted translation/access.
In PIX/ASA, enable the syslog service and set the logging level to informational (notification will do as well):
The minimum config will be as follows:
ASA(config)# logging enable --> (in PIX, use 'logging on')
ASA(config)# logging buffer informational
You may enable timestamps as well to get the correct time/date of the events, or send them to an external syslog server.
Verify this using the 'sh log' command:
You may use an access-list (ACL) and apply it to the Inside interface to ensure all logs/events are recorded.
Since you're still at the starting level, create an ACL permitting any/all traffic. This is good for internal access to external/internet or any lower-security-level segment.
access-list inside permit tcp any any
access-list inside permit udp any any
access-group inside in interface inside --> bind to inside interface
Optionally, you can use 'ip' in place of the tcp/udp keyword and have one ACL line instead of two. But having separate TCP and UDP lines gives you a more accurate hit count on TCP and UDP traffic. There are no exact rules on this.
To check outside/internet access to your internal server(s): I am not sure if you already have an ACL permitting the incoming access, plus the static NAT for the internal server to public IP address mapping.
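The reply above sets up logging and a permit-all ACL so the 106100 messages can be collected; what a practitioner then wants is a way to turn those messages into the list of flows the rule base must permit. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the documented 106100 format (access-list name, permitted/denied/est-allowed, protocol, interface/address(port) pairs, hit-cnt and the "first hit" or "N-second interval" window), ignores every other message ID (for instance 106023, which the ASA emits for denies on ACEs without the log keyword, and 302013 connection-built messages), aggregates by flow while discarding the ephemeral source port, and suggests an ACE per flow. The syslog lines, hostnames, addresses and hash values in SAMPLE_LOG are constructed for illustration. Note that the ASA only generates 106100 for ACEs configured with the log keyword; without it, permitted packets produce no 106100 line for this parser to see.

```python
"""Aggregate Cisco ASA/PIX syslog message 106100 into candidate rule-base entries.

Added example for this thread (not code from the original poster, the replies,
or Cisco). The sample log lines below are constructed; only the message format
follows the Cisco syslog message guide:

  %ASA-6-106100: access-list acl_ID {permitted|denied|est-allowed} protocol
      src_if/src_addr(src_port) -> dst_if/dst_addr(dst_port)
      hit-cnt N ({first hit | N-second interval}) [0xhash, 0xhash]
"""
import re
from collections import defaultdict

MSG_106100 = re.compile(
    r"%(?:ASA|PIX|FWSM)-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<window>first hit|\d+-second interval)"
)

# Constructed sample: three 106100 lines from a permit-all inside ACL, one
# 106100 deny on an inbound ACL, plus two non-106100 messages that must be ignored.
SAMPLE_LOG = """\
Mar  2 10:01:01 fw-example %ASA-6-106100: access-list inside permitted tcp inside/10.129.1.20(51044) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x2b5ce8d4, 0x0]
Mar  2 10:01:02 fw-example %ASA-6-106100: access-list inside permitted tcp inside/10.129.1.20(51045) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x2b5ce8d4, 0x0]
Mar  2 10:01:03 fw-example %ASA-6-106100: access-list inside permitted udp inside/10.129.1.20(53211) -> outside/198.51.100.5(53) hit-cnt 4 300-second interval [0x7a1e0c90, 0x0]
Mar  2 10:01:04 fw-example %ASA-6-106100: access-list outside_in denied tcp outside/192.0.2.77(40000) -> inside/10.129.0.237(22) hit-cnt 1 first hit [0x11aa22bb, 0x0]
Mar  2 10:01:05 fw-example %ASA-4-106023: Deny tcp src outside:192.0.2.78/4444 dst inside:10.129.0.237/23 by access-group "outside_in" [0x0, 0x0]
Mar  2 10:01:06 fw-example %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.129.1.20/51044 (203.0.113.1/51044)
"""


def parse_106100(line):
    """Return the parsed fields of a 106100 message, or None for any other line."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["hits"] = int(fields["hits"])
    return fields


def flow_key(fields):
    """Identify a flow without the ephemeral source port, so repeated
    connections from the same client to the same service collapse into one entry."""
    return (fields["acl"], fields["action"], fields["proto"],
            fields["src_if"], fields["src"], fields["dst_if"], fields["dst"], fields["dport"])


def summarize(lines):
    """Map each observed flow to the summed hit-cnt across all 106100 lines.

    hit-cnt is summed rather than counted per line because the ASA rate-limits
    106100 into '<N>-second interval' messages that already carry a count."""
    flows = defaultdict(int)
    for line in lines:
        fields = parse_106100(line)
        if fields is not None:
            flows[flow_key(fields)] += fields["hits"]
    return dict(flows)


def suggest_ace(key):
    """Render one flow as an ASA extended ACE. For non-tcp/udp protocols the
    (port) field of 106100 carries type/code information, so no port is emitted."""
    acl, action, proto, _src_if, src, _dst_if, dst, dport = key
    verb = "permit" if action in ("permitted", "est-allowed") else "deny"
    port = f" eq {dport}" if proto in ("tcp", "udp") else ""
    return f"access-list {acl} extended {verb} {proto} host {src} host {dst}{port}"


if __name__ == "__main__":
    for key, hits in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{hits:6d}  {suggest_ace(key)}")
```

Run it against a file of syslog output captured from the buffer or an external syslog server instead of SAMPLE_LOG; the denied entries tell you which inbound attempts hit an ACL, and the permitted ones from a temporary permit-all ACL are the flows the final rule base has to cover.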
As you can clearly see from the following, the necessary configuration is done. The problem is that although I enabled logging at informational level, no 106100 log appears in ASDM. The question is what the reason may be.
FW-ROM-OUT# sh logg
Syslog logging: enabled
Timestamp logging: disabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: list access-list, 14914 messages logged
Trap logging: list permitler, facility 17, 176370 messages logged
Logging to inside 10.129.0.237
Logging to inside SYSLOG
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, class session sys, 90100 messages logged
Can you enable the log message for 106100?
pix(config)#logging message 106100
This link provides some useful tips:
We used the same kind of logging on FWSM before, so as far as configuration goes there is nothing missing. However, we had to upgrade our FWSM to see this log, since there was a bug for it. It seems a bug exists for ASA also, but I could not find one using the bug tool at cisco.com.
I couldn't find any either. Informational level should be fine, as 106100 (user-defined severity) by default appears at severity level 6.