06-10-2011 10:45 AM - edited 03-11-2019 01:43 PM
Hello,
How do I know if someone has attempted to hack into my ASA from the outside? I understand the firewall drops the traffic if the rules don't apply, but I was wondering if there is a way of logging attempts on any ports on the ASA against the outside interface (so anyone from the internet) to our syslog server then I can generate reports and alerts from there.
We have a number of public IP addresses that the ASA NATs to various servers. Can these also be monitored?
What options do I have?
Many thanks in advance for your time spent looking at my issue.
06-10-2011 10:55 AM
Hi Andy,
Lots of options here:
First being, setting up a syslog server, you would need the following config for it.
logging host
logging trap 7
logging facility 20
Install a syslog server on a machine, like Kiwi Syslog Server.
Or
In the ASDM, go to the Access Rules; you would see a deny ACL right at the bottom. Whenever you see hit counts increasing on it, just right-click -> Show Log -> the ASDM real-time log viewer would pop up, and you can see real-time logs of the traffic being denied by the firewall.
These docs might help you:
http://www.cisco.com/en/US/customer/docs/security/asa/asa83/system/message/logsevp.html
and
Hope this helps.
Thanks,
Varun
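An added example, not part of the original posts: once the ASA is sending to the syslog server as described above, a small Python script can turn the denied-connection messages into a per-source report. It assumes the standard ASA message IDs 106023 (packet denied by an interface ACL) and 710003 (connection to the ASA itself denied); the interface name `outside`, the ACL name, the addresses and the `threshold` parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in ASA syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Jun 10 2011 10:50:01 asa : %ASA-4-106023: Deny tcp src outside:203.0.113.7/51514 dst inside:198.51.100.10/22 by access-group "outside_access_in" [0x0, 0x0]
Jun 10 2011 10:50:02 asa : %ASA-4-106023: Deny tcp src outside:203.0.113.7/51515 dst inside:198.51.100.10/23 by access-group "outside_access_in" [0x0, 0x0]
Jun 10 2011 10:50:03 asa : %ASA-4-106023: Deny tcp src outside:203.0.113.7/51516 dst inside:198.51.100.10/3389 by access-group "outside_access_in" [0x0, 0x0]
Jun 10 2011 10:50:04 asa : %ASA-3-710003: TCP access denied by ACL from 203.0.113.7/51600 to outside:198.51.100.1/22
Jun 10 2011 10:51:10 asa : %ASA-4-106023: Deny tcp src outside:203.0.113.99/40000 dst inside:198.51.100.10/80 by access-group "outside_access_in" [0x0, 0x0]
Jun 10 2011 10:52:00 asa : %ASA-4-106023: Deny udp src inside:10.0.0.5/5353 dst outside:224.0.0.251/5353 by access-group "inside_access_in" [0x0, 0x0]
Jun 10 2011 10:52:30 asa : %ASA-6-302013: Built inbound TCP connection 101 for outside:203.0.113.50/1234 (203.0.113.50/1234) to inside:198.51.100.10/443 (198.51.100.10/443)
"""

# 106023: traffic through the firewall denied by an ACL (ports absent for ICMP).
DENY_ACL = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) src (?P<ifc>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)?'
    r' dst [^:\s]+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?')
# 710003: TCP/UDP connection attempt to the ASA's own address denied.
TO_BOX = re.compile(
    r'%ASA-3-710003: (?P<proto>TCP|UDP) access denied by ACL from '
    r'(?P<src>[\d.]+)/\d+ to (?P<ifc>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)')

def parse_denies(text, interface="outside"):
    """Return (src, dst, proto, dport) for every deny seen on `interface`."""
    events = []
    for line in text.splitlines():
        m = DENY_ACL.search(line) or TO_BOX.search(line)
        if m and m.group("ifc") == interface:
            events.append((m.group("src"), m.group("dst"),
                           m.group("proto").lower(), m.group("dport")))
    return events

def report(events, threshold=3):
    """Sources with >= threshold denies: (src, deny_count, distinct_targets)."""
    counts = Counter(e[0] for e in events)
    targets = {}
    for src, dst, proto, dport in events:
        targets.setdefault(src, set()).add((dst, proto, dport))
    return [(src, n, len(targets[src]))
            for src, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for src, n, distinct in report(parse_denies(SAMPLE_LOG)):
        print(f"{src}: {n} denied attempts against {distinct} distinct targets")
```

A source with many distinct targets in a short window looks like a port scan, while many denies against a single port looks like repeated attempts at one service; both are reasonable alert conditions to build on the syslog server.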
06-10-2011 11:08 AM
I see an implicit deny at the bottom of my outside account list but it doesn't have a hit count next to it. Should it?
06-10-2011 11:18 AM
If this gets hit, then it would show a hit count.
Varun