ASA is logging return traffic not only the traffic that was logged

mishadib (Level 1)

Hi, 

On an FPR running in ASA mode, I have logged an ACE for traffic leaving this interface (incoming from the ASA context). The logs are being sent to Elastic. When I look for the logs I see some strange results. This is my ACE:

access-list acl_A extended permit ip object-group grp-B 10.0.0.0 255.0.0.0 log warnings

and how it is associated:

access-group acl_A in interface C

So normally I should only see in Elastic logs from traffic coming from interface C with well-known destination ports and dynamic source ports.

What I see is also some traffic originating from well-known ports to dynamic destination ports. To me this seems like return traffic resulting from stateful inspection. Why is this being logged?
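An added example, not code from the original post: the check below parses the %ASA-4-106100 messages that an ACE with `log` emits (the ACL name acl_A and the interface names C and inside are taken from the thread; the addresses, ports and hash codes in the sample lines are constructed), tallies each hit by whether its port pattern looks like client-to-server or server-to-client, and flags any hit whose source interface is not the interface the ACL is applied inbound on. The "ports below 1024 are well-known" rule is an assumption used only as a heuristic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not from the poster's Elastic index) in the
# %ASA-4-106100 format produced by an ACE configured with "log warnings".
# The fourth line is deliberately built with ingress "inside" so the
# unexpected-ingress check below has something to report.
SAMPLE_LOGS = [
    "%ASA-4-106100: access-list acl_A permitted tcp C/10.20.30.40(51234) -> inside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-4-106100: access-list acl_A permitted udp C/10.20.30.40(53) -> inside/10.0.0.9(40111) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
    "%ASA-4-106100: access-list acl_A permitted tcp C/10.20.30.41(60001) -> inside/10.0.0.7(22) hit-cnt 3 300-second interval [0x9c0d1e2f, 0x0]",
    "%ASA-4-106100: access-list acl_A permitted tcp inside/10.0.0.7(445) -> C/10.20.30.41(55123) hit-cnt 1 first hit [0xdeadbeef, 0x0]",
]

# access-list <acl> <action> <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt <n> ...
ACE_HIT_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+)"
)


@dataclass
class AceHit:
    acl: str
    action: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    hits: int


def parse_106100(line: str) -> Optional[AceHit]:
    """Return the parsed ACE hit, or None if the line is not a 106100 message."""
    m = ACE_HIT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return AceHit(g["acl"], g["action"], g["proto"],
                  g["src_if"], g["src_ip"], int(g["src_port"]),
                  g["dst_if"], g["dst_ip"], int(g["dst_port"]), int(g["hits"]))


# Assumption (heuristic only): ports 0-1023 are well-known service ports,
# anything above is treated as a dynamic/ephemeral client port.
WELL_KNOWN_MAX = 1023


def classify_direction(hit: AceHit) -> str:
    """Label a hit by its port pattern: dynamic source to well-known destination
    is 'client->server'; well-known source to dynamic destination is
    'server->client'; anything else is 'ambiguous'."""
    src_dyn = hit.src_port > WELL_KNOWN_MAX
    dst_dyn = hit.dst_port > WELL_KNOWN_MAX
    if src_dyn and not dst_dyn:
        return "client->server"
    if dst_dyn and not src_dyn:
        return "server->client"
    return "ambiguous"


def audit(lines: List[str], acl: str, ingress_if: str) -> dict:
    """Count hits of ACL `acl` by direction and collect any hit whose source
    interface is not `ingress_if`, which an ACL applied with
    'access-group <acl> in interface <ingress_if>' is not expected to produce."""
    directions: Counter = Counter()
    unexpected_ingress: List[AceHit] = []
    unparsed = 0
    for line in lines:
        hit = parse_106100(line)
        if hit is None:
            unparsed += 1
            continue
        if hit.acl != acl:
            continue
        directions[classify_direction(hit)] += 1
        if hit.src_if != ingress_if:
            unexpected_ingress.append(hit)
    return {"directions": dict(directions),
            "unexpected_ingress": unexpected_ingress,
            "unparsed": unparsed}


if __name__ == "__main__":
    result = audit(SAMPLE_LOGS, "acl_A", "C")
    print("hits by direction:", result["directions"])
    for h in result["unexpected_ingress"]:
        print(f"ingress {h.src_if} != C: {h.src_ip}:{h.src_port} -> {h.dst_ip}:{h.dst_port}")
```

Run it against lines exported from Elastic instead of SAMPLE_LOGS; a non-empty unexpected_ingress list means the hits are not coming through the interface the ACL is bound to, while a large 'server->client' count with the expected ingress interface shows that the logged flows really were initiated from a well-known source port on that side.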

6 Replies

"So normally I should only see in Elastic logs from traffic coming from interface C with well-known destination ports and dynamic source ports."

I don't get this; the ACL is applied inbound, so traffic coming into interface C and hitting the ACL will generate a log.

MHM

mishadib (Level 1)

Isn't it the other way around? What am I getting wrong? The ACL should be from the ASA's point of view, right?

[screenshot: mishadib_0-1732782571629.png]

PS: All my traffic originates from the devices on interface C.

DeviceA -> ASA (interface C)

The ACL you showed will filter traffic coming from DeviceA to the ASA (interface C).

MHM

Sorry, maybe I didn't understand something, or I didn't express myself well, or I am stupid.
This is what I have:

[screenshot: mishadib_0-1732790960147.png]

Traffic would flow like this:
Let's take ACL_A: this ACL would filter traffic coming from Dev A and going to either the inside, B or C interfaces.
Am I correct?

You shared the access-group; can I see the ACL?

Also, do insideA/B/C have the same security level?

MHM

ACL_A has something like this:

access-list acl_A extended permit ip object-group DEV A 10.0.0.0 255.0.0.0 log warnings

Interfaces A, B and C have security level 0;
inside has 100.
