ASA 8.4 ASDM 6.4 objects / names in log

Erik Ingeberg
Level 1

Hello,

In ASA 8.2 and earlier, when an object was created in ASDM, a line with the "name" command and the corresponding IP was entered in the configuration. This made it possible to filter for the object in the real-time log by name instead of IP.

Now, with the new objects in ASA 8.3 - 8.4, creating an object in ASDM does not enter the "name" command in ASDM, and consequently the object is seen in the real-time log with IP only.

I know it is possible to manually enter the name command in CLI, but this is a bit cumbersome. Has anyone found a way of getting objects created in ASDM displayed by name in the real-time log?

3 Replies

Kureli Sankar
Cisco Employee

You can use ASDM to create an object for each of the IP addresses fairly quickly/easily.

(1) Icons: Singleton Objects have a blue terminal icon, whereas ASDM
address objects have a green terminal icon with the letters "IP" to
indicate that they only have an IP address (no name). A blue icon of 2
terminals indicates an ASDM group address object.

(2) Singleton Objects can only be used in NAT rules and access rules.
As in CSCtg75448, Public Server is actually a representation of a
Singleton Object with NAT enabled and an access rule, therefore it should
show the Singleton Object names, not the name CLI.

(3) During migration, only name CLI that were used in NAT rules are
converted to the Singleton Object, and if that same name was also used in
the access rule, the access rule will use the Singleton Object. All
other name CLI are not converted to the Singleton Object and are ASDM
address objects, which have no name.

Here is a workaround:
In the Address panel, select the ASDM address object; there is an option
where you can enter a name. After the name is entered, a new
Singleton object will be created with that name. Notice the ASDM
address object is not deleted or replaced because there is a possibility
that it is still being referenced in other modules besides NAT and
access rule.

(4) In the access rule, you can use either singleton object or ASDM
address object or group.

Filed a few defects:
CSCti38856 ASDM: Elements in the network object group are not converted to nw obj
CSCti38852 ASDM: Filter may not work in the ACL panel under IPV4 Network Object add
CSCti38860 ASDM: ENH - All names need to be converted to object network

CSCtg75448    ASDM public server names lost in upgrade from 8.x to 8.3


You can read more about this here:

Long story short:

1. If you need to see names show up in logs, then enable the names command.

2. If you also want to see these names in CLI show up with names and not IP address in ASDM then, you need to create singleton objects for each IP address from ASDM address panel.

The takeaway is that, if the object is not used in NAT rule, logs will not show the object names, only IP address (if names is not enabled in CLI).

-Kureli


Erik Ingeberg
Level 1

Thanks for your reply Kureli. The problem here is for customers that are used to filtering the real-time logs using names.

In 8.3 and later, objects created in ASDM will show up as IP addresses in the logs, even if the object has been given a name. The reason for this is that ASDM does not send the "name" command to the ASA. The only workaround for this is to enter the name in CLI for each ASDM created object.

I understand that names created in 8.2 and earlier will still show up as names in the logs, but the problem is for new objects created after upgrade to 8.3 and later.

From a customer's point of view, this changes the way they can use ASDM; they need to use CLI as well.

I made a TAC case regarding this, and an enhancement request bug was created: CSCtu19014.

fguillot
Level 1

Hi,

Just add the following command to get back your mapping:

ASA(config)# names

Hope this helps

Regards,

/Fabien
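
Added example, not part of any post in this thread and not Cisco code: a Python script that automates the manual CLI workaround discussed above by turning host-type `object network` stanzas from a saved running-config into `names` / `name` lines to review before entering them on the ASA. The sample config, the function name `names_from_objects` and the conservative name-character rule are assumptions.

```python
import ipaddress
import re

# Constructed sample of an ASA 8.3+ running-config (not taken from the thread).
SAMPLE_CONFIG = """\
object network web-server
 host 192.0.2.10
 description DMZ web server
object network inside-net
 subnet 10.1.0.0 255.255.0.0
object network mail.server
 host 192.0.2.25
object network web-server-alias
 host 192.0.2.10
"""

# Assumption: conservative character set for "name"; adjust to your ASA release.
NAME_OK = re.compile(r"^[A-Za-z0-9_-]{1,63}$")

def names_from_objects(config):
    """Return (commands, skipped) for host-type 'object network' stanzas."""
    commands, skipped, seen, current = ["names"], [], {}, None
    for line in config.splitlines():
        obj = re.match(r"^object network (\S+)\s*$", line)
        if obj:
            current = obj.group(1)
            continue
        host = re.match(r"^\s+host (\S+)\s*$", line)
        if not line[:1].isspace():
            current = None  # left the object stanza
        if not (host and current):
            continue  # subnet/range/description lines have no single IP to name
        try:
            ip = str(ipaddress.IPv4Address(host.group(1)))
        except ValueError:
            skipped.append((current, "not an IPv4 host"))
            continue
        if not NAME_OK.match(current):
            skipped.append((current, "characters outside the assumed name rule"))
        elif ip in seen:
            # One IP maps to one name in the log, so the first object wins.
            skipped.append((current, f"{ip} already named {seen[ip]}"))
        else:
            seen[ip] = current
            commands.append(f"name {ip} {current}")
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = names_from_objects(SAMPLE_CONFIG)
    print("\n".join(cmds))
    print("\n".join(f"! skipped {obj}: {why}" for obj, why in skipped))
```

Skipped objects are printed as `!` comment lines so the output can be reviewed as a whole before anything is entered in configuration mode.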
