Cisco ASA 5510 logging ACL denies without "log" keyword with WARNING severity

Sam Brynes
Level 1

I've enabled logging (logging enable) on our Cisco ASA 5510. I have an ACL on our outside interface. I see many deny log entries with a warning (level 4) severity, but I don't have the "log" keyword enabled on any of the ACL entries in the referenced ACL. Does anyone know where the warning (level 4) denies are coming from, and how I can stop them?

 

ASA5510(config)# sh run all | i logging
logging enable
logging timestamp
logging hide username
logging buffer-size 1048576
logging asdm-buffer-size 100
logging monitor notifications
logging buffered notifications
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
ASA5510(config)#
ASA5510(config)#sh logging
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: level notifications, 891 messages logged
Buffer logging: level notifications, 884 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
ASA5510(config)#


Deny examples:

Apr 05 2020 23:25:15: %ASA-4-106023: Deny udp src outside:168.232.213.153/21592 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:16: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:19: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]

 


Our ACL:

ASA5510(config)# sh access-list ACL-OUTSIDE-IN
access-list ACL-OUTSIDE-IN; 11 elements; name hash: 0x4c51d238
access-list ACL-OUTSIDE-IN line 1 extended deny ip 10.0.0.0 255.0.0.0 any (hitcnt=15) 0x048a140c
access-list ACL-OUTSIDE-IN line 2 extended deny ip 172.16.0.0 255.240.0.0 any (hitcnt=109) 0xd408f2c1
access-list ACL-OUTSIDE-IN line 3 extended deny ip 192.168.0.0 255.255.0.0 any (hitcnt=0) 0x783f94e3
access-list ACL-OUTSIDE-IN line 4 extended deny ip 224.0.0.0 224.0.0.0 any (hitcnt=0) 0x9a833009
access-list ACL-OUTSIDE-IN line 6 extended permit icmp any any unreachable (hitcnt=100583) 0x6aeef44e
access-list ACL-OUTSIDE-IN line 7 extended permit icmp any any time-exceeded (hitcnt=6983) 0x4242299f
access-list ACL-OUTSIDE-IN line 8 extended deny icmp any any (hitcnt=0) 0x43e8b911
access-list ACL-OUTSIDE-IN line 9 extended deny udp any any (hitcnt=658) 0xe63c7008
access-list ACL-OUTSIDE-IN line 10 extended deny tcp any any (hitcnt=232) 0x783583f8
access-list ACL-OUTSIDE-IN line 11 extended deny ip any any (hitcnt=0) 0x320f194c
ASA5510(config)#

 

 

Accepted Solutions

Cristian Matei
VIP Alumni

Hi,

The ASA firewall, by default, logs any time there is an ACE match in your ACL for a new flow, with or without the "log" keyword being configured. If you don't specify the log keyword, you get a "106023" system message; if you do specify the log keyword, you get a "106100" system message. If you don't want the ASA to log at all, configure the ACE with the "log disable" option. For example:

access-list ACL-OUTSIDE-IN line 9 extended deny udp any any log disable

 

Regards,

Cristian Matei.
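
The first bracketed value in each 106023 message in this thread (0xe63c7008) is the hash printed at the end of line 9 in the "sh access-list" output, which is how the noisy ACE can be identified before changing its logging. The script below is an added example, not part of the original posts: it correlates the two outputs and builds the "log disable" form of each matching ACE. Its function names are hypothetical, and it assumes the first bracketed value is the ACE hash, as the output above shows.

```python
import re
from collections import Counter

# Input copied from the thread above: three ACEs and the three deny messages.
SHOW_ACCESS_LIST = """\
access-list ACL-OUTSIDE-IN line 8 extended deny icmp any any (hitcnt=0) 0x43e8b911
access-list ACL-OUTSIDE-IN line 9 extended deny udp any any (hitcnt=658) 0xe63c7008
access-list ACL-OUTSIDE-IN line 10 extended deny tcp any any (hitcnt=232) 0x783583f8
"""
SYSLOG = """\
Apr 05 2020 23:25:15: %ASA-4-106023: Deny udp src outside:168.232.213.153/21592 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:16: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
Apr 05 2020 23:25:19: %ASA-4-106023: Deny udp src outside:178.198.131.51/40837 dst inside:172.18.0.4/10682 by access-group "ACL-OUTSIDE-IN" [0xe63c7008, 0x0]
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>extended .+?) "
    r"\(hitcnt=\d+\) (?P<hash>0x[0-9a-f]+)$")
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny .+ by access-group "(?P<acl>[^"]+)" '
    r"\[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]")

def index_aces(show_output):
    """Map (ACL name, ACE hash) -> (line number, rule text)."""
    aces = {}
    for row in show_output.splitlines():
        m = ACE_RE.match(row.strip())
        if m:
            aces[(m["acl"], m["hash"])] = (int(m["line"]), m["rule"])
    return aces

def count_denies(syslog, aces):
    """Count 106023 messages per ACE; an unknown hash is kept with line None."""
    hits = Counter()
    for row in syslog.splitlines():
        m = DENY_RE.search(row)
        if m:
            line, rule = aces.get((m["acl"], m["hash"]), (None, m["hash"]))
            hits[(m["acl"], line, rule)] += 1
    return hits.most_common()

def log_disable_commands(hits):
    """Build the 'log disable' form of each matched ACE, as in the answer."""
    return [f"access-list {acl} line {line} {rule} log disable"
            for (acl, line, rule), _ in hits if line is not None]

if __name__ == "__main__":
    hits = count_denies(SYSLOG, index_aces(SHOW_ACCESS_LIST))
    print("\n".join(log_disable_commands(hits)))
```

Review the per-ACE counts before applying the generated lines: an ACE configured with "log disable" no longer produces a deny record at all.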