01-05-2011 04:23 AM - edited 03-11-2019 12:30 PM
Hi,
A few questions on ASA:
1. One of our ASAs has logging enabled for warning & informational messages.
logging enable
logging buffered warnings
logging asdm informational
When the ASDM logs are viewed, they show normal teardowns etc. for traffic, but sh log gives a lot of different logs; below is one of them:
%ASA-2-106001: Inbound TCP connection denied from 45.34.115.88/3160 to 202.88.179.15/445 flags SYN on interface outside
Why are these logs appearing separately, and is this the correct way of configuring syslog?
2. The diagram is:
remote branch - internet - asa - 3845 router - local office
The remote branch needs data from the local office and vice versa; this is done with IPsec, which is between the remote branch & the router. The plan is to shift this from the router to the ASA, i.e. the remote branch and the ASA will be the IPsec endpoints & users on both sides will use it for data.
On the router, we feel that IPsec is using a large amount of bandwidth from our internet (5M); router to local office has 4M capacity. I know the ASA can be used for a police function.
Will it be a good solution if a set bandwidth of 1M is put on the ASA for it?
Thanks in advance.
01-05-2011 06:27 AM
There is no correct way of logging. It is how much information you would like to see, which is entirely up to the requirement. These do not have to be the same.
We suggest not sending debug-level logs to the console, as it is at 9600 bps. As far as monitor, buffer, trap and ASDM are concerned, you can change them to any level.
When we troubleshoot from the command line we usually crank up the buffer log to debug:
conf t
logging on
logging buffered 7
exit
People also use an FTP server to send the buffer wrap to, and also send certain messages or ranges of messages via e-mail.
Technically you can have:
logging on
logging buffered 7
logging console 1
logging monitor 2
logging trap 6
logging host inside 1.1.1.1
logging asdm 5
You can check the command ref. here: http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754
2. Yes, you can configure policing and prioritizing. Please refer to this QoS link: https://supportforums.cisco.com/docs/DOC-1230
That has step by step instructions.
-KS
01-05-2011 05:19 AM
1. The level of logging is different for ASDM and buffer. That is why the logging outputs in ASDM and buffer (sho log) will not be the same. One will be a 'subset' of the other.
2. This would depend entirely on your requirement. E.g., if most traffic is through IPsec then more BW should be reserved for this traffic.
HTH
Paps
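The two answers above say the same thing from different angles: every logging destination on the ASA has its own severity threshold, a message goes to a destination when its severity number is at or below that threshold, and so the buffer (warnings, level 4) ends up holding a subset of what ASDM (informational, level 6) shows. The following script is an added example, not code from the thread or from Cisco: it parses the poster's own three `logging` lines plus a handful of constructed `%ASA-<severity>-<id>` messages (the 106001 line is the one quoted in the question; the others are made up for illustration) and works out which destination would receive which message.

```python
"""Model how an ASA fans one syslog stream out to several destinations.

Each destination (buffered, asdm, trap, console, monitor) has its own
severity threshold; a message is delivered to a destination when its
severity number is <= that threshold (0 = emergencies ... 7 = debugging).
Added example for the forum thread; the message lines are constructed.
"""
import re

# Cisco ASA severity keywords and their numeric levels
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

DESTINATIONS = ("buffered", "asdm", "trap", "console", "monitor")

# %ASA-<severity>-<six-digit message id>: <text>
SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")

# The poster's configuration, as quoted in the question
CONFIG = """\
logging enable
logging buffered warnings
logging asdm informational
"""

# Constructed sample messages; only the 106001 line is from the thread.
MESSAGES = [
    "%ASA-2-106001: Inbound TCP connection denied from 45.34.115.88/3160 to 202.88.179.15/445 flags SYN on interface outside",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.200.5/49152 (192.168.200.5/49152) to inside:192.168.100.2/1445 (192.168.100.2/1445)",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:192.168.200.5/49152 to inside:192.168.100.2/1445 duration 0:00:05 bytes 1234 TCP FINs",
    '%ASA-4-106023: Deny tcp src outside:45.34.115.88/3160 dst inside:202.88.179.15/445 by access-group "outside_in"',
    "%ASA-7-710005: UDP request discarded from 10.0.0.5/137 to inside:10.0.0.1/137",
]


def level(name_or_number):
    """Accept a keyword ('warnings') or a number ('4' / 4), as the ASA CLI does."""
    if isinstance(name_or_number, int):
        return name_or_number
    s = str(name_or_number).strip().lower()
    if s.isdigit():
        return int(s)
    return SEVERITY[s]


def parse_logging_config(config_text):
    """Pull per-destination thresholds out of 'logging <destination> <level>' lines."""
    thresholds = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "logging" and parts[1] in DESTINATIONS:
            thresholds[parts[1]] = level(parts[2])
    return thresholds


def parse_message(line):
    """Split a %ASA syslog line into severity, message id and text (None if not one)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def deliver(messages, thresholds):
    """Return {destination: [msgid, ...]} listing what each destination would receive."""
    out = {dest: [] for dest in thresholds}
    for line in messages:
        msg = parse_message(line)
        if msg is None:
            continue
        for dest, thr in thresholds.items():
            if msg["severity"] <= thr:
                out[dest].append(msg["msgid"])
    return out


if __name__ == "__main__":
    thresholds = parse_logging_config(CONFIG)
    for dest, ids in deliver(MESSAGES, thresholds).items():
        print(f"{dest} (level {thresholds[dest]}): {ids}")
```

With the poster's configuration, the buffer receives 106001 and 106023 only, ASDM receives those plus the level-6 build/teardown messages, and the level-7 message reaches neither; raising `logging buffered` to informational would make the two outputs identical.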
01-05-2011 05:42 AM
1. What should be the correct logging level for both to be the same, so as not to have 2 different log outputs & only 1 common log?
2. Oracle TCP traffic between 2 hosts on both sites will be the major use of this IPsec. Either can initiate the connection.
Please help.
Thanks
01-05-2011 07:02 AM
Thanks KS. Lastly, on the QoS part, when the policy is put on outside, does it police for both inbound & outbound?
Can I put an ACL like:
acl oracle line 1 extended permit tcp host 192.168.100.2 host 192.168.200.5 eq 1445
acl oracle line 2 extended permit tcp host 192.168.200.5 host 192.168.100.2 eq 1445
and then apply this to a class to limit traffic both ways?
Thanks.
01-05-2011 07:13 AM
No. The ACL is just the interesting traffic that you want policed. Police input and/or police output should be used.
The input keyword enables policing of traffic flowing in the input direction.
The output keyword enables policing of traffic flowing in the output direction.
You can refer this link (step 3): http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1071334
-KS
01-05-2011 07:34 AM
So if the traffic flows from the remote site to the local site & vice versa
( remote branch - internet - asa - 3845 router - local office )
it would be more proper to apply it outbound on the outside of the ASA. Please correct me if otherwise.
Thanks
01-05-2011 07:38 AM
Correct. I agree.
Policy outside - would be appropriate.
-KS
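Putting the pieces of the exchange above together, here is the complete policing configuration as an added example (not configuration from the thread or from Cisco). It assumes the ACL name ORACLE_QOS, the class-map and policy-map names, the poster's hosts and port 1445, a 1 Mbps conform rate and a 31250-byte burst (a quarter second at 1 Mbps); adjust those to taste. Note that `police input` and `police output` are each relative to the interface the policy is applied to: on the outside interface, `police output` limits only what leaves the ASA towards the branch, so a second `police input` line is needed if the branch-to-office direction is to be limited as well.

```cisco
! Interesting traffic: the Oracle flows in both directions. The ACL matches
! the inner (unencrypted) addresses, as in the question.
access-list ORACLE_QOS extended permit tcp host 192.168.100.2 host 192.168.200.5 eq 1445
access-list ORACLE_QOS extended permit tcp host 192.168.200.5 host 192.168.100.2 eq 1445
!
! Classify on the ACL
class-map ORACLE_QOS_CLASS
 match access-list ORACLE_QOS
!
! Police the class to 1 Mbps in each direction on the interface the policy
! is applied to: conform rate in bps, burst in bytes (assumed values).
policy-map OUTSIDE_QOS
 class ORACLE_QOS_CLASS
  police output 1000000 31250
  police input 1000000 31250
!
! Only one service policy is allowed per interface; if "outside" already has
! one, add the class to that existing policy-map instead of creating a new one.
service-policy OUTSIDE_QOS interface outside
```

`show service-policy interface outside police` shows the conformed and exceeded packet counters per direction, which is the quickest way to confirm the class is matching the Oracle traffic at all before trusting the rate limit.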