Hi,
Note: posted elsewhere in another thread.
I'm trying to use a searchable syslog server to track the flows on one of my ASAs but have run into a problem. Hypothetically, let's say I have a web server behind an ASA with IP address 192.168.1.1 and I allow access from anywhere to the web server. I know some but not all of the IP addresses accessing the server (e.g. clients in 10.1.1.0/24).
Question: If I put a specific access rule in permitting 10.1.1.0/24 to 192.168.1.1 with logging disabled followed by a less specific rule of any to 192.168.1.1 with logging enabled, should I expect to only see the events relating to the "unknown" traffic flows being logged? As I identify clients accessing my web server, I can add them to the first ACE to prevent logging.
I'm only interested in message 302014 (teardowns) so I can see whether they are FINs, resets or SYN timeouts etc, so the config looks like this:
access-list outside_access_in extended permit tcp object-group KNOWN_SOURCES host 192.168.1.1 eq http log disable
access-list outside_access_in extended permit tcp any host 192.168.1.1 eq http
logging enable
logging list Syslog_events message 302014
logging trap Syslog_events
logging host management a.b.c.d
Something is not right because I'm still seeing events logged against the ACEs with logging disabled. Have I missed something?
Thanks,
Stuart
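Whatever the ASA does per ACE, the filtering the post is after can be done on the collector. The following is an added example, not Stuart's code and not an ASA feature: a Python script that parses 302014 teardown lines, drops flows from the known source networks and tallies the teardown reasons (FINs, resets, SYN timeouts) for the remaining "unknown" clients. The syslog lines are constructed samples in the documented 302014 format (addresses from documentation ranges); the prefix before `%ASA` varies by syslog setup, so the parser searches for the message body instead of matching from the start of the line. One caveat a practitioner should keep in mind: the `log disable` option on an ACE governs the ACL-hit messages (106100/106023); 302014 is emitted when a connection is removed from the connection table and is not suppressed per ACE, which is why the collector-side filter below is useful.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not from the poster's ASA).
# 10.1.1.0/24 plays the "known clients" role from the post.
SAMPLE_SYSLOG = """\
<166>Jan 01 2024 10:00:01 asa1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:10.1.1.7/51234 to inside:192.168.1.1/80 duration 0:00:03 bytes 5120 TCP FINs
<166>Jan 01 2024 10:00:02 asa1 : %ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/44012 to inside:192.168.1.1/80 duration 0:00:00 bytes 0 SYN Timeout
<166>Jan 01 2024 10:00:03 asa1 : %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.4/40001 to inside:192.168.1.1/80 duration 0:00:01 bytes 812 TCP Reset-O
<166>Jan 01 2024 10:00:04 asa1 : %ASA-6-302014: Teardown TCP connection 1004 for outside:10.1.1.20/51235 to inside:192.168.1.1/80 duration 0:00:02 bytes 4096 TCP Reset-I
<166>Jan 01 2024 10:00:05 asa1 : %ASA-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/44013 (203.0.113.9/44013) to inside:192.168.1.1/80 (192.168.1.1/80)
<166>Jan 01 2024 10:00:06 asa1 : %ASA-6-302014: Teardown TCP connection 1006 for outside:203.0.113.9/44013 to inside:192.168.1.1/80 duration 0:00:30 bytes 0 SYN Timeout
"""

# 302014 body: Teardown TCP connection <id> for <if>:<ip>/<port> [(mapped)] to <if>:<ip>/<port> [(mapped)]
# duration h:mm:ss bytes <n> [reason]. Searched, not anchored, so any syslog header prefix is fine.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+)(?: \([^)]*\))* "
    r"to (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)(?: \([^)]*\))* "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)


def parse_teardown(line):
    """Return a dict for a 302014 line, or None for any other message."""
    m = TEARDOWN_RE.search(line.rstrip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "conn": int(d["conn"]),
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "bytes": int(d["bytes"]),
        "reason": (d["reason"] or "").strip(),
    }


def unknown_teardowns(lines, known_nets, server, port=80):
    """Teardowns to server:port whose source is NOT in any of known_nets.

    This is the collector-side equivalent of the 'log disable' ACE in the post:
    known clients are dropped here, everything else is kept for review.
    """
    nets = [ipaddress.ip_network(n) for n in known_nets]
    kept = []
    for line in lines:
        ev = parse_teardown(line)
        if ev is None:
            continue  # not a teardown (e.g. 302013 Built)
        if ev["dst"] != server or ev["dport"] != port:
            continue  # teardown for some other service
        src = ipaddress.ip_address(ev["src"])
        if any(src in n for n in nets):
            continue  # known client, do not report
        kept.append(ev)
    return kept


def reason_summary(events):
    """Count teardown reasons so FINs, resets and SYN timeouts can be compared."""
    return Counter(ev["reason"] for ev in events)


if __name__ == "__main__":
    events = unknown_teardowns(SAMPLE_SYSLOG.splitlines(), ["10.1.1.0/24"], "192.168.1.1")
    for ev in events:
        print(f"conn {ev['conn']}: {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} {ev['reason']}")
    print(dict(reason_summary(events)))
```

Feed it the 302014 lines exported from the syslog server (one per line); as clients are identified, add their prefixes to the `known_nets` list instead of editing the ACE, and the reason counts show at a glance whether the unknown flows are completing (TCP FINs) or never establishing (SYN Timeout).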